Jump to content





Photo
- - - - -

Italy train crash: 'Ten killed' near Bari




  • Please log in to reply
48 replies to this topic

#26 phil-b259

phil-b259

    Member


  • Members
  • PipPip
  • 4,704 posts
  • LocationBurgess Hill, UK

Posted 14 July 2016 - 14:48

Every system in use is safe, if everyone follows the rules. :rolleyes:


Which is why any good railway system has backup systems. While yes, there is the 'Swiss Chease' example where if all the holes line up something can slip through, it also stands to reason the more layers you have, the less likely it is to occur in the first place.

As such a single line token (be it virtual or physical) or full track circuiting (or something similar to prove the section clear or occupied) plus having the appropriate enterance signals interlocked with the previous items and either trap points or some way of stopping a train that has SPADed are the basics for a safe single line railway in this day and age.
  • Agree x 2



#27 Fat Controller

Fat Controller

    Member


  • Members
  • PipPip
  • 14,267 posts

Posted 14 July 2016 - 15:22

The reports yesterday just said that 'one train should not have been there' . It does seem odd that in the 21st century a simple and cheap system could not be introduced. With GPS and mobile phones it would not be that difficult to in effect create an electronic token. Simple interface on control board of train, requiring key card(ie token), which can only be programmed to allow one train on that track. If you can control a car using a playstation then this should be simple, safe and cheap.

One other thing in the report was that it stated the line was operated by a private company, I suppose that was to stop people blaming the government.

The 'cheap and dirty' solution is initially very tempting; however, you have to make sure (as with any safety-critical system) that it cannot be hacked into. A system based around GSM-R should be secure.

The railway may not be part of FS (or whatever the infrastructure part is now called), but this doesn't mean it's a private company. Many such railways around Italy are in fact owned by Regional and Local authorities, who either operate them directly, or offer an operating concession to a suitable operator (which might be FS)


  • Agree x 1

#28 eastwestdivide

eastwestdivide

    Member


  • Members
  • PipPip
  • 4,145 posts
  • LocationEast of the west coast and west of the east coast

Posted 14 July 2016 - 15:23

I presume that this means reported incidents. 
It would be interesting to know how many "oh sh1t" moments there have been (or the Italian equivalent), which have never been reported. I believe that there is a rule of thumb that for every accident, there are 10 near misses, and for every near miss, there are ten incidents which could have developed into something more serious. 
Best wishes 
Eric

 
Well the Italian verb is a bit of a false friend. It says "non si sono verificati incidenti", and verificarsi (the reflexive verb used) means "to happen/occur/take place", rather than "verified" as you might expect. 
 
Your point still stands though, if no-one reports an "oops" moment, it's like a tree falling in a forest with no-one to hear it. Also depends what you mean by incident.


#29 Coryton

Coryton

    Member


  • Members
  • PipPip
  • 2,114 posts

Posted 14 July 2016 - 15:28

I presume that this means reported incidents. 

It would be interesting to know how many "oh sh1t" moments there have been (or the Italian equivalent), which have never been reported. I believe that there is a rule of thumb that for every accident, there are 10 near misses, and for every near miss, there are ten incidents which could have developed into something more serious. 

Best wishes 

Eric 

 

I've read (may or not be true) that before TPWS it wasn't unheard of for drivers in RETB territory to forget to obtain the token before entering a section and to then get it 'on the fly.'

 

It presumably wouldn't be hard now - in principle - to install a GPS system that provided a warning when entering a section without the token. But presumably there's little point in updating RETB now rather than replacing with something more modern.

 

The mechanical token system does not allow the section signal to be clear unless a token is obtained.

For a head on to happen not only has the train to pass a signal at danger but also not be in possession of a token.

 

I must confess I wasn't aware that the token machines were interlocked with the signals, though it clearly makes sense.

 

So these days (and presumably not the for the Abermule accident) the token is not so much required in order to give the driver authority to enter the section, but to prove that the train has reached the other end of the section and the line is now clear so the signalling can allow another train in?



#30 phil-b259

phil-b259

    Member


  • Members
  • PipPip
  • 4,704 posts
  • LocationBurgess Hill, UK

Posted 14 July 2016 - 16:05

 

I must confess I wasn't aware that the token machines were interlocked with the signals, though it clearly makes sense.

 

So these days (and presumably not the for the Abermule accident) the token is not so much required in order to give the driver authority to enter the section, but to prove that the train has reached the other end of the section and the line is now clear so the signalling can allow another train in?

 

Spot on.



#31 meil

meil

    Member


  • Members
  • PipPip
  • 632 posts

Posted 14 July 2016 - 16:17

I've read (may or not be true) that before TPWS it wasn't unheard of for drivers in RETB territory to forget to obtain the token before entering a section and to then get it 'on the fly.'

 

It presumably wouldn't be hard now - in principle - to install a GPS system that provided a warning when entering a section without the token. But presumably there's little point in updating RETB now rather than replacing with something more modern.

 

 

I must confess I wasn't aware that the token machines were interlocked with the signals, though it clearly makes sense.

 

So these days (and presumably not the for the Abermule accident) the token is not so much required in order to give the driver authority to enter the section, but to prove that the train has reached the other end of the section and the line is now clear so the signalling can allow another train in?

It was Abermule that resulted in the Section signals being interlocked with the Token.

 

Also remember that the token cannot be released unless there are no tokens "out" and that release requires the permission of BOTH signalmen to obtain.



#32 pete_mcfarlane

pete_mcfarlane

    Member


  • Members
  • PipPip
  • 2,929 posts

Posted 14 July 2016 - 17:55

The 'cheap and dirty' solution is initially very tempting; however, you have to make sure (as with any safety-critical system) that it cannot be hacked into. A system based around GSM-R should be secure.

The system itself would be cheap, but the testing needed to demonstrate that it's safe (and idiot proof) to the appropriate regulatory authorities is going to be quite expensive.  Proper software testers(*) aren't cheap. 

 

* Not ones certain parts of the developing World, who seem to lack the 'let's see if we can break this' mentality needed to test stuff. 


  • Agree x 1

#33 D869

D869

    Member


  • Members
  • PipPip
  • 315 posts

Posted 14 July 2016 - 18:19

I was thinking of Foxcote on the S&D as a reason why we don't use crossing order systems in the UK but train order systems were widely used in sparsely populated parts of the US for many years so presumably they can be safe. Clearly something has gone tragically wrong in Italy but I don't think we know enough to judge exactly what.


  • Agree x 1

#34 caradoc

caradoc

    Member


  • Members
  • PipPip
  • 1,397 posts

Posted 14 July 2016 - 18:22

On British single lines, no matter what the method of signalling, TPWS should stop any train which passes a signal at danger to enter the single line, and if this should fail the Signaller has direct radio communication with the trains involved; Either of these features would have prevented the Cowden accident. I find it astonishing that Italy does not appear to have similar safeguards. 



#35 Derekl

Derekl

    Member


  • Members
  • PipPip
  • 351 posts
  • LocationKnowle, Solihull

Posted 14 July 2016 - 18:37

I was thinking of Foxcote on the S&D as a reason why we don't use crossing order systems in the UK but train order systems were widely used in sparsely populated parts of the US for many years so presumably they can be safe. Clearly something has gone tragically wrong in Italy but I don't think we know enough to judge exactly what.

They were so used in the US - the results often known as "cornfield meets". Not really that safe - fair amount of literature knocking around on the subject.


  • Agree x 1

#36 rue_d_etropal

rue_d_etropal

    Member


  • Members
  • PipPip
  • 1,998 posts
  • LocationLancashire and sometimes France

Posted 14 July 2016 - 18:55

The big trouble with developing any system is that there is always someone trying to make money out of it. look at all those military projects that just cost more and more. No company offering a system is going to offer something low cost but still doing the job. They want to make as much out of it as possible. two ways , one way is to make system complex so is expensive, and other way is to design system which can be easily modified for other customers. The second way used to be common(even some military systems found their way into commercial organisations), would expect that, but I suspect quite a bit of the other occurs.

I finished up working in system testing after having worked in programming and analysis, and from my point of view it was more about crossing the t's and dotting the i's. What is needed to properly test is good old common sense and a vivid imagination, working out how to break systems like a hacker would. There are plenty of people out there who can do that, but there is also a mentality that to get the best you have to pay more. If you were testing computer games for a wellknown manufacturer then you pay peanuts as there are a lot of skilled gaming people who are happy to be paid to play games all day.

The type of equipment is out there, the right type of software is out there, it is not that complex. The real cost is down to someone being cheeky enough to demand it. The spanners in the works are the overpaid ones sitting on comfortable chairs in air conditioned offices, doing nothing practical(or is that practically nothing). Throw in a bit of corruption and everyone goes round in circles getting nowhere but spending more each year.



#37 jjb1970

jjb1970

    Member


  • Members
  • PipPip
  • 4,419 posts
  • LocationMilton Keynes, England

Posted 14 July 2016 - 19:22

The big trouble with developing any system is that there is always someone trying to make money out of it. look at all those military projects that just cost more and more. No company offering a system is going to offer something low cost but still doing the job. They want to make as much out of it as possible. two ways , one way is to make system complex so is expensive, and other way is to design system which can be easily modified for other customers. The second way used to be common(even some military systems found their way into commercial organisations), would expect that, but I suspect quite a bit of the other occurs.

I finished up working in system testing after having worked in programming and analysis, and from my point of view it was more about crossing the t's and dotting the i's. What is needed to properly test is good old common sense and a vivid imagination, working out how to break systems like a hacker would. There are plenty of people out there who can do that, but there is also a mentality that to get the best you have to pay more. If you were testing computer games for a wellknown manufacturer then you pay peanuts as there are a lot of skilled gaming people who are happy to be paid to play games all day.

The type of equipment is out there, the right type of software is out there, it is not that complex. The real cost is down to someone being cheeky enough to demand it. The spanners in the works are the overpaid ones sitting on comfortable chairs in air conditioned offices, doing nothing practical(or is that practically nothing). Throw in a bit of corruption and everyone goes round in circles getting nowhere but spending more each year.

 

That sounds like something the brothers of the RMT or Unite would say but is not really reflective of reality. There are plenty of excellent safety critical equipment suppliers who are fully capable of delivering systems that function as intended and no shortage of companies capable of doing the design verification and approval. Of course they are commercial companies who have to make a profit but making a profit is not wrong and the real question is whether such companies offer value for money. And many do or they wouldn't continue in business.

 

I must admit I do find it quite shocking that we have had two collisions with heavy loss of life within a relatively short period, both in developed, wealthy European countries where it appears that a major causal factor was an over reliance on procedural controls when the susceptibility of humans to make errors has been recognised for longer than anybody on the board has been alive.


  • Agree x 3

#38 jjb1970

jjb1970

    Member


  • Members
  • PipPip
  • 4,419 posts
  • LocationMilton Keynes, England

Posted 14 July 2016 - 19:27

I hope that any investigation does go further than blaming one individual and look more into the reasons as to why it was able to happen.

 

Couldn't agree more with this point. We've made a huge effort to break out of a culture of blaming the poor sap that made a mistake and throwing the responsibility for safety systems that were not fit for purpose onto these individuals. I'm not arguing that those who make mistakes should not be accountable for their actions or inactions (they should), but in todays world I think systems which allow individual mistakes to escalate to loss of life as we've seen in this incident with no mechanism to intervene are not fit for purpose. I hope also there will be consideration of the softer side of things (corporate cultures, training etc).



#39 Foulounoux

Foulounoux

    Member


  • Members
  • PipPip
  • 406 posts
  • LocationWaterlooville and Charente France

Posted 14 July 2016 - 19:47

Reading the latest BBC reports seems that

As usual in such events the Swiss cheese holes did line up ..all the issues discussed already plus an extra train that the stationmaster wasn't aware of

And that the investigation will be wide ranging even asking why wasn't the line upgraded to,double track

Colin
  • Like x 1

#40 Coryton

Coryton

    Member


  • Members
  • PipPip
  • 2,114 posts

Posted 14 July 2016 - 20:33

And that the investigation will be wide ranging even asking why wasn't the line upgraded to,double track

 

I imagine that one's quite easy - not enough traffic to justify the cost.

 

I must admit I do find it quite shocking that we have had two collisions with heavy loss of life within a relatively short period, both in developed, wealthy European countries where it appears that a major causal factor was an over reliance on procedural controls when the susceptibility of humans to make errors has been recognised for longer than anybody on the board has been alive.

 

Though they do seem to have been under very different signalling systems. If I recall correctly, the German system was heavily interlocked and failsafe. But when it did fail safe there was a manual over-ride with little in the way of protection from mistakes.

 

They were so used in the US - the results often known as "cornfield meets". Not really that safe - fair amount of literature knocking around on the subject.

 

According to Wikipedia, the Long Island Railroad (a primarily passenger railway) still uses train orders at the extremities of the system. Track Warrant systems in which permission to enter a section of track is given by radio are still common in North America. This sounds scary to someone used to British signalling, in that it relies completely on the driver correctly stopping at the end of the permitted area (which could just be a milepost) with no override if they fail to do so. It seems to work reasonably well, though of course for far less intensive services than we are used to in the UK. In a sense it's a voice based version of RETB, but cheaper and with much more flexibility. Just less safety.

 

Some years ago there was a freight line in New York state which ran a passenger shuttle service in the town at one end of the line (I think in return for tax breaks). When I travelled on it and the driver realised I was just along for the ride he invited me into the cab, at which point I discovered that as well as the driver he was also the dispatcher, controlling not only his train but a passing freight train.

 

It was Abermule that resulted in the Section signals being interlocked with the Token.

 

Also remember that the token cannot be released unless there are no tokens "out" and that release requires the permission of BOTH signalmen to obtain.

 

With "modern" variations such as no signalman key token, and no-signalman token remote (which according to what I have just read on the web is, like RETB, is not interlocked with signalling but (also like RETB) now has TPWS protection.)

 

Also human voice communication is one of the worst ways of communicating safety critical information - it's one of the big advantages of bell codes - the phrases are predefined and thus cannot be corrupted by persons 'add lobbing'*

* you try and read from a script to an audience without putting your own spin on it - it's not as easy as you think.

 

I'm not convinced by that. I think the success of modern air traffic control shows that voice communication can be perfectly fine with the appropriate procedures and training.

Likewise the North American track warrant system I referred to above. (There are various web sites around that let you listen to this going on).

 

I think if you replaced bells by a properly defined set of messages "class x train entered section" it would work just as safely. Bells presumably do have the advantage that you don't have to wear headphones or stop what you're doing to lift up a phone receiver to hear a voice message clearly.

 

With NSTR, don't the drivers communicate with the signaller by phone rather than bells?



#41 roythebus

roythebus

    Member


  • Members
  • PipPip
  • 2,775 posts
  • LocationNear the 15" gauge and the 5"gauge, far from standard gauge, but 25 miles from Calais.

Posted 14 July 2016 - 23:52

In the UK it is entirely possible to enter a single track section with the wrong token with the section signal clear. The correct token has to be removed from the token machine and the correct number of tokens have to be present in that machine and in the machine in the other end of the section, i.e. if there are 10 tokens in total, one has to be removed to clear the section signal. If more than one are removed, then it is not possible to clear the signal.

 

My son had an example of that when he done his firing exam on a heritage railway in the south; the driver "had some grit in his eye" and couldn't drive for that trip, so son had to drive and fire; at one station, he got the token and a clear signal, then noticed it was the wrong token for the section. He dropped the lot and changed it for the correct token. That was part of the training exercise. Heritage railways don't have TWPS or whatever, but still operate in complete safety with 19th century equipment PROVIDING everyone follows the rule book.

 

Remember, in the German crash, the emergency STOP to the drivers was relying on a radio signal which was not available on that section of track, so radio is not infallible.


  • Agree x 1

#42 Edwin_m

Edwin_m

    Member


  • Members
  • PipPip
  • 6,526 posts

Posted 15 July 2016 - 07:12

In the UK it is entirely possible to enter a single track section with the wrong token with the section signal clear. The correct token has to be removed from the token machine and the correct number of tokens have to be present in that machine and in the machine in the other end of the section, i.e. if there are 10 tokens in total, one has to be removed to clear the section signal. If more than one are removed, then it is not possible to clear the signal.

Slight correction - the token machine doesn't "know" how many tokens there are.  Instead, the electrical interlocking between the token machines makes it impossible to remove a token if one has already been removed at either end of the section, until that one has been replaced into one of the machines. 



#43 meil

meil

    Member


  • Members
  • PipPip
  • 632 posts

Posted 15 July 2016 - 07:57

 

 

My son had an example of that when he done his firing exam on a heritage railway in the south; the driver "had some grit in his eye" and couldn't drive for that trip, so son had to drive and fire; at one station, he got the token and a clear signal, then noticed it was the wrong token for the section. He dropped the lot and changed it for the correct token. That was part of the training exercise. Heritage railways don't have TWPS or whatever, but still operate in complete safety with 19th century equipment PROVIDING everyone follows the rule book.

 

Ok but don't confuse specially set up training exercises with proper operation. For the Section signal to be off the correct token had to be out of the machine - it's just that your son was given some other token to test him.

 

Without the connivance of 3 three signalmen and driver I can only think of one scenario where the wrong token could be given and the section signal off and that would be at a crossing place with two trains passing. Each could be given the others token. But in that case, so long as neither token was returned to the instrument, the trains would pass through their sections safely. only when they arrived at the end of section would the fun start.



#44 Coryton

Coryton

    Member


  • Members
  • PipPip
  • 2,114 posts

Posted 15 July 2016 - 08:08

As usual on threads like this we are perhaps departing somewhat from the original topic of this thread, but...

 

Without the connivance of 3 three signalmen and driver I can only think of one scenario where the wrong token could be given and the section signal off and that would be at a crossing place with two trains passing. Each could be given the others token. But in that case, so long as neither token was returned to the instrument, the trains would pass through their sections safely. only when they arrived at the end of section would the fun start.

 

"So long as neither token was returned" is the key part, isn't it?

 

If I understand things correctly, with signal interlocking a token is no longer your proof that it is safe to enter the section because it's empty...it's your proof that once you've entered the section, nobody else will be allowed to do so from either end. 

 


Edited by Coryton, 15 July 2016 - 08:56 .


#45 Titan

Titan

    Member


  • Members
  • PipPip
  • 1,780 posts

Posted 15 July 2016 - 08:34

 

As usual on threads like this we are perhaps departing somewhat from the original topic of this thread, but...

 

 

"So long as neither token was returned" is the key part, isn't it?

 

If I understand things correctly, with signal interlocking a token is no longer your proof that it is safe to enter the section because it's empty...it's your proof that once you've entered the section, nobody else will be allowed to do so from either end. 

 

Without the connivance of 3 three signalmen and driver I can only think of one scenario where the wrong token could be given and the section signal off and that would be at a crossing place with two trains passing. Each could be given the others token. But in that case, so long as neither token was returned to the instrument, the trains would pass through their sections safely. only when they arrived at the end of section would the fun start.

 

 

This was kind of the scenario that led to the Abermule collision in 1921. By this time most token instruments were interlocked with the signals. However unusually at Abermule the token instruments were in the station building rather than the signal box and therefore not interlocked. Sloppy working meant that the driver was given back the token from the previous section he had just left. He did not check it, the signal was cleared and off he went and collided with the train he was supposed to be crossing at Abermule..


Edited by Titan, 15 July 2016 - 08:35 .


#46 John_Hughes

John_Hughes

    Member


  • Members
  • PipPip
  • 2,092 posts

Posted 15 July 2016 - 08:36

The North American sysem of telegraphic control, like modern air traffic systems, specifies exactly what words must be used in a message and how they must be read back to ensure correct transmission.

 

That said, there have indeed been some very nasty accidents when someone - almost always but not invariably a locomotive crew - screwed up; but then, I promise you there have been occasions in the UK when drivers have entered sections when the signal was Off but without them actually possessing the token on lines where signal / token interlocking was not in force so they were totally unprotected.

 

No names, no pack-drill!



#47 John M

John M

    Member


  • Members
  • PipPip
  • 258 posts

Posted 15 July 2016 - 09:21

I imagine that one's quite easy - not enough traffic to justify the cost.
 
 
Though they do seem to have been under very different signalling systems. If I recall correctly, the German system was heavily interlocked and failsafe. But when it did fail safe there was a manual over-ride with little in the way of protection from mistakes.
 
 
According to Wikipedia, the Long Island Railroad (a primarily passenger railway) still uses train orders at the extremities of the system. Track Warrant systems in which permission to enter a section of track is given by radio are still common in North America. This sounds scary to someone used to British signalling, in that it relies completely on the driver correctly stopping at the end of the permitted area (which could just be a milepost) with no override if they fail to do so. It seems to work reasonably well, though of course for far less intensive services than we are used to in the UK. In a sense it's a voice based version of RETB, but cheaper and with much more flexibility. Just less safety.
 
Some years ago there was a freight line in New York state which ran a passenger shuttle service in the town at one end of the line (I think in return for tax breaks). When I travelled on it and the driver realised I was just along for the ride he invited me into the cab, at which point I discovered that as well as the driver he was also the dispatcher, controlling not only his train but a passing freight train. 
  
I'm not convinced by that. I think the success of modern air traffic control shows that voice communication can be perfectly fine with the appropriate procedures and training.
Likewise the North American track warrant system I referred to above. (There are various web sites around that let you listen to this going on).

 
With NSTR, don't the drivers communicate with the signaller by phone rather than bells?



The main advantages of TWC over the traditional American Timetable Train Order system that Track Warrants are dictated directly by the Dispatcher or Train Controller to the Engineer over an open channel radio system, in contrast to a system where train orders were dictated by telegraph or phone to a local operator/signaller who passed the Train Order in a similar manner as a token to the engineer. Another safe guard is that a Track Warrant cannot be picked up a Warrant when a train is moving unlike a Train Order or a token.

TWC has been used to replace token signal systems on lines in Australia and New Zealand where traffic levels did not justify conversion to CTC for over a quarter of a Century. In the absence of detection there is nothing to warn a Dispatcher or Train Controller that a train has over-run its authority. In New Zealand we had one reported incident where a driver apparently became disorientated, over ran his authority and ran through a section without a Warrant.

Positive Train Control is GPS based system being in the United States that intended to manage the risk of collision between trains, the FR & Welsh Highland are planning a cellular based system to link Webb & Thompson ETS instruments on the Welsh Highland Railway, at work we are trialling an encrypted cellular system to transmit secure data from remote locations in the field to a cloud server.

Opinion on communication between signaller and driver in the UK has shifted from drivers talking to signallers in highly prescribed circumstances to more open communication with improved radio/cellular technology.

It will be interesting to establish whether or not there were plans to upgrade the signalling on the line in Italy under the ETMS or

Edited by John M, 15 July 2016 - 09:35 .


#48 The Stationmaster

The Stationmaster

    Member


  • Members
  • PipPip
  • 31,141 posts

Posted 15 July 2016 - 09:58

It was Abermule that resulted in the Section signals being interlocked with the Token.

 

Also remember that the token cannot be released unless there are no tokens "out" and that release requires the permission of BOTH signalmen to obtain.

 

Which hardly explains why 40 years after Abermule there were plenty of Section Signal on single lines which were not released by the token (or equivalent).  I doubt if there are any nowadays as most token sections are relatively new and most of the old ones have long gone but it is a fact that Section Signals which were not interlinked with the block/token on both double and single lines survived in Britain well into the 1960s and possibly even later.

 

Equally block controls interlinked with a  berth track circuit at the Home Signal and a  'Home Normal' proving contact were fairly rare birds into the 1960s while the berth track circuit block control probably doesn't exist at a number of places even today.

 

Inherently telephone block on single lines has flaws as it relies on human frailty not being frail hence its being outlawed in Britain a very long time ago (following the Norwich/Thorpe collision in 1874) but other parts of teh world have continued with it with reasonably good safety records.

 

And of course as Abermule - and various other incidents - have shown even the electric token/staff/tablet systems have chinks in their supposed armour.


  • Agree x 1

#49 PaulRhB

PaulRhB

    Member


  • Members
  • PipPip
  • 7,695 posts
  • LocationSalisbury

Posted 15 July 2016 - 11:53

With NSTR, don't the drivers communicate with the signaller by phone rather than bells?

Yes and follow a set script in the case local to me which the driver must repeat that clearly highlights which section it refers to to ensure they read the token.