
German Train Crash


phil-b259


The chances are, if you ask a member of platform staff, they will look at the screen anyway...

I think the point wasn't that a computer or a person would be more correct, but a human will trust a person more, whether that is the best thing to do or not.

 

That was the point. And I'm disagreeing with it.

 

I'm saying that - for whatever reason - especially at times of disruption automated systems get their knickers in a twist and start doling out misleading information and you are MUCH more likely to get helpful advice from platform staff who have an idea of what's going on.

 

I'll give another example, shall I?

 

Standing at Bristol Parkway, waiting for a delayed train. It will be here in a few minutes. Oops no, the one behind it's coming in first. THEN it will be here. No, wait a minute, the one after that is coming in next. And the one after that.

 

The train I wanted was crawling along but the system kept recalculating the arrival time assuming it would make line speed. 

 

On the other hand the platform staff had been informed about what had happened to the train and knew when it was likely to arrive.

 

Now if only they'd thought to make an announcement rather than waiting until I finally got fed up and found someone to ask what was going on...

 

Bottom line - I trust a human because all my experience as a rail traveller tells me it is almost always the best thing to do!

 

Edit: Also platform staff usually get much more useful screens to look at than we do. Very few stations have the signalling diagram on public display for passengers to see for themselves where their train actually is.


The chances are, if you ask a member of platform staff, they will look at the screen anyway...

I think the point wasn't that a computer or a person would be more correct, but a human will trust a person more, whether that is the best thing to do or not.

The last time I travelled on my local branch line which has two trains an hour, the departure screen confidently announced that the next up train would be the 12.17 on time and not the 11.47 that I expected to catch. The down train that would return as the 11.47 had already passed in the opposite direction to the terminus, Greenford, which is the next station with room for only one train. There is also no other realistic route from the terminus apart from back towards Paddington. The departures board also quite often misses out a train so I could be very confident in reassuring another passenger that it was very unlikely that the 11.47 had been cancelled and it duly appeared two minutes later and on time. Trains do sometimes get cancelled on the branch but my local knowledge is that it's very unusual for that to happen if the down train was on time.

 

The thing that one always has to remember about computers is that they have absolutely no common sense. If a fault in the programming permits it a computer will cheerfully put two trains onto the same line so there should be another system to prevent that. A human signaller would be unlikely to even if the electrical or mechanical systems were corrupted. On the other hand if, due to confusion or carelessness, a human signaller did try to clear a conflicting movement, the interlocking should stop him so it would require both an error by the signaller and a fault in the system for that safety system to be breached. I'd always understood that computerised signalling systems, including automated ones like the DLR, were backed up by hard wired interlocking but is that still the case? Could a programming error alone cause a collision or would it have to be accompanied by another failure?


The last time I travelled on my local branch line which has two trains an hour, the departure screen confidently announced that the next up train would be the 12.17 on time and not the 11.47 that I expected to catch. The down train that would return as the 11.47 had already passed in the opposite direction to the terminus, Greenford, which is the next station with room for only one train. There is also no other realistic route from the terminus apart from back towards Paddington. The departures board also quite often misses out a train so I could be very confident in reassuring another passenger that it was very unlikely that the 11.47 had been cancelled and it duly appeared two minutes later and on time. Trains do sometimes get cancelled on the branch but my local knowledge is that it's very unusual for that to happen if the down train was on time.

 

It's been fixed now, but not so long on my local line - a single track branch line - the system usually told you that trains would depart the "terminus" on time, even if the inbound train was known to be late.


I have to disagree: 5 major post-BR accidents, each with significant loss of life, vs various other European railways who didn't with larger networks, more passenger capacity and more intense service levels :no:

 

I'm afraid this table from Eurostat doesn't give the figures proportionately which might address this more clearly, nonetheless certainly in the last 10 years the UK's figures do not look exceptional.

 

http://ec.europa.eu/eurostat/product?mode=view&code=rail_ac_catvict


I have to disagree: 5 major post-BR accidents, each with significant loss of life, vs various other European railways who didn't with larger networks, more passenger capacity and more intense service levels :no:

You can disagree all you like but you will be wrong.

 

Not only has the UK one of the best current safety performances in Europe it also has a very intensive service compared with most. Don't take my word for it, try this:

 

http://www.era.europa.eu/Document-Register/Documents/SPR2014.pdf

 

It has been in the top rankings for probably about 10 years with no fatalities to passengers due to a train accident since 2007.


Using the admittedly very unscientific method of looking through the list of notable accidents on Wikipedia, disregarding any that don't appear to have occurred on 'national networks' (i.e. ones involving trams/light rail, subways/underground, heritage/tourist operations etc), and disregarding deaths at crossings where the fatalities appear to be solely on the road side of the equation....then in the most recent 10 years from 2006 to 2015, fatalities look to be:

1 Fatality each - Holland (2012) and UK (2007)
7 Fatalities - Switzerland (over 3 incidents)
16 Fatalities - Germany (4 incidents)
25 Fatalities - France (4 incidents)
48 Fatalities - Italy (6 incidents)
85 Fatalities - Spain (2 incidents, with the Talgo derailment distorting the stats drastically)

I'm not a fan of complacency, but that's not a bad result for the UK, and I don't think it's a fluke.

If you took the previous decade (96-05) then it's a very different story, and the UK certainly wasn't going to win any awards back then - that maybe accounts for a degree of latent understanding?

1 Fatality - Holland
7 Fatalities - Switzerland (5 incidents)
12 Fatalities - France (1 incident)
19 Fatalities - Spain (1 incident)
32 Fatalities - Italy (3 incidents)
67 Fatalities - UK (8 incidents)
107 Fatalities - Germany (2 incidents, with Eschede distorting the stats drastically)
 


The trouble with rail safety stats is that, for most (all?) developed countries, the sample size of fatal accidents is so small that a single incident can make a huge difference to any ranking, as noted above wrt the Talgo crash in Spain. Whilst I'm not a trained statistician, I suspect that, given the size of the rail travelling population in any given European country, the proportion of that population who are killed in crashes is, statistically speaking, zero for all intents and purposes, making comparisons between European countries on the basis of number of fatalities effectively meaningless. When I worked in traffic safety here in Australia we had a similar problem with road crash statistics from some of the smaller population states where the overall number of fatalities was small enough that a single crash of, say a coach or, more frequently, a uteful of passengers, would skew the figures for the year.

 

Any meaningful comparison can only be done by rather more detailed analysis of the likelihood/frequency of potentially fatal incidents. Something I'm sure at least some RMWebbers have expert knowledge of but also something I'm sure that many (myself included) don't.


I have to disagree: 5 major post-BR accidents, each with significant loss of life, vs various other European railways who didn't with larger networks, more passenger capacity and more intense service levels :no:

 

What was the point of making this misleading (when taken in the context of all networks since 1995 to date) and out of date comment? You are usually someone I take to have very informed and balanced opinions.


The trouble with rail safety stats is that, for most (all?) developed countries, the sample size of fatal accidents is so small that a single incident can make a huge difference to any ranking, as noted above wrt the Talgo crash in Spain. Whilst I'm not a trained statistician, I suspect that, given the size of the rail travelling population in any given European country, the proportion of that population who are killed in crashes is, statistically speaking, zero for all intents and purposes, making comparisons between European countries on the basis of number of fatalities effectively meaningless. When I worked in traffic safety here in Australia we had a similar problem with road crash statistics from some of the smaller population states where the overall number of fatalities was small enough that a single crash of, say a coach or, more frequently, a uteful of passengers, would skew the figures for the year.

 

Any meaningful comparison can only be done by rather more detailed analysis of the likelihood/frequency of potentially fatal incidents. Something I'm sure at least some RMWebbers have expert knowledge of but also something I'm sure that many (myself included) don't.

 

The number of accidents, and their cause, is recorded by ERA more significantly than the number of fatalities and injuries (and individual accidents which skew the data are also noted), to seek any particular trends. For example, level crossing vehicle and pedestrian collisions/accidents had continued to be a major problem, and an accelerated programme of closures and modifications has seen the accident rate drop significantly over the past ten years. There is still much more to do. France is embarking on a similar programme (not sure where that is at).

 

Near-misses (the equivalent of potentially serious accidents) are recorded in the UK, and reported to the rail safety authority (ORR), and a confidential staff reporting system was introduced many years ago to try to ensure these are not covered up. Near-misses are included in the published safety data. The latest publicised case involved a steam locomotive crew on the main line who had deliberately isolated a safety system, without following appropriate rules, and nearly caused a major accident when they ran past a signal at danger. The owning company was nearly permanently barred from further operation and is now under strict observation for a series of expensive modifications and other, human behaviour management measures. Another of their crews was caught doing much the same thing a few weeks later and the excrement really hit the fan.


PatB, ref the frequency question, that was why I'd included the frequency in the post...FWIW from the UK perspective I think those two ten-year spans do point to where we were for a specific period, and where we are now.

Interestingly, the frequency of fatal accidents across both ten year groups is the same number (21), though the average fatalities themselves have dropped, presumably largely down to better rolling stock - that stays true even if you exclude the single instance of a really extreme number in each group...


The trouble with rail safety stats is that, for most (all?) developed countries, the sample size of fatal accidents is so small that a single incident can make a huge difference to any ranking, as noted above wrt the Talgo crash in Spain. Whilst I'm not a trained statistician, I suspect that, given the size of the rail travelling population in any given European country, the proportion of that population who are killed in crashes is, statistically speaking, zero for all intents and purposes, making comparisons between European countries on the basis of number of fatalities effectively meaningless. When I worked in traffic safety here in Australia we had a similar problem with road crash statistics from some of the smaller population states where the overall number of fatalities was small enough that a single crash of, say a coach or, more frequently, a uteful of passengers, would skew the figures for the year.

 

Any meaningful comparison can only be done by rather more detailed analysis of the likelihood/frequency of potentially fatal incidents. Something I'm sure at least some RMWebbers have expert knowledge of but also something I'm sure that many (myself included) don't.

Completely agree. The Eurostat publication does give details about network size, train kilometres and passenger kilometres which helps in that you can use this to normalise data. For example Germany runs twice as many train km as UK, but on a network that is twice the size, so on average the train density is less. France has somewhat less train density but a much greater load factor so passenger km are high. The basic safety performance is normalised to take account of this and other factors, so for example if you look at UK ORR safety reports they generally show poorer performance than the Eurostat data which also tries to take into account different reporting criteria in different countries.

 

One of the basic safety statistics shown by Eurostat is the percentage of lines fitted with ATP, on which the UK fares very badly. You might reasonably ask why the UK does so well in overall safety performance when we fail so badly on this metric. The answer of course is that ATP is an expensive solution to a rare high consequence event and it is certainly true that UK is potentially vulnerable to a very low probability high consequence event (like the Southall crash) that TPWS and the safety management systems cannot eliminate. However, getting the basics right to protect against more credible incidents has paid dividends. I for one certainly regret that 24 years after Railtrack bet the farm on ETCS level 3 being available (where the impressive safety benefits come for free), the EU has still not been able to finally agree the specifications for the system and individual countries are not permitted to develop/install national alternatives. The UK needs it to get infrastructure maintenance costs down, reliability up and the safety benefits realised. Instead we will get level 2 to replace worn out systems.

 

In a post earlier in this thread there was a comment that French engineers could not understand the UK approach to safety as unlike road traffic accidents there wasn't much data available. The French approach at that time typified what had been the traditional BR approach which was to develop the rule book and standards to take into account experience. The major flaw with this approach is that you are only protecting against the consequences of the accidents that you have already had. Post Clapham there was a real need to change to a proactive approach similar to that adopted in the nuclear power industry, where waiting for an accident to happen and then learning from it would be a tad disconcerting to dwellers neighbouring the power station.

 

So the approach now is risk based: identify what could go wrong, how it could go wrong, how likely it is to go wrong, what the consequences might be and then use this to prioritise your limited funds. It is an absolute requirement in the UK and as noted above other countries including Ireland. So yes, we do look at the likelihood/frequency and potential consequences of all hazards (defined as a situation with the potential to cause harm) and this gives the meaningful approach that you seek.


 

The thing that one always has to remember about computers is that they have absolutely no common sense. If a fault in the programming permits it a computer will cheerfully put two trains onto the same line so there should be another system to prevent that. A human signaller would be unlikely to even if the electrical or mechanical systems were corrupted. On the other hand if, due to confusion or carelessness, a human signaller did try to clear a conflicting movement, the interlocking should stop him so it would require both an error by the signaller and a fault in the system for that safety system to be breached. I'd always understood that computerised signalling systems, including automated ones like the DLR, were backed up by hard wired interlocking but is that still the case? Could a programming error alone cause a collision or would it have to be accompanied by another failure?

 

No, there is no electro-mechanical relay backup / checking to computer based signalling systems. Instead we use the principle of two computers running programs written by separate people coming to the same answer thus hopefully preventing a programming error*. For example if the output must equal the number 100, then one program might do this by addition / subtraction (i.e. 420 - 320 = 100 or 73 + 27 = 100) whilst the other uses multiplication / division (25 x 4 = 100 or 500 / 5 = 100). Unless both programs give the same answer the specified action (represented by the number 100) will not take place.

 

This is no different in principle to requiring two totally different mechanical locked lever frames having to be operated or two completely differently wired relay based interlockings having to agree and come out with the same end result. The problem is humans would intrinsically trust these more because they can have a sensory experience with the individual components used at every stage of the process (metal bars moving / relay contacts moving).

 

So once again I say, providing the human being(s) who design an electronic system design it correctly (including covering all foreseeable failure modes / in service possibilities), maintain it correctly and use it as it is supposed to be used, then it should be trusted. The issue comes when something (such as a communication link) fails and the designer of the system hasn't put in suitable contingency programming to cover it - resulting in the garbage in - garbage out syndrome.


No, there is no electro-mechanical relay backup / checking to computer based signalling systems. Instead we use the principle of two computers running programs written by separate people coming to the same answer thus hopefully preventing a programming error*. For example if the output must equal the number 100, then one program might do this by addition / subtraction (i.e. 420 - 320 = 100 or 73 + 27 = 100) whilst the other uses multiplication / division (25 x 4 = 100 or 500 / 5 = 100). Unless both programs give the same answer the specified action (represented by the number 100) will not take place.

 

This is no different in principle to requiring two totally different mechanical locked lever frames having to be operated or two completely differently wired relay based interlockings having to agree and come out with the same end result. The problem is humans would intrinsically trust these more because they can have a sensory experience with the individual components used at every stage of the process (metal bars moving / relay contacts moving).

 

So once again I say, providing the human being(s) who design an electronic system design it correctly (including covering all foreseeable failure modes / in service possibilities), maintain it correctly and use it as it is supposed to be used, then it should be trusted. The issue comes when something (such as a communication link) fails and the designer of the system hasn't put in suitable contingency programming to cover it - resulting in the garbage in - garbage out syndrome.

Is diversity of this type used in any of the modern Computer Based Interlockings?  It certainly wasn't/isn't in SSI where the processors and their programs are identical and it relies on rigorous checking/testing to iron out software errors. 

 

I believe diverse systems can have problems if the two different processors take a different length of time to produce the "answer", thus there may be an apparent disagreement for a short period.  Also, and probably more significantly, they don't protect against an error in the requirements specification or the top-level design which is common to all the diverse systems, or against two sets of people making the same mistake. 

 

In terms of systems checking other systems, there are all sorts of systems trying to do things to the railway but the most they can do is to send requests to the interlocking.  This is traditionally relay-based but now more likely to be a high-integrity processor-based system which will ignore any requests that would result (according to the design/programming of the interlocking) in an unsafe situation. 

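An added illustration of the two-channel principle discussed in the posts above (mine, not code from any poster or from SSI): two differently written route checks must agree before a proceed output is given, a short disagreement caused by one channel lagging is tolerated but still yields the restrictive output, and a disagreement that persists is treated as a fault. The layout, route table, tolerance window and fault injection are all constructed assumptions.

```python
"""2oo2 voting between two diversely written route-clear checks (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed layout (assumption): route S1-S2 needs track sections T1 and T2
# clear and points P1 lying normal.
ROUTE_SECTIONS: Dict[str, Tuple[str, ...]] = {"S1-S2": ("T1", "T2")}
ROUTE_POINTS: Dict[str, Dict[str, str]] = {"S1-S2": {"P1": "normal"}}


def channel_a_route_clear(route: str, occupied: FrozenSet[str],
                          points: Dict[str, str]) -> bool:
    """Channel A: set arithmetic over occupied sections, then a points-lie check."""
    if occupied.intersection(ROUTE_SECTIONS[route]):
        return False
    return all(points.get(p) == lie for p, lie in ROUTE_POINTS[route].items())


# Channel B deliberately uses a different representation: one bit per section.
SECTION_BITS: Dict[str, int] = {"T1": 0b001, "T2": 0b010, "T3": 0b100}


def channel_b_route_clear(route: str, occupied: FrozenSet[str],
                          points: Dict[str, str]) -> bool:
    """Channel B: bitmask overlap test, then an explicit loop over the points."""
    occ_mask = 0
    for section in occupied:
        occ_mask |= SECTION_BITS[section]
    route_mask = 0
    for section in ROUTE_SECTIONS[route]:
        route_mask |= SECTION_BITS[section]
    if occ_mask & route_mask:
        return False
    for p, lie in ROUTE_POINTS[route].items():
        if points.get(p) != lie:
            return False
    return True


@dataclass
class TwoOutOfTwoVoter:
    max_disagreement_cycles: int = 2   # tolerance for timing skew (assumption)
    disagree_run: int = 0
    latched_restrictive: bool = False

    def vote(self, a: bool, b: bool) -> str:
        """PROCEED only when both channels agree the route is clear; otherwise RESTRICTIVE."""
        if self.latched_restrictive:
            return "RESTRICTIVE"
        if a == b:
            self.disagree_run = 0
            return "PROCEED" if a else "RESTRICTIVE"
        self.disagree_run += 1
        if self.disagree_run > self.max_disagreement_cycles:
            # Persistent disagreement is a fault, not skew: fail safe and stay there.
            self.latched_restrictive = True
        return "RESTRICTIVE"


Cycle = Tuple[FrozenSet[str], Dict[str, str]]


def simulate(scenario: List[Cycle], lag_b: int = 1, max_disagreement_cycles: int = 2,
             stuck_b: Optional[Tuple[int, bool]] = None) -> Tuple[List[str], bool]:
    """Run both channels over per-cycle (occupied, points) inputs.

    Channel B reads inputs `lag_b` cycles old to model processing skew.
    `stuck_b=(cycle, value)` forces channel B's output from that cycle on,
    a constructed channel fault. Returns the voted outputs and the latch state.
    """
    voter = TwoOutOfTwoVoter(max_disagreement_cycles)
    outputs: List[str] = []
    for i, (occupied, points) in enumerate(scenario):
        a = channel_a_route_clear("S1-S2", occupied, points)
        occ_b, pts_b = scenario[max(0, i - lag_b)]
        b = channel_b_route_clear("S1-S2", occ_b, pts_b)
        if stuck_b is not None and i >= stuck_b[0]:
            b = stuck_b[1]
        outputs.append(voter.vote(a, b))
    return outputs, voter.latched_restrictive


NORMAL = {"P1": "normal"}
# Constructed traffic: T1 occupied, clears, stays clear, then T2 becomes occupied.
SCENARIO_NORMAL: List[Cycle] = [
    (frozenset({"T1"}), NORMAL), (frozenset(), NORMAL), (frozenset(), NORMAL),
    (frozenset({"T2"}), NORMAL), (frozenset({"T2"}), NORMAL),
]
# Constructed fault case: T1 stays occupied but channel B is stuck reporting clear.
SCENARIO_FAULT: List[Cycle] = [(frozenset({"T1"}), NORMAL)] * 5

if __name__ == "__main__":
    print(simulate(SCENARIO_NORMAL))                     # one cycle of skew, then PROCEED
    print(simulate(SCENARIO_FAULT, stuck_b=(0, True)))   # latches restrictive
```

Note that the skewed cycle and the cycle in which T2 first becomes occupied both come out restrictive: the voter never lets one channel's "clear" override the other's doubt.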

I suspect most of us undertake activities every day where we entrust our lives to software based safety systems. Many industries rely on software based control and safety systems to operate (including air transport and nuclear) and the technology is reliable and effective. In fact it is more than effective, it would be impossible to get anywhere near the performance and dependability of modern computer based safety systems with old electro-mechanical technologies (with current known technology at any rate). Software based systems actually tend to be more reliable than electric, electro-mechanical, pneumatic and other alternative options. Relay logic was notoriously maintenance intensive, pneumatics were very vulnerable to air quality, electrical systems were sensitive to voltage and frequency and all sorts of other things. Provided there is a good software assurance regime in place and the build data is controlled then to be honest I have more confidence in them than alternatives. In fact the weaknesses and reasons for failure are the peripheral sensors, transducers and more traditional physical parts of the system in my experience, not the computer brain.

As has been said, for several decades there has been a real effort to break free of reactive safety management where we improve safety in response to killing people (the so called tombstone imperative) in favour of risk analysis. And as has been noted, a lot of this work was initiated by the nuclear sector, also aerospace and defence. Many of the systems widely used today were developed as part of the assurance effort for nuclear weapons and their delivery systems in the 50's and 60's. There are multiple standards out there and the tool box for doing risk analysis is now a big one from low end to high end.

Something to remember is that electronic systems do not eliminate human error, they just move the responsibility from a driver, signalman, pilot, plant operator etc to the system designers, programmers, those doing the software assurance and system verification. And there are two real areas of risk, one is the obvious one of what if a programmer makes a mistake and it isn't noticed, but in some ways a more challenging one is how do you establish the reliability of some of the input data for some of these systems? Sometimes people blame the software developers for a failure when the problem is not that the software itself was wrong but rather that the input data used to build it was wrong, a very different concept.


Is diversity of this type used in any of the modern Computer Based Interlockings?  It certainly wasn't/isn't in SSI where the processors and their programs are identical and it relies on rigorous checking/testing to iron out software errors. 

 

It's how SSI was explained to me on my training course - because as you say, if the two programs are identical what if there is the same mistake in each.


There has been a relaxation in requirements for diversity in many applications which does worry many, simply because the systems are now so complex and the assurance and verification is so expensive industries successfully argued it had become prohibitive. The incident I alluded to earlier in this thread was an essential system which if it failed could result in an incident like the Deepwater Horizon. The safety system used three fully independent computers with no cross connection however all three were identical units. There was a time dependent fault (it is a fault which only manifests itself after a certain time or number of cycles), because all three computers were switched on at the same time they all crashed with the same fault at the same time losing the entire safety system completely defeating the redundancy concept. If they'd been switched on in a sequence a couple of minutes apart then there would not have been an incident as they could have been reset and brought back up or a safe suspension initiated without losing all three systems.

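An added simulation of the common-mode failure described in the post above (my code, not the poster's, and not modelled on any real installation): three identical units carry the same latent fault that trips after a fixed number of cycles, and the only difference between the two runs is whether they were switched on together or staggered. Fault interval, restart delay and cycle counts are constructed assumptions.

```python
"""Triplicated safety system with identical units and a time-dependent fault (constructed)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SafetyController:
    """One channel of a triplicated safety system, identical in software to its siblings."""
    name: str
    fault_after_cycles: int   # latent fault: the unit crashes once it has run this many cycles
    start_cycle: int = 0      # cycle at which this unit is switched on
    restart_delay: int = 3    # cycles needed to reset the unit after a crash (assumption)
    cycles_run: int = 0
    crashed_until: Optional[int] = None

    def tick(self, now: int) -> str:
        """Advance one cycle and report OFF, UP or DOWN."""
        if now < self.start_cycle:
            return "OFF"
        if self.crashed_until is not None:
            if now < self.crashed_until:
                return "DOWN"
            # A reset clears the counter, so the same latent fault recurs later.
            self.crashed_until = None
            self.cycles_run = 0
        self.cycles_run += 1
        if self.cycles_run >= self.fault_after_cycles:
            self.crashed_until = now + self.restart_delay
            return "DOWN"
        return "UP"


def cycles_with_total_loss(start_cycles: List[int], fault_after_cycles: int = 100,
                           total_cycles: int = 250, restart_delay: int = 3) -> List[int]:
    """Return every cycle in which no unit was UP, counted once all units have started.

    All units share the same latent fault; they differ only in when they were
    switched on. Identical start times line the crashes up and lose the whole
    system; staggered start times keep at least one unit alive through each crash.
    """
    units = [SafetyController(f"U{i}", fault_after_cycles, start, restart_delay)
             for i, start in enumerate(start_cycles)]
    all_started = max(start_cycles)
    lost: List[int] = []
    for now in range(total_cycles):
        states = [unit.tick(now) for unit in units]
        if now >= all_started and not any(state == "UP" for state in states):
            lost.append(now)
    return lost


if __name__ == "__main__":
    print("switched on together:", cycles_with_total_loss([0, 0, 0]))
    print("switched on staggered:", cycles_with_total_loss([0, 5, 10]))
```

The first run loses all three units for the whole restart window every time the fault trips; the second never does, which is the whole of the difference the poster describes.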

It's been fixed now, but not so long on my local line - a single track branch line - the system usually told you that trains would depart the "terminus" on time, even if the inbound train was known to be late.

That sounds like the information system is not looking at the correct triggers. One issue with using train describers to provide running information is in areas with long signal sections, the data refresh rate is not good enough to create reliable customer information in isolation.

 

The other scenario is that the communication links have failed and rather than give no information, the customer display system has reverted to static data in other words operates to the timetable rather than where the train actually is.


 

Happily. Barnham station, 8th February, around 17:50. Displays at Barnham *and* Chichester told us to stand back as the next train wasn't scheduled to stop, but it was actually a 313 for Portsmouth Harbour. Seemed to get sorted out a few stops later.

 

And - while I'm here - the 7:46 from Horsham to Billingshurst routinely arrives in Horsham and an automated announcement tells me to stand back as the train is about to depart...before the doors have even released. None of this makes me have much belief that I should pay attention to automated announcements.

 

Investigation of the control logs doesn't show any issues to do with the train describers in the Barnham area - so that theory is out. There was some congestion experienced earlier in the day due to a relief crew not being present at Barnham when they should have been, plus of course the high winds and trees being down in a number of locations disrupted the service generally on the Sussex route.

 

It's a pity I do not have access to the Barnham interlocking to have a look at train movements at the time which may have given a clue.


In principle, perhaps. But in practice, I know as a frequent rail traveller that automatic information is often completely wrong, especially when there is disruption. Now it may well be that the system is doing exactly what it was designed to do and people aren't feeding the correct information in properly. But that doesn't change things. Currently, automated systems have no "common sense" and will happily give out rubbish if that's what they've been told, whereas humans have the ability to actually think.

 

Example: 3 coach train leaving Cardiff should drop off 1 coach at Westbury. Due to disruption it's replaced by a 2 coach DMU. The display says "First TWO coaches to Portsmouth Harbour, rear COACHES to Westbury". Utter nonsense, and a human announcer would know that (and that a 150 isn't going to split in the middle).

 

Maybe in principle we could have perfect automated systems that never give out misinformation and that would be lovely. But it's not what we have now and I'll take a member of station staff in touch with control and a view of the signalling diagram any day.

 

As a frequent rail traveller, I learnt a long time ago to take any computerised announcement or display with a pinch of salt and to pay much more attention to what a human tells me.

 

 

In the example you quote the station announcer can only make an assessment about a train's length when it arrives in the station. By contrast an electronic system can in theory provide that information from the very moment the train starts its journey.

 

However if (and this is where the issues frequently lie) the designer of the electronic system has not allowed the information system to get the correct information about a train's makeup (every train headcode has a planned train diagram behind it giving unit numbers and train makeup - i.e. the TOPS data - or whatever the more modern version is and it is not hard to keep track of what unit is on what diagram) then naturally the electronic system will not have the complete picture. In other words it knows what length train should be on that diagram but cannot prove it.

 

Thus while I readily accept that the implementation of electronic information systems is indeed far from perfect - that is not the fault of the system itself and nor does it make the concept of a machine being better able to supply information, or being just as trustworthy as a human, wrong if other humans set it up to do so. With a human however we can sense them looking - be it flipping through a timetable book, radioing a colleague or even using the same information as the electronic system in front of us which provides that essential feedback to our brains and increases trust in the information they provide.


Sorry guys but I can't help thinking that discussions about the accuracy of station information systems is somewhat OT.....

 

However in all truth I have nothing to add, the story seems to have slipped from the headlines. As with all accidents it takes time for the investigators to do their job and publish the results.


It is reported that there were 4 train drivers on board the two trains, of which 2 were driving (killed), the third was an instructor and in one of the driving cabs (killed too) and the fourth travelling in the passenger compartments (now sadly passed away in hospital). The presence of an instructor in a driver cab further complicates the situation because in such a situation it always is unclear (*) who is responsible, whose comments must be obeyed and what to do if the signals and the instructor contradict each other. No details known yet though.

 

Edit: (*) Unclear what has happened after an accident occurred I mean.


It's how SSI was explained to me on my training course - because as you say, if the two programs are identical what if there is the same mistake in each.

Then your trainer was wrong. SSI development was a bit before my time but I worked with several of the team who had developed it, and myself developed a simulator based on the SSI architecture, so probably fair to say I know more about it than most.  I agree there is a risk of a common error but I explained above how it can be managed. 
