German Train Crash

[PaulRhB]

My thoughts exactly. I bet there isn't a railwayman posting on this thread who hasn't made a mistake or done something stupid at some stage of their career that could have had serious consequences. I know I have.

 

Mark.

True and why it's heartening to see he had tried to stop them on realising. It's not widely realised just how often the system has to rely on the purely human element and how complex the decisions are because there are so any variations. Any time there's a SPAD or signalling error you feel the realisation that you could have tripped up too. Wilful avoidance of procedure is extremely rare in the percentage of accidents and there's a lot of distractions and pressure out there at all levels and across the board of jobs. There's a good reason railways in Europe have better safety records than roads but like aircraft there's a lot of people in one place when it does happen.

Very sad for all the injured and families bereaved and I think the German Police have handled the release of info very well so far to the media.

[John_Hughes]

My thoughts exactly. I bet there isn't a railwayman posting on this thread who hasn't made a mistake or done something stupid at some stage of their career that could have had serious consequences. I know I have.

 

Mark.

 

Indeed - and not just railwaymen, either. There seems to be no limit to humanity's ability to muck things up - I know I do.

 

It's a tribute to the day-in day-out professionalism of the people we entrust with the job of getting us around safely - often in very difficult circumstances - that such blunders so rarely result in a tragedy.

[jjb1970]

It alway worries me when "human error" is given as the cause of any accident. The one certainty is that humans make errors, often when they're dealing with unusual situations when other ducks are likely to be lining up and sometimes seemingly inexplicable (as at Quintishill). Much if not most of the progress in transport safety has come from not simply accepting someone's mistake as the cause but looking deeper and developing systems and procedures that make it very much harder for such an error to cause an accident.

This is something that always concerns me when I see human error blamed for a safety incident. We all know that human beings are fallible and will make mitakes. Even the most concientious and competent people are liable to errors of judgement. So in a safety critical process systems should be designed to be resilient to human error and designout risk. Note I don't say this eliminates human error as it moves some of the risk from operator to designer but the designs should be subject to a thorough design review process and certification procedure which should hugely reduce the probability of errors being carried through to the final product. Where this is not possible then staff training, operational procedures, management ovesight, corporate cultures etc should be in place to reducethe risk of a human error causing a tragedy. For instance if it was what we might call a genuine mistake (ie. no intent to cause an incident and no distorted judgement as a result of pressure applied to the individual) then how was the person deemed competent for the role, what training is provided, who found them competent, what oversight regime was in place. If external pressure resulted in a failure of judgement then why did that happen, what is crporate culture like? This could go on and often every answer just opens the door to another question but clearly human error is in itself a completely inadequate explanation for a head on collision between trains on a modern rail system.

[Jeff Smith]

My background is aerospace engineering but there are clear similarities when it comes to safety system overrides.  If there are none, like in the case of the inability for the captain to open the cockpit door when the co-pilot locked himself in and deliberately crashed the German A320, then you could argue that there should be.  But is the danger of mis-use greater than the danger of having no override?  The same argument applies to transponders which transmit a/c identification to radar systems - currently most if not all can be switched off in the cockpit but there is a compelling argument that they should not be capable of being switched off so that if a terrorist hijacks a plane it can at least be tracked.....

[PaulRhB]

It's a catch 22 situation if you lock out the human element how do you stop it when the totally automated system fails? As said above with the plane no system can be 100% that's why we have investigation authorities for all transport. We can only minimise risk not eliminate it. In one breath we shout against restrictions and the nanny state and then we demand total safety.

Ask yourselves can you guarantee 100% that nothing will fall off your house as you walk out the door or hit your car on the way to the shops? No, it's impossible. We train people to show them why they have to follow rules. We have speed limits on the road but still they break them through distraction or impatience. I'll bet there's very very few who can say they've never ever broken a rule in a car despite knowing it can cause crashes. Do we really want a system so convoluted to give us 99.9% safety but consequently grinds the entire system to a halt every single day? I'll bet you one week of chaos and you'd be screaming for how it was . . .

[Oldddudders]

ISTR reading of a single-line head-on accident in Switzerland decades ago, in which a mix-up over communication caused two trains to head towards each other. A manager involved realised his mistake and rushed over to pull out the traction current breakers - but as he reached the hut they blew out as a result of the crash. I'm sure you never get over those things. Would you trust anyone who did?

[martin_wynne]

It's a catch 22 situation if you lock out the human element how do you stop it when the totally automated system fails?

 

The objection here is not to the existence of an over-ride mechanism. But to the apparent ease with which one man acting alone was able to use it, for no reason other than a train being a few minutes late. It should surely require co-operation with others, and if in an emergency no-one else is available, the bashing-in of a glass seal or similar.

 

Martin.

[PhilJ W]

ISTR reading of a single-line head-on accident in Switzerland decades ago, in which a mix-up over communication caused two trains to head towards each other. A manager involved realised his mistake and rushed over to pull out the traction current breakers - but as he reached the hut they blew out as a result of the crash. I'm sure you never get over those things. Would you trust anyone who did?

A good example of where better design may have prevented an accident. If the circuit breakers had been to hand perhaps they could have been pulled out in time to prevent the accident.

[PaulRhB]

The objection here is not to the existence of an over-ride mechanism. But to the apparent ease with which one man acting alone was able to use it, for no reason other than a train being a few minutes late. It should surely require co-operation with others, and if in an emergency no-one else is available, the bashing-in of a glass seal or similar.

 

Martin.

Martin that's still assuming he just sent it in as it was running late, that he didn't check why it couldn't be signalled normally.

On the single line I control there's actually nothing to stop me talking a train past the signal without anyone else being involved, Except my training and morals. I know that if I don't follow the process then at best I'll get discipline at worst a crash. We are paid for that responsibility when it goes wrong.

In MBW the driver relies on the fact that I tell him I've got authority from the manager, they only talk to me, no one else. The safety lies in me following procedure and the time it takes.

We know the controller has admitted responsibility in this sad case but not exactly what he did yet or his reason at that moment.

[jjb1970]

It's a catch 22 situation if you lock out the human element how do you stop it when the totally automated system fails? As said above with the plane no system can be 100% that's why we have investigation authorities for all transport. We can only minimise risk not eliminate it. In one breath we shout against restrictions and the nanny state and then we demand total safety.

Ask yourselves can you guarantee 100% that nothing will fall off your house as you walk out the door or hit your car on the way to the shops? No, it's impossible. We train people to show them why they have to follow rules. We have speed limits on the road but still they break them through distraction or impatience. I'll bet there's very very few who can say they've never ever broken a rule in a car despite knowing it can cause crashes. Do we really want a system so convoluted to give us 99.9% safety but consequently grinds the entire system to a halt every single day? I'll bet you one week of chaos and you'd be screaming for how it was . . .

I find it quite sad that health and safety has almost became a pejorative concept in some quarters with silly season "elf n'safety" stories etc. Nobody is saying anything is 100% safe or that any complex process can be made to be 100% safe. That should be our aspiration but there are already well established mechanisms for evaluating cost - benefit and accepting that safety improvements whose benefit is disproportionate to the cost of implementing them should not be mandated. Your post is based on an assumption that more robust safety is directly correlated to tying up a process with red tape, making it more expensive and grinding it to a stop, that is not at all correct and there is no reason why good risk management cannot be integrated into a cost effective, efficient business process as evidenced by 1000's of businesses and organisations around the world. And in fact the railways are an excellent example of organisations that has developed systems to mitigate the risks of human error and embed safety into the design of their systems. When a hole is found in one of those systems the answer is not to retreat into an argument that because other activities are high risk we don't have to do anything or complain that making our operation safer might cost money or be inconvenient, it should be to go out and figure out how to close that hole. Even if your point was true, the people that use that service in Germany are probably being somewhat inconvenienced by this crash. Ask yourself this - if one of your loved ones used that service would you rather they were delayed sometimes because of an additional risk management process (notwithstanding that I do not accept the logic that better safety means this would happen) or would you rather be accompanying an official to the morgue to identify their body? There are two logical positions, human beings are infallible therefore we need not worry about human failure, or humans are fallible and make mistakes. In the second case which I think any sensible person would accept then it is not acceptable to just accept that mistakes happen and that we should accept a few crashes as the price of a working railway.

[PaulRhB]

I'm not saying we should tie things up in the mythical levels of H&S red tape, I'm fully aware of the systems for risk assessment as I do them occasionally. I used an extreme example, stopping the job, because that's others are demanding foolproof systems and there is no such thing.

The current system works well here and I'm sure is near identical in Germany and the official process fully assesses the risks. All I'm saying is you cannot build a system that requires physical unlocking by two people without incurring massive costs in redesigning the interlocking and making it secure especially if the manager is remote. The only other option would be to say don't run until it's sorted out, which could take days. Modern business can't stand that kind of cost and the media backlash would be immense. So in summary the current system doesn't need changing but is unfortunately reliant on people following the system very carefully.

I haven't ever suggested mistakes are acceptable only that we wait to see the report to understand how the system broke down. The Controller has admitted he caused it but we don't have details of how he circumvented the system so that will have to wait for the report and no one can specify any changes until what happened is understood.

[PaulRhB]

I see on a daily basis what disruption fatalities, trespass etc cause and if we become so risk averse that we attempted to cover every possibility the only way would be to only run when all systems were working perfectly. If that was the case them there would be no reason to highly train and give such responsibility to a Signaller. We are there to follow the process to keep things moving when the system fails and take the responsibility for our actions, in court if it comes to that. We are well trained and then tested regularly and make suggestions and get involved in solving any issues that arise to make it safer.

I can't see anywhere I suggested we never review the system, just that we find out what went wrong first.

[meil]

Martin that's still assuming he just sent it in as it was running late, that he didn't check why it couldn't be signalled normally.

On the single line I control there's actually nothing to stop me talking a train past the signal without anyone else being involved, Except my training and morals. I know that if I don't follow the process then at best I'll get discipline at worst a crash. We are paid for that responsibility when it goes wrong.

In MBW the driver relies on the fact that I tell him I've got authority from the manager, they only talk to me, no one else. The safety lies in me following procedure and the time it takes.

We know the controller has admitted responsibility in this sad case but not exactly what he did yet or his reason at that moment.

Theoretically you can do this but I know that if I told a driver to pass a section signal at danger for the purpose of passing through the section and without token, pilotman or signalman's ticket in circumstances where the driver was expecting to cross with another train his first action would be to call for the men in white coats to take me away in a straight jacket.

[PaulRhB]

Theoretically you can do this but I know that if I told a driver to pass a section signal at danger for the purpose of passing through the section and without token, pilotman or signalman's ticket in circumstances where the driver was expecting to cross with another train his first action would be to call for the men in white coats to take me away in a straight jacket.

That's what I meant though, I issue the ticket for MBW, the driver has to assume I have the right authority to do so

I've issued 8 MBW tickets in the last couple of years, I checked, and pilotworking many more times than that including 5 nights three weeks ago. I'm lucky in that I get a lot of practice but you are always aware that if you get the info wrong talking to a manager who's been dragged out of bed at 04:00 they have no way of verifying that I'm correct apart from asking what the last train through was. Drivers know I control both ends of the section so they have to trust that when I issue the ticket I have followed all the procedures. Now if I forgot to authorise it, it has happened in the UK, for whatever reason then I am the only one doing it and how would they know.

The story from Germany says he didn't talk to his manager to get the authority so it suggests for he didn't know the process fully or for whatever reason forgot the second check. When we are double manned we always check each other setting routes etc but we still require either a manager for MBW or a pilotman to agree before we talk into section. If the German system is similar in principle to MBW then the driver has no way of knowing we haven't done all those checks, they aren't required to ask if we have the authority we just have to tel them why we are doing it, ie due to failure.

[phil-b259]

ISTR reading of a single-line head-on accident in Switzerland decades ago, in which a mix-up over communication caused two trains to head towards each other. A manager involved realised his mistake and rushed over to pull out the traction current breakers - but as he reached the hut they blew out as a result of the crash. I'm sure you never get over those things. Would you trust anyone who did?

Some of the details around this case are sounding alarmingy familiar back in the mid 90s we in the UK had a very nasty head on smash at Cowden on one of the three single line sections of the Uckfield branch. On this occasion the driver for of one train SPADed the signal protecting the single line and continued without stopping. The signaller in Oxted box got an alarm as the train ran through the points (which were set to recieve a train already in the single line section. With no form of radio to contact the trains involved he had to simply sit and watch as the two trains continued towards a head on crash. All his supervisors could do is say to him was "tell us where they meet so we know where to send the emergency services". Unsurprisingly he suffered considerably from the experience and it totally destroyed his signalling career (from a personal perspective that is - management did their uppermost to help him, but as with suicides, there are some things some people just cannot cope with)

 

One of the many things that came out of that incident was a deep fear of anything unusual. As such if there was any issues with the signalling down there Pioltman working would be implamented immediately.

 

Of course with TPWS fitted to the line & units things are much safer - which is precisely why I will not tolerate people trying to excuse WCRs behaviour with regard to it.

[Oldddudders]

Some of the details around this case are sounding alarmingy familiar back in the mid 90s we in the UK had a very nasty head on smash at Cowden on one of the three single line sections of the Uckfield branch. On this occasion the driver for of one train SPADed the signal protecting the single line and continued without stopping. The signaller in Oxted box got an alarm as the train ran through the points (which were set to recieve a train already in the single line section. With no form of radio to contact the trains involved he had to simply sit and watch as the two trains continued towards a head on crash. All his supervisors could do is say to him was "tell us where they meet so we know where to send the emergency services". Unsurprisingly he suffered considerably from the experience and it totally destroyed his signalling career (from a personal perspective that is - management did their uppermost to help him, but as with suicides, there are some things some people just cannot cope with)

One of the many things that came out of that incident was a deep fear of anything unusual. As such if there was any issues with the signalling down there Pioltman working would be implamented immediately.

Of course with TPWS fitted to the line & units things are much safer - which is precisely why I will not tolerate people trying to excuse WCRs behaviour with regard to it.

Perhaps I should not sleep well. After all, I wrote the Investment Submission for the singling etc of that line. But I remain convinced that the system the engineers installed was adequate to meet the safe operating requirements of the day, and, as we have been discussing, it was cavalier human intervention that caused the loss of life. ISTR there were suggestions the guard was driving the train.

[The Stationmaster]

Perhaps I should not sleep well. After all, I wrote the Investment Submission for the singling etc of that line. But I remain convinced that the system the engineers installed was adequate to meet the safe operating requirements of the day, and, as we have been discussing, it was cavalier human intervention that caused the loss of life. ISTR there were suggestions the guard was driving the train.

 

This can often be the case Ian.  We make (or made) managerial decisions based on the knowledge of the time, on the safety ethos, Rules and design criteria, and equipment, of the time and so on.  While I had nothing at all to do with it at any stage some of the things said after the collision about the Portobello Jcn - Ladbroke Grove arrangements were said by people who should have known better and who were riding their own hobby horses.  In my subsequent consulting days I came across one such in a meeting who pointed out to me that if a train was running late on my trainplan and layout proposals another would pass a signal showing single yellow - to which I replied that is obvious, however if the first train is running punctually the other one will get a green.

 

It all  comes back to what has already been said - in the end there are a number of situations where you have to rely on the human element although as history has shown various mitigations have been introduced over the years to cater for humans getting it wrong.  However what that then might do is introduce a need for cost-benefit accounting for such measures and that moves the decision somewhere else.  And also of course you have to face the potential failure situations as Paul has explained.

[roythebus]

Has there been any update on the actual cause of this accident yet?

[TonyA]

Has there been any update on the actual cause of this accident yet?

This was posted on Deutsche Welle a few days ago.

 

http://www.dw.com/en/two-tragic-mistakes-led-to-bavarian-train-crash/a-19147431

 

Tony

[Oldddudders]

Whether he goes to jail or not, that guy will never be the same. How can you recover from something like that?

[locoholic]

I have no technical knowledge of these matters, so maybe I'm being naiive, but surely in the 21st century it must be possible to configure the signalling so that it's impossible for a train dispatcher to clear the line for two trains travelling on a collision course?

 

If we're relying on a human not pressing the wrong button, we're not really any further forward than Abermule or Radstock.

 

Or is this just a case of the media over-simplifying the story for the general public?

 

P.S. At Cowden, why wasn't some kind of catch-point installed at the end of the loop, so that a SPAD wouldn't result in a head-on collision?

[LMS2968]

I have no technical knowledge of these matters, so maybe I'm being naiive, but surely in the 21st century it must be possible to configure the signalling so that it's impossible for a train dispatcher to clear the line for two trains travelling on a collision course?

 

If we're relying on a human not pressing the wrong button, we're not really any further forward than Abermule or Radstock.

 

Or is this just a case of the media over-simplifying the story for the general public?

 

P.S. At Cowden, why wasn't some kind of catch-point installed at the end of the loop, so that a SPAD wouldn't result in a head-on collision?

Yes, it's possible, but the question then arises: what do you in the event of a systems failure? If, for instance, you have a train fail in a section, how do you authorise an assistant train to enter the occupied section to clear it?

 

A snag with all such systems is that the must be some way of over-riding it when problems arise. All you can do is make the over-ride difficult, time consuming so that the person has some thinking time about what he is doing, and an accountability system so that the person must be able to justify his action, whether or not an accident occurred.

 

[martin_wynne]

A snag with all such systems is that the must be some way of over-riding it when problems arise. All you can do is make the over-ride difficult, time consuming so that the person has some thinking time about what he is doing, and an accountability system so that the person must be able to justify his action, whether or not an accident occurred.

 

That's not all you can do. The most obvious is to require more than one person to agree on the course of action to be taken. And if in an emergency no-one else is available, it requires something dramatic such as the smashing of a glass seal.

 

Martin.

[The Stationmaster]

I have no technical knowledge of these matters, so maybe I'm being naiive, but surely in the 21st century it must be possible to configure the signalling so that it's impossible for a train dispatcher to clear the line for two trains travelling on a collision course?

 

If we're relying on a human not pressing the wrong button, we're not really any further forward than Abermule or Radstock.

 

Or is this just a case of the media over-simplifying the story for the general public?

 

P.S. At Cowden, why wasn't some kind of catch-point installed at the end of the loop, so that a SPAD wouldn't result in a head-on collision?

 

Some answered already of course but a few things are relevant.

 

Firstly effectively all that would seem to have happened at Bad Aibling is that a Driver was instructed to pass a signal at danger.  There can be all sorts of reasons (legitimate) for such an action but it clearly presents a potentially greater risk if that signal controls the entrance to a single line section and that is where the need for additional instructions, or additional steps in Instructions or reference to a second person is needed to add a layer of additional protection.  But there will still inevitably be a final human decision and thus an unavoidable human element.

 

Providing a trap point (very much frowned on in the UK as statistically they were long ago established as a greater source of derailments causing more problems  than they solved) is one possibility but really that means only providing an additional step/item to check in the process - that step might serve as a reminder but it might not.  A sealed release is basically an irrelevance because if a signal is being passed at danger there is no need to release anything - effectively the signal is not there except as marking a place for a train to halt before being given a verbal Instruction to proceed.

 

Some benefit would come from an open channel radio system on which all Drivers would hear a particular train being instructed to pass a signal but such systems can just as equally lead to confusion and the wrong train starting off so in Britain they are frowned on for such Instructions (which makes sense to me in a mainline railway context although it is a good idea in a low speed situation).

 

The big safety benefit - as included (not too cleverly as it happens) in the BR Driver-To-Shore radio system is to use a broadcast (to all receiving units) emergency message and careful arrangement of coverage could be one of the best safeguards if an Instruction is given inadvertently.

 

As it happens PaulRhB and I are familiar with a particular system on BR (and successor) on a long stretch of single line where trains could be given a verbal Instruction to enter a single line section under certain signalling system failure conditions.  That system was extremely tightly regulated and required the Signalman to obtain permission to do so from a manager and, in my day,  there was only one manager at any time (out of a pool of three) legally authorised to give that permission - and yes, I do mean legally as it was in accordance with an Order issued on the authority of the Secretary of State.  So it was still entirely verbal and as it happens the manager could be (and usually was) miles away from the Signalmen involved but it imposed a second layer and it worked well and perfectly safely;  I never bothered to count how many times I gave such authority but over a space of three years it might well have run into three figures.

 

The situation is in my view very simple - if you are going to give trains verbal authority to enter a single line section you need a set of suitable, readily comprehended, Instructions with some suitable imposed checks (by a second person) built in, and you apply them rigidly ideally using a voice recorder for the procedural parts. The alternative of course is even simpler - you jus delay (considerably) or cancel the affected train(s) - however passengers tend not to be over keen on those alternatives.

[Edwin_m]

I have no technical knowledge of these matters, so maybe I'm being naiive, but surely in the 21st century it must be possible to configure the signalling so that it's impossible for a train dispatcher to clear the line for two trains travelling on a collision course?

 

If we're relying on a human not pressing the wrong button, we're not really any further forward than Abermule or Radstock.

 

Or is this just a case of the media over-simplifying the story for the general public?

 

P.S. At Cowden, why wasn't some kind of catch-point installed at the end of the loop, so that a SPAD wouldn't result in a head-on collision?

To add to Mike's answer, it appears one of the trains was authorised to pass using a "back-up" signal which is there to keep things moving in the event of failure of the signalling equipment.  However the more checks you put into the backup system, the more likely it is that whatever caused the failure in the first place will also render the backup useless.  So at a certain point you have to fall back on a manual system, and I agree with Mike that it helps to make this a bit awkward and especially to involve a second person.  From what I can gather the signaller was supposed to check certain things were true before authorising the train to proceed, and maybe just reading the list of checks over the radio to the driver would be sufficient? 

 

A trap point would be irrelevant in this case because the signaller appears to have made the decision that the train was to proceed, and would presumably have set any trap point to allow that to happen.  In any case a train protection system such as the one fitted on this line, and TPWS as used on Network Rail, would have stopped the train just as effectively and much more safely had it been commanded to do so.