German Train Crash

[meil]

I find it incredulous that a signalman (I assume that is what "dispatcher" is) can override the signalling system in this simple manner. Is the signalman being scapegoated? You couldn't do this if an ETT system had been installed and that system is over a hundred years old! yes I know about Abermule but then the starting signal wasn't interlocked.

[The Stationmaster]

I find it incredulous that a signalman (I assume that is what "dispatcher" is) can override the signalling system in this simple manner. Is the signalman being scapegoated? You couldn't do this if an ETT system had been installed and that system is over a hundred years old! yes I know about Abermule but then the starting signal wasn't interlocked.

 

Oh yes you could - you could just as readily instruct a Driver to pass the Section Signal on any  system of single line signalling ever used in Britain.  However the circumstances in which he would be allowed to pass such a signal and proceed through the section were very limited indeed and would inevitably have involved the presence of a Pilotman (except in respect of the system and situation I mentioned in Post 214).

 

And in fact in various of the single line Signalling Regulations it was quite legitimate to instruct a train to pass the Section Signal at danger in order to make a shunting movement into a section which was already occupied by a train provided that train was proceeding away from the crossing /token station at which the second train was to be shunted into the section.  So on the occasion when a Signalman and I deliberately had two passenger trains in the same token section we were acting strictly in accordance with the Instructions in the General Appendix and the Electric Token Block Signalling Regulations (mind you I had to show the Driver of the train I was shunting the contents of the General Appendix before he was prepared to pass the Section Signal at danger).

[PaulRhB]

It's often thrown about Signalmen are overpaid, the responsibility to make those decisions and the consequences of getting it wrong are why they are paid what they are. And it's less than the drivers they are directing in the vast majority of cases.

[Oldddudders]

It's often thrown about Signalmen are overpaid, the responsibility to make those decisions and the consequences of getting it wrong are why they are paid what they are. And it's less than the drivers they are directing in the vast majority of cases.

 

Drivers and signalmen were traditionally rivals for status and salary. On 1.4.94 signalmen found themselves all still working for one employer, as they still are, while over the next couple of years drivers found there was a new and lucrative market in their skills among TOCs. Guess who earns more today?

[PaulRhB]

Oh I know, you only have to look at their car park opposite!

 

If we relied on the systems to work all the time there'd be spectacular delays. The Signalman is there to become the safety when the interlocking system fails. We have to know the Rule Book, Sectional Appendices, Special Box Instructions and the National Operating instructions, (which basically is a lot of the stuff culled from the Rule Book), and put all four together to keep things moving when it goes pear shaped

People need to be realistic when making statements about the Signaller shouldn't be allowed to do such things. Whatever their process was it went wrong and it will be useful to know why if only to instruct people why to take their time.

Following that process in degraded situations and getting it all done safely is one of the best bits of the job even if it frazzles you at the end of the shift

[Mark Saunders]

Drivers and signalmen were traditionally rivals for status and salary. On 1.4.94 signalmen found themselves all still working for one employer, as they still are, while over the next couple of years drivers found there was a new and lucrative market in their skills among TOCs. Guess who earns more today?

 

When the Drivers were divided between the TOCs & FOC's it ended the ability of ASLEF to have a National Strike but instead handed it to the Signalmen!

 

Mark Saunders

[Oldddudders]

When the Drivers were divided between the TOCs & FOC's it ended the ability of ASLEF to have a National Strike but instead handed it to the Signalmen!

 

Mark Saunders

 

ISTR there was nearly one of those in the first few months after Railtrack took them over. I was on standby to go back to London Bridge, where in 1976 I had been a temporary Traffic Regulator after commissioning. Scary!

[Talltim]

When the Drivers were divided between the TOCs & FOC's it ended the ability of ASLEF to have a National Strike but instead handed it to the Signalmen!

 

Mark Saunders

The drivers no longer need to strike (for pay anyway) they just move to a better paying TOC

[jjb1970]

I find the conclusions reported very troubling. To me if a safe system of work allows a safety critical system to continue operating either without engineering controls to minimise the probability of a head on collision or with those controls in a degraded state with what appears to be total reliance on the sound judgement of a single individual then it is not fit for purpose. I can see why it may be necessary to accept continued operation with a degraded control system but in such cases I'd really expect something a bit more robust in terms of checks and controls than relying on an individual not to make a mistake. Latching onto human error and not asking the questions of how such an error could happen is pointless IMO, the very fact that human error by an individual could cause a fatal collision is in itself evidence that something was seriously wrong quite apart from human error.

[PaulRhB]

But what do you do if someone doesn't follow the process? That applies as much in your car and can have equally bad consequences.

Handling dangerous goods relies on one person to be responsible. There's loads of examples where it relies on one person to follow process and unfortunately every now and again the human element fails as well as the system.

This from initial reports seems to be a catastrophic error in not completing the process so it's why that will hopefully come out.

Commercial reality means risk assessments are made of the possibility of this vs performance and inevitably cost and if you looked at the percentages they are incredibly low but they make big news. There have been far more people killed because of level crossing abuse but do we talk about stopping people driving because a minority don't obey the lights?

I think some people would have kittens if they realised how often we keep trains moving with the UK equivalent. The drivers know the Signalmen and they trust us to have done all those checks.

[locoholic]

I find the conclusions reported very troubling. To me if a safe system of work allows a safety critical system to continue operating either without engineering controls to minimise the probability of a head on collision or with those controls in a degraded state with what appears to be total reliance on the sound judgement of a single individual then it is not fit for purpose. I can see why it may be necessary to accept continued operation with a degraded control system but in such cases I'd really expect something a bit more robust in terms of checks and controls than relying on an individual not to make a mistake. Latching onto human error and not asking the questions of how such an error could happen is pointless IMO, the very fact that human error by an individual could cause a fatal collision is in itself evidence that something was seriously wrong quite apart from human error.

 

I've spent some time reading back through this thread, and I agree with jjb1970 above. Either we've misunderstood, or some aspect of the fail-safe procedure hasn't been reported, or the system in operation wasn't fit for purpose, with the tragic results we know about. Is there any sign of the German rail authorities acknowledging the latter, and planning to introduce a safer system?

[jjb1970]

If a single individual can make a mistake with such catastrophic consequences then the risk management system is inadequate. Technical risk management relies on multiple layers of protection along with a recognition of the fallibility of human behaviour. People make mistakes and are subject to errors of judgement, no matter how competent, dedicated and quick witted they are, and risk management has recognised that for many decades.

[Mark Saunders]

If a single individual can make a mistake with such catastrophic consequences then the risk management system is inadequate. Technical risk management relies on multiple layers of protection along with a recognition of the fallibility of human behaviour. People make mistakes and are subject to errors of judgement, no matter how competent, dedicated and quick witted they are, and risk management has recognised that for many decades.

 

I would believe that it would have taken two and or the second person not to notice the mistake of the first!

 

Mark Saunders

[PaulRhB]

Reading between the lines I think I know what happened, but not why though I can guess, but it doesn't help to speculate here in case it's wrong because I don't have enough info to be sure.

Ultimately one person can override most systems unless, like nuclear launch, two unique keys are required to physically unlock the system every time. That's hideously expensive to do remotely and why we have Modified Block Working in the UK instead.

When I do it I will grab any available member of staff including a driver to double check as well as calling the On Call Manager. It slows it down and we all do it to give thinking time because safety does come before performance. I much prefer Pilotman working as I have someone else fully familiar with the system to work with but often the MOM or spare Signalman can be an hour or more away so we have MBW to get things moving.

If you follow the process it's safe and if there's any doubt on any part of it you don't go on that's drummed into us and why we train new Signallers to make a brew and think. It's not a distraction it's making time to double check without pressing buttons or answering calls that can distract.

[The Stationmaster]

I find the conclusions reported very troubling. To me if a safe system of work allows a safety critical system to continue operating either without engineering controls to minimise the probability of a head on collision or with those controls in a degraded state with what appears to be total reliance on the sound judgement of a single individual then it is not fit for purpose. I can see why it may be necessary to accept continued operation with a degraded control system but in such cases I'd really expect something a bit more robust in terms of checks and controls than relying on an individual not to make a mistake. Latching onto human error and not asking the questions of how such an error could happen is pointless IMO, the very fact that human error by an individual could cause a fatal collision is in itself evidence that something was seriously wrong quite apart from human error.

 

I get the impression - and don't forget we are really looking at press translations into English of the way a German newspaper/their media are presenting the facts - that there was a seemingly robust system of Instructions applicable to such a case but the Signalman failed to properly apply them (and/or to apply the full extent of them).  Without knowing the Instructions - ideally seeing a decent translation of them into English of course - we don't know how good or bad those Instructions are and whether there are holes in them or whether there was a major, and unnoticed, procedural lapse on the part of the Signalman.  My impression is that it seems to have been a combination of the two but I might be reading wrongly between the lines.

 

I have very limited experience of German operational Instructions although considerable experience in another sphere and in that area they were very insistent on following very clear procedures which were neither onerous to understand or capable of misinterpretation although quite proscriptive - but that was back in the late 1990s.  Beyond that I can offer no judgement on their methodology other than to say that in some cases it might be rather 'ponderous' (and if that is the case therein might lie a problem?).  Equally i don't know if they are as advanced as Britain and some other countries when it comes to consideration and maximum mitigation of potential risk when considering or writing procedures.

[PaulRhB]

Another thing is if I didn't think the systems we have were robust why would I travel in trains as a punter or a pilotman? This applies equally to German Railways and we haven't seen a major outcry over there so that tells me their industry knows what went wrong and if there was a flaw in the system I'm sure it was briefed out rapidly.

I'd be amazed if they don't have very similar processes to us for risk management and their rule book no doubt evolved in part from the same grisly experience as ours. There's a good reason for the reputation for process of our German counterparts and having spoken to a couple now working over here there's very little difference overall.

Some accidents are down to following rules that have been interpreted wrongly rather than not following them at all. Our assessment process means we are tested on a three year rolling cycle and being a qualified assessor I use that opportunity to question around the computer tests and have identified misunderstandings that are then easy to sort before they ever have to apply them. We also encourage people to ask an adjacent box or the on call Manager if they are ever unsure as similarly it highlights issues. It may be a cliche but you can be damn sure if one person doesn't know they aren't alone and removing the fear of asking is paramount. You get to know your colleagues and these things get discussed between boxes and raised officially as a result.

There's a host of possibilities in the details and they will be shared internationally because it's important to understand and see if our own system, including people and management style too has a similar potential issue.

[jjb1970]

Germany doesn't actually have such a great reputation for industrial health and safety. When I worked in electricity generation my employer was German and their safety record in Germany was significantly worse than their UK plants. Something I found interesting was that whereas in the UK the safety rules were still based on the old CEGB rules which required isolations and earths to be locked with the keys going in a key safe and key safe keys being controlled including being attached to the permit for work which itself went in a permit safe in Germany they tended to use tag out systems with no securing of isolations. Their argument was that why would anybody ignore a tag however the safety incidents tended to highlight the fact that people did ignore tags at times or make mistakes as the tag system allows people to make mistakes in a way which is prevented in the UK system. The UK side was also much more enthusiastic about the cascade interlocking key system for switchgear rather than relying on procedural controls for switching. Nowadays I work for one of the trade associations in the offshore energy sector and there have been some diving fatalities in Germany that really do not speak well of the safe systems of work that were in place.

My own view, and it is a personal view, is that humans are inherently fallible and will make mistakes. Therefore control systems should be designed to be resilient to human error and maloperation, that is best done by engineering controls (and yes, I know that just moves the potential for human error from operator to designer but there are rigorous assurance processes for design and manufacture that are not possible for operational controls) with procedures and training backing this up. There is a lot that can be done by applying good ergonomics, many control stations are accidents waiting to happen just because of poor ergonomic design. I find it rather depressing that in the modern world where the basic principles of ergonomics and occupational psychology are far from new there is still so much poor ergonomic design.

[Edwin_m]

The human brain evolved to manage nothing more sophisticated that a complicated hunt for animals, and risks with probabilities in the range of a few years and severities in the range of being eaten by a lion.  So it needs some assistance when trying to cope with something moderately complex like train operation, and with risks that are much less frequent but have much more severe consequences. 

[Andy Hayter]

.........and yet, having worked in several coutries in Europe I have found some profound differences in the way people work and the way they tackle problems.

 

Given a particular problem. I would find that in the UK a discussion with the team, would result in the team going away, discussing among themselves, maybe asking for guidance on some points and a working solution being arrived at.  In France a simialr process would follow but with more need for formal meetings to agree the main principles at various points in the process.  In Germany I would be asked for the working instructions for the process and since in such circumstances none would exist, it would be necessary to have extensive discussions to have the instructions devised and written down. 

 

With such reliance on instructions and it must be said a general requirement to follow them/expectation that they will be followed to the letter, I can understand why a need for second and third level protection is not always seen as essential.  I think that is a view that is (rightly) changing, but it is deeply ingrained in the psyche. 

[meil]

Oh yes you could - you could just as readily instruct a Driver to pass the Section Signal on any  system of single line signalling ever used in Britain.  However the circumstances in which he would be allowed to pass such a signal and proceed through the section were very limited indeed and would inevitably have involved the presence of a Pilotman (except in respect of the system and situation I mentioned in Post 214).

 

And in fact in various of the single line Signalling Regulations it was quite legitimate to instruct a train to pass the Section Signal at danger in order to make a shunting movement into a section which was already occupied by a train provided that train was proceeding away from the crossing /token station at which the second train was to be shunted into the section.  So on the occasion when a Signalman and I deliberately had two passenger trains in the same token section we were acting strictly in accordance with the Instructions in the General Appendix and the Electric Token Block Signalling Regulations (mind you I had to show the Driver of the train I was shunting the contents of the General Appendix before he was prepared to pass the Section Signal at danger).

Yes I agree you can do this but the point is the reason you are instructing him past is because the interlocking is preventing you pulling the signal off. Also when instructing him to pass you are telling him why you are doing it (ie running around train). Therefore two people know of the circumstances. You yourself said you have been questioned by a driver when authorising. Further these permissions are given in defined instances (Blocking Back etc). No driver is going to accept an authority to pass to travel through the section without explanation, pilot-man or signalman's ticket.

 

The German situation appears that an override (very easily put in place it would seem) by the signalman was unquestionably obeyed by the driver of the train given an "erzats" section signal. it is for that reason I say - is the signalman being scapegoated? He was given a system easily overridden and an unquestioning driver given an "erzats" signal with no explanation.

[jjb1970]

I don't know whether I'd use the word scapegoated, as regardless of the shortcomings of a safe system of work people have a responsibility to discharge their own duties and responsibilities to an acceptable standard. Often these cases are represented in terms of opposed positions which see the person who made a mistake as being a scapegoat and that all of the responsibility is with the organisation and an opposite position which says the person was given a procedure, he didn't follow it therefore it's all his fault. I really don't see that there is a conflict, people can be held accountable for their actions whilst also looking at the wider context and expecting the organisation to take responsibility for a safety system that allows an individual to make a mistake which has such awful consequences. In this case we do not know the whole story and I'm not arguing that the individual who has been blamed and who is facing legal proceedings should be left to walk and leave his employer to face the music, but I am deeply troubled that there is a sense of complacency about the whole attitude of investigators with respect to the wider deficiencies in how trains are controlled which seem apparent. Unless they learn lessons (yes I know, that is straight from the lexicon of management BS but in this case it is appropriate) then prosecuting the individual (who will have to live with his mistake for the rest of his life) is not going to achieve anything in terms of making the railways safer. And surely one of the principal objectives of any investigation following the identification of what went wrong is to identify measures to avoid a repeat occurrence.

In terms of the German attitude to procedures, I think Andy Hayter makes a good point. I found that their approach was to have a procedure for everything and a culture whereby if there is a procedure then it is the job of an employee to follow it and that procedures are a perfectly acceptable primary risk management tool. I'm not arguing we do not need procedures and it is common sense (which not be so common) that any safety critical process needs robust operating controls but they should complement efforts to design out risk and to mitigate risks using engineering controls to make the system resilient to human failure.

[meil]

I'm not arguing for the exoneration of the signalman. He did something wrong and should be held accountable but so should others who placed him in that position; the unquestioning driver and the signal system design.

[The Stationmaster]

Yes I agree you can do this but the point is the reason you are instructing him past is because the interlocking is preventing you pulling the signal off. Also when instructing him to pass you are telling him why you are doing it (ie running around train). Therefore two people know of the circumstances. You yourself said you have been questioned by a driver when authorising. Further these permissions are given in defined instances (Blocking Back etc). No driver is going to accept an authority to pass to travel through the section without explanation, pilot-man or signalman's ticket.

 

The German situation appears that an override (very easily put in place it would seem) by the signalman was unquestionably obeyed by the driver of the train given an "erzats" section signal. it is for that reason I say - is the signalman being scapegoated? He was given a system easily overridden and an unquestioning driver given an "erzats" signal with no explanation.

 

I think you have lighted on a key point in this incident - and one which we have not received a full explanation of so its relevance might or might not be critical.

 

As you say the clear implication is that a fixed signal (your 'ersatz signal' - presumably some sort of subsidary signal?) was a cleared to authorise the train to proceed onto the single line.  Presumably - and it is only a  presumption - the Driver was told to proceed on the authority of that signal and seemingly if he did question it he was reassured - note 'if he did question it'.  This is really an area where what the media and, more importantly, statements by the investigators have told us no more than part of the story.  We know little about this signal, we know nothing about its proper use or even any hints of improper use, and we know nothing about any Instructions relating to its use.  Equally we know little or nothing about how the authority to enter the section given by this signal is conveyed to the Driver as an authority to proceed through the section at normal running speed.

 

In other words there is an important gap in our knowledge about what should have been done at that level and what was done.  This is in my view - for the very reason you have identified - is as important as the Signalman's incorrect decision to give the train authority to enter the section - was there a procedure for talking, explaining and the Driver questioning or was it simply 'take that signal Driver and away you can go?'  It would be very helpful to know the details of the entire procedure.

[meil]

Erzats signal comes from post 52.

[Arthur]

 

Further update, allegations that the controller involved was playing a computer game on his phone at the time.

 

http://www.bbc.co.uk/news/world-europe-36025951