
Spanish Rail Crash


Mike at C&M


  • RMweb Gold

Yes, but should the railway management work to design out the likelihood of human failure.

In my industry (Petrochemicals), we are required to design out the possibility of human mistakes with major consequences, on the basis that if they can occur, they will.

 

It strikes me that it is all too easy to blame the driver, and ignore the fact that the safety systems then in place were designed to permit the accident to happen.

Quite right, and within BR it took Clapham to bring the issue of safety to a new pinnacle of importance. Did Piper Alpha do the same for the oil industry, I think?

 

Now, no doubt, RENFE has had a similar awakening, as we hear something safer is now in place for the corner bend in question, and probably a principle will be established.

Link to post

  • RMweb Gold

Yes, but should the railway management work to design out the likelihood of human failure.

In my industry (Petrochemicals), we are required to design out the possibility of human mistakes with major consequences, on the basis that if they can occur, they will.

 

It strikes me that it is all too easy to blame the driver, and ignore the fact that the safety systems then in place were designed to permit the accident to happen.

If the designers of the new line had followed UK practice that is exactly what would have happened - hence my original comments about looking at all the factors involved (i.e. you don't just look at what the Driver did or didn't do but at design, signalling, warning systems and so on). We still have a lot to learn about the real causes of this derailment and I continue to hope that everything related to it will be thoroughly investigated although at last we do seem to be getting away from the early hue & cry which, regrettably and naively, centred on piling blame onto the unfortunate Driver.

Link to post

  • RMweb Gold

It strikes me that it is all too easy to blame the driver, and ignore the fact that the safety systems then in place were designed to permit the accident to happen.

 

I very much doubt that safety systems were designed to permit the accident to happen.  I would have thought that the design brief was to prevent accidents, but in this case, perhaps, not designed very well.  After all, the first Tay bridge was not designed to fall down when a train crossed it in high winds.

Link to post

'Designed to permit an accident' is a misleading turn of phrase which really means that the system, or otherwise, was not sufficiently analysed to identify possible design flaws.  Designs should never knowingly be designed to fail but can accidentally allow failure.

Link to post

'Designed to permit an accident' is a misleading turn of phrase which really means that the system, or otherwise, was not sufficiently analysed to identify possible design flaws.  Designs should never knowingly be designed to fail but can accidentally allow failure.

Not directly relevant here, but in the context of that general statement there are many circumstances when a design is designed to fail in a predictable manner if it is unable to fulfil its primary function.  A couple of examples are vehicle structures which deform and absorb energy if they are unable to withstand a collision, and signalling systems which fail "right side", putting signals to red, if any component does not function correctly. 

Link to post

  • RMweb Premium

That is more fail safe, there are two principal design tools for safety. The first is to design accidents out if possible, the second is to design in features to mitigate an accident. Signal fail safe is in the first group in shutting the line down if a signal fails, car safety cells are in the second group in protecting the occupants in a crash.

Link to post

  • RMweb Gold

I very much doubt that safety systems were designed to permit the accident to happen.  I would have thought that the design brief was to prevent accidents, but in this case, perhaps, not designed very well.  After all, the first Tay bridge was not designed to fall down when a train crossed it in high winds.

I agree with Jeff's comment that systems etc are not designed to permit an accident to happen (in which case it wouldn't be an 'accident' anyway of course).  But systems do need to be designed to eliminate or mitigate the potential for various sorts of incidents and their consequences.  We found when doing SPAD mitigation work on CTRL (now HS1) interfaces that in several places electrification design was such that it would unnecessarily increase Driver workload in rear of various signals thus creating a potential for a Driver to be distracted from observing and complying with signal indications which might result in a SPAD.  It was simply a consequence of the electrification engineers doing what they thought was their job without reference to anything else.

 

The consequence was that through the process we carried out various mitigation measures were identified and incorporated into the design which would either reduce the potential for a SPAD or mitigate its effects (i.e. avoid the potential for a collision) should one occur.  This is just one example to which you could apply the term 'systems design' as part of a process of identifying potential for various types of incident and doing something to eliminate or mitigate that potential.

Link to post

I'm a little unsure how or why the driver being distracted means there were insufficient technical barriers to prevent an accident?

 

From what I can gather, the system worked for a long time without any incident or accident. How long have high speed trains been rounding this corner? How many trains have passed through this section of track?

 

I believe the key point here is "the driver was distracted", anything else is merely a diversion. Instead of saying that automatic braking systems should be in place, or signalling upgrades, how about the focus is placed on the real cause - distraction. Why is nobody calling for the driver distractions to be addressed?

 

The guard called the driver to ask which platform they would be entering at the next station. The call distracted the driver. He lost his bearings. Why was the guard calling the driver to ask such an inconsequential question? Why is there not a system where such information is automatically sent to the guard in the form of a text message to his guard's cabin or wherever it is he sits? The driver is there to drive the train, not tell the guard which platform. It's this distraction that APPEARS to be the cause of the accident, nothing to do with signals or brake application.

 

Unfortunately this places focus clearly on the driver, which I believe is also misguided. The driver made a mistake due to an unnecessary outside influence distracting him from his job at a crucial time. Although this makes the accident the driver's fault, I don't think he is to blame for what has happened.

 

Mark

Link to post

I've heard it said that many (most?) fatal accidents (of all kinds, not just the railway variety) are not the result of having your head bitten off by a tiger that comes out of nowhere but are more frequently a case of being nibbled to death by ducks, every single one of which you knew were there all the time but chose to ignore because, individually, they seemed so harmless and inoffensive, even comical.

 

Duck One: Sharp, speed limited curve following high speed stretch

Duck Two: No automated braking incorporated in infrastructure/train system

Duck Three: No means of providing guard with definitive information on arrival platform

Duck Four: Possibly nothing in regs to prevent guard from responding to Duck Three by ringing driver, especially at a moment of potentially high workload in the cabin

Duck 5: Flamin' great concrete wall end on the outside of a sharp curve, right where a derailed train is going to hit it hard.

 

Etcetera etcetera.

 

Everything's fine for ages until they all happen along at once.

Link to post

I'm a little unsure how or why the driver being distracted means there were insufficient technical barriers to prevent an accident?

 

From what I can gather, the system worked for a long time without any incident or accident. How long have high speed trains been rounding this corner? How many trains have passed through this section of track?

 

I believe the key point here is "the driver was distracted", anything else is merely a diversion. Instead of saying that automatic braking systems should be in place, or signalling upgrades, how about the focus is placed on the real cause - distraction. Why is nobody calling for the driver distractions to be addressed?

 

The guard called the driver to ask which platform they would be entering at the next station. The call distracted the driver. He lost his bearings. Why was the guard calling the driver to ask such an inconsequential question? Why is there not a system where such information is automatically sent to the guard in the form of a text message to his guard's cabin or wherever it is he sits? The driver is there to drive the train, not tell the guard which platform. It's this distraction that APPEARS to be the cause of the accident, nothing to do with signals or brake application.

 

Unfortunately this places focus clearly on the driver, which I believe is also misguided. The driver made a mistake due to an unnecessary outside influence distracting him from his job at a crucial time. Although this makes the accident the driver's fault, I don't think he is to blame for what has happened.

 

Mark

 

...professional driving/piloting of anything requires knowing when to disregard distractions and when it is safe to allow them into your thought processes.

 

Dave

Link to post

  • RMweb Gold

...professional driving/piloting of anything requires knowing when to disregard distractions and when it is safe to allow them into your thought processes.

 

Dave

And professional design of a new railway means trying to take all such things into account in order to either design them out or to mitigate their effect - the things, for example, which PatB listed under his headings of 'Ducks'. 

Link to post

With the professionalism of train drivers, errors of this magnitude are extremely rare.  However accidents over the years show that they have happened, not always for reasons that can be explained (Harrow, Moorgate etc). So technical safeguards are put in place to guard against those rare errors, and who is to know how many more serious accidents have been prevented by systems such as AWS, TPWS and the equivalents in other countries? 

Link to post

  • RMweb Premium

Well my use of "designed to permit the accident to happen" seems to have raised some debate and maybe ruffled some feathers. Nevertheless I stand by that statement.

 

In planning the safety systems, the safety assessment will surely have looked at the needs to provide safe passage through this curve. The decision has clearly been to rely on human intervention only as the means of ensuring that trains met the maximum speed restriction. This in the certain knowledge that humans make errors (although not necessarily here, with a safety system you have to review the worst case). In this respect the safety system was designed to permit the accident to happen since in the event of human error there is no further mitigation system in place. It was a conscious decision by the design team.

 

Does this mean that they envisaged a train coming into the curve at 190kph? No of course not. Indeed I might speculate that one reason why no automated braking system was installed was because the curve is so close to the station that any over-speed would be minimal.

 

If the transcripts and translations of the telephone conversation after the accident are to be believed, then it seems that drivers (plural) had made representation to management about the lack of safety back-up on this curve - and reading between the lines perhaps other drivers had found themselves on this curve at, shall we say, inappropriate speed. And Management had done nothing - again a conscious decision?

 

 

 

Edited to correct punctuation

Link to post

Well my use of "designed to permit the accident to happen" seems to have raised some debate and maybe ruffled some feathers. Nevertheless I stand by that statement.

While I stand by my disagreement with your statement as a general principle, I do agree that in this case the design was deficient in relying on the driver to brake for this curve. 

 

If the design approach was based on applying existing rules and standards, then perhaps they were written around conventional speed railways because high speed lines were assumed to be controlled by other systems. 

 

If there was an approach of identifying and addressing specific hazards, then either this hazard was missed or it was considered and for whatever reason the decision was made that no mitigation was necessary. 

Link to post

  • RMweb Gold

While I stand by my disagreement with your statement as a general principle, I do agree that in this case the design was deficient in relying on the driver to brake for this curve. 

 

If the design approach was based on applying existing rules and standards, then perhaps they were written around conventional speed railways because high speed lines were assumed to be controlled by other systems. 

 

If there was an approach of identifying and addressing specific hazards, then either this hazard was missed or it was considered and for whatever reason the decision was made that no mitigation was necessary. 

I agree with Edwin but in some respects we are talking more about wording than anything else.  It's not so much 'designing for an incident' to happen as failing to design and plan in such a way that avoidable incidents will be avoided.  That requires a different approach to design and systems and while it is one which might upset traditionalists in the approach to railway design and systems it is really something which has gradually grown and become more extensive and considerate of a wider range of factors over a period of time.  Albeit supplemented in more recent years by fancy modern terminology and things like risk assessments carried out as a mathematical exercise rather than relying solely on experience and judgement.

 

Nobody consciously designs for something to go wrong (I hate the word 'accident' in this context) but what can happen is that they don't take every factor into account in designing systems - there are errors of omission as opposed to errors of commission, simple as that.

Link to post

Whilst it's speculation on my part, not having been party to the decision making process, personal experience and cynicism lead me to suspect that the reason for not adopting appropriate and available technology had a dollar sign attached to it.

 

Moorgate taught us, nearly 40 years ago now, that proximity to a terminus is no guarantee of speed reduction if control is left entirely to fallible humans.

Link to post

  • RMweb Gold

In planning the safety systems, the safety assessment will surely have looked at the needs to provide safe passage through this curve.

 

Do we have any evidence of a safety assessment? Until Clapham, no-one on BR had heard the expression. And are we convinced that for RENFE signalling is considered to be part of a safety system, as distinct from a highly-specified engineering exercise?  In BR prior to 1989, signal engineers designed signalling systems in conformity with signalling principles, that's all, as they had been doing for decades. There have been plenty of incidents of over-speed derailments where use of approach control would have avoided those, but wasn't required by those principles, and thus wasn't provided.

 

I, maybe you, have no idea how RENFE signalling design is undertaken, nor whether a safety assessment formed part of the process. We can all speculate that it might in future.

Link to post

  • RMweb Gold

Do we have any evidence of a safety assessment? Until Clapham, no-one on BR had heard the expression. And are we convinced that for RENFE signalling is considered to be part of a safety system, as distinct from a highly-specified engineering exercise?  In BR prior to 1989, signal engineers designed signalling systems in conformity with signalling principles, that's all, as they had been doing for decades. There have been plenty of incidents of over-speed derailments where use of approach control would have avoided those, but wasn't required by those principles, and thus wasn't provided.

 

I, maybe you, have no idea how RENFE signalling design is undertaken, nor whether a safety assessment formed part of the process. We can all speculate that it might in future.

Apart from what is on the 'net I don't know anything about either Spanish high speed line signalling or, more pertinently in the case of this derailment, anything about the transition from a high speed line.  

 

However 'traditional' Spanish colour light signalling owes quite a lot to French methodology albeit with some rather British looking indications and it does include some element of speed signalling indications for low speed (30kph) divergences.  Apart from the considerable difference in linespeed there was - clearly - no divergence involved in the case of this derailment so traditional Spanish colour light signalling would seemingly not cater for it.  But things might have changed since the mid 1990s when the information I have on RENFE signalling was published.

Link to post

You can engineer for most "accidents", but there's always the unforeseen, such as the Land Rover that leaves the road and kills numerous people; the heavy low loader with a transformer that stalls on a level crossing; the drunk train driver who hits a curve far too fast; the whisker of wire that gives a false signal aspect... some of those you can "engineer" out of the equation, others you can't.

Link to post

  • RMweb Premium

The Swiss cheese model is a very good model for demonstrating layers of protection and their failure. Accidents happen when the holes in different layers of protection line up and allow a trigger to escalate up to an incident. No layer of protection is 100% effective, a reason why anything that only relies on a single protection mechanism is a disaster waiting to happen and why trains, aircraft, power plants, process plants have so many layers of protection.

Link to post

  • 7 months later...

Heard on BBC Radio 4 news yesterday evening that a couple of top officials of the Spanish Railways have been charged and arrested in connection with the incident. The drivers have already been arrested as we know.

Link to post

Watched the programme on Sky last week and apparently the top brass have known for over a year that the 'hybrid' type of train did not have the latest EU safety system fitted (or the line side equipment wasn't installed?). That meant that the speed at which the train was moving was such that the fitted safety system was inoperative and that they totally relied on the driver who had just been distracted by an on-board phone call!! The programme seemed to indicate the implication of said top brass - the only surprise is that it has taken so long to act. Mañana in operation? I must say it is some of the most awful footage to watch: what a needless loss of life. As said above, you can't engineer out the human element!

Kind regards,

Jock67B.

PS the layers of protection should have been there which probably led to the eventual arrests?

Link to post

  • 1 month later...

There's been an update on this, link here -

 

http://www.railjournal.com/index.php/europe/driver-error-only-cause-of-santiago-accident-says-report.html?channel=542

 

9 recommendations to RENFE and ADIF, issues regarding the lack of protection for the curve, a report from 2011 raising concerns over the lack of speed markers on approach to the curve not reaching the appropriate authorities, yet the report is only citing the driver as responsible! 

Link to post

  • 3 months later...

I’m afraid there is at least one precedent in Spain of politicians and managers disclaiming responsibility and blaming the driver for an accident.

 

On July 3, 2006 43 people died in a derailment on the Valencia metro (FGV) caused by excess speed on a tight curve. The line concerned had no automatic security system that would have prevented the train from speeding at this point. Later investigations by journalists have shown that, had such a system existed, the accident would almost certainly have been prevented, or at least much less serious.

The subsequent inquiry held in the Valencian Parliament refused to hear many of the experts and witnesses proposed by the opposition, making it impossible to discover the full details of the accident. Later press investigations showed that FGV managers attending the inquiry had been "tutored" by a company paid with public money to deny any liability, and to blame the driver, who died in the crash. Rumours even appeared in the press that he had epilepsy (which would have made it illegal to be driving a train). His incident instruction manual (a compulsory document) disappeared. Some witnesses later admitted that they were afraid of reprisals if they told the truth. There were no resignations over the accident: neither the local government, (several of whose members have since been accused of corruption- mostly unconnected with this case) nor FGV management were prepared to admit that the accident could have been avoided, and the legal case was dismissed.

Some survivors and relatives of the victims allege that the president of the Valencian parliament contacted them, offering jobs or money in exchange for silence. He has refused to confirm or deny these allegations when questioned. Survivors have continued to press to reopen the enquiry.

 

(There are more details and links on Wikipedia, under “Valencia Metro derailment”).

 

Saludos from Madrid,

 

Jerry

Link to post

  • 1 year later...

And the latest news today is that the only person found guilty is the driver, who now faces 80 charges of homicide and 144 cases of injury through professional negligence. The managers of Adif, the infrastructure company, who failed to install automatic braking systems or failsafe devices on the track, have been acquitted. Now, there's a surprise... The association of victims of the crash wanted the senior management of Adif and members of the Ministry of Public Works (Fomento) to be made jointly responsible- initially the judge in charge of the case also accused 27 ex-managers and technicians, but the verdict was overturned by a higher court on the grounds that they were acting in accordance with the regulations in force at the time. Here's a link for Spanish readers:

http://politica.elpais.com/politica/2015/10/07/actualidad/1444211686_428003.html

 

Saludos from Madrid-

P.S. Anybody in the Madrid area interested in a whole load of Railway Modeller back numbers? Twenty years worth, give or take a copy or two...

Link to post

Archived

This topic is now archived and is closed to further replies.

