Monday, April 12, 2010

Derailment of London Dockland Light Railway train, 10 Mar 2009

The report from the Rail Accident Investigation Board (RAIB) has been published and is available for download.

I've taken this summary from an article by Robert (Bob) Waixel on the Risks Digest.

Background

Docklands Light Railway (DLR) is an off-street rapid transit light railway
system in London, England (it is different from the London Underground or
'Tube' system).

DLR trains are normally run under remote automatic computer control
(monitored by controllers) but from time to time are controlled by a
passenger service agent onboard, at times of so-called degraded working. At
the time of the derailment on 10 March 2009 this was the case, as the
automatic signaling had failed at a complex three way intersection. The
person driving (for simplicity referred to as 'the driver' from now on) was
being given instructions by a controller in a control room by radio. When
being manually driven, trains can only be driven at a very restricted speed.

There are very few colour light signals on this railway since they are not
needed when trains are being driven automatically. Points (US: switches)
where lines diverge (or converge as in this case) have Point Position
Indicator (PPI) display lights (at ground level) to indicate their
setting. Such setting can also, of course, be confirmed by the position of
the point/switch blades themselves.

In this accident the train ran through a set of trailing points at low speed
and was derailed. There were no injuries and passengers were detrained
rapidly to an adjacent station platform.

Why did it happen?

The interest to RISKS readers lies in the mix of factors that led to the
incident, a mix of technical and human problems, including these:

* Major long term upgrade work on the whole railway caused the signaling
in this complex trackwork area to fail for long periods thus needing
trains to be driven from onboard under manual control (giving a heavy
sustained workload on controllers).

* A software change in the behaviour of interlocking of signaling and
these points, by the upgrade contractors, had not been communicated by the
upgrade contractor to the controllers.

* The controller did not fully follow correct procedure in authorising the
train forward.

* The controller did not monitor progress of the train (controller was busy
elsewhere) (their screen was switched to a different type of display).

* The driver did not check the position of the points/switches for their
intended route.

* That type of Point Position Indicator was hard to see by the driver
(management had postponed replacement of them as not being urgent).

* The bulb in the PPI had failed (replacement of failed light bulbs in PPIs
wasn't considered urgent).

* The driver should not have crossed points without correct PPI showing
(driver didn't notice that no indication was showing).

MESSAGES TO TAKE AWAY:

* Equipment that might not be safety critical in 'normal usage' becomes so
in 'abnormal/degraded' working conditions

* People's workloads that might not be safety critical in 'normal usage'
become so in 'abnormal/degraded' working conditions

* If it takes a lot of simultaneous failures for an accident to happen, then
it will happen, sooner or later.

Robert (Bob) Waixel, MBCS, CITP, MCInstM, FHEA, Cambridge, CB4 1JL, UK
