Waterfall rail accident
The Waterfall rail accident was a train accident that occurred on 31 January 2003 near Waterfall, New South Wales, Australia. The train derailed, killing seven people aboard, including the train driver. The accident is famously remembered by systems engineers due to the poorly designed safety systems.
Incident
On the day of the disaster, a Tangara interurban train service, set G7, which had come from Sydney Central station at 6:24 am, departed Sydney Waterfall railway station moving south towards Port Kembla station via Wollongong. At approximately 7:15 am, the driver suffered a sudden heart attack and lost control of the train. The train was thus travelling at as it approached a curve in the tracks through a small cutting. The curve is rated for speeds no greater than. The train derailed, overturned and collided with the rocky walls of the cutting in a remote area south of the station. It was reported that the rescuers had to carry heavy lifting equipment for more than to reach the site. Two of the carriages landed on their sides and another two were severely damaged in the accident. In addition to the seven fatalities, many more passengers were injured.The subsequent official inquiry discovered the deadman's brake had not been applied. The train guard's solicitor stated that the guard was in a microsleep for as much as 30 seconds, just prior to the accident. The experienced human-factors accident investigator determined the organizational culture had the driver firmly in charge, making it psychologically more difficult for the guard to act.
Causes of the accident
Tangara trains have a number of safety and vigilance devices installed, such as a deadman's brake, to address problems when the driver becomes incapacitated. If the driver releases pressure from this brake, the train will safely come to a halt.The train in question was a four-car Outer Suburban Tangara set, numbered G7 and fitted with a Mitsubishi Electric alternating current traction system for evaluation purposes. The driver was in the leading driving carriage and the guard was in the rear driving carriage, in between which were two non-driving motor cars. On this service, the guard, who could have applied the emergency brake, and the deadman's brake were the main safety mechanisms in place.
The train was later found to be travelling in excess of as it approached the curve where the accident occurred. Neither the deadman's brake nor the guard had intervened in this situation, and this excessive speed was found to be the direct cause of the accident. Training of train staff was also found to be a contributing factor in the accident.
Train G7 did not re-enter service. It was scrapped in 2005 due to the damage sustained in the accident; all four cars were damaged beyond repair.
These were the official findings of the NSW Ministry of Transport investigation of the accident. A report of the accident, managed by Commissioner Peter McInerney, was released in January 2004.
Systemic causes and ignored technical problems
It was reported that G7 was said to have been reported for technical problems "possibly half a dozen times" and had developed a reputation amongst the mechanical operations branch, saying the problems were "normal" for the set in question. During the six months leading up to the accident, three reports of technical problems were made.The inquiry found a number of flaws in the deadman's handle and related to the deadman's pedal:
- The dead weight of the unconscious and overweight driver appeared to be enough to defeat the deadman's pedal, of which 44% of Sydney train drivers' legs were of sufficient mass.
- The design of the deadman's pedal did not appear to be able to operate as intended with drivers above a certain weight.
- Marks near the deadman's pedal indicated some drivers were wedging a conveniently-sized red signalling flag to defeat the deadman's pedal to prevent their legs from cramping in the poorly-configured foot well and to give themselves freedom of movement in the cabin.
Official findings into the accident also blamed an "underdeveloped safety culture". There has been criticism of the way CityRail managed safety issues, resulting in what the NSW Ministry of Transport termed "a reactive approach to risk management".
At the inquiry, Paul Webb, Queen's Counsel, representing the guard on the train, said the guard was in a microsleep at the time of the question, for as much as 30 seconds, which would have removed the opportunity for the guard to halt the train. Webb had also proposed there had been attitudes that the driver was completely in charge of the train, and speeding was not an acceptable reason for the guard to slow or halt the train, which would have been a contributing factor in the accident.
Prior to this derailment, neither training nor procedures mandated the guard to exercise control over the speed of the train by using the emergency brake pipe cock. Apart from the driver being considered to be the sole operator of the train, the emergency brake pipe cock does not provide the same degree of control over the automatic brake as a proper brake valve. The consensus among train crews was that a sudden emergency application from the rear could cause a breakaway, and there was some evidence from previous accidents to validate such an opinion, however these were not involving the modern multiple-unit train design of which the Tangara is an example.
Since this derailment, CityRail training and operational procedures now emphasise the guard's responsibility to monitor the train's speed, and if necessary, open the emergency brake pipe tap to stop the train.
Changes implemented
All CityRail trains now have an additional safety feature, which has been fitted since the accident. In addition to the deadman handle and foot pedal, the trains are fitted with "task linked vigilance" - which resets a timer every time the driver activates certain controls. If there is no change in control, a flashing lamp and then buzzer sound and the driver is required to acknowledge a vigilance button. If the train's driver does not use the controls and does not acknowledge the vigilance alarm, the vigilance system is activated and makes an emergency brake application. All trains have also been fitted with data loggers to record the driver's and guard's actions as they work the train, as well as the train's speed. Such a system had been fitted to G7, but was in the early stage of fleet roll-out, and hence had not been commissioned and switched on at the time of the accident.Rescue workers who attended the scene were impeded from accessing the trapped passengers on the train because they did not have the keys required to open the emergency exit doors. Emergency exit mechanisms have all been modified, to allow them to be used without requiring a key. RailCorp has installed internal emergency door release mechanisms on all new trains. However many passengers found their own way out since the train was broken into 3 pieces during the accident.
Automatic train protection could possibly have prevented the accident. Railcorp has tested ATP systems on the Blue Mountains line in western Sydney, and plans for ATP implementation across the Sydney Trains and NSW TrainLink Intercity/Regional networks are being formulated.
CityRail/RailCorp incorporated emergency door releases on the insides of the new Waratah trains as a result of the inquiries to this disaster, enabling passengers to open the doors themselves in case of an emergency, where the crew are incapacitated and the train is at a standstill.
The 2004 changes to medical assessments of rail workers were developed in response to the incident. Overseen by the National Transport Commission, Cardiac assessments are mandatory for certification and re-certification with a proscribed mandatory checklist as part of the national standard in the interest of ensuring public safety, the intended purpose of the health assessments whereas previously the health assessments did not have an occupational risk but a clinical focus.