One of the perennial problems of safety engineering is the ‘completeness problem’, or how do we know that the safety requirements for a system are complete?
This ‘completeness’ problem is a general issue in the design and analysis of complex teleological systems, and can affect not just the design of systems but also investigations of their behaviour once deployed. One cause of such incompleteness problems is how the problem is ‘framed’ or presented. The Queensland Transport Rail Safety Unit (QTRSU) report into the fatal rail accident at Mindi in 2007 offers a good example of how problem framing bias can inadvertently lead to incomplete identification of causal factors in an accident investigation.
The accident sequence. On 7 December 2007, two Queensland Rail (QR) Infrastructure Services Group (ISG) track workers were struck by a track machine and killed at Mindi (1). The accident occurred when the track machine commenced a routine reversing sequence, driven by the operator from the now trailing tamper cab. While a rearward-facing CCTV camera was fitted to the now leading broom cab, it was not authorised for remote control operation and was inadequate to indicate the presence of the track workers to the rear of the train. The warning horns were found to actuate only at the end in control (in this case the trailing tamper cab) and pointed away from the leading end. The horns were also competing against a noisy background and provided only 9.5 dB above the measured 94 dB ambient level. In the final analysis this meant that the safety of the infrastructure rail workers fell back purely upon procedural controls which, for a number of organisational, supervisory and procedural reasons, failed on the day.
The focus of the investigation. The QTRSU conducted a thorough post-accident investigation focusing upon QR’s Rail Safety Management System and breakdowns in communication between work groups at the Mindi site. Anyone familiar with Reason’s ‘Swiss Cheese’ model of accidents will recognise the methodology adopted by the QTRSU team. In total the team made 51 findings, of which 13 related to absent or failed direct procedural and warning-device defences. What is interesting is that the report focused upon the management and control of the hazards within a safety management system and did not ask the more fundamental question: what is the source of the hazard, and can we design it out?
So what is the hazard source? Simplistically, the hazard is being struck by a moving train and subsequently run over. A cursory examination of the broom trailer shows that there is no effective barrier that would prevent an object on the track from passing underneath it. So a refinement of the hazard would be that the design of the broom trailer face actually ensures that a struck rail worker becomes entangled and passes under the train into an environment that is highly lethal. The other key aspect of the hazard is the speed at which the train was moving: 20 km/h at the time of impact. As the speed of a vehicle increases, so too does the force of the impact, with the square of the speed. So a further refinement of the hazard source would include the initial impact at high speed, sufficient in and of itself to cause severe and incapacitating injury, followed by the potential for entanglement of the incapacitated worker and their passing underneath the train into a highly lethal environment.
Hard versus soft defences. One could ask why the designers of the cab front did not make the impact zone more survivable. At a minimum, a barrier could ensure that a track worker is thrown to the side rather than passing underneath the train. This principle of crash survivability is a familiar safety theme in the auto industry, which now deliberately designs the front of cars to lessen injury to pedestrians and to ensure that they pass onto the bonnet rather than under the wheels. Importantly, the hazard posed by operating trains where pedestrian traffic exists is also experienced by the operators of high-deck trams in a city traffic environment. In this domain the hazard is reduced by fitting a sensor that detects an object, such as a cyclist or pedestrian, going under the front of the tram and actuates a safety screen that drops down and prevents the person from going underneath the wheels and suspension (2). The advantage of such a ‘hard system’ solution is that it works every day and directly reduces the severity of the potential accident, unlike procedural controls or warning devices, which reduce the likelihood of an accident but do not eliminate it. Another simple ‘hard’ system solution that would enforce the safety procedures is an interlock that prevents a cab from operating the train when that cab is trailing. Again, this was not considered by the report.
Finally, the question of safe operating speeds on a busy work site could be addressed through a dual-key approach, where high-speed operation is reserved for transit between sites only and requires the insertion of a secondary key held by the designated rail protection officer on the site. No transit key, no fast operation.
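As an added illustration (not from the QTRSU report or QR’s equipment), the two hard defences described above, the leading-cab interlock and the dual-key speed limit, modelled as a small state machine; the worksite crawl limit and the key-holder role are assumed values.

```python
from dataclasses import dataclass, field
from enum import Enum


class Cab(Enum):
    TAMPER = "tamper"
    BROOM = "broom"


WORKSITE_LIMIT_KMPH = 5  # constructed worksite crawl limit; not a QR figure


@dataclass
class TrackMachine:
    """Two-cab track machine with both hard defences modelled as interlocks."""
    leading: Cab                        # cab at the front for the current direction
    transit_key_inserted: bool = False  # secondary key held by the RPO (assumed)
    speed_kmph: int = 0
    log: list = field(default_factory=list)

    def command(self, from_cab: Cab, target_kmph: int) -> bool:
        """Accept a traction command only if both interlocks permit it."""
        # Interlock 1: only the leading cab may drive; the trailing cab is locked out.
        if from_cab is not self.leading:
            self.log.append(f"REJECT {from_cab.value}: trailing cab cannot drive")
            return False
        # Interlock 2: speeds above the worksite limit need the transit key.
        if target_kmph > WORKSITE_LIMIT_KMPH and not self.transit_key_inserted:
            self.log.append(f"REJECT {target_kmph} km/h: no transit key inserted")
            return False
        self.speed_kmph = target_kmph
        self.log.append(f"ACCEPT {from_cab.value}: {target_kmph} km/h")
        return True

    def reverse(self) -> None:
        """Reversing stops the machine and swaps which cab is leading."""
        self.speed_kmph = 0
        self.leading = Cab.BROOM if self.leading is Cab.TAMPER else Cab.TAMPER


def mindi_reversing_sequence() -> TrackMachine:
    """Constructed replay of the report's reversing move against the interlocks."""
    m = TrackMachine(leading=Cab.TAMPER)
    m.command(Cab.TAMPER, WORKSITE_LIMIT_KMPH)  # forward at crawl speed, leading cab
    m.reverse()                                 # broom cab now leads
    m.command(Cab.TAMPER, 20)                   # operator stays in tamper cab: refused
    m.command(Cab.BROOM, 20)                    # leading cab, but no transit key: refused
    m.transit_key_inserted = True               # RPO authorises transit speed
    m.command(Cab.BROOM, 20)                    # accepted
    return m
```

The replay shows that either interlock alone would have refused the 20 km/h move from the trailing tamper cab on the day.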
The problem with problem framing. Humans are profoundly influenced (read biased) by the way in which a problem is ‘framed’. In the case of accident investigations we tend to accept the situation presented as the complete picture and find it inherently difficult to conceptualise what is missing from that picture. In the case of the QT investigation, the terms of reference directed the team to identify direct causal factors as well as human factors as underlying (read contributing) factors to the accident. Thus from the start the problem was inadvertently biased towards an investigation of the soft or ‘safety management system’ aspects of the accident. To put it another way, if we describe a hazard in terms of a source, mechanism and outcome, then, following the direction provided in the terms of reference, the QTRSU report focuses upon the mechanisms of the hazard (the procedural and equipment failures on the day) whilst ignoring the fundamental source of the hazard (3).
1. Mindi is located approximately 130 kilometres south west of Mackay in Queensland.
2. This hazard is peculiar to high-deck trams, whose front area has the capacity to direct a struck pedestrian under the front of the tram. Modern low-deck trams, such as the Citadis, effectively eliminate this problem.
3. Based on P. Clement’s hazard source/mechanism/outcome model for hazard description.
Queensland Transport Rail Safety Unit (QTRSU), Final Report Rail Safety Investigation QT2140, Double Rail Fatality Track Machine MMA59 Mindi, Queensland 7 December 2007, ISBN 978-0-646-49246-9, 2008.