The Tangara dead man pedal

05/05/2010 — 4 Comments

Lead Tangara car damage (Source: Commission report)

On the 31st of January 2003 at approx. 7:14 am a four car Tangara passenger train on run C311 from Sydney Central to Port Kembla (G7) oversped on a downhill gradient leading into a curve and left the track. The train driver and six passengers were killed and the remaining passengers suffered various injuries ranging from minor bruising and lacerations to severe disabling injuries.

The subsequent commission of inquiry found that the train driver had suffered a heart attack on the approach to the curve and that the dead man system (1) had failed to stop the train. The dead man system was designed by Goninans, the train builder, to meet the SRA requirements and consisted of a dead man handle on the driver’s desk along with a foot actuated dead man pedal.

Dead man Foot Pedal Installation (Source: Commission report)

As it turned out the static weight of the driver’s legs was enough to keep the dead man foot pedal in the set position after he had collapsed, and the driver’s dead weight of course meant that emergency brake application would not occur. At the same time the driver’s upper body slumping forward knocked the traction system’s master controller lever to notch 4, the high-speed setting.

 5.3.16.3 (4)   The pedal design and/or operation shall be such that it cannot be over-ridden or tampered with in order to negate the safety feature.

SRA specification Clause 5.3.16.3

There are a couple of interesting aspects about this case. The first is the rather obvious one that human beings are a variable lot and system design needs to take account of that variability, the study of which is termed ‘anthropometry’. In the case of the Tangara dead man pedal the designers failed to consider that heavier drivers would have sufficient weight in their lower legs to hold down the pedal using the dead weight of their legs alone (2). Unfortunately train drivers turn out to be a fairly heavy-set bunch and as the probability curve below shows 44% of the driver population would be able to hold the deadman pedal down with their leg weight alone (3).

Body masses (Source: Commission report)

This unhappy tale would end with a simple assessment that the design team of the SRA & Goninans cocked up the anthropometric design (4) (5). But let’s stop and think about this accident from a common cause perspective for a second. Train driving is a sedentary occupation, which means that drivers tend to put on weight; driving is also a working class occupation; and finally drivers tend to be middle aged. All these factors mean that drivers will be much more likely to be both overweight and suffer from cardio-vascular disease (6).

So to put it another way, if you’re an overweight middle aged driver you’re far more likely to have a heart attack (or stroke) and also have sufficient lower leg weight to subvert the dead man switch. Further, when suffering a massive and debilitating heart attack in a seated position the human body will tend to slump forward. When a forward pressure on the master controller increases traction, we now have the trifecta of a driver’s heart attack both negating the safety system and increasing the speed of the train.

The take home? While we can design our mechanistic systems to be independent, in human space things are rarely so simple. In this case human factors common causes outside the system acted to both increase the severity and the likelihood of driver incapacitation.

References

Special Commission of Inquiry into the Waterfall Rail Accident, Interim Report, January 2004.

Notes

1.  As the name implies a deadman system is intended to prevent unmanned operation of a train in the event of driver incapacitation.

2.  The design of a deadman pedal is complicated by the seated position of the driver and the requirement to minimise the force required to be exerted so as to minimise driver fatigue.

3.  Published percentile values for lower body weights were actually available at the time of the design of the Tangara deadman, see NASA-STD-3000 Vol 1 Figure 3.3.7.3.1.2-1 (Rev B 1994) (8).

4.  There is a basic systems engineering principle that one should try to specify a need and not a solution. In this case the SRA specification specified a specific implementation which Goninans engineers subsequently detailed in the design.

5.  What was obvious in the testimony of SRA staff was that they had given little to no thought to the implications of such an interface (7).

6.  Mr Zeides the train driver weighed 118 kg for example.

7.  In systems engineering speak, thinking about whether your requirement is the right requirement is called ‘requirements validation’. The Goninan engineers in carrying out the detailed design of course assumed that the implementation specified was valid.

8.  Another systems engineering principle is that specialist engineering aspects need to be explicitly identified and integrated with traditional disciplines for an effective design outcome. In this case the SRA and Goninan design team failed to even recognise that anthropometry existed as a concept.

4 responses to The Tangara dead man pedal

  1. 

    Matthew,
    Reinventing the wheel so as to allow the exact result that the device was intended to prevent is remarkable.

    I worked as Chief Architect for Amtrak in the ’90s. Our dead-man throttles IIRC were devised to prevent putting a non-human weight on them to hold them active, and required toggling within some interval maybe every 30 seconds and could not be continuously leaned-on or would trigger an emergency stop.

    The engineers (drivers) found them a pain, but accepted their necessity.

    In the northeast corridor there are plenty of track-side signals and speed changes to keep drivers alert. But looking up a track where nothing happens for hours at a time could get quite deadly and put the driver to sleep. Sleeping driver could be just as deadly as dead driver – at least to everyone else.

  2. 

    sorry. haven’t thought about this in years.

    I think there was either a pedal or a knee lever which required constant presence and additionally the alertness button which was more likely a 45 second affair where need to hit the button was light signaled, then if not hit, another light and maybe a horn and if still not responded to, the full-brake stop.

    also Chief Architects meant buildings not systems or software although I was later involved in a project which required a systems safety analysis which in our case was a gigantic exercise in paperwork along the lines of what was done at the time (2002) for railroad civil projects in the UK.

  3. 

    The German system (SIFA) requires (and this for at least a hundred years, as I recall) that one (of at least 2 or more) switch to be “toggled” every 30 seconds. Failure to do so will result in 2 warnings and then in forced braking. It eludes me, why you would construct something so vital to safety in a different way…

    • 
      Matthew Squair 24/05/2011 at 9:08 am

      The accident of history, I’m afraid. On intercity locomotives a vigilance system (similar to what you describe) has traditionally been used but not in the metro fleet. After the Waterfall accident the metro fleet was retrofitted with a vigilance system (which includes monitoring for driver brake and throttle inputs not just switch throws) but the deadman pedal was retained. We (the company I worked for) made the safety argument that the deadman was thus irrelevant but the operator was wedded to it so it was left in along with the additional cost and headache of integrating another human interface into the crew cab.
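An added example, not part of the original post or its comments: a small model contrasting the hold-to-run pedal from the article with the vigilance scheme the commenters describe (activity required every 30 seconds, two warnings, then forced braking). The 5 second warning stages, the function names and the sample traces are assumptions constructed for illustration.

```python
TOGGLE_INTERVAL_S = 30   # interval quoted in the comments
WARNING_STAGE_S = 5      # assumed length of each warning stage

def deadman_brake_time(trace):
    """Hold-to-run pedal: brakes only when the pedal is released.
    trace: list of (t_seconds, pedal_pressed, driver_activity)."""
    for t, pedal_pressed, _activity in trace:
        if not pedal_pressed:
            return t
    return None  # a pedal held by dead weight never trips the brake

def vigilance_events(trace):
    """Vigilance timer: needs fresh driver activity (switch throw, brake or
    throttle input) within the interval, whatever the pedal state is."""
    events, last_activity, stage = [], trace[0][0], 0
    for t, _pedal, activity in trace:
        if activity:
            last_activity, stage = t, 0
            continue
        idle = t - last_activity
        if idle >= TOGGLE_INTERVAL_S + 2 * WARNING_STAGE_S:
            events.append((t, "emergency_brake"))
            break
        if idle >= TOGGLE_INTERVAL_S + WARNING_STAGE_S and stage < 2:
            stage = 2
            events.append((t, "warning_2"))
        elif idle >= TOGGLE_INTERVAL_S and stage < 1:
            stage = 1
            events.append((t, "warning_1"))
    return events

def make_trace(duration_s, last_input_s, period_s=20):
    """Constructed 1 Hz trace: pedal always held down (as by leg weight
    alone); a control input every period_s seconds until last_input_s."""
    return [(t, True, t % period_s == 0 and t <= last_input_s)
            for t in range(duration_s + 1)]

ALERT = make_trace(120, last_input_s=120)     # driver active throughout
COLLAPSED = make_trace(120, last_input_s=40)  # last input at t=40 s

if __name__ == "__main__":
    for name, trace in (("alert", ALERT), ("collapsed", COLLAPSED)):
        print(name, "| deadman brake at:", deadman_brake_time(trace),
              "| vigilance:", vigilance_events(trace))
```

The collapsed trace never trips the hold-to-run check because the monitored signal (pedal down) is satisfied by a passive load, while the vigilance timer brakes 40 seconds after the last driver input.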
