On the 31st of January 2003 at approx. 7:14 am a four car Tangara passenger train on run C311 from Sydney Central to Port Kembla (G7) oversped on a downhill gradient leading into a curve and left the track. The train driver and six passengers were killed and the remaining passengers suffered various injuries ranging from minor bruising and lacerations to severe disabling injuries.
The subsequent commission of inquiry found that the train driver had suffered a heart attack on the approach to the curve and that the dead man system (1) had failed to stop the train. The dead man system was designed by Goninans, the train builder, to meet the SRA requirements and consisted of a dead man handle on the driver’s desk along with a foot actuated dead man pedal.
As it turned out the static weight of the driver’s legs was enough to keep the dead man foot pedal in the set position after he had collapsed, and the driver’s dead weight of course meant that emergency brake application would not occur. At the same time the driver’s upper body slumping forward knocked the traction system’s master controller lever to notch 4, the high-speed setting.
220.127.116.11 (4) The pedal design and/or operation shall be such that it cannot be over-ridden or tampered with in order to negate the safety feature.
SRA specification Clause 18.104.22.168
There are a couple of interesting aspects about this case. The first is the rather obvious one that human beings are a variable lot and system design needs to take account of that variability, the study of which is termed ‘anthropometry’. In the case of the Tangara dead man pedal the designers failed to consider that heavier drivers would have sufficient weight in their lower legs to hold down the pedal using the dead weight of their legs alone (2). Unfortunately train drivers turn out to be a fairly heavy-set bunch and as the probability curve below shows 44% of the driver population would be able to hold the deadman pedal down with their leg weight alone (3).
This unhappy tale would end with a simple assessment that the design team of the SRA & Goninans cocked up the anthropometric design (4) (5). But let’s stop and think about this accident from a common cause perspective for a second. Train driving is a sedentary occupation, which means that drivers tend to put on weight; driving is also a working class occupation; and finally drivers tend to be middle aged. All these factors mean that drivers will be much more likely to be both overweight and suffer from cardio-vascular disease (6).
So to put it another way, if you’re an overweight middle aged driver you’re far more likely to have a heart attack (or stroke) and also have sufficient lower leg weight to subvert the dead man switch. Further, when suffering a massive and debilitating heart attack in a seated position the human body will tend to slump forward. When a forward pressure on the master controller increases traction, we now have the trifecta of a driver’s heart attack both negating the safety system and increasing the speed of the train.
The take home? While we can design our mechanistic systems to be independent, in human space things are rarely so simple. In this case human factors common causes outside the system acted to both increase the severity and the likelihood of driver incapacitation.
Special Commission of Inquiry into the Waterfall Rail Accident, Interim Report, January 2004.
1. As the name implies a deadman system is intended to prevent unmanned operation of a train in the event of driver incapacitation.
2. The design of a deadman pedal is complicated by the seated position of the driver and the requirement to minimise the force required to be exerted so as to minimise driver fatigue.
3. Published percentile values for lower body weights were actually available at the time of the design of the Tangara deadman, see NASA-STD-3000 Vol 1 Figure 22.214.171.124.1.2-1 (Rev B 1994) (8).
4. There is a basic systems engineering principle that one should try to specify a need and not a solution. In this case the SRA specification specified a specific implementation which Goninans engineers subsequently detailed in the design.
5. What was obvious in the testimony of SRA staff was that they had given little to no thought to the implications of such an interface (7).
6. Mr Zeides the train driver weighed 118 kg for example.
7. In systems engineering speak, thinking about whether your requirement is the right requirement is called ‘requirements validation’. The Goninan engineers in carrying out the detailed design of course assumed that the implementation specified was valid.
8. Another systems engineering principle is that specialist engineering aspects need to be explicitly identified and integrated with traditional disciplines for an effective design outcome. In this case the SRA and Goninan design team failed to even recognise that anthropometry existed as a concept.