The Weekly Reflektion Week 23 / 2020

31. May 2020

This week’s Reflektion concerns a train crash in 1988 in Paris where a chain of events caused an incoming train to collide with a stationary outgoing train. Driver error was identified as the cause. Given today’s prevailing view that human error is a symptom and not a cause, we will revisit the accident.

People make mistakes, so how can we ensure that systems design minimise the risk for human error to trigger a chain of events which culminate in a major accident? Do you evaluate re-design of systems in the possible mitigating actions during the learning process?

On the 27^th June 1988, a Paris-bound commuter was passing a through a station it usually stopped at, however, due to the new summer timetable, it no longer stopped. A mother was due to meet her children after school, she panicked when she realised it was not going to stop and pulled the emergency stop lever to stop the train. Before the train could continue its journey, the driver had to reset the brakes, a routine job which usually took less than 5 minutes. The reset handle was at the rear of the engine, but it was difficult to activate in the 20 cm space between the engine and the first carriage. When attempting to reset the brakes, the driver accidentally closed a valve on the compressed air line which was alongside. The line supplied the compressed air from the engine to the brakes on the other 7 carriages.

After resetting the brakes, the driver found that they were still engaged, and, not realising he had closed the valve locking in the air pressure. He set about bleeding air pressure from the brakes on each carriage relieving a situation he believed was due to an air lock in the compressed air system following the emergency stop. Bleeding pressure released the brakes, but now the brakes could no longer be engaged since the compressed air coming from the engine was isolated by the in-line valve that was now closed. This meant he had no brakes on any of the 7 carriages, only on the engine. This process took about 25 minutes, and the train was now running seriously late. The controllers in the station had already changed the points to route the train to a platform where there was no train, as it was recognised it was behind schedule, and another train was loading passengers at the original destination platform.

Trying to make up the lost time, the driver was told not to stop at further stations before descending into the Gare de Lyon station in Paris. The stations, where the train was timetabled to stop but did not, were on level ground, and, in the following investigation it was evaluated that, even with only the brakes on the engine working, the train could have been stopped here. However, because of the decision not to stop at these stations, the braking problem was not identified until the train began to descend into Paris. The driver tried to reduce speed, but, travelling downhill, the engine brakes were insufficient. Realising he could not stop the train, the driver contacted the Gare de Lyon station, but in a panic, did not inform them which train he was on.

The controllers knew that the runaway train was one of four trains due to arrive at the station, and they attempted to message all of them to narrow down the possibilities and divert the runaway to an empty stretch of track. However, when an emergency function was triggered setting all signals to red, it forced all trains on the network to stop wherever they were and wait for instructions. A resulting stream of calls from drivers inquiring about the stoppage clogged the communication lines between the control room and the trains. As a result, the controllers were never able to identify the runaway train. Triggering the emergency function not only set all signals to red, it disabled all pre-programming of the points, directing the train once again to the original platform, where a train was waiting to leave.

The driver had one more option, the use of a back-up electric brake system, but as use of this system was generally avoided by drivers because it was unreliable and caused excessive wear to the brakes, the driver did not think of this. Realising that a collision was now inevitable, the driver herded the passengers into the last carriage, saving many lives on the incoming train. In the collision, 56 people were killed, all in the stationary train, and 60 others injured.

The driver certainly made mistakes, and because of the accident, driver training was reviewed and improved. Poor system design was an enabler in the chain of events that led to the accident, both in the braking system, and in the communication system between the controllers and the trains. When accidents, incidents and near misses are analysed in your company, are inherently safer design principles used in your discussions around mitigating actions?