The Weekly Reflektion Week 48 / 2019
The subject of this week’s Reflektion is the Southall rail crash in London, England in 1997 and the consequences of disabling safety systems.
Do you disable safety systems without applying mitigating actions?
How do you ensure that disabled safety systems do not lead to a disaster?
On the 19th September 1997, a high-speed passenger train (HST) was travelling from Swansea in South Wales to London, Paddington. The train collided with an empty freight train crossing the main line at Southall, just west of central London. Seven passengers died, six in the crash, and one later in hospital. 139 passengers were injured.
The story of this crash starts the day before when a fault was reported with the automatic warning system (AWS) on the lead engine. The AWS gives both audio and visual warnings to the driver when passing warning signals, either yellow, double yellow, or red. If these warning signals are ignored, the Automatic Train Protection (ATP) system applies the emergency brakes automatically. The fault in the AWS in the lead engine prevented the brakes from being released and the AWS was inspected overnight however no fault was found. The AWS seemed to be working again so the train was passed as fit for service for the next day.
The AWS failed again at Paddington Station at 0600 hrs on the day of the crash, and the driver disabled this safety system. The driver reported the problem to the Operations Supervisor at Paddington, and to GWT (Great Western Train Company) Control at Swindon. The problem was not, however, reported to the signalmen and Railtrack, the owners of the track. Although maintenance personnel attended the train at Swansea, no attempt was made to repair the AWS. The message about the fault had got lost in the system. It emerged after the incident that the reset switch of the warning system had contamination on its electrical contact surfaces which rendered its performance intermittent
The train could have been removed from service. The train had two engines, one at either end, and the second train had an AWS that was functioning so the train could have been turned around. Neither was done.
A new driver joined the train at Cardiff on the way from Swansea to London, and he was made aware of the problems with the AWS. Just prior to the crash, he was packing his bags ready to leave the train and this distracted him such that he missed the single yellow and double yellow signals that required the driver to decrease speed from the cruising speed of 125 miles per hour (201 km/hr). The driver did see the red warning signal, and applied the brakes but it was too late. The train was still travelling at about 80 miles per hour (130 km/hr) when it collided with the empty wagons of a freight train that was crossing the lines.
The driver was charged with manslaughter by gross negligence, but the case was dismissed. The driver later retired from service and never drove a train after the accident. Great Western Trains was fined £1.5 million for not having a system to ensure HST’s had their AWS and ATP systems operative during long journeys.
One of the key points in the investigation report was that train drivers had become increasingly reliant on the AWS system due to a decrease in manning levels, and increasingly high speeds. There were however no clear procedures on what to do if the AWS was inoperative. Following the disaster, the management system was changed and restrictions in speed put in place in the event the AWS was inoperative. Operation at high speed was only allowed if a second driver familiar with the route was also in the drivers cab.
Systems should be designed and operated such that a single fault or failure should not lead to a serious incident or major accident. In the event that safety systems are disabled or inhibited, mitigation measures should be put in place to maintain this principle. Current views on human error recognise the fallibility of the operator and the inevitability of mistakes. Having worked offshore, audible and visual alarms in the control rooms, and on the drill floor are numerous and continuous and handling alarms can be challenging for the control room operators. Do you disable safety systems, removing barriers to major accidents, without applying mitigating actions? Do you put personnel in similar situations to the HST train driver in this incident? How do you know?
The Southall train crash was followed in October 1999 by another disaster, the Ladbroke Grove train crash, which severely damaged public confidence in the management and regulation of the safety of Britain’s privatised railway system. We shall come back to this in future Reflektions.