Human Error and Blame – the Holmesglen Train Collision

 

The damage - from official report

 

 

 

Human error will always be with us, and systems of work need to be designed to accommodate human error.

 

The above view is commonly expressed among the safety profession. We might even call it a dogma of modern Safety Science.  It is certainly difficult to find any argument against the view.

 

However, the outcome of a recent court case in Melbourne seems to challenge the relevance of this view to employees at the sharp end of industry. (Victorian Workcover Authority v P.Fernandez, Dandenong Magistrates Court, Dec 2002, case Q01271863)

 

The case arose from a collision between two suburban trains at Holmesglen Station, Melbourne, in July 2000. A passenger train, running eight minutes late and incapacitated at the station, was struck by the following, empty, non-stopping train.

 

The stationary train was carrying a hundred passengers and twelve persons were injured. Victorian Workcover Authority (VWA) prosecuted the driver of the empty train under the Occupational Health and Safety Act for not taking reasonable care for the safety of persons in the workplace. He was found guilty in the Dandenong Magistrates Court and received a conviction and a $3,000 fine.

 

The Department of Infrastructure (DoI), VWA and the rail operator all  investigated the collision. DoI’s report gives a comprehensive account of the accident and is available from their website.

(Official report  or www.doi.vic.gov.au then Transport>Managing public transport>Safety Investigations)

 

The guilty verdict hinged upon the judgement of the magistrate that the driver did not drive the train at a speed low enough to avoid a collision, in circumstances where the rules required him to do so. However, in her ruling, the magistrate said that she was convinced that the driver was, in his own mind, driving safely, and made an error of judgement and a miscalculation.

 

There was no suggestion of a malicious or grossly negligent act, or deliberate speeding, or the use of alcohol or other drugs. We have an unambiguous judicial ruling that this was a case of  “human error”.

 

The prosecuting barrister argued that the circumstances demanded extreme behaviour from the driver and allowed no room for error. This seems to be at odds with the principle that human error is to be expected and systems must be designed to tolerate error.

 

How did the driver find himself in circumstances that left no room for error? Should any employee going about their daily work be expected to perform in circumstances that demand perfect behaviour? Was it practicable to have systems that would have prevented these circumstances and maintained high levels of safety?

 

The most important question is: if the circumstances did not allow room for error, and the lives of one hundred passengers were at risk, who carries the main responsibility for allowing the circumstances to develop – the driver, the company or the regulator?

Systems of Work

 

The relevant systems of work in place were:

 

1. communications
2. signals
3. procedures for passing signals at red
4. vegetation control

 

Each of these systems of work appears to have had the capacity to prevent the collision.

 

Communications

 

The driver of the first train had advised Train Control, as required, that he was running eight minutes late, but Control did not advise the driver of the following train – they were not required to do so.

 

When the first train became incapacitated at the station, the driver did not advise Control – he was not required to do so

 

The crucial knowledge that the first train was delayed and incapacitated was not passed on to the one person who most needed it – the driver of the following train.

 

Signals

 

The protecting signal

 

The stationary train at Holmesglen Station was protected by a signal 555 metres before the platform. This signal was at red, indicating that this section of track was occupied. The company’s Manager of Rail Safety gave evidence that signals are the main device that protects trains. The basic premise behind the signals system is that if two trains are not allowed to occupy the same section of track, then they cannot collide.

 

The signals were working correctly. With the first train at the station, the protecting signal was at red indicating the section was occupied. As long as the signal was not passed, a collision was impossible.

 

Procedures for Passing Signals at Red

 

The driver of the second train stopped at the red signal, waited 40 seconds and then proceeded. This is an allowed procedure. It exists to allow a train to go to the assistance of a disabled train. Why the procedure was allowed to be used in this circumstance is not clear.

 

Once the red signal was passed, the driver was operating with no support from any automated safety system. The only engineering control preventing collision – the signals – had been deliberately bypassed.

 

The safety of one hundred passengers now depended entirely on the perfect performance of the driver.

 

Vegetation Control

 

The approach to Holmesglen is a long straight section followed by a sharp bend to the left just before the platform. Inside this bend was a large clump of dense vegetation that completely blocked the driver’s view of the station until about 120 metres from the end of the platform. When he saw the stationary train he applied emergency braking, but the trains collided.

 

Records showed that over the previous four years this vegetation had not been raised as an issue with the management committee responsible for sighting issues along tracks. The vegetation has now been removed.

 

The long straight approach to Holmesglen, before the bend

 

The vegetation – now removed – blocking  a driver’s view of the platform

 

Practicable Measures

 

The following systems-based precautions could have prevented or minimised the likelihood of collision, and they all appear to be practicable:-

 

• banning the passing of signals at red
• requiring drivers to gain approval from Control before passing signals at red
• stipulating a specific speed limit rather than a general caution
• requiring drivers to advise Control when a train becomes incapacitated
• requiring Control to advise the following train when the train ahead is delayed
• removing vegetation that obscures driver’s view of stations

 

Human Error v. System Design

 

This case deserves to become one for the textbooks. The high value of safety systems and the danger of total reliance on perfect human behaviour are clearly illustrated.

 

The Reason model, Barrier Analysis and Human Factor Analysis can all be readily applied to this accident – at least in the classroom.

 

But what of the view “human error will always be with us, and systems of work need to be designed to accommodate human error”?

 

This case suggests the view is not genuinely relevant at the industrial “coal face”, in both the prevention of accidents and the judicial processes after the accident.

 

©Copyright

John O’Meara

20 Feb 2003

 

mailto:[email protected]

 

HAZOZ