Delays that Kill
Jane Binyon writes about rail safety
No specific background was required when I joined the Factory Inspectorate in the mid-1960s, before it became part of the Health and Safety Executive: a philosophy graduate could be as successful as a chartered engineer. Indeed, diversity was one of its main strengths: the combination of a small group of specialists and a larger group with a wide variety of backgrounds gave it the ability to see a problem from many different perspectives and allowed it to challenge assumptions and ask stupid questions – often the most necessary.
In spite of this, there have always been those who advocated restricting recruitment to candidates with relevant degrees and experience. None of this changed when the Factory, Agriculture, Mining and Nuclear Installations Inspectorates were brought together under the HSE umbrella in 1974, or when railways joined in 1990. The smaller, highly specialised bodies, because they are much closer to the industries they regulate, have always taken a narrower view of recruitment. The first Railway Inspectors, or Inspecting Officers as they were called, were appointed in 1840 from the Corps of Royal Engineers, starting a tradition that lasted until the Inspectorate became part of HSE. The Railway Inspectorate (RI) now recruits almost entirely from railwaymen in mid-career – those, in particular, whom industry restructuring has made redundant. No one would deny that some inspectors at least have to have specialised knowledge, or that experience of an industry’s culture can be useful (though its currency declines rapidly), but recruiting exclusively from within the industry puts the Inspectorate in a very vulnerable position. The inspectors’ minds are likely to work very much like those of their industry colleagues, and they are prey to what is known as ‘regulatory capture’ – a tendency to avoid conflict and a reluctance to challenge the assumptions (often unspoken) that lie at the heart of an industry’s decision-making.
Inspection is about changing perceptions as much as providing technical solutions. Inspectors have to be able to persuade a company to reallocate resources and change plans in order to deal with health and safety problems which, for whatever reason, have been ignored or not considered in the past. They inhabit a no man’s land between employer and employee which they have to negotiate carefully. Managers give the official story, the shop-floor provides the reality, though often in coded form. Inspectors must be friendly while keeping enough distance to be awkward and to stand firm in the face of what is sometimes considerable opposition. They must be able to judge the moment when it is appropriate to move from persuasion to enforcement and to feel comfortable about issuing enforcement notices or summonses.
The RI has retained the two basic functions of the original Inspectorate: to approve new projects and to investigate accidents. Whether the two were ever compatible is debatable, but as the Inspecting Officers had no powers of enforcement it was not a question of great moment. However, the Health and Safety at Work Act 1974, which was applied to the railway industry for the first time when the Inspectorate became part of HSE, does contain far-reaching enforcement powers. A recent letter from Vic Coleman, Chief Inspector of Railways, to Chris Leah, Railtrack’s Director of Operations, published in the January number of Modern Railways, shows the impossibility of running approval, investigation and enforcement together:
Railtrack plc is, of course, wholly and solely responsible for meeting all its legal responsibilities . . . Let me make things crystal clear. Nothing that HSE does, or indeed does not do, can be taken in any way as confirming the adequacy of Railtrack’s actions, or inaction, under the law . . . Even where approvals are granted they should never be regarded as any kind of guarantee of compliance – particularly as time passes and newer experience emerges. Railtrack is already aware that approvals under the Railways and Other Transport Systems (Approvals of Works, Plant and Equipment) Regulations 1994 are based squarely on certificates of compliance and completion submitted by the railway operators themselves and our scrutiny has always been, and will inevitably remain selective.
If that’s the case, what is the value of RI’s stated aim (see its last annual report) of ‘ensuring, through approval and associated inspection procedures, that new works and rolling stock meet the standards set out in the Railway safety principles and guidance’? No wonder Railtrack feels aggrieved about signal SN109 at Paddington, ready for formal approval in March 1999 but banned six months later, after the Ladbroke Grove accident. Given the number of times the signal has been passed at danger, the RI was probably right to ban it. But why was it prepared to approve it in the first place?
Collisions between trains produce the accidents with the greatest number of fatalities. Their most common primary cause is failure on the part of a driver to respond to a signal. This is bound to happen from time to time, no matter how well drivers are trained or supervised. As the catchily titled HSE publication Reducing Error and Influencing Behaviour put it last year,
Up to 80 per cent of accidents may be attributed, at least in part, to the acts and omissions of people . . . It is quite wrong to believe that telling people to take more care is the answer to these problems. While it is reasonable to expect people to pay attention and take care at work, relying on this is not enough to control risks . . . Errors are more likely to occur under certain circumstances, including: tasks demanding high levels of alertness, jobs which are monotonous and repetitive.
Train-driving is just such a task and it is inevitable that drivers will make errors. This has been evident from the earliest days of rail travel and the search has been on since 1855 to find a system which will compensate for driver error. Of the three systems around at the moment, the oldest and simplest is the Automatic Warning System (AWS), which functions as a kind of wake-up call to the driver. If a train passes a caution signal a horn sounds in the cab, and unless the driver silences it, the system will automatically apply the brakes. But if he does silence it, the system will take no further action – even if the driver runs straight through a red signal. Most, but not all trains in this country are fitted with AWS.
Automatic Train Protection (ATP) is in a different league from AWS. It is an electronic system that passes information concerning the state of the track and signals to a computer in the driver’s cab which calculates the maximum safe speed for the train. If the driver is inattentive and the safe speed is exceeded by more than a set margin ATP takes over and automatically applies the brakes. Forms of this system are used successfully in most mainland European countries. It works satisfactorily on the Chiltern line, Eurostar and the Heathrow Express. With ATP a train cannot pass a red signal.
The Train Protection Warning System (TPWS) is a cheaper, compromise system which makes use of the existing AWS equipment, but unlike AWS, will apply the brakes automatically if a train passes a red signal or approaches one too fast. It is not as effective as ATP, however. Although TPWS can, in theory, eventually stop a train at any speed, it cannot safely stop one doing more than about 75 mph. TPWS will prevent some accidents and (it is hoped) lessen the severity of others. Had it been fitted to the Thames turbo train it would probably have prevented the Ladbroke Grove accident. It would not have stopped the Great Western train hitting the freight train in the Southall accident of 1997, though the collision would have occurred at a reduced speed.
In the 1920s the Chief Inspecting Officer of Railways recommended that AWS be installed across the entire network. The railway companies complained that it was too expensive – today they would say that a cost-benefit analysis made it impracticable – and nothing much was done until two serious accidents occurred in 1945. Again the Inspectorate recommended that AWS be installed: the industry continued to plead poverty. After another accident in 1947, and nationalisation in 1948, the industry accepted the recommendation but then delayed matters with endless pilot tests and evaluations of different systems. Five years later, in 1952 – after an accident at Harrow which killed 112 people and which might have been prevented had the system been installed – a prototype was finally ready. But even that dreadful accident doesn’t seem to have stiffened either the Inspectorate’s or British Railways’ resolve: several serious accidents and 25 years later, AWS had been installed on less than half the network. Gaps still remained in 1984, as the investigation into a crash at Eccles that year made clear. The investigating inspector reported that reviews were underway in the London Midlands region to determine what provisions were being made to eliminate the gaps. He recommended all regions to follow suit – note that ‘recommended’.
The gaps remained, however, because by this time ATP was seen as the answer. In November 1988 a development programme and two pilot schemes were agreed between British Rail and the RI. The Hidden Report on the crash at Clapham, which also considered accidents at Glasgow and Purley in the same year, followed in November 1989. Recommendation 46 welcomed BR’s commitment to introduce ATP on a large percentage of its network but was concerned at the dilatory timetable proposed. Hidden thought that there were no technical reasons why it should not be fully implemented by 1996 or 1997.
Everyone seemed enthusiastic about ATP but the whole project slowly ran out of steam. British Rail decided that no system could be simply bought off the shelf so it started the usual round of testing and evaluating different systems. The system piloted on Great Western high-speed trains, although widely used in Belgium and Holland, was soon beset by technical problems and, in any case, can hardly be said to have been pursued with vigour. Then the timetable for installation was overtaken by privatisation of the rail network.
In March 1994, British Rail presented a report to the Secretary of State for Transport arguing that fitting ATP across the network could not be justified. Its installation would cost about £14 million per life saved which, they said, far outweighed the benefit. The RI, which up to this point was still advocating installation, changed its mind and claimed that ‘the introduction of ATP on the whole network could not be regarded as reasonably practical.’ So network-wide fitment of ATP was abandoned. Further consideration was to be given to installing it in the future but meanwhile there was nothing to put in its place on the existing network.
Enter TPWS. In 1995, Railtrack promised to develop and install that on a pilot basis. Five years later, they are still piloting it and assessing how far it will be ‘reasonably practical’ to implement it operationally.
It is difficult to say what has been done to improve train protection since the Hidden Report. The inquiries into the accidents at Hyde (1990), Cannon Street and Newton Junction, Glasgow (1991) and Cowden (1994) recommended that ATP should be fitted throughout the network. ATP would have prevented the accidents at Watford (1996), Southall and Winsford (1997), and Spa Road and Ladbroke Grove (1999). You could argue that things have got worse. Some decisions – like the introduction of a new layout at Paddington to accommodate the Heathrow Express, which has resulted in the loss of uni-directional, up and down lines – seem to have been taken on the assumption that ATP would be installed across the network and were not reversed when ATP was dropped.
Other decisions – for example, the scrapping of train priority rules – seem to be entirely market-driven. Passenger trains once took priority over freight trains and fast passenger trains over slower ones. The Rail Regulator proposed in 1996 that the priority hierarchy should be abolished in order to give every train operator equal access to the system. His proposal was put to the RI but not, I’m ashamed to say, opposed by it, because in its view it had no safety implications. Double manning in the driver’s cab has also gone. Everybody in the business seems to agree that it’s a matter of safety – that two people in the cab are liable to distract each other – though an outsider might see it as a cost-cutting measure. At the same time there has been a significant increase in both passenger and freight traffic across the network.
It isn’t all downhill, however. In the last 15 years considerable resources have been committed to major resignalling projects. Signals, which were once manually operated, are now controlled from integrated electronic centres using Automatic Route-Setting (ARS) and Solid State Interlocking (SSI). ARS sets the routes according to a pre-loaded timetable and SSI sends the necessary instructions to the signals and points. Together, they are intended to allow the track to be used most efficiently, from both an economic and a safety point of view. Most accident investigation reports now exonerate the signalling, which is why, after the Ladbroke Grove crash, Railtrack, which is responsible for route-setting and signalling, claimed it was not its fault that a train at Paddington jumped a red light and came to grief.
When signals were manually operated signalmen were as likely to make mistakes as drivers, but ARS and SSI have removed them from the front line. ‘Signal interlocking has been introduced to minimise the scope for railway accidents caused by human error,’ the Inspectorate reported in 1995; and again in 1997: ‘the control of train movements by means of a signalling system is absolutely fundamental to the safe running of a railway.’ Yet I can find no evidence that any analysis was done to measure the cost of installing electronic signalling as against the benefit in lives saved. Had it been done, I suspect it would have found that the cost was at least as disproportionate as that of removing driver error. I assume it wasn’t done because the business imperative to use the tracks as intensively as possible made safety considerations irrelevant. ARS speeds things up. ATP and TPWS, on the other hand, will slow them down and anything that reduces capacity is unlikely to be popular in the industry. There is now an enormous gap between the support given to the signaller and the support given to the driver, although passenger safety depends on the two working properly together.
To make matters worse, when you get on a train you can’t be certain that such support as is provided for the driver is in use. In the Southall accident the high-speed Great Western train was equipped with both ATP and AWS; neither was in use. The driver who had started the journey back to Paddington from Swansea had not been trained in the use of ATP so it was switched off. (And it wouldn’t have been switched on if a driver who had had the requisite training had taken over at another station because the time needed to pre-test it was longer than the time the train was programmed to remain at the station.) Besides, as it is part of a pilot scheme, ATP is not considered an essential part of the train’s equipment and there is no obligation to use it.
The train’s AWS, meanwhile, had developed a fault and had been disconnected. AWS is classified only as an aid to the driver and if it doesn’t work that’s a category B failure in the rule book, which means that the locomotive should be taken out of service only when it can be done without causing delay or cancellation – in other words, at the end of the day (after several more journeys have been made). AWS is defined as category B because ‘its absence does not present a serious safety risk.’ When he found Great Western Trains guilty of a breach of the Health and Safety at Work Act in July 1999, Mr Justice Scott Baker said he thought this ‘an astonishing conclusion’.
The driver involved in the Southall accident was travelling at over 100 mph, and passed the distance between the first warning signal and the red stop signal in less than 45 seconds. He may have been travelling very much faster than his 19th-century forbears but he was no less dependent on his own eyes than they were. Nor is it unusual for AWS to go wrong. GWT admit that before the Southall accident at least two trains a week were running with it disconnected and the RI, which also regards AWS merely as a driver aid, reports that in a survey of 205 drivers carried out in the first three months of 1998 ‘failures were much more prevalent than anyone had appreciated hitherto.’ More than 90 per cent of the drivers said that they would carry on at normal speed with the AWS disconnected.
In mainland Europe a three-tier system of train protection has been developed. Level 1 of the European Train Control System (ETCS) corresponds to ATP. Level 2 is a more sophisticated version of ATP which will give the driver more frequently updated information from further down the track. It can also be upgraded to level 3. Level 3 uses a different technology: equipment on the train, rather than on the track, sends information on the train’s speed and position to a central processor, which radios back instructions. This provides a high level of control and protection and has the added attraction of dispensing with trackside equipment and maintenance. In the 1995 plan, our own West Coast mainline upgrade was to have ETCS level 3. Now this is described as technically too advanced to be installed in time to complete the upgrade by 2005. Instead, level 2 will be used – this is the lowest level that can be used to run trains safely at the proposed speed of 140mph.
All new protection systems will be required to meet the ETCS standard but TPWS does not and as it stands cannot easily be upgraded to do so. Given the drawbacks of TPWS, you may think it odd that it’s so popular but, as the RI puts it on its website, ‘a balance has to be struck between achieving maximum train protection and the need to operate an efficient railway.’ Hang on, though: ATP was – officially – abandoned because it was too expensive per life saved, not because it would make the railway inefficient. This supports my own belief that cost benefit analyses are basically documents of persuasion. In any case, the argument that new safety controls must reduce efficiency is contestable.
This view seems to be shared by David Davies, President of the Royal Academy of Engineering, in his recently published assessment of train protection systems, made in the wake of the Ladbroke Grove crash. ‘ETCS level 3,’ he writes, ‘is the best way ahead: it can offer increased line capacity . . . it should become attractive commercially and train protection will be provided as part of this larger commercial package.’ But it will take time: trials in 2003, fitting perhaps in 2008. He is clearly uneasy about the present TPWS proposals, which, he says, ‘could produce a short-term cost-effective solution that became a medium-term stalemate that prevented any further investment in train protection’. His solution is to suggest modifications to cope with higher speeds and compatibility with ETCS and to restore priority to high-speed passenger trains. Carrying out these modifications will be complex enough, but if the Southall Inquiry Report is right, the difficult relationships between the privatised companies will add considerably to the problems. John Uff, the chairman of the Southall Inquiry, says that the privatised rail industry is unable to deal effectively with inter-company issues, and that research and development projects open lines of conflict between the commercial interests of different parties to the detriment of safety. For example, GWT, even though they were in charge of an ATP pilot that was intended for network-wide fitment, were refused a place on the ATP steering group. Suspicion, lack of communication and co-operation seem to be the order of the day. This is surely the most significant consequence of the loss of an integrated rail system. Davies’s report will feed into yet another inquiry, to be jointly chaired by Uff and the chairman of the Ladbroke Grove Inquiry, Lord Cullen, to consider TPWS and future applications of ATP. This will mean further delays – and who’s to say that their recommendations will carry any more weight than all the others that have gone before?
When, last Christmas, my daughter came back from Manchester to Oxford by train and reported having heard that drivers were told to run through red lights, I dismissed the idea. However, industry contacts I have spoken to since then have hinted that drivers are ready to take a chance that the red light will have changed to green before the train has reached or run past it. As, of course, it often has – but not invariably. An investigation into two SPADs – occasions where signals have been passed at danger – in Scotland last October concluded that a timetable change had resulted in the signal being more often at danger as trains approached and that it was ‘likely that the drivers incorrectly anticipated that the signal would clear’. Other recent documents from the RI put a lot of emphasis on introducing so-called ‘defensive’ driving, which they hope will ‘become commonplace’. It strikes me as extraordinary that, with all the effort that’s been put into the selection, training, supervision and assessment of drivers, defensive driving – i.e. driving as if there might be a red light down the line – has not hitherto been part of the curriculum.
Since ATP has been abandoned, what can only be called a SPAD industry has grown up. We’ve had reports, action plans, multi-page investigation forms, signal-sighting committees, newsletters, briefings, focus groups, major conferences, not to mention additional track-side paraphernalia: count-down markers, signal reminder boards, SPAD indicators. Yet over the last five years SPADs have run at between 600 and 700 a year. About 75 per cent are described as of low consequence: that is, the train stops within the 200 yard overlap between the signal and the point of collision and no damage is caused. These incidents are not investigated, but no great reduction in the serious ones will be achieved so long as the low-consequence ones are seen as acceptable.
There had been three previous low-consequence SPADs at the signal involved in the accident at Purley in 1989, four at the signal involved in the 1996 Watford crash. SN109 at Ladbroke Grove is in the top 20 of signals that have been run past, and it appears that a Heathrow Express and a Great Western train nearly collided there in 1998. No accident comes out of the blue; every investigation will reveal that the warning signs were there. Establishing what is called a safety culture, where, at best, there is no gap between ought and is, needs long-term, visible top management commitment in time and resources. On the whole, organisations do what is dear to the boss’s heart, even when that is at odds with what is said in public. The workforce always knows what the real pressures are, and I suspect that on the railways they are about avoiding delay.
Unfortunately, the railways compare their own safety with safety on the roads, which gives them a wide margin for complacency. So, too, do the increases in passengers and freight. Better perhaps to ask what we should expect of a modern railway. Comparisons with other countries are difficult, but a survey carried out by the International Union of Railways gives figures of passenger deaths per billion passenger kilometres during the period 1986-96. Spain comes out best at 0.09, with Italy at 0.10, France at 0.27, Germany at 0.31: the comparable UK figure is 0.36. In spite of this record, when, after Ladbroke Grove, a spokesman for Railtrack spoke of public and media hysteria, he may have inadvertently given voice to the normally unsaid: Railtrack and the operating companies know only too well that a few weeks after a crash we will be back travelling as if nothing has happened. That’s why they won’t do much about safety. Driver error won’t be taken seriously until it is seen as being bad for business.
Meanwhile, I shall be making my own risk assessments. The rolling stock involved in the accident at Winsford in 1999 was severely damaged, and its ‘crash-worthiness’ is being investigated by the Health and Safety Laboratory. This rolling stock, Class 142 Pacers, was developed to provide a cheaper alternative to traditional railway coaches, and consists of a bus-type body attached to a freight chassis. Like all new rolling stock it must have been approved by the RI before it was put into service but when I next travel around Manchester I do not intend to go on a Pacer. On the other hand, if ATP continues in use on the Chiltern line, then, rather than use the Thames and Great Western trains from Oxford, I shall make the short road journey to Thame Parkway when going to London.