Waterfall rail accident

The Waterfall rail accident was a train accident that occurred on 31 January 2003 near Waterfall, New South Wales, Australia. The train derailed, killing seven people aboard, including the train driver. The accident is famously remembered by systems engineers due to the poorly designed safety systems.

Incident
On the day of the disaster, a Tangara interurban train service, set G7, which had come from Sydney Central station at 6:24 am, departed Sydney Waterfall railway station moving south towards Port Kembla station via Wollongong. At approximately 7:15 am, the driver suffered a sudden heart attack and lost control of the train. The train was thus travelling at 117 km/h as it approached a curve in the tracks through a small cutting. The curve is rated for speeds no greater than 60 km/h. The train derailed, overturned and collided with the rocky walls of the cutting in a remote area south of the station. It was reported that the rescuers had to carry heavy lifting equipment for more than 1.5 km to reach the site. Two of the carriages landed on their sides and another two were severely damaged in the accident. In addition to the seven fatalities, many more passengers were injured.

The subsequent official inquiry discovered the deadman's brake had not been applied. The train guard's solicitor stated that the guard was in a microsleep for as much as 30 seconds, just prior to the accident. The human-factors accident investigator determined the organisational culture had the driver firmly in charge, making it psychologically more difficult for the guard to act.

Causes of the accident
Tangara trains have a number of safety and vigilance devices installed, such as a deadman's brake, to address problems when the driver becomes incapacitated. If the driver releases pressure from this brake, the train will safely come to a halt.

The train in question was a four-car Outer Suburban Tangara set, numbered G7 and fitted with a Mitsubishi Electric alternating current traction system for evaluation purposes. The driver was in the leading driving carriage and the guard was in the rear driving carriage, in between which were two non-driving motor cars. On this service, the guard, who could have applied the emergency brake, and the deadman's brake were the main safety mechanisms in place.

The train was later found to be travelling in excess of 117 km/h as it approached the 60 km/h curve where the accident occurred. Neither the deadman's brake nor the guard had intervened in this situation, and this excessive speed was found to be the direct cause of the accident. Training of train staff was also found to be a contributing factor in the accident.

Train G7 did not re-enter service. It was scrapped in 2005 due to the damage sustained in the accident as all four cars were damaged beyond repair.

These were the official findings of the NSW Ministry of Transport investigation of the accident. A report of the accident, managed by Commissioner Peter McInerney, was released in January 2004.

Systemic causes and ignored technical problems
It was reported that G7 was said to have been reported for technical problems "possibly half a dozen times" and had developed a reputation amongst the mechanical operations branch, saying the problems were "normal" for the set in question. During the six months leading up to the accident, three reports of technical problems were made.

The inquiry found a number of flaws in the deadman's handle (which was not implicated in the accident) and related to the deadman's pedal:
 * The dead weight of the unconscious and overweight driver appeared to be enough to defeat the deadman's pedal, of which 44% of Sydney train drivers' legs were of sufficient mass.
 * The design of the deadman's pedal did not appear to be able to operate as intended with drivers above a certain weight.
 * Marks near the deadman's pedal indicated some drivers were wedging a conveniently-sized red signalling flag to defeat the deadman's pedal to prevent their legs from cramping in the poorly-configured footwell and to give themselves freedom of movement in the cabin.

Some of the technical problems reported for Tangaras generally, included brake failure and reported power surge problems. After the accident, they were often blamed by some for being the cause of the accident. Many of the survivors of the accident mentioned a large acceleration before the accident occurred. Furthermore, there was an understanding that the emergency brake should be seldom used because the train would accelerate between 5 and 10 km/h before the brake came into effect. It was noted that the G7 trainset was the only train in the Tangara fleet to use 3-phase induction motors, and that these are not able to "run-away". Furthermore, the majority of braking and traction system components were thoroughly examined and tested by experts from Australia and overseas, and found to be working normally. Those damaged in the crash were examined and were also found not to have had pre-existing damage able to cause such an accident.

Official findings into the accident also blamed an "underdeveloped safety culture". There has been criticism of the way CityRail managed safety issues, resulting in what the NSW Ministry of Transport termed "a reactive approach to risk management".

At the inquiry, Paul Webb, Queen's Counsel, representing the guard on the train, said the guard was in a microsleep at the time of the question, for as much as 30 seconds, which would have removed the opportunity for the guard to halt the train. Webb had also proposed there had been attitudes that the driver was completely in charge of the train, and speeding was not an acceptable reason for the guard to slow or halt the train, which would have been a contributing factor in the accident.

Prior to this derailment, neither training nor procedures mandated the guard to exercise control over the speed of the train by using the emergency brake pipe cock ("the tail"). Apart from the driver being considered to be the sole operator of the train, the emergency brake pipe cock does not provide the same degree of control over the automatic brake as a proper brake valve. The consensus among train crews was that a sudden emergency application from the rear could cause a breakaway (which is in fact not possible, as the cock does not apply the brakes solely to the rear car but rather uniformly along the full length of the train), and there was some evidence from previous accidents to validate such an opinion, however these were not involving the modern multiple-unit train design of which the Tangara is an example.

Since this derailment, CityRail training and operational procedures now emphasise the guard's responsibility to monitor the train's speed, and if necessary, open the emergency brake pipe tap to stop the train.

Changes implemented
All Sydney and Intercity NSW TrainLink trains now have an additional safety feature, which has been fitted since the accident. In addition to the deadman handle and foot pedal, the trains are fitted with "task linked vigilance" - which resets a timer every time the driver activates certain controls. If there is no change in control, a flashing lamp and then buzzer sound and the driver is required to acknowledge a vigilance button. If the train's driver does not use the controls and does not acknowledge the vigilance alarm, the vigilance system is activated and makes an emergency brake application. All trains have also been fitted with data loggers to record the driver's and guard's actions as they work the train, as well as the train's speed. Such a system had been fitted to G7, but was in the early stage of fleet roll-out, and hence had not been commissioned and switched on at the time of the accident.

Rescue workers who attended the scene were impeded from accessing the trapped passengers on the train because they did not have the keys required to open the emergency exit doors. Emergency exit mechanisms have all been modified, to allow them to be used without requiring a key. RailCorp has installed internal emergency door release mechanisms on all new trains. However many passengers found their own way out since the train was broken into three pieces during the accident.

CityRail/RailCorp incorporated emergency door releases on the insides of the new Waratah trains as a result of the inquiries to this disaster, enabling passengers to open the doors themselves in case of an emergency, where the crew are incapacitated and the train is at a standstill.

The 2004 changes to medical assessments of rail workers were developed in response to the incident. Overseen by the National Transport Commission, Cardiac assessments are mandatory for certification and re-certification with a proscribed mandatory checklist as part of the national standard in the interest of ensuring public safety, the intended purpose of the health assessments whereas previously the health assessments did not have an occupational risk but a clinical focus.