Based on the information so far in the German press, it appears the automated safety system did not fail; the dispatcher committed an error.
It is not surprising that on here, the tendency is to blame automation: this tragedy, the NEC crash in N. Philly, and the Metro-North crash, when the primary cause was faulty human judgment.
C&NW, CA&E, MILW, CGW and IC fan
schlimm wrote: Based on the information so far in the German press, it appears the automated safety system did not fail; the dispatcher committed an error.
So you're contending that the safety system didn't fail, but an accident still happened? That's an oxymoron. And if there is an accident, it's a failure of the safety system as a whole, whether or not its component parts all were working correctly and it was a short circuit between the headphones or whatever.
I understand that it's pretty common practice in critical-systems design to make safety systems immune to stupid operator errors. And that it is indeed the fault of the systems designer if that is not done. From what I understand, this was not an unusual combination of factors (like the situation leading up to Lac Megantic), it was a straightforward assertion of authority that a proper safety system (which by definition includes the procedures and paper workarounds used when any part of the engineering functionality is 'down' or tagged out) SHOULD have caught long before rail vehicles collided.
Not to make a cheap shot, but I seem to remember that this is the nation that computer-engineered a collision into one of its early scheduling algorithms -- Netz B, wasn't it? -- and I have to wonder if this represents a similar approach to technological implementation that turns out to be fragile in an unanticipated but very predictable way.
Wizlish: "an unanticipated but very predictable way" - you know, I get that. It's not the oxymoron it might seem to be.
A great article about a very similar accident - the interlocking was being upgraded, and there were some temporary 'work-arounds':
And another one, more about the fallibility of human-dependent systems and the DS relying too much on the operators in a case where there's some uncertainty:
- Paul North.
Yes to all the above, but I would note that both these were technically more complicated than the point of failure in the West Side collision. The problem there was that a fairly large number of 'standard operating practices' all contributed in a perfect storm that particular day, at least according to the government's report.
In the German accident it was being claimed that all the safety equipment was operating perfectly, and it was just a mistake that produced the wreck. And I continue to claim that it is the 'operating perfectly' claim that is defective here; as with another 'safety system' failure (the rear-end collision at Naperville that led more or less directly to the ICC's enforcement of the 79 mph ATC requirement by early 1951) it cannot be said to operate 'perfectly' if the system itself is imperfect (or incomplete, which is one of the semantic senses of 'imperfect') by design.
Of course I sympathize with the idea that accidents can occur even when all the equipment does what it was designed to do. That is not the full definition of what a 'system' needs to provide, though. That is one of the great things that came out of Cold War systems development, along with PERT and other approaches to getting results under uncertainty, and some things like PAL and the original and restarted B-70 programs, that managed both complex uncertainty and effective midcourse coordination when necessary.
I have a fundamental issue with deterministic fragile systems that purport to be 'safety' systems. And I consider this German accident to be another demonstration why I do.
Wizlish wrote: (quoting schlimm: Based on the information so far in the German press, it appears the automated safety system did not fail; the dispatcher committed an error.) So you're contending that the safety system didn't fail, but an accident still happened? That's an oxymoron. And if there is an accident, it's a failure of the safety system as a whole, whether or not its component parts all were working correctly and it was a short circuit between the headphones or whatever.
The PLZ system did not fail; the dispatcher did by overriding it, as almost anyone would correctly read my comment. As a whole the "system" failed only by permitting human interference at that level.
I think operating proficiency is still required. I recall on a trip to Philadelphia, riding a PATCO train to Lindenwold and watching the operator push the button to close the doors, push the button to start the train, and the train accelerated to track speed and automatically slowed and stopped at the next station. On the way back into Philly, the operator pushed the button to close the doors, then using the throttle manually operated the train to the next station all the way back. I asked him why. He replied, "To keep my proficiency up. On dry rail it (the automation) works fine, but with wet rail the train will slide through the station." He went on to explain that the system was set for a heavy braking rate that could not be obtained on wet rail, as there was a fixed transponder that initiated a fixed braking application. So he needed to keep his proficiency up.
I like flying Southwest Airlines because their pilots are expected to fly the plane into a landing rather than use the auto landing system. There have been articles about pilots not knowing how to react to abnormal situations.
Electroliner 1935 wrote: I like flying Southwest Airlines because their pilots are expected to fly the plane into a landing rather than use the auto landing system. There have been articles about pilots not knowing how to react to abnormal situations.
Sometimes autoland may be the better option. To wit: Alaska Airlines landing on the parallel taxiway at Seattle. Flight deck crew will get new ones reamed for that. YUP! Human failure.
Norm
schlimm - what is your opinion of James Reason and his theories? What 'better' references have been produced since 'Human Error' was published, and what models would now produce the "safest" results for organizations trying to develop and adopt a good safety culture? What is new and significant in 'Organizational Accidents Revisited' (which came out last month and I don't have the money to get) that wasn't in the original?
wizlish: I think it's just a problem in semantics. I was using 'system' in the narrow sense, of the 'PLZ system' itself, while you are including the human override. But we are really saying the same thing.
schlimm wrote: wizlish: I think it's just a problem in semantics. I was using 'system' in the narrow sense, of the 'PLZ system' itself, while you are including the human override. But we are really saying the same thing.
Yes, I agree.
http://www.bbc.com/news/world-europe-35585302
I am guessing there were no intermediate signals, nor track circuits for any cab signals to react to, on the segment of track where this happened.
Never too old to have a happy childhood!
Human error. The well-meaning dispatcher turned off the PLZ controls. He will be prosecuted as well.
schlimm wrote: Human error. The well-meaning dispatcher turned off the PLZ controls. He will be prosecuted as well.
Dispatcher - Tower Operator
In the US there are procedures designed to protect against such a happening.
Did the German controller follow the proper procedures in allowing the train to pass? Did he even attempt to comply with the procedures, or are there no procedures in place?
If the track is signalled, why didn't the trains get downgraded signal indications as they approached each other?
The failure of the PLZ system is that both trains were operating at track speed despite the human error.
What's the difference between PLZ and the (I thought it was) PZB system?
The thing is, that you stop being able to blame PZB the moment it's been turned off. I was making a point a few posts ago that a 'proper' safety system wouldn't have been capable of 'just being turned off' in a way that, as Balt noted, lets two trains (run by folks who would surely have known better than to run at track speed into known danger) collide head-on at high speed. It appears to me as if the system induced the wrong kind of trust as built: a sense that it would be safe to run trains with the system working, and no apparent indication to the runners when that safety was, essentially, arbitrarily shut off without warning.
There are some listed 'worthless things' in aviation: the altitude above you, the runway behind you, the fuel sitting in the truck. Here is a railroad analogue: the safety system that does nothing when it is arbitrarily overridden. (I have just been looking at the Amtrak 188 thread and have to wonder about the disabling of safety in the northbound direction 'because it was impossible to reach an excessive cruise speed up to that point in normal operation'...)
[translated from the SZ.de, the online version of Munich's national newspaper]
The train accident in the district of Rosenheim on February 9, in which eleven people died and 85 were injured, some seriously, was caused by human error. This preliminary result was shared by investigators on Tuesday at a press conference in Bad Aibling.
His behavior "was not in line with the applicable rules", Chief Public Prosecutor Wolfgang Giese said at the press conference. Had the man, who completed his training as a dispatcher in 1997, acted in compliance with the rules, the disaster would not have happened. The investigators conclude from intentional actions of the married 39-year-old, which is why he is not currently in custody.
schlimm wrote: His behavior "was not in line with the applicable rules", Chief Public Prosecutor Wolfgang Giese said at the press conference. Had the man, who completed his training as a dispatcher in 1997, acted in compliance with the rules, the disaster would not have happened. The investigators conclude from [I think a better one-word semantic translation would be 'not' here] intentional actions of the married 39-year-old, which is why he is not currently in custody.
So, thank heavens, not another Andreas Lubitz. I had been worried about that...
Wizlish wrote: (quoting schlimm: His behavior "was not in line with the applicable rules", Chief Public Prosecutor Wolfgang Giese said at the press conference. Had the man, who completed his training as a dispatcher in 1997, acted in compliance with the rules, the disaster would not have happened. The investigators conclude from [I think a better one-word semantic translation would be 'not' here] intentional actions of the married 39-year-old, which is why he is not currently in custody.) So, thank heavens, not another Andreas Lubitz. I had been worried about that...
And he did not test positive for alcohol when tested. As hard as it may be for some to accept, this was human error.
Sad how certain posters on here seem almost glib that it appears to be human error...but sadly not unexpected.
It is also inexcusable if the system permitted anything other than the equivalent of a restrict and proceed signal to be displayed. That is what needs to be addressed here. Tumble down can be a life saver.
An "expensive model collector"
schlimm wrote: (quoting Wizlish: So, thank heavens, not another Andreas Lubitz. I had been worried about that...) And he did not test positive for alcohol when tested. As hard as it may be for some to accept, this was human error.
And a systematic error, in that the human error permitted both trains to operate at track speed.
BaltACD wrote: And a systematic error, in that the human error permitted both trains to operate at track speed.
n012944 wrote: Sad how certain posters on here seem almost glib that it appears to be human error...but sadly not unexpected. It is also inexcusable if the system permitted anything other than the equivalent of a restrict and proceed signal to be displayed. That is what needs to be addressed here. Tumble down can be a life saver.
Glib? Because I went to the trouble of finding detailed articles and translating the more pertinent contents? It is what it is. Clearly every system needs ways to override and use manual controls. But the dispatcher failed to inform either engineer that there was another train ahead, compounding his error.
Glib? All I hear from our railroaders is a defense of the dispatcher by criticizing the system that he shut off. And not one word of sorrow for the passengers or two locomotive drivers (engineers) who were killed.
A real tragedy that need not have happened.
schlimm wrote: (quoting n012944: Sad how certain posters on here seem almost glib that it appears to be human error...but sadly not unexpected. It is also inexcusable if the system permitted anything other than the equivalent of a restrict and proceed signal to be displayed. That is what needs to be addressed here. Tumble down can be a life saver.) Glib? Because I went to the trouble of finding detailed articles and translating the more pertinent contents? It is what it is. Clearly every system needs ways to override and use manual controls. But the dispatcher failed to inform either engineer that there was another train ahead, compounding his error. Glib? All I hear from our railroaders is a defense of the dispatcher by criticizing the system that he shut off. And not one word of sorrow for the passengers or two locomotive drivers (engineers) who were killed. A real tragedy that need not have happened.
It is sad that you think that pointing out the flaws in the system is somehow "defending" the dispatcher. This is not a mutually exclusive argument. The system that I use will permit me to override signals in certain situations. When it does permit me, it will not give signals in the field that would permit trains to run at anything approaching track speed. A failsafe. The dispatcher failed the passengers and train crew; the system failed the passengers and train crew.
Interestingly, I just went over this thread again and counted the times you used the phrase "human error". Four. Not in a quote from a news article, just times you wrote it as your conclusion. And not one word of sorrow from you for the passengers or two locomotive drivers (engineers) who were killed. So yes, glib.
But you are correct, an avoidable tragedy.
I used the phrase because that is what the articles said and because that was determined to be the primary cause of the crash. You avoid using the term because you have a vested interest.
I don't understand how the dispatcher could shut off the entire system for all trains. As someone else pointed out, the PZB seems to be somewhat similar to Automatic Train Stop here in the US. Automatic systems like ATS, ATC and/or cab signals are able to be shut off, but on individual trains. Even PTC will be able to be shut off on a train if it fails. (Yes, large sections of signal systems can be shut off, but it requires signal department people in the field. Affected individual trains are notified about such things, and there are rules and procedures for such occurrences.) I just can't imagine a person in an office being able to push a button/throw a switch and turn off a safety system.
I wonder if the whole story is being reported? Could it be the reporters have simplified the explanation? Or were told a simplified explanation by authorities?
Jeff
I don't know how a single individual in US train operations can 'turn off' a signal system - ANY SIGNAL SYSTEM.
There are any number of mistakes that a Train Dispatcher can make in the performance of their duties - turning off the signal system - IS NOT one of them
BaltACD wrote: I don't know how a single individual in US train operations can 'turn off' a signal system - ANY SIGNAL SYSTEM. There are any number of mistakes that a Train Dispatcher can make in the performance of their duties - turning off the signal system IS NOT one of them.
I am not sure if the reports of "turning off" the signal system are accurate, or just lay press simplistic reporting. There is already a Wikipedia article about this accident, https://en.wikipedia.org/wiki/Bad_Aibling_rail_accident, that asserts that the train director at Bad Aibling caused a "Substitution" aspect to be displayed on the Exit Home Signal, which indicates that the train may proceed past a stop or defective signal, roughly corresponding to a North American "Call On" signal. Several questions are raised in my mind, particularly since I don't understand, especially from a technical perspective, how train movements are protected. This line, like many in Germany (and some other European countries), has Home signals protected by Distant signals. The Home signals are controlled either by an operator under the direction of a Train Director or by the Train Director directly.
Among the questions I have not resolved are: 1) How are trains detected? 1a) Is the detection over all territory, as with typical track circuit systems, or is it only at selected points (e.g. wheel detectors)? 1b) Will the signals get automatically "knocked down" when the train passes them, or some other point, or does the operator have to do this? 2) Are the opposing Home signals to a section of track mutually locked (I don't use the term interlocked to avoid confusion, but technically it's the same concept as employed for the opposing head block signals in an APB signal system)? 2a) Are the two opposing Home signals controlled by the same person? 2b) If there is some form of check locking between the opposing Home signals, does the system nevertheless permit a call-on signal to be given?
After viewing the video linked by beaulieu on the 9th upthread, it appears there is a station, Bad Aibling Kurpark, which has no siding and has a single set of opposing Home signals located just beyond the platforms (one on either side, staggered) on the Kolbermoor side, the latter being the station from which the second train should have been held. For the train director to have completed the intended move, it appears that both the Kurpark and Kolbermoor Home signals would have to be cleared or called on.
Lots of questions on this one.
PZB uses three frequencies to indicate speed restrictions: 500 Hz, 1000 Hz and 2000 Hz, with the 2000 Hz signal indicating "stop". Unfortunately, unlike at least some versions of US ATS systems, the absence of an appropriate carrier is not readily detected by a train's pickup - hence it's possible to "turn off" PZB. The enforcement zone is from the area in approach to the distant signal to the home signal, enforcing a stop in the absence of appropriate action by the train operator. US ATS pickups are supposed to notice if a transponder is out of service. One of the reasons for the development of coded cab signals in the 1940s was to eliminate the window between transponders.
The signal indication should have governed in the case of transponder failure. It's still possible for bad behavior to make things worse, since a "call-on" should only be good for restricted speed to the next signal.
A few years ago an Amtrak train rear-ended a stopped NS doublestack in Chicago when the engineer and an instructor resumed track speed after receiving a restricting indication.
The hope is that PTC will reduce the size of existing safety holes, but the possible misuse of overrides makes it unlikely they will be eliminated.
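Two design points made in this thread, that an override should never produce anything more permissive than a restricting indication (n012944's "it will not give signals in the field that would permit trains to run at anything approaching track speed"), and that onboard equipment should notice when the trackside transmitter has gone silent (erikem's contrast between PZB carriers and US ATS pickups), can be shown side by side in a small model. This is an added example written for this thread, not code from DB, any signal supplier, or the PZB/ATS equipment discussed; the aspects, the 120 km/h track speed and 40 km/h restricted speed, the assumption that the weak override also silences the transmitter, and the `Block`, `wayside_aspect`, `onboard_enforce` and `max_unenforced_speed` names are all constructed for illustration.

```python
"""Toy model of a home signal with a dispatcher override, plus onboard speed
enforcement, to illustrate the fail-safe argument in this thread.
Constructed example: the aspects, speeds and rules are assumptions, not the
actual PZB, ATS or any railway's logic."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Aspect(Enum):
    STOP = "stop"
    RESTRICTING = "restricting"  # proceed at restricted speed, prepared to stop
    CLEAR = "clear"


TRACK_SPEED_KMH = 120       # assumed line speed for the model
RESTRICTED_SPEED_KMH = 40   # assumed restricted speed for the model


@dataclass
class Block:
    """The single-track section beyond the home signal."""
    occupied: bool            # a train is already in (or routed into) the section


def wayside_aspect(block: Block, override: bool, override_is_failsafe: bool) -> Aspect:
    """Aspect displayed to a train wanting to enter `block`.

    `override` models a dispatcher's call-on / substitution signal.  In the
    fail-safe variant the override can never produce anything more permissive
    than RESTRICTING; in the weak variant it simply suppresses the STOP.
    """
    if not block.occupied:
        return Aspect.CLEAR
    if not override:
        return Aspect.STOP
    return Aspect.RESTRICTING if override_is_failsafe else Aspect.CLEAR


def speed_limit_for(aspect: Aspect) -> int:
    """Maximum speed the onboard equipment tolerates under each aspect."""
    return {
        Aspect.STOP: 0,
        Aspect.RESTRICTING: RESTRICTED_SPEED_KMH,
        Aspect.CLEAR: TRACK_SPEED_KMH,
    }[aspect]


def onboard_enforce(carrier: Optional[Aspect], speed_kmh: int,
                    silence_is_restrictive: bool) -> bool:
    """Return True when the onboard equipment should apply the brakes.

    `carrier` is the aspect the trackside transmitter is sending, or None when
    it is silent (switched off or failed).  A fail-safe pickup treats silence
    as a restrictive indication; a non-fail-safe one simply sees nothing.
    """
    if carrier is None:
        return silence_is_restrictive and speed_kmh > RESTRICTED_SPEED_KMH
    return speed_kmh > speed_limit_for(carrier)


def max_unenforced_speed(override_is_failsafe: bool, silence_is_restrictive: bool) -> int:
    """Highest speed (in 5 km/h steps) at which a train can enter an occupied
    section under a dispatcher override without the onboard equipment
    intervening, for the given pair of design choices."""
    block = Block(occupied=True)
    aspect = wayside_aspect(block, override=True, override_is_failsafe=override_is_failsafe)
    # Assumption for the weak design: the override also silences the
    # trackside transmitter, so the train's pickup receives nothing at all.
    carrier: Optional[Aspect] = aspect if override_is_failsafe else None
    for speed in range(TRACK_SPEED_KMH, -1, -5):
        if not onboard_enforce(carrier, speed, silence_is_restrictive):
            return speed
    return 0


if __name__ == "__main__":
    for failsafe_override in (True, False):
        for failsafe_pickup in (True, False):
            v = max_unenforced_speed(failsafe_override, failsafe_pickup)
            print(f"fail-safe override={failsafe_override!s:5} "
                  f"fail-safe pickup={failsafe_pickup!s:5} -> "
                  f"train can enter occupied section at {v} km/h")
```

Only the combination where both the override and the pickup are non-fail-safe lets a train into the occupied section at track speed, which is the situation the posts above describe; either fail-safe choice on its own caps it at restricted speed. The weak override silencing the transmitter is an assumption made to mirror the "turned off" wording in the reports, not a claim about how PZB actually behaves.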
schlimm wrote: The PLZ system did not fail; the dispatcher did by overriding it, as almost anyone would correctly read my comment. As a whole the "system" failed only by permitting human interference at that level.
I believe that you somehow managed to have missed his entire point.
This safety system, meant to safeguard against human error to prevent tragedies such as this, shouldn't be able to be overridden in this manner. By being able to be needlessly disabled, it didn't protect against human error, which created a situation that led to a fatal wreck. Thus it indeed failed.
The safety system is clearly flawed since it didn't prevent what was an easily preventable incident that clearly didn't have to happen. Like someone else said, look up what fail safe means.
It's telling that you chose to omit the final responses made between wizlish and me, that we were quibbling about semantics of a narrow vs broader meaning of 'system.' I was simply providing a service by translating articles. And passing on the conclusions of the investigation. The dispatcher switched from the PLZ-90 to an alternate signaling device (Z-1), according to reports.
FYI: Fail-safe means that a device will not endanger lives or property when it fails. The PLZ-90 did not malfunction or fail. It was bypassed by the dispatcher with 'special signal Z-1' legitimately to allow what he thought would be a safe meet.
BTW, all systems (in the broad sense) can fail. Automated systems are clearly safer than when humans interfere.
Update:
The train accident with eleven dead near Bad Aibling could have been prevented if the railcars concerned had been fitted with the RCAS system. So says Professor Thomas Strang, who developed the system at the German Aerospace Center (DLR) in Oberpfaffenhofen. And so says Heino Seeger, who until the end of 2012 was Chief of the Bavarian Oberland Bahn (BOB).
Seeger tested the RCAS on their former routes during his time as BOB head. "The RCAS is the answer to preventing terrible conflicts like the one in Bad Aibling," says Seeger. "I am sure that the RCAS is the future."
The abbreviation RCAS stands for "Railway Collision Avoidance System". "It is a technique that works completely independently of the system along the railway line," says developer Strang. Equipment in the locomotives gathers all kinds of current data on the train while it is moving, for example the direction, the speed and the braking conditions. Over the radio, the devices are in contact with each other and analyze this data. "Now, when two trains, for whatever reason, come so close to each other that a collision is imminent, an alarm is triggered in the cabs of the train drivers, prompting them to immediate emergency action," says Strang. "When we designed the RCAS, we had the prevention of precisely such an accident scenario as in Bad Aibling in mind."
The articles stand on their own merits.
schlimm wrote: It's telling that you chose to omit the final responses made between wizlish and me, that we were quibbling about semantics of a narrow vs broader meaning of 'system.' I was simply providing a service by translating articles. And passing on the conclusions of the investigation. The dispatcher switched from the PLZ-90 to an alternate signaling device, according to reports. FYI: Fail-safe means that a device will not endanger lives or property when it fails. The PLZ-90 did not malfunction or fail. It was bypassed by the dispatcher legitimately to allow what he thought would be a safe meet. BTW, all systems (in the broad sense) can fail. Automated systems are clearly safer than when humans interfere.
A signal system that can be 'switched off' without an exhaustive series of checks and balances, and that affects all trains in the territory of operation, is a FAILED system.