Operational Controls are Worthless if They Aren’t Maintained
At approximately 5 pm on Monday 22nd June 2009, a Washington Metro train heading towards Shady Grove smashed into the rear of the train ahead of it. The Automatic Train Control system had instructed the train to travel at full speed (55 mph). When the driver of the moving train, Jeanice McMillan, saw the stationary carriages ahead, she applied the emergency brakes, but it was too late to avoid the crash.
Within twenty minutes, rescuers had arrived on the scene. The front carriage of the moving train had climbed over the back of the stationary vehicle, and the two carriages had slid together like a closing telescope, trapping many passengers. Survivors said the crash was “like… hit[ting] a concrete wall”. The air was full of smoke and debris, and passengers began to panic when the train doors didn’t open.
Ultimately there were over two hundred firemen at the scene. They worked throughout the night and had to use cranes in their efforts to free trapped passengers and search for bodies.
Jeanice McMillan and eight other people died. At least 80 were injured. The death toll made it the most severe crash the Metro had ever had.
The Inquiry
The National Transportation Safety Board began an inquiry. Investigators considered several possible causes. They looked at operator error, brake failure, a fault in the computerised signal and operation system, or a combination of the three.
The investigators discovered that the driver had used the emergency brake and that the rear train had been running under the guidance of the Automatic Train Control system. The automation should have stopped the train. The investigators also discovered that the track control system below the front train wasn’t working. It had failed to detect the presence of the stationary train.
“These circuits are vital. It’s a signal system. It’s providing information, authorization and speed commands to the following train.”
Deborah Hersman, Chair of the National Transportation Safety Board
A Problem With the Wiring
The Metro has a sophisticated track control system. It allows the automated system, drivers and central controllers to see whether there is a train in any section of the track.
An electric current passes along one rail between two sensors. If there isn’t a train on that section, the current passes unhindered, and the controllers know that the rails are empty. If, however, there is a train, the current doesn’t make it from one sensor to the next. Instead, it skips across the metal train wheels and axles to the other rail, where it shorts out to earth.
It is a clever system, but as with all things, there is wear and tear, parts age, and the machinery needs regular maintenance. The primary cause of the accident was that the ATC didn’t “see” the train that had stopped and so sent the second train straight into the back of it.
A Known Issue
Maintenance engineers had discovered this problem after a series of near-misses in 2005, four years earlier. To stop a recurrence, they designed a preventative maintenance check. During the night and weekends when rail traffic was light, teams of workers would walk down the tracks with a thick wire and lay it across the two rails at every section to mimic the trains’ wheels and axles. Using this check, they could be sure that the system was working and that they didn’t need to replace or repair anything.
The engineers had learnt about the problem and established an operational control to prevent it from happening again.
Once is Unlucky; Twice is Unforgivable
Accident investigators showed that the maintenance crews should have discovered the fault but hadn’t done the test. The rail operator hadn’t institutionalised the control. While they had issued an engineering bulletin and safety notice, the check hadn’t been well documented, trained, or reinforced. Maintenance crews weren’t aware of it.
The National Transportation Safety Board cited the Transit Authority’s lack of a safety culture and failure to monitor and maintain its automatic train control system as contributing causes of the accident.
Maintaining Operational Controls
The lesson from the tragedy is that it isn’t enough to write up a report after an incident detailing the preventative control you have put in place. You must have a system that ensures those operational controls are maintained, not abandoned or neglected. Otherwise, you create a false sense of security.
Painful lessons are useless if the organisation promptly forgets them.