Today’s safety video is brought to you by ScotRail. It examines in depth three cases of train drivers accidentally passing red signals.
*) SPAD = Signal Passed at Danger
In the morning hours of December 8th, 2008 a railcar left the train station of Merseburg, Germany and made a journey of 40 kilometers to Querfurt – all on its own, without a driver or any other person on board. The train finally came to a standstill on an uphill section of the railroad line. Luckily, nobody was injured and no damaged was caused by this ghost train. Apparently the incident was noticed when the railcar began to move and the line could be closed for other railway traffic to avoid collision.
There is no official investigation report so far and the exact causes of the incident remain unknown to the public. However, a programme broadcasted on January 6th, 2009 by the TV station MDR mentioned some interesting details about the incident. The programme quoted an official from the Federal Railway Authority (Eisenbahn-Bundesamt, EBA) vaguely hinting towards „technical faults“ and „software problems“ as the possible cause. More interesting than that was the description of the incident, which I enrich here with some additional information from Wikipedia:
The railcar was a Bombardier LVT/S, also known as series 672, operated by Burgenlandbahn, a subsidiary of Deutsche Bahn. It had arrived in Merseburg as one part of multiple unit coming from Querfurt. As the trailing unit, to be precise, which means that it still had been self-propelled during its previous service, but remote-controlled from another unit. In Merseburg the train was separated with the intention of using the trailing railcar to operate another service back from Merseburg to Querfurt. This was the one that drove off without waiting for its driver.
The series 672 railcar is equipped with automatic couplers. This makes separating the units really easy: the driver in the leading car stops the multiple unit, pushes a button and drives off with a single railcar, leaving the trailing car behind. It seems that this can leave the former trailing car in a particular condition: with its engines running and the driver’s safety device (aka dead man’s switch) still disabled. According to the TV programme the dead man’s switch, which is mandatory for trains in Germany, has to be disabled in the trailing railcar(s) of a multiple unit where there is no driver to operate it.
This does not explain how the railcar started its uncommanded run in the first place, but it provides a plausible explanation why the train was not stopped by safety mechanisms. The railroad line, being a secondary line, is not equipped with a train protection system. The dead man’s switch therefore was the only mechanism that could have stopped the railcar but failed to do so. To prevent further incidents of this kind, procedures have been changed to ensure that a driver is present in each of the cars when a multiple unit is being separated.
The incident illustrates how straightforward solutions to seemingly simple problems can be subtly wrong. The problem is that the railcar can be operated in different modes that require different configurations of its safety equipment. The system does not enforce, however, that the configuration is appropriate at any time. This may simplify the design of the technology but imposes upon the operator the need to deal with situations of inconsistency that might not be obvious until such an incident occurs.