I've got half an hour and not much time, so yes, another railway safety talk. I think it's the third of four; I'm told this is down internally as the railway track. So a bit about me: I'm a safety critical software engineer, so I've spent my career doing air traffic management and air traffic control, that's the big radar screen that you see them use, and train-borne ERTMS and ETCS equipment. There's a lot of acronyms; I will try and expand them all. So that is some equipment that goes on the train and it's on the driver's desk; I've got a picture later. Disclaimer: these are my views and not my employer's. So I think there's three key periods of time when you want to talk about rail safety: up to 1890, and we'll cover why that is, the bit in the middle, and then 1980 to the present day, where we see the modern techniques that we use coming in. I'm not covering signalling that much; Robin Wilson did an excellent talk this morning on it, so hopefully there'll be a recording of that if you've not seen it. So in the beginning it really was like the Wild West. The Liverpool and Manchester Railway opened in 1830. On the opening day the politician William Huskisson was killed. He wasn't the first person to die on the railway, but obviously he was a politician and the newspapers were interested, and the day got even better: the Prime Minister was on the train, and he got pelted with vegetables when they arrived at Manchester because the people of Manchester were not happy with the tax policy of the time. So this all got into the press, people heard about these railways and they really took off. Private experimental carriages were run: Charles Babbage was a good friend of Isambard Kingdom Brunel and he had an experimental train with 30 tonnes of iron. He's at Paddington station and here's a train approaching, and he says to the staff, I can hear a train. No, it's fine, no train scheduled for the next few hours, you're fine.
Brunel appears from said train and steps down, having seen this engine at Bristol, summoned it and driven it at 50 miles an hour himself. So Babbage asks, supposing you came across another train on the same line? And all Brunel says is that he would put on all steam with a view to driving off the opposite engine by the superior velocity of his own. Thankfully for mathematics and engineering this didn't happen. But this is the sort of thing that was going on at the time. There were quite a few accidents and they were increasingly high profile: the writer Charles Dickens was involved in a train crash and used his top hat to give people water and administered brandy. Brunel, at a select committee hearing about regulating railways, said that railwaymen would hopefully answer questions in a gentlemanly manner. Railway companies were very suspicious about the government interfering with them. But by 1842 the Board of Trade could inspect the railways and prohibit them from opening if they thought they were unsafe. They picked people from the Army Corps of Engineers for that because they were engineers and knew what they were doing, and of course, because they were from the Army, the railway companies might listen to them. So they formed Her Majesty's Railway Inspectorate. Things were improving for the passengers as well: by 1844 third class passengers had to be provided with seats and protected from the weather. Before then third class was effectively animal wagons, so when sheep weren't being carried around they could carry passengers for a few pence. Obviously those wagons were made of wood, and if there was a crash the third class passengers got it the worst. By 1871, 30 years after it was created, the Railway Inspectorate finally got the power to interview people and seize evidence. But they couldn't force the railway companies to do anything; they could just harrumph a lot and suggest things. Here's a picture of the first one, so, this being Victorian,
they're all heavily moustachioed, and he's gone for a windswept look here reflecting his army background. So what were they investigating? There's some really shocking stuff. At Round Oak in 1858 an excursion train carrying hundreds of people was on its way, and the guard was smoking and drinking and letting passengers experiment with the brake. In those days carriages didn't have brakes themselves; you had brake vans along the train with a big wheel-operated handbrake you wound on, and the carriages were linked together with chain couplings, so there's one in the middle and two on the side. These kept breaking and snapping because they were fiddling with the brake, and they'd stop and repair them and carry on. Except on the way back these couplings finally broke and the train, which didn't have any brakes, ran away and crashed. Quite a few people died. The guard claimed the brake was faulty; they found the bit of the brake, it wasn't, and it was not good for him. Then on the engineering side, the Tay Bridge disaster in 1879. This was a dark and stormy night in Scotland. The train leaves Burntisland station, heads for the Tay Bridge and disappears in a flash of light. This was due to wind loading: the construction of the bridge hadn't accounted for high winds, and the combination of high winds and the weight of the train made the bridge collapse. The quality of the building was pretty poor as well. The career of its engineer was ruined and it killed at least 75 people. The Railway Inspectorate actually had some trouble here: the railway companies were harrumphing, saying they don't know about trains, why should we listen to them? But the inspectorate didn't know an awful lot about bridges either, so there was a problem for them there. The result, though, was that everything else was heavily over-engineered, and you can see a lot of this Victorian rail infrastructure is still here today. That's a quick picture of it.
So I think it really changed things with the Armagh disaster. Robin covered a couple of these earlier. The Railway Inspectorate had been arguing for decades that the railway companies should adopt lock, block and brake. Lock is full mechanical interlocking of signals, so the signallers can't signal conflicting movements, where a train could be directed at another one, and a number of other things. Block is the absolute block system: the railway track is divided into blocks and there may only be one train in a block at any one time. And brake means continuous brakes: a brake pipe that runs the length of the train, controlled from the engine, so that if the train divides for any reason the brakes get applied. So what happened at Armagh on 12th of June 1889? A big excursion train full of Sunday school children leaves Armagh station, in what is now Northern Ireland, and there's a steep hill to climb. The driver wants an assisting locomotive provided because he thinks he might not make it, and it's refused. The station master at Armagh effectively said, drivers don't complain about excursion trains here, get on with it. But they decide the following train can assist if needed and give it a push. As Robin said this morning, at this time they used the time interval system: 15 minutes, then send the next train out. So if the train stalls, the next train along can give you a push up the hill. The train does indeed stall and they decide to divide it: the train crew agree to put the handbrakes on the rear half of the train, take the other half over the summit and come back to collect the rest. So they start putting handbrakes on and use bits of rock to chock the wheels. The handbrakes don't hold. It rolls back down the hill and collides with the following train, which under the time interval system had been sent on its way. This was pretty horrible. It killed many people, injured 200 and was the worst accident in the UK to date.
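To make the "block" part of lock, block and brake concrete, here is a small Python model added to this transcript; it is not code from the talk or from any real signalling system. It constructs the Armagh situation (an excursion train stalls in a block and a following train is sent after it) and runs it once under the time interval rule and once under absolute block with a simple interlock. The class names, the 15-minute interval, the two-block line and the rule that two trains in one block count as a collision are all assumptions chosen to mirror the talk.

```python
"""Toy model of 'block' and 'lock' from lock, block and brake.

Added example for this transcript, not anything from the talk or from real
signalling software. The class names, the 15-minute interval and the
constructed scenario are assumptions chosen to mirror the talk.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Train:
    name: str
    block: Optional[int] = None  # block occupied right now; None = not on the line


class TimeIntervalSystem:
    """Pre-1889 rule: a following train may be sent once N minutes have passed.
    Nothing here knows whether the earlier train has actually cleared the section."""

    def __init__(self, interval_minutes: int = 15) -> None:
        self.interval = interval_minutes
        self.last_departure: Optional[int] = None

    def may_depart(self, now: int) -> bool:
        if self.last_departure is None or now - self.last_departure >= self.interval:
            self.last_departure = now
            return True
        return False


class AbsoluteBlock:
    """Line divided into numbered blocks; each block holds at most one train.
    request_entry() plays the role of the signal: it only clears when the block
    ahead is empty, which is the interlock that refuses a conflicting movement."""

    def __init__(self, n_blocks: int) -> None:
        self.occupant: List[Optional[str]] = [None] * n_blocks

    def request_entry(self, train: Train, block: int) -> bool:
        if self.occupant[block] is not None and self.occupant[block] != train.name:
            return False  # signal stays at danger: block already occupied
        if train.block is not None and train.block != block:
            self.occupant[train.block] = None  # train has left its previous block
        self.occupant[block] = train.name
        train.block = block
        return True


def run_scenario(system: str) -> Dict[str, object]:
    """Run the constructed Armagh-style scenario under one of the two systems.

    t=0   excursion train enters block 0 and stalls there (never clears it)
    t=15  following train asks to enter block 0
    Returns whether both trains end up in the same block, plus a log."""
    excursion, following = Train("excursion"), Train("following")
    log: List[str] = []

    if system == "time_interval":
        ctrl = TimeIntervalSystem(interval_minutes=15)
        ctrl.may_depart(0)
        excursion.block = 0
        log.append("t=0: excursion train enters block 0 and stalls on the bank")
        if ctrl.may_depart(15):
            following.block = 0  # nothing stops it: the interval has elapsed
            log.append("t=15: following train sent into block 0 (15 minutes elapsed)")
    elif system == "absolute_block":
        line = AbsoluteBlock(n_blocks=2)
        line.request_entry(excursion, 0)
        log.append("t=0: excursion train enters block 0 and stalls on the bank")
        if not line.request_entry(following, 0):
            log.append("t=15: signal held at danger, block 0 still occupied")
        # Only once the excursion train has moved on is the follower admitted.
        line.request_entry(excursion, 1)
        if line.request_entry(following, 0):
            log.append("later: block 0 clear, following train admitted")
    else:
        raise ValueError(f"unknown system {system!r}")

    collision = excursion.block is not None and excursion.block == following.block
    return {"collision": collision, "log": log}


if __name__ == "__main__":
    for name in ("time_interval", "absolute_block"):
        result = run_scenario(name)
        print(f"{name}: collision={result['collision']}")
        for entry in result["log"]:
            print("  " + entry)
```

The point the model makes is the one the talk makes: the time interval rule carries no information about where the earlier train actually is, so it cannot refuse the second departure, whereas absolute block ties the signal to occupancy and simply holds the follower until the block is clear.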
I think because it was full of Sunday school children there was public outrage at the time, and that leads to the middle section. The government finally intervened, and the Regulation of Railways Act 1889 gave them the powers they'd been wanting, to command the railways to install lock, block and brake. Things gradually improved. Obviously accidents were bad for the railway companies; they didn't want these accidents to happen, it was bad publicity, and especially in the early days people might go back to the stagecoach. So things were actually improving and there were technological advancements, and then World War I got in the way. At Quintinshill, also mentioned this morning, a simple enough signal box had all three of those, and three passenger trains collided and killed 220 people; it remains the worst accident in this country. But what's interesting is why it happened. It was arguably negligence from the signallers for not following their processes, but it was also wartime, so what do you make of that? There were too many people in the signal box because the newspaper had just arrived and they were discussing news about the war. Everyone was working long hours. The guard was hanging around. It's a lot more difficult than just saying the signaller was negligent; that is part of it. Then the Second World War comes along and the big four railway companies, in the middle on this diagram, were effectively ruined. The rail network was worn out, so British Railways was formed, and this helped hold the network together. So in terms of safety, what's happening at this point? The Great Western Railway was experimenting with automatic train control from 1906. This became the automatic warning system that Robin talked about: some equipment on the track that detects when a signal is not at green and sounds a warning bell.
We're also starting to mitigate the effects of accidents: trying to work out, if there is an accident, how we make it less severe. So removal of gas lighting in coaches, and of coaches that had wooden bodies. A nasty one here was Harrow and Wealdstone. Again, signals not being followed. But the key was that this Mark I coach that British Rail had brought out was all steel, had much better couplings and survived the crash a lot better. So we're starting to understand how the construction of carriages can help save lives. Signals had had interlocking and the absolute block system for going on 100 years by this point, but there was nothing much for the drivers. That's where the automatic warning system came in, and the inquiry into this one said that enginemen should be given their share of technical aids to safe working, and suggested that AWS be rolled out across the network. So again, gradual improvements up to 1980. But I think here's where we get modern safety coming in. The Swiss cheese model was mentioned at the Boat versus Rig talk yesterday as well. If you take a piece of Swiss cheese, it's got some holes in it; some of the holes stop before they get to the other side and some go all the way through. In this theory, if you can see all the way through the cheese, that's an accident that happens. The thicker the cheese and the more layers you have, the fewer holes go all the way through, so you want to make your cheese as thick as possible. And this comes into: what if we assume accidents will happen? If we assume that, then we work out how we're going to mitigate them, and we can also reduce the chances of accidents occurring to begin with. This is known as ALARP, or as low as reasonably practicable. What this means is you need to consider things like cost as a factor, and complexity.
There's a theory that if you add too many redundancies, that will actually increase the chance of an accident occurring because the system's so complex; I think that's one of the theories behind Three Mile Island, the nuclear accident in the United States. You also want to reduce the consequences of an accident, as we said about the new coach designs. All this can be known as defence in depth, and this is followed by quite a few industries; I think IT security talks about this a lot. But what about the people? We're all human and we make mistakes. Fatigue, tiredness, frustration: this has been known about for a long time as well. If people are working too late or are exhausted, they make mistakes. People can also be quite foolish. In 1972 the driver of an excursion train drove his train to, I think, Margate and then drank several pints of mild ale and then some brandy. He was just a little bit over the limit. He misread his signals. Crash. Maybe we've learnt some lessons? 20 years later at Cannon Street in London, a driver was suspected of being under the influence of cannabis; he wasn't tested until several days after the event. Again, fails to brake, crashes into the buffers. Again, hundreds of injuries here: this was a packed commuter train and everyone was still getting ready to leave. A lot of the injuries were caused by very old coaches; the Southern Railway were in the habit of reusing coach underframes, and these dated from the 1920s. What happens here? We get a lot more drug and alcohol testing, and the old coaches get withdrawn. But the drug and alcohol thing is really interesting: this was about 30 years ago, and back then it was considered quite common, if a driver had a few hours' break, to go off to the railway club, have a few pints of bitter and a sandwich and then go back again. 1991 was a step change. It's now completely zero tolerance on alcohol, as you might imagine.
A bit more recent: Wootton Bassett in 2015, where a driver deliberately isolates his AWS, which we've talked about quite a bit now, goes past a signal at red and narrowly avoids a really quite nasty collision with a passenger train. Steam trains have to have exactly the same systems as any other train if they're on the national network, so that includes black box recorders and all of that. The RAIB, the Rail Accident Investigation Branch, more about them later, find that the behaviour has almost certainly become an accepted practice among some train crews. We'll discuss that later. This is saying the driver's done something monumentally stupid there, but why did he do that? We'll think about that in a moment. In the early 1990s we had privatisation. British Rail was split up into lots of different parts: Railtrack, who own the infrastructure (the allegation is made that Railtrack viewed themselves as a property company that happened to have trains on their property); the ROSCOs, the rolling stock owners, so they own the trains; the TOCs and FOCs, the train operating companies and the freight operating companies, who run the trains; and lots and lots and lots of contractors, and as we'll see it was becoming quite tricky to keep track of them all. This was the early to mid 1990s and things ran okay for a few years. I should also say that the Mark I coach that in the 1950s was heralded as a brand new, very safe design was, 40 years later, now outdated; in a number of accidents around this time, like Cannon Street on the last slide, it wasn't coming across too well and it started to be withdrawn. But the wheels come off privatisation with, I think, three key accidents. In 1997, the Southall crash: again a signal passed at red. The automatic warning system was defective, so this is something that 50 years ago they said should be mandatory and rolled out to all lines; it was defective and there was no particular rush to fix it.
However, there was a brand new protection system installed on the train and the track. It wasn't in use, and there was a report going on at the time to decide whether they should actually scrap the whole thing because it was costing too much. All these newly privatised companies couldn't agree on who should fix things: if the AWS was defective, and it's on the train, is it the owner of the train who fixes it? Is it the people that run the train? Everyone argued about this and nothing actually got done. However, in this accident the Mark III coaches, a newer design, were praised for their crashworthiness. More about that later. In terms of Railtrack, in 2000 a piece of track disintegrated underneath a train from metal fatigue and the train derailed, and I think six or seven people died there. Railtrack admitted they didn't actually know where any other defects could be, and the entire network had speed restrictions for the best part of a year. You might well remember that; it was a pretty bad year. Similarly, in 2002 another train derailed in a platform and ended up wedged between the platform and the roof. It's an interesting picture. The competence of the contractor there was really dubious; the contractor actually tried to accuse persons unknown of sabotage, which wasn't true. The really interesting one, and you could do a whole talk on this itself, is Ladbroke Grove, again mentioned this morning. A whole load of things were wrong with the industry here: the driver training wasn't good, the signalling scheme wasn't fully inspected, and the train protection system rollout was very slow, so by this time they'd decided that they really ought to do something but nothing had happened yet. I think the three of these combined really was a shock to the industry. So what happened? The Rail Accident Investigation Branch was formed, for one thing. This came out of Southall and Ladbroke Grove. One of the issues there was Her Majesty's Railway Inspectorate.
It had been around for well over 150 years by now, and there was a bias problem, because they were having to investigate their own department: there was an issue if they had agreed to this signalling scheme at Ladbroke Grove which was a bit dodgy. The Rail Accident Investigation Branch was formed to mitigate that. They're obliged to investigate incidents causing death or serious injury, and also anything which, if circumstances were slightly different, could have caused the same. The key thing is they don't apportion blame. This is hard to describe, so I'll try my very best. Going back to that steam train in 2015 where the driver isolated his safety systems: why did the driver do that? The report found that there was a culture in the company involved which meant this sort of thing was tolerated as long as you didn't tell anyone. It was thought of as a way to make delays disappear: if the driver forgot to cancel the warning, the system put the brakes on, and there's a 60 second delay before you can release them, so he isolated it because he didn't want to have to explain why he was late. So it was about understanding why the driver took that decision. There was another really interesting one from two years ago involving COVID, where on the night Boris Johnson in this country announced a national lockdown, a train driver was worried about childcare for his daughter, and this caused him to lose concentration and derail his train. That's not blaming the driver; that's understanding the context, in which people are in a very stressful situation, and any outside influences. What else happened around this sort of time? Network Rail was created, because Railtrack basically went bankrupt and because it was eventually decided that a company responsible for safety probably shouldn't be paying out shareholder dividends.
The Train Protection and Warning System was rolled out. They decided that a nationwide rollout of a really good speed and signal supervision system would be ideal, but it was far too expensive, very complex and would take a very long time, whereas the Train Protection and Warning System is a bit simpler. It does similar things, so it stops trains from speeding in certain situations and going past stop signals, but it was a lot cheaper and it was also a lot faster to roll out because it could be retrofitted. So that's the state of things in the mid-2000s. So we're around now. Computers will fix everything, right? We can automate a lot of these signalling problems away, all these confusions about signals. So on the Cambrian line in Wales you have what's known as ETCS, the European Train Control System: the train communicates with the signalling centre over radio and reads data from the track, and this is displayed on a screen in the driver's cab, I've got a picture coming up. One day in 2017 a driver spots that a speed restriction that's been there for several years isn't there any more, and the signaller says that it is there, so something's gone wrong here. Here's a picture of the screen: this is showing a train travelling at 39 km per hour with a limit of about 95 km per hour, so something went badly wrong here. It was ultimately a database corruption error; there was a single point of failure in this software system, and it took the software vendor months to reproduce the issue in their lab. This is a bit concerning because software safety and software quality are taken seriously by the industry; from personal experience, from writing code to actually going into service takes about a year. So something went seriously wrong here, and the consequence of this is a much closer look at software standards in the industry. Never mind: if we check our work, the software will be okay, right?
This one was a couple of years ago. I was thinking about doing a talk like this at EMF 2020, which didn't happen, and I'd have said then that the last fatal passenger derailment in this country was in 2007, at Grayrigg in Cumbria. That's a really good safety record for this country, and the network in this country is, I think, the safest in Europe (not the world, actually). But let's look at Carmont in 2020. After a period of very heavy weather, very heavy rain, a train comes along, there's some debris on the track, and it derails, goes down the hill and catches fire. Three people died there, very sadly. This was a rush hour train; if it had been busier, which it wasn't because of Covid, it would have been really terrible. The ultimate cause was a drain that was meant to drain water from the field above the railway, to stop the railway flooding, and was incorrectly constructed: the diagram just wasn't followed. So unfortunately this goes back to the Tay Bridge 150 years earlier: poor construction. I think the specifications were okay, but it was never inspected. Once this drain was built it should have been entered into a computer system, and that would have set a schedule of regular inspections; that just never happened, and no one knew it was there. The signalling centre, or the control room at ScotRail, had a very comprehensive weather system that told them about rainstorms, but no one had been trained on the advanced features of it, so it wasn't being used to its full extent. And the Mark III carriage that 20 years ago was shown to be excellent and crashworthy was now seen as actually having some problems. So what can we take from that? It's that nothing stays the same here. Things move slowly in the rail industry, in decades rather than months or years, but they're always looking for improvements, and then recognising that actually this has been around a long time and it's time to retire it. Where can
you read more if you're interested in this sort of stuff? The Rail Accident Investigation Branch: their reports are really human readable, they have a good glossary and they explain all the railway terms that are not obvious. If you're interested in this sort of thing I really would pick a few out; the one at Carmont is interesting, and the one about safety culture for the steam train at Wootton Bassett is quite good as well. Railways Archive covers everything before then and also has some good cross-referencing for reading. Red for Danger is a book that covers basically up to the formation of British Rail; it's a bit technical but pretty readable, if a bit depressing. Normal Accidents by Charles Perrow talks about the Swiss cheese model and the theory that if you make a system so complex, accidents are just going to happen by the laws of probability, so it's best to try and design to mitigate the consequences. So, conclusions: 180 years now and we're still learning lessons. I think, in my opinion, sometimes we're a bit too reactive; we need to be more proactive. Accidents happen and we think why did they happen and stop them happening again. I think we need to be a bit more on the other side, thinking about where accidents could happen; this does happen in the software industry. Other than that, that's everything. I've got some notes and references to some of the accidents I've talked about here if you want to read more on them; contact me there, and thank you very much.