Wednesday, April 20, 2016

Bad Signaling at Bad Aibling

The Bad Aibling rail accident was a head-on rail collision that took place on February 9th, 2016 on a single-track portion of railroad near Bad Aibling, Germany.  As of this writing the investigation is pointing towards human error on the part of the signalman and, more specifically, the fact that the signalman was playing a game on his mobile phone around the time the events of the accident occurred.  Now, while phone distraction has played a role in previous rail accidents, in this case I believe the true culprit is the design of the German railway signaling system itself, and any claims of distraction are simply an easy answer.

This tower operator is distracted, but not unsafe
First let's deal with the issue of distraction.  Unlike operating a vehicle, operating a tower or dispatch interface does not require constant attention.  Of course it is better to have someone paying attention, but it is not unsafe, and moreover, distractions are already built into the job.  Operators frequently have to use the restroom, eat meals, talk on the phone to other railroad employees or even leave the tower to deliver train orders.  In a job filled with distractions, the whole point of the signaling system is to prevent distraction from leading to accident.  It is a fundamental principle of railway signaling that things fail safe.


German Zs1 Signal

The mechanism that allowed two trains to end up in a cornfield meet is the Zs1 signal, shown above.  Known as an "Ersatzsignal" or Substitute signal, it is placed below a "main signal" and lit upon command of the signaler when the main signal cannot be displayed normally.  Many in English-speaking rail circles have described it as a Restricting or call-on signal, but that analogy is not entirely accurate.  In practice it is more like a manual block clear of the type that can still be encountered on the LIRR.  Trains pass the Zs1 and proceed through all turnouts at no more than 25 mph before they can increase to normal speed.  Some sources state the 25 mph limit applies up to the next main signal, but a majority say normal speed, and that would agree with the behavior of the second train involved in the accident.

Zs1 Displayed for a train movement
The Zs1 signal is displayed when, for any reason, the main signal governing movement into a section of track cannot be displayed.  This can be due to a bulb-out condition, an axle counter miscount or any other problem with the signaling system.  As far as I can tell, the Zs1 guarantees route locking only.  In most rail systems around the world, when the signal system fails trains must proceed on sight, prepared to stop short of an obstruction or other problem.  This is because even in the case where the cause of the failure is known, that doesn't mean a second problem does not also exist.  Because the situation of compound failures can lead to accidents, in most of the world a substitute signaling system must replace the automatic one to relieve trains of this burden of traveling at Restricted speed.  As one might expect, performing this task can be quite involved, requiring multiple signalers and communicating the fact to many trains and qualified employees.  However, in Germany all it takes is a button press to light up the Zs1.

Bad Aibling Stellwerke

In North America there is no signal that can be displayed into a CTC block where traffic is set in the opposite direction in the way a Zs1 is used in Germany.  You can't even give a Restricting against the flow of traffic, necessitating a permission-past-stop procedure, and even then the train will continue to be limited to Restricted speed.  The permission-past-stop procedure involves speaking to the locomotive engineer, usually over an open radio channel.  Yes, dispatchers in North America can screw this up, but the procedure takes time, requires two persons and requires the operator or dispatcher to pay attention.  In Germany the signaler presses a button and the train operator heads on his way.  When used for routine problems like bulb-outs or axle miscounts the process can become rote and the procedure can be shortened or skipped entirely.
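To make the design contrast in the last two paragraphs concrete, here is an added toy model, my own illustration and not code from the post or from any real interlocking: a single-track block whose main signal needs an unoccupied block and a matching traffic direction, a Zs1-style substitute that one signaler can light on route locking alone, and a North American style permission past stop that needs the engineer's read-back and never exceeds Restricted speed.  All speed figures are constructed placeholders, not rulebook values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed illustrative speeds (mph), not rulebook figures.
NORMAL = 80       # line speed behind a clear main signal
ZS1_SPEED = 25    # over turnouts after a Zs1, the figure the post quotes
RESTRICTED = 20   # stands in for "Restricted speed" (prepared to stop short)


@dataclass
class Block:
    """A single-track block as the interlocking sees it."""
    occupied: bool           # what the axle counter / track circuit reports
    traffic: str             # direction traffic is currently set: "east"/"west"
    route_locked: bool = False


def main_signal(block: Block, direction: str) -> Optional[int]:
    """Automatic main signal: clears only for an unoccupied block and a move
    that agrees with the set traffic direction.  Returns the authorized
    speed, or None when the signal stays at Stop."""
    if block.occupied or block.traffic != direction:
        return None
    block.route_locked = True
    block.occupied = True      # the train now holds the block
    return NORMAL


def zs1(block: Block, direction: str) -> Optional[int]:
    """Zs1 as the post describes it: a single button press by a single
    signaler.  Route locking only; occupancy and traffic direction are
    deliberately not consulted, which is the whole problem."""
    block.route_locked = True
    return ZS1_SPEED


def permission_past_stop(engineer_ack: bool) -> Optional[int]:
    """North American fallback: no signal can be shown against set traffic,
    so the authority is verbal, needs a second person (the engineer) to
    acknowledge it, and never exceeds Restricted speed."""
    return RESTRICTED if engineer_ack else None


def opposing_moves(mode: str, engineer_ack: bool = False):
    """Train A takes a clear eastbound main signal; a westbound move is then
    requested through the chosen fallback.  Returns both authorized speeds."""
    block = Block(occupied=False, traffic="east")
    a = main_signal(block, "east")
    b = zs1(block, "west") if mode == "zs1" else permission_past_stop(engineer_ack)
    return a, b
```

With `mode="zs1"` both trains end up holding an authority into the same block, the second at 25 mph; the permission-past-stop path yields nothing until someone else acknowledges, and then only Restricted speed.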

The Zs7 Caution signal is the best analog to North American Restricting
Unfortunately I do not yet know what the Zs1 procedure involves, but from what I have read it consists of ensuring that the block is actually free of obstructions.  A newer signal, Zs7 Caution, is used in places where the signaler is unable to positively determine block occupancy, and it does in fact require the train receiving it to proceed at Restricted speed, but the problem of actually setting a route against traffic remains.

313 absolute signal where the Zs1 was displayed before the collision. Annotated version.
While misuse of the Zs1 was the ultimate cause of the accident, there were a number of other systemic factors that contributed to it.  First, closed-channel radios are employed, in theory, to prevent "confusion" over who is speaking to whom, but the end result is that train operators are kept in the dark.  Furthermore, in the case of the Bad Aibling accident closed-channel radios actually prevented the signalman from stopping the trains involved with a radio call, because he forgot the correct emergency broadcast code to use.  You know, as opposed to pushing transmit to talk.


Second, the use of axle counters as a cheap alternative to track circuits only serves to further ingrain manual block thinking.  Detecting track occupancy without track integrity only perpetuates the inability of distant signals to stop trains.  Moreover, while axle counters are prone to failure (or miscount) just like track circuits, the signaler is able to reset the problem on his own with a button, instead of needing a maintainer to fix it.  While some can see that as a feature, it removes a valuable form of two-person control.  Again, fixing signal problems via the interlocking panel becomes habitual and eventually an accident happens.

Panel blocking was a basic way the PRR made operators think twice before bypassing signal protections.


Most signaling systems have their single point of failure.  In North America there isn't anything preventing an operator or dispatcher from giving a bad Form D and running a train into another on a stretch of single-direction ABS track.  However, for the last 50 years we have been on a quest to eliminate ABS and replace it with something where such a mistake cannot be made because the technology prevents it.  Germany, however, despite all its fancy train protection systems, flank protection and signal overlaps, is still burdened with 19th century thinking when it comes to block systems.  As a society Germans are really good at following procedures, so these sorts of accidents are rare, but allowing something like the Zs1 still tempts fate and every so often you get burned.

Note: This is my 261st post.  Yay for important milestones!

7 comments:

  1. Mike, this may be a little off topic for this particular post, but just a heads up/GOOD news. NS is still using the R/ /Y restricting signals with the gap instead of a middle head in some locations. For example, at the north end of Whitaker Yard in Austell one of those signals exists, along with a whole host of dwarfs. Granted they are all modern signals, but still...
    Here's a link to a google street view of the location.
    https://www.google.com/maps/@33.840792,-84.6738029,3a,64.2y,331.64h,94.47t/data=!3m6!1e1!3m4!1sRdPqbMfl9zjSEMk5Xxti_g!2e0!7i13312!8i6656!6m1!1e1

    1. Good catch, but look at the non-Darth signal on the left. Might have been a like-for-like signal replacement as opposed to a re-signaling.

  2. As a side note, the Zs1 aspect is available on CTC lines as well, where it is lit by a command from the central dispatcher.

    This forces the DB to use fail-safe (SIL 4) transmission between the control centers and the local apparatus, making the CTC equipment substantially costlier and more complex than e.g. American equipment.

    From what I have read, a German central dispatcher is allowed to trust his desktop displays (they are vital), but not the video wall (non-vital). This, to me, is asking for trouble.

    1. Vital communications links are common in Europe because they employ area interlocking schemes. The interlocking logic is centralized and everything in the field is a dumb terminal.

      As a side note, Germany also uses telecom grade relays, which requires proving circuits not necessary in North America.

  3. Thank you Mike for this analysis: I was wondering why the interlocking system allowed the dispatcher to enable the route. So, apparently, the problem was at the level of the human procedure followed to overcome the interlocking decision, right? Yesterday, another train crash occurred in Italy: http://www.nytimes.com/2016/07/13/world/europe/italy-train-crash.html?_r=0. In this case, no automatic signalling system was deployed on the line, and, apparently, it was again a mistake in the procedure followed by the dispatcher.
    The comparison is interesting because, no matter the presence of an automatic signalling system, both incidents happened because of an improper -- or improperly performed -- procedure. Since, apparently, we will have always a human in the loop, how to address these issues? It would be nice to have an analysis from your perspective.

  4. Mike, just came across your blog, which I have asked to follow. My short (nine years) railroad career started on the NH in 1968 as S. S. Operator at Stamford (SS38) and Norwalk (SS44) and then ended in 1978 when I left the LIRR for a different industry and career. My lifelong fascination with signals, interlockings, and railroading in general has been an enjoyable hobby, and I found your blog especially interesting. If I might ask, what is your background? It's always fun to find people with similar interests and knowledge.

    1. I'm actually a computer security researcher. As such I appreciate technology that doesn't require programming and is resistant to being "hacked".
