Whether you’re an old hand or new recruit, certain events trigger adrenalin surges and the quest for self preservation. Instinct kicks in; so, hopefully, does your training. But imagine you’re at the controls of a vehicle, gathering pace down a hill. Then imagine that the brakes don’t work. Then imagine a red light appearing out of the darkness ahead.
At about 21:00hrs on 20th July 2010, a machine operator employed by Hydrex met up with a colleague from Network Rail’s depot at Inverness for a night of planned maintenance. These two men were highly experienced - the former had been using RRVs and other plant for 16 years; the latter was a railwayman of 30 years standing and would enjoy an arm-full of responsibilities, wearing PICOP, ES, COSS and machine controller badges for that shift.
With their possession secured at 23:20hrs, the two travelled in the PICOP/ES/COSS/MC’s van (let’s just call him the MC shall we?) to the Road-Rail Access Point (RRAP) at Drumrosach Farm near Raigmore, two miles from Inverness Station on the main line south. Once there, he gave permission for a waiting survey vehicle to be placed on the track before completing the Machine Site Arrival Checklist with the operator (let’s refer to him as the MO). They clearly regarded it as meaningless window dressing as the various items were all ticked ‘yes’ even though some of them, such as testing the stopping distance in rail mode, could not have been completed until the machine had been on-tracked. Authority to do this was given at 23:30hrs and the MO got on with it whilst the MC waded through the rest of his paperwork.
|
The Liebherr A900C ZW type 1033 high ride RRV.
Picture Source: RAIB Rail Accident Report (Crown Copyright)
|
That night’s machine was a Liebherr A900C ZW type 1033 high ride RRV. For those not in the know, their rail wheels are driven and braked by friction through contact with the tyres of the road wheels, rotating freely when not in contact. Each set of rail wheels is mounted on a hinged chassis which moves hydraulically. When a set is lowered, the adjacent road wheels are lifted clear of the ground. Contact between the two is not made until the rail wheels have almost completed their travel.
The 1033 has a software control system incorporating an interlock to prevent the machine operator from lowering the second set of rail wheels until the first is in position and contact has been made with the road tyres. It does this through inputs from potentiometers mounted on the main frame and connected to each rail chassis through mechanical linkages, converting their relative angle into a variable voltage input into the control system. In theory at least, this meant that the RRV could not enter a free-wheel state during on and off-tracking.
|
The Road-Rail Access Point at Drumrosach Farm.
Picture Source: RAIB Rail Accident Report (Crown Copyright)
|
At 23:36hrs, the MO began to manoeuvre the RRV onto the Down line, with the steerable front wheels pointing down the gradient towards Inverness; this is quite severe, averaging 1:60. The two men had a brief conversation on the machine controller’s arrival, the MC pointing out that the rear rail wheels were sitting on the wooden surface of the RRAP. This was resolved by the operator placing the boom arm’s clam shell bucket on the ballast in the four-foot, lifting the rear end of the vehicle and then lowering the wheels onto the rails. As soon as the bucket was lifted clear, the machine unexpectedly started to move. Nothing could be done to stop it. The MC rang the signaller to warn him of the runaway and then set off after it.
The operator immediately swung his cab to face the direction of travel, lowering the boom arm to miss the farm bridge. He made numerous attempts to apply the brakes, but with no effect. Despite the machine being in a free-wheel state, the MO found that he could not raise or lower the rail wheels but the upper part of the RRV responded normally to his commands. He dropped the bucket onto the sleepers in an attempt to slow the machine but its momentum was too great and the speed continued to increase. He tried this several times. In the hope of rebooting the internal software, the engine was switched off and on again, but it made no difference.
As the RRV approached crossovers at Cradlehall, the operator lifted the bucket to avoid damaging the track. After demolishing the possession limit board and exploding the detonators, he then looked ahead to see the tail lamp of a stationary freight train. He swung the cab through 90° so that the door was facing forwards. Almost a mile from the access point and now travelling in excess of 40mph, the machine slammed into the train. Not wearing a seatbelt, the operator was thrown from his cab, landing on top of the rear wagon and sustaining serious injuries. About four minutes later, the MC arrived and made an emergency call to the signaller. Shortly after, paramedics attended.
|
|
|
The accident site showing the RRV and the rear wagon of the freight train.
Picture Source: RAIB Rail Accident Report (Crown Copyright)
|
Another 27 hours had elapsed when the RRV was switched on and its memory analysed. The data showed no active error codes or any codes associated with the operation of the rail wheels. The interlock functions were then tested and appeared to operate correctly.
RAIB’s inquiry found that the rail wheels were not in contact with the road tyres, allowing them to rotate freely. Air gaps of 80mm and 20mm were recorded at the front and back respectively. In normal operating circumstances, there should have been at least 20mm of ‘squash’ between the road and rail wheels to provide the friction forces needed for traction and braking.
|
An RRV's rail wheels rely on friction from the road tyres for traction and braking. |
A series of 11 on-tracking scenarios was performed in an attempt to recreate the free-wheel condition but, in all cases, the interlocks and system software operated as expected. Additional tests examined the effect of data signal loss between the rail control box in the cab and the control system in the chassis, as well as simulating faults in the wiring harness and connectors between the potentiometers and the control computer. Again, no problems were found.
Detailed lab tests were then carried out on four potentiometers, including the two from the machine involved. In one, a loose fibre was found on the swept area of the potentiometer track - just 0.01mm in diameter and 2.28mm long. The Branch concluded that a fibre of this size could have been trapped under one of the wipers and created a resistive fault in the electrical circuit. This could cause the control system’s interlock function to be bypassed, enabling the position of one set of rail wheels to be changed even if the other end was neither fully raised nor lowered. This would allow the RRV to become unbraked.
|
|
|
Photographs showing the swept path of a potentiometer and the discovered fibre.
Picture Source: RAIB Rail Accident Report (Crown Copyright)
|
In analysing damage to the RRAP, RAIB also asserts that the operator probably made several mistakes in selecting the front or rear chassis before operating the controls to adjust them. The buttons on the panel are labelled with German abbreviations and, even more confusingly, the operator is required to depress the ‘front’ button (marked ‘VA’) if he wishes to move the ‘rear’ rail wheels (‘HA’), and vice versa. And bear in mind that the cab can rotate through 360° - the operator could easily lose track of which end is which.
Tests carried out by RAIB showed that the control system’s computer continuously monitors the position of the rail chassis to indicate whether each rail wheel axle is in an unbraked condition. However, the logic works the same whether one or both sets of wheels are unbraked. This means that, due to the interlocking, the operator is prevented from raising either wheelset when both are detected as unbraked, and he is therefore unable to recover from a potentially dangerous situation. The 1033 was originally designed with a button to override the interlock but, at Hydrex’s request, this was disabled in an earlier software update. No formal risk assessment was undertaken beforehand.
|
The cab control panel.
Picture Source: RAIB Rail Accident Report (Crown Copyright)
|
The operating manual recommends that the MO confirms ‘squash’ between the road and rail wheels by slewing the machine across the tracks. However this is not considered good practice in the UK due to the RRV’s instability. Alternatively he could have checked by getting out of his cab but that would have been contrary to his training: the course designers felt that this exposed operators to the risk of falling! They should be very proud of themselves.
RAIB makes four recommendations. Amongst these are modifications to the interlocking - allowing one of the rail axles to be raised if the machine enters a free-wheel state - together with changes to the labelling and operation of the control panel. The Branch also seeks reconsideration of the machine controller’s duties: should he check the wheels and advise the operator that they are properly deployed?
If the report is right - and there is an underlying sense of uncertainty - there is little of real positivity to take from it. If implemented, the proposed actions might empower the operator to take action in the event of a recurrence - assuming they’re not paralysed by panic - but surely prevention should be the aim. If a potentiometer glitch can really be caused by debris that’s almost microscopic (not good news in an environment as grotty as the railway), why not have a second potentiometer for redundancy purposes? Confidence in the machine must inevitably have been dented - it’s important therefore that any failings are fully understood and resolved, with no questions left hanging in the air. If I was a union official, distant alarm bells would be ringing.
|
...why not have a second potentiometer for redundancy purposes? |
|
|