Background
Waterfall is a town of 522 (as of 2021) in southeast Australia, located in the state of New South Wales 32km/20mi north of Wollongong and 36km/22mi southwest of Sydney (both measurements in linear distance).
Waterfall lies on the Illawarra Railway, a single- to quad-tracked partially electrified main line connecting Bomaderry and the Illawarra Junction on 153km/95mi of track along the coast. The line is used for both passenger and freight services, seeing mostly regional passenger services along with freight trains usually hauling coal and gravel.
The Train Involved
C311 was a passenger service from Sydney Central (the city’s main train station) to Port Kembla. On the day of the accident the service was provided by SRA (State Rail Authority, the main railway operator in New South Wales at the time) with G7, a Tangara G-Set.
The Tangara is a four-car bilevel electric multiple unit (EMU) introduced in 1988. The trains, which feature a distinctly futuristic design, were built as T-Sets for urban services and G-Sets for units intended to head further away from cities, being given slightly different interior equipment. Each Tangara measures 81.08m/266ft in length at an empty weight of 185 metric tons. The trains can carry up to 406 passengers in G-configuration at speeds of up to 130kph/81mph. G7 was unique among the fleet as it featured motors running on alternating current (AC) power for evaluation purposes while the rest of the fleet used direct current (DC) motors. The train carried just 47 passengers at the time of the accident, along with a conductor in the rear cab and a 53 years old driver at the controls.
The Accident
G7 departs Waterfall station on the 31st of January 2003 at 7:12am with 47 passengers on board. The train quickly picks up speed, gliding through a mild S-curve before reaching an 820m/2700ft straight which takes the train away from the paralleling M1 Motorway and deeper into wooded land. The end of the straight section has a 60kph/37mph speed limit as it leads into the first of several tight corners which take trains down a hillside towards Wollongong as the train enters a deep, rocky cut in the landscape. G7 reaches the end of the straight section at 7:14am, travelling at 117kph/73mph. Centrifugal forces immediately overcome the train as it enters the first left hand turn, derailing the leading car as it falls over. The train slides across the right hand “oncoming” track (Australian railways operate in left-hand traffic, meaning the oncoming traffic passes on the right) at speed, mowing down a support structure for the overhead catenary before the leading car slams into the rock wall to the right of the tracks roof-first, crushing the driver’s cab and much of the upper deck. The impact occurs at such a high speed that the leading car “bounces off” the rock wall, righting itself again before coming to a stop. The second car, separated from the leading car, is also deflected back onto its wheels by impacting the rock wall, while cars 3 and 4 remain on their sides. The driver and 6 passengers are killed in the collision, with the conductor and another 41 passengers being injured.
Aftermath
The derailment showed up on the screens at the control center as a power failure (caused by the derailing train taking down the overhead catenary), with workers expecting a power outage when radio calls to G7’s driver turned out to be impossible. Emergency services were eventually alerted by survivors calling the police at 7:20am, with general location information being provided after the conductor called Waterfall station at 7:30am and reported the derailment “just south” of the station. Police were dispatched to a supposed location 100m/328ft south of the station, despite that spot being visible from the station and no wreckage being there. It wasn’t until two officers, fed up with the chaotic communication with the railway, headed down the tracks on foot for about 2km/1.25mi that the wreckage was finally discovered. Rescue was then delayed some more as nobody on site knew how to emergency-release the doors of a powered down Tangara, leading ambulance crews to cut away rubber seals and remove windows to access the passengers. About 20 minutes passed between the derailment occuring and the first survivor receiving treatment by responders. The ability of responders to access the site eventually improved as locals guided them along various, largely unpaved tracks and unlocked wildlife gates for them.
The investigation stumbled over a problem immediately after starting. G7, as all Tangara-sets, had been carrying two independent data-loggers (similar to a plane’s black box), but as the type used had yet to finish the approval-process they had not been turned on. Investigators thus had to be content with tracking the train by where it had departed stations and passed signals, calculating positions and speed. They found that the driver had adhered to all speed limits since departing Sydney Central at 6:24am that morning, only to pass the last signal ahead of the accident’s site at wildly excessive speed. The information was used for a digital recreation of the derailment, where it was found that train could have entered the curve at up to 110kph/68mph, barely slower than it did travel, and not derailed, although it would have then fallen over to the other side in the right hand curve which follows immediately after the left hand curve it derailed in. The simulation also explained how the two leading cars had ended up upright with crushed roofs.
The investigators were thrown another curveball right when they started to see themselves on the correct path, when the coroner’s report showed that the driver had most certainly been incapacitated at the time of the accident, as he was either dead or dying. The autopsy showed that he had suffered a heart attack due to a clogged artery right before the accident occured. As such it had to be assumed that the driver wasn’t purposely speeding as he entered the curve, but that he had started accelerating as he pulled away from the platform at Waterfall and then became incapacitated by the heart attack, leaving him unable to ease off the throttle. This, however, was meant to be an impossible cause of an accident. Not only were conductors tasked with observing unusual, possibly dangerous driving inputs and trigger an emergency stop if they felt the need, but the Tangaras themselves were equipped to not just leave an incapacitated or distracted driver in control (or, not in control, as the case may be).
Australia had suffered a fatal rail accident caused by a driver suffering a heart attack way back in 1969, when a deceased driver had caused the “Southern Aurora” express train to run a red signal and crash head-on into an oncoming freight train which claimed 8 lives (the accident was covered in this recent installment of this blog). The accident had promoted the introduction of the dead man’s switch in Australian trains, a device which has since become standard worldwide to limit the risks posed by an incapacitated or distracted train driver. The system consists of a button or pedal which has to be operated by the driver to keep the train from triggering an emergency stop. The version of the system installed in Tangara trains was a pedal below the driver’s control desk, which the driver had to press down to show that they were alert and in control. The idea was that a driver who passes out would stop pressing his foot on the pedal, causing the pedal to release which would lead to the train triggering an automatic emergency stop. Similarly, excessive pressure would trigger a stop also. Alternatively, drivers had the option to use a T-shaped handle on the throttle lever. If they twisted the handle and kept it in the twisted position the pedal was not required to be pressed. It was not necessary to use both components.
Investigators accessed the pedal in the remains of G7’s leading car and tested the system, finding it functional. They also measured the pressure required to operate the pedal on G7 and five other, identical trains, finding initial activation to require 84–96 newtons of force, more than the required minimum of 73 newtons (84 newtons is the equivalent of 8.6kg/19lbs pressing down the pedal). However, once the pedal was activated it could be kept in the activated position by as little as 39.5 newtons of force. Calculations showed that, if a driver was slightly obese, the weight of their leg resting on the pedal alone could keep it in the activated position, rather than requiring them to consciously press down the foot. The report explains that a driver above a body weight of 110kg/243lbs could keep the pedal activated by resting both feet on it, at more than 115kg/254lbs a single foot would suffice. C7’s driver had a body weight of 118kg/260lbs at the time of the accident. These numbers meant that 44% of train drivers licensed for Tangaras at the time of the accident could keep the pedal activated without consciously pressing on it. Investigators also found a report filed by another driver in January 2003, saying that he had discovered easy operation of the pedal was possible by jamming the tip of one’s shoe under the footwell heater, which sat adjacent the top of the pedal.
This information resulted in the investigation seeing unintentional operation of the pedal as a main contributor to the accident. In their eyes the driver of G7 had consciously activated the pedal, but once he became incapacitated by the heart attack the weight of one or both his feet resting on the pedal was enough to keep it within the activation-range. His feet only slipped off the pedal as his train overturned, obviously way too late.
The investigation had a group of drivers and police officers recreate various situations in the cab, such as drivers of different weight and size pretending to be unconscious or testing different seating-positions. It was found that not only was it quite easy for an unconscious driver to still register as “alert”, but that drivers could also cross their legs or press a knee up to the underside of the control desk to keep the pedal activated.
When talking to the drivers the investigators were told a lot of complains about cramps and discomfort from pressing down on the pedal, which led to drivers finding tricks like jamming their foot under the heater. Some drivers even told investigators that they heard of other drivers who use objects to keep the pedal activated. A favorite among those unnamed drivers appeared to be the emergency flag found aboard each train, which consists of a bright red cloth attached to a rounded wooden pole. This flag, as it turned out, happened to be the perfect length to be jammed into a corner beneath the control desk and hold the pedal right within the range where the system registers an alert driver. The control desk in the rear car of G7 even showed markings which were a perfect match to the flag, meaning G7 had been driven with the flag holding the pedal down several times. An examination of 29 other randomly chosen Tangaras showed matching marks on all of them, with 8 of them also showing suspiciously placed and shaped chewing gum which was likely used to help keep the flagpole in place. Other drivers had supposedly turned circumvention of the system into a science, figuring out what kind of a bag at what weight they had to place on the pedal to keep it activated once they had done the initial activation no matter where their feet went.
With the information about the driver’s heart condition and the flaws and culture around the dead man’s pedal investigators started to piece together how the accident could have occured. They talked to the driver’s family about the weeks prior to the accident, finding that the accident had occurred on the second day of work for the driver after several weeks off. His BMI (Body Mass Index, a value calculated from age, weight and height to vaguely distinguish underweight, healthy and overweight people) showed him slightly obese, but his family described him as an active person who had no issues with physical activities and happily pursued them in his free time, such as working on relatives’ houses and gardens. He hadn’t done any straining work in the last few days before the accident, and had never complained about anything that could have been a sign of heart trouble.
While his weight put him at increased risk of heart attacks the one he suffered at the controls of G7 still must have hit him like lightning from a clear sky. The way the evidence indicates it he suffered the heart attack and passed out before he could even take his hand off the throttle, much less trigger a stop. This leaves him in the odd position of being at fault for the accident, but somehow also not being at fault. It certainly is a huge what-if, but it’s realistic that, if he had survived the heart attack and derailment, he would not have been criminally charged.
But this chain of events left one question: Why didn’t the conductor intervene? Like the driver, he was an experienced employee who knew the route, and must have noticed that the train was picking up too much speed. Unfortunately the conductor himself consistently claimed to not remember the moments ahead of the accident, claiming to have perhaps suffered an episode of microsleep or having memory loss from the accident itself. His lawyer supported the former theory, claiming his client had suffered the sudden lapse in consciousness for up to 30 seconds immediately prior to the accident due to a lack of sleep caused by the early start of his shift.
The conductor actually had access to a device called a “brake pipe cock” which would trigger an emergency stop. However, while conductors were told about the device at their disposal, they were not explicitly told that it was there for them to override driver input. The driver was seen as the “boss” on the train, and questioning him was, according to some employees, not encouraged. Furthermore, rumors spread among workers claimed that triggering an emergency stop from the rear cab could cause a train separation. This, obviously, was false, as the brakes activate in the whole train at once, not just the rear car (and later, perhaps, the rest of the train). The rumors likely stemmed from old locomotive-pushed trains, where there could be a delay with the locomotive’s brakes (at the back of the train) activating slightly before the brakes in the rest of the train. On an EMU like the Tangara this issue no longer occurs. The rumors and strict hierarchy did end up being considered a partial cause to the accident, as they may have made the conductor hesitant to trigger an emergency stop.
G7 was eventually sent to the scrapyard after the investigation finished, with its damage being well beyond the point of fixability. The report criticized the design of the dead man’s switch, which was less safe than systems which require the pedal/button to be pressed and released at regular intervals. This would have at the very least not led to a habit of “switching off” the system by placing objects on it. While a complete replacement of the system in existing trains wasn’t sensible a secondary safety system was installed on all trains operated by NSW TrainLink and Sydney Trains, the two operators who took over from SRA. The “Task Linked Vigilance”-system starts a timer after each control input. An emergency stop is triggered once the timer expires, unless the driver restarts it with another control input or by pushing a dedicated button. The data-loggers on the Tangara trains were also activated shortly after the accident, having finally finished the approval process. Lastly, crew training was improved to encourage conductors to be more critical of the driver’s behavior and be less hesitant to speak up or trigger an emergency stop if they feel the need for it.
The new Waratah-trains, which started service in 2011 as the Tangara’s “grandchild” of sorts, also saw their interior changed in reaction to the accident, with plans being changed to include clearly marked emergency door releases inside the trains. The Tangaras didn’t have anything like that, leaving passengers to either break the windows or climb out where the train cars had separated during the derailment. The exterior releases were also made easier to find and operate. A final preventative measure was introduced in 2004, when the medical assessment guidelines of rail workers were changed. The regular assessments now include cardiac evaluations, aiming to discover early signs of heart-issues which could lead to a heart attack.
_______________________________________________________________
A kind reader is posting the installments on reddit for me, I cannot interact with you there but I will read the feedback and corrections. You can find the post right here.
