Braking issue on Caledonian Sleeper causes train to "run away" at Edinburgh

37057

Member
Joined
3 Jul 2009
Messages
345
ECP brakes are not EP brakes.

ECP brakes would detect a shorting of connections because suddenly the back of the train would no longer appear on the driver's desk display.
"Apparently the sleeper is running light engine tonight....."

ECP Brakes have two way communicaton down the length of the train.
So you can read status updates from every vehicle in the formation if you want.

The existing standard can even be used to control locomotives elsewhere in the formation, all over the same pair of wires (plus a power wire obviously)
What about redundancy modes? I've come across various scenarios where traditional methods have had to be resorted to (one time the absence of functioning electronic brake control was undetected). I'm not discounting electronic brake control but the traditional methods certainly aren't 'obsolete'.
 
Sponsor Post - registered members do not see these adverts; click here to register, or click here to log in
R

RailUK Forums

37057

Member
Joined
3 Jul 2009
Messages
345
Given how often I see door control panels left open, I'm quite pleased they didn't do that (I know you can't do anything with them without keying in). Is it the norm on UIC coaches? I know you have the handbrake wheel accessible, and there's normally a cable through the gangway you could unplug (the loco->driving trailer remote control I think?). Though fiddling with either of those would result in the train stopping, not being unable to stop.
Don't wish to wander off topic but I can name a few types of trains in the UK where you could isolate the brakes from inside if you had a T-key! The display in the cab would give you away rather soon though.
 

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
The point is that these incidents invariably point to a breakdown in procedure. Had the BPIC been opened fully so that it latched, had the shunter or driver cast an eye back at their handiwork before stepping away, had the static brake test been done as the final action, this incident would not have happened. Likewise, had the BPIC been in a better location, of a better design or made more noise when venting, the problem would have been spotted. As has already been said, this is a classic “Swiss cheese” incident.
 

TimboM

Established Member
Joined
12 Apr 2016
Messages
3,612
Regarding the EP point, Class 92s have EP fitted as it was in the original locomotive design for the Nightstar stock. Last I heard the EP assist switch is isolated, though, as it caused brake faults when switched in with the Mk5s.

Regarding the whole rheo brake discussion - it's a bit of red-herring (and why the RAIB report doesn't really make a great deal of mention of it). The locomotive brakes (rheo or friction) aren't designed to stop 400+ tonne of train on a falling gradient. The lack of control over the coach brakes was the fundamental issue.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
53,267
Location
Up and down the south WCML (mostly)
The report appears to state that the first passenger alarm was effective but that the 10s delay in brake application didn't provide confidence to the Train Manager that it had worked so he used a second alarm. This is another design failing - the alarm should have provided some positive indication to the user that it had been effective.

I'm sure there's a reason for the time delay but it's not immediately obvious to me why that would be.
To allow the driver to override it if it would stop the train in a dangerous place e.g. on a viaduct or tunnel.

It's lucky it was CAF stock with a "classic" emergency brake, though. If it was just a passcom...
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
53,267
Location
Up and down the south WCML (mostly)
The point is that these incidents invariably point to a breakdown in procedure. Had the BPIC been opened fully so that it latched, had the shunter or driver cast an eye back at their handiwork before stepping away, had the static brake test been done as the final action, this incident would not have happened. Likewise, had the BPIC been in a better location, of a better design or made more noise when venting, the problem would have been spotted. As has already been said, this is a classic “Swiss cheese” incident.
True, though "passive safety" is better than "active safety" - i.e. it's better to design something to be inherently safe than to put procedures or active checks in place to mitigate it not being.

The classic example here is not having droplights vs. having signs saying not to stick your head out of them.
 

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
True, though "passive safety" is better than "active safety" - i.e. it's better to design something to be inherently safe than to put procedures or active checks in place to mitigate it not being.
In this instance I think I’d disagree. Correct operation of the equipment or adherence to procedures would have highlighted the fault even with the equipment in it’s existing form.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
53,267
Location
Up and down the south WCML (mostly)
In this instance I think I’d disagree. Correct operation of the equipment or adherence to procedures would have highlighted the fault even with the equipment in it’s existing form.
It would, but better that there would be no need for that.

As per my example, not sticking your head out of a droplight avoids it being knocked off, but not having a droplight means you absolutely can't have it knocked off even if you make an error and do stick it out.

Similarly, having a warning sign not to fall off a drop at the edge of a part-built building you're working on may mean you pay more attention, but having a temporary fence there means you absolutely can't.
 

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
Perhaps so. But braking and coupling systems are not directly comparable to droplights. We can completely do without windows but we can’t do without brakes or couplers.

Even trains with auto-couplers and a TMS need to be checked manually to ensure correct operation. You can never design human supervision out of the system.
 
Last edited:

Taunton

Established Member
Joined
1 Aug 2013
Messages
4,693
The point is that these incidents invariably point to a breakdown in procedure ... had the static brake test been done as the final action, this incident would not have happened.
But they did the brake test exactly when stipulated, before going back and having to fiddle and heave right where the brake cock was, again as stipulated. Para 72 of the report, and also Learning Point 1.

Couple of other points which look like poor design. Para 18 states that when a loco is coupled at each end of the train, there could be "damage" to the jumper circuits. Yet dividing at Carstairs like this is part of normal nightly operation, and indeed normal railway operation. It was just never envisaged at the design stage, or in the test plan, and then led to an issue of an e-mail instruction which actually contradicted the Rule Book requirement to do the brake test last; so much for all the checking that's meant to go into such procedures. There's also a sly mention at para 123 that the closed position for the cocks was down on the coaches and up on the locomotive, and the coach cock has now been inverted so they both point the same way. That really is industrial design 1.01 to get right.
 
Last edited:

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
You can't, but you could design a system whereby someone can't get in a loco and drive the train off with the train's brakes isolated.
I’m not going to cover the “how” because the solution to this simple sounding aim is surprisingly complicated. Instead I shall address the “why”.

Such a step in entirely unnecessary. It would be a gross overreaction to require the industry to go away and reinvent the wheel. No-one is recommending this; not the RAIB, not the parties involved. This is primarily a procedural failing, one that can be addressed simply by updating and enforcing the relevant procedures.

But they did the brake test exactly when stipulated, before going back and having to fiddle and heave right where the brake cock was, again as stipulated. Para 72 of the report, and also Learning Point 1.
Yes they did. But that will change (assuming it hasn’t already done so) and I’m sure it will be applied across the entire industry, not just those operating Mk5 stock.
 

43096

Established Member
Joined
23 Nov 2015
Messages
7,188
We nearly had hundreds of dead.
We could have been discussing a Class 92 led sleeper slamming into a morning commuter train full of hundreds of people.

It was only luck that the signaller was able to avert disaster.
Thanks for proving my point by lapsing into tabloid newspaper/Rail magazine banner headline speak.
 

hexagon789

Established Member
Joined
2 Sep 2016
Messages
9,015
Location
Glasgow
One of the recommendations already mentioned.

And they also now using the Glasgow loco to split the trains, which makes the order simpler. You only need to go betwe
Thanks, I managed to find that section after re-reading the report, must've skimmed past it the first time.


There is mention in the report that they will change the valve to one with a bigger vent - this should make it more obivous in the cab that there is a problem.

(The compressor could keep up with the vent leak)

I wondered if the vent could be fitted with a whistle - so it goes with a bit more whoosh when opened. So you hear it.
Hmm, it also talked about that potentially meaning the leak couldn't be defeated by the loco. I seem to remember that the 56s (or was it 60s?) when fairly new had an incident where they overran a signal due to poor brake effort. The brake pipe had split but the loco compressor had managed to keep up with the leak!
 

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
Couple of other points which look like poor design. Para 18 states that when a loco is coupled at each end of the train, there could be "damage" to the jumper circuits. Yet dividing at Carstairs like this is part of normal nightly operation, and indeed normal railway operation. It was just never envisaged at the design stage, or in the test plan, and then led to an issue of an e-mail instruction which actually contradicted the Rule Book requirement to do the brake test last; so much for all the checking that's meant to go into such procedures. There's also a sly mention at para 123 that the closed position for the cocks was down on the coaches and up on the locomotive, and the coach cock has now been inverted so they both point the same way. That really is industrial design 1.01 to get right.
I'm uncertain as to why you've seized upon these particular points nor why you consider them to merit comment. It almost feels as though you've some point you're trying to prove.

The part of the coupling operation that could cause damage is the connection of the 61 way jumper cable. The reason for avoiding having two locos connected simultaneously should be fairly obvious, as connecting a second loco effectively connects a second power supply to all the circuits on that jumper which introduces the risk of damage due to an overload. As these circuits could include controls for the doors, PASSCOMs and other safety equipment, it's clearly of great importance not to expose them to avoidable damage.

In this regard the Cally Sleeper's Mk5s are no different from a lot of other stock where similar care needs to be exercised. For example, before "keying in" on a Voyager you must check on the TMS that there are no other keys already in, as having two keys in simultaneously causes an overload in the control circuits requiring the attention of the fitters. Checking that there are no other keys in forms an important part of the Voyager pre-coupling checks for the same reasons. But before you cry that this is simply a post-privatisation issue, similar problems could affect ex-BR stock from the pre-microprocessor era. It was always drilled into us when learning Cl315/Cl317 EMUs that it was very important that you took your door key out when you left the cab. If you accidentally had two door key switches live on the same train the resulting overload could fuse the relays which could cause some serious wrong-side door failures. Again, this meant a call to the fitters and the unit(s) being taken away for checking. All of these things can be (and are) mitigated by ensuring that the procedures are clear and that the necessary checks are made.

Besides, the only reason why the 61 way connection is mentioned at all is that the need to avoid having two locos attached at the same time necessitates that certain parts of the coupling and uncoupling procedures need to be carried out in a certain order. I'm not even very sure that it was particularly relevant to this incident as it seems that it was the second ETS connection, the shunter's inability to safely make it at the first attempt due to a freight train on the adjacent line and the subsequent difficulties in connecting it that were the main issue. But this has now been addressed by changing the procedure such that the loco already attached which hauls the Glasgow portion draws it's half of the train forward permitting the loco for the Edinburgh portion to undergo all the various coupling operations in one single go, including the 61 way jumper cable, which should remove any confusion about what needs to be done when while the loco is coupled.

The direction in which the handle of the BPIC faces really isn't such a big deal. On any individual train there will be cocks facing every which way, and often cocks with different types of handles, but this poses no great issue. As with all other devices of this type, railway isolation cocks follow the global operational convention meaning that it is obvious which position is "open" and which is "closed". Rather than belittling the level of engineering you might have highlighted the rest of Paragraph 123 which explains that reversing the position of the BPIC handle also introduces a failsafe, in that an unlatched BPIC handle should vibrate into the safe (open) position.

I think you also either misunderstand or misrepresent some parts of the report. You assert that the 61 way jumper resulted in an instruction that meant that the brake test was not done as the last action, in contradiction to the Rule Book requirements. This is not true, as the Rule Book did not mandate that the brake test should be the last action at the time of this incident. In fact it still doesn't. The RAIB have only just recommended that the RSSB consult on having this explicitly stated in the Rule Book (Para 127). The requirement as it is stated in the Rule Book at present is that the brake test must be carried out when the loco is coupled, and at the time the brake test was carried out the loco was coupled, even though there were still electrical connections to be made (Para 76).

Isn't having the EP brake and air brake combinations all on one locomotive just what Class 73 (a 1960s design) long had, locos which handle other sectors of the Scottish sleeper operation.
I think I'd just like to clarify this point. Yes the Cl73s (and Cl33/1s) had an EP brake, but this was to permit multiple working with SR EMUs and push-pull working with TC sets. Hauled dead, even by a Cl73, an SR EMU would be worked as a conventional two-pipe train.
 
Last edited:

deltic

Established Member
Joined
8 Feb 2010
Messages
2,128
The high operating costs of the sleeper was highlighted by the fact that the shunter spends all night at Carstairs with nothing to do between joining and splitting the Up and Down Lowland sleepers
 

Bald Rick

Veteran Member
Joined
28 Sep 2010
Messages
12,706
The high operating costs of the sleeper was highlighted by the fact that the shunter spends all night at Carstairs with nothing to do between joining and splitting the Up and Down Lowland sleepers
That’s not particularly unusual. What is unusual for the sleeper is the high number of staff and rolling stock required to operate just 10 service trains.
 

big all

On Moderation
Joined
23 Sep 2018
Messages
794
Location
redhill
I'm uncertain as to why you've seized upon these particular points nor why you consider them to merit comment. It almost feels as though you've some point you're trying to prove.

The part of the coupling operation that could cause damage is the connection of the 61 way jumper cable. The reason for avoiding having two locos connected simultaneously should be fairly obvious, as connecting a second loco effectively connects a second power supply to all the circuits on that jumper which introduces the risk of damage due to an overload. As these circuits could include controls for the doors, PASSCOMs and other safety equipment, it's clearly of great importance not to expose them to avoidable damage.

In this regard the Cally Sleeper's Mk5s are no different from a lot of other stock where similar care needs to be exercised. For example, before "keying in" on a Voyager you must check on the TMS that there are no other keys already in, as having two keys in simultaneously causes an overload in the control circuits requiring the attention of the fitters. Checking that there are no other keys in forms an important part of the Voyager pre-coupling checks for the same reasons. But before you cry that this is simply a post-privatisation issue, similar problems could affect ex-BR stock from the pre-microprocessor era. It was always drilled into us when learning Cl315/Cl317 EMUs that it was very important that you took your door key out when you left the cab. If you accidentally had two door key switches live on the same train the resulting overload could fuse the relays which could cause some serious wrong-side door failures. Again, this meant a call to the fitters and the unit(s) being taken away for checking. All of these things can be (and are) mitigated by ensuring that the procedures are clear and that the necessary checks are made.

Besides, the only reason why the 61 way connection is mentioned at all is that the need to avoid having two locos attached at the same time necessitates that certain parts of the coupling and uncoupling procedures need to be carried out in a certain order. I'm not even very sure that it was particularly relevant to this incident as it seems that it was the second ETS connection, the shunter's inability to safely make it at the first attempt due to a freight train on the adjacent line and the subsequent difficulties in connecting it that were the main issue. But this has now been addressed by changing the procedure such that the loco already attached which hauls the Glasgow portion draws it's half of the train forward permitting the loco for the Edinburgh portion to undergo all the various coupling operations in one single go, including the 61 way jumper cable, which should remove any confusion about what needs to be done when while the loco is coupled.

The direction in which the handle of the BPIC faces really isn't such a big deal. On any individual train there will be cocks facing every which way, and often cocks with different types of handles, but this poses no great issue. As with all other devices of this type, railway isolation cocks follow the global operational convention meaning that it is obvious which position is "open" and which is "closed". Rather than belittling the level of engineering you might have highlighted the rest of Paragraph 123 which explains that reversing the position of the BPIC handle also introduces a failsafe, in that an unlatched BPIC handle should vibrate into the safe (open) position.

I think you also either misunderstand or misrepresent some parts of the report. You assert that the 61 way jumper resulted in an instruction that meant that the brake test was not done as the last action, in contradiction to the Rule Book requirements. This is not true, as the Rule Book did not mandate that the brake test should be the last action at the time of this incident. In fact it still doesn't. The RAIB have only just recommended that the RSSB consult on having this explicitly stated in the Rule Book (Para 127). The requirement as it is stated in the Rule Book at present is that the brake test must be carried out when the loco is coupled, and at the time the brake test was carried out the loco was coupled, even though there were still electrical connections to be made (Para 76).



I think I'd just like to clarify this point. Yes the Cl73s (and Cl33/1s) had an EP brake, but this was to permit multiple working with SR EMUs and push-pull working with TC sets. Hauled dead, even by a Cl73, an SR EMU would be worked as a conventional two-pipe train.
Slight correction, Cromptons [class 33/1] although push/pull were not EP brake fitted. You just had to use the Westinghouse [ep off] position driving from a unit, apart from that fully compatible.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
53,267
Location
Up and down the south WCML (mostly)
In this regard the Cally Sleeper's Mk5s are no different from a lot of other stock where similar care needs to be exercised. For example, before "keying in" on a Voyager you must check on the TMS that there are no other keys already in, as having two keys in simultaneously causes an overload in the control circuits requiring the attention of the fitters.
Why should that kind of shoddiness be accepted or justified? It's a serious design flaw.

It should never be possible to do something with the standard user interface of any product that will break it or cause a safety issue. Obviously that isn't always possible (e.g. you couldn't have a car that you couldn't steer into a wall - though that said, auto-brake features are being introduced to cover that!) but things like this utterly beggar belief.

It may be necessary to work around that sort of thing by way of procedures, but it shouldn't be the case in the first place. Mind you, Boeing seem to think it is acceptable with safety-critical features, not that that has killed people or anything.
 

Taunton

Established Member
Joined
1 Aug 2013
Messages
4,693
I'm uncertain as to why you've seized upon these particular points nor why you consider them to merit comment.
I don't believe I am "seizing points" at all, they are items seriously made in the report that I believe are worthy of discussion, because taken together they show an overall trend across the whole issue.

As you might imagine from my user name I have had more than a passing interest in sleeper train compound issues that build up to a serious event.

One thing notable is to go back to the beginning of this thread, on the day of the incident, and review the range of points made by presumably those quite uninvolved in the event, yet a considerable number of the myriad items raised actually now appear to have been incorporated in the report. There's the ubiquitous commentator decrying these and saying we should "wait for the RAIB report", well now we have it, and I think you will find the correspondence between them all is somewhat uncanny.

A further item is one commentator there describing what seem to be chaotic scenes back in the passenger accommodation as the train approached Edinburgh, with catering equipment failed, toilets not flushing, the shower facilities not working, multiple failures of these various services. The report meanwhile states that the train manager was indeed not at their position because they were back in the train, trying to attend to all these, and furthermore the urgent alert that they can receive, apparently in each vehicle, that the driver is trying to contact them had been overwhelmed on the alerts display by all these toilet and other failures. For such a string of faults the brand new vehicles really do not seem to have been fit for purpose.

I think I'd just like to clarify this point. Yes the Cl73s (and Cl33/1s) had an EP brake, but this was to permit multiple working with SR EMUs and push-pull working with TC sets.
I just made this point against a prior comment that EP brakes on a locomotive are somehow impractical, yet the Scottish sleeper is currently using some of the very locos built with it.

Why should that kind of shoddiness be accepted or justified? It's a serious design flaw.
Quite. This train had a loco on both ends at Carstairs every morning during the detachment, it was part of the basic requirement. It was never a problem with the previous stock. Trains have been double headed, assisted, reversed, divided etc since railways began. You can look at things like 1950s dmus where all sorts of combinations, different manufacturers, units coupled any way round, having arrived from one direction or the other, etc, thereafter always set off all working correctly without issue. That was adequate design.
 
Last edited:

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
Why should that kind of shoddiness be accepted or justified? It's a serious design flaw.

It should never be possible to do something with the standard user interface of any product that will break it or cause a safety issue. Obviously that isn't always possible (e.g. you couldn't have a car that you couldn't steer into a wall - though that said, auto-brake features are being introduced to cover that!) but things like this utterly beggar belief.

It may be necessary to work around that sort of thing by way of procedures, but it shouldn't be the case in the first place. Mind you, Boeing seem to think it is acceptable with safety-critical features, not that that has killed people or anything.
I'm sorry, but you're starting to allow this to get out of proportion. This sort of situation has no parallels whatsoever with the 737Max and any attempt to draw one is just emotionally charged nonsense.

The key to your misunderstanding is your use of the word "product". A train is not a consumer product which has to be idiot-proofed with different shaped plugs and a battery compartment that prevents the batteries being inserted the wrong way around. I said it earlier in this discussion but it clearly bears repeating that the railways are not operated by 5 year olds and therefore there is no need to be going around idiot-proofing the equipment.

It is not possible to prevent a second key being inserted in the same way that it is not possible to prevent a second loco being attached to the Cally Sleeper's 61 way connection. No train is designed to work that way and the instances where this could happen are small, therefore it is entirely appropriate that there are procedural checks to protect against such mistakes. These are not difficult nor arduous to implement and ensure safe operation and the avoidance of mistakes.

I should just advise that you don't attempt to test the collision avoidance system on most cars, as it can very easily be defeated.

For such a string of faults the brand new vehicles really do not seem to have been fit for purpose.
Ah, there we go. I knew you were driving at something.

One thing notable is to go back to the beginning of this thread, on the day of the incident, and review the range of points made by presumably those quite uninvolved in the event, yet a considerable number of the myriad items raised actually now appear to have been incorporated in the report. There's the ubiquitous commentator decrying these and saying we should "wait for the RAIB report", well now we have it, and I think you will find the correspondence between them all is somewhat uncanny.
The sage accuracy of the earlier comments shouldn't be much of a surprise, as it really wasn't hard to piece together what happened to cause the overrun at Waverley. All we were waiting on from the RAIB was the precise chronology of the events and an explanation of how the train brakes came to be isolated from the loco.

A further item is one commentator there describing what seem to be chaotic scenes back in the passenger accommodation as the train approached Edinburgh, with catering equipment failed, toilets not flushing, the shower facilities not working, multiple failures of these various services. The report meanwhile states that the train manager was indeed not at their position because they were back in the train, trying to attend to all these, and furthermore the urgent alert that they can receive, apparently in each vehicle, that the driver is trying to contact them had been overwhelmed on the alerts display by all these toilet and other failures.
I'm curious about this, because it's not at all clear precisely how or when this fits in with the chronology of the incident. It may be that the set was having technical difficulties anyway, but I'm wondering whether the loss of supply from the OLE due to the VCB failing to close may have had any bearing. The loss of traction current to the loco will have meant a loss of ETS to the train. Therefore, high-draw circuits which rely on the ETS would have had no power causing widespread failure of all the devices attached to them.

This train had a loco on both ends at Carstairs every morning during the detachment, it was part of the basic requirement. It was never a problem with the previous stock. Trains have been double headed, assisted, reversed, divided etc since railways began. You can look at things like 1950s dmus where all sorts of combinations, different manufacturers, units coupled any way round, having arrived from one direction or the other, etc, thereafter always set off all working correctly without issue. That was adequate design.
I am aware of how things used to be. But technologies change and working practices along with them. Or should we continue with obsolete working practices, as we have been accused further up thread?
 

BigB

Member
Joined
20 Dec 2018
Messages
68
Location
Scotland
Quite. This train had a loco on both ends at Carstairs every morning during the detachment, it was part of the basic requirement. It was never a problem with the previous stock. Trains have been double headed, assisted, reversed, divided etc since railways began. You can look at things like 1950s dmus where all sorts of combinations, different manufacturers, units coupled any way round, having arrived from one direction or the other, etc, thereafter always set off all working correctly without issue. That was adequate design.
I was under the impression that the empty stock was brought to Euston top and tail, as well as Glasgow Central?? In addition during ECML diversions it was top and tailed to Wembley then tne leading engine removed and the stock reversed via Camden.
How is this managed if the guidance is not to do this because of the risk of overloading the circuits?
 

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
I was under the impression that the empty stock was brought to Euston top and tail, as well as Glasgow Central?? In addition during ECML diversions it was top and tailed to Wembley then tne leading engine removed and the stock reversed via Camden.
How is this managed if the guidance is not to do this because of the risk of overloading the circuits?
Presumably because the trailing loco is "dead in train" and therefore not providing any power supply to the train. I can imagine the additional safeguard of not attaching the 61 way jumper from both locos at the same time.
 

BigB

Member
Joined
20 Dec 2018
Messages
68
Location
Scotland
Presumably because the trailing loco is "dead in train" and therefore not providing any power supply to the train. I can imagine the additional safeguard of not attaching the 61 way jumper from both locos at the same time.
Thanks - I'm not familiar with the connections for Mk5s and didn't realise that the jumper is separate from the coupler.
So when ECS runs to Euston/GLC under normal operations, does the ECS loco detach and move forward before the "train" loco starts to provide power to the train?
For ECML diversions at Wembley is there a temporary lack of train power and reliance on batteries whilst the swap is done?
Just wondering what the process is to understand the report better around how this potential issue is normally managed.
Far better the overrun occurred at Edinburgh instead of Glasgow though....
 
Last edited:

Domh245

Established Member
Joined
6 Apr 2013
Messages
5,655
Location
Somewhere
The key to your misunderstanding is your use of the word "product". A train is not a consumer product which has to be idiot-proofed with different shaped plugs and a battery compartment that prevents the batteries being inserted the wrong way around. I said it earlier in this discussion but it clearly bears repeating that the railways are not operated by 5 year olds and therefore there is no need to be going around idiot-proofing the equipment.
It doesn't have to be, but it does make it a lot easier and safer to operate and for the sake of perhaps 2 hours extra going into the design and maybe a couple of £ extra during construction why wouldn't you design the safest most reliable thing you could. Sure the staff are highly trained, but that isn't a reason to allow complacency in terms of design - even the most highly trained member of staff will make mistakes when fatigued/under pressure/etc.

Out of interest, where would you draw the line in terms of 'idiot proofing' the railway - guards are highly skilled and wouldn't let a train move with a door open so there's no reason to have door/traction interlocks right?
 

O L Leigh

Established Member
Joined
20 Jan 2006
Messages
4,292
Location
In the cab with the paper
Thanks - I'm not familiar with the connections for Mk5s and didn't realise that the jumper is separate from the coupler.
The RAIB report has a very good photo of the couplings and connections on a Mk5 coach. The Delner only makes the mechanical and air connections. All electrical circuits are completed using jumper cables.

So when ECS runs to Euston/GLC under normal operations, does the ECS loco detach and move forward before the "train" loco starts to provide power to the train?
For ECML diversions at Wembley is there a temporary lack of train power and reliance on batteries whilst the swap is done?
Just wondering what the process is to understand the report better around how this potential issue is normally managed.
I don't know these operational details.

Far better the overrun occurred at Edinburgh instead of Glasgow though....
+1

It doesn't have to be, but it does make it a lot easier and safer to operate and for the sake of perhaps 2 hours extra going into the design and maybe a couple of £ extra during construction why wouldn't you design the safest most reliable thing you could. Sure the staff are highly trained, but that isn't a reason to allow complacency in terms of design - even the most highly trained member of staff will make mistakes when fatigued/under pressure/etc.

Out of interest, where would you draw the line in terms of 'idiot proofing' the railway - guards are highly skilled and wouldn't let a train move with a door open so there's no reason to have door/traction interlocks right?
I'm not sure where the 2 hours and couple of quid figures come from, but I suspect that they are a bit of a guess.

Additional layers of technology do not guarantee greater ease or safety of operation. All they do is add complexity and increase the number of systems that can fail and cause delays and cancellations. Yes I'm sure that you could come up with a system that mechanically locks all driver's key switches in the off position if a key is detected live in another cab, but this won't protect a unit you haven't yet coupled up to nor any unit that has been fully disposed (electrically dead) nor one where the TMS has had to be isolated or is failing to communicate with the rest of the train. Neither would it help matters much if the system fails and locks all the driver's key switches into the off position, as it would be required to do as a failsafe.

I'm not so sure that the charge of "complacency in design" is proven. Trains are designed for a purpose and, like everything else (yes, even your microwave oven), require a degree of competence in order to be operated correctly. They are capable of withstanding a degree of misuse, but if you push them too far beyond their design capabilities they are capable of sustaining damage that can negatively impact on their abilities to operate safely. And there are things that you can do as a user to ensure that you maintain this. Not reheating last nights takeaway curry still in it's foil container would be one, and not connecting two locos to the Cally Sleeper's 61 way connection would be another. It's simply a question of being familiar with and following the manufacturer's instructions.

Technology does get added where it is helpful and necessary. Newer traction now has an in-cab warning to alert the driver to any safety systems that have been isolated, such as EBS or TIS in another cab. Even older traction has been modified to increase the driver's awareness of things amiss with the train, such as an ADD alert on the Cl317s that I used to drive. But technology is not the whole answer. We've become so inured to the idea that we can do so many more things more safely thanks to technology that we have lost sight of it's limitations.

I agree that even highly trained staff can make mistakes from time to time, which is why the processes and procedures also have to be clear, unambiguous and fit for purpose. Human factors and non-technical skills are things that we are hearing a lot about within the industry, even at the operational level. Fatigue, lifestyle considerations and their impact on our fitness for duty are the hot safety topic, and have been for a few years now. Every company will have it's own policies and guidance on best practice for it's staff. We may still be operating on Human 1.0, but don't think that we've forgotten about it. It's getting the same attention and upgrades to ensure safety as the rest of the infrastructure.

I'm not going to play the game of "Spot the Line", except to say that I think that things are just about right. Where care needs to be taken this is ensured by implementing the correct procedures and processes. It's not so arduous to check the TMS on a Voyager before "keying in" or coupling, nor does it require such a huge alteration in the Cally Sleeper's coupling and uncoupling procedures to protect these trains from damage caused by careless use.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
53,267
Location
Up and down the south WCML (mostly)
I'm not so sure that the charge of "complacency in design" is proven. Trains are designed for a purpose and, like everything else (yes, even your microwave oven), require a degree of competence in order to be operated correctly. They are capable of withstanding a degree of misuse, but if you push them too far beyond their design capabilities they are capable of sustaining damage that can negatively impact on their abilities to operate safely. And there are things that you can do as a user to ensure that you maintain this. Not reheating last nights takeaway curry still in it's foil container would be one, and not connecting two locos to the Cally Sleeper's 61 way connection would be another. It's simply a question of being familiar with and following the manufacturer's instructions.
Sort of. With the microwave oven, you get a very clear warning if you've put metal in it by mistake in the form of arcing, and it can usually be turned off (by simply opening the door) well before it has chance to cause any actual damage. Though it wouldn't totally surprise me if some more advanced microwaves had some means of detecting arcing and automatically shutting off if it happens, or that some might have some form of fire/overheat detection in case you overcook something to the point of it catching fire.

The most dangerous risk a microwave would pose to someone if misused, though, would be quite literally to cook them alive if it were to be operated with the door open. Fortunately, literally every model has a feature preventing that from happening. That's a bit more like the analogy of having a feature whereby a train's brakes can be disabled without as a minimum any warning or notification that this is the case and the only visible evidence of it being a small isolating cock hidden well below platform level.

But the point I replied to regarding keying in in two places on a Voyager is an utterly ridiculous piece of design. That would be like, for instance, if you had a television set and you turned it on on the front panel, using the on button on the remote would cause it to fail and require repair. That would be ridiculous.

In summary, there are some dangerous failure modes you can't design out of a product (e.g. a car that you can't crash - but they *are* working on that!) - but if there is one that you can, you really should, regardless of whether it's for professional or personal use.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
53,267
Location
Up and down the south WCML (mostly)
I'm sorry, but you're starting to allow this to get out of proportion. This sort of situation has no parallels whatsoever with the 737Max and any attempt to draw one is just emotionally charged nonsense.
Well, er, it does. The railway was very, very lucky on a number of counts, and the incident caused nothing but embarrassment. But had it collided with another train, potentially a packed commuter DMU or EMU at that time of day, it could have killed people. That is surely a strong parallel.
 

Top