There was limited practical guidance specifically for the Australian rail industry for the application of system safety assurance processes to the development of complex and safety-critical rail systems.
TasRail did not have a reliable process to systematically identify, track and analyse reported faults on its remotely-controlled train or to identify their potential safety implications.
Although TasRail had a detailed change management process in place, and had documented that the project to develop the third-generation remote control equipment was a significant change, the change management process had a limited capability to:
Although there were no previous accidents attributable to TasRail’s use of remote control equipment (RCE) over 19 years, TasRail did not identify or fully assess the safety implications of remotely-controlled train operations, or those of TasRail’s specific implementation. These included the:
TasRail commissioned the manufacture of, and continued to use, redesigned safety-critical remote control equipment for operating a locomotive without systematic assurance of its safety, leading to excessive reliance on the manufacturer. This was because TasRail did not:
Although Air Digital Engineering had safety as a design objective and safety elements were included in the remote control equipment, system safety assurance activities appropriate to its application were not conducted.
The Air Digital Engineering generation 3 remote control equipment (RCE) had several safety-related design and integration problems, which were readily identifiable. These included:
The TasRail cement loading facility at Railton had a downhill grade to the main line, and no devices to protect against a runaway.
Loss of adhesion leading to increased stopping distance was not recognised as a risk source for any type of collision in V/Line’s risk registers.
The processes involved in train preparation did not ensure a required minimum amount of sand in sand boxes.
Maintenance of the VLocity sander units did not include testing of sand discharge flow rates (or some other process) to confirm performance. Without performance checks over time, deficiencies could not be identified and addressed.
There was no suitable assessment of the performance of sanders on the VLocity three-car set against defined acceptance criteria for improved braking performance in low adhesion conditions.
The location of sanding nozzles (for braking) behind the wheels of the lead bogie was inconsistent with design practice existing at the time of the collision and was probably a recurring factor in diminished sander effectiveness on VLocity trains.
Safety controls were ineffective in mitigating the risk of a train arriving at Ballarat Railway Station travelling at excessive speed and being unable to stop before colliding with the crossing gates closed against rail traffic.
Queensland Rail’s fatigue management processes for Citytrain train crew had limited processes in place to actively identify and manage the risk of restricted sleep opportunity resulting from late-notice roster changes.
Queensland Rail's process for the installation of signal aspect indicators (SAIs) did not provide sufficient detail to ensure consistent and conspicuous placement of SAIs at station platforms. This problem, combined with an SAI’s non-salient indication when the platform departure signal displayed a stop indication, increased the risk that an SAI would not be correctly perceived by a train guard.
Limitations in Queensland Rail’s application of risk management and change management processes relevant to the introduction of the new generation rollingstock (NGR) increased the risk of a start against signal SPAD (signals passed at danger).
BHP's fatigue management processes required its train drivers to be rostered on 7 12-hour shifts, followed by a 24-hour break and then 7 12-hour shifts, with the roster pattern commencing at a wide variety of times of day. Such roster patterns were likely to result in cumulative sleep restriction and levels of fatigue likely to adversely influence performance on a significant proportion of occasions, and BHP had limited processes in place to ensure that drivers actually obtained sufficient sleep when working these roster patterns.
The automatic train protection (ATP) and electronically controlled pneumatic braking (ECPB) systems on BHP’s trains could not interface to dump brake pipe pressure if an ECPB emergency or penalty brake application became ineffective in arresting an uncommanded train movement.
Although operating instructions OI 17-11 (5 April 2017) and then OI 18-72 (3 November 2018) contained a safety-critical action (to apply the automatic brake handle to the pneumatic emergency position), BHP did not clearly communicate the importance and reasons for the safety-critical action to drivers, reducing the potential for the drivers to correctly recall this procedural action.