Sydney Trains internal safety investigation identified similar incidents i.e., where a freight train failed, that were not managed in accordance with the requirements of NTR 432, Protecting activities associated with in-service rail traffic. Recent ATSB investigations also identified examples where the requirements of NTR 432 and NPR 750 were not adequately applied.
Aurizon did not have measuring equipment available at its Stuart Yard to identify freight loads that were outside the permissible loading profile for transport via rail.
TasRail’s processes for ensuring immediate network control actions in response to emergencies (such as runaway and authority exceedance) fundamentally relied on the experience and knowledge of network control officers and did not include the provision of procedures, tools and checklists detailed enough to support the effective management of specific types of incidents that require a time-critical response.
The guidance provided by the Office of the National Rail Safety Regulator about the requirement to submit a notification of change included limited detail about the extent or type of changes that necessitated a notification. In addition, with regard to ‘a safety critical element of rolling stock’, it did not provide detail with regard to the interpretation of ‘safety critical’ and the applicability to equipment that may not be inherently part of rolling stock (such as remote control equipment).
There was limited practical guidance specifically for the Australian rail industry for the application of system safety assurance processes to the development of complex and safety-critical rail systems.
TasRail did not have a reliable process to systematically identify, track and analyse reported faults on its remotely-controlled train or to identify their potential safety implications.
Although TasRail had a detailed change management process in place, and had documented that the project to develop the third-generation remote control equipment was a significant change, the change management process had a limited capability to:
Although there were no previous accidents attributable to TasRail’s use of remote control equipment (RCE) over 19 years, TasRail did not identify or fully assess the safety implications of remotely-controlled train operations, or those of TasRail’s specific implementation. These included the:
TasRail commissioned the manufacture of, and continued to use, redesigned safety-critical remote control equipment for operating a locomotive without systematic assurance of its safety, leading to excessive reliance on the manufacturer. This was because TasRail did not:
Although Air Digital Engineering had safety as a design objective and safety elements were included in the remote control equipment, system safety assurance activities appropriate to its application were not conducted.
The Air Digital Engineering generation 3 remote control equipment (RCE) had several safety-related design and integration problems, which were readily identifiable. These included:
The TasRail cement loading facility at Railton had a downhill grade to the main line, and no devices to protect against a runaway.
Loss of adhesion leading to increased stopping distance was not recognised as a risk source for any type of collision in V/Line’s risk registers.
The processes involved in train preparation did not ensure a required minimum amount of sand in sand boxes.
Maintenance of the VLocity sander units did not include testing of sand discharge flow rates (or some other process) to confirm performance. Without performance checks over time, deficiencies could not be identified and addressed.
There was no suitable assessment of the performance of sanders on the VLocity three-car set against defined acceptance criteria for improved braking performance in low adhesion conditions.
The location of sanding nozzles (for braking) behind the wheels of the lead bogie was inconsistent with design practice existing at the time of the collision and was probably a recurring factor in diminished sander effectiveness on VLocity trains.
Safety controls were ineffective in mitigating against a train arriving at Ballarat Railway Station travelling at excessive speed and being unable to stop before colliding with the crossing gates closed against rail traffic.
Queensland Rail’s fatigue management processes for Citytrain train crew had limited processes in place to actively identify and manage the risk of restricted sleep opportunity resulting from late-notice roster changes.
Queensland Rail's process for the installation of signal aspect indicators (SAIs) did not provide sufficient detail to ensure consistent and conspicuous placement of SAIs at station platforms. This problem, combined with an SAI’s non-salient indication when the platform departure signal displayed a stop indication, increased the risk that an SAI would not be correctly perceived by a train guard.
