Sydney Trains internal safety investigation identified similar incidents i.e., where a freight train failed, that were not managed in accordance with the requirements of NTR 432, Protecting activities associated with in-service rail traffic. Recent ATSB investigations also identified examples where the requirements of NTR 432 and NPR 750 were not adequately applied.
Although an applicable height of 1,000 ft for stabilised approach criteria in instrument meteorological conditions has been widely recommended by organisations such as the International Civil Aviation Organization for over 20 years, the Civil Aviation Safety Authority had not provided formal guidance information to Australian operators regarding the content of stabilised approach criteria.
The Australian requirements for installing a terrain avoidance and warning system (TAWS) were less than those of other comparable countries for some types of small aeroplanes conducting air transport operations, and the requirements were not consistent with International Civil Aviation Organization (ICAO) standards and recommended practices. More specifically, although there was a TAWS requirement in Australia for turbine-engine aeroplanes carrying 10 or more passengers under the instrument flight rules:
Although the operator had specified a flight profile for a straight-in approaches and stabilised approach criteria in its operations manual, and encouraged the use of stabilised approaches, there were limitations with the design of these procedures.
Although the helicopter manufacturer’s instructions for continuation in service for the clutch shaft forward yoke specified that the condition of the yoke was to be inspected to verify that no cracks, corrosion, or fretting was present, it did not provide specific instructions for the method to be employed. The visual inspection that was employed increased the risk that a crack in that area may not be detected.
Aurizon did not have measuring equipment available at its Stuart Yard to identify freight loads that were outside the permissible loading profile for transport via rail.
TasRail’s processes for ensuring immediate network control actions in response to emergencies (such as runaway and authority exceedance) fundamentally relied on the experience and knowledge of network control officers and did not include the provision of procedures, tools and checklists detailed enough to support the effective management of specific types of incidents that require a time-critical response.
The guidance provided by the Office of the National Rail Safety Regulator about the requirement to submit a notification of change included limited detail about the extent or type of changes that necessitated a notification. In addition, with regard to ‘a safety critical element of rolling stock’, it did not provide detail with regard to the interpretation of ‘safety critical’ and the applicability to equipment that may not be inherently part of rolling stock (such as remote control equipment).
There was limited practical guidance specifically for the Australian rail industry for the application of system safety assurance processes to the development of complex and safety-critical rail systems.
TasRail did not have a reliable process to systematically identify, track and analyse reported faults on its remotely-controlled train or to identify their potential safety implications.
Although TasRail had a detailed change management process in place, and had documented that the project to develop the third-generation remote control equipment was a significant change, the change management process had a limited capability to:
Although there were no previous accidents attributable to TasRail’s use of remote control equipment (RCE) over 19 years, TasRail did not identify or fully assess the safety implications of remotely-controlled train operations, or those of TasRail’s specific implementation. These included the:
TasRail commissioned the manufacture of, and continued to use, redesigned safety-critical remote control equipment for operating a locomotive without systematic assurance of its safety, leading to excessive reliance on the manufacturer. This was because TasRail did not:
Although Air Digital Engineering had safety as a design objective and safety elements were included in the remote control equipment, system safety assurance activities appropriate to its application were not conducted.
The Air Digital Engineering generation 3 remote control equipment (RCE) had several safety-related design and integration problems, which were readily identifiable. These included:
The TasRail cement loading facility at Railton had a downhill grade to the main line, and no devices to protect against a runaway.
Loss of adhesion leading to increased stopping distance was not recognised as a risk source for any type of collision in V/Line’s risk registers.
The processes involved in train preparation did not ensure a required minimum amount of sand in sand boxes.
Maintenance of the VLocity sander units did not include testing of sand discharge flow rates (or some other process) to confirm performance. Without performance checks over time, deficiencies could not be identified and addressed.
There was no suitable assessment of the performance of sanders on the VLocity three-car set against defined acceptance criteria for improved braking performance in low adhesion conditions.
