Passenger Lives Saved by Rail ATP versus Installation Risk to Employees

20 02 2010

Prof. John McDermid of the University of York asked me if I had documentation for the suggestion in my post on the Buizingen collision that the number of fatalities to trackside workers expected in installing ATP universally on rail tracks might be larger than the number of passenger lives expected to be saved by ATP. I was thinking specifically of British railways. Prof. Dr. Jens Braband of Siemens Rail Automation, who has also taught a course on risk at the Technical University of Braunschweig for many years (if you read German you might like to check out his textbook on it) and who currently does a lot of work for and with the European Rail Authority, took a look at ERA statistics and didn’t find support for the assertion.

This morning I surveyed the annual Safety Performance Reports from the U.K. Rail Safety and Standards Board, from 2000 to 2009. All of them include details of individual fatalities. I only considered fatalities, and not serious injuries, so this is not an assessment of total personal risk. Details follow. There are three columns: Year, Trackside Employee Fatalities, specifically restricted to those struck by moving trains, and Passenger Fatalities, specifically restricted to those occurring in collisions between two moving trains. Note that these figures must be extracted specifically from the descriptions of individual accidents.

Year: Trackside Employee Fatalities: Passenger Fatalities

2009: 1: 0

2008: 3: 0

2007: 2: 0

2006: 2: 0

2005: 5: 0

2004: 8: 0

2003: 0: 0

2002: 1: 0

2001: 4: 0

2000: 2: 0

1999: ?: 31 (Ladbroke Grove)

Note that there are significant passenger-fatal train accidents in 2000, when 4 people were killed in the Hatfield derailment and 10 people, including the driver of the automobile, two train drivers, two other train staff, and five passengers, at Great Heck. In 2002, 6 passengers were killed in the derailment at Potters Bar.

In summary, it is not clear what one may infer from these figures. 31 passengers died at Ladbroke Grove in 1999 as a consequence of a train collision following from a SPAD. In the ten years since then, no passenger has died as a consequence of a train collision following a SPAD. 28 trackside workers have died.

Can we go further back, maybe, to obtain some more figures? Not really – the environment has changed significantly. Because of systematic attention paid to them over the last decade since Ladbroke Grove, the number of SPADs in the last few years has been under 15% of the 2001 baseline level. Pre-1999 statistics come from a different safety environment.

Conclusions? This is a typical case in which the risk of a very rare event is compared with the risk of rare but regularly-occurring events. One big accident, such as Ladbroke Grove, changes the figures completely. It seems that ATP installation risk versus passenger lives saved is a difficult balance to assess.
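The sensitivity described above can be made concrete with the figures from the table; the following Python sketch is an added example, not part of the original post. It assumes fatal train-train collisions arrive as a Poisson process with a constant rate, and the "every collision as severe as Ladbroke Grove" severity is purely an illustrative assumption.

```python
import math

# Figures transcribed from the table in this post (RSSB Safety Performance Reports).
# year -> (trackside employees struck by trains, passengers killed in train-train collisions)
FATALITIES = {
    2009: (1, 0), 2008: (3, 0), 2007: (2, 0), 2006: (2, 0), 2005: (5, 0),
    2004: (8, 0), 2003: (0, 0), 2002: (1, 0), 2001: (4, 0), 2000: (2, 0),
}
# 1999 is kept apart: the table gives 31 passenger deaths but "?" for trackside.
LADBROKE_GROVE_PASSENGER_DEATHS = 31


def poisson_upper_bound_zero_events(years, confidence=0.95):
    """Upper confidence bound on an event rate (per year) after zero observed events.

    Under the Poisson assumption P(0 events in `years`) = exp(-rate * years);
    the bound is the rate at which that probability falls to 1 - confidence.
    """
    return -math.log(1.0 - confidence) / years


def summarise():
    years = len(FATALITIES)
    trackside_total = sum(t for t, _ in FATALITIES.values())
    passenger_total = sum(p for _, p in FATALITIES.values())
    collision_rate_upper = poisson_upper_bound_zero_events(years)
    return {
        "years": years,
        "trackside_total": trackside_total,
        "trackside_per_year": trackside_total / years,
        # Same quantity, two windows: moving the start by one year changes everything.
        "passenger_per_year_2000_2009": passenger_total / years,
        "passenger_per_year_1999_2009":
            (passenger_total + LADBROKE_GROVE_PASSENGER_DEATHS) / (years + 1),
        # Zero collisions in ten years does not show that the rate is zero.
        "collision_rate_upper_95": collision_rate_upper,
        # Illustrative assumption: each such collision kills as many as Ladbroke Grove.
        "passenger_per_year_upper_95":
            collision_rate_upper * LADBROKE_GROVE_PASSENGER_DEATHS,
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key:32s} {value:.3f}" if isinstance(value, float) else f"{key:32s} {value}")
```

Ten collision-free years are statistically compatible with anything from zero to roughly nine passenger deaths per year under these assumptions, a range that brackets the trackside average of 2.8 per year.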



Monday’s Train Collision between Buizingen and Halle, near Brussels, Belgium

16 02 2010

At 08.30 am MET (07.30 am UTC) on Monday, 15 February 2010, a commuter train and an intercity train collided in Buizingen, in the greater Brussels region. Initial reports mentioned a “head on” collision, but De Standaard reported (in Dutch) that one train ran into the side of another, presumably at a set of points. The high-speed lines for the Thalys Cologne/Amsterdam-Brussels-Paris service, as well as for the Eurostar Brussels-London service, neighbor the accident track, and services have remained suspended during rescue and investigation operations. A spokesperson for Infrabel, the rail infrastructure maintenance organisation, is reported to have estimated that it will take a further 16 hours after the rescuers and investigators have finished and debris has been cleared to free the high-speed lines for use.

This commentary is based on the best reports I have found on the accident: New York Times, 15 February and New York Times, 17 February. There is already a Wikipedia article on the collision with some useful on-line news references.

There are two themes I wish to address here. First, the premature announcement of «cause» by public figures, and its consequences. Second, the involvement of the judiciary and its operatives (police) as primary investigators.

Lodewijk de Witte, the premier of the local region Flemish Brabant, was reported Monday after the crash as saying that it was likely caused by one of the drivers running through a signal at danger, in English terminology a Signal Passed At Danger, or SPAD. Local dignitaries seem under pressure to make such cursory judgements. I recall the Lathen Maglev accident in September 2006, in which Alexander Retemeyer, the state attorney responsible for the investigation, said on the day of the accident that “human error” was the likely cause, by which he meant the operators and controllers on duty at the time, the people at the “pointy end”. Even our local newspaper, the Neue Westfalische Zeitung (NW), had figured out a day later that, rather than it being all “human error”, certain technical configurations had played a causal role. Indeed, as became clear, a lot of them: the service vehicles were not incorporated into the technical track safety system for the Maglev, the usual waiting position for service vehicles was not covered by the otherwise-ubiquitous CCTV cameras, the two boards showing location respectively of service vehicles and Maglev trains were in separate places in the control room, the controllers of the service vehicle and the Maglev train were two different people, even though all vehicles operated on the same single track, and the voice communications systems were separate for service vehicles and Maglev, all of which became evident over the next few days (see my contribution to the 9th Bieleschweig Workshop in 2007, linked below, for details). Many of these factors have also played a role in other rail accidents; for example, separate control/communication systems for two trains using the same track played a causal role in the Glenbrook accident in Australia.

One of the consequences of de Witte’s premature statement is that train drivers have been striking. The strikes are what the Brits call “wildcat”, that is spontaneous and not organised by the union. 75% of the drivers in the Wallonia region (French-speaking Southern Belgium) are reported to be absent, and in the Flemish region it is “more sporadic”. The strikes began in Leuven, the home town of Johan de Keyser, the driver of the intercity train, who was killed.

State railway statements have been more sober concerning cause. Jochen Goovaerts, the SNCB spokesman, was reported as saying it was too early to know the cause, and “we are not going to speculate about that until the investigation has been completed”.

Maybe this large-scale action by stakeholders will help dampen the tendency towards premature speculation on causes by public figures. I believe that this premature speculation is not helpful for safety. Indeed, it may very well hinder appropriate action on countermeasures. My reasoning to this conclusion is as follows. Case studies show that premature speculation is more likely than not to be misleading; however, the misleading “cause” cited at the time is more likely to remain in the “public mind” than the causal factors which are identified by the investigation, for these come out months or years later when the incident is no longer “news”; the «instant» but misleading factor is thus more amenable to use in political arguments for specific countermeasures (many countermeasures require political action to implement, and thereby a measure of support from stakeholders such as the travelling public); which in turn may lead to non-optimal countermeasures being preferred.

That all sounds very abstract. Let me make it concrete. Let’s look at a possible political development. De Witte says “driver ran a stop signal”; the public remembers this because it is in the same news from which they learnt about the crash; someone starts a campaign for universal installation of “automatic train protection” (ATP) on Belgian rail; this garners public sympathy as people remember what was said (prematurely) about the cause. Whereas, as far as we know at the moment, it may have been that the signal in question was not showing a red aspect for some reason, or that some points were wrongly set. In neither of those cases would ATP have helped: the appropriate countermeasures for the future would rather involve improvements to the technical reliability and security of signalling systems.

Let me consider the issue of ATP as this debate has played out in Britain.

The various ATP systems work as follows. There are trackside status-transmission devices in the neighborhood of signals and sensors on the trains. When the signal is at danger (red) and a train overruns the signal, the status is read by the sensor on the train and emergency brakes are automatically applied, no matter what the driver does. The German «Indusi» system (for «induktive Signalsicherung», inductive signal protection), based on trackside magnets, has been in operation since 1934.

After the 1999 Ladbroke Grove accident in the neighborhood of London’s Paddington station, which bears some superficial resemblance to Monday’s Buizingen accident, there was a call for universal installation of ATP on British rail services. (At Ladbroke Grove, a local train ran a red signal and ran into the side of a Bristol-London express train. The number of people killed lay in the 30s. There was a public inquiry, chaired by Lord Cullen, who had previously chaired inquiries into the Piper Alpha North Sea oil platform fire and the Kings Cross underground station fire.) Similarly, in our local paper, the NW, there was a sidebar to the Buizingen accident story on Tuesday morning explaining how «it couldn’t happen here» (in Germany) because of the «Indusi» system.

The two main issues with introducing ATP universally into British rail operations are that it is likely to cause more deaths and injuries than it saves, and that it costs an enormous amount of money to install universally. Maybe that money could better be spent on public safety measures which are likely to save more lives than they cost.

How can this be, that ATP is likely to cost lives in net terms? Trackside workers suffer deaths and injuries which are amenable to statistical treatment. Similarly, statistics are available on deaths and injuries to occupants of trains, and the causes of every accident are investigated. It turns out that the statistics suggest that more trackside workers are likely to be killed or injured during installation of ATP than train occupants are likely to be saved by it. (I have been asked by a colleague for a citation to a definitive statement of this phenomenon, and will provide one in due course.)

Following the 1999 Ladbroke Grove accident, the British Health and Safety Executive began publishing monthly public SPAD reports. This task has been taken over by the Office of Rail Regulation, which publishes quarterly SPAD reports. The Rail Safety and Standards Board publishes monthly public SPAD reports amongst its Safety Performance Reports. I have no idea whether the safety benefits this public reporting brings (for example, quick identification of deleterious trends through many pairs of eyes, many of them volunteer) can be quantified. My intuition tells me that extensive public information on safety is almost always a Good Thing. For one thing, it enables public assessment of countermeasures based on established engineering facts, and not on the whimsical reactions to particular accidents by inexpert public figures.

On to my second theme. The driver of the commuter train in Buizingen saw the accident coming, and retreated into the lead car before the collision after applying the emergency brakes. Apparently he is severely injured, but survived. Here comes another well-known negative factor: he will be interviewed first by the police.

The police and judicial system seem to be the primary investigators. This, also, is not necessarily a good thing, for reasons which are explored in detail using many case studies in my talks to the OFFIS Open Day on transportation safety in Oldenburg and at the 9th Bieleschweig Workshop, in 2007. This is a prominent theme in commercial aviation at the moment, since the public prosecution of various people allegedly involved in the Concorde takeoff accident in 2000 has just started in France, and this is one of a series of recent judicial involvements in aviation accidents that eminent aviation safety organisations such as the Royal Aeronautical Society, the Flight Safety Foundation, the Civil Air Navigation Services Organisation, and the Academie de l’Air et de l’Espace have all deplored. My recitation of their reasons, along with some more case studies of my own, may be found in my somewhat lengthy contribution to the 9th Bieleschweig Workshop in 2007.

The debris at Buizingen is all still in place. The rescuers are not sure they have accounted for all occupants; there is one still missing apparently. After the track debris has been cleared, we then have a further 16 hours for the high-speed lines to be freed. It seems Thalys and Eurostar services will remain suspended until that occurs. This is the second time in two months that Eurostar services from Brussels have been suspended for many days. I am scheduled to use Eurostar again in late March, and in late February the Thalys to Paris. It was pointed out in the article that Brussels is a key node, connecting Cologne, Amsterdam, Paris and London, all within two hours or less of Brussels by high-speed train. Indeed so. This infrastructure connecting four of Europe’s capital cities and one of its most significant non-capital cities is more valuable than anybody has yet seen fit to assess.



Thoughts on the Luge Crash in Vancouver

13 02 2010

There are areas of technological safety which are almost all about people and behavior, for example road safety. Roads form a very open system; there are pedestrians, young children, old people, slow people, cyclists, animals, parked cars, broken-down cars, large users and so on. There are some technical things one can do to improve safety, but in the end there would be very, very few injurious accidents if people were to drive more slowly and pay more attention to the constraints imposed by the immediate environment. Simply enforcing speed limits and permitted blood-alcohol level on motorways (freeways and turnpikes) more rigorously in France in the 1990s led to an almost-immediate reduction of one-third in motorway fatalities, which persisted. Technology can do some things, such as air bags and crashworthiness, as well as helping enforcement, such as by using GPS-tagged recording of road speed of individual cars to enforce limits on speed, as is being discussed in Great Britain. But measures which need enforcing are a people-behavior thing, not a technology thing, even when means of enforcement are technological.

Then there are areas of technological safety which are far more based on the technological side: operational safety of nuclear power plants, for example, in which appropriate values of physical parameters relevant for safety are more or less well-known, and technically monitored, operators play much more of a supervisory role, and dangerous incidents are far fewer.

Sports is somewhere in between. A certain amount of danger, and of skilled overcoming of risk, is part of many traditional sports. Downhill skiing and luge are two examples; bob less so, since I am told one ducks inside the bob when things go pear-shaped. Formula One car racing used to be like that, but manufacturers and circuit designers paid a lot of attention over the decades to not losing their most important assets, the people, and now it has spectacular crashes which are almost devoid of life-threatening injuries.

Then there are sports such as rock climbing, which in the 1980s evolved the fashion of climbing extreme routes without protection of any sort, pioneered by, amongst others, John Bachar, who died last year in his early 50s when he fell off a solo climb in the Eastern Sierras (the Economist had an elegant obituary, but I don’t know if it is accessible any more to non-subscribers).

In regard to safety, I would distinguish morally between activities in which an individual decides freely to undertake risk, such as Bachar and his peers who climb without protection, and organised activities in semi-controlled environments, such as downhill ski racing and luge racing. I am sure we can all think up our list of relevant distinctions, and I imagine if we look more closely we will find the spectrum from highly open to very controlled is quite dense.

Sports such as ski racing and luge take place in a far more controlled environment than road travel. The tracks are laid out, prepared, boundaries are secured and foreign objects and people kept out as far as possible. Solid objects are, usually, padded, although there seems to be still no real calculation of effectiveness, which can be accomplished to a first approximation with freshman calculus (speed is more or less known, say S; thickness of padding T = maximum distance from speed S to speed 0; deceleration may be calculated; the decelerations which may be generally withstood by a human body in various configurations are somewhat known; thereby some value of T may be derived). The social norms of safety are looked at when there is a failure, such as the death of two-time Super-G World Champion Ulrike Maier in 1994 at Garmisch-Partenkirchen. Maier lost control, and hit a solid object much too solid for her human body. She had already told TV journalists (in the clip above, in German) that she found the course too dangerous.
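The first-approximation padding calculation sketched in the paragraph above, carried through with its symbols S and T as an added worked example (not part of the original post). Uniform deceleration a, the tolerable limit written as a multiple n of g, and the sample values of n are assumptions; S = 145 km/h is the luge speed quoted later in this post.

$$
S^2 = 2aT \quad\Longrightarrow\quad a = \frac{S^2}{2T}, \qquad T \;\ge\; \frac{S^2}{2\,a_{\max}}, \qquad a_{\max} = n\,g,\;\; g = 9.81\ \mathrm{m/s^2}
$$

$$
S = 145\ \mathrm{km/h} \approx 40.3\ \mathrm{m/s}: \qquad T \;\ge\; \frac{(40.3)^2}{2 \cdot 9.81\, n}\ \mathrm{m} \approx \frac{82.7}{n}\ \mathrm{m}, \qquad n = 20 \Rightarrow T \gtrsim 4.1\ \mathrm{m}, \quad n = 50 \Rightarrow T \gtrsim 1.7\ \mathrm{m}
$$

Here S should be read as the component of speed directed into the obstacle. Whatever the padding does, the deceleration averaged over the stopping distance is S²/(2T), so uniform deceleration gives the lowest possible peak and these values of T are lower bounds.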

Now there comes the shocking death of luge racer Nodar Kumaritashvili while practicing for the Vancouver Winter Olympics. The New York Times has an “interactive graphic” (a sequence of diagrams and photographs) showing the accident. Hindsight is a wonderful thing, but let us look at the configuration. Here is a curve in which racers have attained top speed (somewhere around 90mph, 145kph), and a very short distance after the curve the track boundary appears to be some 2 meters high. Here, outside and above the track, there are metal support pillars, which were unpadded at the time Kumaritashvili hit one.

It appears there have been the usual pronouncements about risky sports, competitors’ knowledge of those risks, and skill levels required to be “safe” (these latter comments manifestly missing when Ulrike Maier died in her broadly similar accident). Still, I looked at those unprotected pillars and thought: Why? I imagine many safety engineers will have a similar reaction. It doesn’t seem to me that organised sports activities of this nature apply similar standards of safety engineering as in aviation or nuclear power. Why not? More to the point, what will it take, socially, to bring the familiar technical safety engineering, including hazard analysis and mitigation, into risky professional sports?

Safety in professional sports is a many-faceted topic. The connections between brain damage and concussions have been known since the 1930s. The U.S. National Football League has recently commissioned a study into ex-footballers who have suffered from dementia, and there are new guidelines for handling concussed players in professional (American) football. It is much more difficult to see how to protect players from each other than to see how to protect humans from solid objects.

PBL