Tangmere SPAD at Wootton Bassett, 7th March 2015

or: Rail Safety Equipment Designed By Morons

Update: The RAIB report is out - see here for link and comments

On 7th March 2015 at 1725, Bulleid Pacific 34067 Tangmere passed a signal at danger near Wootton Bassett Junction while working a steam-hauled excursion train, reporting number 1Z67. The train eventually came to a stand across the junction. Fortunately, the conflicting movement across the junction which the signal at danger was protecting had just passed the junction and so what could have been a very nasty accident was avoided, with neither injury nor damage occurring.

The preliminary investigation by the Rail Accident Investigation Board (RAIB) has disclosed that:

...at around 17:24 hrs, train 1Z67 was approaching signal SN43 at 59 mph, when it passed over the temporary AWS magnet associated with the TSR. This created both an audible and visual warning in the locomotive's cab. However, as the driver did not acknowledge this warning within 2.7 seconds, the AWS system on the locomotive automatically applied the train's brakes. This brake application should have resulted in the train being brought to a stand. In these circumstances, the railway rule book requires that the driver immediately contact the signaller.

The RAIB has found evidence that the driver of 1Z67 did not bring the train to a stand and contact the signaller after experiencing this brake application. Evidence shows that the driver and fireman instead took an action which cancelled the effect of the AWS braking demand after a short period and a reduction in train speed of only around 8 mph. The action taken also had the effect of making subsequent AWS or TPWS brake demands ineffective.

Well, that sort of arse-faced deliberately obfuscatory language is the sort of thing that immediately gets my back up. "Took an action", for fuck's sake... took what action? Stop being a bunch of tossers and trying to fucking hide things. Either tell us what the fucking "action" actually was or don't bother bloody mentioning it at all. Twats. It's like those stupid fucking newspaper reports of car accidents where they say the car was "in collision with" something (no, it fucking crashed you tits) and show a picture of it on its roof somewhere you couldn't get it to even with a crane, but don't say a blind bloody thing about what actually happened so you are left baffled about how the fuck it could have happened at all. It leaves you more confused and knowing less than before you read it and you never do get to find out exactly how the fuck the car ended up upside down forty feet up in a tree. Stupid uninformative cunts.

So I started googling, and fortunately it turns out that, unlike the car crash cunt reports, in this case it is pretty straightforward to work out exactly what they did.

When the AWS or TPWS equipment decides to put the brakes on, it does so by de-energising an electro-pneumatic (EP) valve, causing it to open and admit air to the vacuum pipe. Here is a picture of the footplate of a Bulleid Pacific (not the same one), with the EP valve at bottom left highlighted in red:

AWS/TPWS isolating valve location on footplate of Bulleid Pacific

Unfortunately that picture is a bit small and shit, so here is a larger and clearer picture of the same valve in the context of AWS/TPWS being installed on a GWR "King":

AWS/TPWS isolating valve location on footplate of GWR "King"

And here is a close-up of the valve:

Close-up of AWS/TPWS isolating valve

With that information, coupled with Network Rail having instructed the train operator concerned to, among other things, "demonstrate there is in place an effective and secure system of tamper-evident seals for train protection isolator cocks on all relevant traction", it is a doddle to solve the mystery.

"Took an action" translates as "They screwed down that wheel on top of the valve thereby preventing it from operating".

And we can also readily determine that Network Rail's instruction isn't actually worth a wank. You can still trivially defeat the operation of the valve without touching the handwheel at all. On the other side of that valve is vacuum. That means that you can wrap around it, covering those meshed holes, a plastic bag, or a wet hanky, or even your hand if you've got big hands, and when the valve opens the obstruction will be sucked against the holes and block them - perhaps not perfectly, but certainly well enough that there will be only a small amount of leakage which will be well within the capacity of the ejector to deal with and so vacuum will be maintained.

What they SHOULD be instructing the operator - and all other operators of steam locomotives on the main line - to do is: reposition the valve so that it is OUTSIDE the cab, so that you can't get to it without first bringing the train to a halt. (Which, be it noted, is no disadvantage, since you're supposed to do that anyway and then get permission to use the valve.)

For fuck's sake. What the fuck is wrong with them that they can't get it through their heads that IF YOU DESIGN A SYSTEM SUCH THAT PEOPLE CAN FUCK WITH IT, PEOPLE WILL FUCK WITH IT? What kind of gormless fucking moron ever set the specifications for AWS/TPWS installations on steam locomotives such that it was acceptable to mount that valve where it is readily accessible with the locomotive in motion in the first place? I'd love to see those fuckers try and write a website, and watch it get hacked to fuck within days of going live.

They seem to think that because it is "against the rules" to fuck with the system then that is enough to stop people doing it. Which is BOLLOCKS. Fuck the fucking "rules". You do NOT rely on fucking "rules" to stop people abusing a system. You design it so that they simply are not able to abuse it, because if you don't, they fucking well will abuse it, rules or no fucking rules.

Yes, I know the railways are stuffed to bursting with dimwitted cunts who have no idea of context and allow exposure to the necessity of obeying the rules of railway operation to program their entire mind into treating all rules, anywhere, as divine writ set down immutably on stone tablets for all time. They are a pain in the fucking arse because they refuse to acknowledge that rules and laws and regulations are an imperfect human creation capable of being changed or abolished or simply considered with complete legitimacy to be bloody stupid, so if anything to do with any sort of rule comes up in discussion with them they immediately get stuck in a logical hole confusing the nature of the rule with the nature of a law of physics and proceed from that point on in a manner which is fundamentally irrational while insisting that it is the opposite, which turns them into instant cunts. They probably wear shapeless grey hooded robes when they are off duty. But just because there are fuck loads who are like that does not mean that there aren't any who are not like that. There most certainly are, and they crop up time after time in railway accident investigation reports... nearly as often, in fact, as thoroughly dedicated Auditors who have suffered a temporary brain fart at a critical moment.

It's not just a few installations on steam locomotives, either. AWS/TPWS installations on modern stock - ie. stuff that runs in regular passenger service - can in at least some cases be defeated by tripping the MCB for the wheel slip protection system. This confuses the AWS/TPWS with the result that it will not apply the brakes in situations where it otherwise would - ie. just like fucking with that valve on a steam locomotive does. And this is on stock in widespread service.

(It is, of course, a prime example of fucking stupid shit design. I guess what they've done is cut corners by having one system use the output from the other system's wheel rotation sensor, or something along those lines. But you do not make a safety-critical system dependent on an unrelated non-critical system's correct operation. That is, like, really basic shit. Because it is a fine way to introduce exactly this sort of stupid-arse vulnerability, and indeed that is what does happen very nearly every time yet another thick cunt does it.)

What the FUCK is wrong with the railways that despite having been going since the early 19th century they STILL have not learned the most basic aspects of designing a secure system? It's not as if they haven't had enough opportunities to learn the fucking lesson. Right at the start they found it necessary to devise tamper-proof safety valves for steam boilers to prevent the engine crew compensating for poor locomotive performance by tying down the safety valve to increase the boiler pressure and causing a massive fucking great explosion. Of course it was against the rules to do that but it didn't stop anyone. Even knowing that doing it meant they would probably end up fucking DEAD didn't stop them. The only way to stop them was to redesign the safety valves so it simply wasn't possible to fuck with them. Because that is how fucking stupid people are.

There are fuck loads of other examples of this sort of shit because no matter what happened the railways have persistently refused to learn that "rules" are not sufficient to stop people doing fucking stupid things. Here, for example, is the report on the Conington South accident in 1967. Although "accident" is hardly the word. The signalling equipment was designed to stop people accidentally doing stupid things, but it was not designed to stop people deliberately doing stupid things, with the result that when some idiotic prick of a signalman decided that it would be a great idea to see what happened if you moved the points underneath a passing train, he was able to do it, and what happened was exactly what you might expect.

A more egregious example of fucking stupid design is demonstrated by the accident at Audenshaw Junction in 1970. When I first read this it took me a long time and a lot of looking up background and context and stuff before I could understand properly what was going on, because I simply couldn't get it through my head that a signalling installation - well, lots of signalling installations, because this was far from the only instance - could be so fucking badly designed. Not only does it expose live electrical contacts during normal operation - never mind that they're at low voltages and so aren't dangerous to touch, you still don't do that in the first place - the position and function of those contacts is such that you can defeat the safety interlocking by shorting them with any handy piece of metal, such as a metal-bodied lamp or a knife or a fireplace poker. Doing this is, of course, against the rules. But equally of course, that didn't stop people doing it when it made the job easier. So they did do it, and the inevitable result was that an accident occurred which would not have happened if the signalling equipment hadn't been designed by a fuckwit.

The report acknowledges that the design was dependent on people following the rules and not deliberately trying to subvert it. It also acknowledges that loads of people knew how to subvert it and that the practice was widespread. It then goes on to say that the other similarly-designed installations on that route were being fitted with shields to prevent people doing it. But plenty more were not, and the practice remained widespread in all areas where the shite design made it possible. It was known as the "knife trick" or "poker trick"; casual references to it by signalmen or ex-signalmen are not uncommon on the net, always in terms of it being something the other chaps did but not me oh no never honest I never did it etc., and it is not possible to say when all the dodgy signalboxes were finally sorted. Indeed it may well be that they never were.

I have even observed for myself a safety system being routinely defeated to make the job easier. On the way to school there was a box-controlled level crossing and we would often get held up there waiting for a train to pass. One afternoon the signalman invited us into the box and showed us round and demonstrated how he worked it. There was some switch or other - I can't remember what it was for, I was only about 7 at the time - which was supposed to be for emergency use only and was enclosed in a little box with a glass front panel, the idea being that in emergency you would break the glass and this event and its subsequent repair would all be recorded. What actually happened was that the enclosure wasn't screwed down and the signalman would simply slide it off and work the switch whenever it was convenient. He even explained that he wasn't supposed to do this but everyone did do it and he did it in front of us while I watched. As far as I know none of the signalmen at that box ever pushed their luck too far doing this, but even at that age and not really understanding what the switch was for I was still aware that this was really not the way to do it, and it is a further example to show that you do not rely on rules to stop people doing things they're not supposed to, you take measures - effective measures, not ones that can be defeated by leaving the screws out - to make sure they can't do those things.

Nevertheless the railway industry refuses to let go of this stupid idea that people not following the rules is somehow unexpected behaviour when in reality it is something that you should anticipate as a matter of course and devote considerable effort to trying to think of every possible dodgy thing they might do and make sure they can't do it. Which is fucking ridiculous and they really ought to take a few years off from the railways and spend them learning to write computer code for the general public to use until the habit of meticulously guarding against any possible misuse becomes second nature.

And they also need to get rid of their poisonous anti-safety culture (concerning which they misguidedly deny the applicability of the "anti-" prefix) that leads people to feel guilty about even knowing methods of defeating safety systems and refusing to talk about it to their superiors in case they get accused of doing it themselves. I have seen this in relation to the Wootton Bassett incident where a driver says he knows what they did but wishes he didn't know and refuses to explain further, which he calls "responsible" behaviour. This is totally the wrong attitude and certainly isn't "responsible", it's the opposite. Again the railways need to take a lesson from the world of computers where there are vastly more possible ways to frig the system and people are accordingly more familiar with methods of dealing with it. You do not keep secret the knowledge of how to break something or feel guilty about having it in the first place. What you do is acquire as much knowledge about it as you can, use that knowledge to work out how to fix it, and then PUBLISH EVERYTHING. That way those in charge of implementing such fixes know there is a need for a fix, know how to make the fix, and are forced to make it as soon as they can because they know that everyone who might want to exploit the flaw is well aware of how to do it. You do NOT pretend it isn't happening and then repeatedly get bitten by people exploiting what you haven't fixed. That is just fucking stupid and since the railways are dealing with people's actual lives instead of just data it is high fucking time they got their fucking heads in order. 

The abovementioned driver should not be feeling all guilty about even knowing about it, he should be uninhibitedly and openly publishing the details and making bloody sure that everyone knows about it, whether it's any of their business or not, so that those in charge of fixing it know bloody well that it needs fixing pronto and have no excuse for sitting on their arses pretending there isn't a problem. If he had done this when he first found out about it himself there is a jolly good chance that the Wootton Bassett SPAD would not have been possible. Indeed it is partly to compensate for his deficient behaviour that I have written this web page.

I shall await with interest the final complete report on the Wootton Bassett incident in the hope that they do manage to realise by then that putting seals on the knob is no way good enough and insist as well that the EP valve should be mounted outside the cab somewhere you can't get to it without stopping the train. I must say though that I have little hope, and if they do do that I shall take it as a strong indication that they have managed to find this web page, because the track record of the railways in such matters is such that I very much doubt they will manage to figure it out for themselves.

Tangmere AWS isolating valve

UPDATE: Well, the report is now out (copy here) - over a year after the original incident, which is fucking pathetic - and oh what a fucking surprise, the lack of hope I mentioned in the previous paragraph turned out to be bang on. Bloody great.

It seems that I was right all along, apart from one minor detail - I'd misidentified the specific valve they were fucking about with. The correct one is shown in the photo at right, taken from the report. This does not affect any of the conclusions - as the photo shows, it's still in the cab (under the driver's seat) and still accessible while the train is in motion, so everything I've said still applies, and the dimwits who were going "I know what they did but I'm not going to tell anyone" are still shown to be just as dim and just as counterproductive.

The report makes it very clear that fucking with that valve in contravention of the regulations was common practice, and indeed it had already been fucked with a few times in the course of depot movements earlier on the same day - which probably explains how the seal came to be missing at the critical point, although quite what the deal was with the seal is not very clear, apparently due to a combination of bad record-keeping and probable arse-covering mendacity on the part of the various people who may or may not have taken it off.

It also points out several times that installing the system such that that valve is accessible with the loco in motion is a breach of regulations, and so the installation should never have been signed off - although it also rather contradicts itself on that. It says that the wording of the regulation is that the valve "shall not be located where the driver can operate it from a driving position"; because the driver would have to turn round/bend down to operate it, he technically wouldn't be in a "driving position" while actually operating it, and so the certifying body deemed it OK to sign it off. Which is splitting fucking hairs to a ridiculous degree. To the point, indeed, of being complete bollocks. Any control inside the cab is "located where the driver can operate it from a driving position", by any interpretation that makes any bleeding sense. Otherwise it's like saying that your car stereo can't be operated from a driving position because you have to take your eyes off the road and peer at the display when you're doing it. (And yes, I do think it's reasonable to insist that people should stop the car when doing that, in case you were wondering. And in case you were also wondering whether I do it myself... I don't have a stereo in my car at all.) The report also notes that the regulations talk specifically of the driver, and do not address or even consider the possibility of the fireman fucking with the valve. Yes, more fucking stupid splitting of hairs. What are they, fucking computers or something? And it says that other locomotives had already had the valve installed in the same place, citing that as a reason for having done this one the same. Last time I looked doing something shit was a reason for doing it different the next time, not doing it the bloody same.

BUT... does it actually do the bleeding obvious thing, and mandate that the valve should be repositioned outside the cab and the loco's certification revoked until that is done? Does it fuck.

Does it make any such comment about any of the locos which have had the valve fitted inside the cab? Does it fuck.

Does it address itself to Resco (the certifying body in question), telling them to pull their fucking socks up, stop using moronic hair-splitting arguments to claim an installation meets the regulations when it patently fucking doesn't, and stop using "they're all like that" as an argument for perpetuating bad practices? Does it fuck.

In fact it's got its knickers in a twist completely over this sort of thing. It contains several statements of the form "we're missing such-and-such a piece of data because the relevant sensor or its connections were buggered so the OTDR (black box) wasn't recording it, but we still managed to work out what was going on OK by looking at the data from other sensors", and it does make a recommendation that the operators should sort out their maintenance procedures so that this sort of shit doesn't happen. Which is all well and good of itself, but taken in the context of the whole it shows a completely fucked set of priorities.

The black box recorder (along with the various sensors feeding it) is NOT a safety-critical system, it DIDN'T contribute to the incident, it WAS installed according to the regulations (as far as we know; they haven't complained it wasn't, just that it wasn't maintained properly) and its partial failure DIDN'T actually cause any problems (it didn't prevent them finding out anything they needed to know). Whereas the AWS/TPWS installation IS a safety-critical system, it DID contribute to the incident, it WASN'T installed according to the regulations, and its deficiencies DID cause problems. So WHY THE FUCKING FUCK are they making a recommendation to sort out maintenance of the black box, but NOT SAYING A FUCKING THING about sorting out the dodgy AWS/TPWS installations on this and other locomotives? SORT YOUR FUCKING PRIORITIES OUT.

Fucksake. This is like if someone broke into your premises and all you were concerned about was getting a better CCTV system that didn't give such shit pictures, even though they were wearing ballies so it wouldn't have helped anyway - and at the same time not doing a bleeding thing about fixing the lock they broke to get in, even though it was a shit lock to begin with and it's still fucked. Well, you fucking wouldn't, would you. But this bleeding shower are. Chicken's tits.

On top of that, they have identified another area in which the installation didn't meet the regulations although actually it did. This problem was concerned with it using a weedy shit hooter which wasn't always loud enough for drivers to hear it. Therefore it didn't meet the regulations. But the regulations also specify the maximum and minimum SPL the hooter should produce. The hooter complied with this specification, and therefore it did meet the regulations. But if it had been loud enough to be reliably audible, it would have been outside this specification, so it's never going to meet the fucking regulations no matter what you do.

Obviously, then, the real problem is that the regulations as they stand are self-contradicting, and they need to be revised such that the maximum and minimum SPL figures for the hooter are determined according to how loud it needs to be to be heard, and not some random numbers pulled out of someone's arse without reference to the actual situation. But does the report make any stipulation that this dumb piece of shit should be sorted out? Yeah, you guessed it... Does it fuck.

What else is in the recommendations? Well, it wants West Coast Rail to sort out their safety culture. Fine. Problem is they've expressed it not only vaguely, but in corporate bollockspeak. West Coast Rail will have no problem at all in generating sufficient corporate bollockspeak of their own to reply in kind and thus show that they've complied, without actually doing anything at all to change or improve matters. There's already ample evidence in the report that West Coast Rail are essentially a bunch of shysters, so for fuck's sake state what you want done in explicit terms using plain English so they can't wriggle out of it. It's fucking daft to use instead a mode of expression which is designed to sound impressive while actually conveying fuck all meaningful information. You're supposed to be trying to fix a fucking problem, not impress some bunch of besuited lardarses at a fucking board meeting or something.

It also wants West Coast Rail to be better at making sure their drivers' route knowledge is up to scratch. Again they're missing the point. They actually admit that the driver's route knowledge ("probably") was up to scratch; he also had over 50 years' experience on the engines, so he'd know fine well how to compensate for any hazy bits and still be driving in a safe manner. So this item isn't addressing anything to do with the actual incident. But it also isn't addressing anything specific to West Coast Rail. Difficulty in acquiring and maintaining a wide breadth of route knowledge is a problem introduced by the privatisation and fragmentation of the rail industry. It affects all operators; admittedly those like West Coast Rail who operate over a wide variety of routes are the worst affected, but on the other hand WCR are only a very minor player. Singling them out for castigation won't achieve anything, and indeed to a large extent there's not a fat lot they can do about it, because it isn't the fault of any one outfit, but of the existence of such a multiplicity of outfits and the lack of any overall system or organisation for coordinating route knowledge and ensuring that drivers have both the facility and the opportunity for keeping themselves up to date. Something like a national route learning college at which operators must ensure all drivers spend a sufficient proportion of their time, perhaps. (With no cost or penalty to the drivers themselves, of course.) Prodding at convenient victims of the current ad-hocery won't help anything.

The remaining two items are related to how Network Rail manage temporary speed restrictions and overrun distances and shit. While the problems they discovered undoubtedly do need to be addressed, they haven't made a convincing case that they had anything to do with the incident in question. They seem to be saying that due to things like assuming distances instead of actually measuring them, the automatic brake application might not have been able to stop the train before the junction even if it hadn't been disabled. Obviously that situation needs to be fixed, but at the same time it's dumb to deal with a potential accidental failure which didn't actually happen and ignore the prevention of an actual deliberate failure which did happen.

What seems to be a lot of the problem is that they haven't got anything useful out of the driver. They ask him whether he did or didn't do something or why he did or didn't do it and he goes "errr... I don't know" or "...I can't remember" (although they express it in poncier language). So they take this at face value and then go thrashing around trying to come up with any old crap that can be used to patch over the gap in the knowledge, instead of either trying to find the correct jigsaw piece or admitting they can't.

There are two things you can get from this, and they should be looking at both of them. One is simply that the poor old boy is getting on a bit and might be getting past it. It's entirely possible that he might be getting to the stage where he occasionally goes off for a walk with the fairies but it's too short/mild/infrequent for either himself or anyone else to notice. Nor would there be anything a single-point medical examination would be able to pick up without a lot of luck. But all they do is note that he had passed his medical, and not a word about whether the procedures might not be adequate for very old drivers.

The other is, equally simply, that he might be saying nothing on purpose in case he gets prosecuted (which he is being). Look, just... fuck this shit. Fuck this punishment revenge scapegoat fucking pointless bollocks. It doesn't achieve anything. The important thing with incidents like this is to find out accurately what went wrong and then devise measures appropriate in the light of that knowledge to stop it happening again. Fucking on people who fucked up won't do any good. It won't stop them fucking up again. They didn't want to fuck up in the first place but they still did it. The best thing for them and for everybody else is to understand why they fucked up, which is required knowledge for understanding how not to. And that requires giving them the security to admit they fucked up knowing that they won't get fucked on for it. Guaranteed immunity from prosecution unless clear evidence emerges that they did do it on purpose (like that "swinging-on-the-levers" cunt who moved the points under a train to see what would happen - fortunately such cunts are vanishingly rare). This has been overdue for as long as railway accident investigations have happened, but at least in Victorian times they usually didn't have to worry about it too much unless several people had actually died, whereas these days if you admit you let off a really loud fart and distracted the driver at the critical moment you risk getting six months for not going up on one cheek just in case.

Of course the two paragraphs above are not unrelated to each other. If the old boy is beginning to lose it but isn't aware of it yet then punishing him for it is both supremely pointless and supremely cuntish.

So, while some of the recommendations are commendable, a lot of what they say misses the point, and they have been completely fucking shite when it comes to actually fixing what went wrong and doing anything to stop the same thing happening again. The more directly relevant or the more obviously fucked something is, the less attention it gets: instead of shooting at the target they are shooting anywhere but the fucking target. Which is shit.

The recommendations are preceded by the following incredible passage:

Joey Deacon
The RAIB has identified the following key learning point:

Allowing safety systems such as AWS and TPWS to function without improper interference is vital to the safe operation of the railway. The importance of this cannot be overstated. By-passing safety systems, or isolating them other than in accordance with the requirements of the Rule Book, can have catastrophic consequences.

Well... like... Eeeeeeuuuuuuwwwwwwwnnnnnngggrrrh! >belms< >flaps hands< "Fucking with safety systems tends to make things go horribly wrong." Talk about state the bleeding obvious. We've had public railways for knocking 200 years and they've only just fucking worked that out? Gordon Bloody Bennett.

And if "the importance of this cannot be overstated", then WHY THE FUCK AREN'T THEY FUCKING LEARNING IT THEMSELVES? Why the festering purulent PISSING DOG'S ARSE don't they FUCKING DO SOMETHING ABOUT IT? Like... making sure they can't be fucking fucked with? Like TELLING THE FUCKERS TO MOVE THE FUCKING ISOLATING VALVE OUTSIDE THE FUCKING CAB? Like the most fucking obvious fucking thing to say about the whole fucking business? Yeah, talk about it, that's easy. That's all this fucking web page does. But it's all that I am in a position to do, whereas they are in a position to make sure something gets fucking done about it. So why the FUCK don't they fucking DO IT?

And so we end up right where we were at the start. I suppose the real lesson from the whole bleeding gadabout is that people who are capable of using a phrase like "key learning point" in a serious document without the slightest awareness of how much of a complete fucking twat it makes them look can't be trusted to do bleeding anything properly.
