Concern regarding a vigilance timing cycle
The reporter has raised a safety concern regarding the vigilance timing cycle on [type] locomotives. The reporter is concerned that the frequency, and the design of, the proposed vigilance system is potentially creating more safety risks than it is mitigating on associated routes in which the locomotives operate.
A task-based vigilance system monitors the rail traffic crew activity by intermittently checking the status of task-linked operated controls. For example:
1. Movement of the power handle between any two positions
2. Movement of the brake controller between any two positions (auto included)
3. Operation of the operator enabling pedals (OEP) with vigilance acknowledgement
4. Operation of the town horn
5. Operation of the country horn
6. Operation of the headlight switch
7. Operation of the ditch lights switch
8. Operation of windscreen wipers/washers
9. Momentary operation of the vigilance push button (limited to single use in pre-warning) single voluntary reset (SVR).
The concern on the long-haul trips, is that the above task links are seldom used, resulting in the vigilance systems activating as frequently as every 25 seconds. The current signalling and overall operational infrastructure of the rail network is designed for ‘heads up driving’.
The reporter states that as drivers are required to take their eyes off the road momentarily to look at the vigilance light to verify it is actually the vigilance light and not the constant flashing messages on the various driver display units, it increases the driver’s risk exposure to:
- not seeing a signal, or condition affecting the network and therefore increase the likelihood for Signal Passed at Danger (SPAD)
- a potential strike to a trespasser or workers on track
- recognising network conditions impacting on safety and reliability
- increased fatigue
- increased likelihood of missed signals
The reporter advises that both OEP and operating enabling handles (OEH) were fitted for suburban and Intercity fleets for drivers to acknowledge the vigilance alarm, which enables the driver to aid in remaining ‘heads up’; however, this design has not been fitted on the [type] locomotives as it was identified that the continual static position needed up to 12 hours associated with this type of working, which only increased the likelihood of serious muscular skeletal health issues occurring.
The reporter states that it is well documented that vigilance timing should not fall below 60 seconds within a locomotive environment due to the minimal task linkages that are available, especially on long-haul, and the Australian rail industry collectively agrees that any vigilance timings below 30 seconds should be avoided.
RISSB has released HF guidelines on how operators should determine the appropriate vigilance timing cycles for their specific locomotive types and operations based on AS7511/AS7470 including any outcomes of risk management; however, the reporter believes that [Operator] has not followed these associated tasks and risk assessments correctly.
Random time vigilance is considered a more effective safety control than standard time vigilance in ensuring driver vigilance. The random timing avoids the risk of a muscle memory approach to acknowledging vigilance. From a recommendation out of two mainline incidents, [Operator] made the decision to convert and standardise the entire fleet of [type] locomotives onto a random time vigilance cycle of up to 65 seconds, bringing the locomotive class into line with the majority of [Operator's] fleet of locomotives.
The software used to upgrade the vigilance is the same software used within the fleet of [Operator's] locomotives which also operate on the same routes. The same vigilance timing is also used by other rail operators on the national intermodal routes.
The upgraded version of the [type] vigilance meets the guidelines set out in RISSB standard AS7511:2020 – Onboard Train Protection Systems. Train crew are alerted to acknowledge the vigilance system with a visual alert (via the locomotive cab and HMI screen) and if not acknowledged by train crew, is followed by an audible alert.
An extensive consultation and risk assessment process was completed with internal stakeholders prior to upgrading of the [type] vigilance system and [Operator] project representatives have consulted with the Office of the National Rail Safety Regulator (ONRSR). [Operator] encourages employees to raise safety concerns through the available internal processes (WHS Committees, hazard reporting, manager/supervisors) to enable faster follow-up on issues raised and responses back to individuals.
ONRSR has reviewed the reporter’s concerns and operator’s response. ONRSR will discuss the vigilance timing cycles on the specific locomotive fleet with the operator at the next scheduled stakeholder meeting.
The ATSB notes that Australian Standard (AS 7511:2020) states that:
Vigilance timing cycle details were deliberately not provided or specified in the main body of the standard since the determination and application of a vigilance timing cycle safety SFAIRP [so far as is reasonably practicable] is heavily dependent on the rail operations context (Refer to C4.3.1), which differs from network/RIM to network/RIM.
However, two examples below provide practical vigilance timing cycles based on existing operations / best practice:
...
(e) The latest AC traction freight locomotives (C44ACi, GT46CACe and SDA1) that operate interstate on the DIRN [defined interstate rail network] implement:
i. A random timing (from last reset to 1st stage warning) of no less than 25 seconds but no more than 45 seconds
...
The values provided in the examples above are for guidance only and the RSO shall consult and comply with the RIM’s requirements (as per clause 5.2.3.1.1).