TasRail commissioned the manufacture of, and continued to use, redesigned safety-critical remote control equipment for operating a locomotive without systematic assurance of its safety, leading to excessive reliance on the manufacturer. This was because TasRail did not:
Although Air Digital Engineering had safety as a design objective and safety elements were included in the remote control equipment, system safety assurance activities appropriate to its application were not conducted.
The Air Digital Engineering generation 3 remote control equipment (RCE) had several safety-related design and integration problems, which were readily identifiable. These included:
The TasRail cement loading facility at Railton had a downhill grade to the main line, and no devices to protect against a runaway.
Loss of adhesion leading to increased stopping distance was not recognised as a risk source for any type of collision in V/Line’s risk registers.
The processes involved in train preparation did not ensure a required minimum amount of sand in sand boxes.
Maintenance of the VLocity sander units did not include testing of sand discharge flow rates (or some other process) to confirm performance. Without performance checks over time, deficiencies could not be identified and addressed.
There was no suitable assessment of the performance of sanders on the VLocity three-car set against defined acceptance criteria for improved braking performance in low adhesion conditions.
The location of sanding nozzles (for braking) behind the wheels of the lead bogie was inconsistent with design practice existing at the time of the collision and was probably a recurring factor in diminished sander effectiveness on VLocity trains.
Safety controls were ineffective in mitigating against a train arriving at Ballarat Railway Station travelling at excessive speed and being unable to stop before colliding with the crossing gates closed against rail traffic.
BBC Rhonetal’s managers had not effectively implemented the shipboard safety management system procedures in place to prevent the fire. This was the tenth such fire on a company ship in the past 14 years, and the fourth investigated by the ATSB, identifying similar contributing factors.
Coulson Aviation did not provide a pre-flight risk assessment for their fire-fighting large air tanker crews. This would provide predefined criteria to ensure consistent and objective decision-making when accepting or rejecting tasks, including factors relating to crew, environment, aircraft and external pressures.
Coulson Aviation's fleet of C-130 aircraft was not fitted with a windshear detection system, which increased the risk of a windshear encounter and/or delayed response to a windshear encounter during low level operations.
Coulson Aviation did not include a windshear recovery procedure or scenario in their C‑130 Airplane Flight Manual and annual simulator training respectively, to ensure that crews consistently and correctly responded to a windshear encounter with minimal delay.
Coulson Aviation's safety risk management processes did not adequately manage the risks associated with large air tanker operations. No operational risk assessments were conducted and no risk register was maintained. Further, as safety incident reports submitted were mainly related to maintenance issues, operational risks were less likely to be considered or monitored. Overall, this limited their ability to identify and implement mitigations to manage the risks associated with their aerial firefighting operations.
The New South Wales Rural Fire Service procedures allowed operators to determine when pilots were initial attack capable. However, they intended for the pilot in command to be certified by the United States Department of Agriculture Forest Service certification process.
The New South Wales Rural Fire Service had limited large air tanker policies and procedures for aerial supervision requirements and no procedures for deployment without aerial supervision.
The New South Wales Rural Fire Service did not have a policy or procedures in place to manage task rejections, nor to communicate this information internally or to other pilots working in the same area of operation.
The maximum number of passengers that the balloon operator allowed to be carried meant that there was insufficient room in the basket for them to adopt the landing position specified in the operator's procedures to reduce the risk of injury.
Qantas did not have a procedure for a rapid disembarkation, or other similar procedure that would effectively enable rapid deplaning at a slower and more controlled pace than an emergency evacuation. Therefore, the only option for rapid deplaning was an emergency evacuation utilising slides, which unnecessarily increased the risk of injuries in some situations.