Man and machine
Posted by Thersites on UTC 2016-11-11 17:43.
On 9 February 2016 in Bad Aibling, Bavaria, two trains drove into each other head-on on a stretch of single track. Twelve people died, 85 were injured, 24 of them seriously. The case is just starting to make its leisurely way through the German courts.
The signal operator in charge of the stretch of track is currently being hung out to dry in a Munich courthouse. The hanging out is easy: about half an hour after he started his shift that morning he started playing Dungeon Hunter 5 on his smartphone. About half an hour after that he acquired a warrior and paid for some units. It appears he had played this game frequently during previous shifts.
In the middle of Dungeon Hunter 5 he managed to give both of the trains heading in opposite directions on the single track permission to proceed. He only noticed his error when it was almost too late. With only seconds to spare he stopped playing, tried to alert the drivers… but pressed the wrong button. Both trains were travelling at about 100 km/h and met in a pronounced curving section of track, meaning that the drivers had almost no time to react. The front of the oncoming train was the last thing they saw.
A clear-cut case. Off with his head. Except…
The control of the traffic on this short section of track has developed into a technological nightmare. Without burying you in details, over the years safety procedure has been added onto safety procedure to create a system that is fundamentally unworkable. Because it is so procedurally rigid, the system has to be manually overridden several times a day to permit reasonable timekeeping.
It frequently requires a human to give permission for two trains to be heading towards each other at the same time, so that one or the other train can make up for lost time by going forward to an intermediate passing station. Being human, that operator will be just as bored and distracted as humans become carrying out repetitive tasks in any situation.
If one of the trains is substantially delayed, the signal operator is required to make an estimate of whether and when the other train can be allowed to go forwards so that it is not delayed too. Stop signals are overridden and other sensors deactivated. In ergonomic and process terms, a system which has to be invalidated several times a day in order to operate is a very badly designed system.
In the good old days – not all that long ago, actually – trains on single track lines used a token system. Only the driver with physical possession of the token could set off along the single track. The oncoming train had to wait at the other end of the track until the first train arrived and the token could be handed over. The system worked, was completely foolproof and required no electronics. The token used in Switzerland was a large ring that could be handed easily from person to person. As long as the drivers adhered to the simple rule of 'no token, no go', no accidents could occur. If the traffic is so dense that this rule causes delay, lay a second track.
The system on the Bad Aibling line is a mess. It was truly, as the cliché goes, 'an accident waiting to happen'.
The game-playing signal operator is an idiot and should indeed be hung out to dry. The suits and engineers who designed this system, ditto.
The paramount assumption of good system design is that idiots playing computer games will be operating the system. It is also generally beneficial to assume that these idiots are drunk and also have psychopathic or suicidal traits.