National Aeronautics and Space Administration

Admiation MARCH 2007 Volume 1 Issue 5

Derailed

In June of 1998, one of Germany's Inter-City Express (ICE) trains slammed into an overpass, killing 101 people. The failure was traced back to a damaged wheel that disintegrated just before the train passed over a switchtrack, causing cars to derail and impact the bridge's supports. Further investigation uncovered evidence of misuse of heritage wheel design, insufficient design verification testing, poor bridge construction and ineffective emergency procedures. As a result of this accident, major engineering changes and safety improvements were implemented on all ICE trains.

BACKGROUND: THE INTER-CITY EXPRESS

A First Generation ICE train traveling through Germany.

n 1964, Japan debuted the first high speed train designed to compete with the growing popularity of air travel. Soon most of Europe had adopted high speed trains, providing quick travel, complete with first class amenities. The Inter-City (IC) rail system, which opened in 1971, connected towns and cities across Germany. During the late 1980s ICE was developed in an effort to upgrade IC trains and to provide high-speed rail service. The ICE was able to run at conventional speeds (below 200kph or 124mph) on existing track and up to 280kph (174mph) on new high-speed track. During the 1990s the ICE expanded throughout Germany and into neighboring Switzerland, Austria, Belgium, and the Netherlands. By the late 1990s the ICE, operated by Deutsche Bahn Fernverkehr, provided luxury rail service on over one hundred trains daily. Amenities included a dining car, telephone services, in-seat video and audio entertainment, and a smoking area. These deluxe accommodations and a perfect safety record helped boost German rail travel by 30% during the decade.

coaches, a service car, a restaurant car, and the rear locomotive. The WCR had made a quick stop in Hanover at 10:30 AM before continuing north towards Hamburg, its final destination. Traveling northward, the WCR was 6km (4mi) outside of Eschede, in Lower Saxony, when a wheel rim on the first passenger coach peeled away from the wheel body, puncturing the floor, and becoming embedded. A passenger reported the piece of metal coming up through the floor to the train crew, but the train man-

InterCity Express Train 884 derails near Eschede, Germany, killing 101
Proximate Cause
Wheel Rim Delaminating Failure to stop the train immediately after wheel delaminating

Contributing Cause
Flawed Emergency Operating Procedures

WHAT HAPPENED?
Wheel-tire Failure
On the morning of June 3, 1998, ICE train 884, the Wilhelm Conrad Rontgen (WCR), consisted of a single locomotive or engine pulling 12 cars, including passenger

Underlying Issues
Insufficient testing under operational conditions Ineffective maintenance requirements Poorly designed overpass collapse

ager let precious time elapse by insisting on investigating the damage himself before stopping the train. The train continued to travel approximately 3km (2mi) until it passed over the first of two track switches. The embedded wheel rim slammed against the guard rail of the switch pulling it away from the railway ties. The switchs steering rail penetrated the floor of the first coach, lifting the axle carriage off the rails. One of the derailed wheels struck the lever of the second switch, changing its setting.

pressure resistant windows and the railcars rigid aluminum frames. The Deutsche Bahn replaced these windows with a new design that included predetermined breaking points to allow for easier access to trapped passengers.

PROXIMATE CAUSE
The Fraunhofer Institute in Germany was tasked with the accident investigation and traced its cause back to an improper application of a street-car wheel design. First generation ICE trains were made with single-cast or mono-block wheels. Engineers realized, however, that this design could result in metal fatigue and out-of-round conditions which caused vibrations at cruising speeds. The mono-block wheel design was modified to include a rubber damping ring 20mm thick between the metal wheel rim and the wheel body. Researchers later learned that, although it reduced vibrations, this new design weakened the wheel, making it much more dangerous than the original. Normal operational wear further weakened the modified (thinner) wheel rims on the WCR, causing one to separate from the wheel body and become embedded in the floor of the first passenger coach.

Germany had never before experienced a train disaster of this magnitude.

The Mishap
The rear axles of the third coach were switched onto a parallel track, twisting the coach perpendicular to the rails, and sending the car careening into the pylons of a 300 metric ton roadway overpass just beyond the second switch. Coach four, derailed by the violent deviation of car three, traveled underneath the bridge impacting an embankment, and killing three railway employees who were working nearby.

German President Roman Herzog called it A modern nightmare

Coach five passed under the weakened bridge as it collapsed, crushing the car completely. The remaining coaches, including the service car, restaurant car, three first-class cars, and the rear locomotive, jackknifed into the collapsed bridge in a zigzag pattern. By 11:07 AM, only 37 minutes after the WCR left Hanover Station, the police declared a major emergency and dispatched rescue teams. Over 1,000 rescue workers descended on the accident site. Despite their efforts, 101 people lost their lives and 88 more were seriously injured in the mishap. The derailment at Eschede was Germanys worst train accident since World War II.

What Might Have Broken the Failure Chain?

A contributing cause was indeed the flawed emergency operating procedures. Had the train been stopped immediately when the wheel disintegrated, the accident might have been avoided and countless lives would have been saved; unfortunately, Deutsche Bahn policy required that the train manager personally investigate any reports of trouble before halting the train. Passengers who witnessed the wheel failure could also have pulled the emergency brake to stop the train, but no one did. This failure to act proved to be fatal.

UNDERLYING ISSUES: THE CAUSAL WEB

Design Verification Flaws
Findings released by the Fraunhofer Institute suggest that poor design and insufficient testing were to blame for the accident. The rubber cushioned wheels, which had been used successfully on streetcars, were not suitable for the heavier load of ICE trains operating at much higher speeds. At the time, Germany did not have the facilities
Page 2

Hobbled Intervention
During the rescue effort, emergency workers found it difficult to remove victims from the wreckage because of

to adequately test such designs, so many of the wheel design decisions were based on analysis and theory rather than test data. The limited testing that was done did not account for the dynamic, repetitive forces that result from extended wear, extreme loads, and high speed operation.

Wheel Design Decisions were based on analysis and theory, not collected data.
Operational Maintenance Decisions
As early as 1992, the Fraunhofer Insitute expressed concern that metal fatigue could lead to wheel rim failure. Experts warned that wheels should not be operated after being worn below 88cm (34.6in) in diameter (as new condition was 92cm or 36.2in), but Deutsche Bahn set the minimum limit at 85.4cm (33.6in). In the months leading up to the accident, the Hanover Transit Authority noticed that metal wheel rims were being worn down at a much faster rate than anticipated and decided to replace many of the wheels ahead of schedule. Unfortunately, the WCRs wheels had not yet been replaced. The failed wheel measured 86.2cm (33.9in) in diameter.
The new Generation 3 ICE train, operational since 2000.

Charges of manslaughter were brought against two Deutsche Bahn officials and one engineer in August 2002. The trial lasted 53 days, with expert witnesses blaming each other for flawed engineering and bad data collection. The case was dismissed in April 2003 and a fine was paid. The train managers decision to investigate the wheel malfunction first before stopping the train was found to be in accordance with company policy and was upheld in court; the train manager was cleared of all charges.

Rim Fatigue

Stress caused by wheel rims being flattened into an ellipse with each revolution (500,000/day) Unseen cracks inside of wheel rim lead to failure Thinning rim exaggerates dynamic forces causing micro-fine cracks to grow larger Flat spots and ridges dramatically increase dynamic forces and accelerate wear

Bridge Design/Switch Location

The placement of the switch (an inherent hazard for high speed trains) in close proximity to overpass bridge supports contributed to the severity of the disaster. The failed overpass was supported by two thin piers instead of by spans anchored to solid abutments on either side. The bridge was rebuilt using a cantilevered design that would have been much less likely to collapse during such an accident.

The ICE 884, the Wilhelm Conrad Rontgen, derailed near Eschede, Germany while en route to Hamburg, Germany.

APPLICABILITY TO NASA
The high-speed train disaster at Eschede illustrates a broad range of systems engineering and engineering management issues relevant to the NASA community. Consider first the use of heritage as the basis for design verification. The ICE wheel-tire design was a heritage or legacy design from a streetcar application. NASA engineers often rely on heritage hardware and software. The lesson is clear to ensure that heritage designs are appropriate for current applications and especially operating environments.

AFTERMATH
After the accident, all ICE operations were suspended until a full scale investigation could be completed. The wheel-tire design was completely discontinued throughout Germany and was replaced by the original mono-block wheel design. Meanwhile, Germanys entire transit network was checked for similar arrangements of switches near possible obstacles.

Page 3

The second issue relates to the degree of analysis appropriate for safety critical design certification when testing is not feasible. At the time the rubber damping wheel design was adapted for high speed rail use, Germany did not have the facilities necessary to perform complete operational (stress, fatigue, crack propagation) testing on the application of the rubber damping design. NASA engineers are often faced with similar challenges in proving a design or a portion of the through analysis alone. A related challenge is ensuring that sufficient independent verification of analysis is carried out. Such verification would likely have identified weaknesses overlooked by the design team (just as the Fraunhofer Institute did in 1992)

Questions for Discussion

To what extent is your project using heritage hardware/software? Has adequate testing in operational environments been conducted? What independent analysis is performed on analysis or simulation based design verification? Are your projects design margins and factors of safety adequate for all operating environments, including off-nominal conditions? Have safety monitoring devices been included in your project designs?

References:
Eschede, Germany: ICE High Speed Train Disaster, Danger Ahead: Historic Railway Disasters, <http://danger-ahead.railfan.net/reports/eschede/eschede.htm>. Eschede Train Disaster, Wikipedia, the Free Encyclopedia, <http://en.wikipedia.org/wiki/Eschede_train_disaster>. InterCityExpress, Wikipedia, the Free Encyclopedia,
<http://en.wikipedia.org/wiki/InterCity_Express>.

Key Issues

Testing and design verification Necessary level of analysis and independent verification Operational margins / acceptable wear and tear Operational safety monitoring Emergency Response Policies & Procedures

InterCityExpress (ICE),
<http://www.railfaneurope.net/ice/ice.html>.

Generation 3 ICE Train [Image],

<http://en.wikipedia.org/wiki/Siemens_Velaro>.

A further topic of common concern is implementation of safety design features to detect and react to anomalous operational conditions. Using the ICE as an example, the change in vibration associated with a failed wheel rim could have been detected by safety monitoring sensors and triggered a shut down, breaking command sequence, and/or alerted the engineer. Another shared challenge is operational maintenance, the establishment of operating margins, and the determination of acceptable wear and tear for operational systems (e.g., Space Shuttle operating until 2010 or beyond). In the case of the ICE wheels, these margins were in place, but were set far too low to prevent wheel failure. An additional subject worth considering is the validity of emergency response policies and procedures. Given the many hazardous and high energy facilities and operations at NASA centers, are emergency response procedures valid? have they been tested? how recently? are workers (people in the process) trained to respond or wait for help? And finally, this case study brings forward the issue of how information flows (or fails to flow) in emergency or contingency operational scenarios, certainly an ongoing issue for NASA mission operations managers, planners, and support teams.

ICE 1 Train [Image],

<http://en.wikipedia.org/wiki/Deutsche Bahn_Class_401>.

Route Map [Image],

<http://danger-ahead.railfan.net/features/eschede.htm>.

Section through Ice Wheel [Image],

<http://danger-ahead.railfan.net/features/eschede.htm >.

Wheel Diagram [Image],

<http://dangerahead.railfan.net/features/eschede>. Prepared by the

OFFICE OF SAFETY & MISSION ASSURANCE

Knowledge

Understanding

Visibility

Review and Assessment Division

Director: John Castellano (Acting) Executive Editor: Steve Wander [email protected] [email protected]

This is an internal NASA safety awareness training document based on information available in the public domain. The findings, proximate causes, and contributing factors identified in this case study do not necessarily represent those of the Agency. Sections of this case study were derived from multiple sources listed under References. Any misrepresentation or improper use of source material is unintentional.

To view this document online and/or to find additional System Failure Case Studies, go to http://pbma.nasa.gov/.

Page 4