← back to the reports
DR-011 Interurban service · CityRail, Australia 2003

Waterfall — A Driver’s Heart Stopped, the Train Did Not, 7 Dead

overspeedpassenger2000s
Killed
7
Railway
CityRail (State Rail Authority, NSW)
Service
Interurban passenger
Status
Driver

Summary

On the morning of 31 January 2003, a CityRail Tangara interurban train left the rails on a tight curve in a rock cutting near Waterfall, about thirty-seven kilometres south of Sydney, killing seven people — including the driver — and injuring some forty more. The train was travelling at roughly twice the speed the curve was rated for. The reason it was travelling so fast was that the man controlling it was already dead or dying, and every system that should have stopped a train without a functioning driver had failed to do so.

The train was set G7, a four-car Tangara of the State Rail Authority's CityRail network, running the early service from Sydney's Central station south toward Port Kembla via the Illawarra line. At about 7:15 a.m., as the train ran through the descending, curving territory near Waterfall, the 53-year-old driver, Herman Zeides, suffered a sudden and fatal cardiac event. He did not brake, did not ease the power, and did not react to the approaching curve. The train accelerated to around 117 kilometres per hour and entered a curve rated for no more than 60. It derailed, the leading cars striking the rock walls of the cutting.

The reason the driver's collapse did not stop the train was a defeated safety device. The Tangara's "deadman" control was a foot pedal that the driver must hold within a defined range; releasing it or pressing it fully was meant to cut power and apply the brakes, on the assumption that an incapacitated driver's foot would slip off. Investigators found that the unconscious driver's body weight held the pedal within its active range, so the system read a live, attentive driver where there was none. The guard, the train's second safety-critical crew member, was not monitoring speed and did not intervene with the emergency brake in time; the inquiry found the vigilance and guard-alerting arrangements inadequate to catch a silently incapacitated driver.

A Special Commission of Inquiry was established under the Honourable Peter Aloysius McInerney, who had also led the inquiry into the 1999 Glenbrook accident. McInerney's final report, delivered in January 2005, located the immediate cause in the driver's incapacitation and the resulting overspeed, while finding that an underdeveloped safety culture and a reactive approach to risk had left the railway without effective defences against exactly this scenario. The finding for this file is Driver — the proximate cause was the incapacitation of the man at the controls — but the report's force lay in showing how predictable that single point of failure was, and how poorly the system had guarded against it.

Timeline

31 January 2003, 06:24
Departure from Central
Tangara set G7 leaves Sydney Central station on the early interurban service bound south for Port Kembla via the Illawarra line.
31 Jan 2003, before 07:15
Through Waterfall
The train works south through Waterfall station and into the descending, curving territory of the cutting beyond it.
31 Jan 2003, ~07:14
The driver collapses
Driver Herman Zeides, 53, suffers a sudden cardiac event and loses consciousness; he does not reduce power or brake for the approaching curve.
31 Jan 2003, ~07:14
The deadman does not trip
The driver's body weight holds the deadman foot pedal within its active range, so the train's safety system does not detect an incapacitated driver and does not cut power or brake.
31 Jan 2003, ~07:14
The guard does not intervene
The guard, the second safety-critical crew member, is not effectively monitoring speed and does not apply the emergency brake in time.
31 Jan 2003, ~07:15
Overspeed derailment
Travelling at about 117 km/h into a curve rated for 60 km/h, the train derails in the cutting; leading cars strike the rock walls.
31 Jan 2003
Seven dead
Seven people are killed, including the driver, and about forty are injured.
2003
Inquiry established
The NSW government appoints a Special Commission of Inquiry under the Honourable Peter McInerney to investigate the accident.
2004
Interim findings and medical reform
McInerney's first report drives changes to the medical assessment of rail workers, including mandatory cardiac screening for certification.
17 January 2005
Final report
McInerney's final report attributes the accident to the driver's incapacitation and the overspeed, faulting an underdeveloped safety culture and a reactive approach to risk; equipment and engineering tests had found no electrical or mechanical traction failure.
2005 onward
Regulatory consequence
A redesigned task-linked vigilance system, data loggers, and a strengthened independent transport-safety regulator follow from the recommendations.

The Service, the Set, and the Curve

The Illawarra line runs south out of Sydney through the national park country toward Wollongong and Port Kembla, climbing and falling through cuttings and curves. The early interurban that became set G7 was a routine, well-worn working: a four-car Tangara, a double-deck outer-suburban design, crewed by a driver in the leading cab and a guard responsible for the doors and for the safety of the train. The Tangara was a modern set with AC traction; the subsequent engineering examination found no fault in its electrical or mechanical systems or its traction equipment that contributed to the accident. The train did exactly what it was told. The problem was what it was told.

The geography south of Waterfall is unforgiving. The line descends through a rock cutting on a curve whose maximum safe speed was 60 kilometres per hour. A train approaching it under normal control would be braking and easing back. There was nothing about the curve that was hidden or novel; it was a known, posted restriction on a route the driver had worked. Taken at the correct speed it was entirely safe. Taken at roughly twice that speed it was a derailment waiting for a train that did not slow down.

The safety of the whole arrangement rested, as on most railways, on the driver — and behind him, as a partial backstop, on two further defences: the deadman vigilance device that should stop a train without an attentive driver, and the guard, a second qualified person aboard. On 31 January 2003 the driver was removed from the equation in an instant by his own heart, and the two backstops that were supposed to cover that exact contingency both failed.

The Heart, the Pedal, and the Guard

Herman Zeides was 53 and, so far as the railway's processes had established, fit to drive. At about 7:15 a.m. he suffered a myocardial infarction and lost consciousness at the controls. From that moment the train had no functioning driver. Whether it stopped now depended entirely on the machinery and the man behind him.

The Tangara's deadman control was a foot pedal of the "active range" type: the driver had to keep it depressed within a band, neither fully released nor fully pressed, and a departure from that band — a foot lifting off as a driver slumped, for instance — was meant to cut traction power and apply the brakes. The design assumed that an incapacitated driver would release the pedal. The inquiry found that assumption false for a significant proportion of drivers: an unconscious driver's leg and body weight could hold the pedal within its active range, so that the system registered a present, alert driver. Investigators determined that a large share of the driver population had sufficient leg mass to defeat the device in just this way. Zeides's collapse held the pedal active. The train read him as in control and ran on under power toward the curve.

That left the guard. On a two-person crew the guard is the redundancy against a driver who fails — able, in principle, to apply the emergency brake. But the guard was not effectively monitoring the train's speed in the seconds that mattered and did not intervene in time; the inquiry found the guard-alerting and vigilance arrangements, and the expectation of the guard's role in watching for overspeed, inadequate to catch a driver who had silently become incapacitated. With the deadman defeated and the guard not intervening, the last two defences fell together, and the train entered the 60 km/h curve at about 117 km/h. It derailed almost at once.

McInerney's Verdict

The Special Commission of Inquiry under Peter McInerney examined both the instant of the accident and the railway that produced it. On the immediate cause it was clear: the driver's sudden cardiac incapacitation, and the consequent failure to control the train's speed, derailed it on the curve. The engineering investigation methodically excluded electrical, mechanical, and traction faults, leaving the human and systemic failures as the explanation. This is why the file's finding is Driver: the proximate event was the loss of the man at the controls.

But McInerney refused to let the verdict rest there, because the entire point of the inquiry was that a driver's collapse should not be a death sentence for a trainload of passengers. He found that the railway had an underdeveloped safety culture and what the Ministry of Transport characterized as a reactive approach to risk management — defences built after accidents rather than ahead of foreseeable failures. The deadman device that could be defeated by ordinary body weight, the guard role that was not equipped or expected to catch a silent incapacitation, the medical regime that had not robustly screened cardiac risk: each was a foreseeable weakness that a proactive safety system would have closed. The finding against the driver, in other words, came wrapped in a finding against the organization that had left him as a single point of failure with no working backup.

McInerney, who had already led the inquiry into the 1999 Glenbrook collision on the same network, was unsparing about the pattern. Twice within four years the NSW railway had killed passengers through failures the system should have anticipated. His report's authority came from refusing the comfortable conclusion that a sudden heart attack was simply bad luck. A railway, he held, must be built on the assumption that drivers will sometimes be incapacitated, and must still bring the train safely to a stop.

The Five Factors

01
A single human controller is a single point of failure
When the safe operation of a train rests on one driver, that driver's sudden incapacitation — by cardiac event, stroke, or seizure — must be assumed and engineered around. Designing as though the driver will always be conscious and attentive guarantees catastrophe when, inevitably, one is not.
02
A vigilance device must detect incapacitation, not merely presence
The deadman pedal could be held in its active range by an unconscious driver's body weight, so it confirmed the driver was there while saying nothing about whether he was alive or alert. A true vigilance system demands a deliberate response at intervals and brakes the train when that response stops coming.
03
Redundancy only counts if it is real
The guard was the nominal second line of defence, but was not equipped, trained, or expected to monitor speed and intervene against an overspeeding train. A backup crew member who is not actually positioned to catch the failure they exist to catch is redundancy on paper only.
04
Overspeed protection should be automatic on hazardous curves
A curve rated for 60 km/h taken at 117 km/h derails; relying on a human to slow the train means relying on the very person who may be incapacitated. Continuous speed enforcement that brakes a train exceeding the curve's limit removes the human single point of failure entirely.
05
Medical fitness must match the consequences of failure
Certifying a driver fit while under-screening cardiac risk treats incapacitation as improbable rather than foreseeable. For a safety-critical role where collapse can kill, medical assessment must be rigorous, recurrent, and aligned to the real likelihood of sudden events.

Aftermath

The Waterfall inquiry reshaped rail safety in New South Wales. Even before the final report, its interim findings drove a 2004 overhaul of the medical assessment of rail safety workers, introducing mandatory cardiac screening as part of certification and recertification — a direct answer to the fact that a driver's heart attack had been allowed to become a fatal single point of failure. The deadman arrangements were redesigned toward task-linked vigilance systems that demand active responses rather than mere continuous pressure, addressing the defeat-by-body-weight flaw at its root. Data loggers recording the actions of driver and guard were fitted, and the guard's safety role was strengthened with clearer monitoring expectations.

Institutionally, Waterfall — coming so soon after Glenbrook, and investigated by the same commissioner — accelerated the separation of safety regulation from the railway operator and the establishment of an independent transport-safety regulator in NSW, with ongoing public reporting on the implementation of McInerney's recommendations sustained for years afterward. For the families of the seven who died, the lasting meaning of the inquiry was its insistence that the accident was not simply an act of God in a driver's chest, but a foreseeable failure the railway had been obliged, and had failed, to guard against.

Lessons

  1. Build every train on the assumption that the driver may be suddenly incapacitated, and ensure the train can still be brought safely to a stop without them.
  2. Make vigilance devices test alertness, not mere presence — a control an unconscious body can satisfy is no safeguard at all.
  3. Where a second crew member is the backup against driver failure, equip, train, and position them to actually monitor speed and intervene.
  4. Fit automatic overspeed protection on curves and gradients so that exceeding a posted limit triggers braking regardless of who, or what, is in the cab.
  5. Scale medical fitness screening to the consequences of failure; for safety-critical drivers, screen rigorously and recurrently for sudden-incapacitation risks such as cardiac events.

References