Back to the LL.M. index.
To my other legal topics index.
Back to Clive's home page.
"Will you go to stationmaster Bunce, and say that I am afraid I have wrecked the Scotch express."
- Alfred Sutton[2]
How is it that a conscientious man, with 26 years' experience in his job, could find himself in the position of being responsible for the death of 12 people? What is the situation that meant his single mistake had such consequences? And what is the relationship between this event and Lawrence Lessig's seminal work on the regulation of the Internet?
Lawrence Lessig wrote the first version of Code in 1999 and the second in 2006. In them he describes how a new technology - the Internet - is regulated in four ways.
As he puts it:
four constraints regulate this pathetic dot-the law, social norms, the market, and architecture-and the "regulation" of this dot is the sum of these four constraints. Changes in any one will affect the regulation of the whole. Some constraints will support others; some may undermine others[3].
In particular, he points out that it is not necessary for law-makers to operate in a vacuum or to treat the other three mechanisms as fixed. Instead, where that is the most efficient approach, the other "regulations" - particularly the code or architecture underlying a system - can be altered to obtain some desired effect. His first example is the story of Dank and Martha and the poisonous flowers in a certain multiplayer game[4]. Petals from these flowers were spreading to other locations and causing harm. The solution was not a law to require Martha to prevent the petals spreading but, rather, to re-code the flowers so that they are only poisonous on her property or if sold[5]. The architectural change is both more practical and a more effective solution; it also has the useful side-effect of making stolen flowers non-poisonous and thus worthless, which eliminates theft by regulating the market rather than by making it against the law. Another example is using speed bumps in the road to enforce a speed limit for cars[6], an approach often more effective than prosecuting offenders.
Lessig wrote about the new technology of the time. From about 1825 another new technology was sweeping the UK and the world. Like the Internet, it brought huge benefits and many people were getting rich from the resulting boom[7]; at the same time it threatened social upset and some believed it was fraught with danger[8]. This new technology was the railway[9]. In this paper I attempt to analyze the regulation of this new technology[10] through the perspective of Lessig's Code; in particular, how architecture has been used to gradually replace "law" to improve regulation and therefore safety.
Literature about the regulation of the Internet is abundant[11] but there is little or no material on the regulation of railways from a theoretical and jurisprudential perspective. Therefore it will be necessary to examine in some detail the problems the rail industry has faced, particularly after major incidents, and the technology used to address them. In contrast, it is assumed that the reader is familiar with Lessig's work; the aim is to present a new application for his theory.
While railway signalling is a very wide field, I look at three particular aspects: the block system for keeping following trains apart, interlocking of points and signals, and the management of single lines.
The railways in the UK were developed privately in the 19th century. Each new railway tended to be a separate company with its own investors, though soon enough there were mergers and takeovers leading to the formation of major companies like the LNWR[12], the GER, and the North Eastern Railway. But at the same time there were many far smaller undertakings, often running on a shoestring. Apart from the first world war, state control only started in 1939[13].
As a result of this commercial freedom, there were no less than three bodies regulating the railways and three creators of "law" governing them. Firstly there was Parliament, though as we shall see it tended to avoid creating safety legislation. Secondly there was the government, through the arm of HMRI (see below). Finally, the railway companies themselves created detailed rules for the day-to-day operation of the railway that must be followed exactly[14]. As far as the staff were concerned, these were as much law as any legislation; indeed, the rulebook had far more daily significance.
While most railways are created by Act of Parliament because of the need for compulsory purchase powers, the legislature has been reluctant to get involved in railway safety. This position might seem curious, considering that on the opening day of the Liverpool and Manchester Railway[15] the popular MP for Liverpool, William Huskisson PC, was run down by Stephenson's Rocket and died a few hours later of his wounds. Despite this, the general view was that it was not for the State to manage this aspect of the railways, since that would make it responsible for safety. An 1873 Select Committee expounded this view: if certain safety features
"were made compulsory, railway companies might rest content with fulfilling the requirements of the law, and be less inclined to expend money on other improvements, which though not enforced by law, may be conducive to public safety. It is desirable, as stated in the report of 1870, that improvements should be introduced by those who are entrusted with the management of railways,"[16]
In other words, railways should not be pushed in one direction but instead should be left to spend money on safety improvements as they feel necessary. Implicit in this is the assumption that the market and social pressure (norms) can be left to regulate[17]: either people will not travel on unsafe railways[18] and the resulting financial losses will encourage them to improve, or the managers will realize that a little spending on safety now is better than much spending on repairs and compensation later[19].
This was reinforced after the Tay Bridge collapse[20], where there were complaints that Major-General Hutchinson of HMRI had inspected the bridge and passed it for operation[21]:
If any public department were entrusted with the power and the duty of correcting and guaranteeing the designs of those engineers who are responsible for railway structures, the result would be to check and control the enterprise which has done so much for this country, and to substitute for the real responsibility which rests on the railway engineer the unreal and delusive responsibility of a public office.[22]
As we shall see, there have been a couple of specific exceptions to this attitude over the years, and Parliament's inactivity was mitigated by the existence of HMRI.
HMRI is a government body that has had a profound effect on the development of railway safety. It was formed in 1840 by the Railway Regulation Act 1840[23], s.5:
That it shall be lawful for the Lords of the said Committee[24], if and when they shall think fit, to authorize any proper Person or Persons to inspect any Railway; and it shall be lawful for every Person so authorized, at all reasonable Times, upon producing his Authority, if required, to enter upon and examine the said Railway, and the Stations, Works, and Buildings, and the Engines and Carriages belonging thereto:
It was staffed by officers of the Royal Engineers, typically 3 or 4 at a time[25]. In practice HMRI carried out two roles: it inspected new railways before they were opened and it carried out investigations into railway accidents. Initially it had no powers to enforce safety, but the Railway Regulation Act 1842[26], s.6 gave the Board of Trade power to postpone the opening if the inspection found that it:
would be attended with danger to the public using the same, by reason of the incompleteness of the works or permanent way, or the insufficiency of the establishment for working such railway,
The effects of this rule were that new lines tended to be built with safety arrangements reflecting the best practice of the time[27], but the Inspectorate could not force these to be fitted retrospectively to lines already open. Accident reports might contain recommendations for change and might "name and shame", but nothing other than public opinion (with two exceptions discussed later) could drive their provision[28]. Even with public ownership and funding of railways in the 20th century, this division of responsibility remained and HMRI could not force British Rail to make any specific change.
Although right from the formation of HMRI it carried out investigations into serious accidents, it was only 30 years later that the Railway Regulation Act 1871[29] gave it formal powers to do so[30]. Inspectors are entitled to enter and inspect any railway facilities and can demand the attendance of railway staff at their inquiries[31]; it is an offence to fail to attend or not answer any question[32]. HMRI accident reports form the primary source material for those interested in railway safety. Typically 5 to 20 pages long, they summarize the event, describe the evidence, reach conclusions as to the cause, and make recommendations for changes to prevent a recurrence.
HMRI inquiries were aimed at finding causes and not assigning blame, though they often did so. Evidence given to the inspector cannot be used in court[33]. This means that other judicial processes continued to operate; in particular coroners would still hold inquests on those killed in railway accidents. This sometimes led to conflicts; for example, following a collision at Brockley Whins near Newcastle[34], Colonel Yolland was somewhat scathing about the ability of coroners' juries to understand the issues:
This verdict and the subsequent remarks supply further confirmation, if any were needed, of the fact that coroner's inquests, as generally conducted, are singularly ill calculated to ascertain the real causes of railway accidents; but they are supposed to be sometimes serviceable, as in this instance, to the railway companies, in concealing the mismanagement of the company from the public.[35]
(In this case the jury had criticized a railwayman for an action that was actually part of his duty.)[36]
In 1919 HMRI moved from the Board of Trade to the newly formed Ministry (later Department) of Transport[37], and then in 1990 to become part of the Health and Safety Executive. Around the same time, increasing press concern over major accidents led to HMRI reports being replaced by formal public enquiries presided over by a judge, notably the Hidden enquiry into the Clapham Junction collision and the Cullen enquiry into the Ladbroke Grove collision. These enquiries tended to be more adversarial and there was a feeling among rail professionals that those conducting them did not properly understand the issues.
On 17th October 2005 a separate Rail Accident Investigation Branch ("RAIB") came into operation. This was established by part 1 of the Railways and Transport Safety Act 2003[38] to investigate accidents on UK railways and tramways[39] and the Channel Tunnel, and to make recommendations (thus taking over this part of HMRI's role); these continue to be purely advisory, though it is noted that "those identified in the recommendations, have a general and ongoing obligation to comply with health and safety legislation and need to take these recommendations into account in ensuring the safety of their employees and others."[40] Its detailed powers are described in the Railways (Accident Investigation and Reporting) Regulations 2005[41], which also implement the relevant part of the Railway Safety Directive[42]. The remainder of HMRI was transferred to the Office of Rail Regulation in 2006 and abolished in 2009.
The characteristic of trains that was most noticeable to the Victorians was their sheer speed - even in the early days a train might be travelling at 20 mph or more, something previously only achieved by a galloping horse and certainly never sustained for mile after mile. Yet it is not speed that eventually led to a comprehensive system of safety on the railways but, rather, the fact that trains can not stop easily.
Today people are used to driving at speed in their cars, but they are also used to being able to stop relatively quickly - certainly within the distance they can see. This is because of the grip that rubber tyres have on a relatively rough road surface. Trains, on the other hand, have smooth steel wheels running on a smooth steel rail. This greatly reduces friction; on the one hand it means that a relatively weak motive power unit can haul large trains, but on the other hand a train is unable to brake hard or stop in a short distance. On level track the worst-case stopping distance (used for determining the placement of signals) is 1218m at 70mph and 2041m at 100mph[43]. On a 1 in 50 downhill gradient[44] the latter increases to 3312m and a train takes 2½ minutes to stop. Yet these figures are far better than they used to be; in the mid-19th century a train might be incapable of stopping from 30mph in 1000m.
What this means is that trains cannot stop on sight nor can the driver simply react to an obstruction ahead of the train[45]. Instead, it is essential to provide drivers with advance warning of any need to stop or to slow down. The whole history and purpose of railway signalling is to provide that advance warning and, as a result, a consequence of speed is the need for a whole new regulatory regime. Speed is another instance where the Internet repeats history: the speed with which it allows information to spread is so great that the existing legal regime to stop unlawful publication is nugatory[46] and a new one is necessary[47].
The majority of railway lines consist of at least two tracks[48], with separate tracks used for each direction of travel. Therefore the most obvious safety requirement is to keep following trains apart.
In the earliest days of the railways, "time-interval" working was in use. Once a train departed from a station, no other train was allowed to follow it for 5 minutes. For the next 5 minutes, the driver of the second train would be given a warning indication[49] and be expected to proceed slowly, looking out for the train ahead. But after the 10 minute gap, trains would simply be given a "clear" indication and allowed to proceed at full speed, even though the first train could be running slowly or even have broken down. The dangers of this system should be obvious. Indeed, they were clear enough to members of the public that in 1853, following a collision at Straffan[50], a book[51] was published suggesting that, whenever a train came to a stop between stations, passengers should get off and wait beside the track until the train was ready to start again rather than risk being killed or injured in a collision.
The solution to this problem was already known. The electric telegraph was patented in 1837[52] and was first used on the railways for signalling purposes in 1844. The principle is simple enough: once a train has been sent from A to B, no other train can follow it until a message has been sent back from B to say that it has arrived complete[53]. Although it eventually became accepted practice, it was resisted by most railways[54] for many years on the grounds that it made it impractical to operate sufficient trains to meet demand[55]. Here we see another clear comparison between railway regulation and the "information superhighway" - not only do both require fast transfer of information, but traditional media resisted use of the Internet for many years on the basis that it "wasn't practical".
The block system is based on signallers following a set procedure aided by some equipment. The signallers communicate by coded messages tapped out on single-stroke bells (that is, pressing the tapper at one signal box causes the bell at the other one to ring once) and a three-position telegraph instrument. This latter has two dials and a single control, each of which can be in one of three positions labelled "normal", "line clear", and "train on line". The lower dial repeats the indication of the control at the same end and is used for trains coming towards the signal box; the upper dial repeats the indication of the control at the other end and is used for trains heading away from the signal box[56].
For example, consider a train wanting to proceed from Carnoustie to Arbroath[57]. The signalman at Carnoustie will alert his colleague at Arbroath and then send an "is line clear?" request. If the line is clear from Carnoustie to the first home signal at Arbroath and a safety margin of 400m beyond it, the signaller at Arbroath will acknowledge the request and turn her instrument from "normal" to "line clear". The Carnoustie signalman will see the upper section of his instrument change and can now clear his section signal to allow the train to proceed. When it does so, he sends the message "train entering section" to Arbroath, who acknowledges it and turns the instrument to "train on line". When the train reaches Arbroath and the signaller has seen the red lamp at its tail to prove it is complete and hasn't left a portion behind, she sends the message "train out of section" and turns the instrument back to "normal".[58] Of course, assuming the train is proceeding onwards, then at an appropriate moment she will request permission from the Inverkeilor[59] signalman in the same manner, using the separate bell and instrument for that section, and as the train passes she will send "train entering section" to him.
As described here, and implemented in practice for many years, the block system is a mixture of "law" and "norms": a code of rules instructs the signallers how to send trains safely on their way, while deviations from those rules, such as failing to change the setting of the instrument, will usually quickly be noticed and a subtle reminder sent. Nevertheless it would be possible for a signalman to allow a train into a section without permission from the signaller ahead. This was solved by the introduction of a piece of "code" called "line clear release". With this, a bolt locks the lever operating the section signal so that it cannot be pulled and the signal remains at "danger". When the instrument for the section moves to "line clear", a solenoid withdraws the bolt and allows the signal to be cleared. However, doing so breaks the circuit and, when the lever is replaced after the passage of the train, the bolt locks it once again even if the instrument is still at "line clear"[60].
Another risk is that a signalman may inadvertently leave the signals clear after one train (perhaps because he was distracted by some other task) and so allow another one through into an occupied section. This is prevented by two other controls built into the system. The first is that the "line clear" circuit runs via a switch operated by the lever for the first home signal, so that the instrument can only be changed if that signal is at "danger" (the signalman can still move his control, but neither instrument will show the new indication). The second is called "rotary" or "sequential" locking, and means that each signal controlled by the signaller can only be cleared if the next one is at danger. Thus if the Arbroath signaller fails to put her signals back to danger behind one train, she can't send the "line clear" message to Carnoustie. If she puts back the home signal but not the section signal, the former will be locked at "danger" until the latter is replaced as well. And once she's done that, she can't clear it again until Inverkeilor indicates "line clear".
Thus three simple bits of architecture ensure that no one signaller can make this mistake. This is "dynamic architecture" rather than "static architecture" - it involves the transfer of information to trigger actions, rather than simply blocking the "wrong" behaviour. It thus compares with Lessig's model of Internet regulation[61] as opposed to the static concepts of "defensible space" and situational crime prevention[62].
In 1935 there was a fatal collision at Welwyn Garden City caused by mistakes on the part of the signalman there. In his report[63] Lt.-Col. Mount suggested what is now known as "Welwyn Control"[64]. To use our previous example, once the signaller at Arbroath has given "line clear" to Carnoustie, she cannot do so a second time until the train has occupied and then cleared a track circuit at the home signal to prove it has actually gone through the section (she still needs to observe the tail lamp to ensure it is complete).
This piece of architecture solves a problem but, as so often happens, introduces a new one. What if the signalman at Carnoustie has cleared his section signal but there is then a change of plan? He restores the signal to "danger", but can't clear it for the next train until the Arbroath signaller gives "line clear" again. But she can't do that until a train comes through the section to work the Welwyn Control logic! The answer to this catch-22 situation is to have some kind of override mechanism but, equally, this reintroduces the original risk. Therefore, to release the Welwyn Control, the Arbroath signaller must wind a handle several dozen times. The 2 minutes or so this requires is officially to give her time to think, but it has the additional benefit of discouraging hasty actions by making them unpleasant[65]! This is almost a fifth kind of regulation beyond Lessig's four, though of those it is perhaps a hybrid of architecture and "norms"[66]. It is perhaps similar to "nagware"[67].
The systems described above prevent two trains being sent through the same section. However, where trains are shunted to and from the running track (for example from a loop platform) they don't prevent the signaller forgetting their presence and signalling another train into them. Over the years there have been a number of accidents like this. In his report on one such at Norton Fitzwarren[68], Colonel Rich wrote:
I am informed that many signalmen put one of their flag sticks in the spring catch of the signal levers of the line that is blocked[69], to prevent their forgetting that a train is waiting to proceed, and pulling off the signals of the line that is occupied.
I would suggest that a slide bar, a loop, a wedge, or some other mechanical contrivance, marked " Train waiting" should be fixed to the levers in the cabin to do this, and prevent these levers from being pulled by mistake.[70]
This suggestion was widely adopted. Today signalmen are provided with collars marked "TRAIN WAITING" that can be placed over the handle of a lever, both preventing the lever from being moved and providing a visible reminder. Nevertheless, even though the rules require their use, and require someone from a waiting train to come to the signal box and check this, it is still possible for this step - and the train - to be forgotten. Which brings us back to poor Alfred Sutton and, later, to the disgraceful events at Quintinshill.
Hawes Junction[72] lies near the summit of the railway from Leeds to Carlisle. In 1910 it was a permanent hive of activity as engines that had assisted trains up the "long drag" were detached and turned round before returning to their depot. Early on Christmas Eve two such engines were waiting to run back to Carlisle and, after a special train went through, they ran forward to wait at the section signal, out of sight of signalman Alfred Sutton because of the driving rain. Sutton received warning of the approaching sleeping-car express to Glasgow and, naturally enough, obtained the route north and cleared all his signals. The engines set off at once but, of course, were swiftly caught up by the express, with fatal results.
While the engine drivers were partly to blame for not reminding him of their presence, the main fault lay with Sutton. During a busy night he had forgotten about them and had failed to put any kind of reminder device on the signal lever (he was not provided with collars, but habitually used the poker to the same purpose). Once having made that mistake, the accident was inevitable. The report notes that a track circuit[73] could be used to operate a "train waiting" indication in the signal box or even lock the signal protecting that section of track at "danger". This latter arrangement replaces the rule of not clearing the signal with a train present by architecture which prevents it.
Two other collisions involving forgotten trains have led, not to changes in the rules or the architecture, but to signalmen's presence in court.
James Holmes was one of the regular signalmen at Manor House in Yorkshire. He came off night shift and walked home to discover that his baby daughter was unwell. Having gone to bed, he was woken by his wife a few hours later because she was worse. He walked the 4½ miles to the doctor's house and back, only to learn that the girl had died. He then walked to the station to telegraph for his mother to come and stay and to report himself unfit to stand duty that night. However, no relief could be found for him[75] and he eventually started work at 8pm, having had only 3 or 4 hours sleep and walked some 15 miles.
Given this, it is hardly surprising that he fell asleep at about 3:45 in the morning, to be woken a few minutes later by the bell from Otterington requesting the line for an express train, which he accepted. Unfortunately he had already accepted a goods train, which was now standing at his signals, and 10 people were killed in the resulting collision.
Compared with modern times, the law moved extremely swiftly. The accident happened early in the morning of 2nd November, and on the 18th a coroner's jury found him responsible for the manslaughter of the victims. There was much public sympathy for Holmes - including letters in the Times - and, when he was committed for trial on the 28th, even the prosecutor "had no wish to press the charge unduly"[76]. The case came to trial on December 5th (33 days after the accident) and Holmes was convicted of the manslaughter of the goods train guard. The judge felt that a custodial sentence was not necessary and "ordered the prisoner to enter into his own recognizances in the sum of £50 to come up for judgement if called upon"; a sentence that was met with tremendous applause[77].
It is interesting to consider how this might have been handled today. The whole basis of the charge against Holmes was that he was negligent to have forgotten the goods train. The lack of protective mechanisms were not mentioned; while his personal circumstances were accepted in mitigation of sentence, they did not form a defence. Today the latter would have been seen as a health and safety matter while the company would have been prosecuted for corporate manslaughter on the basis that they had not provided suitable safety systems. Indeed, after the Southall collision[78], both the driver and Great Western Trains were charged with manslaughter and health and safety offences. Scott Baker J held that the corporate manslaughter charges could not be advanced[79] and GWT pleaded guilty to the health and safety offences, after which all charges against the driver were dropped[80].
Quintinshill, near Gretna Green, was the site of Britain's worst ever railway accident. It led to three men being tried for, and two convicted of, manslaughter.
The local passenger train from Carlisle proceeded as far as Quintinshill, where it was shunted to the other line to allow the following sleeper train to pass. At the same time a train of empty coal wagons was approaching from Kirkpatrick and was routed into the loop on that side. Once it had arrived and "train out of section" sent to Kirkpatrick, the signalman should have followed up with a special code ("blocking back") to indicate that the line was blocked by the passenger train and put his instrument to "line blocked". Kirkpatrick would then have known not to offer another train. He should also have put a collar on the lever protecting the local, whose fireman should have ensured he had done so.
However, on this day things were different. The night signalman - George Meakin - should have handed over to James Tinsley at 6am. But instead of making his own way from Carlisle, he rode on the engine of the local, arriving at about 6:30. Since 6am Meakin had been recording train details, not in the official register, but on a piece of paper, and Tinsley now settled down to copying them across. Meakin should have left, but instead sat and read a newspaper, chatting with other people about the war news. One of them - both denied having done so - sent "train out of section" to Kirkpatrick but whoever it was failed to follow up with the "blocking back" signal. Neither of them collared the protecting signal lever, nor did the fireman of the local - George Hutchinson - ensure he had done so; given that Tinsley, who was now in charge, had just ridden in on the train, he didn't consider it essential.
At 6:42 Kirkpatrick offered a special troop train. Tinsley accepted it, obtained the route forward to Gretna, and cleared all his signals. At 6:50 the troop train ran into the local; a minute or two later a second sleeper train ploughed into the wreckage, which shortly afterwards caught fire. The train was carrying the 7th Royal Scots from their base at Leith to Liverpool, where they would have embarked for war service at Gallipoli. Approximately 226 people were killed[82]; many were soldiers from Leith or Musselburgh, and a special memorial was erected at Rosebank Cemetery, Edinburgh[83].
Meakin, Tinsley, and Hutchinson were all charged with manslaughter and tried at Edinburgh. The case actually involved a conflict of jurisdiction, since some of those on the train died in hospital in Carlisle; under Scottish law the place where the death was caused was significant, while under English law the place of death mattered. The Lord Advocate did not bring any evidence against Hutchinson and he was acquitted, but the jury took only 5 minutes to convict[84] the two signalmen over their gross negligence. As the Lord Justice General summed up:
"They gave the signal that the line was clear and the troop train might safely come on. At that moment there was before their very eyes a local train obstructing that line. One man in the signal box had actually left that train a few minutes before when it was being shunted. The other had, a few minutes before, directed the local train to go on to the up main line. If you can explain that staggering fact consistently with the two men having faithfully and honestly discharged their duties you should acquit them."
Meakin was sentenced to 18 months penal servitude and Tinsley, who had actually signalled the troop train, to twice that. Both were released after serving 12 months after which they returned to work on the railways, though not as signalmen.
The block system is one area where regulation by rules has slowly changed into regulation by architecture. Another, and one that developed rather more quickly, is interlocking.
The purpose of signals is to tell drivers the point where they must stop to avoid danger. Therefore it is essential that signals only be cleared when the line ahead is safe; a prime example of the need for regulation. For example, consider the situation where two tracks converge at a set of points, with a signal on each track:
Clearly signal 1 must only be cleared if points 3 lie reversed, while signal 2 must only be cleared if they lie normal. Yet this apparently simple and obvious principle actually led to a great deal of controversy and innovation.
In the early days of signalling, regulation was done entirely by the rulebook. The signalman would be instructed not to clear signal 1 or 2 unless points 3 were in the correct position. Or, even worse, there might only be one signal for both lines, as was the situation at Hatfield in 1867[85]. Here the points were not operated by the signalman but instead were weighted to stay in the normal position with a lever to reverse them placed alongside. It was usual practice for the signal to be cleared either for a train on the main line or to tell the driver of a train in the siding that it was time to leave. As might be expected, this was eventually misunderstood and trains from the two tracks collided.
The solution to this problem is "the use of mechanical means [such that] no train could be signalled to pass over a certain line until the points had been previously fixed open to that line"[86] or, as it is now known, "interlocking". To put it in Lessig's terms, the "law" prohibition on clearing the signal at the wrong time is replaced by a "code" prohibition[87]. The first interlocking device was demonstrated[88] in September 1856. A range of methods were developed over the next few years and "in the tappet principle is found the survival of the fittest"[89]. This system is staggering in its simplicity. Consider the case of levers 2 and 3 in the above layout; the interlocking must ensure that only one can be pulled at a time. Each lever has a horizontal metal bar - the tappet - attached to it and arranged to slide along its own length as the lever is pulled. There are notches on the right hand side of the tappet connected to lever 2 and on the left hand side of that connected to lever 3. A small piece of metal, known as a "wedge" or "dog", is placed in a channel so that it can slide left or right between the two tappets. Suppose lever 2 is pulled to clear the signal for the main line. Unless it is already there, the dog will be pushed to the right and into the notch on tappet 3, locking lever 3 so that it cannot be pulled. If lever 2 is restored and lever 3 pulled instead, the dog is driven leftwards and now locks lever 2.
In the case of lever 1, this must be locked until lever 3 is pulled. This requires a second dog passing under the tappets[90] and a notch in tappet 3 that lines up with it when the lever has been pulled:
Even in this simplest form interlocking greatly increases the safety of the railway. In actual fact, far more complicated locking requirements can also be implemented through tappets[91]. An interlocking frame is, indeed, a form of mechanical computer implementing a program encoded in the tappet notches: its inputs are the lever positions, its outputs the inability to move the lever, with the internal state represented by the positions of the dogs.
From about 1860 onwards the Railway Inspectorate were encouraging the use of interlocking yet the railway companies were slow to respond. A collision at Walton Junction in 1862[92] resulted in the suggestion that interlocking be added, yet five years later there was another collision at the same place[93] caused by its absence. Colonel Yolland complained in his report:
the unfortunate signalman of 30 years' service, who was, I have no doubt, as he thought, doing his duty properly, is the only person to whom any liability attaches; whereas the expenditure of a small sum would have prevented him from inadvertently committing the act for which he will shortly be tried for manslaughter, and have saved the railway company a very large sum of money that must now be paid as compensation[94]
In other words, the market should have ensured the adoption of interlocking as a form of insurance.
In 1870 a further fatal collision at Brockley Whins found him still complaining about the situation:
Because it appears to me that the company's management is wholly to blame for this accident.
It is now nearly 15 years since I first called attention to the danger[95]
The cause of this delay appears to be nothing more than a reluctance of the major railway companies to spend money. While some of the smaller ones may have been poor, at this period many major railway companies were paying dividends of 7% or 8% per annum (at a time of negative inflation)[96]. In 1873 only 40% of connections on passenger lines were interlocked[97]. In 1880 this had risen to 56%[98] and by 1889 (when the situation changed[99]) it was 90%[100].
While the most common form of interlocking is that using the sort of devices described above, sometimes it is possible to provide regulation without any mechanisms at all! Consider the following layout:
If one train is proceeding from P to Q while another is going from X to Y, then if either ignored a signal they could collide head-on on the diamond crossing. This could be prevented by interlocking, but the approach actually followed is to give both the points marked A the same number so that they are operated by the same lever and therefore synchronized. The latter train will now be diverted towards Z (any resulting side-swipe collision at B or C is likely to be less serious[101].
Lessig does not have a direct equivalent of this example of regulation. It is neither explicit code nor is it an inherent property of the network[102]. Rather, it is a "neat hack"[103].
A third area where Lessig's regulators interact is the operation of single lines. Many early railways were impoverished undertakings and could only afford to construct a single track with loops at the more important stations to let trains pass each other. Unlike double track, this introduces a serious risk of head-on collisions between trains heading in opposite directions between the same two points.
The initial approaches to preventing this were again "law" based, with specific rules that had to be followed. The folly of this approach was most clearly shown by an accident in 1874[104]. Trains normally ran on the single track[105] between Norwich and Brundall in the order specified in the timetable but, if there were problems, the staff at either station could telegraph the other to tell them to hold a train or dispatch it early. In any case, train drivers were always given a written instruction to depart either station. On the night in question Inspector Cooper at Norwich wrote out an order to be telegraphed to Brundall to send the mail train, but did not sign it. Nevertheless the telegraph clerk sent it. Meanwhile Inspector Parker had written an order for the Yarmouth express to depart. He asked Cooper if he had ordered the mail up and Cooper replied "Certainly not". Therefore Parker gave this order to the driver of the express. Cooper then returned to the telegraph office to cancel his message, only to discover that the mail had already left Brundall. The resulting collision killed 25 people.
Despite the regulation by "law" on this line, other railways were already using approaches more akin to "architecture". The most reliable was the "staff and ticket" system. A section of line (say Dunragit to Stranraer[106]) has a wooden or metal staff associated with it, usually engraved with the names of the two end-points. Possession of the staff gives a train driver absolute authority to proceed along the single line, safe in the knowledge that no train can be coming the other way. Of course, the problem is that this requires trains to alternate between the two ends. If Dunragit wants to send two trains in succession to Stranraer, the staff somehow has to be returned between the two[107]. To solve this, each signalman has a bundle of tickets, of the form:
Train number ........
To the Engine Driver
You are authorized, after seeing the train staff coloured
YELLOW for the section to proceed from
DUNRAGIT to STRANRAER
Provided that drivers actually check the staff, and provided that the block system is used to prevent trains following each other too closely, the ticket is an equal guarantee of safety. To prevent tickets being issued wrongly, a "code" solution was used - the tickets would be locked in a box that could only be opened using the staff. In addition, the tickets were numbered and their use logged so that a supervisor could verify the need for them to be used - a form of "norms".
Staff and ticket works when the sequence of trains can be predicted, but fails when the planned schedule is disrupted. In 1878 Edward Tyer solved this when he patented the electric token machine. A machine is installed in each of the two signalboxes; each machine contains several labelled tokens[108] that provide the same authority as a staff or ticket. The innovative step was to link the two machines electrically so that only one token can be outside the machines at a time. The details vary, but the general approach is the same. For a train to run from Dunragit to Stranraer, the signalman at Stranraer presses a button on his machine. If the two machines are "in phase", this unlocks the machine at Dunragit and allows a single token to be removed to be given to the driver. If not, the tokens remain safely locked away. Removing a token takes the machines out of phase; returning it (to either machine) brings them back into phase again, allowing another token to be requested.
The mechanism behind this is simple yet effective. The machines are linked by a pair of wires which enter through a commutator. This either leaves the connections unchanged or crosses them over; . Removing or replacing a token reverses this setting. Pressing the button at Stranraer puts a voltage on the wires[109] to Dunragit, where it is fed through a diode and into the electric lock[110]. If both commutators are in the same position (whether "straight" or "crossover") the lock is released. If they are opposite ways round, the diode blocks the current. A ratchet on the lock means the token can be returned even when the machine is locked. To ensure tokens aren't placed in the wrong machine, tokens for adjacent machines are physically different (e.g. with differently spaced notches)[111].
Obviously token systems rely on drivers checking the tokens. This was brought home at Abermule[112], where owing to confusion the driver of the train heading from Abermule to Newton was given back the same Montgomery to Abermule token he had just surrendered and proceeded without examining it. Following this it became standard to interlock the signals with the token machines, so that the signal leading to the single line can only be cleared if a token had just been issued at that end. While drivers still need to obey signals, the "architecture" of the token machines has made it impossible for a signalman to make a mistake and cause a collision.
Incidentally, despite the fact that the token is their lifeline, drivers often remain casual about checking it. Jack Warland recounts[113] an incident at Halwill Junction where four trains all departed a junction with the wrong tokens (of course, since all the tokens had been issued by the same signal box, there was no danger of a collision).
A lost token is a major cause for concern. While technicians can reset the machines into phase, there is always the concern that the missing token may be found and put into a machine while another token is still out. Therefore, unless evidence can be found such as one part of a broken token, resetting has to be authorized at a high level. One railway company introduced papier-mâché tokens to mitigate this risk: if one was lost, it would soon absorb enough rain or dew to swell to the point that it no longer fitted into the machine.
The laissez-faire attitude of government towards railway safety took a major and historic knock in 1889. A special Sunday school excursion train was arranged to run from Armagh to Warrenpoint. The train was heavier than the driver felt happy with, but he took it anyway, only to stall near the top of the 3.15 mile climb out of Armagh. He then decided to divide the train, pull the first half over the summit and leave the coaches in a siding, then return for the rest. During this process the rear portion was nudged and started to run away down the hill (the train was not fitted with brakes on each carriage and the hand brake on the rear coach appears not to have been fully applied) with the passengers locked inside it and unable to escape. Since the block system was not in use on the line, the following train had left Armagh and the runaway coaches collided with it, killing 78 passengers (including 42 children and teenagers) and injuring 262.
There was much public concern and questions in Parliament about the causes of this accident, particularly because of the number of children involved[115], and an 1873 Bill[116] was hurriedly resurrected and rushed through to become the Regulation of Railways Act 1889[117]. The key points of this Act were to be found in s.1:
1(1) The Board of Trade may from time to time order a railway company to do, within a time limited by the order, and subject to any exceptions or modifications allowed by the order, any of the following things:
(a) To adopt the block system on all or any of their railways open for the public conveyance of passengers;
(b) To provide for the interlocking of points and signals on or in connexion with all or any of such railways;
(c) To provide for and use on all their trains carrying passengers continuous brakes complying with the following requirements[118]
This Act is a perfect example of "law regulating code"[119], and for over a century this remained the one time the law was used to directly amend the architecture of the railway. In 1997 section 1 was repealed and replaced by Regulations[120] requiring railways to take appropriate measures and install equipment to prevent collisions between vehicles, collisions between vehicles and buffer-stops, and the derailment of vehicles on account of excessive speed or incorrectly set points[121]. This new wording allows other kinds of controls than the block system or interlocking, provided that they achieve the same end. Then in 1999 a new set of controls were placed on railways[122], forbidding them from operating certain kinds of rolling stock[123] and stock with hinged doors (unless it had central locking). On the infrastructure side they required the provision of a system that would stop a train that passes a red signal which could cause it to collide with another train (except from the rear) or that is travelling too fast in any of various situations[124]; in practice this refers to TPWS[125].
Any system of control that relies on "code" has to be aware of the possibility of bugs. Software bugs can be classified as design bugs, where the code faithfully does the intended but wrong thing, or implementation bugs, where the code fails to do what the design says. In the case of railway signalling, such bugs are faults in the design or implementation of the signalling mechanisms; a similar classification applies to them.
The night in question was cold with thick falling snow. A coal train from Peterborough was being followed by the Scotch Express, so the signalman at Abbots Ripton decided to shunt it into sidings there. The interlocking meant that in order to reverse the points into the sidings, the distant and home signals had to be at danger. The coal train was reversing into the siding when it was run into by the express, which had passed the signals at Wood Walton even though they were set to danger. The Abbots Ripton signalman put his northbound signals back to danger, but a few minutes later a northbound express ran into the wreckage.
Witnesses all agreed that the various signals were showing white lights[127] even though the levers were at "danger". It was then normal practice to leave the signals at "clear" and only restore them to "danger" when needed. As a result, snow had built up on the arms and controlling wires and its weight held the signals off even when the lever was replaced. As a result of this accident normal practice was changed to hold signals at danger until they needed to be cleared; a "law" fix rather than a "code" one[128].
At Lichfield there are four tracks, two in each direction, through the station. A passenger train had crossed from the fast line to the slow and was standing at the platform when a following fish train on the fast line was erroneously diverted across as well, running into it from behind.
Between the two trains, the signalman had to restore lever 32, unlocking the crossover, then restore 33 to move the points to route the fish train along the fast line, pull 32 to relock them, then pull 4, 5, and 3 to clear all the signals. The interlocking prevents lever 4 from being pulled unless 32 is reversed and 33 is normal, and prevents 3 from being pulled unless 4 is reversed. The lock operated by lever 32 is connected to a fouling bar. In this case, some ballast obstructed the mechanism, preventing the bar lifting and the lock bolt coming out of its slot. When the signalman put back lever 33, the points didn't actually move because the bolt was still inserted; instead, a connecting rod in the mechanism bent. He was then able to pull the other levers and clear the signals, resulting in the collision. A detector box prevented signal 4 clearing with the points in the wrong position, irrespective of the position of lever 33, but this didn't prevent lever 4 being pulled and unlocking lever 3. The green light of the distant signal probably meant that the driver failed to notice signal 4 at red[130].
This accident happened because, in Boolean logic, "(not (not X)) = X". At Farnley Junction there was a facing crossover meaning that an approaching train could be crossed to the other line[132]. To save on wiring costs, this was controlled using polarized relays. Call the two wires A and B. A positive voltage on A relative to B means the points should be moved normal, while a negative voltage means they should be moved reverse. Similarly, the detection circuit uses a positive voltage on A to report that the points are in the normal position and a negative voltage to report the reverse position. Because of the length of the wires, there were intermediate relays at "Location 17".
The power supply at Location 17 was faulty, so on the request of some technicians the signalman set the signals protecting the crossover to red so that they could work on it. Trains came to a stop at both signals. The technicians called to say that they had finished work so the signalman cleared the signals again. One train started off, went across the crossover, and collided with the other.
What had happened was that a new power supply had been installed the wrong way round, reversing the voltages. As a result, the command from the signal box to set the points normal was converted to a command to set them reverse. They were detected in the reverse position, but the reversed voltage meant that the signal box was told they were normal, allowing the signal to clear.
This is an example of a design bug, where the signalling did exactly what it should, but the design was wrong.
A train was signalled into platform 4C at New Street (a dead-end) and received a double yellow at signal 244 rather than the single yellow that is required by the rules. This signal is controlled by two separate sets of circuits. The first (the "HR logic") ensures that a route is set safely and that the correct route indicator is lit; if this test is passed, the signal can clear. The second (the "HHR/DR logic") deduces the next signal along the route and uses its aspect to select whether 244 shows single yellow, double yellow, or green. The fault was in this latter circuit.
Before platform 4C was opened it was a siding and signal 244 could not clear when points 607 led into it. Therefore the HHR/DR logic ignored it and (assuming the conditions corresponding to the dotted lines were correct) simply looked at signal 204. However, when platform 4C was commissioned, only the HR logic was changed. Thus if a route was set correctly into platform 4C, signal 244 would show single yellow if signal 204 was red, but (wrongly) double yellow or green if it wasn't. What should have happened is that the HHR/DR logic was changed to take account of the position of points 607.
The events at Connington demonstrate that devices intended to protect against mistakes cannot always protect against malice. The layout at Connington involved facing points from the fast line to the adjacent goods line. The interlocking required the points to be locked in the normal position before the signal protecting them could be cleared. Both the points and lock levers were electrically locked when a train occupied a track circuit starting 58 feet after the signal. The locks involved a bolt dropping to a hole in the lever tappet when it was in the appropriate position; if the track circuit was unoccupied, pressing a foot button would energise a solenoid that withdrew the bolt and allowed the lever to be moved.
On the night in question the London to Edinburgh express received green signals approaching Connington, but nevertheless half the train derailed on the facing points, killing five passengers. From the technical evidence, three bogies had "jumped" the track, causing the rest of the derailment, but the only way this could have happened was if the points had been unlocked, moved partly over, then restored to their normal position while the train was passing over them. The signalman had clearly replaced the signal lever as the train passed the signal, releasing the mechanical interlocking on the points and lock levers, but the track circuit electric lock should have prevented the latter from being moved and no faults were found. Experiments showed that it was impossible to move all the levers in the time it took the train to travel the relevant distance.
The inspector therefore concluded that locking must have been deliberately interfered with. For example, a flat blade could have been inserted between the bolt and the tappet on the points lever to stop the former dropping into the hole. It would then have been possible for the signal to have been replaced to danger and the points unlocked before the train reached the track circuit, after which the signalman could freely move the points lever (the timings for this are tight, but there is no reason to believe that this was his first attempt). If he had waited until the train was on the points, pulled the lever a bit, then restored it, this would have caused the observed effects. There is speculation[135] that the signalman was experimenting to see whether he could pull and restore the points lever between the two bogies of a carriage.
Signalman Alan Frost was charged with manslaughter and endangering the safety of passengers on the railway[136]. He was acquitted on the former but changed his plea to guilty on the latter during the trial and was sentenced to 2 years imprisonment (upheld on appeal[137]). He thus joins Meakin and Tinsley as being the only signalmen imprisoned for causing an accident[138]. As for the defect in the interlocking that allowed this to happen, Lt-Col. McNaughton commented:
Electrical and mechanical locking of points and signals is provided, however, as a protection to a signalman, to prevent his unwittingly setting up an unsafe situation as a result of his forgetfulness or carelessness. It is not intended to be proof against deliberate circumvention or malicious interference, nor is it necessary or practicable that it should be so.
Lessig showed that there were four main ways in which the Internet was regulated. In this paper we have seen that at least one much earlier technology displays the same regulatory features.
Of course, the analogy is not perfect - no analogy ever is - but I have identified some of the structural similarities allowing the same model to be applied to railways and the Internet. But what are the key features that bring any technology into the position of Lessig's "pathetic dot"[139]? They must be disruptive, causing benefits through major changes that the existing regulatory system is not ready to cope with. They must have universal demand and utility, not just be limited to specialists (while the Internet was a plaything of nerds, up to around 1992, there was little or no demand to regulate it; similarly, the private "plateways" built by mine owners were largely unregulated). Most importantly, there must be significant externalities involved so that the market alone will not correct problems (ISPs have no incentive to install expensive filtering systems to detect unlawful material; people would travel on railways even when they had almost no safety features[140]).
Are there other technologies that have these properties and do Lessig's principles apply? The car is one: while not as disruptive as the railways, it had a major effect on personal travel, is used universally, and causes major costs from pollution to the treatment of accident victims. The architecture of cars are controlled by law[141], petrol prices and road layouts are manipulated to discourage travel, and social norms have changed to discourage speeding and drink driving. Schafer suggests[142] that medicines also fit the model: the externalities involved are the costs from insufficient testing[143] and from overdosing. The results are liability laws to modify the market, information on side-effects to make people less "gung-ho" about taking them (a manipulation of norms), and a form of regulation through inconvenience by limiting sales of painkillers to 32 tablets per transaction[144].
Lessig and his followers present the Internet as a technology with no historical precedent and which introduce brand-new issues in regulatory theory. But the railways were an equally disruptive technology[145], perhaps even more so, and this analysis of railway safety shows that these concepts of regulation through architecture are neither new nor specific to the Internet. They also introduced regulation by inconvenience and by "neat hack"[146]. On the other hand, it also shows that - whether or not he realized it - Lessig's framework has a much wider utility. It has given us an insight into the processes that led to the modes of regulation of at least two new technologies and, by implication, can do the same for others.
Even with modern-day signalling, much of the terminology used dates back to the days of mechanical levers and semaphore signals.
Signals and points are controlled from a lever frame, consisting of a row of levers. Each lever has a single function, such as working a signal, a set of points, or a wicket gate on a level crossing; the lever is connected to the controlled device either through a mechanical linkage or by a wire. The levers are numbered from left to right[147] and the device they operate is given the same number (hence "signal 24" or "15 points").
Levers normally have two positions, either angled backwards or angled forwards. The former position is called the normal position and the latter the reverse position. Any action which on a lever frame would have involved pulling the lever to the reverse position is therefore reversing both the lever and the controlled device, and any action that involved returning it to the normal position is replacing or normalizing them.
A signal is a device for giving the driver information about the state of the line ahead; the visible state of the signal is called its aspect. A semaphore signal is one which gives its indication through the position of an arm or of the stripe on a rotating disc. In UK practice semaphore signals only show two aspects. If the arm or stripe is horizontal, the signal is on; if it is inclined at an angle, the signal is off or cleared. Traditionally the arm lowered when off (hence lowered is another synonym for cleared, even if the arm actually raises), but during the mid-20th century the convention changed to having the arm raise instead, though both arrangements are still seen. At night the indication is given by a small light (traditionally an oil lamp, though today normally electric) shining through a coloured transparency that is coupled physically to the arm.
A stop signal, when on (or at danger), instructs the driver to stop; when off (or at clear) it allows him to proceed towards the next signal. Each signal box will control at least one, and possibly several, stop signals on each line. Where there is more than one, a train can wait at each for the line ahead to clear. The last stop signal, when off, gives permission to enter the section of line leading to the next signal box and is therefore the starting or section signal[148]. The other stop signals are home signals; the first will typically be the outer home and the last the inner home[149]. A home signal is said to read over the line ahead of it up to the next signal; the term is only used in relation to the section signal if there are points ahead of it.
The first signal controlled by the signal box is a distant signal[150]. When off (or at clear), this tells the driver that all the stop signals controlled by the signal box are off. When on (or at caution), it means that one or more of those stop signals is at danger. Therefore the distant signal must be far enough before the first stop signal to give a train enough distance to brake to a stop. Where signal boxes are close together, the distant signal for one signal box is placed underneath the section signal for the previous signal box and mechanically interlocked to ensure that it is at caution when the section signal is at danger. When first introduced distant signals looked the same as stop signals. They then gained the fishtail notch in the end, but continued to show the same aspects at night. Only around the start of the 20th century did they change to their present form of yellow with a fishtail and black chevron and different colours at night for caution.
Where routes diverge (either at a junction, or for a connection between parallel tracks) it is usual to have one stop signal for each route, placed side by side at slightly different heights - the highest applying to the fastest route. The distant signal only applies to the fastest route and remains at caution if a stop signal is cleared for a different route.
Nowadays semaphore signals have largely been replaced by colour-light signals. These give their indication by bright electric coloured lights. A colour-light signal may show many different aspects, and there may be one lamp unit for each colour to be shown, or a single lamp unit may be capable of showing more than one colour[151]. The main aspects in UK mainline practice are:
| Red | Stop - danger |
| Single yellow | Caution - next signal at danger |
| Double yellow | Caution - next signal at yellow |
| Flashing single yellow | Caution - next signal at yellow and indicating a divergence with a speed restriction |
| Flashing double yellow | Caution - next signal at flashing yellow |
| Green | Clear |
On quieter lines signals don't show double yellow and are then called three-aspect signals; on busier lines they do and are four-aspect signals.
At junctions a diagonal line of small white lights, or an illuminated letter or number, shows that the train is taking a diverging route.
Colour-light signals may directly replace semaphore signals, in which case the distant signal will never show red and the section signal will only show red or green. Alternatively the signals may be spaced regularly and all show all possible aspects.
Points[152] are an assembly of components that allow a train to be switched from one track to another. Points are said to lie in the normal or reverse position, corresponding to the position of the controlling lever; even when there is no lever, the terms continue to be used. When between these positions they are mid-stroke or out of correspondence. Usually the normal position corresponds to the main line and the reverse position to a siding or branch, but sometimes the opposite is chosen. On diagrams it is usual to show a small gap in the reverse direction:
Where points are arranged so that they give a train a choice of routes, they are facing points. Where they allow two routes to converge, they are trailing points. Obviously the question of whether they are facing or trailing depends on the direction of travel, but this is usually clear from context.
Two sets of points arranged to allow a train to cross from one line to a parallel running line form a crossover. It is normal for both ends to be worked from the same lever or controlling device, but there are exceptions.
When two tracks cross each other, the arrangement is known as a diamond crossing. If extra rails and points are added so that a train can transfer from one track to the other, the arrangement is known as a single or double slip, or as single or double compound points.
A facing point lock refers to any device which locks a set of points so that it cannot be moved. Typically it consists of a bar joining both blades of the points and with two holes in it, plus a bolt which cannot move sideways but which can be slid into the hole facing it so as to prevent the bar, and so the blades, from moving. The tolerances are such that the bolt will only enter the hole if the appropriate blade is hard against its stock rail and, therefore, the other blade is well clear.
Traditionally only points that were facing points for passenger trains were fitted with locks. This is because if facing points move under a train it will probably derail as some wheels attempt to go one way and others the other way, while if trailing points move under a train the following wheels will knock them back into the correct position.
To prevent the facing point lock being withdrawn as a train approaches or is sitting over the points, they may be fitted with a fouling bar. This is a moving bar placed so that, when it is raised, it fouls the path taken by some part of a train's wheels (usually the flanges). The bar is usually connected to the facing point lock so that it must be raised as part of withdrawing the lock; this is prevented when a train is standing on the bar. Nowadays they are replaced by track circuits controlling electric locks on the lever or other operating device.
A detector box is a mechanical device for ensuring that points are actually in the correct position before a signal reading over them clears. It consists of a signal slide inserted into in the wire working the signal; this is a metal plate mounted vertically that slides along the line of the wire when the controlling lever is pulled. Perpendicular to it are one or more points slides - also mounted vertically - connected to the blades (and possibly the facing point lock bolt) of the relevant points. The slides have narrow slots in them positioned so that the signal slide can only move if the points slides are in the correct position and vice versa. Thus the signal cannot be cleared, even if the lever can be pulled, unless the points are correct and, conversely, if the signal does not return properly to the danger position subsequently then the points cannot be moved.
A track circuit is a device for detecting the presence of a train on a section of track. A voltage is placed across the running rails at one end of the section and detected by means of a relay also connected across them at the other end; small insulated gaps in the rails isolate the circuit electrically from the rest of the railway. If the line is clear, the current will flow to the relay and operate it, while if a train is sitting on the track its wheels and axles will provide a short-circuit and the relay will drop back (note that the same effect happens if a wire or rail breaks). In some arrangements the voltage is not steady but alternates at some frequency; a tuned circuit wired across the rails can then be used instead of gaps to stop the signal progressing any further.
AWS is a system to warn train drivers of the state of signals and ensure they react to them. Initially it was only fitted at distant signals; nowadays it is fitted at most stop signals as well. About 200m[153] before the signal there is a permanent magnet with its south pole uppermost followed by an electromagnet with its north pole uppermost, energised if and only if the signal is showing "clear". As the train passes over the magnets they are detected by a receiver mounted underneath the driving cab. If both magnets are detected a bell rings. If only the permanent magnet is detected then a horn sounds and three seconds later the brakes are applied automatically. Both horn and brakes are cancelled by the driver pressing an acknowledgement button; this also causes a display in the cab to show a distinctive "sunflower" pattern[154].
TPWS is a system to ensure trains stop at red signals; it is fitted where signals protect junctions, buffer-stops, level crossings, and so on, but not where they simply keep trains running in the same direction apart. It consists of four loops (very-short range radio transmitters) mounted between the rails, two on the approach to the signal and two immediately after it. When activated, the first two loops form a speed trap: if a train travels between them in less than a second[155] the brakes are applied. The second pair are a train stop; passing over them at any speed applies the brakes. In both cases, the brake application cannot be cancelled - the train must be brought to a stop before the system can be re-set. The loops and signalling are arranged so that a train trapped by TPWS will stop before reaching a point of conflict, even if it does not stop before the signal.
[1] A note on terminology: the railways, and in particular railway signalling, use their own terminology for many things. For example, "replacing a signal" does not refer to removing one signal and installing another but, rather, changing the state of a signal to indicate "danger". Annex A contains a discussion of relevant terminology.
[7] The best example being George Hudson, "the Railway King", who at one point controlled about a third of Britain's rail network; see [Arnold] and [Beaumont]. There were two or three major "railway booms" in the 19th century; the creation of new wealth, and the hype and unrealistic financial projections of many schemes, show a marked similarity to the "dot.com boom" of the late 1990s.
[8] See the story of William Huskisson below. The death of Charles Dickens may also have been hastened by a railway accident he was in; see [RIStaple].
[9] Like the Internet, railways had in fact been around for many years before then. But it was with the opening of the Stockton and Darlington Railway in 1825 that they first properly hit the public consciousness.
[10] More precisely, this paper is limited to main line railways in the UK, though much of what I describe is universal and thus applies equally in other countries and to systems like the London Underground, the Tyne & Wear Metro, and "light railways" such as preserved steam lines. Obviously the legal regime applying in other countries differs greatly from that of the UK, but even today UK metros and light railways use different signalling technology and are subject to a different legal regime than the main lines - for example, the Railway Safety Regulations 1999 (see text relating to n.122) apply differently to such lines. It should also be noted that the history of railways in the UK means that there were very few universal principles and variation from the principles described here was, and remains, common.
[11] See for example [Lessig], [Johnson], and [Edwards].
[12] Often described as "the largest joint-stock company in the world".
[13] The state took control of the railways in both world wars. After the cessation of hostilities in 1945, this control continued until the end of 1947 when the railways were nationalized: British Railways started operation on 1948-01-01.
[14] Indeed, it can be said in relation to the rulebook that "everything that is not explicitly permitted is forbidden".
[15] 1830-09-15. See The Times, Friday, Sep 17, 1830 (issue 14,334), p3 column 4.
[16] Quoted in [Raynar] p1. The Bill was withdrawn.
[17] Compare with Lessig's example of speech about drug decriminalization ([Lessig] p235), although in that case the reluctance to legislate is from law about lawmaking rather than norms about lawmaking.
[18] The Oxford, Worcester, and Wolverhampton railway had a poor safety record and was colloquially known as the "Old Worse and Worse", though there is no evidence that this discouraged people from travelling on it.
[19] Compare the 1867 quotation at the text relating to n.93.
[21] See below for the status and activities of HMRI.
[22] Presentation by Joseph Chamberlain MP, President of the Board of Trade, to the House of Commons, available at http://www.railwaysarchive.co.uk/documents/Chamberlain_Tay1880.pdf
[23] 3&4 Vict. c.97.
[24] This refers to "the Lords of the Committee of Her Majesty's Privy Council appointed for Trade and Foreign Plantations", more usually known as the "Board of Trade".
[25] According to [Hall], p9-10, there were 41 Inspecting Officers between 1840 and 1990; only the last 3 were civilians. The average length of service of an IO was 14 years.
[26] 5&6 Vict. c.55.
[27] In 1858 this was reinforced by the publication of some basic requirements [Req1]; this eventually expanded into a 38 page book [Req2]. Extracts from two versions may be found at [Raynor] p185-7 and [Tattersall] p7-17.
[28] Compare rightsholder campaigns to make downloading of copyright material socially unacceptable.
[29] 34&35 Vict. c.78.
[30] Ibid. ss.3 and 7.
[31] Ibid. ss.4 and 7.
[32] Ibid. s.11. The penalty is currently a level 1 fine.
[33] I have been unable to find the statutory authority for this rule, but see [RIBrun] para 27.
[34] 1870-12-29; see [RIBrock].
[36] [RIHawes] p6 also contains comments about juries not understanding railway matters.
[37] Ministry of Transport Act 1919, 9&10 Geo.5 c.50.
[38] 2003 c.20.
[39] Except, confusingly, tramways in Scotland since these are a devolved responsibility of the Scottish Executive. It is anticipated that, once such tramways are built, the RAIB will investigate accidents for the Executive on an agency basis.
[40] Boilerplate wording found in various accident reports.
[41] S.I. 2005 No. 1992, amended by S.I. 2005 No. 3261.
[42] Directive 2004/49/EC; OJ L.220, 21.6.2004, p16; articles 19 to 25.
[43] Lineside Signal Spacing, Railway Group Standard GK/RT0034 issue 4 (available online at http://www.rgsonline.co.uk/Railway_Group_Standards/Control%20Command%20and%20Signalling/Railway%20Group%20Standards/GKRT0034%20Iss%204.pdf), table A, used in most circumstances. Other tables include distances as long as 6198m.
[44] The lack of friction also makes it difficult for trains to handle uphill gradients. In steam days 1 in 200 was considered hard work, and even today a gradient of 1 in 50 will tax trains. The steepest gradient found on normal UK railways is 1 in 17 (on the Docklands Light Railway climbing out of Bank station), though 1 in 14 previously existed on the erstwhile Cromford and High Peak Railway. The Snowdon Mountain Railway reaches 1 in 5.5 at places, but it uses a rack-and-pinion system to overcome the friction problem.
[45] Street-running trams do operate on a stop-on-sight basis, but only at slow speeds and with magnetic track brakes for emergencies. These brakes would damage the track and risk derailing the train if used at speed.
[46] Compare, for example, Godfrey v Demon (1999 WL 33285490, [1999] E.M.L.R. 542, and [2001] QB 201) or Bunt v Tilley ([2006] EWHC 407 (QB)), where in both cases it was impractical to prevent dissemination of the material in question.
[47] Not that we have a workable one yet; equally, it took the railways over 60 years to get one. My thanks to B.Schafer for suggesting this speed analogy.
[48] The UIC reports, at http://www.uic.org/plugins/UIC_SPIP_kit/doc_download.php?id=3946, that at the end of 2008 Network Rail operated 15,814 route-km, of which 11,740 route-km, or just over 74%, had two or more tracks.
[49] Initially by a railway policeman standing by the track (hence signallers are still called "bobby" or "officer" by drivers); later by fixed signals.
[50] 1853-10-05; see [RIStraff].
[52] By Cooke and Wheatstone. "Electric" because optical telegraphs (moving arms or opening and closing shutters) had been in use since 1792 in France and 1795 in England, though not by the railways. A readable discussion of the optical telegraph can be found in chapter 1 of [Standage] and it is also a major topic of [Pterry].
[53] A more detailed description of the concept, as applied in the 1850s, can be found in a letter to The Times, Thursday, Oct 20, 1853 (issue 21,564), p8 column 5.
[54] The South Eastern Railway being an honourable exception. See [Peters] p39.
[55] There were also issues with early implementations. A faulty implementation of the block system, combined with human error, were responsible for the Clayton Tunnel collision (see [RIClay]).
[56] Examples of older block instruments can be seen at http://tillyweb.biz/gallery/bb/barryblk.jpg and http://www.signalbox.org/gallery/s/canterburywest-b.jpg, and a British Rail design with an integrated bell at http://tillyweb.biz/gallery/bb/bedlingtonnthblk2.jpg; this latter is commonly known as a "penguin".
[57] These are now adjacent signal boxes on that line; the erstwhile Easthaven and Elliot Junction signal boxes have been abolished with the reduction in traffic over the past 50 years.
[58] The "call attention" message is a single beat on the bell, "train entering section" is 2 beats, and "train out of section" is 2 beats, pause, 1 beat (normally written "2-1"). The "is line clear?" request has a number of codes depending on the type of train: 4 beats for an express passenger train, 3-1 for a stopping passenger train, 2-2-1-2 for an empty coaching stock train, and so on. There are also codes for special situations of various kinds (a full list can be found at http://www.davros.org/rail/signalling/bellcodes.html). Messages are acknowledged by repeating the code back; "is line clear?" is answered "no" by simply not sending any reply.
[59] The next signal box heading north; former signal boxes at St.Vigeans Junction, Letham Grange, and Cauldcots have also been abolished.
[60] Compare DAT and the Serial Copy Management System ([Lessig] p176-7), and later DRM systems, to enforce rules about copyright..
[61] Compare Lessig's discussion of the Harvard network ([Lessig] p34) and the "Identity Layer" ([Lessig] p50-54, where behaviour is regulated through the flow of identity information, or the use of Internet mechanisms that divert certain information to special filtering boxes (see [Clayton], particularly p120-121).
[62] See, for example, [Newman] and [Schafer].
[64] It is normal to name a railway safety mechanism after the place where the accident happened that the mechanism is trying to prevent a repeat of. Thus as well as Welwyn Control there are Caterham Locking, Huddersfield Control, Lime Street Control, Moorgate Control, Morpeth warnings, Nuneaton magnets, Raynes Park Control, and Tollerton Control. See http://www.rgsonline.co.uk/Railway_Group_Standards/Control%20Command%20and%20Signalling/Guidance%20Notes/GKGN0802%20Iss%201.pdf for definitions of some of these. Ironically, after the first Morpeth accident, there was a subsequent accident at Morpeth because no Morpeth warning had been installed there.
[65] Another approach sometimes used with override mechanisms is to have a sealed counter. Any use of the mechanism increments the counter, and this must be recorded and explained to the supervisor - the additional paperwork and the risk of being second-guessed makes this another unpleasant experience to be avoided. Indeed, it is sometimes said that the most feared weapon in the railway manager's armoury is "Form 1", entitled simply "Please Explain".
[66] There is perhaps an analogy with the "inconveniences of architecture and zoning" mentioned in [Lessig] p135.
[67] That is, software where the code imposes inconveniences on users of copies that have not been paid for and registered, such as frequent "please pay" popups, with the intention of persuading the user into paying.
[68] 1890-11-11; see [RINorF].
[69] The catch handle must be pulled to allow the lever to be moved. If something prevents the handle from being pulled, the lever is locked in position.
[71] 1910-12-24; see [RIHawes].
[72] Renamed Garsdale in 1932.
[73] See annex A for technical details.
[74] 1892-11-02; see [RIManor].
[75] It later transpired that the district covering Manor House had 283 regular signalmen with only 17 relief men to cover absences.
[76] The Times, Tuesday, Nov 29, 1892 (issue 33,808), p11 column 5.
[77] The Times, Tuesday, Dec 06, 1892 (issue 33,814), p6, column 4.
[79] R v Great Western Trains, unreported but available on Westlaw.
[80] The issues of corporate manslaughter in this case are discussed more fully in [Christian], and in the context of other transport disasters in [Gault].
[81] 1915-05-22; see [RIQuin].
[82] "Approximately" because the Battalion Roll was destroyed in the accident and the fire meant that not all the bodies were recoverable. [RIQuin] states 227, but 214 names appear on the memorial at Rosebank Cemetery, which would make the total 226.
[83] See http://www.forrestdale.pwp.blueyonder.co.uk/Gretna.html for more details including photographs.
[84] The Times, Thursday, Sep 16, 1915 (issue 40,961), p5, column 5; other sources say 8 minutes.
[86] Lt-Col.W. Yolland R.E. in [RIBrick], p238.
[87] Compare the discussion of high/low flying in real life and Second Life on [Lessig] p110.
[88] By Mr.Saxby, later of the well-known signalling company of Saxby & Farmer.
[90] The connecting bar between the two ends is sometimes called a "brindle iron".
[91] For examples see [Raynar] p130-133 and also figure 307 on p121, or [Tattersall] p97-100.
[92] 1862-01-02; see [RIWalJ1].
[93] 1867-06-29; see [RIWalJ2].
[94] Ibid. p49.
[97] Board of Trade Interlocking Return, cited in [Rayner] p1, on a base of 26,000 connections.
[98] [Rayner] p1, calculated as 4013 stations out of 7144. Cites "Blue Book C 2857".
[99] See the discussion of [RIArm] below, text relating to n.114.
[100] Board of Trade Interlocking Return, cited in [Rayner] p2 as 34,904 connections out of 38,765.
[101] Note that this trick does not work for right-handed, as opposed to left-handed, crossovers.
[102] An example of an inherent property would be that packet switching allows multiple routes between end-points, and therefore it is not in general possible to intercept all of a communication at an arbitrary mid-point.
[103] The nearest example I can think of is the technique of using ethernet card MAC addresses as part of an IPv6 address, thus making it impossible for two machines to have the same IPv6 address.
[104] 1874-09-10; see [RINorw].
[105] Ironically a second track had been constructed but was not yet ready for use.
[106] This section of line now uses token working; see below.
[107] Of course, if the line is a dead-end with no sidings, there is no problem as each train going one way will have to return before another can proceed. Tickets are not used on such lines.
[108] The tokens can be keys, full-size or miniature staffs, or (as with Tyer's original design) tablets. The term "token" is used as a generic term, though rulebooks will also refer to the specific arrangement, such as "key token", "electric train staff", or "electric train tablet".
[109] To save copper, it is normal to only use one wire with the current returning through the earth.
[110] In older implementations the lock itself would be polarized so that it only opens when the current is in the correct direction; rather than working a solenoid, the magnetic field generated by the current running through a coil attracts or repels a fixed magnet.
[111] Examples of tokens can be seen at http://www.trainweb.org/rcn_uk/slt.html; the different configurations used for adjacent machines are visible for some types.
[112] 1921-01-26; see [RIAber].
[114] 1889-06-12; see [RIArm].
[115] Indeed, Armagh could be said to be similar to demands to regulate the Internet to prevent the dissemination of child abuse images: a public moral panic, complete with cries of "think of the children".
[116] See text relating to n.16.
[117] 52&53 Vict. c.57. It gained Royal Assent on 30th August, 79 days after the accident.
[118] The rest of s.1(1)(c) is omitted as being irrelevant to this paper.
[119] See [Lessig] p64 and his discussion of CALEA on p63.
[120] The Railway Safety (Miscellaneous Provisions) Regulations 1997 (No. 553), specifically Regulation 5.
[121] Regulation 6 replaces the requirement on brakes in s.1(1)(c) of the 1889 Act.
[122] The Railway Safety Regulations 1999 (No. 2244).
[123] Specifically "Mark 1 rolling stock", defined as "rolling stock which has a structural underframe which provides its own longitudinal strength and has a passenger compartment created on the underframe which relies mainly on the underframe for its longitudinal strength" (the majority of such stock still in service at the time was of the British Rail Mark 1 design), and rolling stock with hinged doors unless they can be centrally locked.
[124] See Regulations 2(1) and 2(4) for the exact definition.
[125] See Annex A for details.
[126] 1876-01-21; see [RIAbbR].
[127] In those days white was used for "all clear" and green for "caution", rather than the present green and yellow respectively.
[128] Compare any use of law to cope with an unintended effect of technology, such as alterations to copyright laws following the invention of sound recording devices.
[129] 1946-01-01; see [RILich].
[130] He claimed it was green, as did other witnesses, but Lt.Col.Woodhouse, investigating officer, concluded that they were mistaken. See [RILich] p10 paras 24-27.
[131] 1977-09-05; see [RIFarn].
[132] The crossover gave access from Leeds into a siding. Both siding and crossover have since been removed for reasons unconnected with the accident.
[133] 2004-10-04. There is no formal report on this; my information comes from [Wobbly].
[134] 1967-03-05; see [RIConn].
[135] Private communication from a contemporary signalman.
[136] Offences Against the Person Act 1861, 24&25 Vict. c.100, s.34.
[137] R v Frost, [1969] Crim. L.R. 498.
[138] Several signalmen were fined or imprisoned in the 19th century for actions risking an accident. See for example [Kingsford] p18. For a 21st century instance of imprisonment for drunkenness on the job, see http://www.highbeam.com/doc/1P2-5319624.html
[140] Paradoxically, even though the railways are safer now than they ever have been, any report of an accident scares many people into using far more dangerous road transport.
[141] For example, the Road Vehicles (Construction and Use) Regulations 1986 (No.1078) and the MOT test.
[142] Private communication commenting on an earlier draft of this paper.
[143] Notably the thalidomide tragedy of 1961.
[144] Compare the discussion of Welwyn Control above, text relating to nn.63-67.
[145] See text relating to n.7.
[146] See text relating to n.102.
[147] If additional levers are added at the left-hand end, rather than renumber the entire frame they might be "numbered" 0, 00, and 000, or A to D, or X to Z, to avoid renumbering the entire frame.
[148] Technically the starting signal is the one giving permission to depart from the station. In most layouts this is also the section signal, but in some situations there may be separate starting and section signals, in which case the latter is also called the advanced starter.
[149] The exact naming varies both over the years and according to local circumstances. For example, if there are three home signals approaching a facing junction, they might be outer home, inner home, and directing homes.
[150] The term is a corruption of "distance signal".
[151] For historical reasons these latter are called "searchlight" signals.
[152] The use of the plural "points" is correct. A "point" consists of a fixed rail (the stock rail) and a tapered blade that moves up against it. Since there needs to be a point in each rail (except in very special situations) the total assembly is "a set of points" or "a pair of points".
[153] The official specification is 183m unless special circumstances apply.
[154] See http://www.fermit.org.uk/~awr/projects/aws_sunflower/ for an example image.
[155] 1.6 seconds for goods trains.
Directive 2004/49/EC of the European Parliament and of the Council of 29 April 2004 on safety on the Community's railways etc. (Railway Safety Directive); OJ L.220, 21.6.2004, p16.
Ministry of Transport Act 1919, 9&10 Geo.5 c.50.
Offences Against the Person Act 1861, 24&25 Vict. c.100.
Railway Regulation Act 1840, 3&4 Vict. c.97 (original text available online at http://www.railwaysarchive.co.uk/documents/HMG_Act_Reg1840.pdf).
Railway Regulation Act 1842, 5&6 Vict. c.55 (original text available online at http://www.railwaysarchive.co.uk/documents/HMG_ActRegulation1842.pdf).
Railway Regulation Act 1871, 34&35 Vict. c.78 (original text available online at http://www.railwaysarchive.co.uk/documents/HMG_ActRegulation1871.pdf).
Railway Safety (Miscellaneous Provisions) Regulations 1997 (No. 553).
Railway Safety Regulations 1999 (No. 2244).
Railways (Accident Investigation and Reporting) Regulations 2005 (No.1992).
Railways (Accident Investigation and Reporting) (Amendment) Regulations 2005 (No. 3261).
Railways and Transport Safety Act 2003 c.20.
Regulation of Railways Act 1889, 52&53 Vict. c.57 (original text available online at http://www.railwaysarchive.co.uk/documents/HMG_Act_Reg1889.pdf).
Road Vehicles (Construction and Use) Regulations 1986 (No.1078).
Godfrey v Demon, 1999 WL 33285490, [1999] E.M.L.R. 542, and [2001] QB 201.
Bunt v Tilley, [2006] EWHC 407 (QB).
R v Frost, [1969] Crim. L.R. 498.
R v Great Western Trains, unreported.
Note: all URLs, both here and in the main text, were successfully fetched on some date between 14th July and 19th August 2009.
S.Hall, Modern Signalling Handbook, pub. Ian Allan 1996, ISBN 0711024715 (Hall was formerly British Rail's chief safety officer).
L.Lewis and J.Fraser, Railway Signal Engineering (Mechanical), third edition pub. Constable 1932, reprinted P.Kay 1995, ISBN 1899890041.
G.Kitchenside and A.Williams, Two Centuries of Railway Signalling, pub. OPC 1998, ISBN 0860935418.
[Raynar] H.Raynar Wilson, Mechanical Railway Signalling, second edition, pub. by the publishers of Railway Engineer magazine 1904, reprinted P.Kay 1997.
[Tattersall] A.Tattersall (ed.), Railway Signalling and Communications, pub. St.Margarets Technical Press 1946, reprinted P.Kay 1998, ISBN 1899890246.
M.Vanns, Signalling in the Age of Steam, pub. Ian Allan 1995, ISBN 0711023506.
A fair amount about railway signalling, safety mechanisms, and causes of accidents and mishaps can be gleaned from autobiographies of railway signalmen.
H.Gasson, Signalling Days, pub. OPC Railprint 1989, ISBN 0860931188.
A.Vaughan, Signalman's Morning, pub. John Murray 1981, ISBN 0719538270.
A.Vaughan, Signalman's Twilight, pub. John Murray 1983, ISBN 0719539730.
A.Vaughan, Signalman's Nightmare, pub. John Murray 1987, ISBN 0719542855.
[Warland] J.Warland, Light Relief, pub. Patrick Stephens 1992, ISBN 185260381X.
[Req1] The first requirements of the Inspecting Officers of Railways, pub. Board of Trade 1858, available at http://www.railwaysarchive.co.uk/documents/BoT_Inspectors001.pdf
[Req2] Requirements for passenger lines and recommendations for goods lines of the Minister of Transport in regard to railway construction and operation, pub. HMSO 1950.
C.Atkin, A Significant Accident, pub. Upfront 2002, ISBN 1844260461 (specifically about [RIConn]).
[Hall] S.Hall, Railway Detectives (150 years of the Railway Inspectorate), pub. Ian Allan 1990, ISBN 0711019290.
O.S.Nock, Historic Railway Disasters, pub. Ian Allan 1987, ISBN 0711017522.
L.T.C.Rolt, Red For Danger, pub. David and Charles 1982, ISBN 0715383620 (often reckoned as "the" book on the subject).
J.Thomas, Gretna: Britain's worst railway disaster, pub. David and Charles 1969, ISBN 0715346458 (specifically about [RIQuin]).
A.Vaughan, Obstruction Danger, pub. Patrick Stephens 1989, ISBN 1852600551.
A.Vaughan, Tracks to Disaster, pub. Ian Allan 2000, ISBN 0711027315.
More recent accident reports are published by HMSO, while older ones were published in the form of an annual return from the Board of Trade. All these reports are available online at the Railways Archive web site, together with a summary page for each accident.
[RIAbbR] Collision at Abbots Ripton, 1876-01-21, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=47; formal report at http://www.railwaysarchive.co.uk/documents/BoT_AbbottsRipton1876.pdf; 37 pages.
[RIAber] Collision between Abermule and Newtown, 1921-01-26, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=89; formal report at http://www.railwaysarchive.co.uk/documents/BoT_Abermule1921.pdf; 28 pages.
[RIArm] Collision near Armagh, 1889-06-12, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=56, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Armagh1889.pdf; 18 pages.
[RIBrick] Derailment at Bricklayers Arms Junction, 1855-12-07, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=2096, formal report at http://www.railwaysarchive.co.uk/documents/BoT_BricklayersArms1855.pdf; 9 pages.
[RIBrock] Collision at Brockley Whins, 1870-12-29, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=38, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Brockley1870.pdf; 6 pages.
[RIBrun] Collision at Brunton Lane Level Crossing, 1983-03-22, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=384, formal report at http://www.railwaysarchive.co.uk/documents/MoT_BruntonLane1983.pdf; 18 pages.
[RIClay] Accident at Clayton Tunnel, 1861-08-25; summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=24, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Clayton1861.pdf; 10 pages.
[RIConn] Derailment at Connington South, 1967-03-05; summary at http://www.railwaysarchive.co.uk/docSummary.php?docID=415, formal report at http://www.railwaysarchive.co.uk/documents/MoT_Connington1967.pdf; 10 pages.
[RIFarn] Collision at Farnley Junction, Leeds, 1977-09-05, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=650; formal report at http://www.railwaysarchive.co.uk/documents/DoT_Farnley1977.pdf; 22 pages.
[RIHat] Collision at Hatfield, 1867-04-07, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=2829, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Hatfield1867.pdf; 2 pages.
[RIHawes] Collision near Hawes Junction, 1910-12-24, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=78, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Hawes1910.pdf; 40 pages.
[RILich] Collision at Lichfield, 1946-01-01, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=896; formal report at http://www.railwaysarchive.co.uk/documents/MoT_Lichfield1946.pdf; 12 pages.
[RIManor] Collision at Manor House near Thirsk, 1892-11-02, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=60, formal report at http://www.railwaysarchive.co.uk/documents/BoT_ManorHouse1892.pdf; 17 pages.
[RINorF] Collision at Norton Fitzwarren, 1890-11-11, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=5662, formal report at http://www.railwaysarchive.co.uk/documents/BoT_NortonFitzwarren1890.pdf; 4 pages.
[RINorw] Collision near Norwich, 1874-09-10, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=45; official report at http://www.railwaysarchive.co.uk/documents/BoT_Norwich1874.pdf; 22 pages.
[RIQuin] Collision at Quintinshill, 1915-05-22, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=85, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Quin1915.pdf; 28 pages.
[RIStaple] Accident at Staplehurst, 1865-06-09, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=31, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Staple1865.pdf; 4 pages.
[RIStraff] Accident at Straffan, 1865-10-05, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=19, formal report not available.
[RITay] Fall of a portion of the Tay Bridge, 1879-12-28, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=50, formal report at http://www.railwaysarchive.co.uk/documents/BoT_TayInquiry1880.pdf; 51 pages.
[RIWalJ1] Collision at Walton Junction, 1862-01-01, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=2523, formal report not available, but see references in [RIWalJ2].
[RIWalJ2] Derailment at Walton Junction, 1867-06-29, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=2845, formal report at http://www.railwaysarchive.co.uk/documents/BoT_WaltonJunction1867.pdf; 4 pages.
[RIWel] Collision at Welwyn Garden City, 1935-06-15, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=102, formal report at http://www.railwaysarchive.co.uk/documents/BoT_Welwyn1935.pdf; 24 pages.
[Uff] Collision at Southall, 1997-09-19, summary at http://www.railwaysarchive.co.uk/eventsummary.php?eventID=141; the formal report is: Professor John Uff, The Southall Rail Accident Enquiry Report, pub. HMSO 2000, ISBN 0717617572, 312 pages, available online at http://www.railwaysarchive.co.uk/documents/HSE_Southall1997.pdf
[Arnold] A.J.Arnold and S.McCartney, George Hudson: the rise and fall of the railway king, a study in Victorian entrepreneurship, pub. Hambledon & London 2004, ISBN 1852854014.
[Beaumont] R.Beaumont, The railway king : a biography of George Hudson, railway pioneer and fraudster, pub. Review 2002, ISBN 0747232350.
[Kingsford] P.W.Kingsford, Victorian Railwaymen: Emergence and Growth of Railway Labour, 1830-70, pub. Routledge 1970, ISBN 0714613312.
[Peters] W.Peters, Railway Dangers; and how to avoid them, pub. Effingham Wilson, Royal Exchange 1853, available online at http://www.railwaysarchive.co.uk/documents/Peters_RailwayDangers1853.pdf
[Wobbly] "Wobbly Bob", Signals chaos delays commuters, Usenet posting to uk.railway on 2004-10-07; message ID <4165C013.1090202@btinternet.com>, available online at http://groups.google.com/group/uk.railway/msg/c8af922cb61654cc
[Christian] L.Christian, Rail crash litigation - Southall and Ladbroke Grove, J.P.I. Law 2001, 4, 339-355.
[Edwards] L.Edwards & C.Waelde (eds), Law and the Internet, pub. Hart 2000, ISBN 1841131415 (2nd edition) and 2009, ISBN 1841138150 (3rd edition).
[Gault] I.Gault & R.McGrane, Corporate manslaughter in major disasters, I.C.C.L.R. 1991, 2(5), 166-171.
[Johnson] D.Johnson & D.Post, Law and Borders - the Rise of Law in Cyberspace, S.L.R. 1996, 48(5), 1367-1402.
[Lessig] L.Lessig, Code, version 2.0, pub. Basic Books 2006, ISBN 0465039146, available online at http://pdf.codev2.cc/Lessig-Codev2.pdf; note that references are to the book page number and not the PDF page number (which is 15 greater).
[Schafer] B.Schafer & N.Gervassis, How to Derive an "Ought" from a "Can't": Virtual Laws, Artificial Societes and the Idea of Designing out Crime in Cyberspace in R. Polčák, M. Škop, & P. Hrnčíř (ed) Cyberspace 2004: Normative Framework, pub. Masarykova Univerzita 2005, ISBN 8021036907.
[Clayton] R.Clayton, Anonymity and traceability in cyberspace, University of Cambridge Computer Laboratory Technical Report 653 (2005), ISSN 1476-2986, available at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-653.pdf
[Newman] O.Newman, Defensible Space; Crime Prevention Through Urban Design, pub. Macmillan 1973, ISBN 0020007507.
[Pterry] T.Pratchett, Going Postal, pub.Doubleday 2004, ISBN 0385603428.
[Standage] T.Standage, The Victorian Internet, pub. Weidenfeld & Nicolson 1998, ISBN 0297841483.
Back to the LL.M. index.
To my other legal topics index.
Back to Clive's home page.