90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-041
Mining · Australia · 2015 · Unconstrained / manipulated action

An autonomous mine truck was cleared to drive a path no one had marked on the ground, and it hit a manned water cart

By Ellie Harris · Filed Date not disclosed; report approved for release 11 August 2015

Alleged: Operator not named (WA Mines Safety Significant Incident Report No. 226) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

An autonomous mine truck was cleared to drive a path no one had marked on the ground, and it hit a manned water cart

What happened

On a night shift at a Western Australian open-pit mine, autonomous haul trucks were moving mine waste. A control-room operator directed one of them to turn right at an intersection and run a loop so it could be positioned under an excavator on the pit floor. The turn and the loop existed in the autonomous fleet’s control system, the digital map the trucks drive by. They did not exist on the ground in any form a person could see: the intersection was not signposted and not marked, and its intended use had not been communicated to those operating manually controlled vehicles nearby.

A manned water cart was coming the other way. The driver did not know the autonomous truck had been assigned to turn across the road. By the time the driver recognised what was happening and tried to take evasive action, it was too late. The truck, travelling at about 40 km/h, could not stop in time, and the two vehicles collided. The autonomous truck was significantly damaged and the water-cart driver received minor injuries.

Western Australia’s mining safety regulator set out the causes in Significant Incident Report No. 226, approved for release by the State Mining Engineer on 11 August 2015. The direct causes were that the two vehicles’ paths crossed, that the turnaround loop had been released for use in the control system while the matching intersection was not delineated on the ground or its intended use communicated, and that the autonomous truck’s speed and response time meant it could not avoid the collision once the water cart was in its path. The contributing causes were an inadequate process for planning and assigning roads in the control system, and an in-cab awareness system that, on the night, did not leave the water-cart driver fully aware of the truck’s intended path.

What an auditable version would have shown

The question after a collision like this is narrow: what change put the truck on that path, who released it, and what safety checks were tied to that release. The gap was that a road could be made live in the autonomous system without a recorded link to the physical controls (signage, ground marking, crew notification) that make it safe for shared use. An auditable version records each change to the autonomous fleet’s drivable network as a signed event: the road or loop released, who authorised it, and the confirmation that the corresponding ground delineation and crew communication were in place before trucks could use it. With that record, a route released without its safety prerequisites is visible as incomplete before a truck ever drives it, rather than after a water cart is in the way.

Where the gap was

The autonomous system did exactly what it was told. The failure was that what it was told to do had been authorised in software without the conditions that make the action safe in the physical world, and nothing held the one to the other. An autonomous machine sharing ground with people needs a hard constraint: it does not operate a route until that route has been verified safe for mixed traffic and that verification is recorded. A ConstraintGate is that control, refusing or holding an assigned path that has not cleared its physical-safety prerequisites. A ConductRecord preserves the change and its sign-off, so an operator can show that a road was released only after delineation and communication were confirmed, rather than discovering the omission in an incident report. The principle is the same one that governs any autonomous actor: a high-consequence action proceeds only inside conditions that have been verified, and the verification leaves a record.

What governance should have looked like

Autonomous haulage removes the driver, but it does not remove the need to coordinate with the people still on the ground. The lesson of this incident is that the digital permission to drive a path and the physical safety of that path are two different things, and that letting the first run ahead of the second is how an autonomous truck ends up crossing in front of a crewed vehicle that never knew it was coming. The control is to bind the change to its safeguards: no route goes live for autonomous use until its ground marking and crew notification are confirmed, the autonomous system is constrained from operating routes that have not cleared that check, and the whole change is recorded and signed so responsibility is legible afterwards. Those are ordinary change-management disciplines, applied to a machine that will follow an unsafe instruction perfectly.

The reference implementation of ConstraintGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Operator not named (WA Mines Safety Significant Incident Report No. 226) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →