Paper - International Rail Safety Conference
advertisement
Theme: Safety Management in a Changing World Abstract The author will describe, from the perspective of a recently retired Director of Rail Investigations, how Canadian railway safety management has changed over the last twelve years. Issues covered will include changes to the regulatory, industry and investigative environment and use examples of accidents investigated to highlight problems encountered during the author’s time working at the Transportation Safety Board of Canada. The issues presented will be used to draw conclusions, with lessons learned, which can perhaps have some application in other countries. Acknowledgements The author would like to thank Terry Burtch for his valuable input during the preparation of this report. Reflections on a Career in Rail Safety at the TSB A. Introduction My career in rail safety in the Canadian government started in 1985 and spanned 24 years. In 1998, after 13 years in government in the rail safety regulatory area, I was appointed to the position of Director, Rail and Pipeline Investigations at the TSB, where I remained until my retirement from the federal government in June of 2009. During that time, I was involved in approximately 180 Board investigations. The purpose of this paper is firstly to describe the general Canadian rail safety environment from my perspective at the TSB. Secondly, I will outline issues identified in selected investigations where Safety Management Systems were related to the accidents. Conclusions will be drawn, along with some reflections, on lessons learned from these investigations. B. General Observations 1. The Railway Industry. In 1998 the situation in Canada was as follows: there had been a liberalizing of transportation legislation, commencing in 1967 which continued right through to the 1990s. The rail industry was considered mature and therefore able to manage its operations, including safety, with less and less regulatory input or monitoring. This was reflected in the Railway Safety Act of 1989. In 1990, the Canadian Transportation Safety Board, or TSB, came into being, creating a multi-modal independent accident investigation agency. During the 1990s, relations between industry, the federal regulator and the TSB were all cordial. However, this relationship has become somewhat less cordial. The overall level of safety had been relatively stable, with a total of 1075 reportable accidents in 2008 versus 1143 in 1998. These figures include 214 crossing accidents in 2008 versus 275 in 1998. Canadian railways are primarily freight operations and are vertically integrated, with few exceptions, i.e. almost all operating companies own the track over which they operate. This contrasts with Europe, for example, but is the norm in North America. In terms of traffic movement, the North American Free Trade Agreement came into effect in 1994, which led to a major reorientation from primarily east-west rail traffic in Canada to primarily north-south. In 1996, the government-owned Canadian National Railway (CN) was privatized and it has become a very successful business operation. In terms of technological changes since 1998, there have been substantial improvements in all areas of train operations. For example, there have been major advances in wayside rolling stock inspection systems. CN has hot bearing detectors all linked into a monitoring system so that trends in heat signatures from detector to detector can be monitored to identify potentials for bearing failure. Electronic train braking systems are now being tested on freight trains and appear to offer a strong economic and safety benefit in the medium and long term. Freight train handling systems are also being developed, such as New York Air Brake’s LEADER system now under test in the USA. In the area of corporate safety culture, some Canadian railways still adhere to the approach where, once an accident occurs, the first reaction is to fire someone. Additionally, there are cases where the reward system for operations supervisors is that, the fewer accidents occurring on their territory, the greater their performance bonuses. This seems like a sensible approach, but it can result in the under-reporting of accidents, particularly the easily-overlooked minor ones. 2. The Regulator In 1997, after a series of major rail accidents, the Railway Safety Act underwent a review. As a result of one of the recommendations of the review, Transport Canada’s (TC) Safety Management System (SMS) regulations came into effect in 2001, requiring federally incorporated companies to file safety management plans with the regulator and to be accountable for the execution of the plans. According to information on the TC regulations, a railway company shall implement and maintain a safety management system that includes, at a minimum, 12 components, including a company policy, performance targets, accountabilities, employee participation, regulations and rules, risk control processes, accident reporting and analysis, safety data management systems, internal audit and monitoring systems.: Since 2004, several TSB investigations have identified issues with the application of SMS. Under the regulations, railways are expected to do a thorough risk analysis when introducing new operations and when significantly changing existing operations. In order for an SMS to work effectively in a company, the organizational safety culture has to be robust and pervasive throughout the organization. Several TSB investigations, described below, have revealed this not always to be the case. More recently, following some major derailments, primarily in western Canada in 2005 and 2006, the Canadian government created a panel to review the Railway Safety Act. The resulting report made 56 recommendations, including eight on safety management systems and seven on data collection and reporting. They also recommended an increase in the number of inspectors and auditors in Transport Canada. All recommendations were accepted by the Minister of Transport. Ideally, this means the level of safety monitoring will improve. However, Transport Canada’s organizational structure allows its five regional offices to operate their programs autonomously. They are not accountable to Rail Safety headquarters for delivery of the headquarters’ designed inspection programs. This has been perceived as a problem by some industry and some Transport Canada and TSB managers, both from the point of view of overall consistency and focus of the SMS and inspection programs. 3. Investigation Agency The Transportation Safety Board of Canada, or TSB, came into being in 1990 and is a multi-modal, independent, government agency with the sole mandate of investigating transportation occurrences. It is no fault, no blame and its recommendations are not binding. Prior to 2000, the TSB separated data collection, i.e. investigation in the field, from safety deficiency analysis. Since 2000, there was a revision to the way the TSB has done investigations in all its modes. TSB commenced the use of the Integrated Safety Investigation Methodology (ISIM, see Figure 1). The intent of ISIM is to integrate the generally recognized best practices to follow during an investigation. It incorporates safety deficiency analysis into the investigation process, commencing with the assessment of the initial occurrence notification all the way through to the effective communication of the identified risks to those who can influence the necessary change. Accident 1 2 Occ. Occ.Assessment Assessment 3 Occ. Occ.Events Events Integrated Safety Investigation Methodology (ISIM) Model Data DataCollection Collection Accident Sequence of Events Integrated Investigation Process 4 Unsafe Unsafe Acts/ Acts/ Conditions Conditions Integrated Investigation Process Underlying Underlying Factors Factors Risk Assessment Process 5 Assessed Assessed Risk Risk Defence (Barrier) Analysis Process 6 7 Safety Safety Deficiencies Deficiencies Risk Control Options Analysis Process Risk Risk Control Control Options Options 8 Safety SafetyCommunication Communication Figure 1 ISIM Model In the Rail Branch, the initial notification call comes in to a 24 hour “hot line”. The information is assessed by the on-duty technical coordinator who will decide whether or not to call the responsible manager. If it is decided to deploy investigators, the coordinator will call the investigators and they deploy immediately. Once on site, they assess the situation and call their manager to advise and discuss. If the accident is of major or national, significance, the Director of Investigations will be advised immediately, at any time of the day or night. About one third of deployments result in the decision to do a full Board investigation. On site, the investigators collect pertinent data, including recording the site conditions, obtaining black box downloads and witness interviews. Physical data, such as broken rails or wheels, may be sent to the TSB’s Engineering Laboratory for analysis. The investigation team can be as small as two, or as many as ten, persons. They have specific tasks assigned, but work as a team, identifying significant safety events, unsafe acts, unsafe conditions and underlying factors in the accident. Safety defence barrier analysis is performed to determine systemic safety issues. During the investigation, the TSB will advise the regulator of any systemic problem identified, rather than wait until the formal publication of the Board report. In 1998, it was no t unusual to have a fourteen person team deploy for a major investigation. Over the last eleven years, the size of the teams for major investigations has tended to become smaller. This was done primarily for financial reasons, but has consistently proven to be as effective as the previous approach. Despite the smaller teams, experts from other divisions inside the TSB, or from universities and consultants, can be incorporated into the teams when required, to add needed expertise. Until around 2006, investigations progressed at a pace dependent on the team workload. Competing projects at the Laboratory and other delays could occur just from waiting for one critical piece of information to finalize a report. Since that time, the Board’s expectations have been that staff will produce reports with ever shorter time-lines. The performance of all three modal branches is assessed on this basis. While commendable in many ways, there has been a rushing-out of some final reports, with the result that (in the opinion of the author) there are more errors than has historically been the case. At other times, there is pressure to move other important investigations forward even though key information is still needed. On the other hand, a positive result of these pressures has been a re-thinking of the mix of investigations undertaken, with more crossing accidents, for example, now being investigated. This re-thinking of the mix of various types of report is refreshing as the focus has historically been on derailments, perhaps to the detriment of other types of accident. In any event, these timeliness pressures will continue in the future, as there is continuing Canadian government-wide demand for more departmental accountability and performance. C. Specific TSB Investigations As far as specific Board rail investigations are concerned, the following is a summary of four of the 180 or so investigations undertaken during my eleven years at the TSB. These investigations all have issues relate to safety management systems. The first investigation to be described was commenced in 1996, prior to my arrival at the TSB. It was a complex investigation, which was completed in 1999, one year after I started work as Director of Investigations.. 1. Quebec North Shore & Labrador Railway, 1996, Mai Station, Quebec. The Accident On the morning of 14 July 1996, Quebec North Shore and Labrador Railway (QNS&L) southward iron ore train 45 collided with stationary train 475 at Mile 131.68 of the Wacouna Subdivision in the province of Quebec. The last three wagons of the stationary train derailed and were extensively damaged. The locomotive of train 45 was extensively damaged and its locomotive engineer sustained minor injuries. The QNS&L is an iron ore railway whose main operations are over the 320 km of track between Carol Lake (Labrador City) in the province of Newfoundland and Labrador, and Sept Îles, in the province of Quebec. It carries around 17 million tonnes of iron ore over its tracks annually. Train 475, the train ahead of Train 45, had experienced an undesired emergency brake application and it had come to a stop with its tail end at Mile 131.68. The locomotive engineer contacted the rail traffic controller (RTC) by radio and advised him that train 475 had experienced an undesired emergency brake application and had stopped north of the north siding switch at Mai, Quebec. Train 45, crewed by a locomotive engineer, had departed Carol Lake, in Labrador, at 0650 and continued south towards Mai, which is a crew change point. At around 1030, the RTC contacted the locomotive engineer of train 45, which was then approximately 5.6 miles from the tail end of train 475, and advised him that train 475 was stopped in emergency just before Mai. Around Mile 131.79, as train 45 rounded a curve at 50 km/h, the locomotive engineer observed the rear of train 475 and initiated an emergency brake application. Thirteen seconds later, at approximately 1045, train 45 struck train 475, while travelling at approximately 30 km/h. The locomotive engineer of train 45 remained in the locomotive cab during the impact, taking cover behind the locomotive’s control stand. He sustained injuries to his left thigh, right knee and tail bone. The last wagon of train 475 was destroyed and the two wagons ahead of it were extensively damaged. The lead locomotive of train 45 was severely damaged The short hood of the locomotive was sheared off the frame and the cab was demolished, except for the small area encompassing the locomotive engineer's control stand, seat and right-hand side wall up to the bottom of the window ( Fig. 2) . The accident took place just two days after the railway had implemented one person operation of their trains. Previously, there had been three crew members: a locomotive engineer, a conductor and a brakeman. There had been only limited formal training of operating personnel before the change took effect. As part of the change to one person operations, the maximum hours of work were increased to 12 hours from 10 hours. The locomotive engineer of train 45 had operated trains north from Sept-Îles to Mai and Carol Lake alone, a total of 257 miles (414 km) and was nearing the end of his 133 mile (214 km) return trip from Carol Lake to Mai at the time of the occurrence. Collective Agreement On 11 July 1996, QNS&L and the United Transportation Union had signed a collective agreement that included provisions to operate selected trains with only one person in the operating cab of a locomotive and, in some cases, one-person crews. The following day, the railway began operating trains in accordance with that agreement. The agreement included the following changes: The number of hours an employee was required to work before exercising the right to request rest while en route was increased from 10 to 12. The number of hours rest an employee could book at an away from home terminal was reduced from 9 to 7. Employees in train service were permitted to request a 20 minute nap between their 10th and 12th hour on duty. They had to make a request to the RTC sufficiently in advance so as not to affect train traffic. To the extent possible, the RTC would authorize the employee to stop at the next station. Once the regulator, Transport Canada, became aware of the accident, an inspector immediately imposed a requirement for a minimum of two persons in the locomotive cab, as well as indicating that a formal request would have to be made by the company for exemptions to certain operating rules. Train Information The stationary train 475 consisted of 3 locomotives, 155 ore wagons loaded with iron ore pellets and 1 empty ore wagon at the rear end. The train weighed approximately 16,000 tonnes and was around 1,700m in length. It had been operated without incident between Carol Lake and Mai. Train 45 consisted of 2 locomotives, 15 loaded wagons and 41 empty cars. It weighed approximately 1,900 tonnes and was around 800m in length. It had been operated without incident between Carol Lake and the occurrence site. Board Findings In its findings, the Board determined that the collision occurred because the moving train was operated past a restrictive signal, at a speed at which the locomotive engineer was unable to stop short of the stationary equipment. The implementation of the major operational change to locomotive-engineer-only train operation without a comprehensive analysis of its impact and without the implementation of effective compensatory safety measures contributed to this occurrence. More details from the findings follow: 1. A restricting signal was disregarded and train 45 was operated at such a speed that the locomotive engineer was unable to stop short of the rear end of train 475 in the available sight-lines. 2. There was no other railway employee located in the cab to question the actions taken by the locomotive engineer of train 45 in operating his train at an excessive rate of speed. 3. There was no means of intervention associated with the centralized traffic control system capable of stopping or slowing a train. Furthermore, there was no associated warning system that would alert a locomotive engineer of the train's proximity to points of restriction or rolling stock. 4. The locomotive engineer of train 45 was predisposed to thinking that train 475 was further south than it actually was due to his belief that train 475 had experienced an undesired emergency brake application while preparing to stop for a crew change at Mai. 5. The possibility that fatigue may have contributed to the locomotive engineer's decision not to comply with the governing signal indication cannot be ignored. 6. Established verification procedures were not used to ensure that there was a clear understanding between the locomotive engineer of train 45 and the RTC as to the location of train 475, resulting from their conversation before the collision. 7. There is currently no established crew resource management program in use on the railway that would ensure that all persons involved are aware of the most upto-date, accurate information concerning the movement of trains and engines. 8. Locomotive-engineer-only train operations were implemented on the QNS&L without the benefit of a comprehensive analysis of the impact a further crew reduction would have on their operation and without the introduction of any countermeasures that would ensure an equivalent level of safety. 9. The provisions of Canadian Rail Operating Rule 106 that require the locomotive engineer to assume the responsibility of the conductor in his temporary absence were utilized by QNS&L in support of locomotive-engineer-only train operations. 10. Transport Canada's response to QNS&L's proposal to operate locomotiveengineer-only trains was interpreted as approval to begin locomotive-engineeronly train operations by QNS&L. 11. QNS&L was not aware of Transport Canada's expectation that they provide details of their plans to operate locomotive-engineer-only train after the completion of union negotiations. 12. There was no formal program specifying requirements for the frequency and methodology of supervisory activities for operating employees on QNS&L. 13. According to locomotive engineers interviewed, it was not generally known by supervisors that management expected them to meet on a regular basis and accompany each locomotive engineer on at least one trip a year. Safety Action Taken Shortly after the collision, the railway requested exemptions from specific operating rules to re-establish locomotive-engineer-only train operations. In its letter of reply, TC stipulated 13 specific safety-related conditions that had to be met before the exemptions could be granted. A working group was formed in late July, comprising TC staff, representatives of QNS&L and the United Transportation Union. As a result of intense group discussions, a consensus eventually resulted, mandating changes to the current operating practices to ensure that locomotive-engineer-only train operations would be at least as safe as an equivalent multi-employee operation. The railway met the conditions and the appropriate exemptions were granted on 24 April 1997. There were more than 65 improvements decided upon by the working group. Some of the more significant ones were: Proximity Detection Devices (PDD) were to be installed and operational on all lead locomotives, track units and on-track vehicles operating on the main track between Sept-Îles and Wabush Lake Junction. The only exception was in large track maintenance gangs where only the two machines or pieces of equipment at the extreme ends of the gang needed to be equipped. These PDDs were satellite controlled systems that applied a penalty brake to trains should the locomotive engineer not respond to alert signals of proximity to other equipment; the QNS&L must ensure that the passenger train crews are assigned and scheduled, and that all through freight trains are scheduled from Sept-Îles; no switching is to be carried out unless a second qualified employee assists; to facilitate napping, locomotives will be equipped with a napping radio channel, masks, timers for locomotive engineers, and reclining seats; locomotive engineers will receive 120 to 130 hours of training in train operations, simulator training, first-aid training, fire extinguisher training, proper interpretation and application of those rules affected by locomotive-engineer-only train operation, the proper use of the PDD system, and training in emergency procedures applicable to locomotive-engineer-only operations; rail traffic controllers will receive similar training to locomotive engineers regarding locomotive-engineer-only operation. TC has implemented a system to monitor the training program; there will be increased supervision of locomotive engineers; locomotive engineers must transmit on the standby channel of the train radio, in a clear and audible manner, the indication by name of each fixed signal they are required to identify; QNS&L will implement and maintain a system to record data related to the performance indicators and tracking The Railway Safety Act was amended in 1999 based on the results of reviews in 1994 and 1997. One of the key recommendations of its review in 1997 was to adopt a more modern regulatory regime by requiring the railway to implement safety management systems. The QNS&L accident and regulatory approach to resolving the safety issues played a significant part in the thinking relating to SMS. On March 31, 2001, Transport Canada’s SMS Regulations came into force. 2. 2003, McBride, British Columbia The Accident On 14 May 2003, an eastward freight train derailed two locomotives and five wagons loaded with lumber on a bridge near McBride, British Columbia. A fire ensued and the bridge, the two locomotives, including their event recorders, and the five wagons and their contents were destroyed. Both crew members were fatally injured. Early that morning, the train departed Prince George, British Columbia, destined for Edmonton, Alberta. The crew was to change at McBride, British Columbia, where a new crew was expecting the arrival of the train at around 1230, to take over operation. In prior communication with the rail traffic controller (RTC), they had determined that the train was operating approximately one hour late due to engine problems. Shortly after 1300, the conductor attempted to contact the train, but there was no response. He then called the RTC to determine what the further delay might be. The RTC had not heard from the crew since approximately 1140. He attempted to contact the train 12 times between 1323 and 1335, but received no response. The last confirmed location of the train was identified by a wayside inspection system at 1201:08. At 1339, the RTC called the Assistant Track Supervisor (ATS) on the Tete Jaune Subdivision and, at 1344, he called the Track Supervisor (TS) at Mile 56 on the adjacent Fraser Subdivision to request their assistance in locating the train. At 1354, the outgoing conductor at McBride and a track maintenance employee were sent by road to locate the train. The location of the train at the bridge at Mile 7.9 was apparent because of black smoke in the area. Road access to the bridge was not available; however, they were able to get within approximately 1 km, from which point the conductor walked westward to the east end of the bridge. He observed that the locomotives and a number of the cars were in the gully and on fire. The heat from the fire was so intense that access to the locomotives was impossible. The RTC was advised that two locomotives and several cars of lumber had derailed at the bridge at Mile 7.9 and were engulfed in flames. Police arrived at the scene at 1430 and ambulance and fire personnel arrived at the scene at approximately 1530. A helicopter arrived on site at 1550 and commenced dumping of water over the last derailed car to prevent the fire from spreading. The locomotive engineer and the conductor were fatally injured in the accident. The fire was contained within the immediate bridge area. The entire bridge, two locomotives, and five cars loaded with lumber were destroyed by fire. Several acres of the surrounding terrain were damaged by the fire and by the ensuing clean-up operation. The derailment site was subsequently restored to the satisfaction of environmental regulators. Train and Track Information The train was approximately 1,800 m in length, weighed about 8000 tonnes, and was powered by two locomotives. The train consisted of 85 freight wagons: 68 loads, 4 empties, and 13 residue tank cars. A timber trestle bridge was located across a dry gully at Mile 7.9. The track alignment on the bridge was tangent, with a 0.33 per cent ascending grade in the eastward direction. Sight-lines approaching the bridge from the west were approximately 640m. A track geometry car tested the track on 10 May 2003. There were no deficiencies detected at the bridge location. A rail flaw detection car had tested the rail for internal defects on 29 October 2002; no defects were found in the vicinity of the bridge. The track had last been inspected on 12 May 2003 by a supervisor riding in a hi-rail vehicle. No deficiencies were noted at the bridge. The investigation also determined that train crews and track maintenance personnel traversing the bridge in the days prior to the accident had observed no unusual conditions. The Bridge The bridge (Fig.3) was an open deck timber pile trestle comprised of 26 spans with a total length of 90m. The maximum height of the bridge was 8m. The bridge had been rebuilt in 1969. The properties of the timber used for the superstructure of the bridge followed the CN timber material specification for Douglas fir (larch). The substructure of the bridge consisted of 27 pile bents. The central bents (bents 8 to 20) had 6 piles and the remaining bents had 5 piles. The spans were constructed with eight stringers per span, which were bundled in two chords of four stringers each, centred under each rail. The bridge was built over a gully through an unstable ground area. There was no record of any bridge movement in recent years. Figure 3 Side Elevation of Bridge (not to scale) Examination of Wreckage The wreckage of the train was examined; there were no pre-derailment defects that may have contributed to the accident. Examination of samples of broken and sheared rail pieces found at the west end of the bridge indicated that the rail pieces broke as a result of instantaneous excessive stresses sustained during the derailment. No rail defects or signs of a progressive failure mechanism were found. Staff Changes From the mid-1990s until mid-2000, there had been four management changes in responsibilities for bridge inspection and maintenance in the area. These changes had resulted from reorganizations and workforce adjustments. Furthermore, there were personnel changes involving both the Planning & Inspection Engineer and the Bridges & Structures Supervisor positions, which had, at differing times, the responsibility for bridges and structures on the line. In addition to these supervisory changes, between the time that the 1999 detailed inspection was carried out on the bridge at Mile 7.9 and the time that bridge repairs were made between 2001 and 2002, as many as five different foremen had worked on the bridge. At the time of the occurrence, the Planning & Inspection Engineer in the Pacific Region was responsible for inspecting and planning required maintenance work for approximately 600 steel and concrete bridges, 550 timber bridges, and over 10 000 culverts. Bridge Inspections The bridge at Mile 7.9 was visually inspected in 1998, 1999, 2000, and 2002. There was no visual inspection performed in 2001. Cursory inspections were also performed, but these were not documented. Following the 1999 (July 23) visual inspection, a detailed inspection was recommended and was carried out between 31 July and 02 August 1999. The inspectors prepared a summary report with these indications: Various components were identified as reject, but Cap 15 was assessed as "possibly reject" due to nine inches (22.5cm) of internal rot on its north side. There was one reject pile at bent 10. A detailed inspection, including drill testing of the main components of the bridge (deck, stringers, caps, and piles) was performed between 31 July and 02 August 1999. The drilling details were reported on separate forms as specified in the railway’s training guide. According to the Board report, the urgency and severity of the defects was never fully recognized after the detailed inspection, and maintenance work on the bridge was not given a high priority, because: The planning undertaken in 2000 and 2001 did not accurately reflect the defects identified in the 1999 drilling report. In 2000, the planned work was not performed, nor was any precautionary measure taken to ensure the safety of the bridge. The work planned in 2001 was partially completed. No measures were taken to ensure that the work not completed was rescheduled. Cap 15, which was planned for replacement in 2001, was not replaced in that year nor when the repair crew returned in 2002. The failure to identify the urgency and the severity of the condition of the bridge was not recognized, despite subsequent inspections, because of shortcomings in the inspection, assessment, planning, and maintenance processes. These processes rely on the adequacy of, and compliance with, safety standards and procedures. Several shortcomings associated with the conduct of inspections and quality assurance, and pressures created by workload and job transitions were identified. Board Findings Some of the Board findings were: 1. It is most likely that Cap 15 crushed under the weight of the lead locomotive when its bearing capacity was exceeded, leading to the bridge caving in and the subsequent derailment. 2. As the load shared by stringers 5 and 6 of span 15 was increased due to the internal rot of the adjacent stringers, the reaction load transferred to Cap 15 was concentrated over a smaller area, thus exerting increased stresses over the existing void in Cap 15. 3. The condition of Cap 15, identified as reject in the 1999 detailed report, was not reflected in subsequent inspection reports. Therefore, its continuing deterioration was not reassessed. 4. The failure to identify the urgency and the severity of the condition of the bridge was not recognized, despite subsequent inspections, because of shortcomings in the inspection, assessment, planning, and maintenance processes. 5. As a result of heavy workload, and overlapping duties during job transitions, the Planning and Inspection (P & I) Engineer relied on the inspectors' overall assessments and most recent visual inspection reports, which did not indicate any deficiencies on the bridge. Therefore, the severity and urgency of the condition that was identified in 1999 was not recognized. 6. Even though Canadian National (CN) Standard Practice Circulars (SPCs) acknowledge the use of occasional audits to ensure the quality of work of inspectors and their immediate supervisors, the audits that were carried out were not effective. 7. Because there was no Transport Canada (TC) audit of work procedures, there was no opportunity to identify the deficiencies associated with such bridge inspection and maintenance procedures. As a result of heavy workload, overlaps of duties during job transitions, and reliance on overall system assessments, the severity and urgency of the condition that was identified in 1999 was not recognized, and the continuing deterioration was therefore not reassessed. This was the first time that TSB had identified an issue related to the imperfect functioning of an SMS, in that there were deficiencies in record keeping by the railway and lack of audit follow-up by the regulator. The railway company raised vigorous objections to the Board’s findings, submitting numerous consultants’ reports suggesting that the cause was a broken rail. However, based on an expert consultant’s assessment of the Board’s most likely scenario compared with the railway’s scenario, the Board found that it was far more likely that the nonrepaired bridge structural components had led to the bridge collapse. The Board made two recommendations: Canadian National verify the condition of its timber bridges and ensure their continued safety with effective inspection and maintenance programs; and that Transport Canada incorporate in its compliance reviews a comparison of railway working procedures and practices with railway inspection and maintenance records. Safety Action In response, the railway advised that, as of April 2004, all timber bridges had been inspected in full compliance with CN Standard Practice Circular 4000, Inspection of Steel, Timber and Concrete Bridges, and that Bridge Summary Reports (five-year plans), identifying required repair and maintenance activities, were current. TC revised its existing inspection and monitoring programs to integrate monitoring and inspection activities of railway infrastructure, equipment, and operations into its assessments of SMS. 3. 2006 White Pass &Yukon Route runaway train and derailment. The Accident On September 3rd, 2006, a northbound White Pass and Yukon Route work train, consisting of one locomotive and eight loaded ballast wagons, ran uncontrolled down a steep grade and derailed the locomotive and the first six ballast wagons at near Log Cabin, British Columbia. One person was fatally injured and three others sustained serious injuries. The six derailed ballast wagons were destroyed (Fig. 4). Figure 4: Derailed Work Train WP&YR WP&YR is an excursion railway that extends 177 km between Skagway, Alaska and Whitehorse, Yukon. It is a “short line”, employing a maximum of 175 people in peak season with 150 in the United States and 25 in Canada. Despite this small size, it transported approximately 440,000 passengers between April 2006 and the end of September 2006 on its trains. There was no regular freight train service. The Canadian Subdivision begins at White Pass in British Columbia and extends 176km to Whitehorse, Yukon Territory. The Canadian Subdivision has a maximum authorized track speed of 32km/h. It is a narrow-gauge track with a maximum grade of 3.5 per cent and a minimum horizontal curvature radius of 97.5m. Between Log Cabin and Bennett, the track elevation drops 230m in about 11.2km. Work Train Operations For the first time, eight loaded ballast cars had been stationed together at Log Cabin. Before this particular work assignment, four ballast cars had typically been stationed together. The roadmaster expected all cars to be loaded to the top with ballast in accordance with regular practice. The ballast wagon load capacities were not known to the employees on site. None were stencilled with their maximum load capacities. Typically, only four loaded wagons were taken northward from Log Cabin. Where more than four loads were taken, additional locomotives and empty wagons were included in the train, which provided extra braking capacity. No train handling procedures were provided to work crews instructing them on safe train marshalling practices for mountain grade territory. Only three of the cars had had retainer pressure valves installed; two with four-position retainers and one with a three-position retainer. TSB estimated that each wagon was overloaded somewhere between 31 and 64 tonnes.. The Canadian Subdivision portion of the railway’s timetable did not provide any requirements concerning use of retainers on wagons. In addition, there were no special operating instructions or best practice guides provided to train crews when operating over sections of track with mountain grades. The single locomotive pulling the eight wagons had had a defective dynamic brake from the date of purchase. When used, only maximum braking effort was available. Because of the rapid build-up of dynamic brake effort that occurred each time dynamic braking was activated on this locomotive, the locomotive engineers avoided using it. In June 2003, TC had conducted a general verification audit. It concluded that WP&YR was in non-compliance with 2 of the 12 mandatory SMS components (Risk Management and Corrective Action Development) and gaps were noted in 9 of the remaining 10 components. A gap is a discrepancy between the process and what is actually occurring. TC concluded that this was a reasonable start but that additional work was required for an effective SMS. Safety Management System WP&YR's SMS submission to TC met the minimum requirements. However, the investigation determined that a number of the company’s safety management procedures and practices were deficient, for example: training of employees; maintenance of ballast cars and locomotives; use of locomotive event recorders; operating on mountain grades without specific train handling and marshalling instructions; loading of ballast cars; and communications between the dispatcher (rail traffic controller) and work train operations. Board Findings Some of the Board’s findings were 1. The overloaded work train derailed after it ran away down the steep mountain grade with its degraded brake system unable to control its speed. 2. The effective braking force of the locomotive brake system had been diminished by the effects of heat fade. 3. Each of the wagons was overloaded by somewhere between 30 and 67 tonnes 4. The overloaded condition of the wagons, the number of wagons marshalled in the train and the steep mountain grade worsened the effect of the already diminished braking capacity of the wagons. 5. Without comprehensive training material and well-established policies and procedures, training at WP&YR was not entirely effective. 6. Safety management on the WP&YR was not sufficiently developed to have ensured the progression of safety philosophy through to policies, procedures, and practices. Safety Action In June 2007, TC conducted an audit of WP&YR’s SMS. The audit made a number of findings, including: Risk assessments were not being carried out. WP&YR was in non-compliance with the Employee Minimum Qualification Standards. There was no documented process describing how the company carries out air brake tests and how it ensures compliance with the Railway Freight and Passenger Train Brake Rules. On 11 June 2007, TC issued a Notice to WP&YR concerning several hazards/conditions related to the reliance by the railway on employee familiarity to protect against each other on the main track. This reliance could result in an increased likelihood of a collision taking place between a train and maintenance-of-way forces, which might not be expecting the movement of a train or engine. This risk was greatly magnified by the lack of reliable radio communications. Several other communications were made to the railway relating to deficiencies in rolling stock loading and operations. 4. 2007 Non-Main Track Derailment, Prince George, British Columbia On the morning of August 4th, 2007, at Prince George South Yard, a remote control assignment, pulling 53 loaded wagons, ran away northbound, striking freight train M357, which was entering the north end of the yard. The assignment struck a gasoline tank car, derailing it as well as the next tank car ahead, another tank car of gasoline. Two locomotives, a slug unit and a loaded centre-beam flatcar in the remote control train, derailed. The subsequent fire destroyed the two tank cars, a lumber flatcar, as well as the two locomotives and slug unit of the remote control assignment. There were no injuries. Approximately 172 600 litres of fuel were spilled, most of which was consumed by fire. The assignment was operated by two management employees due to crew shortages. Prior to the accident, the operator had accelerated the assignment to 1.98 mph. He then placed the operator control unit (OCU), which is the remote control device, to position 7, accelerating to 5.71 mph, after which he reverted to position 4 with the train travelling at 6.93 mph. He then made a full independent brake application and detrained at a switch. While throwing the switch, he looked back and saw the train continuing to roll. At that time, the locomotive engineer on train M357 contacted the operator to advise that they were preparing to enter the yard. The operator responded that he had been in the stop position for ten car lengths but his train was still moving. The locomotive engineer on M357 stopped his train and attempted to apply some handbrakes on the yard assignment, but it collided with a carload of gasoline on his train at approximately 9 mph. The yard assignment derailed to the west side of the track, with locomotive CN 7222 ending on its side down the embankment by the Fraser River. The resulting derailment and fire is shown below (Fig. 5). Figure 5 Post-collision fire Photo 1 - Po The collision and subsequent derailment occurred at the crossover between the “pub” track and the “subdivision” track. The Fraser River runs along the west side of the tracks and there is an ascending slope adjacent to the tracks on the east side. When pulling cars from the north end to gain access to the classification yard, crews would encounter a grade which varied between 0.49 and 1.13 per cent, depending on how far down the pub track they had to travel. The average grade was approximately 0.70 per cent. The remote control operation on this track was protected by a point protection zone (PPZ) which, using signs, allowed operation without having an employee riding the point (front) of the movement. Anyone else wishing to access this area of the track would have to get permission from the yard crew before being able to do so. At approximately Mile 464.3 of the pub track, there was a crossover connecting it to the subdivision track. The track was in good condition. Locomotive and Car Equipment The yard assignment was pulled by two GP9RM locomotives and a slug unit 1 handling 53 loaded cars. The total tonnage was around 7000 tonnes and the length was 1350m . The cars were being pulled by remote-controlled locomotives using locomotive independent brakes only (the train air brake system was not normally charged during switching movements). An inspection of the equipment revealed no pre-derailment defects. Remote Control Operations Locomotive control systems in use in Canada provide railways with a method for operating yard locomotives using a remote control device. In the late 1980s, this technology was introduced in Canada and was approved by Transport Canada (TC) for yard switching and humping operations. Since its introduction, remote control systems have become the primary means for locomotive and train control in yard operations. With these operations, the operator uses an OCU, a three to five pound box attached to the operator’s safety vest, to remotely control the locomotives (Fig. 6). Radio commands transmitted by the OCU are received and processed by a computer onboard the locomotive. The OCU is equipped with a speed selector, a forward and reverse selector, and a brake selector that includes an emergency brake feature. 1 A yard slug, or booster unit, is a unit which provides tractive and braking effort when connected to a locomotive through electrical connections, although it has no diesel engine itself. Figure 6 Beltpack operator control unit The Prince George South Yard, north end, assignment typically classified cars and built trains, taking cuts of between 20 and 30 cars. In July 2007, an operational change was implemented whereby the north end assignment classified cars only and was instructed to begin handling longer cuts of cars to increase productivity. There was no maximum or minimum number of cars specified to crews at this time. Crews were expected to determine how to handle longer, heavier cuts of cars on their own without adding additional braking capacity by cutting-in the air brake systems of extra cars. CN conducted some testing with different lengths and tonnages of cuts of cars utilizing the operating crews on this assignment, but none of these tests were documented. The Remote Control Crew Although the duties of the remote control yard assignment were normally performed by operating employees, two management employees: the area superintendent and the senior engineering manager, were doing the work due to a shortage of staff. It was common practice for management employees to be assigned to operating positions at any time or location across the company’s network when there were shortages of regularly trained operating personnel. Although trained and qualified to perform the work, management employees could be tasked with working over unfamiliar territories or track, using skills they might not have employed for some time. Both employees had participated in trial runs, made when the operational change to handling longer/heavier cuts of cars was taking place. However, neither had actually used the OCU to control the speed and braking of the longer, heavier cuts of cars on the descending grade in that part of the yard. Although a risk assessment was in draft form, no operating procedures or special instructions had been issued. Work Pattern Both managers involved in this occurrence had worked approximately 60 hours in the previous five days in their respective management roles, prior to commencing the switching assignment on 04 August 2007. The managers had not had a full day off in over two weeks. Both worked a full day on August 03 in their supervisory capacities and were able to report for the yard assignment the following morning, rested. Risk Assessment Risk-assessment processes were enhanced by the railway as part of its implementation of a Safety Management System (SMS) and in compliance with the Canada Occupational Health and Safety Regulations. The railway company’s approach to risk assessment is that it is a distributed function, with all employees responsible for identifying risks at their working level with support provided by regional experts and the CN head office. These groups provide standards, guidance material, and training but do not normally provide a quality assurance function. Each manager or supervisor is responsible within their respective jurisdictions for taking action deemed necessary to ensure that work is performed by employees in a manner that minimizes risks. The railway’s Risk Assessment Protocol provided guidance on when different types of assessments should be conducted. This was in the form of a matrix, resulting in a choice between three levels of risk assessment: Level 1: No formal risk assessment required, but local officers to review hazards and consider control strategies (for example, safety briefings, safety flash, field monitoring, job aids, etc.). Level 2: Risk matrix (frequency/severity) required with risk-control strategy. Involvement of employees and/or health and safety committees required when appropriate. Level 3: Risk matrix and more elaborate hazard/risk assessment required. Involvement of employees, and/or health and safety committees and/or other employee representatives required when appropriate. On 03 August 2007, the day before the occurrence, CN assembled a team to perform a level 2 risk assessment on the remote control operation when “coupling to and pulling rail cars (loads and/or empties) from the Prince George South Yard northward for the purpose of switching trains.” The accident took place the morning after the risk assessment when the train was being controlled by the Superintendent. No controls had been put in place at that time. Board Findings Some of the Board’s Findings were that: 1. The collision occurred when the excessive tonnage of the 53 wagons and the descending track gradient of the pull-back track combined to exceed the braking capacity of the switching locomotives and the uncontrolled movement contacted the opposing train at the crossover. 2. The management employees operating the remote control switching assignment on the day of the occurrence were inadequately trained and had no experience switching long, heavy cuts of wagons on the pull-back track descending grade. 3. The risk assessment conducted immediately prior to the accident was inadequate to identify the hazards. 4. The lack of a formal quality assurance program to establish consistency in risk analyses increases the likelihood that the controls identified and implemented may not be sufficient to address the risks. In August 2007 Transport Canada ordered the railway company that, in the area where the derailment occurred, the railway must meet the following conditions: 1. The maximum number of wagons permitted to be handled is restricted to 30 loads or 40 wagons. 2. A sufficient number of wagons handled must have operative air brakes which will permit control of the movement. It was further ordered that remote control locomotive operators switching between these locations be properly trained, qualified, and familiar with the equipment and the territory over which they are operating. D. Discussion and Conclusions There has been significant change in the rail industry over the last eleven years in Canada, much of it positive. For example, railways are profitable despite a severe economic downturn, and the record shows that accidents are not increasing. However, while technology is moving forward, with many positive initiatives underway, it can be argued that there are ongoing deficiencies in the areas of corporate safety culture and in safety management systems application. The QNS&L working group’s 1997 results and the railway’s subsequent adoption of the 60 plus management changes constituted something of a prototype for at least part of an SMS process. The results of that company’s changes seem to have been positive, because one person freight train operations have been in place for over twelve years, with no similar accident having occurred on that line to date. This “prototype” of an SMS approach confirms that it is possible to do a comprehensive analysis of operations, set goals, have a safety plan, train employees, do risk analyses and monitor, among other things. However, the three other investigations described above all revealed SMS related issues. In the case of McBride, organizational changes, employee reductions and job reassignments led to loss of corporate knowledge, reduced communications, reduced risk awareness, changing accountabilities, as well as a situation of staff multi-tasking and a lack of good data management (record keeping). The WP&YR case demonstrates that, although the company had a fully documented SMS, there was a series of shortcomings in the way SMS was being implemented, including lack of training, weak internal audit and monitoring systems (there was evidence of insufficient documentation of equipment deficiencies as well as of maintenance) and poor risk control processes (for example, the lack of a formal risk assessment of taking a heavier than normal train, with a locomotive with a defective dynamic brake down a steep grade). In the final case, the Prince George yard derailment, a management decision was made to marshall longer trains without completion of a formal risk assessment, resulting in a serious accident and a post-crash fire. Both the McBride and the Prince George accidents demonstrate that, in times of change, even a good SMS can break down. As a postscript to this issue, the author attended a meeting of regulators, labour organizations and industry in January 2009, where an update was given on progress in the SMS area. The response from three different companies on how SMS was working is as follows: i. Company A: There was acceptance throughout the organization, from the top level of management right through to the front line operators. Training was complete, committees were working well and all was proceeding well. This good news was somewhat tempered by feedback from one of the union representatives present. He said that, although SMS had been working well, with strong front-line worker buy-in, the most recent round of job reductions had led the workers to be unsure on how their roles had changed vis-à-vis SMS and therefore the system was now suspect. ii. Company B: There was acceptance throughout the organization of the concept and functioning of SMS, with the sole exception of the front line operators. The company was working diligently on remedying this situation. iii. Company C: There was strong acceptance of the concept and approach at the highest managerial levels and at the front line. Unfortunately, line supervisors in the organization were resisting the concept. On the regulatory side, from some inspectors have not completely accepted the SMS audit concept, despite its having been in place for over eight years. Just as SMS concepts have to be accepted throughout a railway company’s organization, acceptance by those persons who audit and inspect is also required. One challenge, therefore, is how to ensure that acceptance. Does it mean a new kind of inspector / auditor is required, or does it simply require a change in current regulatory staff’s attitude or mindset? Perhaps the way forward is for the regulator to identify those companies with effective SMS’s to be identified and to present those examples to regulatory staff to get their full acceptance. Although SMS regulations have been in place for more than eight years, it is clear that SMS is not yet mature in the rail industry in Canada and it is still a work in progress. There is also an indication that some railway companies are not as mature as safety legislation has implied. The SMS concept requires strong corporate safety cultures throughout all railway companies. It also requires the regulator to have the capability to quickly identify, and to take strong remedial action against, those companies not applying SMS properly. E. Reflections Reflecting on the past eleven years, and 180 Board investigations, there has been only one major accident that occurred with unique circumstances in that time period. That is the McBride bridge collapse. On the other hand, some major derailments, such as the WP&YR, involving runaway trains and causing deaths, have occurred very seldom, but have always been recognized as having the potential to happen. These can be big news events, but both industry and government do expect them and therefore have a plan for handling them in terms of employee training and supervision, accident response and public response. At the other end of the spectrum, some types of accident occur relatively frequently. Safety action taken in these cases, if any, is normally limited and local. Rail yard derailments and collisions, such as the Prince George collision, fall into this category. McBride can perhaps be considered a situation which fits a recent concept known as a “Black Swan” event. These are events which are extreme outliers, are high-impact, hardto-predict, and rare events. They are beyond the realm of normal expectations as they are a perceived impossibility but they may actually come to pass. While the McBride bridge collapse was the first in many decades on a Canadian railway, it could be argued that, when multiple organizational changes and personnel changes take place over a short period of time, the probability of what might otherwise be considered a “Black Swan”, unexpected event, will increase. Finally, although I have had a very busy 11 years in investigations, with a maximum of ten relatively quiet days during that time, readers may be interested in this quote, which is food for thought for those in the safety business: When anyone asks me how I can best describe my experience in nearly forty years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like, but in my experience, I have never been in an accident of any sort worth speaking about. I have never seen but one vessel in distress in all my years at sea...I never saw a wreck and never have been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort. E.J. Smith, 1907 On April 14, 1912, RMS Titanic sank with the loss of 1500 lives - one of which was its captain - E.J. Smith References Transportation Safety Board of Canada, www.tsb.gc.ca: Rail Reflexions Magazine, Issue 17, Winter 2001 TSB Rail Investigation Report R96Q0050 TSB Rail Investigation Report R03V0083 TSB Rail Investigation Report R06V0183 TSB files: Rail Investigation Report R07V0213 (not available on website) Investigating for Organizational and Management Factors, TSB internal document, Joel Morley, February 2002 Marcel Ayeko, A/Director, Marine Investigations, TSB Steve Henderson, Research Analyst, Operations Services Branch, TSB Transport Canada website, www.tc.gc.ca Labrador West Official Website: www.labradorwest.com http://en.wikipedia.org/wiki/The_Black_Swan_(Taleb_book) Railway Association of Canada www.railcan.ca
