BHP derails runaway iron ore train

 
  YM-Mundrabilla Minister for Railways

Location: Mundrabilla but I'd rather be in Narvik
What's a relative ECP manual?
fzr560
The Instruction Book - to be consulted when all else has failed ............... Rolling Eyes

Sponsored advertisement

  potatoinmymouth Chief Commissioner

Better to spend a couple of hours well, pursuing logical trial and error, than to waste a couple of minutes reading the instructions. Wink
  BrentonGolding Chief Commissioner

Location: Maldon Junction
Better to spend a couple of hours well, pursuing logical trial and error, than to waste a couple of minutes reading the instructions. Wink
potatoinmymouth
Must have been a bloke driving Laughing. RTFM! (that's read the effin manual YM, sorry)

BG
  YM-Mundrabilla Minister for Railways

Location: Mundrabilla but I'd rather be in Narvik
Better to spend a couple of hours well, pursuing logical trial and error, than to waste a couple of minutes reading the instructions. Wink
Must have been a bloke driving Laughing. RTFM! (that's read the effin manual YM, sorry)

BG
BrentonGolding
Thank you BG for the explanation.
I rode an ore train from Redmont to Hedland years ago and there was a driver change enroute.
The difference in the train handling techniques between the two drivers was nothing short of incredible. Drivers and drovers, chalk and cheese, black and white had nothing on it.
This was before ECP brakes on BHP, of course (although FMG had them).
  M636C Minister for Railways

I don't think there is very much doubt as to what happened.

Given that the derailment was intentional, not much would be gained by investigating the derailment site.
The cause of derailment was well known. There wasn't much doubt as to why the train ran away, either.

The fact that the ECP brake application would release automatically after one hour was probably not well understood
The need to make a pneumatic application, not so much to do anything except to signal to the ECP system not to automatically release after one hour is not immediately obvious to someone who hasn't read up on the subject.

I expect that the separation of a connector is pretty uncommon, since the connectors were designed for general service wagons and locomotives where connection and disconnection would occur multiple times daily so in fixed rakes of iron ore wagons you would expect that they would stay connected.

It is likely that the driver in question had never experienced an ECP cable separation. In that case, it seems likely that he didn't know that the ECP brake application would release in an hour unless he made a pneumatic brake application, even if this was indicated in written instructions.

Had train control been familiar with an ECP line separation and the release after one hour, the controller should have told the driver to ensure that he had made a pneumatic application before leaving the locomotive.

Having read AAR S-4200, after one hour, the ECP cable shuts down as well as the application being released. This appears to be the real problem.

My interpretation of the train not being stopped by the ATP system is that the ATP gave a stop command to the inactive ECP system and it was not interfaced to the air brake system that was still fully operational on all 268 wagons and four locomotives.

This is the real problem.

The train could have been stopped one kilometre from the location it first stopped, at Garden South, the first signal location at 210km. Of course, the train might have passed that location before control were aware of the runaway, but there were plenty of locations where the ATP system might have stopped the train except that apparently the ATP system designers did not anticipate a train running with the ECP system turned off.

It will be interesting to see if this restriction is changed.

Since Rio Tinto had their In Cab Signalling System well before ECP brakes were introduced, their system would be interfaced with the air brakes and this should not be a problem for them.

Peter
  F4PhantomRAAF Locomotive Driver

Urgent Safety Bulletin Issued by ONRSR (Office of the National Rail Safety Regulator) to All Australian Operators:

BHP train derailment in the Pilbara sparks urgent alert over brake safety fears


"The regulator said it had found that in the event of a roll-away and the failure of the ECP system, the ATP system does not fall back on the mechanical pneumatic system. The alert orders all operators to check whether the 60-minute release system has been programmed into their ECP braking software."


And here is the alert from the horses mouth:

https://www.onrsr.com.au/__data/assets/pdf_file/0020/22475/Safety-Alert-RSA-2018-002-ECP-Braking.pdf
  M636C Minister for Railways

My reading of S-4200 suggests that any reduction in the train pipe pressure would signal to the ECP system that the emergency ECP application should not release after one hour. The ONRSR appears to suggest that the train pipe needed  "the air pressure within the braking system released to atmosphere"

Peter
  theanimal Chief Commissioner

And in the news today

https://www.abc.net.au/news/2019-01-10/bhp-driver-sacked-after-train-derailment/10705776


BHP has sacked the driver of a train which was deliberately derailed in Western Australia's remote Pilbara last year, carrying 30,000 tonnes of iron ore.
[color=#310099]The fully-laden train, pulling 268 carriages, was derailed[/color] early on November 5, about 120 kilometres south of Port Hedland.
While the driver was out of the cabin, the train took off and travelled more than 90km before being derailed from BHP's Integrated Remote Operations Centre in Perth, about 1,500km away.
The driver was notified of his dismissal in the week before Christmas.
It is understood the man has lodged an unfair dismissal claim.
BHP iron ore president Edgar Basto said in November initial findings had shown the train had stopped automatically after a braking system control cable became disconnected.
The driver was then asked to carry out an inspection, and the train started to move.
"Our initial findings show that the emergency brake for the entire train was not engaged as required by the relevant operating procedures," Mr Basto said at the time.
"The electric braking system that initially stopped the train automatically released after an hour while the driver was still outside.
"Due to integration failure of the backup braking system, it was not able to deploy successfully."
Mobile phone footage obtained by the ABC showed the twisted and mangled wreckage of the train lying strewn alongside the track.
Investigations by the ATSB and the Office of the National Rail Safety Regulator are continuing.
BHP has been contacted for comment regarding the unfair dismissal claim.
  justapassenger Chief Commissioner

Big call to make at a time when the investigations into the incident* are still ongoing.

Suspended on pay or redeployment to duties which are not safety critical would be better options. Fair call for him to challenge it.

* I prefer not to use the word 'accident' as most rail incidents are preventable.
  bingley hall Minister for Railways

Location: Last train to Skaville
* I prefer not to use the word 'accident' as most rail incidents are preventable.
justapassenger

As are most road crashes Razz
  justapassenger Chief Commissioner

* I prefer not to use the word 'accident' as most rail incidents are preventable.

As are most road crashes Razz
bingley hall
Quite so.

The decision to avoid the use of “accident” in relation to road crashes is where I took the lead from.
  Nightfire Minister for Railways

Location: Gippsland
* I prefer not to use the word 'accident' as most rail incidents are preventable.

As are most road crashes Razz
Quite so.

The decision to avoid the use of “accident” in relation to road crashes is where I took the lead from.
justapassenger
The term "accident" Is over used / miss used

Crash or collision better describes the situation.
  ANR Chief Train Controller

Brake integration failure would imply that some key component that should have been incorporated as a fail-safe was missing.... Surely this is not the driver....
  fzr560 Chief Train Controller

Brake integration failure would imply that some key component that should have been incorporated as a fail-safe was missing.... Surely this is not the driver....
ANR
Given the choice between blaming the driver for not following procedure, and admitting that their safeworking system was not as safe as it could be, which do you think BHP would choose?
  justapassenger Chief Commissioner
  M636C Minister for Railways

Fairfax has published more comments from the driver's lawyer

https://www.smh.com.au/business/companies/pretty-sh-y-christmas-derailed-train-driver-sues-bhp-over-sacking-20190110-p50qow.html
justapassenger
Certainly the NYAB driver's manual linked earlier in this thread does not appear to clearly state the problem of automatic release of an ECP emergency application after one hour.

It is fairly clear that the designers of the ATC elements of the signalling system did not envisage a train rolling with the ECP system shut down to preserve the batteries.

Had the "signals" at Garden South been set to danger and had the ATC worked, the train would have stopped after about one kilometre.

Ironically, the battery preservation feature is not needed on BHP's line, since all the locomotives are equipped for ECP.

It might be time to delete that routine from the software.

Peter
  justapassenger Chief Commissioner

Ironically, the battery preservation feature is not needed on BHP's line, since all the locomotives are equipped for ECP.

It might be time to delete that routine from the software.
M636C
Isn't the battery preservation routine still needed for the times that the power supply from the locomotive cuts out?

Finding a way to have it default to applying the brakes rather than releasing them would be the key to solving that.
  freightgate Minister for Railways

Location: Albury, New South Wales
The driver was dismissed prior to Christmas and has subsequently filed a claim against BHP for unfair dismissal.
  DBclass Chief Commissioner

Location: Western Australia
Does every driver get the sack when they make a mistake? If the train had of rolled and stopped in a valley would he still get the sack, or is just because it made a mess. I don’t really see the justification based on the consequense if that’s the case.
  M636C Minister for Railways

Ironically, the battery preservation feature is not needed on BHP's line, since all the locomotives are equipped for ECP.

It might be time to delete that routine from the software.
Isn't the battery preservation routine still needed for the times that the power supply from the locomotive cuts out?

Finding a way to have it default to applying the brakes rather than releasing them would be the key to solving that.
justapassenger
The ECP cable is two wires carrying 250 volts DC.
The ECP control signals are superimposed on the 250 v DC.
Loss of the 250 v means loss of the ECP control signal (which is what happened in the BHP incident when the cable parted.)

The batteries are indeed needed to apply the brake when 250 volts is lost, along with the control signal.
But they are not needed once the power is restored.
I believe the AAR standard was conceived around the need to move an ECP train with non ECP locomotives.
If the cable is connected correctly and an ECP locomotive is coupled to the train the batteries aren't needed (and will be recharged).

As to the later point about the driver making a mistake:
He only made a mistake if his instructions included the specific need to make a train pipe reduction after an ECP emergency application. If his training didn't cover this (as opposed to his being told but forgetting) he was not at fault.

It is clear that  the possibility of a train moving with the ECP system shut down was not considered as part of the ATC system.

Peter
  justapassenger Chief Commissioner

Ironically, the battery preservation feature is not needed on BHP's line, since all the locomotives are equipped for ECP.

It might be time to delete that routine from the software.
Isn't the battery preservation routine still needed for the times that the power supply from the locomotive cuts out?

Finding a way to have it default to applying the brakes rather than releasing them would be the key to solving that.
The ECP cable is two wires carrying 250 volts DC.
The ECP control signals are superimposed on the 250 v DC.
Loss of the 250 v means loss of the ECP control signal (which is what happened in the BHP incident when the cable parted.)

The batteries are indeed needed to apply the brake when 250 volts is lost, along with the control signal.
But they are not needed once the power is restored.
I believe the AAR standard was conceived around the need to move an ECP train with non ECP locomotives.
If the cable is connected correctly and an ECP locomotive is coupled to the train the batteries aren't needed (and will be recharged).
M636C
The problem is around what happens if the power from the loco is not restored before the batteries run low.

An improved version of the battery preservation routine is needed for those cases.
  M636C Minister for Railways

The problem is around what happens if the power from the loco is not restored before the batteries run low.
An improved version of the battery preservation routine is needed for those cases.

Without the 250 v DC, the brakes can't be applied or released.
The batteries are not needed for anything when the 250 v DC is present.

As I tried to explain above, the batteries apply the brakes in emergency on that part of the train disconnected from the 250 v DC.
They are also required for the brakes to operate with a non ECP locomotive.as normal Westinghouse brakes.

Since BHP don't ever require the vehicles to run in Westinghouse emulation mode since all of their locomotives have ECP brakes.

A complete train with flat batteries could run as normal, and charge the batteries at the same time.
Were a connector to separate before the batteries were charged, brakes would not apply automatically or manually beyond the separation point, either as ECP or air pipe reduction.

Peter

  theanimal Chief Commissioner

The driver was dismissed prior to Christmas and has subsequently filed a claim against BHP for unfair dismissal.
freightgate
Yes, and posted by myself 24 hours before your needless repetition, it is only 10 posts up, suggest you look.
  aussiealco Station Master

Location: Bathurst NSW
G'day,
One also wonders if Rio Tinto are now "quietly" looking at their ATP interface for their autonomous trains.
No driver to not apply Westinghouse over the top of ECP during an incident.
I remember back when QR were testing ATP on freighters.
Allowing the "black box" to control a train descending a hill approaching a crossing loop.
NO ECP brake system naturally, just good ole Westinghouse.
The train ran out of air due to the repeated applications and release in an attempt to control the train at nominal speed.
The boffins had to adjust the black box software a number of times.
I also remember the Hamersley Iron Epic brake system problems during initial introduction in the mid 1990s.
The "black box" suddenly putting the train into emergency, and locos needing to be exchanged as a result.
The only "black box" that I had to endure while driving trains was the 82 class computer.
The 81 class "black box" being very limited in capacity.
And, you could "tinker" with the module circuit board reset switches etc.
The 82 class black box created a number of problems, thankfully not in regard to braking.
To this day, I don't know what a Code 66 shut-down is, nobody at Ready Power could enlighten.
The last ditch resort of pulling the battery knife switch to reset the stupid computer did not work.
I discovered one night that if you need to isolate the Main Res tank on an 82 due to an air leak, you LOOSE the loco brakes.
Naturally within a multiple unit lash-up, so not a drama in that I had loco brakes functioning on the others, including lead unit.
Had the 82 class possessed a standard 26L control valve, then the loco brakes would have still functioned on that unit.
It was either continue with the loud air leak and possibly cooking the compressor, or isolate the main res and not have loco brakes on that unit.
A feed pipe had broken loose from the tank.
I had to laugh at the instructions issued to me; jam something into the air leak pipe.
Yeh right.
I utilize a computer every day, but I still DETEST the things.
Nothing will ever be perfect, and we just hafta put up with the occasional glitches.
Steve.
  RTT_Rules Dr Beeching

Location: Dubai UAE
Does every driver get the sack when they make a mistake? If the train had of rolled and stopped in a valley would he still get the sack, or is just because it made a mess. I don’t really see the justification based on the consequense if that’s the case.
DBclass
I saw a similar comment in LinkedIn, "should forgetfulness be enough for dismissal? Rather should we not be focused on prevention of re-occurrence?

Without commenting on the specifics for this incident as the details are obviously still not fully well known. My comment is this,
If converting a $20m train into scrap metal because someone forgot is not enough for dismissal, then what is? Do people need to be injured or die for there to be significant disciplinary action? I can tell you there are alot jobs we all do that if forgot something and we caused 1% of the damage we would be sacked. The question is, at what point do we accept accountability for the damage we caused such that its a deterrence to others to ensure they are more thoughtful?

Sponsored advertisement

Display from: