Railway Investigation Report R07V0213

The Transportation Safety Board of Canada (TSB) investigated this occurrence for the purpose of advancing transportation safety. It is not the function of the Board to assign fault or determine civil or criminal liability.

View document in PDF

You need a PDF reader to access this file. Find out more on our help page.

Non-Main-Track Collision
Canadian National Railway
Beltpack Assignment YPSS01-04
Mile 464.33, Chetwynd Subdivision
Prince George, British Columbia
04 August 2007

Summary

On Saturday 04 August 2007 at 1040 Pacific daylight time, the Prince George South Yard Beltpack ® assignment (YPSS01-04) was pulling 53 loaded cars from track PA02 at the north end of the yard. While attempting to clear the switch in order to access the classification tracks, the movement ran away northbound, striking Canadian National train M35761-30 which was entering the north end of the yard. The Beltpack movement struck a car load of gasoline, derailing it as well as the next car ahead, also a loaded car of gasoline. Two locomotives, a slug unit and a loaded centre beam flatcar in the yard consist, derailed. The subsequent fire destroyed the two tank cars, the centre beam flatcar, as well as the two locomotives and slug unit of the yard consist. There were no injuries. Approximately 172 600 litres of fuel (1600 litres of diesel and 171 000 litres of gasoline) were spilled. Most of the fuel was consumed by fire.

Ce rapport est également disponible en français.

Factual information

The Accident

On Saturday 04 August 2007 at approximately 1040 Pacific daylight timeFootnote 1 the 0700 BeltpackFootnote 2 yard assignment was working at the north end of the Prince George South Yard. The assignment was operated by two Canadian National (CN) management employees due to crew shortages. Figure 1 shows the yard layout.

Figure 1. Prince George Yard layout showing derailment location at Mile 464.3 and the bull switch at Mile 463.2

After waiting for another train to finish switching, the yard assignment went to track PA02 (arrival/departure track 3) to lift 53 of the 95 loaded cars in the track. The 95 cars were coupled onto and pulled northward. The movement was stopped and a cut was made behind the 53rd car, just clear of the switch. In order to access the classification yard, the movement then had to clear the "bull switch"Footnote 3 by moving approximately 12 car lengths further north.

Event recorder data indicated that the Beltpack operator placed the OCU (operator control unit) into throttle position 4 and accelerated to 1.98 ph. He then placed the OCU to position 7, accelerating to 5.71 ph, after which he reverted to position 4 with the train travelling at 6.93 ph. He then made a full independent brake application of 49.4 psi and detrained at the switch. While throwing the switch, he looked back and saw the train continuing to roll. At that time, the locomotive engineer on CN train M35761-30 (train M357) contacted the Beltpack operator to advise that they were preparing to enter the yard using the crossovers from the pub track to the subdivision track. The Beltpack operator responded that he had been in the stop position for ten car lengths but his train was still moving.

The locomotive engineer stopped his train and attempted to apply some handbrakes on the yard assignment, but it collided with the 13th car from the head end of train M357, a carload of gasoline, at approximately 9 ph. The resulting derailment and fire destroyed the yard locomotive consist as well as car AOK 21236, a centre beam flat car loaded with lumber, and cars AGCX 10203 and CGTX 40948, two loaded tank cars of gasoline on train M357. A third tank car loaded with diesel fuel (UN 1202) that was positioned immediately behind the two loaded cars of gasoline remained upright and was not involved in the fire.

Table 1 shows the sequence of events as recorded by the event recorder.

Table 1. Sequence of events just prior to, and including, the collision
Time Event
1013:37 Operator brings 95 cars to a stop and makes cut at 53rd car at PA02 switch
1013:39 Operator places unit to position 4 to begin northward movement with 53 loads
1014:51 Operator places unit to position 7, independent 0, speed 5.71 ph
1014:58 Operator places unit to position 4, independent 49.4 psi (full), speed 6.93 ph
1015:38 Operator places unit to "Stop", independent full, speed 7.46 ph
1017:27 Operator puts unit into "Emergency" independent full, speed 8.66 ph
1019:03 Yard movement collides with train M357 at a speed of 9.33 ph

Post-Accident Description

The collision and subsequent derailment occurred at the crossover between the "pub" track and the "subdivision" track. The Fraser River runs along the west side of the tracks and there is an ascending slope adjacent to the tracks on the east side.

The yard movement had contacted tank car AGCX  0203, a load of gasoline (UN 1203) on train M357, tearing a hole in the side of the car and igniting a fire (see Photo 1). A second carload of gasoline from train M357 also derailed and burned.

Photo 1. Post-collision fire

The yard movement derailed to the west side of the track, with locomotive CN 7222 ending on its side down the embankment by the Fraser River. CN 256, the yard slug, was derailed on its side to the west partially down the embankment, with locomotive CN 7043 derailed upright closer to the track. The carload of lumber was derailed and upright near the track.

Figure 2. Derailment schematic showing the derailed cars from the Belpack assignment and the derailed cars from Train M357

The tank car of gasoline had one set of trucks on the subdivision track and the other derailed on the crossover. Of the other two tank cars, PROX 40948, a load of gasoline, was derailed and leaning approximately 30 degrees to the east and CGTX 30666, a load of diesel (UN 1202), was upright and on the rails.

The track

When pulling cars from the A yard at the north end to gain access to the classification yard through the "bull switch", crews encounter a grade which varies between 0.49 and 1.13 per cent, depending on the number of cars being moved and how far down the pub track they have to travel. The average grade is approximately 0.70 per cent. The Beltpack operation on this track was protected by a point protection zone (PPZ) which, using signs, allowed operation without having an employee riding the point of the movement. Anyone else wishing to access this area of the track would have to get permission from the yard crew before being able to do so. At approximately Mile 464.3 of the pub track, there is a crossover connecting it to the subdivision track. The track was in good condition.

Locomotive and car equipment

The yard consist was pulled by two 1800 horsepower GP9RM locomotives and a slug unitFootnote 4 handling 53 loaded cars. The total tonnage was around 7000 tonnes and the length was 4410 feet. The cars were being pulled by Beltpack-controlled locomotives using locomotive independent brakes only (the train air brake system is not normally charged during switching movements). Maintenance and repair histories for both the locomotives and car equipment were checked and no anomalies were found. The tank cars were all 111A100W1 specification, low-pressure tank cars and an inspection of the equipment on site revealed no pre-derailment defects. Smoke emanated from the locomotives' wheels prior to impact, indicating that the brakes were being applied.

Beltpack operations

Beltpack and other equivalent technologies in use in Canada provide railways with a method for operating yard locomotives using a remote control device. In the late 1980's, this technology was introduced in Canada and was approved by Transport Canada (TC) for yard switching and humping operations. Since its introduction, remote control Beltpack-type systems have become the primary means for locomotive and train control in yard operations.

With Beltpack operations, the operator uses an OCU, a three to five pound box attached to the operator's safety vest, to remotely control the locomotives (See Photo 2). Radio commands transmitted by the OCU are received and processed by a computer onboard the locomotive. The Beltpack OCU is equipped with (but not limited to) a speed selector, a forward and reverse selector, and a brake selector that includes an emergency brake feature.

Photo 2. Beltpack operator control unit

In Canada, Beltpack operations are performed by two conductors usually positioned at each end of the movement, each one responsible for control of the movement. At other times, as in this occurrence, one Beltpack operator is solely responsible for the control of the movement, but is assisted by a helper in the performance of switching activities. This practice is accepted by both the railway and the regulator.

CN General Operating Instructions (GOI), section 6, governing Beltpack operations defines a Beltpack operator as an operating employee who through training, experience, and knowledge is qualified to perform switching operations and provide engine movement signals using the Beltpack technology.

YPSS01 operation

The 0700 Prince George South Yard north end assignment typically classified cars and built trains, taking cuts of between 20 and 30 cars. In July 2007, an operational change was implemented whereby the north end assignment classified cars only and was instructed to begin handling longer cuts of cars to increase productivity. There was no maximum or minimum number of cars specified to crews at this time. Crews were expected to determine how to handle longer, heavier cuts of cars on their own without adding additional braking capacity by cutting in the air brake systems of extra cars. CN conducted some testing with different lengths and tonnages of cuts of cars utilizing the operating crews on this assignment, but none of these tests were documented.

The Beltpack crew

Although the duties of Beltpack yard assignment YPSS01-04 are normally performed by operating employees, two management employees, the area superintendent and the senior engineering manager, were called in to do the work due to a shortage of staff on the day of the occurrence. The area superintendent operated the Beltpack unit to control the locomotives while the engineering manager's main functions were those of a yard helper, to line switches, couple and uncouple cars, and review switch lists.

Both management employees working the Beltpack assignment the day of the occurrence were familiar with the yard, had received training, and were considered qualified to do the work they were assigned (area superintendent as Beltpack operator and the senior engineering manager as yard helper). Although the area superintendent was formally trained and qualified in the operation of a Beltpack, his practical experience switching cars at this location was limited to two previous occasions for short periods of time and with fewer cars. The senior engineering manager had no experience with, nor was he trained or qualified to operate a Beltpack. He had, however, been given an introduction to the Beltpack unit, shown how to place the locomotives into emergency, and how the tilt featureFootnote 5 on the Beltpack unit operated.

It is common practice for CN management employees to be assigned to operating positions at any time or location across the company's network when there are shortages of regularly trained operating personnel. Although trained and qualified to perform the work, management employees may be tasked with working over unfamiliar territories or trackage, using skills they may not have employed for some time.

Both employees had participated in trial runs made when the operational change to handling longer/heavier cuts of cars was taking place. However, neither had actually used the Beltpack to control the speed and braking of the longer, heavier cuts of cars on the descending grade in the area of the occurrence. Although a risk assessment was in draft form, no operating procedures or special instructions had been issued.

Hours of service

Both managers involved in this occurrence had worked approximately 60 hours in the previous five days in their respective management roles prior to commencing the switching assignment on 04 August 2007. The managers had not had a full day off in over two weeks. Both worked a full day on August 03 in their supervisory capacities and were able to report for the 0700 yard assignment the following morning, rested.

The work/rest rules for rail operating employees approved by Transport Canada for federally-regulated railways and adopted by the Railway Association of Canada (RAC) and its member railways define the hours of work and rest for such persons. In compliance with subsection 6.1.1, CN has implemented its "Specific Fatigue Management Plan for Supervisors Performing the Duties of Operating Employees". Both TC O-050, section 5, subsection 5.1.7 and the CN fatigue management plan state "Where a supervisor, non-operating employee, or third party is deemed to be an operating employee, the on-duty times of the supervisor, non operating employee, or third party in the immediately preceding 24-hour period shall be taken into account in calculating maximum available on-duty time and mandatory off-duty times."

In addition, CN's fatigue management plan states that all supervisory time, "in addition to the time actually worked as an operating employee, is to be treated as on-duty time under the work/rest rules and must be taken into account when determining whether or not the supervisor has had sufficient rest under the rules, prior to performing the operating employee duties, and to determine the amount of time available under the maximum duty times (12, 16, 18, and 64/7 "clocks") to complete the operating employee duties." Both supervisors had obtained sufficient rest in the 24-hour period prior to the accident to reset the 12, 16, and 18 hour clocks. Regarding the 64/7 clock, their total time worked in the previous 7 days was not recorded and could not be accurately validated. TC regulations are silent on including all time worked in a supervisory capacity when calculating the maximum on-duty times for the established 64/7 limitations.

To assist supervisors in determining the amount of time they have available to work as an operating employee, CN has developed CoLog, a program designed to keep track of time spent working as an operating employee and time spent on supervisory activities in the 24 hours prior to working as an operating employee. It is each individual company officer's responsibility to maintain an up-to-date record of the appropriate hours required by the work/rest rules, with no exception. This applies to any supervisor who performs operating duties, regardless of the employing department.

The environment

Most of the 1600 litres of diesel and 171 000 litres of gasoline released from the derailed locomotive consist and tank cars were consumed in the fire; however, an undetermined amount seeped into the ground or flowed into the river. As a result of the collision and subsequent release of fuel, the British Columbia Ministry of Environment, on 17 August 2007, issued a Pollution Prevention Order which required that CN:

  • contain and collect hydrocarbons that enter the Fraser River;
  • monitor the site daily; and
  • retain a qualified professional to assess the extent of contamination and to develop a clean-up plan to prevent further release of contaminants into the Fraser River.

In response, CN retained a qualified company to develop an excavation, site assessment, and final remediation plan for the site. In order to attempt to capture any run-off to the Fraser River from the spill site, booms and hydrocarbon collection pads were deployed. Field inspections performed following the incident did not reveal much fuel being collected on the river. It was believed that fuel that was not burned by the fire was absorbed by the underlying soils and that surface run-off to the Fraser River was minimal.

The contractor retained by CN concentrated on remediation of the impacted soil. As part of the preliminary response work, two remedial excavations were completed at the end of August 2007, covering the area of the fuel release and down-slope to the shoreline of the Fraser River. In total, approximately 2000 m3 of soil was excavated and removed from the spill area for offsite remediation and disposal. Two sumps were installed to intercept residual light non-aqueous phase liquid (LNAPL) for potential manual recovery. Approximately 90 litres of LNAPL was manually recovered.

In November 2007, the contractor installed groundwater and soil vapour monitoring wells on benches down-slope of the tracks in order to delineate the extent of hydrocarbons in soil and groundwater. In July 2008, additional work was completed on the slopes to the north and south to further investigate the area. Preliminary results suggested that the extent of soil and groundwater contamination was adequately delineated and additional work over the next year would focus on developing and implementing remediation/management plans.

Hazard and risk analysis

"Hazard"Footnote 6 and "risk"Footnote 7 are words which are synonymous in common use but in safety management they have different meanings. A hazard can be identified as anything that may cause harm, such as working conditions or working situations; on the other hand, risk can be identified as the chance, high or low, that someone or something could be harmed by these or other hazards together with an indication of how serious ( high, medium, or low) that harm could be.

The aim of a "risk assessment"Footnote 8 is to identify the hazards associated with an activity, to assess the seriousness of these hazards and to formulate systems of work, training, or other methods (controls) to reduce the associated risks to a minimum or at least to an acceptable level. Risk assessment should be undertaken when any new work is being planned, when a significant change occurs to the job, after an incident, or at regular pre-determined intervals. The people that should be performing the assessment are individuals with a good working knowledge of the process at hand. These individuals should be supervisors and workers who are actively involved in the process as they would be the most familiar with the operation and the risks and they would also be aware of any new hazards that a change of process would yield.

An accepted method of performing a risk assessment is to:

  • establish the context which is an understanding of the end objective of the overall task;
  • identify hazards;
  • analyze the risks that may result because of the hazard by determining:
    • - the consequences (outcome of an incident);
    • - the exposure (interaction with hazard); and
    • - the probability (likelihood that consequences will occur once an individual is exposed);
  • evaluate the risks;
  • identify preventive measures;
  • record the assessment;
  • implement the control measures:
    • - by developing work procedures in relation to the new control measures, which may involve clearly defining responsibilities of management, supervisors, and workers.
    • - by informing all relevant persons about the control measures being implemented; in particular the reasons for changes.
    • - by providing adequate supervision to verify that the new control measures are being implemented and used correctly; and
    • - by verifying the control measures to ensure their effectiveness; and
  • review and monitor the risk to ensure all adequate controls are effective.

Hazard analysisFootnote 9 or assessment is one way to increase the knowledge of hazards in the workplace. One of the methods used to identify these hazards is to perform a job safety (hazard) analysisFootnote 10. This analysis should be undertaken where accidents occur frequently or when there are disabling injuries, newly established jobs, when jobs are being modified for any reason, or when jobs are performed on an infrequent basis. In this type of analysis, each basic step of the job is examined to identify potential hazards and to determine the safest manner to perform the job. The basic steps to be followed when performing this assessment are:

  • Select the job to be assessed.
  • Break the job into a sequence of events or steps.
  • Identify the potential hazards for each event or step.
  • Determine the preventive measures required to overcome these hazards.

Once this assessment has been completed, then the person or position to implement the preventive measures is to be identified, along with an acceptable time frame for the implementations to be completed. This action timeline should be monitored to ensure it is completed; otherwise, the identified deficiency or hazard will remain within the job action. The approach most commonly utilized for this analysis is to have experienced workers and supervisors complete the analysis by means of a discussion. This method has the advantage of involving a wider base of experience and promotes a more readily-acceptable resultant work procedure. The members of the company's joint occupational safety and health committee should be participants in this process.Footnote 11

Safety management systems and risk assessment

The Railway Safety Management System Regulations are the result of amendments to the Railway Safety Act, which came into effect on 01 June 1999. These amendments included a requirement for safety management systems (SMS) as well as a new authority for Transport Canada (TC) to monitor safety performance and compliance with the regulations through auditing and analysis of safety performance indicators.

Under Part 2 (e) of these regulations, effective 31 March 2001, all federally-regulated railway companies are required to implement and maintain a SMS that includes a process for:

  1. Identifying safety issues and concerns, including those associated with human factors, third parties, and significant changes to railway operations, and
  2. Evaluating and classifying risks by means of a risk assessment.

Part 2 (f) of these regulations requires railway companies to include risk-control strategies in their SMS. When a risk assessment is carried out by a company before a major operational change, there is no requirement for the company to provide the risk assessment to TC (other than in response to an audit request).

Risk assessment at CN

Risk-assessment processes were enhanced by CN as part of its implementation of a Safety Management System (SMS)Footnote 12 and in compliance with the Canada Occupational Health and Safety RegulationsFootnote 13. CN's approach to risk assessment is that it is a distributed function, with all employees responsible for identifying risks at their working level with support provided by regional experts and the CN head office. These groups provide standards, guidance material, and training but do not normally provide a quality assurance function. Each manager or supervisor is responsible within their respective jurisdictions for taking action deemed necessary to ensure that work is performed by employees in a manner that minimizes risks.

CN aims to have safety and risk assessment become common concepts and practices at the working level so that safety is moved beyond simple rules compliance. This approach is supported by a variety of risk-assessment processes. For instance, these processes range from the "Four second focus" job preparation assessment and Safety for Everyone (SaFE) peer safety programsFootnote 14 carried out informally for daily operations, to more sophisticated risk-assessment techniques carried out to examine complex operational issues that have a broad scope. CN has a risk-assessment policy and guidelines that describe its formal approach to risk assessment.

The CN Risk Management Process StandardFootnote 15 states that risk assessment is most effective when conducted early in the planning process. The CN Risk Assessment Protocol provides guidance about when different types of assessments should be conducted. This is in the form of a table of scope/magnitude of issue versus risk/complexity level resulting in a choice between three levels of risk assessment:

  • Level 1: No formal risk assessment required, but local officers to review hazards and consider control strategies (for example, safety briefings, safety flash, field monitoring, job aids, etc.).
  • Level 2: Risk matrix (frequency/severity) required with risk-control strategy. Involvement of employees and/or health and safety committees required when appropriate.
  • Level 3: Risk matrix and more elaborate hazard/risk assessment required. Involvement of employees, and/or health and safety committees and/or other employee representatives required when appropriate.

Risk-assessment training at CN

As part of its SMSS, training in CN's formal risk assessment processes has been delivered since 2002. The initial courses contained detailed technical content about risk assessment and were delivered to approximately 100 risk management officers across the country. The approach to training has evolved since then and the technical content reduced as the training was increasingly provided to a wider audience. This included supervisors and occupational health and safety committee members who were required to have an overall understanding of the topic and an understanding of the documents required and whom to contact for support. One of CN's key challenges in providing training to this breadth of audience is ensuring that it matches the technical background of the trainees. The most recent training, released in 2008, is web-based and designed to provide easy access to the training and provide readily-available reference material.

The content of both the current training and the training provided in 2002 during the Line Management Safety Practices (LMS) course includes guidance on how to identify hazards. Hazard identification is identified as the most critical step in a risk assessment. It is described in several paragraphs of the training material. The process that is described is group "brainstorming", with the key elements of the process being the experience of the participants and the use of visualization to identify what could go wrong in an operation. This is the most commonly used approach to hazard identification within CN. Activity hazard analysis and job hazard analysis are identified as other potential tools for identifying hazards but there is no guidance material on these processes. The LMS course provided in 2002 documented the need to describe the major steps in job processes and to break the operation into "bite-sized" chunks. More complex tools such as flow diagrams and multilinear event sequences are listed as ways of analyzing tasks. The current web-based training does not include this level of detail.

On 03 August 2007, the day before the occurrence, CN assembled a team to perform a level 2 risk assessment on the Beltpack operation when "coupling to and pulling rail cars (loads and/or empties) from the Prince George South Yard northward for the purpose of switching trains." The concern was that there are limitations on the number of cars that can safely be pulled by yard assignments due to the grade of the pull-back track. This team was led by a manager from regional risk management for CN in western Canada; also participating were the senior engineering manager, the manager of locomotive operations, and a locomotive engineer who was an alternate member of the health and safety committee. The only member of the team who had actually worked on the operation being assessed was the locomotive engineer; however, he had acquired his experience before CN had introduced Beltpack operation. The locomotive engineer had not attended risk-assessment training.

Hazards were identified by the team through a process of group brainstorming. Consideration was given to the recent testing of the pull-back switching activities, although no written record had been made of the results of those tests. The assessment included a review of accident data for these operations over the previous five years; however, no relevant information was found for that period. Seven hazards were identified by the team, including the hazard associated with the track gradient. The following are two of the hazards identified by this process, the controls, and actions required:

Hazard:

  • Track gradient.

    If employees do not exercise good judgment in train handling, there is potential for the movement to "run away," causing a derailment.

    Probability: Seldom

    Consequences: Critical

    Initial Risk Level: Medium

Controls:

  • Employee education and compliance to the rules and supervisory monitoring.

    Residual Risk Level: Low

    Implementation Date: Immediate

    Person Responsible: Superintendent

Risk-Control Strategies:

  • Develop instructions for employees to follow outlining the criteria for switching moves on the pull-back.

Action:

  • Superintendent is responsible for ensuring a General Notice is posted by 08 August 2007. Additionally, information will be predominantly displayed on Prince George switch lists until end of August 2007.
  • Perform hands-on instruction and monitoring.

Action:

  • Superintendent to ensure each yard crew and any new employees, while working, are accompanied by a supervisor to review the instructions and address questions and concerns of employees. These will be documented. Completion date: 31 August 2007.

The accident took place the morning after the risk assessment when the train was being controlled by the Superintendent. None of the controls had been put in place at this time.

Following the accident, the same group of employees, with the addition of another risk management officer, conducted a level 3 risk assessment. Preparation for this assessment included further testing of the equipment, including a measurement of the speed of the cars, and computer modeling by CN technical experts to confirm the test data. The assessment identified the hazard noted above concerning the gradient and documented the same controls with an immediate implementation date. In addition, the assessment identified a hazard related to the application of braking control:

Hazard:

  • Not knowing or understanding at which point "control" must be implemented to ensure safe operation and ability to stop.
    Probability: Seldom

    Consequences: Critical

    Initial Risk Level: Medium

Controls:

  • Perform live tests and receive feedback from experienced employees and develop procedures for issue to employees.

    Residual Risk Level: Low

    Implementation Date: Live tests and feedback from employees has been completed.
  • Need to issue procedures to employees.

Person responsible:

General manager, operations, Mountain Division, for CN in Prince George, British Columbia

The operating instructions were issued to employees on 17 August 2007Footnote 16. These included identification of the grade of the pull-back track, specific instructions on the need to control the movement to be able to come to a safe and controlled stop prior to reaching the PPZ sign, a maximum speed beyond the PPZ sign, and when to take in the slack and start reducing speed. The following chart was also provided to give specific guidance on how to handle specific numbers of loaded cars and overall trailing tonnage:

Pull-back operating instructions

To ensure sufficient braking for switching operations in the PPZ, the following chart will govern the maximum number of loaded cars and/or maximum tonnage that can be handled with and without air cut-in on cars.

Locomotives: (or slug units) Number of Loaded Cars Number of Cars with Air Cut-in Maximum Trailing Tonnage
1 unit 1 - 10 cars - not required - 1300 tonnes
2 units 1 - 20 cars
21 - 35 cars
- not required -
4 cars minimum
2500 tonnes
4500 tonnes
3 units 1 - 30 cars - not required - 4000 tonnes
31 - 40 cars 3 cars minimum 5200 tonnes
41 - 50 cars 4 cars minimum 6500 tonnes
4 units 1 - 40 cars - not required - 5200 tonnes
41 - 50 cars 4 cars minimum 6500 tonnes
5 units 1 - 50 cars - not required - 6500 tonnes

For movements handling all empties, a maximum of 30 cars can be handled by one locomotive and a maximum of 60 cars can be handled by two locomotives without requiring additional cars with air brakes cut-in.

No changes were made to the CN risk-assessment process following the accident and no specific feedback was provided to the team that carried out the initial risk assessment. The initial risk assessment was used as a model of an operational risk assessment in the web-based risk-assessment training.

Review of a selection of risk assessments across CN operations

In the course of the TSB investigation, a selection of CN formal risk assessments was reviewed. The assessments had been carried out in  2006 and 2007 and were stored on the CN intranet. These risk assessments were available for employees to use as examples. While several of these risk assessments were comprehensive and followed the processes documented in the CN risk-assessment training material, a number of them did not. The investigation revealed:

  • The risk-assessment template was not consistently followed.
  • Tasks of the operation being reviewed were only broken down to a very high level.
  • Hazard statements did not identify the hazard; for example, "Air hose replacement" was listed as a hazard.
  • Consequences were incorrectly stated; for example "Flying debris" was noted as a consequence.
  • A "risk event" was identified instead of a hazard and the meaning of the risk event was unclear; for example: "Qualified engineer not trained in DP".
  • Controls were not described in detail and often referred to very generic topics such as "Employee awareness" and "CN Safety Policy and Procedures" rather than specific, actionable controls for the hazard identified.
  • The employee required to implement the control was not identified.
  • The implementation date of the control was missing.

Some of the assessments provided clear statements of the purpose of the analysis, detailed task breakdowns, clear statements of hazard, and controls and conclusions drawn from the assessments. Overall, however, the risk assessments varied extensively.

Analysis

Post-accident inspection of the brake shoes, blueing of the wheels, and smoke coming from the wheels of the switching movement locomotives indicated heavy application of the brakes just prior to the collision. Moreover, the mechanical maintenance records for the locomotives and slug unit and a review of the locomotive event recorder data confirmed that the yard locomotive consist's air brake systems were serviceable. The analysis will therefore focus on Beltpack operations in the Prince George Yard, employee training, managers' hours of service, and risk assessment at CN.

After pulling 53 cars from track PA02, the Beltpack operator brought the switching movement to a speed of 7.29 ph by the time the last car was at the "bull switch" when a full independent brake was applied. The switching movement failed to stop and continued moving until it sideswiped train M357 as it was entering the yard at the crossover. The collision occurred due to the combination of speed and excessive tonnage exceeding the capacity of the switching locomotives' braking system on the pull-back track descending grade.

Although the superintendent was qualified from a regulatory perspective with regard to Beltpack operation, the management employees operating the Beltpack switching assignment on the day of the occurrence had no experience switching long, heavy cuts of cars on the pull-back track descending grade. Management employees assigned to temporary operating duties may have performed the work in the past, but skills decline and experience loses its effect over time through lack of use. Additionally, when they are required to work in unfamiliar territory, there is an increased risk of an accident.

The railway managers, in addition to their supervisory duties, routinely worked long hours as operating employees due to operational demands and employee shortages. CN's supervisory employees are to maintain an up-to-date record of time spent working as an operating employee and time spent on supervisory activities in the 24 hours prior to working as an operating employee. CN's fatigue management plan requires that supervisory time in the 24 hours prior to working as an operating employee be taken into account when determining whether or not a supervisor has had sufficient rest. The investigation revealed that supervisory time was not always recorded as prescribed.

Both TC's work/rest rules and CN's fatigue management plan focus on a supervisor's on-duty time in the 24 hours prior to working as an operating employee. According to the CN Fatigue Management Plan, supervisory employees must be in compliance with all aspects of the work/rest rules, including the maximum of 64 hours worked in 7 days. While both regulatory and company work/rest rules address fatigue in the short term, regulatory requirements give inadequate consideration to the cumulative effects of working extended hours over the longer term because there are no specific limitations placed upon any employee who exceeds 64 hours of work in seven days.

Prince George risk assessment

Normally, when industry applies a risk-assessment process, it is used to identify and rank the seriousness of hazards for an operation. This type of process takes into consideration all aspects of an operation including cost aspects. Each hazard is then analyzed to identify the control measures required to mitigate the risks. The initial assessment performed prior to increasing the number of cars to be handled on the Prince George pull-back applied only part of a risk assessment process and part of a job safety (hazard) analysis process.

This initial assessment did not break down the operation into a detailed sequence of tasks, as required by CN's own risk-assessment protocol and in accordance with industry best practice. As a consequence, the assessment did not identify the particular hazard that led the operator to lose control of the train during the accident. In addition, the lack of detail in the hazard statement did not enable a sufficiently detailed control measure to be identified. In particular, no training needs analysis was carried out to ensure safe movement of trains in these circumstances. The risk assessment of the operations conducted immediately prior to the accident was inadequate to mitigate the hazards of switching long, heavy cuts of cars on the pull-back descending grade.

Other CN risk assessments

A review of a sample of other CN risk assessments showed considerable variation. Nearly the entire sample of assessments used the "group brainstorming method" for identifying hazards and few indicated that a detailed task analysis had been conducted or other techniques used to identify potential hazards. Many were similar to the first Prince George pull-back switching risk assessment where the hazards were not clearly stated and, as a consequence, the controls identified were at a very high level. None of the sample of assessments had an implementation date of controls identified as "immediate," although the second, post-accident switching risk assessment did have this type of target.

CN's current web-based risk assessment training provides very little information on how to identify hazards even though it is the most critical step in the risk-assessment process. The training also does not cover the management of a risk assessment – the planning of the assessment, how to carry it out in the context of live operations, or how to ensure that controls are effectively planned and implemented. In addition, there is no formal quality control function provided within CN to ensure that risk assessments are carried out according to the CN risk-assessment standard or protocol.

The sample of risk assessments indicates that CN is carrying out assessments of risk across its operations but it is clear that the program is still evolving. CN's current web-based risk assessment training program is inadequate and the lack of a quality assurance program increases the risk that the controls implemented may not be sufficient to mitigate the identified hazards.

Clean-up response by CN and environmental remediation following this occurrence were timely and comprehensive.

Findings

Findings as to causes and contributing factors

  1. The collision occurred when the excessive tonnage of the 53 cars and the descending track gradient of the pull-back track combined to exceed the braking capacity of the switching locomotives and the uncontrolled movement contacted the opposing train at the crossover.
  2. Although considered qualified from a regulatory perspective for their respective duties, the management employees operating the Beltpack switching assignment on the day of the occurrence were inadequately trained and had no experience switching long, heavy cuts of cars on the pull-back track descending grade.
  3. The risk assessment conducted immediately prior to the accident was inadequate to identify the hazards and mitigate the risks of switching long, heavy cuts of cars on the pull-back track's descending grade.

Findings as to risk

  1. The practice of temporarily assigning management employees to do the work of experienced operating employees may increase the risk of accidents.
  2. The lack of a formal quality assurance program to establish consistency in risk analyses increases the likelihood that the controls identified and implemented may not be sufficient to address the risks.
  3. While both regulatory and company work/rest rules address fatigue in the short term, regulatory requirements give inadequate consideration to the cumulative effects of working extended hours over the longer term because there are no specific limitations placed upon any employee who exceeds 64 hours of work in seven days.

Other finding

  1. Although Canadian National Railway's fatigue management plan required that all supervisory time be taken into account when determining whether or not a supervisor had had sufficient rest under the rules prior to performing operating employee duties, the supervisory time was not always recorded as prescribed.

Safety action taken

TSB

On 14 September 2007, a Rail Safety Advisory Letter (617-12) was issued to Transport Canada regarding training of Canadian National (CN) managers operating a train:

Transport Canada may wish to review CN's policy concerning the use of management employees to perform the duties of train crews to ensure that they are fully familiar with the territory, experienced, rested, and adequately trained.

On 30 November 2007, a Rail Safety Advisory Letter (617-14) was issued on work/rest rules for CN managers in operating positions:

TC may wish to review CN's specific fatigue management plan for supervisors performing the duties of operating employees.

Transport Canada

A Notice and Order was issued by Transport Canada on 05 August 2007 ordering that:

CN Rail must not allow any yard assignment to switch on any track between Mile 463.0 and Mile 465.0, Chetwynd Subdivision, unless the following conditions are met:

  1. Movements will not be protected by a point protection zone and any existing instructions related to the point protection zone are null and void.
  2. An employee must physically be on the leading end of equipment when the view of the leading end is expected to or becomes no longer visible from the switching lead.
  3. The maximum number of cars permitted to be handled is restricted to 30 loads or 40 cars.
  4. A sufficient number of cars handled must have operative air brakes which will permit control of the movement.
  5. All data related to the reported braking performance, inspection, and repairs for yard engines assigned to switching duties be retained for thirty (30) days and immediately provided to a railway safety inspector upon request.

It was further ordered that remote control locomotive operators switching between these locations are properly trained, qualified, and familiar with the equipment and the territory over which they are operating.

This report concludes the Transportation Safety Board's investigation into this occurrence. Consequently, the Board authorized the release of this report on 26 February 2009.

Footnotes

Footnote 1

All times are Pacific daylight time (Coordinated Universal Time minus seven hours).

Return to footnote 1 referrer

Footnote 2

Beltpack is the trade name of the remote control locomotive operations technology that was developed and marketed by Canac, a former subsidiary of CN.

Return to footnote 2 referrer

Footnote 3

The "bull switch" is the name commonly used for the high mast hand throw switch located at the north end of the yard that northward movements from the PA yard (arrival/departure tracks) must clear to facilitate a southward movement into the classification yard.

Return to footnote 3 referrer

Footnote 4

A yard slug, or booster unit, is a unit which provides tractive and braking effort when connected to a locomotive through electrical connections, although it has no diesel engine itself.

Return to footnote 4 referrer

Footnote 5

When the Beltpack OCU is tilted beyond a certain angle, as when an operator falls or is otherwise incapacitated, the locomotive(s) being operated automatically shut down.

Return to footnote 5 referrer

Footnote 6

The Canadian Dictionary of Safety Terms defines hazard as a dangerous object, event, behaviour, or condition which can interrupt or interfere with the expected orderly progress of an activity.

Return to footnote 6 referrer

Footnote 7

The Canadian Dictionary of Safety Terms defines risk as the probability during a period of activity that a hazard will result in an accident with definable consequences.

Return to footnote 7 referrer

Footnote 8

The Canadian Dictionary of Safety Terms defines risk assessment as: (a) information, hazard analysis method, and control program evaluation which permit estimation of risk; (b) amount or degree of potential danger perceived by a given individual when determining a course of action for a given task.

Return to footnote 8 referrer

Footnote 9

The Canadian Dictionary of Safety Terms defines hazard analysis as the functions, steps, and criteria for the design and plan of work which identify hazards, provide measures to reduce the probability and severity potentials, identify residual risks, and provide alternative methods of further control.

Return to footnote 9 referrer

Footnote 10

The Canadian Dictionary of Safety Terms defines job safety (hazard) analysis as: (a) breaking down into its component parts any method or procedure to determine the hazards connected with it and the requirements or qualifications of those who are to perform it; (b) method for studying a job in order to (1) identify hazards or potential accidents associated with each step or task and (2) develop solutions that will eliminate, nullify, or prevent such hazards and potential accidents.

Return to footnote 10 referrer

Footnote 11

Canadian Centre of Occupational Health and Safety (CCOHS) - Job Hazard Analysis

Return to footnote 11 referrer

Footnote 12

Railway Safety Act, Regulations, Safety Management Systems - 2. (e) a process for (i) identifying safety issues and concerns; (ii) evaluating and classifying risks by means of a risk assessment.

Return to footnote 12 referrer

Footnote 13

Canada Occupational Health and Safety Regulations, Canada Labour Code, Part II 125.(1) - Duties of Employer

Return to footnote 13 referrer

Footnote 14

Leadership in Safety, CN Rail, March 2008

Return to footnote 14 referrer

Footnote 15

CN Risk-Management Process Standard, 05 October 2006

Return to footnote 15 referrer

Footnote 16

"Prince George South Yard Pull-back Switching Operating Instructions", CN, 17 August 2007

Return to footnote 16 referrer