Rail safety investigations & reports

Runaway and derailment of loaded ore train M02712 near the 211 km mark south of Port Hedland, Western Australia, on 5 November 2018

Investigation number: RO-2018-018
Status: Completed
Phase: Final report: Dissemination

Final

What happened

On 5 November 2018, train M02712, loaded with iron ore, was being operated by BHP on its Newman to Port Hedland railway, Western Australia. The train consisted of 2 locomotives, a rake of 134 wagons, 2 remote locomotives and a second rake of 134 wagons. It was fitted with an electronically controlled pneumatic braking (ECPB) overlay system.

At about 0337, M02712 was travelling at 60 km/h on a downhill grade on the west track, approaching the BHP access road level crossing at the 211.6 km mark. Shortly after, trainline communication between the lead locomotive and the combined end of train monitor was lost, triggering an automated 120% ECPB emergency brake command, stopping the train as it approached Garden South.

Following confirmation with train control of the location of the train and receiving instruction on the number of handbrakes required to secure the loaded train on the falling track grade at Garden, the driver left the locomotive cab to commence applying the brakes from the front of the train. The controller also tasked a support team to attend M02712 and help the driver with applying the handbrakes.

About 60 minutes after the loss of trainline communication, as the driver continued to apply handbrakes to the first rake of ore cars, the train began to move forward. Shortly after, train control received an emergency call from the driver of M02712 alerting that the brakes had ‘bled off’ and the train was now a ‘runaway’.

Train M02712 continued, reaching a speed of 162 km/h before slowing on the rising grades toward Woodstock. After Woodstock, the track grade again began to fall toward Port Hedland and M02712 gained speed to about 130 km/h approaching Abydos.

At about 0520, Hedland control set the crossovers at Turner South and Turner North to switch train M02712 between adjacent tracks to derail the train as it traversed the crossover at speed. About 6 minutes later, the head end locomotives travelling at 144 km/h traversed the crossover at the 119.4 km mark at Turner South.

The locomotives and the first ore car separated from the rest of the train but remained coupled, travelling about 1.6 km further before stopping. The derailment destroyed the 2 remote locomotives, 245 ore cars and 2 km of track infrastructure at Turner South. There was no injury to any person from the runaway or derailment.

What the ATSB found

Between 2011 and 2015, BHP implemented an ECPB system as an overlay to the conventional pneumatic train braking system and undertook an associated modification to the automatic train protection (ATP) system. It predominantly managed the implementation of these changes at an individual system level rather than through the application of a structured engineering approach. BHP did not subsequently identify and manage significant characteristics of how the ECPB, ATP and conventional pneumatic braking systems interacted in response to certain fault conditions. As a result, BHP’s trains configured for ECPB operation were potentially vulnerable to a runaway event should a unique combination of events and conditions occur.

The BHP risk assessment associated with a rail-mounted equipment interaction incident was broad in scope and had limited focus on the causes and critical controls of a train runaway event. In addition, the risk assessment did not include the procedure for responding to brake pipe emergencies and penalties as a critical control. BHP’s material risk control assessments (MRCAs) did not then test the effectiveness of this procedural control for preventing an uncommanded movement of a train during main line operations.

The procedure for responding to brake pipe emergencies and penalties relied extensively on a driver’s memory, with limited processes in place to facilitate or cross-check a driver’s performance to ensure all safety-critical actions were completed. Although the procedure contained a safety-critical action (to apply the automatic brake handle to the pneumatic emergency position), BHP did not clearly communicate the importance and reasons for this action to drivers, reducing the potential for the drivers to correctly recall this action.

As M02712 approached Garden on 5 November 2018, one of the 12 trial inter-car connectors disconnected. This caused a loss of ECPB trainline communication and power supply continuity affecting most of the train and triggered an automatic emergency ECP brake application. The driver responded to the ECPB system’s emergency brake application by commencing the brake pipe emergencies and penalties procedure, but exited the locomotive cab to apply handbrakes to the ore cars without placing the automatic brake handle in the pneumatic emergency position. Without this safety-critical action being done, the brake pipe air pressure was not vented to atmosphere to hold the ore cars’ brake application via the pneumatic system.

The car control devices (CCDs) on the disconnected ore cars and the end of train monitor continued to run using the internal battery power of each device to hold the brake application. Consistent with how they were designed, however, the CCDs released their ECP brake application on shutdown after 60 minutes. At this time, while the driver was applying handbrakes, M02712 began to roll away.

The ATP system detected the rollaway and other events, with each generating a penalty brake request to the ECPB system. However, the requests had no effect as the ATP and ECPB systems could not interface to dump brake pipe pressure if an ECPB application became ineffective in arresting an uncommanded train movement.

The ATSB also identified that the response crew tasked to aid the driver did not confirm whether the driver had implemented the BHP three-step protection process prior to approaching a train to begin the application of handbrakes. This increased the risk of injury to personnel working on the rolling stock. Additionally, after the runaway became known, the BHP emergency response procedures did not ensure that rail infrastructure managers that interfaced with the BHP rail network were alerted to an emergency event that could affect safety at the interface.

Given that the train stopped at 0340 and the driver was conducting a series of 7 night shifts, the ATSB examined BHP’s processes for managing train driver fatigue. The ATSB found that the BHP roster patterns for fly-in fly-out train drivers were conducive to cumulative sleep restriction and levels of fatigue likely to adversely influence performance on a significant proportion of occasions, and BHP had limited processes in place to ensure that drivers actually obtained sufficient sleep when working these roster patterns. Due to cumulative sleep restriction over several days of night shifts, the time of day (0340) and other factors, the driver of M02712 was probably experiencing a level of fatigue known to adversely influence performance. However, based on the available evidence, the ATSB did not conclude that fatigue contributed to the runaway of M02712.

What has been done as a result

Following the runaway and derailment accident involving M02712, BHP reviewed the risk management framework associated with rail-mounted equipment interaction, updated the risk assessment, and added additional controls related to potential train runaway events. Additionally, BHP implemented a systems engineering and assurance framework to manage the future integration of systems utilised within the BHP rail system.

With regard to procedural controls, BHP revised its operating instruction for responding to brake pipe emergencies and penalties by requiring the driver to complete a form confirming the actions undertaken in response to an emergency ECPB application and to confirm these actions with train control prior to leaving the locomotive cab. In addition, the operating instruction was amended to clearly advise the importance and rationale for drivers to place the automatic brake handle in the pneumatic emergency position in response to an emergency ECP brake application with the end of train monitor displaying ‘off’ or ‘?’.

BHP also revised the work instruction associated with handbrake application and release during main line recovery to require that a work group supervisor be appointed to communicate directly between the driver and the work group tasked to render assistance.

BHP has commissioned external fatigue subject matter experts to undertake a range of evaluation and development activities. BHP has recognised that its roster design was not conducive to minimising fatigue and has formed a working group to optimise rosters. It has also undertaken additional work to improve fatigue training and fatigue monitoring of drivers.

Safety message

A train runaway can cause injury or loss of life, substantial damage to rolling stock and infrastructure, and disrupt rail operations for an extended period. Rail transport operators should therefore conduct thorough risk assessments to ensure that relevant causes and hazards associated with runaway events are identified and managed.

In addition, rail transport operators considering changes involving the integration of complex systems should utilise a systems engineering approach to identify hazards and then manage risk to ensure that the railway’s operations remain safe, so far as is reasonably practicable. Rail transport operators must then ensure the preventative controls mitigating the hazards will be effective in managing the risk. They also need to place adequate emphasis on critical controls to signify their importance and ensure that the rail safety workers who are required to implement procedural controls clearly understand why the specified actions are required.

Emergency procedures communicate critical tasks that must be fully actioned by rail safety workers responding to atypical or unexpected situations. Rail safety workers must therefore ensure they take sufficient time to methodically perform and verify the effectiveness of each required action.

Preliminary report

Preliminary report published: 12 March 2019

The occurrence

Overview

At approximately 0440[1] on 5 November 2018, loaded BHP ore train M02712 rolled away from the 210.7 km mark located near Garden South on the Nelson Point to Newman railway, Western Australia. There was no driver on board the train at the time. The train travelled uncontrolled on the west track for about 91 km before Hedland train control decided to derail the train by routing it from the west track to the east track at a crossover located at Turner South.

At about 0526, the head end locomotives traversed the crossover. Shortly after, 245 ore cars and the two remote locomotives, located mid consist, derailed. There was significant damage to rolling stock and track infrastructure at Turner South (Figure 1). There was no injury to any person from the derailment.

Figure 1: Train M02712 wreckage at Turner South. Aerial image viewed in a southerly direction of train wreckage and track damage at Turner South. The lead locomotives 4420 and 4434 and one ore car (out of frame in the foreground) remained on track. Source: BHP, annotated ATSB

Sequence of events

At about 0337 on 5 November 2018, train M02712 was travelling at 60 km/h on the west track approaching the BHP access road level crossing at the 211.6 km mark. The driver had set the throttle control for maximum dynamic braking and commenced moving the Electrically Controlled Pneumatic (ECP) braking control toward a 39 per cent application.

At about 0339, communication between the lead locomotive and the combined end of train monitor (CEOT) was lost, triggering an automated 120 per cent ECP emergency brake application, stopping the train as it approached Garden South. Shortly after, the driver made an emergency radio call to Hedland train control reporting the occurrence, his location (at the 210.737 km mark between Shaw and Garden), and the details of alert messages displayed to him by the locomotive on-board systems.

The train controller placed blocks to signals on the adjacent east track between Garden South and Shaw North to protect the train (from other rail movements) and contacted personnel from the Redmont[2] maintenance gang to assist the driver. The controller advised the driver that assistance was en route and requested he confirm the train’s location from a kilometre mark[3] closest to the lead locomotive.

The driver stated that the FIRE[4] system displayed 210 km, but that he would detrain and check the kilometre mark on the ground to confirm. At about 0351, the driver placed the reverser[5] control to the centre (neutral) position, turned the generator field[6] off and fully applied the locomotive independent brake before exiting the locomotive cab. The 120 per cent emergency brake application was active and the automatic brake handle remained set at the position equating to a 39 per cent ECP brake application.[7]

After receiving confirmation of the 210.7 km mark, the controller instructed that 101 per cent handbrakes[8] were required to secure a loaded train on the falling track grade. The controller asked the driver if he wanted to start applying them now or go back up to the locomotive and wait for the arrival of personnel from the Redmont gang. At about 0353, the driver decided to commence applying handbrakes to the 268 ore cars from the front of the train.

At about 0355, an empty ore train (M02727) travelling on the adjacent east track toward Yandi Junction stopped at Garden South due to the blocking protections set up previously. About 30 minutes later, personnel from the Redmont gang advised train control of their arrival at the 210 km mark to assist the driver in applying handbrakes. The train controller suggested the gang start applying handbrakes from the rear of the train and proceed toward the driver who was working from the front.

Hedland control continued to maintain contact with the driver of M02712 at 10-minute intervals during which the driver advised that he had found a disconnection in the train-line cable[9]. The train-line cable was located on the opposite side of the train and not accessible safely, so the driver continued to apply handbrakes to secure the train. During one of the scheduled calls, the driver reported to the controller that the application of handbrakes was progressing well despite having trouble walking along the ballast shoulder next to the stationary train. The driver also reported that he was aware the Redmont gang had arrived to check the integrity of the rear of the train and to apply handbrakes. The driver said that he planned to continue working toward the locomotives mid train, report to train control then return to reinstate the break in the train-line cable.

At about 0440, the driver heard air venting from the ore car brakes and shortly after noticed the train begin to move forward. The driver first attempted a radio call to the Redmont gang alerting that the brakes had ‘bled off’ but there was no response. Shortly after train M02712 began to roll away, the ATP system requested a penalty brake application but it was ineffective in stopping the train.

About four minutes later, the driver of the empty ore train standing at Garden South (M02727) contacted train control advising train M02712 was moving and had passed his location at an estimated speed of about 50 km/h with brakes dragging.[10]

At 0446, train control received an emergency call from the driver of M02712 alerting that the brakes had bled off and the train was now a ‘runaway’. Train control acknowledged the emergency call and advised he had set signal GNN4 at Garden North to red, attempting to stop the train by triggering the locomotive on-board automatic train protection system. Train M02712 passed signal GNN4 at about 80 km/h and continued to increase in speed. Although the ATP system requested a penalty brake application in response to signal GNN4 at red and to an over speed, these penalty applications were also ineffective in stopping the train.

About 80 km ahead, another train (M02728) travelling on the eastern track was approaching Abydos North. Hedland control contacted its driver instructing him to stop, detrain and move to a safe place. Hedland control also contacted the drivers of the two other trains (M02729, M02710) operating between Garden North and Port Hedland, instructing the drivers to stop, detrain and move to a safe place. Trains M02729 and M02710 stopped at locations north of Turner (Figure 2).

At about 0502, the driver of the empty ore train (M02727), stopped at Garden South, contacted Hedland control advising that the Redmont gang had mistakenly applied handbrakes to his train rather than to train M02712.

Train M02712 continued through Spring and Coonarie reaching a speed of 162 km/h before slowing on the rising grades toward Woodstock (Figure 2). At about 0509, train M02712, travelling at about 128 km/h, passed over the level crossing at the 154.3 km mark before Woodstock South. After Woodstock, the track grade again began to fall toward Port Hedland and train M02712 gained speed to about 130 km/h as it passed train M02728 stopped at the 130.5 km mark on the eastern track north of Abydos.

At about 0520, Hedland control set the crossovers at Turner South and Turner North to switch train M02712 between adjacent tracks in an attempt to derail it as it traversed the crossover at speed. About six minutes later, the head end locomotives travelling at 144 km/h traversed the crossover at the 119.4 km mark at Turner South. Locomotives 4420, 4434 and the first ore car remained coupled and on track, travelling about 1.6 km further before stopping. Ore cars in position two to 134 of the first rake, the remote locomotives 4472 and 4440 and ore cars one to 112 from the second unit rake derailed near the crossover. The last 22 ore cars of the second unit rake remained coupled and on track.

The derailment destroyed two locomotives, 245 ore cars and 2 km of track infrastructure at Turner South.

Figure 2: Location map BHP Port Hedland railway. Source: BHP, annotated ATSB

Context

Train information

Train M02712

The ore train operated as a unit train weighing approximately 42,500 t and was 2,860 m long. It consisted of two SD70ACe type locomotives (4420, 4434) leading, a unit rake of 134 ore cars, two remotely operated SD70ACe type locomotives (4472, 4440) located mid-train, and a second unit rake of 134 ore cars. The ore train was operating between the loading facility at Mining Area C situated on the spur line extension from Yandi, and the unloading facility at Nelson Point, Port Hedland (Figure 2).

Locomotive on-board automatic train protection system

The four locomotives on train M02712 were each equipped with an Alstom Ultra-Cab II (UCII) microprocessor controlled automatic train protection (ATP) system. The UCII system was not a standalone system; it interfaced electronically with other on-board equipment including FIRE, Electrically Controlled Pneumatic (ECP) braking systems, wayside transponders[11] and other control systems that combined to provide for the safe operation of the train within the parameters defined in the BHP iron ore rules and regulations.

The ATP functions included monitoring the locomotive speed and supervising its operation within the limits imposed for the track section. If the locomotive was moving faster than the target speed limit, alarms would sound prompting the driver to reduce speed.

The locomotives carry a radio transmitter, transponder reader and antenna. Transmissions are relayed between the locomotive and transponders fastened to the track cross-ties (sleepers) at key locations such as ATP entry and exit points and interlocked wayside signals along the railway. Unique location identification and target speed data is relayed from the track mounted transponders to the locomotive UCII microprocessor.

The driver must reduce speed to the target limit within a predetermined time. If this does not occur, the ATP automatically interfaces with the braking system to initiate a brake application to stop the train. The type of brake application is dependent on the setup of the locomotive at the time of the command. If the locomotive is configured for conventional pneumatic braking, the ATP initiates a service brake application. If this is ineffective in slowing the train, the ATP then initiates a penalty brake application. For an ECP braking configuration, the ATP requests a penalty brake application.

Additionally, when the locomotive was stationary with its reverser in the neutral (centre) position and the ATP detected a train movement of more than 0.5 m, the ATP requested a penalty brake application to prevent a potential locomotive runaway.

Each ATP automatically configures to mirror the ECP brake setup for that locomotive as a head end unit (HEU), trail or remote unit. The ATP would not enforce target speed limits or runaway protection on locomotives configured as either a trail or remote unit. The ATP in each of the four locomotives in train M02712 (4420, 4434, 4472 and 4440) functioned respectively as a HEU, trail and two remote units.

Braking and Distributed Power systems

Train M02712 was equipped with an EP-60 New York Air Brake electrically controlled pneumatic (ECP) braking system. The system consisted of locomotive equipment, ore car braking control equipment, an end of train monitor, and a power and communications distribution system.

Locomotive equipment comprised a train-line communications controller, power supply and identification module. The lead locomotive 4420 functioned as the HEU. The HEU communicated with each of the 268 ore car braking control devices (CCDs) and the remote locomotives via embedded transmissions in the train-line cable, which comprised a single set of wires forming the intra-train power and communications network. The CCD unit used 230 Volt Direct Current power from the train-line to charge its batteries and supply power to its electronics.

In ECP mode, the EP-60 system used the position of the HEU automatic brake handle to control the operation of the locomotive and ore-car brake cylinders. The FIRE system provided the interface to the driver displaying braking parameters related to the ECP system mode, alarms, diagnostic messages and brake command input.

The FIRE system displayed the level of brake command input as a percentage (%TBC)[12], typically a number between 0 and 100 per cent or as 120 per cent:

  • 0% = Release
  • 10% = Minimum Service
  • 100% = Full Service/Penalty application
  • 120% = Emergency.

The Combined ECP end of train monitor (CEOT) installed on the last ore car coupler marked the end of the train, provided a termination point for the train-line and a transducer for end of train information, such as brake pipe pressure, back to the HEU to establish the integrity of the train-line and train consist. The CEOT used 230 Volt Direct Current power from the train-line to charge its batteries and supply power to its electronics.

If the power from the train-line is lost, the CCD and CEOT devices each continue to operate on battery power until the batteries run low or a 60 minute time period elapses. The CCD and CEOT devices will then enter shutdown mode. When a CCD shuts down it releases its ECP brake application and relinquishes control of brake cylinder pressure to the conventional pneumatic braking system. If the brake pipe is charged and a pneumatic application is not in effect, the brake cylinder pressure will release.
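The shutdown behaviour described above, together with the pneumatic emergency action and the ATP penalty request described elsewhere on this page, can be written as a small state model. This is an added example, not code from the ATSB report, BHP or the brake supplier. It assumes a one-minute time step, ignores handbrakes and battery depletion, and treats loss of ore-car braking on the falling grade as immediate movement; `atp_can_dump_brake_pipe` is a hypothetical interface that the page says did not exist on M02712.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CCD_TIMEOUT_MIN = 60  # per the page: CCDs shut down 60 minutes after train-line power is lost


@dataclass
class Scenario:
    """Model inputs. Field names are this example's own, not BHP's or the supplier's."""
    name: str
    handle_in_pneumatic_emergency: bool    # driver vented the brake pipe before leaving the cab
    atp_can_dump_brake_pipe: bool = False  # HYPOTHETICAL interface, absent on M02712


@dataclass
class Result:
    events: List[Tuple[int, str]] = field(default_factory=list)
    moved_at: Optional[int] = None             # minute uncommanded movement begins
    brakes_reapplied_at: Optional[int] = None  # minute a brake application is restored


def ore_car_brake_holder(minute: int, brake_pipe_vented: bool) -> Optional[str]:
    """Which system holds the ore-car brakes `minute` minutes after power loss."""
    if minute < CCD_TIMEOUT_MIN:
        return "ECP (CCD on battery)"
    # CCD has shut down: ECP application released, control passes to the pneumatic system.
    if brake_pipe_vented:
        return "pneumatic emergency"
    return None  # brake pipe still charged, no pneumatic application: cylinders release


def simulate(s: Scenario, duration_min: int = 90) -> Result:
    """Step the model minute by minute from the loss of train-line power."""
    r = Result()
    vented = s.handle_in_pneumatic_emergency
    last = "unset"
    atp_logged = False
    for minute in range(duration_min + 1):
        holder = ore_car_brake_holder(minute, vented)
        if holder != last:
            r.events.append((minute, "ore-car brakes held by " + (holder or "nothing")))
            last = holder
        if holder is None and r.moved_at is None:
            r.moved_at = minute
            r.events.append((minute, "uncommanded movement begins"))
        if r.moved_at is not None and r.brakes_reapplied_at is None:
            if holder is not None:
                r.brakes_reapplied_at = minute
            elif s.atp_can_dump_brake_pipe:
                vented = True  # assumed behaviour of the hypothetical interface
                r.events.append((minute, "ATP penalty vents brake pipe"))
            elif not atp_logged:
                # As on M02712: the request goes to the ECP system, which is shut down.
                r.events.append((minute, "ATP penalty request to ECP system has no effect"))
                atp_logged = True
    return r


SCENARIOS = [
    Scenario("procedure completed", handle_in_pneumatic_emergency=True),
    Scenario("as occurred on M02712", handle_in_pneumatic_emergency=False),
    Scenario("hypothetical ATP brake pipe dump", False, atp_can_dump_brake_pipe=True),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        print(sc.name)
        for minute, text in simulate(sc).events:
            print(f"  t+{minute:02d} min: {text}")
```

The second scenario shows the single point of failure the investigation describes: one omitted manual action leaves nothing holding the ore-car brakes once the timer expires, and the automated protection has no path to the brake pipe.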

The BHP locomotive fleet was equipped to enable control of multiple distributed power units within the train. Communication of synchronous control and indication signals between the HEU, trailing and remote locomotives, located mid consist, also occurred via the train-line system.

As a contingency, the ECP overlay braking system and train-line could be shut down and the HEU configured to communicate power and brake commands via UHF radio communications to the remote locomotives. This configuration disables ECP braking and train braking reverts to conventional pneumatic operation via the train brake pipe. The HEU configuration establishes communication with the CEOT by radio.

The locomotive independent brake handle is located immediately below the automatic brake handle and controls the locomotive braking independently of the automatic train brake. It also applies the brakes on other locomotives in the train. The independent brake control only applies to the locomotives (lead and remote) and not the ore cars in the train. The independent brake control operates pneumatically irrespective of the HEU configuration.

The independent brake control handle can be positioned to:

  • REL (release), releasing the locomotive brakes provided the automatic brake handle is also in the REL position
  • SERVICE, moving the handle through the service zone increases locomotive braking effort
  • APPL position applies full braking effort on the locomotive(s)
  • Bail off function, depressing the handle in either the REL position or SERVICE zone suppresses any automatic train brake application in progress on the locomotive(s).

Vigilance control

The vigilance control system monitors driver activity and stops the locomotive/train when there is no response from the driver to aural and visual warnings displayed via the FIRE system. The vigilance system uses random timing and task linking to monitor driver activity.

The vigilance system is active when the locomotive air brake is set as HEU and the air brake cylinder pressure is less than a predetermined level. Vigilance system suppression occurs when the locomotive air brake cylinder pressure is greater than a predetermined level, when the braking system is set to trail or remote, when the reverser is in the centred position, or when the locomotive configuration is set for operation at a defined slow speed.

Track

The BHP iron ore railway is a standard gauge track structure constructed with continuously welded 68 kg/m rail fastened with resilient clips to concrete sleepers. The sleepers are contained in crushed rock ballast. The track structure configuration enabled the operation of rolling stock with 40 t axle load.

In the direction of travel, the track gradient from Mining Area C was primarily a rising grade approaching Shaw located in the Chichester Range before transitioning to a mainly falling grade toward Nelson Point. The roll away occurred between Shaw North and Garden South where the track gradient was -1.5 per cent—the steepest track gradient of the track section between Yandi Junction and Nelson Point.

The ATP governed the maximum permissible track speed for the various sections dependent on the mode of operation, with the target speed displayed to the driver via the FIRE system. The maximum track speed for the Newman to Port Hedland railway was 75 km/h for loaded ore trains.

Train control

BHP manages train movements remotely from its train control centre located in the Integrated Remote Operations Centre in Perth. The train control centre has five operational control areas (desks) identified as Hedland, Newman, 6PG, Hub control and Yard control. All communication between the Perth control centre, train movements, control systems and wayside equipment is via a dedicated VHF radio system.

The runaway occurred within the operational area managed by Hedland train control that extended from the 67 km mark located south of Walla to the 260 km mark located south of Cowra.

Safety action

The BHP preliminary investigation recommended a series of actions for implementation over the short (prior to recommencing movements of trains), medium (within approximately one year) and long term (over one year).

Short term

  • Issue communications to all train drivers regarding the release of ECP brakes under certain conditions.
  • Amend operating instruction related to Brake Pipe Emergencies and Penalties.

Medium term

  • Investigate improvements to ECP braking system Handbook in relation to any of the short term controls.
  • Review the processes for issuing operating instructions and disseminating information to drivers and assess value in presenting a measure of criticality with each operating instruction to avoid dilution of critical instructions amongst non-critical information.
  • Undertake a review of the ECP braking system timeout function to explore software options to increase timeout period at a sacrifice to ECP braking system battery performance.
  • Investigate a hardware/software solution whereby the on-board control system, FIRE or brake computer automatically dumps the air from the train brake pipe under different conditions.

Long term

  • In conjunction with the BHP existing signalling upgrade project, introduce new automatic train protection system on-board every locomotive, track maintenance machine and Hi-rail in the BHP fleet.

Ongoing investigation

The ATSB investigation has obtained relevant material and conducted interviews with a number of BHP staff. The ATSB is continuing to gather documentation about the design of train braking systems operated by BHP and the procedures contained in the BHP safety management system for the management of risk and the development and dissemination of safety critical information to rail safety workers.

The ongoing ATSB investigation will include consideration of the following:

  • examination of factors associated with train-line cable connectors
  • design, operation and serviceability of the locomotive and ore car electrically controlled pneumatic and pneumatic braking systems, and the interface between them at time of the occurrence
  • effectiveness of critical control management process in identifying and managing operational risk from a runaway occurrence
  • arrangements for the dissemination of safety critical information and associated driver training
  • effectiveness of recovery controls—runaway protection
  • effectiveness of emergency management plan response systems and actions
  • factors influencing the driver’s response to a penalty brake application
  • train handling, driver qualifications, experience and health information
  • status of BHP short, medium and long term actions following the occurrence.

_____________

The information contained in this interim report is released in accordance with section 25 of the Transport Safety Investigation Act 2003 and is derived from the initial investigation of the occurrence. Readers are cautioned that new evidence will become available as the investigation progresses that will enhance the ATSB's understanding of the accident as outlined in this report. As such, no analysis or findings are included.

 

__________

  1. WST, Western Standard Time, UTC plus 8 hours.
  2. Redmont is a remote maintenance camp accommodating track workers. Redmont was located near Garden South.
  3. Kilometre markings on rail.
  4. Functionally Integrated Railroad Electronics (FIRE) system forming the interface between the operating crew and locomotive computer systems.
  5. Lever in locomotive cab to select ‘forward’ ‘centred/handle-out’ or ‘reverse’ for the direction of operation.
  6. Power source for generator field excitation.
  7. Automated ECP penalty brake application overrides manual setting of the automatic brake handle.
  8. Handbrake calculator tool determined number of handbrakes required based on track grade and loaded/empty state of train.
  9. The interruption in the train-line cable was due to a disconnected connector between the tenth and eleventh ore-car in the first unit rake.
  10. Brakes applied on head end locomotives and a number of ore cars from the first rake.
  11. Signalling and other associated equipment located adjacent to the rail track.
  12. Train Brake Command.

Safety Issues

Risk assessment for a rail-mounted equipment interaction incident

Although BHP’s risk assessment for a rail-mounted equipment interaction incident identified numerous causes and critical controls for such an incident, it was broad in scope and had limited focus on the causes and critical controls for a train runaway event. In addition, the risk assessment did not include the procedure for responding to brake pipe emergencies and penalties as a critical control and BHP’s material risk control assessments (MRCAs) did not test the effectiveness of this procedural control for preventing an uncommanded movement of a train during main line operations.

Safety issue details
Issue number: RO-2018-018-SI-01
Status: Closed – Adequately addressed

Task design – brake pipe emergencies and penalties

The task of responding to brake pipe emergencies or penalties relied extensively on a driver’s memory, with limited processes in place to facilitate or cross-check a driver’s performance to ensure all safety-critical actions were completed.

Safety issue details
Issue number: RO-2018-018-SI-02
Status: Closed – Adequately addressed

Operating instructions – brake pipe emergencies and penalties

Although operating instructions OI 17-11 (5 April 2017) and then OI 18-72 (3 November 2018) contained a safety-critical action (to apply the automatic brake handle to the pneumatic emergency position), BHP did not clearly communicate the importance and reasons for the safety-critical action to drivers, reducing the potential for the drivers to correctly recall this procedural action.

Safety issue details
Issue number: RO-2018-018-SI-03
Status: Closed – Adequately addressed

Recovery controls – ATP/ECPB interaction

The automatic train protection (ATP) and electronically controlled pneumatic braking (ECPB) systems on BHP’s trains could not interface to dump brake pipe pressure if an ECPB emergency or penalty brake application became ineffective in arresting an uncommanded train movement.

Safety issue details
Issue number: RO-2018-018-SI-04
Status: Closed – Adequately addressed

Fatigue management of train drivers

BHP's fatigue management processes required its train drivers to be rostered on 7 12-hour shifts, followed by a 24-hour break and then 7 12-hour shifts, with the roster pattern commencing at a wide variety of times of day. Such roster patterns were conducive to cumulative sleep restriction and levels of fatigue likely to adversely influence performance on a significant proportion of occasions, and BHP had limited processes in place to ensure that drivers actually obtained sufficient sleep when working these roster patterns.

Safety issue details
Issue number: RO-2018-018-SI-05
Status: Open – Safety action pending

General details

Date: 05 November 2018
Time: 0440 AWST
Location: 211 km from Port Hedland (Nelson Point to Newman Railway)
State: Western Australia
Investigation status: Completed
Investigation level: Systemic
Investigation phase: Final report: Dissemination
Release date: 17 March 2022
Report status: Final
Occurrence category: Accident
Highest injury level: None

Train details

Line operator: BHP
Train operator: BHP
Train registration: M02712
Type of operation: Freight
Sector: Freight
Damage to train: Substantial
Departure point: Newman Mine, WA
Destination: Port Hedland, WA

Last update: 17 March 2022