Limitations in Queensland Rail’s application of risk management and change management processes relevant to the introduction of the new generation rollingstock (NGR) increased the risk of a start against signal SPAD (signals passed at danger).
BHP's fatigue management processes required its train drivers to be rostered on 7 12-hour shifts, followed by a 24-hour break and then 7 12-hour shifts, with the roster pattern commencing at a wide variety of times of day. Such roster patterns were conducive to result in cumulative sleep restriction and levels of fatigue likely to adversely influence performance on a significant proportion of occasions, and BHP had limited processes in place to ensure that drivers actually obtained sufficient sleep when working these roster patterns.
The automatic train protection (ATP) and electronically controlled pneumatic braking (ECPB) systems on BHP’s trains could not interface to dump brake pipe pressure if an ECPB emergency or penalty brake application became ineffective in arresting an uncommanded train movement.
Although operating instructions OI 17-11 (5 April 2017) and then OI 18-72 (3 November 2018) contained a safety-critical action (to apply the automatic brake handle to the pneumatic emergency position), BHP did not clearly communicate the importance and reasons for the safety-critical action to drivers, reducing the potential for the drivers to correctly recall this procedural action.
The task of responding to brake pipe emergencies or penalties relied extensively on a driver’s memory, with limited processes in place to facilitate or cross-check a driver’s performance to ensure all safety-critical actions were completed.
Although BHP’s risk assessment for a rail-mounted equipment interaction incident identified numerous causes and critical controls for such an incident, it was broad in scope and had limited focus on the causes and critical controls for a train runaway event. In addition, the risk assessment did not include the procedure for responding to brake pipe emergencies and penalties as a critical control and BHP’s material risk control assessments (MRCAs) did not test the effectiveness of this procedural control for preventing an uncommanded movement of a train during main line operations.
There were inconsistences with Sydney Trains’ application of their fatigue management system, in particular the the use of a bio-mathematical model to predict individual fatigue risk. (Safety issue)
Sydney Trains did not provide supervision at Granville signal box to ensure there was adequate coverage on both signalling panels. (Safety issue)
The ASB rule NWT 308 and procedure NPR 703 did not provide sufficient description for the task of using protecting signals for an alternative route. (Safety issue)
The absence of authority-overrun protection (such as TPWS) at signal SST535 increased the potential consequences of a SPAD.
The train crew had not been trained to use forced lead function which would likely have allowed the train crew to regain control of the locomotives
Aurizon did not ensure train crews had a consistent understanding of how to safely change ends on banking locomotives
The park brakes were ineffective in holding the locomotives on the grade in Ardglen Yard
There was an unapproved practice occurring during Track Work Authority of asking the Outer Handsignaller to remove Railway Track Signals from the track as a train was closely approaching in order to let it run free, which placed the Outer Handsignaller at risk of being struck by the train.
Prior to the signal passed at danger (SPAD) occurrence in January 2018, Queensland Rail did not routinely and systematically analyse recorded data to determine driver compliance with key operational rules that had been designed to minimise the risk of SPADs.
After mandating the use of risk triggered commentary driving (in 2011) to mitigate the risk of signals passed at danger, Queensland Rail Citytrain did not provide the necessary support to its trainers, assessors and drivers to effectively maximise the potential benefits of the technique and minimise the potential limitations or risks associated with the technique.
The automatic warning system (AWS) provided the same audible alarm and visual indication to a driver on the approach to all restricted signals (that is, double yellow, yellow, flashing yellow and red aspects). The potential for habituation, and the absence of a higher priority alert when approaching a signal displaying a red aspect, reduced the effectiveness of the AWS to prevent signals passed at danger (SPADs). This placed substantial reliance on procedural or administrative controls to prevent SPADs, which are fundamentally limited in their effectiveness.
Queensland Rail’s management oversight of the Citytrain driver maintenance of competency (MOC) process did not include planned assurance activities or regular and effective auditing of how the MOC assessments were being conducted, even after there were multiple indications that the process was not being conducted as designed.
Pacific National’s inspection processes did not identify key structural points for inspection on RRYY class wagons, including the susceptibility to cracking in the junction between container loading outriggers, pull rod boxed opening, and the bottom centre sill sections. This reduced the likelihood of cracks being detected.
The ARTC systems for managing track lateral stability did not lead to the location being managed as a location potentially vulnerable to instability.
Response by Australian Rail Track Corporation (ARTC)
