 |
Web Hosting by Netfirms | Free Domain Names by Netfirms |
|
|
|
by Greg Gordon.
Introduction
Reliable computer assisted technologies are a fact of everyday life. Radio,
communication, food preparation,
entertainment, personal transport and medical life support systems all
require the successful involvement of
computers. Some applications of computer technology, like air and space
flight, require a high degree of
effective and reliable computer support without which such endeavours would
not be possible.
In
December, 1995, C.N. Rail introduced computer assisted, remote controlled
locomotive control system (LCS)
to its rail yard operations in Kamloops, British Columbia. The introduction
of this technology has allowed the
railway to further reduce the yard crew from three members (locomotive
engineer, yard conductor and assistant
yard conductor) to two (yard conductor and assistant yard conductor) allowing
the railway savings in labour and
other expenses.
This report attempts to summarize operating shortfalls, dangers and employee
concerns filed with the United
Transportation Union (UTU) in regards to the implementation and operation
of LCS technology in Kamloops
Yard.
Overview of Belt Pack Technology
It seems a relatively simple matter to operate a locomotive from a remote
location. The actual application,
however, has proven to be far less than simple, particularly to those whose
lives and jobs depend upon the
system.
According to the C.N. training manual, Beltpack Operator (flat yard), April
1995: “LCS equipment consists of:
• a ground based Repeater that extends the operating range of the Beltpacks
when operating in the yard;
• hand operated Beltpack controllers to send commands to the locomotive;
• locomotive based equipment that carry out the commands of the operator.”
The LCS system normally operates within the flat yard with the aid of a
repeating station which is located at the
east end of Kamloops yard. “The Repeater is a stationary amplification
device located at a central location in
the yard. It receives signals from the various controlling Beltpacks and
sends them to the operating locomotive.
The Repeater doubles the operating range of the Beltpack to approximately
2 miles.”
The LCS system requires that a minimum of two components maintain radio
communication with each other.
Simplistically, the receiver, on board the locomotive, and the senders,
worn by the operators, must maintain a
radio link of more six seconds or the LCS unit will initiate a built-in
“fail safe” device and apply train braking
systems.
Problems and Discrepancies
According to the C.N. training manual, Beltpack Operator (flat yard) of
April, 1995 (page 2 -3): “Locomotive
Control System (LCS) equipped locomotives can be remote controlled with
one or two radio operated Beltpack
controllers.
“Each controller is a small (6.5 lb. including harness) hand operated device
that gives an operator complete
speed and braking control of the locomotive up to approximately one mile
away.”
However, the LCS technology has allowed considerably less than complete
control to those operating the
equipment as evidenced by the considerable documentation filed with the
United Transportation Union. Hence,
operators appear to have little faith in the ability of LCS to stop their
trains, in the ability of the LCS “fail safe”
system to stop itself and, therefore, the employees ability to comply with
Canadian Rail Operating Rules
(CROR), General Operating Instructions (GOI) and C.N. Rail instructions.
1) Communication Failures
LCS communication (comm.) failures occur when radio communication between
the LCS components is
disrupted for a period longer than six seconds.
Between February 19, 1996, and March 20, 1997, there have been 40 UTU Belt
Pack Incident Reports (example
on page 15) filed by 19 C.N. Rail employees detailing specific problems
encountered with comm. failures.
During that time, there were 10 reports of continuous comm. failures (too
numerous to tabulate) and 182
individual comm. failures.
During a comm. failure, after six seconds of operator loss of control,
the fail safe device begins to set up a “soft”
train brake which, depending on the speed and consist of movement, may
take more than one minute to fully
bring to a stop. The operator may not know that the event is underway and
may also not know that he or she
may not have control of the movement. There is no warning that the event
is occurring. The operator may not
have access to the braking or emergency features of the Belt Pack system.
The operator may not have access
to the horn or bell features and therefore cannot provide warning to those
who are not in radio contact. The
headlights go to dim.
Belt Pack Incident Report filed Feb. 11/97 by C.N Rail employee B.T. Kilba:
“While ‘B’ box in control, loss of communication while switching when pulling
out of KF02 west with 1 CBRY flat car. I
had to put the consist into emergency to avoid a head-on collision
with an east bound train.”
Belt pack Incident Report filed Mar.23/96 by C.N. Rail employee Deborah
Kuipers:
“12 communication errors at Petro Canada probably due to heavy air traffic.
One of the communication errors occurred coming up to
McLean St. crossing. Headlights went to dim and bell stop ringing and we
slowly came to a stop. Fortunately we did not foul crossing.”
Belt Pack Incident Report filed Mar.9/97 by C. N. Rail employee Brian Campbell:
“10:47 Comm. Int. B box serial #BP055 recover & OK
1214 Comm. Int. A box serial # BP 055 recover & OK
1215 Comm. Int. A box Recover & start moving
1220 Pitching to B box and Comm Int. A box recover
1222 Comm. Int. recover train brake from A and B box now
1225 OK & moving again,
1229 Comm. Int. A box recover OK
1231 Comm. Int. A box changed battery in A box (battery =green charge)
1237 Comm. Int. A box again
1238 switched to B box only & set train
1253 only B box being used in selector ‘B’ & now Comm failure ‘B’ box
unit stopped in KF05 & tied down & waiting for LCS Mang to check
out unit.”
According to LCS Sub Committee Minutes of March 20, 1997: “Batteries continue
to be a challenge. Lots of
volts but no amps. T. Mang states that when a command is requested, train
brake for example, the request will
result in a communication failure.”
This is the first and only reference by C.N. Rail regarding this particular
LCS problem and it appears particularly
dangerous. At a time when an employee is requesting a train brake, the
system fails and, after a six second
time lapse, begins to slowly set up a soft train brake.
Belt Pack Incident Report filed Dec.26/96 by C.N. Rail employee G.S.Gordon:
“At approx. 1300, Dec. 20/96 both operating boxes rendered themselves inoperable
simultaneously. ‘B’ box died completely, ‘A’ box
(controlling) emitted a high pitch squeal, most lights came on and would
not control the movement. Nether my helper or I had access to
the emergency feature. Fortunately the movement was stopped while this
event occurred.”
Comm. failures can occur at any time and anywhere and, as the following
report details, are particularly
dangerous in confined circumstances.
Belt Pack Incident Report filed Dec. 19/96 by C.N. Rail employee J.S. Huntington:
“B box powered down resulting in loss of control of unit. Lost ability
to use emergency and, as a result hit hard and continued to push. 1
car derailed, 1 damaged. B box shut itself off while selector switch was
still turned on. The LCS locos should put themselves into
emergency in cases of comm. failure.”
The result of that particular comm. failure was derailment of equipment
with great potential for employee injury.
(Kamloops Scrap Iron spur (KN16) derailment Dec. 19, 1996, LCS communication
failure source: Root Cause
Investigation, Kamloops Inter-Departmental Safety and Health Committee).
There is no advice from C.N. Rail on
how operators should effectively deal with communication failures which
occur, on average, five to six times per
shift according to C.N. Rail LCS technicians.
1a) Self-Initiated Comm. Fail Tests
During a self-initiated comm. fail test conducted on the flat of the South
track at Kamloops at a speed of 15
MPH with two units and eight loads, it took 45 seconds for the fail safe
device to stop the movement
(Gordon/Pusiewich, March 1997).
Another self-initiated comm. fail was conducted in the presence of Brent
Harradine, Transport Canada Surface,
at the west end of Kamloops Yard, moving at 7 MPH from the Jitney track
to the City Main (slight uphill grade)
with two light units (7044-45). The units traveled for six to seven car
lengths without any apparent initiation of the
fail safe device. The movement had to be placed into emergency to stop
(Gordon/Pusiewich/Harradine, March
1997).
Recommendations:
A. That LCS operations be discontinued until such time as constant, uninterrupted
communication and
control can be maintained between the LCS components. LCS operators must
have the ability to control
their movements at all times.
B. The fail safe device activated during a communication failure be recalibrated
to place the movement in
the most restrictive brake application (emergency). Belt Pack operators
must thereafter be prohibited
from riding on the sides or ends of cars to prevent being thrown from,
or under, their movement.
C. That the LCS system be redesigned to issue an audible warning during
communication failures,
regardless of duration.
2) Operator Box Failures.
In
the field there have been a multitude of box failures ranging from complete
shut downs to squealing, multi
light-ups. There has been one recorded occurrence of simultaneous box failures
at which time neither operators
box was functional (Gordon/Collins, Dec. 26, 1996). All box failures result
in a communication failure.
Belt Pack Incident Report filed Feb. 5/97 by C.N. Rail employee Mike Baril:
“Fell down while crossing between cars. A box made the noise signaling
tilt time out but unit did not go into emergency. (Box was in tilt
position long enough for emergency application.) When I stood up A box
would not stop squealing and 4 MPH and Coast B lights would
not go out. Independent brake and speed controls did not respond. Had to
turn box off and on again to regain control”
Recommendation:
D. The operators LCS control box must be redesigned to provide safe and
reliable service.
3) Other LCS Failures
Belt Pack Incident Report filed March 14, 1996 by C.N. Rail employee Elliot
Arnouse:
“Slow to respond to commands. On return from Tolko, when selector lever
in 15 MPH position, attained speed of 25 MPH constantly.”
Belt Pack Incident Report filed Oct. 23/96 by C.N. Rail employee Jeff Stark:
“Stopped Beltpack unit at KF06. Went westward at 10 MPH on select lever.
Engine surged to 20+ MPH then engine was put to
emergency. Tim Mang called.”
Belt Pack Incident Report filed March 20/97 by C.N. Rail employee Brian
Campbell:
“0938 - Putting light units 7044 - 7045 to KF02 going 4 MPH and approx.
3 cars from joint I put selector lever to couple. I heard units start
revving up so I put selector to stop. Units were still increasing in speed
so I put units into emergency and stopped approx. 2 feet short of
joint.”
Belt Pack Incident Report filed Feb. 17/97 by C.N. Rail employee Tim Priestley:
“While in control of the consist 7045 & 7012 with ‘A’ box I tied onto
two cars in KF02. Proceeding westward approximately 6 car lengths at
4 MPH the consist was struggling to reach the speed of 4 MPH which the
box was set at and didn’t seem to go much more than 1 or 2
MPH until I set the box to stop the consist seemed to surge and speed up.
I had to put the box into emergency stop to actually stop it."
Recommendation:
E. That on board LCS components be redesigned to provide safe, reliable
service.
4) Variations in the Operation of the LCS Fail Safe Devices.
There appears to be a great deal of variation between the reactions of
the fail safe device that the
locomotive control system applies during a comm. failure. That variance
currently is an unknown factor to
operators and there is no applicable instruction or advice from the railway
on testing.
Recommendation:
F. That testing of the fail safe feature be undertaken by the railway to
determine safe operating practises
and parameters. This information must be made available to employees.
5) Micro Communication Failures (Loss of Control under Six Seconds).
As well as communication failures in excess of six seconds there are also
those that occur with a
duration of less than six seconds which have been termed micro-comm. failures.
Operators currently
have no way of knowing when there has been a loss of control of the movement
of under six seconds.
This type of failure makes it difficult for operators to develop consistent
work habits as they never know
how the equipment is going to react to their commands. For example, on
one occasion, an operator
might stop well short of a joint. On the next, because of an unknown loss
of control, the operator might
slam into the equipment on the standing track.
It also seems possible that a series of under six second comm. failures
could occur with very brief
periods of control returning in between those events. Again, as with all
communication failures, the
operator has no knowledge that the event is occurring.
Recommendation:
C. That the LCS system be redesigned to issue an audible warning during
communication failures
regardless of duration.
6) LCS Brake Failures
There appears to be evidence that water collecting in the compressor tanks
of the units interacts with the
LCS equipment to the detriment of the braking system. As a result, on four
reported occasions, brake
failures have caused units to overrun switches. It has been reported that
during those events, the brake
cylinder pressure gauge read a maximum of 15 PSI instead of approximately
40 PSI, indicating that a
much reduced braking effort had taken place.
CN Rail LCS Defect Notice filed Feb.5/97 by employee G.S.Gordon:
“Locomotive number 7222
Engine sometimes sets up an independent brake of 15 PSI light unit when
stop is requested.”
Belt Pack Incident Report filed Feb. 20/97 by C.N. Rail employee G.S.Gordon:
“At 15:08 I requested full stop. Unit 7222 set up 15 PSI on Independent
brake only causing me to overrun switch by one car length.
Checked independent brake cylinder pressure gauge to confirm which still
only read 15 PSI after stop.”
Recommendation:
G. Belt Pack operators must be trained to remove condensation from compressor
tanks. C.N. Rail must
determine frequency schedule.
7) Lack of Reporting among Operators
Currently, there is no reporting between shifts. Given the considerable
documentation of operator
encountered problems and safety concerns, there appears a value in requiring
Beltpack operators to fill
out Form 538 D, if only to ensure continuity of reporting.
Recommendation:
H. Belt Pack operators must report locomotive and LCS system defects and
anomalies on C.N. Form
538 D.
8) Inadequate and/or Dangerous Beltpack Controls
The Beltpack control box currently has a nullifying feature, the tilt time
extend, which temporarily
disables a safety feature, the tilt time out.
According
to the Belt Pack Operator (flat yard), April 1995, page 2 - 8:
“Tilt Time Extend button extends the allowable tilt time. If the operator
anticipates having to tilt the Beltpack for
more than a few seconds, pushing the Time button extends the allowable
tilt time to 60 seconds.”
In practise, the nullifying feature is usually activated at a time when
the safety feature is needed most—when
the worker is in close proximity to moving equipment. The tilt time extend
feature violates C.N. Rail safety
instructions found in G.O.I.
CN Operations Safety Rules page 10, item 1.8:
“Employees are prohibited from any act which defeats the purpose of a safety
device, electrical fuse or pressure
safety valve.”
Recommendation:
I. That the tilt time extend feature be removed from the operator’s box.
An ever present danger to operators is that the speed and brake selector
levers can be inadvertently
struck and the movement accelerated or decelerated accordingly.
Belt
Pack Incident Report filed Feb.29/96 by C.N. Rail employee Deborah Kuipers:
“1615 - Communication error from ‘A’ - cause unknown
1650 - Communication error from ‘A’ cause unknown
1755 - bumped brake toggle to emergency while entraining
1810 - tilt-time out while pulling pin
2035 - bumped brake toggle to emergency while riding in unit
Braking delay with the 7046 is very long. Unit is jolty in couple and 4
MPH. Both of us lost our balance while walking on the catwalk of the
unit in 4 MPH.”
Belt Pack Incident Report filed Mar.7/97 by C.N. Rail employee G.S. Gordon:
“While lining north track switch I placed unit in couple. When I lined
switch, the unit surged ahead. To stop, I placed movement in
emergency to protect private crossing. Box had placed itself in 15 MPH
without my knowledge.”
Belt Pack Incident Report filed June 17/96 by C.N. Rail employee Pierre
Trottier:
“I was lining up two long drawbars in KC13 when I heard the bell on engine
go off. Engine was approx. 4 cars away. I immediately
removed myself from between the cars thinking I had actually tripped the
bell. I looked down at my box and my selector lever was in 10
MPH and the cars, at the same time as I looked down, began to move. I immediately
put it to stop.
“Somehow, and I have no idea how, I must have knocked the reset button
and the speed selector button causing a movement.
“Quite often the bell toggel switch does get accidentally turned on and
I initially thought that’s what had happened but much to my
horror, I accidentally caused a movement.”
Belt Pack Incident Report filed June 17/96 by C.N. Rail employee G. Payer:
“Tied onto car. Stopped throttle control, went into to do up hose and in
an instant my arm must of touched the speed control and the
engine bell started ringing and the engine started moving.”
Belt Pack Incident Report filed June 6/96 by C.N. Rail employee Mike Baril:
“While removing hand brake of car at Balco unit started to move. Somehow
red button and speed lever were activated and unit and cars
were headed for end of track and fence. Just had time to stop it before
it caused damage.
Recommendation:
J. That Belt Pack operator boxes be redesigned to provide positive locking
features on the speed, braking
and reverser controls.
9) Movement Control Problems
LCS is very slow to respond to operators’ commands. It is also difficult
to operate Beltpack box selectors
when riding on the side of a car, particularly when the movement might,
at any moment, decelerate or
accelerate to point where the operator can be thrown from the side of the
car.
Recommendation:
K. Operators should be prohibited from riding the sides or ends of moving
equipment other than
locomotives.
10) Leading Point Protection
Currently, the railway has defined “known to be clear” in the Rule 83 monthly
reissue of bulletins as
“seen to be clear of equipment” and also states that advice to that effect
can be accepted from
supervisory personnel. No mention is made about the yard conductor’s responsibility
towards coworkers
or other persons who might be in the area. This ambiguity can lead operators
to believe that leading end
protection is not required if no equipment is seen in the area; however,
one must again refer to the
training manual Beltpack Operator (flat yard), April 1995, to determine
responsibilities. According to
“Changes to GOI and CROC, GOI-Section 6, Item 6.1 General [4]:
“When
operating in remote mode (under Beltpack control), the controlling operator
must always be stationed at
the leading point of the movement or in clear view of it. Such crew member
must also be in position to warn
persons standing on, or crossing, or about to cross the track.”
Clearly, the Yard Conductor must always require his assistant to be on
the leading end of, or in front of, the
equipment as those are the only positions that afford a clear view of both
sides of the movement.
Recommendation:
L. That all ambiguity in regards to LCS operations be removed from CROR
and GOI rules, and that all
safety instructions take into account the unique operating characteristics
that Belt Pack presents.
11) Potential for Rule Violations and Non-compliance
In
practise, C.N. Rail violates Rule 83 by compelling Belt pack operators
to work with defective equipment.
Rule 83, Pacific District re-Issue of Bulletins for the Month of March,
page 11 (in part) reads: “BeltPack Failure
If a Beltpack fails during a shift, it must be changed out at the earliest
opportunity. The shift may continue by
placing the Beltpack selector lever switch to either A or B and operating
with only one Beltpack until the
defective Beltpack is replaced. B/O Beltpack must be delivered prior to
release of spare.”
Belt Pack Incident Report filed Mar.26/97 by C.N. Rail employee G.S.Gordon:
“Eng.7214 @ 0855 ‘A’ box failed (dead) requested replacement.
Eng. 7214 @ 0900 ‘B’ box failed (dead) requested replacement.
Eng. 7044 @ 0916 ‘A’ box failed (dead) requested replacement.
At 0914 I was asked to use the same 7214 boxes. I refused acct. they were
not replaced or repaired. At 1002 LCS Tech. Mang gave me
back 7044 “A” box. No repairs--no replacement. I’m being forced to work
with defective equipment.”
Belt Pack Incident Report filed March 21/97 by C.N. Rail employee G.S.Gordon:
“At 1501 ‘A’ box malfunctioning (dead) requested box to be changed per
monthly reissue. Not done. Finished shift with ‘B’ box only.”
Belt Pack Incident Report filed Mar.21/97 by C.N. Rail employee G.S. Gordon:
“‘A’ box fail at 10:03. Tried to comply with instructions found in Monthly
Re-Issue but told to change battery and keep working.”
Belt Pack Incident Report filed March 24/97 by C.N. Rail employee G.S.
Gordon:
“ At 09:50 ‘A’ box went dead. I requested that the yard coordinator have
the box changed per monthly re-issue instructions. I changed
system set up to ‘B’ box only. At 0957 ‘B’ box went dead. We couldn’t move
as no boxes were functioning.
“At 10:11 I was asked to attempt to restart the system and keep working
under the authority of David James, Assistant Superintendent. I did
that and we had another comm. failure at 10:25. The failed boxes never
were changed out or repaired.”
It should also be noted that is no available training or instruction in
regards to operating with only one operator’s
box functioning. In practise, and in consideration of the loss of operator
control resulting from frequent
communication failures, it is imperative that the assistant yard conductor
be in close proximity to the
emergency brake valve in the locomotive at all times.
Recommendations:
M. That C.N. Rail comply with its instructions in regards to defective
LCS equipment.
N. That C.N. Rail issue adequate training to operators regarding single
Belt Pack box operation.
There are many rules and regulations that operators may have difficulty
in complying with in
consideration of the frequent loss of operator control, for example:
CROR Definitions (CROR page 7)
“Reduced Speed
A speed that will permit stopping within one-half the range of vision of
equipment.”
How are operators expected to comply with this rule in consideration of
communication failures and the
apparent variations of the application of the LCS fail safe feature (i.e.
soft brake)?
CROR
Rule 13 (CROR p. 18, in part)
“Engine Bell
(a) The engine bell must be rung when:
(iv) one-quarter of a mile from every public crossing at grade (except
within limits as may be prescribed in
special instructions) until the crossing is fully occupied by the engine
or cars.”
How do Belt Pack operators comply with this rule during a communication
failure which renders bell, whistle
and headlight control box features inoperable from the LCS control box?
Belt Pack operators are also required by rule to stop their movements between
6 - 12 feet from all joints, not
only those on passenger equipment, and/or locomotive consist of three or
more units. In consideration of
communication failures, how do employees approach such circumstances? There
is no advice from the railway
on any of these important issues.
Recommendations:
O. That C.N. Rail rewrite the CROR and GOI, safety instructions and Belt
Pack training manuals to
adequately reflect the unique and dangerous operating characteristics of
Belt Pack.
P. That C.N. Rail provide adequate training to employees in regards to
complying with rules and
instructions.
12) Operator Abilities and Other Safety Concerns
It is interesting that many jurisdictions within Canada and the United
States are considering banning the
use of cellular telephones while in moving vehicles. The rationale appears
to be that most human beings
are not capable of safely performing the two tasks at the same time and
that the drivers attention should
not be diverted from the safe operation of the automobile.
In the application of that rationale to LCS technology, the Beltpack operator
not only has to perform
those functions, but has the further disadvantage of doing it from a remote
location. The LCS yard
conductor is solely responsible for the safe operation of his/her train,
must answer or initiate inquiries on
his/her radio, and must properly instruct the assistant yard conductor.
The yard conductor must also
ensure the integrity of the movement’s consist, is responsible for the
leading end protection of the
movement, and must be aware of other railway and vehicular movements that
occur in very close
proximity.
Under these conditions, it seems very easy to succumb to sensory and information
overload.
Recommendation:
Q. That, where possible, vehicular traffic in close proximity to Belt Pack
operations be restricted to 20
KPH.
Revised and reprinted in the interest of safety, August 14, 1997.
