The more I am reading about the 1 hour release makes it seem like the Boeing people that hid operating features from pilots in the 737 MAX the Lion Airlines crashed had a hand in the logic stream
If operators KNOW how things actually work, they tend to make them work correctly even when s..t happens.
Never too old to have a happy childhood!
Thanks Balt. Great description of the MCAS issue. Boeing is in for a big liability case I suspect. I wonder what defense they have as to why they didn't provide meaningful knowledge to the airlines and their pilots.
In reading through the AAR instructions, I am looking for something like “System-Generated Total Brake Release.” So far, I have not found anything like that.
Look carefully at section 4.3.17 of AAR S-4200.
What happened to the BHP train is clearly indicated in that paragraph, but in about four disconnected sentences.
As you said, the cable break cut off the EOT signal which resulted in a 120% ECP brake application.
If no action was taken to make a pneumatic brake application, the power to the CCD was cut to conserve the batteries and the ECP brake application was released as part of the power down feature.
However, I must correct my earlier misapprehension. This state still allowed brakes to be operated pneumatically using the ECP valves and battery power. Only the ECP system was isolated.
Had BHP's ATP system been able to direct a pneumatic brake application rather than commanding an ECP application (as appears to be the case) the train could have been stopped at low speed at the signal location (there are no actual signal lights) at Garden South, one kilometre from the emergency stop location.
I guess nobody expected a train to be moving on the main line with ECP completely shut down. In retrospect this was a serious omission.
But the whole situation is clearly set out by 4.3.17 in S-4200.
Peter
ECP does not equal K.I.S.S.
Okay Peter, I do see that now in section 4.5.17.
So, if this system is running its one hour timer, and a pneumatic application is not in effect, why not have the system recognize the lack of pneumatic application and not release the brakes? Why not error on the side of not causing a catastrophic runaway, just to conserve battery power? Where is the common sense?
This is a death trap just waiting for somone who thinks a train that has been stopped by applied brakes will remain stopped unless someone intentionally releases the brakes.
I'm still trying to figure out someone's logic in deciding the piority when designing the system: In order to save battery power you release the brakes on a train.
(Edit:) I was writing this while Euclid was writing his entry. Doesn't the system still have the emergency application capability if the train air drops? It seems like that would be the logical way to do it when the time expires.
_____________
"A stranger's just a friend you ain't met yet." --- Dave Gardner
Euclid Okay Peter, I do see that now in section 4.5.17. So, if this system is running its one hour timer, and a pneumatic application is not in effect, why not have the system recognize the lack of pneumatic application and not release the brakes? Why not error on the side of not causing a catastrophic runaway, just to conserve battery power? Where is the common sense? This is a death trap just waiting for somone who thinks a train that has been stopped by applied brakes will remain stopped unless someone intentionally releases the brakes.
Like the unfortunate driver who is currently being blamed for the whole catastrophe....
But the guys in the AAR committee made their decisions in a conference room or at their desks, with a full understanding of how the system was configured.
It probably didn't seem strange to them that an additional pneumatic brak application should be made to indicate to the system that braking would continue to be required.
They weren't on the ground in the dark, 130 miles from the nearest town on the steepest grade on the system with a radio and a flashlight looking for a separated cable connector.
So far we don't know where the separated connector was in the 238 cars, except that it probably wasn't in the first twent cars from the locomotive if it was still being looked for an hour after the stop.
An emergency ECP application is a very serious reponse to a failed connector. How much ECP braking capability was lost? Since the air pipe was intact, the train could have continued on Westinghouse alone, perhaps at reduced speed if the system had bee able to determine what proportion of ECP braking remained active and if that permitted a controlled stop.
I'm sure the AAR guys were thinking of a train separation or derailment when the arrangements were decided. If most of the train is off the track, what's the danger in releasing the brakes?
Remember that much recent ECP discussion in the USA was wheher ECP would stop a train of tank cars faster in a derailment. So a rapid emergency response was top of the list.
But clearly, nobody expected what happened when the train ran away.
M636C Euclid Okay Peter, I do see that now in section 4.5.17. So, if this system is running its one hour timer, and a pneumatic application is not in effect, why not have the system recognize the lack of pneumatic application and not release the brakes? Why not error on the side of not causing a catastrophic runaway, just to conserve battery power? Where is the common sense? This is a death trap just waiting for somone who thinks a train that has been stopped by applied brakes will remain stopped unless someone intentionally releases the brakes. Like the unfortunate driver who is currently being blamed for the whole catastrophe.... But the guys in the AAR committee made their decisions in a conference room or at their desks, with a full understanding of how the system was configured. It probably didn't seem strange to them that an additional pneumatic brak application should be made to indicate to the system that braking would continue to be required. They weren't on the ground in the dark, 130 miles from the nearest town on the steepest grade on the system with a radio and a flashlight looking for a separated cable connector. So far we don't know where the separated connector was in the 238 cars, except that it probably wasn't in the first twent cars from the locomotive if it was still being looked for an hour after the stop. An emergency ECP application is a very serious reponse to a failed connector. How much ECP braking capability was lost? Since the air pipe was intact, the train could have continued on Westinghouse alone, perhaps at reduced speed if the system had bee able to determine what proportion of ECP braking remained active and if that permitted a controlled stop. I'm sure the AAR guys were thinking of a train separation or derailment when the arrangements were decided. If most of the train is off the track, what's the danger in releasing the brakes? Remember that much recent ECP discussion in the USA was wheher ECP would stop a train of tank cars faster in a derailment. So a rapid emergency response was top of the list. But clearly, nobody expected what happened when the train ran away. Peter
I would hate to be on the scene of a derailment of a ECP train, where after an hour the brakes released on a portion of the train that was still on the rail stopped on a down grade and those cars take off rolling into the main scene of derailment.
Seems as if the people that designed this standard had very little real knowledge of train operations and how to ensure safety.
Paul of Covington I'm still trying to figure out someone's logic in deciding the piority when designing the system: In order to save battery power you release the brakes on a train. (Edit:) I was writing this while Euclid was writing his entry. Doesn't the system still have the emergency application capability if the train air drops? It seems like that would be the logical way to do it when the time expires.
At least in theory, you have the oprtion to tell the system to leave the brakes on by making a pneumatic brake application. This apparently tells the system that brakes are required and the ECP Emergency Application does not cancel after one hour.
If you don't make such an application, the system u nderstands that brakes aren't required and turns of the ECP signal and the CCD units, releasing the brakes.
It probably seemed quite logical to the Committee at the time.
The problem is that this is a very little known feature and in the case of BHP with fixed formation unit trains, separation of a connector was a very rare occurence so loco crew had no experience of what to do.
But I'm not trying to say that it was a good idea.
The thinking was that after a breakdown of ECP communication, the train would have to continue using air brakes and the batteries were needed to operate the air valves. BHP only have one type of locomotive, around 180 SD70ACes, all of which have ECP braking, so the likelihood of needing to use the air brakes isn't that great. But this was an AAR Committee who expected ECP to be an exception among conventional trains. So their thinking was to be able to run the train using air brakes after any ECP failure.
Writing standards at a conference table leaves a lot of 'field intellegence' behind.
When you are out of the elements - the elements are out of you!
M636C Paul of Covington I'm still trying to figure out someone's logic in deciding the piority when designing the system: In order to save battery power you release the brakes on a train. (Edit:) I was writing this while Euclid was writing his entry. Doesn't the system still have the emergency application capability if the train air drops? It seems like that would be the logical way to do it when the time expires. At least in theory, you have the oprtion to tell the system to leave the brakes on by making a pneumatic brake application. This apparently tells the system that brakes are required and the ECP Emergency Application does not cancel after one hour. If you don't make such an application, the system u nderstands that brakes aren't required and turns of the ECP signal and the CCD units, releasing the brakes. "It probably seemed quite logical to the Committee at the time." But I'm not trying to say that it was a good idea. The thinking was that after a breakdown of ECP communication, the train would have to continue using air brakes and the batteries were needed to operate the air valves. BHP only have one type of locomotive, around 180 SD70ACes, all of which have ECP braking, so the likelihood of needing to use the air brakes isn't that great. But this was an AAR Committee who expected ECP to be an exception among conventional trains. So their thinking was to be able to run the train using air brakes after any ECP failure. Peter
"It probably seemed quite logical to the Committee at the time."
Seems like 'an unexpected problem'; maybe unanticipated? Humans wrote the program, and humans rested and approved the program... So here is the poor Driver, reacting in a situation that was complicated by a prograned system that was not designed to function within those parameters.(?).
It just cost $$ 50 MIllion Bucks (Aus), more or less; and see who walks the plank?
The Australian Office of the Rail Safety Regulator has shut the stable door some days after the horse bolted...
https://www.onrsr.com.au/__data/assets/pdf_file/0020/22475/Safety-Alert-RSA-2018-002-ECP-Braking.pdf
If anyone finds an ECP system not configured to AAR S-4200, i'd be amazed...
The week after the derailment, BHP was fined $A 500 million for tax evasion.
The derailment was not significant compared to that.
From BHP Safety Alert No. RSA-20ID-002 (in red text):
“ECP braking systems that comply with the American Association of Railroads standard AAR S-4200 have a software feature designed to preserve battery life on the ECP fitted wagons by releasing the electronic brakes on a train in circumstances where:
An electronic brake is applied by the ECP system
There is no communications between the ECP system on board the lead locomotive and the end of train; and
Sixty minutes has elapsed from the last communication.
Where these conditions exist the ECP braking system will release creating the risk of a rollaway incident unless the air pressure within the braking system has been released to atmosphere.”
In this wreck, the three conditions did exist, and so the system automatically released the brakes for the purpose of preserving battery life. This seems characteristic of the programing culture that tends to include features intended to snare us to prove a point. Walmart automatic checkout has a handy feature in which it dumps all of your scan data if you pause just a little too long—Gotcha! Then you must take all your items out of the bags and scan them again.
In the case of BHP, the need to make a pneumatic application in order to prevent ECP from automatically releasing in one hour is entirely counter-intuitive, relying solely on a human operator to remember the procedure step. If the operator happens to overlook this fine point—Gotcha! The automatic system proves it is smarter than the operator who is left to take the blame for a $50 million runaway.
Which is worse: A massive wreck that destroys most of an entire loaded train; or a train with dead batteries?
The first thing to remember about railroad rules in the 21st Century. The Lawyers get the final say on how the rules are stated no matter what the railroader or the bean counters want the rules to state. Second - Lawyers write the rules in a language known as 'Gotcha'. Once rules have been written in Gotcha the employee is always the violater and the company is held harmless. I suspect this applies to all the the companies that operate trains on steel rails for whatever the purpose and whatever the language.
It seems to me that BHP releasing this new directive about the hidden hazard of the brake program is admitting that they were blindsided by it just like the engineer was. I think they owe an apology.
Your quote was from the bulletin issued by the Office of the National Rail Safety Regulator, not BHP, the operator of the train.
The purpose of the bulletin was to warn the other operators using similar ECP brakes that this condition could affect them.
Trains with ECP braking complying with AAR S-4200 operate on three other iron ore systems in Western Australia and coal trains are operated by three operators on state owned track in the New South Wales Hunter Valley and by three operators in Central Queensland. There are stone aggregate trains in southern NSW that use S-4200 ECP brakes. All the trains outside Western Australia operate on track shared with frequent passenger trains.
This is an official warning to operators from a Federal Government agency.
The following actions should be taken by rail transport operators utilizing ECP braking systems:
Conduct an assessment of the interaction between the ECP braking system and the mechanical pneumatic braking system following an unexpected (penalty) braking intervention on a train configured for ECP braking.
Determine whether the ECP braking system is designed to the AAR S-4200 standard
Determine whether the sixty minute release has been programmed within the ECP braking software
Conduct a risk assessment on the use of ECP braking for the prevention of the event of a rollaway incident.
Conduct a risk assessment on the effectiveness of the ATP system in the event of an ECP braking system failure.
This advice is effective immediately
Peter,
Thanks for clarifying that. I don’t quite understand the basis of the above recommendations from the National Rail Safety Regulator. The statement uses terms such as “determine whether” and “conduct a risk assessment,” and “conduct an assessment of the interaction.”
The terms suggest that the behavior of these operational details is not known and must be learned due to what has been revealed by the BHP runaway. Why would there be any question as to the risk, the programming, the interaction between braking types, and effectiveness of the ATP system? It would seem that the entire system did what was intended.
Euclid. Why would there be any question as to the risk, the programming, the interaction between braking types, and effectiveness of the ATP system? It would seem that the entire system did what was intended.
BaltACD Second - Lawyers write the rules in a language known as 'Gotcha'. Once rules have been written in Gotcha the employee is always the violater and the company is held harmless.
Second - Lawyers write the rules in a language known as 'Gotcha'. Once rules have been written in Gotcha the employee is always the violater and the company is held harmless.
That pretty much applies to rules established by any employer. OTOH, the one-sidedness of the rules have on occasion been used against the employer in court.
Euclid The following actions should be taken by rail transport operators utilizing ECP braking systems: Conduct an assessment of the interaction between the ECP braking system and the mechanical pneumatic braking system following an unexpected (penalty) braking intervention on a train configured for ECP braking. Determine whether the ECP braking system is designed to the AAR S-4200 standard Determine whether the sixty minute release has been programmed within the ECP braking software Conduct a risk assessment on the use of ECP braking for the prevention of the event of a rollaway incident. Conduct a risk assessment on the effectiveness of the ATP system in the event of an ECP braking system failure. This advice is effective immediately Peter, Thanks for clarifying that. I don’t quite understand the basis of the above recommendations from the National Rail Safety Regulator. The statement uses terms such as “determine whether” and “conduct a risk assessment,” and “conduct an assessment of the interaction.” The terms suggest that the behavior of these operational details is not known and must be learned due to what has been revealed by the BHP runaway. Why would there be any question as to the risk, the programming, the interaction between braking types, and effectiveness of the ATP system? It would seem that the entire system did what was intended.
That bulletin is the first thing I have ever seen from the Office of the National Rail Safety Regulator. I've checked their website since and they have some interesting annual statistical summaries. They issue occasional bulletins as listed on the website.
Normally, we would expect the Australian Transportation Safety Board to investigate this incident. A preliminary summary is on their website. But apparently ATSB didn't go up to the site, but ONRSR did.
This might be explained by your comment that everything worked as designed.
ONRSR may have gone to site precisely because everything worked as designed and a serious incident resulted.ATSB didn't because there was nothing to investigate - the problem was the system working as intended.
I know nothing about the ONRSR personnel but I assume some of them have rail experience. The location of the head office was decided by determining which state needed the most Federal Money to stay solvent and they got the new organisation.
The statements about the ECP system suggest there may be ECP systems that don't comply with AAR S-4200. If so I haven't seen any. Every connector I've seen on any system is to the AAR pattern. Every labelled control box indicates S-4200 compliance. Perhaps they are just hedging their bets or perhaps they haven't actually gone out and looked.
The ATP comments are different. Each system has probably specified slightly different systems, although they are probably built from a standard set of components. As has been indicated earlier, I don't think BHP realised that their system would not stop a train under the conditions that occurred as a result of the ECP shutdown. In retrospect, the problem is clear, but it probably didn't occur to the ATP designers that some features buried in S-4200 would rise up and bite them.
Operators should check their ATP systems, if any, to see if an ECP shutdown will render it ineffective. I don't know if FMG and Roy Hill have ATP but I doubt it. Rio Tinto obviously have such a system although the Autohaul remote control should allow directed air brake application indepedent of ECP or an ATP warning anyway.
ATP is used in Queensland but on main lines, not on the heavy haul coal lines and I think ECP is only used on the coal lines (but not by all operators yet).
I have a photo taken in August 2004 from the 210km, showing a train hauled by an AC6000CW and an SD40 approaching. in the background, I can see the train continuing through the 211 km where the train in question was stopped by the open connector.
It is early afternoon and the sun is shining from a blue sky on the blue green bluffs forming the Chichester ranges.
Had the ATP worked, the runaway would have been stopped as it passed the location from which I took the photo.
The locomotive crewman's error allowed the train to run one kilometre.
The failure of the ATP system allowed to run another 91 km, accelerating to 110km/h (70mph).
BaltACDOnce rules have been written in Gotcha the employee is always the violater and the company is held harmless. I suspect this applies to all the the companies that operate....
Technically, the battery-saving automatic release of air brakes is fine if the operator follows the procedure to prevent the automatic release under circumstances in which that release poses a danger.
But the reasoning behind the automatic release has a fatal flaw because there is a great likelihood that an operator would forget or overlook the fact that a full brake application made for a safety reason would then turn around and cancel itself on its own, with no warning, after a timer runs one hour. With just a tiny bit of common sense, one can see that it is a major accident waiting to happen.
The system should not be made to default to a potentially catastrophic brake release that will automatically execute for the purpose of saving battery charge unless the operator overrides that default action. Instead, the system should default to the safe condition of sustained brake application, and then give the operator the option to override that default action for the purpose of saving battery charge. That is common sense.
Making this automatic response even more dangerous is the fact that it would rarely occur, thus making any practical awareness or anticipation of it unlikely. The process is also counter-intuitive with all train brake practice developed and understood by practical use over decades.
Nobody would naturally expect an advanced brake system that boasts greater safety, to make an autonomous brake application to stop the train for safety reasons; and then a little later, automatically release that brake application; simply because the operator did not make a second manual brake application in order to switch off the sudden release of the first brake application. I doubt than anybody in the committees that developed the procedure thought it through and considered all of the consequences.
The AAR represents an industry that does not use ECP brakes and also opposes the use of them. So why would the pioneering users of ECP brakes in other countries follow the programing and protocols developed by the AAR? Why wouldn’t those pioneers just develop their own programming and procedures, so they know they are reliable?
My suggestion to the AAR is to write a few LOC and subroutines that interrogate and activate functions of the vigilance device(s) on the locomotive starting about 5% above critical battery voltage. And set the brakes via the 'penalty' arrangements of the vigilance system if the right response isn't received by the time automatic reset is received.
In essence, if there is no one responding in the cab to handle the impending brake release, the brakes will automatically be applied fully.
A little extra tinkering will give a 'distinctive ring' on the vigilance HMI for this specific function, to distinguish it from train-control concerns. I would be tempted to use synthesized voice clips.
This fixes the issue completely with no further Mickey Mouse FSM mislock opportunities...
Nothing brake related should ever FAIL with movement being a option. Brakes must fail with the braked vehicle being stopped - ALWAYS.
If we're going to discuss operation of ECP brakes, maybe we should look at the operator's manual. I haven't looked at completely yet, but here is NYAB's info.
www.nyab.com/media/nyab_1/documents_1/technical/instructionpamphletsip/IP-237.pdf
Jeff
jeffhergertIf we're going to discuss operation of ECP brakes, maybe we should look at the operator's manual. I haven't looked at completely yet, but here is NYAB's info. www.nyab.com/media/nyab_1/documents_1/technical/instructionpamphletsip/IP-237.pdf Jeff
NYAB Technical Manual5.10.1.10 Low T/L Voltage A. If the trainline power remains off, the % operable brakes will decrease until an alarm or penalty occurs. To make it more visible and attract the driver’s attention, a crew message will display "LOW T/L POWER" whenever the trainline power is turned off. B. This alarm will be provided in either ECP RUN or SWITCH mode. If trainline power is being commanded ON (sections 4.1 & 4.2) and the ECP EOT or Trainline Power Supply determines that trainline power is not active (less than approximately 100 VDC) an alarm message Low T/L Voltage will be displayed, the TL PWR display turns yellow and an audible tone will be given. C. This alarm is an indication that trainline power is very low and may no longer be available. Refer to Section 5.0 to correct this problem. The CCDs will continue to operate normally using their battery power. If the CCDs then cut-out, the ECP braking on that car will release and ECP braking will not be available on that car. When operating in ECP RUN mode, as CCDs cut-out, the percent operable will decrease and a penalty brake will be applied as described in section 5.10.2.5, 5.10.2.6 and 5.10.2.10. When operating in ECP SWITCH mode, the percent operable is not monitored and is therefore unknown.
blue streak 1We believe that it has been stated that the US system retains the triple valve?
I didn't see this before.
This isn't an AAR standards issue; it's a (possibly proprietary by manufacturer) way to implement 'turnkey' ECP operability on a given car already working in interchange service with 1-pipe/triple valve brakes. It puts a separate electronically-actuated manifold and valve arrangement between the triple valve and its mounting, so that the single train line and all the functions work correctly for ECP when the system is 'set' for ECP, but can be run as Westinghouse or easily converted back to run as Westinghouse when needed without removing the ECP components.
It has been a while since I read descriptions of this conversion equipment, so I no longer have current links, but it should not be hard to find them. I do think it is unlikely that the triple on a 'conversion car' would act to set the brakes if this common-mode fault in S-4200 released them in ECP 'mode'...
I think this is the applicable section of the BHP situation, communcations line disconnetion. On Page 81: (emphisis by me)
5.10.4.2 T/L COM TEST A Trainline Communications Diagnostic Test (T/L COM TEST) should be performed when there is a problem with the trainline communications. This test should be performed in the event that there is a problem, such as ECP EMER - NO EOT – T/L Power Shutdown. If there is a break in the trainline, such as a disconnected inter-car connector, this test will determine the location / vehicle where the break may be. The test may be performed when the locomotive is in ECP lead and RUN, SWITCH or Initialization mode and not moving. The Automatic brake handle must be placed into the full-service position before this test will be performed.
No mention of the brakes being released after a specific interval.
But memorizing 110 pages of somewhat repetitive instructions is something I would not expect an above average engineer to be responsible for, much less the average employee. I'm an Electrical Engineer and I found reading all 110 pages mind numbing. Perhaps with more hands on training, it would make more sense and maybe its my age but to blame an employee for failing to know that the train might release its brakes when I find NO mention anywhere in the 110 page publication is rediculous. I think any lawyer sould be able to defend this. Or have missed a line in the publication?
It seems, that to avoid a single-point-of-failure, the battery running down, they created another, failure to set the brake independantly.
It also sounds like this anomaly was missed on a systems-level analysis. Why would ATP rely only on ECP if the ECP could be a single-point-of-failure?
I would not be surprised if nobody in the official body foresaw the possibility of the ECP protocol leading to a disaster such as it did with the BHP train. I suspect there may be a great controversy over how this could have gotten past so many people.
Probably the simplest explanation is this which Peter posted above, which is a safety alert by the Office of the National Rail Safety Regulator (my emphasis in red):
1 Subject
Use of Electronically Controlled Pneumatic braking and Automatic Train Protection systems.
2 Issue
An incident with serious safety concerns occurred following the runaway of a loaded freight train that was utilizing Electronically Controlled Pneumatic (ECP) braking.
The train received a penalty brake application while operating in ECP braking mode as a result of a disconnected electrical connector between two wagons. The train came to a stand on a gradient.
The driver has alighted from the cab to carry out an inspection. After one hour, during the course of applying the handbrakes, the train rolled away down the gradient. The train was run through a crossover in an attempt to purposefully, and successfully, derail it.
Initial enquiries into the incident have revealed a potential safety issue with respect to the effectiveness of the Automatic Train Protection (ATP) systems when configured for ECP braking.
Trains traditionally operate with a mechanical pneumatic braking system and some rolling stock has been fitted with an electronic overlay braking system commonly known as ECP braking.
ECP braking systems that comply with the American Association of Railroads standard AAR S-4200 have a software feature designed to preserve battery life on the ECP fitted wagons by releasing the electronic brakes on a train in circumstances where:
1) An electronic brake is applied by the ECP system
2) There is no communications between the ECP system on board the lead locomotive and the end of train; and
3) Sixty minutes has elapsed from the last communication.
Where these conditions exist the ECP braking system will release creating the risk of a rollaway incident unless the air pressure within the braking system has been released to atmosphere.
I suspect that this BHP wreck holds the world record for the most cars derailed in a derailment. The train was 268 cars long, and I count 26 cars still on the rails at the end of the train. So that is 242 cars derailed and destroyed when the 50,000 ton train was intentionally derailed at about 70 mph.
What we see in the video are hopper cars mostly buried in an elongated heap of iron ore with mangled metal car parts visible as they emerge from the pile of ore.
In this elongated heap, are the 242 derailed cars apparently tightly jackknifed and accordioned, and mostly buried in the iron ore they carried. That line of wreckage of the 242 ore cars is about the same length as the 26 cars still on the track.
Our community is FREE to join. To participate you must either login or register for an account.