Railway Investigation Report R02V0057
The Transportation Safety Board of Canada (TSB) investigated this occurrence for the purpose of advancing transportation safety. It is not the function of the Board to assign fault or determine civil or criminal liability.
Main-Track Collision and Derailment
Canadian Pacific Railway
Train 861-009 and Train 604-014
Mile 12.89, Cranbrook Subdivision
Natal, British Columbia
28 April 2002
At approximately 0255 Pacific daylight time, on 28 April 2002, westward Canadian Pacific Railway freight train 861-009 was proceeding on the Cranbrook Subdivision near Natal, British Columbia, and collided with stationary freight train 604-014. Train 604-014 had been left unattended in the siding at Natal, at approximately 2120 on 27 April 2002. Sometime between 0246 and 0251 on 28 April 2002, train 604-014 was moved forward approximately 120 feet by an unknown person or persons, placing it foul of the main-track switch at Mile 12.89. The lead locomotives of both trains derailed. The conductor on train 861-009 received minor injuries. The locomotive engineer was not injured. There were no dangerous goods involved.
Ce rapport est également disponible en français.
Other Factual Information
On 27 April 2002, Canadian Pacific Railway (CPR) train 604-014 (train 604), an eastward empty unit sulphur train on the Cranbrook Subdivision, was set out on the siding at Natal, British Columbia, to await loading instructions. The head end of the train was stopped clear of the main track in proximity to the east siding switch. The train consisted of 2 locomotives, 112 empty cars, weighed 3330 tons, and was 6708 feet in length. The lead locomotive was CPR 9550. It was expected that the train would be required for loading at another location in the next 24 to 48 hours. At 2124 Pacific daylight time,1 the train was left unattended and clear of the siding switch at Mile 12.89, with hand brakes applied on both locomotives and the first 12 cars. At Natal, the main track is situated immediately north of, and adjacent to, Highway 3. There is a hotel immediately south of the highway, east of the occurrence site.
The controls on lead locomotive CPR 9550 were left as per railway instructions. The generator field switch had been placed in the "off" position, the engine run switch was left in the "on" position, the control/fuel pump switch was left in the "on" position, the independent brake (locomotive brake) was "cut in" and fully applied, the automatic brake (train brake) was "cut in" and in the release position, and the reverser handle was put in the off position, removed and retained by the departing locomotive engineer. The windows and doors were not locked.
After the crew on train 604 had finished securing their train in the siding at Natal, they were transported to the Sparwood bunkhouse and later transported by taxi to Crowsnest, Mile 0.0, Cranbrook Subdivision, where they were assigned to train 861-009 (train 861) and instructed to proceed to Cranbrook through the Cranbrook Subdivision. Train 861 consisted of one locomotive (CPR 9620), 95 empties, weighed 2847 tons, and was 5712 feet in length.
At approximately 0255, while proceeding westward at 20 miles per hour (mph), the crew of train 861 observed train 604 foul of the main track at the west end of the Natal siding and placed the train brakes in emergency. train 861 side collided with train 604 at Mile 12.89 at a speed of about 14 mph. After striking train 604 and pushing it back 53 feet, train 861 came to a stop in approximately 100 feet. The conductor suffered minor injuries as a result of the collision. There was no one on train 604 at the time (see Figure 1 for a schematic of the collision area).
The crew, composed of a locomotive engineer and a conductor, were qualified for their respective positions and met fitness and rest standards designed to ensure the safe operation of trains. The temperature was about 2ºC with a light wind from the southeast. The skies were clear.
Train movements on the Cranbrook Subdivision are governed by the Occupancy Control System, authorized by the Canadian Rail Operating Rules, and supervised by a rail traffic controller located in Calgary, Alberta. There are no wayside signals on the Cranbrook Subdivision.
Natal is a designated siding 8443 feet in length. The track gradient is ascending to the east. It is common practice for the railway to temporarily store trains at this location. There was no derail at the east end of the Natal siding to protect unintended movements of rolling stock from entering the main track, nor is it common practice to use such devices where there is an ascending grade.
Between 2124 and 0246, three trains passed train 604. No unusual activity was noted at Natal by the crews of the three trains.
Figure 1. Schematic of Natal - Collision of train 861 and train 604
Information from the CPR 9550 locomotive event recorder indicated that, at 0246:33 on 28 April 2002, the independent brake on the locomotive was released. At 0246:38, the reverser2 was placed in the forward position. At 0248:35, the combined power handle3 was moved into the power zone, position 1, and the generator field circuit breaker4 was moved into the "on" position. When the train began to move between 0248:35 and 0249:30, the combined power handle was advanced to position 3. At 0250:05, train 604 reached its maximum speed of 3.2 mph. At 0250:12, the power controller was returned to idle and moved into the dynamic brake zone. The generator field circuit breaker was moved to the off position. At 0250:17, forward motion stopped; the combined power controller was moved to idle. About six seconds later, the reverser was returned to the off position and the train brakes were placed in emergency. At 0251:01, the engine control switch5 was moved into the isolate position.
The train had been moved eastward about 121.5 feet and left just foul of trains travelling on the main track. The hand brakes remained applied on the 2 locomotives and the 12 lead cars during this movement. In the absence of a wayside signal system, the crew of train 861 had no advance warning that a train was foul of the main track.
As a result of this collision, the CPR police and the Royal Canadian Mounted Police initiated a criminal investigation in order to identify the person or persons responsible for moving train 604 into the path of oncoming train 861.
CPR's General Operating Instructions (GOI), section 16, item 17.3(a) details the conditions under which locomotives should be shut down in order to conserve fuel, that is, when the ambient air temperature is expected to remain at or above 5ºC and it is known that the locomotive will be standing for 30 minutes or more. The unattended locomotives were left running due to the forecast temperature drop below -5ºC.
GOI, section 14, item 1.0, "Hand Brake Policy," provides guidance on the use of hand brakes and specifies the minimum number of hand brakes to be applied given the number of cars to be secured. The policy indicates that a minimum of 13 hand brakes must be applied to secure 110 to 119 cars.
GOI, section 14, item 3.0, "Leaving a Train Unattended," states, in part, that the reverser handle must be removed and taken from the cab of all locomotives, all unnecessary lights turned off, and doors and windows closed. CPR's GOI do not require that the doors and windows be locked.
The GOI also require that the control stand be left as follows:
- Independent brake cut-IN and FULLY applied.
- Automatic brake cut-IN and handle in RELEASE.
- Generator Field OFF, Engine Run ON, Control/Fuel Pump ON.
- Reverser handle removed.
- Take the reverser handle from the cab of all locomotives in the consist except as specified by Section 15 - item 10.36, or except as specified by special instructions, subdivision footnotes or operating bulletin.
There is presently no requirement that the engine control switch be placed in "isolate" on locomotives being left unattended. Railway personnel indicated that it had once been a requirement, but that requirement had been dropped many years ago. When only the lead locomotive of a multiple locomotive consist is "isolated," it is still possible to operate the other locomotive(s) from the lead locomotive. Rather than make it a requirement to isolate all locomotives in the consist, the railway dropped the practice altogether.
Locomotive CPR 9550 was left with the cab doors and windows closed, but unlocked. There had been no instructions, or keys issued, to lock the locomotive cab doors. A review of procedures used by other major railways operating in Canada revealed that the locking of locomotive cab doors and windows is a common practice. At the time of the occurrence, there was no other means of security or surveillance to prevent unauthorized persons from gaining entry into the unattended locomotives.
The reverser mechanism that controls the forward and reverse movement of locomotives is located inside the control stand. The locomotive control stand is an area upon which the air brake controls, reverser handle, throttle and dynamic braking control are mounted within convenient reach of the locomotive engineer. Air gauges and some control switches are also located on the control stand. Some control stands are oriented vertically beside the locomotive engineer, as opposed to the desktop orientation which locomotive CPR 9550 used.
Figure 2 - Standard reverser handle (figure is not to scale)
Photo 1 - Photo of locomotive desktop control stand, reverser handle receptacle indicated with arrow
The design of the reverser handle is detailed in the Association of American Railroads (AAR) Operations and Maintenance Department, Mechanical Division, Manual of Standards and Recommended Practices, Section F. The standard7 stipulates, in part, that:
Reverser handles will all be standard, making them interchangeable regardless of a manufacturer of locomotive.
The handle, as indicated in Figure 2, is to have a round shape. It is designed to be the key to lock and unlock the reverser mechanism. The standard states:
The reverser handle must be inserted before the throttle handle may be moved out of "IDLE" or the dynamic brake handle may be moved out of the "OFF" position. When the reverser handle is removed, neither the throttle handle nor the dynamic brake handle may be moved out of the "IDLE" or dynamic brake "OFF" positions, respectively.
Because the reverser handle is to act as a form of key for locomotive operation, all Canadian railways require that it be removed from the control stand when the locomotive is left unattended. The reverser mechanism has an internal locking/release pin that is activated by insertion of the AAR standard handle, and intended to facilitate the key function. Informal interviews with a number of locomotive engineers indicated that, in extenuating circumstances, where a reverser handle had been forgotten, they had personally, or knew of someone who had, operated the train with a makeshift reverser handle.
Thirty-nine reverser mechanisms from General Motors and General Electric locomotives, which were manufactured since the 1950s, were examined under controlled conditions to determine if the reverser mechanisms could be activated with anything other than the standard reverser handle. Various items were inserted into the reverser control mechanism and the locking/release pin depressed in the same manner as a reverser handle. These items allowed the reverser mechanism on the control stand to be placed into either forward or reverse on 35 of 36 locomotives designed to use the AAR standard reverser handle. In addition, once the reverser mechanism was engaged with one of these items, the throttle and the dynamic brake on the majority of the locomotives tested could be operated in the normal fashion. On approximately half of the locomotives tested, after the foreign objects had been used to bypass the mechanism and were manipulated, the standard design reverser handle could be reinserted and operated in the normal fashion, without first having to manually return the locking/release pin to the normal position.
There was no indication that the reverser mechanism had been bypassed on locomotive CPR 9550. The reverser handle had been removed by the last authorized crew to operate that train. At the time of the post-accident inspection of the cab of CPR 9550, there was no reverser present. North American-manufactured locomotives are sold and distributed to various .countries around the world. These locomotives are generally equipped to the AAR standard. Unless the owner requests a change in design, the controls are configured consistent with that standard.
In a controlled setting, using a locomotive that had all control positions set as per railway instructions for leaving locomotives unattended, a TSB investigator with no rail industry background was asked to observe the locomotive controls and switches and explain what he thought would be necessary to initiate movement of the locomotive. He was able to determine the necessary control manipulations within five minutes.
The investigation determined that the information necessary to operate a locomotive is readily accessible from a number of sources, even if the act may be unlawful for other than the company's qualified locomotive engineer. For example, the information is available on the Internet and from locomotive operation simulation software, which is commercially available to any interested person.
The unauthorized entry into the cab of locomotive CPR 9550 and the movement of train 604 is the subject of an ongoing criminal investigation. However, these issues will be analyzed to the extent necessary to identify safety deficiencies. The analysis will also focus on the risks that result from unauthorized access to, and operation of, unattended locomotives and on the current level of security surrounding unattended locomotives.
Both the locomotives and cars of train 604 were secured, consistent with railway operating practices. However, there remained a number of factors that affected the risk exposure of this unattended train. These factors include:
- the location where the train was left unattended;
- the ease of accessibility to the locomotive cab;
- the absence of an effective means to lock out the locomotive controls;
- the absence of increased surveillance by security personnel;
- diesel engines left running due to cold weather; and
- the abundance of generally available information on how to operate a locomotive.
In normal railway operating practice, when a train or locomotive is to be left unattended, the crew will require transportation after the equipment has been secured. Therefore, trains are often left unattended in areas that are easily accessed by road vehicles. Although Natal was frequently used to temporarily store trains, there was no increased security at this location.
CPR's instructions for leaving locomotives unattended required, in part, that the doors and windows of the locomotive cab be closed. However, the absence of a requirement that they be locked demonstrated that unrestricted access to locomotives represents a significant safety risk. Securement of doors and windows in the operating cab would act as a deterrent.
The knowledge necessary to set a train in motion can be easily obtained from sources such as the Internet and computer games. This, combined with easy access to unattended locomotives and the fact that it is often necessary to leave the engines running, creates a particularly vulnerable situation. An unauthorized person need only manipulate, in proper sequence, a number of well-marked locomotive controls and switches.
The ability of a TSB investigator with no rail industry background to quickly determine the appropriate control settings to initiate movement of a locomotive (or train) further supports the need for enhanced security measures. In contemplating any new security measures, the Board believes that it would be prudent to assume that locomotive operations-related information will continue to be easily accessible. Therefore, new security measures need to be designed to prevent unauthorized persons who possess the requisite knowledge to set a locomotive in motion from doing so.
North American locomotive manufacturers supply locomotives to many countries around the world; yet, the controls are often built without significant security modifications to the AAR standard configuration. While it is true that occurrences such as this have historically been rare in Canada, given recent world events and the presence of similarly configured locomotives in other countries around the world, the operation of trains by unauthorized persons should be regarded as a potentially serious security and safety issue both nationally and internationally.
The mechanical interlock protection that prevents the movement of the combined power handle when the reverser is removed was undoubtedly intended, in part, to provide some protection against unauthorized locomotive operation. However, as shown by the tests conducted during this investigation, the interlock was easily bypassed and the fact that it could be bypassed was common knowledge among operating crews. Although this interlock is likely successful in protecting against unintended locomotive movement from inadvertent control manipulations, its effectiveness as a defence against unauthorized persons is questionable.
In addition, the absence of a requirement to isolate each unattended locomotive, when operating circumstances permit, is an example of an available defence barrier that is not being used.
Information from the locomotive event recorder shows a sequence of locomotive control manipulations clearly intended to set train 604 in motion and to stop it shortly thereafter. Further, certain events, such as placing the engine control switch into the isolate position after the train was moved foul of the main track, indicate that the individual likely possessed some knowledge of locomotive operations. However, the investigation indicated that individuals without prior knowledge of locomotive operations could interpret the labelled information on the control console, such as forward/off/reverse, power/idle/dynamic brake, accurately enough to choose the desired control position to initiate movement.
There was no advance warning available to train 861 of the impending danger at Natal. Without the additional safety defence afforded by signals, there is a continuing risk.
Findings as to Causes and Contributing Factors
- Railway procedures for securing locomotive cab doors and windows did not deter or prevent the unauthorized persons from entering the lead locomotive on train 604 and moving the train foul of the main track.
- The absence of a standard reverser handle, designed to be the "key" to permit operation of locomotives, did not prevent the locomotive from being operated by unauthorized persons.
- The manipulation of various locomotive controls and switches that led to the enabling of the locomotives on train 604 and the manner in which the train was operated indicated that the individual(s) involved had a rudimentary knowledge of locomotive operations.
Findings as to Risk
- Given the relative ease of access to the cabs of running locomotives, the properties of the reverser mechanism, and the general availability of locomotive operations-related information, there is a continuing potential for the unauthorized operation of locomotives.
- The ease with which the mechanical interlocking between the reverser handle and the combined power handle can be bypassed and the extent to which this is common knowledge, compromise the effectiveness of the reverser as a safeguard against the unauthorized operation of locomotives.
- Not requiring locomotives to be taken off line or isolated when left unattended removes an available defence against unauthorized movement.
- There were no security measures established to ensure surveillance of unattended locomotives at Natal.
Safety Action Taken
On 25 July 2002, the TSB issued Rail Safety Advisory 05/02, entitled Locomotive Reverser Handles, concerning the field testing of locomotive reverser mechanisms in both General Motors and General Electric models, noting that various devices could be used to act as reverser handles.
On 25 July 2002, the TSB also issued Rail Safety Information Letter 07/02, entitled Securement of Unattended Locomotives, concerning unauthorized access to locomotive cabs.
As a result of these, Transport Canada (TC) officials canvassed the railway industry, and their responses follow:
- Canadian National (CN) has specific instructions in place to ensure that employees leaving locomotive consists at locations where shop staff are not available lock all locomotive windows and doors. These instructions are currently contained in CN's Locomotive Engineer Operating Manual, under Section B3, "Leaving Locomotive Consists."
- Canadian Pacific Railway (CPR) has inspected a total of 1398 locomotives to ensure the operability of the locking and latching mechanisms of the locomotive cab doors and windows. In addition, CPR has distributed reverser handles to all locomotive engineers in order that no reverser handles are left unattended. However, CPR does not plan to issue system-wide instructions to lock the doors of unattended locomotives. Notwithstanding, CPR issued an operating bulletin to the train crews on the Cranbrook and Windermere subdivisions, instructing them to lock unattended locomotive doors and windows at locations other than crew change locations. Also, CPR has instituted precautionary procedures to store locomotives at locations where they can be more easily monitored. They are also reviewing other locations that have been identified as high-risk areas of vandalism for the possible implementation of similar arrangements.
- VIA Rail Canada Inc. (VIA) has reviewed its internal procedures pertaining to the securement of unattended locomotives. TC was advised that VIA would be reinforcing the importance of these procedures among locomotive engineers, with particular emphasis on the locking of windows and doors when the equipment is left unattended in an unprotected area.
- The Railway Association of Canada indicated that, aside from one or two railways that operate in very remote areas, the vast majority of railways have full securement practices similar to CN's in place. The requirement to secure windows and lock doors is also part of local instructions.
This report concludes the TSB's investigation into this occurrence. Consequently, the Board authorized the release of this report on 16 July 2003.
- Date modified: