An unmanned, half-mile long train “bomb train” carrying tank-cars full of highly explosive crude oil barrels toward a city where it is doomed to derail on a curve, killing everyone in its wake. Luckily, Denzel Washington and Chris Pine show up to save the city at the last second. Everyone lives happily every after.
That was the plot of the 2010 film “Unstoppable.” It’s a fun film. I recommend it.
In real life, however, in the small town of Lac-Mégantic in Quebec, Canada on July 5, 2016, Denzel and Chris never showed up.
At around 1:00 am on July 6, 2013, an unmanned train carrying 72 tank-cars of highly combustible crude oil barreled down a hill at 65 mph, three times the normal speed, and careened off the track, disgorging six million liters of highly combustible petroleum crude. Within moments the oil exploded. The resulting inferno obliterated most of the downtown and incinerated 47 persons.
As might be expected, there were many stories to be told here, and hopefully someone is writing a book: the safety of transporting highly hazardous crude oil in fragile tank cars over thousands of miles of poorly maintained track; the impact of an out-of control fossil fuel economy on the environment, on workers in the industry and on citizens in its wake; the damage caused by a rapacious rail company focused more on cost cutting than safety; and the weakness of government oversight (even in Canada.)
But the story we’ll be telling here is one that we’ve heard many times before — the tendency of those who have responsibility for a catastrophe to shift blame onto individual workers instead of identifying the root causes and systemic problems that, if addressed, could prevent future catastrophes. In this case we’re focusing on the arrest of the engineer and sole crew member, Tom Harding, as well as traffic controller Richard Labrie and manager of train operations Jean Demaitre. Harding, Labrie and Demaitre were were handcuffed and frog-marched to prison. All three have pleaded not-guilty to 47 counts of criminal negligence causing death. Jury selection is currently under way.
I’ve been writing this on and off for several months, since I attended a music benefit for the rail workers. As I began looking into their story, in injustice and plain stupidity of their prosecution became alarmingly evident. I could probably write a book on this one incident (and hopefully someone is already doing that), but out of consideration for my readers, I’m going to make this as short as possible. As those of you who read Confined Space have probably guessed, this is going to be an article on the stupidity of blaming workers for this tragedy when as we will see, there was a train-car load of other systemic causes that, if not addressed, will result in many more of these catastrophes.
Also note that I will frequently refer to Andrew Hopkins’ book Lessons From Longford: The Esso Gas Plant Explosion which lays out many of the principles of conducting a root cause investigation of the systemic causes of an industrial disaster.
First, let’s review the events. On the evening of July 5, 2016, Tom Harding, the engineer and lone crew member of the 72-car train, operated by the now-bankrupt Montreal Maine and Atlantic Railway (MMA) parked the train on a hill a few miles above the town Lac Mégantic, in Quebec, Canada, after having mechanical problems with the lead engine. Per instructions from headquarters, Harding set the air brakes on the lead locomotive, which he left running to keep air pressure supplied to the air brakes. He also applied a number of hand brakes. Per instruction, he then took a taxi to a nearby hotel, planning to deal with the locomotive’s mechanical problems in the morning.
Shortly before midnight, the lead locomotive, spewing oil from multiple leaks, caught fire. The fire department arrived to put out the fire and also shut down the lead locomotive to keep more oil from into the fire. After the fire department left, the airbrake, which was dependent on the operation of the locomotive that had been shut down, began to lose pressure. The train began descending down the hill, picking up speed along the 7.2 miles to Lac Mégantic. When it hit the curve in Lac Mégantic, the train derailed, rupturing many of the petroleum filled rail cars and bursting into an inferno that killed 47 people in the town.
The Transportation Safety Board of Canada (TSB) conducted a thorough report in 2014, issuing 18 “Findings as to causes and contributing factors” and 16 additional “Findings as to risk.” The second “Finding as to causes and contributing Factors” concluded that “The 7 hand brakes that were applied to secure the train were insufficient to hold the train without the additional braking force provided by the locomotive’s independent brakes.”
On that basis, Tom Harding, along with two colleagues, traffic controller Richard Labrie and manager of train operations Jean Demaitre were arrested and accused of being responsible for he disaster. Harding’s crime was not setting enough hand brakes to keep the train from rolling down the hill and his arrest was not pretty. He was “surrounded at his home by a SWAT team and led away in handcuffs to face charges of criminal negligence causing death, despite the fact that his lawyer had notified the police that Mr. Harding would voluntarily come to the court when asked to appear to face charges. He was escorted to a makeshift courtroom in full view of the news media.” Conviction on a charge of criminal negligence causing death carries a maximum penalty of life in prison.
The Causes of the Lac Mégantic Disaster
As avid readers of Confined Space understand quite well by now, resolving safety issues is not as simple as finding a couple of workers to blame and firing them or throwing them in jail for life. Because if you don’t identify the root causes of a problem, everyone may feel a lot better for a while, but the problem will inevitably repeat itself.
In any accident investigation, there are direct causes (e.g. failure to set enough hand brakes) of the incident and then there are the systemic, inherent or root causes. It is those indirect, systemic causes for which changes can actually make meaningful change. As Hopkins describes, the latent conditions (poor design, gaps in supervision, maintenance failures, shortfalls in training, etc. etc.), if not corrected, will eventually “combine with local circumstances and active failures to penetrate the system’s many layers of defences.”
Blame the Worker: It is always convenient for management, and in this case even governments, to ignore the latent conditions described above, and blame workers for incidents. And the bigger the disaster, the greater the temptation to find and easy and convenient scapegoat. So before we explore this disaster, let’s look at the concept of blame the worker.
First, it is indisputable that Harding set too few hand brakes. But as Hopkins points out,
human beings inevitably make errors and errors by operators must be expected. Thus, rather than focusing on the operators who make the errors, modern accident analysis looks for the conditions which make the errors possible. It is nearly always the case that there was a whole series of contributory factors which created an operator error and set up the situation which made the error critical. Accident analyses which aim to prevent a recurrence seek to identify these factors. From this perspective, errors are seen as consequence rather than principal causes.
And if the focus in on “blame” instead of “why” — and the blame starts and stops with a worker who made a mistake, then the real causes of the incident will never be identified, never addressed and the same thing will eventually happen again.
So let’s start looking at principal causes.
Layers of Protection: Also known as “defense in depth” or “safety redundancy,” in its simplest explanation having more than one way to keep a catastrophic even from occurring so that a “single-point failure” does not lead to catastrophic consequence . Ideally, these layers of protection should be independent of each other, so that the failure of one does not mean the failure of any others. Harding’s train, for example, had three brake systems: the hand brakes which were set on each individual car, the locomotive air brake (also known as the independent brake), which secures the locomotives and the automatic brake that holds the rail cars in place. Harding set seven hand brakes and also set the independent brake. This was enough to hold the train when Harding was told to leave for the evening. But during the fire, the engine was shut down to keep it from leaking any more flammable oil into the flames. The problem was that without engine power, the independent brake gradually lost pressure and the hand brakes weren’t enough to hold the train on the hill. The train began to descend down the track, eventually speeding up to 65 mph into Lac-Mégantic, where it derailed. Harding was accused of not setting enough hand brakes on each car to keep the train from rolling down a hill.
But the Toronto Globe and Mail, which looked deeper into the incident noticed something important in the TSB report:
On page 105 of the 179-page report, a single paragraph suggests the accident “likely” would have been avoided had the air brakes on the rail cars (the automatic brake) been set as a backup safety precaution before the train was left unattended. However, Montreal Maine and Atlantic Railway (MMA) instructed its staff not to use the automatic brakes. Transport Canada [which regulates and oversees Canadian railroads] either didn’t notice this practice or saw no problem with it.
Specifically, the TSB report said that “While MMA instructions did not allow the automatic brakes to be set following a proper hand brake effectiveness test, doing so would have acted as a temporary secondary defence, one that likely would have kept the train secured, even after the eventual release of the independent brakes.”
And why did MMA instructions not allow the automatic brake to be set? According to the Globe,
because air needs to be pumped back into the brake line in order to reset the system and get the automatic brakes on each car to release, it can sometimes take from 15 minutes to an hour to get a train moving again once it’s been parked. For this reason, some railways don’t like using the automatic air brakes as an added assurance or backup to the hand brakes, because it can cost time and money, the rail industry expert said.
It is far-fetched to think the automatic brake wouldn’t have played a direct role in preventing the accident, the person said. “This common sense, 10-second procedure has been used to secure rail cars for the last hundred years,” the rail industry source said.
When the Globe asked the TSB why this important finding was buried in the report, the TSB responded that “it didn’t want to distract from the main point that trains should be secured with the correct number of hand brakes.”
But that’s not all. The locomotive involved in the Lac Mégantic incident should have had yet another fail-safe device. The locomotive was equipped with a reset safety control (RSC) which activates alarms and then applies a penalty brake if the train begins to run away, even when the engine is shut down. Unfortunately, MMA had rewired the RSC incorrectly and did not stop the train when it began to run away.
Run to Failure Maintenance: You may not change a light bulb until it burns out or change the washers on your faucet until it starts leaking, but if you’re running a refinery, steel mill — or a railroad — just letting things break down before you fix them isn’t a very safe way to operate. High reliability organizations have strong preventive maintenance programs and a major element of OSHA’s Process Safety Management standard is “Mechanical Integrity,” which aims to prevent catastrophic incident by ensuring that procedures are implemented to prevent incidents through the proper maintenance of equipment.
In this case, the lead locomotive was in terrible shape. Several months before, it has been to the repair shop. Instead of a lengthy standard repair, the company decided to essentially glue it back together with an epoxy-like material that lacked the required strength and durability of a permanent repair. The TSB report called this “a non-standard and less costly method” of repair. The night of July 5, the lead locomotive broke down on a hill above Lac-Mégantic. The Globe noted that “MMA, which declared bankruptcy after the derailment, had a reputation as one of the most aggressive cost-cutters in the rail industry.”
Profit: Even after the fire started, MMA did not call Harding, the Lead Engineer, back to the train to start another engine “due to the impact that it would have on train departure time the following morning and due to mandatory rest provisions.”
Normalization of Deviance: Normalization of deviance or of abnormality occurs when people become accustomed to violations of procedures or small incidents that don’t result in catastrophe. In this case, the official procedure was to perform a “handbrake effectiveness test” to confirm that the handbrakes alone could hold the train. This was supposed to be performed by releasing the independent brake to see if the hand brakes alone would hold the train. Harding did not release the independent brake when performing the test. Other MMA Lead Engineers also did not release the independent brakes when securing trains, which is indicative that poor train securement practices were not isolated to this accident. The Globe speculated that the absence of previous problems may have been taken as an indicator of future success.
The TSB report that in previous cases, Harding had also not set the officially required number of brakes, but nothing bad had happened. The report suggested that “The absence of previous problems may have been taken as an indicator of future success.”
But Wasn’t The Engineer Still At Fault?
OK, even with all of that, Harding did not set enough brakes. Why didn’t he set the correct number of brakes and why shouldn’t he be convicted? Let’s keep looking at other factors that led to the incident.
Training: The TSB report named “weaknesses in the process for ensuring adequate employee training” as one of the crucial indicators that MMS did not have a functioning safety management system. More specifically, the report found that “Montreal, Maine & Atlantic Railway did not provide effective training or oversight to ensure that crews understood and complied with rules governing train securement. ”
One of the reasons training was important is that figuring out how many hand brakes to set was complicated — too complicated for me to explain here, but go ahead and read the report if you’re really interested. To simplify, the number of handbrakes that had to be set was a function of the total number of cars, how many of them were loaded, the weather conditions, and the grade of the track. Each rail company in Canada had slightly different rules for how many hand brakes had to be set.
The engineer set the air brakes on the locomotive an 7 brakes on the individual cars. According to MMS procedures, the basic formula was 10% of the cars plus 2, which meant he should have set 9 brakes . But “TSB testing showed that this number would not have provided sufficient retarding force to hold the train once the air pressure in the independent brake system was reduced.” In fact, the TSB concluded that, depending on various scenarios, the engineer would have needed to apply between 12 and 26 hand brakes in order to hold the train.
The TSB report speculated that Harding
was not fully conversant with relevant rules and special instructions on train securement. Although the LE’s results from his requalification tests indicated that he had correctly answered questions relating to the minimum number of hand brakes, these questions were relatively simple and did not demonstrate that the LE possessed knowledge of the significance and rationale behind the rules. Furthermore, the LE was never tested on the procedures for performing a hand brake effectiveness test, nor did the company’s Operational Tests and Inspections (OTIS) Program confirm that hand brake effectiveness tests were being conducted correctly. In addition, the LE did not have all of the required documents with him on board the train, and could not easily refer to rules and company instructions.
Rail employees were required to pass re-certification exams every three years. According to the TSB report, the multiple choice re-qualification exam “repeated the same question on the minimum number of hand brakes for leaving unattended equipment. They did not have questions on the hand brake effectiveness test, the conditions requiring application of more than the minimum number of hand brakes, nor the stipulation that air brakes cannot be relied upon to prevent an undesired movement.” Hopkins notes that this type of “competency based training” just allows for specific knowledge of procedures, but does not test for understanding of the process.
So in summary, determining how many hand brakes to set is complicated, training is problematic, re-certification exams don’t test for competency or understanding of the whole complex process of securing a train.
Single Person Train Operation (SPTO): Harding, as mentioned above was the Lead Engineer, and also the lone crew member on the giant 72 car train. SPTO is permitted in Canada, and although the TSB could not find any evidence that SPTO led to the incident, they did describe some of the problems with it:
There are also demonstrated risks to SPTO, including reduced joint compliance (which can help catch errors), a tendency to take shortcuts, additional physical and time-related requirements for a single person to perform tasks, the possibility that individuals working alone will be subject to fatigue and cognitive degradations, and the need for additional training to properly prepare Lead Engineers (LEs) to work alone. It is also important to consider how a single operator might deal with the abnormal conditions that may arise, as well as whether all safety-critical tasks (such as the application of hand brakes and the performance of a hand brake effectiveness test) can be performed in a reasonable amount of time.
The TSB also noted that “The minimum hand brake requirement was more consistently met when trains were operated by 2 crew members.” Finally, the reported noted that although TC Canada (the regulatory agency) had required that MMA conduct a risk assessment of SPTO, “TC did not follow up to verify that the mitigation measures identified in MMA’s risk assessment had been implemented and were effective.”
Would another crew member on board the train have made a difference? Would two heads have been better than one in determining the correct number of hand brakes? If there were two crew members at the hotel, would one of them been able to return to the train and realize that another engine needed to be started to secure the air brakes? Who knows?
Oversight: The TSB report also criticized the railroad’s regulatory body, TC Canada’s (and more specifically TC Quebec’s), for weak oversight of MMA, despite the fact that “for several years, MMA had been identified as a railway company with an elevated level of risk requiring more frequent inspections.” TC Canada had identified several repeated problems in the past, including problems with train securement (identified on multiple occasions since 2005), and were still present at the time of the accident, training deficiencies, and problems with track conditions. And “TC Quebec Region did not follow up to ensure that recurring safety deficiencies at MMA were effectively analyzed and corrected; consequently, unsafe practices persisted.”
The Other Rail Employees
In addition to Harding, rail traffic controller (RTC) Richard Labrie and manager of train operations Jean Demaitre also face 47 counts of criminal negligence causing death. Labrie was the main rail employee that Harding communicated with that night. According to the TSB report, Labrie
was aware that no locomotive was left running. “However, he knew that train securement should not be dependent on a running locomotive, and assumed that the train had been adequately secured with sufficient hand brakes. Without a compelling cue to the contrary, the RTC did not consider that shutting down the locomotives would affect the securement of the train.
RTC’s are a also a critical component of safe Single Person Train Operation (SPTO) — the lone engineer is supposed to be in frequent contact with the RTC. But the report also noted serious shortcomings in implementation of SPTO safety procedures:
The SPTO training did not include a review of securement rules and instructions. Furthermore, no job task analysis was discussed with employees, nor were all of the potential hazards associated with the tasks identified, notably the risks associated with single-operator train securement at the end of a shift. Consequently, no mitigation measure was identified for this critical task, such as confirming with an RTC how a train was secured, or even questioning the practice of leaving a train on the main track in Nantes when securement relied on a single operator.
Furthermore, although MMS had a process where supervisors could conduct unannounced monitoring of employees for adherence to railway safety rules and instructions. But no such inspection had ever occurred to ensure proper train securement in the area of Lac Megantic. Labrie reported to Demaitre, the manager of train operations.
OK, I could go on and on about addition issues that the TSB report raises (tank care integrity, track condition, lack of audits, and on and on), but I think we’ve discussed enough. What we have here in a nutshell is a railroad that cuts corners on safety and maintenance wherever it could, a lousy training program for a very complicated, safety sensitive operation. And an oversight agency that didn’t do very good oversight.
In other words, only the most superficial analysis of this horrible tragedy would conclude that Tom Harding, the Lead Engineer and sole crew member, should be blamed for the deaths of 47 people, dragged into jail, prosecuted and possibly sent to prison for the rest of his life. It may make some people feel good, and it may take the blame off of others. But it will do nothing to prevent future catastrophes.
That’s no way to run a railroad.
More information on the Campaign to Defend the Lac-Mégantic workers here.