Tag Archives: collision

Investigators Blame “Human Error” for Train Collision

By Kim Smiley

On February 9, 2016, two commuter trains collided head-on in Upper Bavaria, Germany.  Eleven people were killed and dozens were injured.  Investigators are still working to determine exactly what caused the accident and the train dispatcher is currently under investigation for involuntary manslaughter and could face up to five years in prison if convicted.

Although the investigation is still ongoing, some information has been released about what caused the crash.  The two trains collided head-on because they were both traveling on the same track toward each other in opposite directions.  Running two trains on the same track is common practice in rural regions in Germany and these two trains were scheduled to pass each other at a station with a divided track. The drivers of both trains were unaware of the other train.  The accident occurred on a bend in a wooded area so the drivers could not see the other train until it was too late to prevent the collision.

The dispatcher failed to prevent a situation where two trains were running towards each other on the same track or to inform the drivers about the potential for a collision.  Investigators have stated that the dispatcher sent an incorrect signal to one of the trains due to “human error”.  After realizing the mistake – and that a collision was imminent – the dispatcher issued emergency signals to the trains, but they were too late to prevent the accident.

All rail routes in Germany have automatic braking systems that are intended to stop a train before a collision can occur, but initial reports are that the safety system had been manually turned off by the dispatcher. German media has reported that the system was overridden to allow the eastbound train to pass because it was running late, but this information has not been confirmed. Black boxes from both trains have been collected and analyzed. Technical failure of the trains and signaling equipment has been ruled out as a potential cause of the accident.

The information that has been released to the media can be used to build an initial Cause Map, a visual root cause analysis, of this issue.  A Cause Map visually lays out the cause-and-effect relationships and aids in understanding the many causes that contributed to an issue. The Cause Map is built by asking “why” questions. A detailed Cause Map can aid in the development of more effective solutions.

One of the general Cause Mapping rules of thumb is that an investigation should not stop at “human error”. Human error is too general and vague to be helpful in developing effective solutions. It is important to ask “why” the error was made and really work to understand what factors led to the mistake. Should the safety system be able to be manually overridden? Is the training for dispatchers adequate? Does there need to be a second check on decisions by dispatchers? Should two trains traveling in opposite directions be sharing tracks? I don’t know the answers, but these questions should be asked during the investigation. Charging the dispatcher with involuntary manslaughter may prevent HIM from making the same mistake again, but it won’t necessarily reduce the risk of a similar accident occurring again in the future. To really reduce risk, investigators need to dig into the details of why the error was made.

5 killed and dozens injured when duck tour boat collides with bus

By Kim Smiley

Five people were killed and dozens more injured when an amphibious Ride the Ducks tour boat collided with a charter bus in Seattle on September 24, 2015.  The circumstances of the accident were particularly unfortunate because two large vehicles carrying tour groups across a busy bridge were involved.  Traffic was mangled for hours as emergency responders worked to treat the high number of victims, investigate the accident and clear the roadway.

The National Transportation Safety Board (NTSB) is investigating the accident to determine exactly what led to the collision and if there are lessons learned that could help reduce the risk of a similar crash in the future.  Potential issues with the duck boat are some of the early focuses of the investigation.  In case you are unfamiliar, duck boats are amphibious landing craft that were used by the U.S. Army during World War II that have been refurbished for use as tour vehicles that can travel on both water and land to give visitors a unique way to experience a city.  Their military designation DUKW was changed to the more user-friendly duck boat moniker that is used by many tour companies throughout the world.

Eyewitnesses of the accident have reported that the duck boat unexpectedly swerved while crossing the bridge, slamming into the driver’s side of the tour bus. Reports are that the left front wheel of the duck boat locked up and the driver lost control of the vehicle. NTSB investigators have stated that the duck boat had not received an axle repair that was recommended in 2013 and that they are working to determine whether or not this played a role in the accident.

Investigators are also looking into whether or not Seattle Ride the Ducks was notified of the repair.  Photos of the wrecked duck boat show that the front axle sheared and the left wheel popped off the vehicle, but it hasn’t been conclusively determined whether the damage was the cause of the accident or occurred during the accident.  The issues with the axle certainly seem like a smoking gun, but a thorough investigation still needs to be performed and the process will take up to a year.  If there was a mechanical failure on the duck boat unrelated to the already identified axle issue, that will need to be identified and reviewed to see if it applies to other duck tour vehicles.

The severity of this accident is raising concerns about the overall safety of duck tours. The duck boat involved in this accident underwent regular annual inspections and was found to meet federal standards. If a mechanical failure was in fact involved, hard questions about the adequacy of standards and inspections will need to be asked. The issue of the recommended repair that was not done also raises questions about how the recommendations are passed along to companies running duck boat tours as well as incorporated into inspection standards.


March 27, 1977: Two Jets Collide on Runway, Killing 583

By ThinkReliability Staff

March 27, 1977 was a difficult day for the aviation industry. Just after noon, a bomb exploded at the Las Palmas passenger terminal in the Canary Islands. Five large passenger planes were diverted to the Tenerife-Norte Los Rodeos Airport, where they completely covered the taxiway of the one-runway regional airport. Less than five hours later, when the planes were finally given permission to take off, two collided on the runway, killing 583, making this the worst accident at the time (and second now only to the September 11, 2001 attacks in the US).

With the benefit of nearly 40 years of hindsight, it is possible to review the causes of the accident, as well as look at the solutions implemented after this accident, which are still being used in the aviation industry today.  First we look at the impact to the goals as a result of this tragedy.  The deaths of 583 people (out of a total of 644 on both planes) are an impact to the safety goal.  The compensation to families of the victims (paid by the operating company of one of the planes) is an impact to the customer service goal.  The property goal was impacted due to the destruction of both the planes, and the labor goal was impacted by the rescue, response, and investigation costs that resulted from the accident.

Beginning with one of the impacted goals, we can ask why questions to diagram the cause-and-effect relationships related to the incident.  The deaths of the 583 people onboard were due to the runway collision of two planes.  The collision occurred when one plane was taking off on the runway, and the other was taxiing to takeoff position on the same runway (called backtracking).

Backtracking is not common (most airports have separate runways and taxiways), but was necessary in this case because the taxiway was unavailable for taxiing.  The taxiway was blocked by the three other large planes parked at the airport.  A total of five planes were diverted to Tenerife which, having only one runway and a parallel taxiway, was not built to accommodate this number of planes.  There were four turnoffs from the runway to the taxiway; the taxiing plane had been instructed to turn off at the third turn (the first turn that was not blocked by other planes).  For unknown reasons, it did not, and the collision resulted between the third and fourth turnoff.  (Experts disagree on whether the plane would have been able to successfully make the sharp turn at the third turnoff.)

One plane was attempting takeoff when it ran into the second plane on the runway. The plane taking off was unaware of the presence of the taxiing plane. There was no ground radar and the airport was under heavy fog cover, so the control tower was relying on positions reported by radio. At the time the taxiing plane reported its position, the first plane was discussing takeoff plans with the control tower, resulting in interference rendering most of the conversation inaudible. The pilot of the plane taking off believed he had clearance, due to confusing communication between the plane and the air traffic control tower. Not only did the flight crews and control tower speak different languages, the word “takeoff” was used during a conversation that was not intended to provide clearance for takeoff. Based on discussions between the pilot and flight crew on the plane taking off, investigators believed, but were not able to definitively determine, that other crew members may have questioned the clearance for takeoff, but not to the extent that the pilot asked the control tower for clarification or delayed the takeoff.

After the tragedy, the airport was upgraded to include ground radar. Solutions that impacted the entire aviation industry included the use of English as the official control language (to be used when communicating between aircraft and control towers) and a prohibition on the use of the word “takeoff” unless approving or revoking takeoff clearance. The potential that action by one of the other crew members could have saved the flights aided in the concept of Crew Resource Management, to ensure that all flight crew members could and would speak up when they had questions related to the safety of the plane.

Though this is by far the runway collision with the greatest impact to human life, runway collisions are still a concern.  In 2011, an Airbus A380 clipped the wing of a Bombardier CRJ (see our previous blog).  Officials at Los Angeles International Airport (LAX) experienced 21 runway incursions in 2007, after which they redesigned the runways and taxiways so that they wouldn’t intersect, and installed radar-equipped warning lights to provide planes with a visual warning of potential collisions (see our previous blog).


Houston Ship Channel Closed After Ships Collide

By Kim Smiley

On March 9, 2015, two large ships collided in the Houston Ship Channel, one of the busiest waterways in the United States.  There were no major injuries reported, but the accident resulted in the release of methyl tertiary-butyl ether, commonly called MTBE, a chemical that is used as a fuel additive.  The clean-up and investigation of the collision closed the channel from the afternoon of March 9 until the morning of March 12.

At the time of the collision, the tanker Carla Maersk was traveling outbound in the channel transporting MTBE.  The bulk carrier Conti Perido was heading inbound with a load of steel.  Both ships were significantly damaged by the collision and three cargo tanks ruptured on the Carla Maersk, spilling the MTBE. Limited information has been released about what caused the accident, but a National Transportation Safety Board investigation is underway.  Initial reports are that both vessels were traveling at about 9 knots, which is typical for this stretch so excessive speed does not appear to be a cause.  It has also been reported that it was foggy at the time of the accident which may have played a role in the accident.

An initial Cause Map can be built using the information that is available.  The first step in the Cause Mapping process is to fill in an Outline with the basic background information along with the impacts to the goals.  Like many incidents, this collision impacted several different goals.  The safety goal was impacted because MTBE is toxic and has the potential to cause injuries.  The environmental goal was clearly impacted by the release of MTBE.  The multiple-day closure of the Houston Ship Channel is an impact to the production/schedule goal and the impact to local businesses resulting from closure is an impact to the economic goal.  The damage to the ships is an impact to the equipment goal.

On the outline, there is also a line to record the frequency of how often a similar event has occurred.  It’s important to consider the frequency because a small problem that occurs often may very well warrant a more detailed investigation than a small problem that has only been seen once.  In this example, there have been previous ship collisions.  This accident was the second ship collision to occur in the channel in a week.  Two large ships bumped on March 5, 2015, which did not result in any injuries or pollution.

Release of MTBE is a significant concern, but the impacts of this ship collision could easily have been worse.  MTBE is volatile and flammable so there could have been a fire or the ships could have been carrying something more dangerous.  It may be difficult to get the data, but it would be interesting to know how many near misses have occurred between ships traveling in the channel. The frequency that accidents are occurring needs to be considered along with the details of any individual incident when conducting an investigation. Two collisions in a week is a pretty clear indication that there is potential for more to occur in the future if nothing is changed.

Deadly Train-Car Collision

By Kim Smiley

On February 3, 2015, an SUV was struck by a commuter train near Valhalla, New York.  The driver of the vehicle and 5 train passengers were killed in the accident.  The National Transportation Safety Board (NTSB) is investigating the accident to determine what went wrong.

An initial Cause Map, a visual root cause analysis, can be built to analyze and document what is known about this train-car collision.  A Cause Map visually lays out the cause-and-effect relationships that contributed to an issue and focuses on understanding all the causes, not THE root cause.  Generally, identifying more causes results in a greater number of potential solutions being considered.

So why did the train hit a vehicle?  Eyewitnesses have stated that the SUV was hit by a crossing gate as it descended.    It is not clear why the SUV didn’t stop prior to entering the railroad crossing area. The driver pulled the SUV forward onto the tracks rather than backing up and the train struck the vehicle shortly after.  Investigators don’t know why the driver stopped on the tracks, but initial reports are that all safety features, such as the crossing gate, signs and train horn, were functioning properly at the time of the accident.

Unfortunately, it’s not unusual for passengers in a vehicle struck by a train to be injured or killed, but it is less common for fatalities among the train passengers.  Investigators are working to determine what made this accident particularly dangerous for train passengers.  The NTSB plans to use information about the passengers’ injuries and a diagram of where people were sitting on the train to try to understand what happened during the collision.  Post-accident photos of the train show that significant fire damage occurred, likely fueled by the gas in the SUV.

One of the open questions is whether the electrified third rail contributed to the accident and subsequent injuries. Metro-North uses an unusual “under-running” third rail design where power is taken from the bottom of the rail. During the collision, 400 feet of the third rail broke apart and 12 pieces pierced both the SUV and the train. This rail design uses a metal shoe that slips underneath the third rail and some think that the force of the collision may have essentially pried up the rail and thrown it into the train and vehicle.

Open questions can be documented on the initial Cause Map with a question mark.  As more information becomes available, the Cause Map can quickly be updated.  Typically, Cause Maps are built in Excel and different versions can be saved as different sheets to document the investigation process.


Prison Bus Collides With Freight Train

By Kim Smiley

On the morning of January 14, 2015, a prison bus went off an overpass and collided with a moving freight train.  Ten were killed and five more injured.  Investigators believe the accident was weather-related.

This tragic accident can be analyzed by building a Cause Map, a visual root cause analysis.  A Cause Map visually lays out the cause-and-effect relationships to show all the causes (not just a single root cause) that contributed to an accident.  The first step in the Cause Mapping method is to determine how the incident impacted the overall organizational goals.  Typically, more than one goal needs to be considered.  Clearly the safety goal was impacted because of the deaths and injuries.  The property goal is impacted because of the damage to both the bus and train (two train cars carrying UPS packages were damaged).  The schedule goal is impacted because of the delays in the train schedule and the impact on vehicle traffic.

The Cause Map itself is built by starting at one of the impacted goals and asking “why” questions. So why were there fatalities and injuries?  This occurred because there were 15 people on a bus and the bus collided with a train.  The bus was traveling between two prison facilities and drove over an overpass.  While on the overpass, the bus hit a patch of ice and slid off the road, falling onto a moving freight train that was passing under the roadway.  No one onboard the train was injured and the train did not derail, but it was significantly damaged.  The bus was severely damaged.

The prisoners onboard the bus were not wearing seat belts, as is typical on many buses.  They were also handcuffed together, although it’s difficult to say how much this contributed to the injuries and fatalities.

Useful solutions to prevent these types of accidents can be tricky.  The prison system may want to review how they evaluate road conditions prior to transporting prisoners.  This accident occurred early in the morning and waiting until later in the day when temperatures had increased may have reduced the risk of a bus accident.  Transportation officials may also want to look at how roads, especially overpasses, are treated in freezing weather to see if additional efforts are warranted.


You can also read our previous blogs to learn more about other train collisions:

Freight Trains Collide Head-on in Arkansas

Freight Train Carrying Crude Oil Explodes After Colliding with Another

“Ghost Train” Causes Head-on Collision in Chicago

Deadly Train Collision in Poland

Safety Concerns Raised by 5 Railroad Accidents in 11 Months

By ThinkReliability Staff

The National Transportation Safety Board investigates major railroad accidents in the United States. It was not only the severity (6 deaths and 126 injuries) but the frequency (5 accidents over 11 months) of recent accidents on a railroad that led to an “in-depth special investigation”. Part of the purpose of the special investigation was to “examine the common elements that were found in each”.

When an organization sees a recurring issue (in this case, multiple accidents requiring investigation from the same railroad), there may be value in not only investigating the incidents separately but also in a common analysis. A root cause analysis that addresses more than one incident is known as a Cumulative Cause Map, and it captures visually much of the same information in a Failure Modes and Effects Analysis, or FMEA.

The information from the individual investigations of each of these accidents can be combined into one analysis, including an outline addressing the problems and impacts to the goals from the incidents as a whole. In this case, the problems addressed include issues on the Metro-North railroad in New York and Connecticut from May 2013 to March 2014. The five incidents during that time period resulted in 4 customer deaths and 126 injuries, 2 employee deaths, and over $23.8 million in property damage.

The analysis of the individual accidents can be combined in a Cumulative Cause Map to intuitively show the cause-and-effect relationships. The customer deaths and injuries, and the property damage, resulted from train derailments and a collision. The train collision resulted from a derailment. In two of the cases, the derailment was due to track damage that had either been missed on inspection or had maintenance deferred. In the third derailment (discussed in a previous blog), the train took a curve at an excessive rate of speed due to fatigue of the engineer. Inadequate track inspections and maintenance, and deferred maintenance were highlighted as recurring safety issues to the railroad.

Both of the employee fatalities resulted from workers being struck by a train while performing track maintenance. In one case, the worker was outside the designated protected area due to an inadequate job safety briefing. In the other, a student removed the block while working unsupervised, allowing a train to travel into the protected area. The NTSB also identified inadequate safety oversight and roadway worker protection procedures as areas needing improvement. While the NTSB already released recommendations with each of the individual investigations, it plans to issue more based on the cumulative investigation addressing all five incidents.

Years of Uncontrolled Leakage Lead to Fatal Mall Collapse

By ThinkReliability Staff

The problems that led to the collapse of a shopping mall’s parking structure were present over its thirty-plus year history says the Report of the Elliot Lake Commission of Inquiry. Multiple opportunities to fix the problem were missed, culminating in the deaths of two on June 23, 2012. Says the report, “Although it was rust that defeated the structure of the Algo Mall, the real story behind the collapse is one of human, not material failure.”

Yes, corrosion of a connection supporting the parking garage decreased its strength to 13% of its original capacity, meaning that on that fateful day, one car driving over it resulted in its fatal collapse. But the more important story is that of how the corrosion was allowed to increase unchecked, due to leakage that had been noted since the opening of the mall.

Multiple causes were discovered resulting in the fatal collapse. The report that addresses them and suggests improvement is more than 1,000 pages long. Though the detail in the report is outstanding, an overview of the information from the report can be diagrammed in a Cause Map, or visual root cause analysis, allowing a one-page overview that clearly shows the cause-and-effect relationships.

It’s important to begin with the impact to the goals. Doing so gives a starting point – and focus – to the cause-and-effect questioning. In this case, the safety goal was impacted due to the 2 fatalities and 19 injuries caused by the collapse. The mall experienced severe damage, and the rescue and response efforts were comprehensive and time-consuming. Additionally, an engineer was criminally charged due to negligence from issues with the mall’s structural integrity.

The fatalities, property damage, and rescue efforts all resulted from the catastrophic collapse of the mall’s rooftop parking structure. The collapse was caused by the sudden failure of a connector. Material failure results from stress on an object overcoming the strength of the object. In this case the stress on the object was a single vehicle driving over the connection in question (evidenced by a video of the collapse). The strength of the connection had been significantly reduced due to corrosion, caused by the continuous ingress of water and chlorides on the unprotected beam.

The leakage was found to stem from a faulty initial design of the waterproofing system from construction of the mall in 1979. Specifically, the architect’s suggestions regarding waterproofing were ignored due to cost and land availability concerns, and the waterproofing system was installed during suboptimal weather because of construction delays. After construction, the architect signed off on the design without inspecting the site, beginning the first in a long list of failings that would eventually cost two women their lives.

Over the years, there were multiple warnings (not the least the need to use buckets to collect leaking water on a fairly constant basis) that were never resolved. According to the report, the problem was never fully addressed with maintenance and repairs but rather pushed off with cheap, ineffective repairs or by selling the structure (as happened twice in its history). For the most part, the local government did not investigate complaints or enforce building standards, apparently unwilling to interfere with the operation of a large source of local revenue and employment.

When the local government finally did get involved and issued an Order to Remedy in 2009, the building owner appeared to provide deliberately false information that suggested that repairs were underway, leading to a rescinding of the order later that year. After an anonymous complaint in late 2011, an engineer with a suspended license performed a visual-only inspection which had to be signed off by a licensed engineer. After it was signed, the engineer testified that he had changed the contents of the report at the request of the owner, leading to the criminal charges against him for negligence.

Although plenty of failings were discussed in the report, it states very clearly, “This Commission’s role is not to castigate or chastise; its only purpose in finding fault, if it must, is to seek to prevent recurrence. Criticism of prevailing practices serves only to suggest their improvement or, if necessary, elimination.” In the report, the Commission discusses multiple suggestions for improvement – specifically clarifying, enforcing, and providing public information regarding building standards. Hopefully, the lessons learned from this tragic accident will allow for implementation of these solutions to ensure that thirty years of negligence isn’t allowed to cause a fatal building collapse again.

Freight Trains Collide Head-On in Arkansas

By Kim Smiley

On August 17, 2014, two freight trains collided head-on in Arkansas, killing two and injuring two more.  The accident resulted in a fire after alcohol spilled from a damaged rail car ignited, prompting evacuation of about 500 people from nearby homes.  The trains were carrying toxic chemicals, but none of the cars carrying the toxic chemicals are believed to have been breached during the accident.

The National Transportation Safety Board (NTSB) is currently investigating this accident, but an initial Cause Map, or visual root cause analysis, can still be built to help document and illustrate the information that is known.  One of the benefits of a Cause Map is that it can easily be expanded to incorporate information as it becomes available.  The first step of the Cause Mapping process is to fill in an Outline with the basic information for an incident.  In addition, anything that was different at the time of accident is listed.  How the incident impacts the overall goals is also documented on the bottom of the Outline.

Like many incidents, there are a number of goals that were impacted by this train collision.  The safety goal is obviously impacted by two fatalities and injuries.  The property goal is impacted because of the significant damage to the trains and freight.  The labor/time goal is impacted because of the response effort and investigation that are required as a result of the accident. Potential impacts or near misses should also be documented so the potential release of toxic chemicals is considered an impact to the environmental goal.

The second step is to perform the analysis by building the Cause Map.  To build the Cause Map, start with one impacted goal and ask “why” questions.  Each answer is added to the Cause Map.  Each impacted goal should be considered and the cause boxes should all connect at some location on the Cause Map.  Starting with the safety goal in this example, the first question would be: why were two people killed?  This occurred because there was a train collision.  The trains collided because they were traveling toward each other on the same track.  No details have been released about how the trains ended up on the same track.  The trains’ daily recorders (which provide information about the trains’ speed, braking and throttle) have been found and will be analyzed by investigators. The NTSB has stated that they will be looking into a number of factors such as the train signals and fatigue since the accident occurred late at night.

The final step in the Cause Mapping process is to develop solutions that can be implemented to reduce the risk of a similar problem recurring in the future.  Since the investigation is ongoing, talk of solutions is premature at this point.  Once more is known about the causes that contributed to this issue, the lessons that are learned can be used to develop solutions.

“Ghost Train” Causes Head-On Collision in Chicago

By Kim Smiley

On September 30, 2013, an unoccupied train collided head-on with another train, sending 30 people to the hospital in Chicago. In a nod to the season and the bizarre circumstances of the accident, the unoccupied train has been colorfully dubbed “the ghost train”.

So what caused the “ghost train” and how did it end up causing a dangerous train collision?  Investigators from the National Transportation Safety Board (NTSB) are still reviewing the details of the accident, but some information is available.  An initial Cause Map, or visual root cause analysis, can be built to capture what is already known and can be expanded to incorporate more information as the investigation progresses.  A Cause Map is built by asking “why” questions and documenting the answers to visually lay out all the causes that contributed to an accident to show the cause-and-effect relationships from left to right.

In this example, the trains collided because an unoccupied train began moving and the safety systems in place did not stop the train.  Investigators still haven’t determined exactly what caused the train cars to move, but a key piece of the puzzle is that there was still power to the cars while they were being stored in a repair terminal awaiting maintenance.  The NTSB believes that it was common practice to leave power to cars so that the lights could be used to illuminate the terminal.  Workers used the lights to discourage graffiti and vandalism because the terminal was located in a high crime neighborhood. 

Investigators will need to not only determine why the train started rolling, but also learn more about why the safety systems didn’t prevent the accident.  Before colliding with another train, the unoccupied train traveled through five mechanical train-stop mechanisms, each of which should have stopped a train without a driver.  Emergency brakes were applied at each train-stop that caused the train to pause momentarily, but then it started moving because the setting on the master lever caused the train to restart.  Review of the safety systems will need to be part of the investigation to ensure that adequate protection is in place to prevent anything similar from occurring again.

The NTSB investigation is still ongoing, but the NTSB has stated that de-energizing propulsion power and using an alternate brake setting could help prevent unintended movement of unoccupied train cars. Additionally, the NTSB believes the use of a wheel chock and/or derail would ensure that a train stopped by a mechanical train stop mechanism remains stopped.  Based on the information already uncovered, the NTSB has issued an urgent safety recommendation to the Federal Transit Authority (FTA). The NTSB recommended that the FTA issue a safety advisory to all rail transit properties to review procedures for storing unoccupied train cars to ensure that they were left in a safe condition that wouldn’t allow unintended movement and to ensure that they had redundant means of stopping any unintended movement.  There is more information that is needed to fully understand this accident, but these precautions would be effective solutions that can be quickly implemented to reduce the risk of train accidents.