02.19.14

Dear NTSB.gov

Posted in Uncategorized at 18:56 by Administrator

The NTSB has released an open letter to Metro-North Railroad containing its initial safety recommendations derived from the ongoing investigation into the December 1, 2013 derailment of train 8808 which killed four passengers and injured 59 people.

I’d reproduce the letter, or the link to it, but the NTSB decided, in addressing the letter to Joe Giulietti, Metro-North’s current president, to include Mr. Giulietti’s email address for all the world to see, and copy to its address books. Nice touch, isn’t that? I really don’t want to add another vector for every bot on the web to use to bombard Mr. Giulietti with invitations for cut-rate Viagra, or chances to purchase penny stocks for just… well, pennies.

The recommendations are that MNR 1) systematically install “approach permanent speed restriction” signs, and presumably “permanent speed restriction” signs and “resume” signs along its right of way.  Although the NTSB does not mention specifically the latter two fixed indicators, those who are conversant with, and responsible for rail operations know we don’t do one, we can’t do one, the approach permanent speed restriction sign, without doing the others. 

Word.

There is nothing wrong, and only good, in installing such fixed indicators, particularly along a railroad which has no fixed automatic signals save those at interlockings.  It’s good to have physical reference points.  The templates for many railroads’ operating rules—GCOR, NORAC, the old Consolidated Code—have provisions for the installation and use of such signs.  There’s nothing wrong, and nothing new, in that.   It costs little, it’s helpful, and of course, to be effective operating a railroad with permanent fixed indications, requires the exact same thing(s) that operating a railroad without these fixed indicators requires: proper training of employees, proper supervision of employees, and proper enforcement in incidents of non-compliance.

The NTSB recommendations do not address those three root (or in today’s jargon, “core”) requisites (or in today’s jargon, “values”) which of course are the same root (or in today’s jargon, “core”) requisites (or in today’s jargon, “values”) for any, and every, function on a railroad, any railroad (or in today’s jargon, “system”).

Enough of “today’s jargon,” which has induced successive waves of nausea in me ever since it became popular, which was yesterday, or some collection of yesterdays.  You might call me “old-fashioned” but actually I’m not retro enough to be chic.

So, since that recommendation, helpful and innocuous as it is, doesn’t address the root requisites, the basis  for preserving the vitality of train operations (to use my language), it’s not  likely to have any real significance for the safety of employees and passengers.

In making its recommendation, NTSB gets some of the details wrong—stating for example that “As a result of the accident, Metro-North installed approach permanent speed restrictions signs to aid operating crews at the derailment location,” when in actuality MNR installed a code in the rail triggering a 30 mph speed restriction enforced by the on-board ATC system. 

I know it’s just a detail, but those who are conversant with and responsible for safe train operations know that the devil, the lord, and the vitality of the railroad are all in the details.

Word.

NTSB also fails to mention the impact of FRA’s Emergency Order 29, specifically requiring MNR to provide additional protection in areas where decelerations of 20 mph or greater are required, and the mandatory adaptation of the train control system to enforce such decelerations.

Just another detail.

So much for the first recommendation:  nice, helpful, good, innocuous, and……..superficial.

The second recommendation isn’t new either, but unlike the first, there isn’t a long history of the use of the “inward- and outward- facing audio and image recorders to assist in accidents investigations and with management and regulatory oversight of rules compliance.”

There’s some history, particularly with outward facing video cameras.  These cameras have been quite valuable in recording incidents at grade-crossings and…..signal violations.  As a matter of fact, the UP freight train lead locomotive that was struck by the Metrolink commuter train in Chatsworth, California was equipped with an outward facing video camera.  I’ve seen the video, and if you haven’t, believe me, you don’t want to.

The point, of course, is that while the outward video camera can be helpful after an incident for reviewing the circumstances, and for confirming in all probability what we already know to have occurred from other evidence, it does nothing to prevent the specific incident. 

Short version:  Outward video cameras are of some benefit; a benefit limited to post-accident analysis.

I’m pretty sure that NTSB does not seriously intend for railroads to equip locomotives with “outward-facing” audio recorders.  Just another detail I guess. But maybe not.  So what about inward audio recordings?

Here we confront not just a recommendation of extremely limited value, but a recommendation that is pointless.  First, commuter train operations are overwhelmingly single person cab operations.  Exactly what do we expect to hear from the internal audio recorder?  Snoring?  MP3 players?  Radio transmissions? 

Those of us conversant with and responsible for railroad operations know that railroad radio transmissions involving main line operations are already recorded and available for playback.  So what role would an internal audio recorder play in a) either the investigation of an accident or b) review of employee performance in order to identify failures, weaknesses and thereby prevent a future accident? 

The application of internal video recorders may or may not be pointless, but this is one case where I myself might apply a cost benefit analysis, given the extremely paltry return on investment derived from the use of the data available from such recorders.

Let me explain: If the video record after an incident shows the locomotive engineer utilizing a cell phone, exactly of what significance is that to the current investigation, or future accident prevention, when the data is derived after the fact? We already have regulations against the use of such devices, and more importantly, we already know a certain number of employees are going to violate those regulations. So we should already know that our obligation, those of us conversant with and responsible for train operations, is to oversee, confirm, and enforce, by and through our repeated and persistent physical presence, the employees’ compliance with the rules. And you can’t do that “virtually.” So exactly what are we going to learn that we don’t already know?

Returning to the Chatsworth collision, does anybody want to watch a video of a locomotive engineer on his cell phone, blowing by a stop signal and colliding head on at 47 mph, with various parts being separated from what was once a whole body?  And the UP engineer?  Do we want to watch what happens to him?  Maybe with a sound track?  Exactly what do we need to hear?  “Oh shit!”???    “JUMP!”??

Short version:  You can’t supervise the railroad “virtually.”  You actually have to be there.  You actually have to know what you’re doing, what you’re supposed to do.  You have to know the details.

NTSB does not recommend real-time monitoring of video recorder data—the transmission of images to a human observer. Nor does NTSB even acknowledge, much less recommend, that new locomotives and MU locomotives are capable of real time transmission as to location, speed, braking effort, etc. It would make at least some sense to monitor those operating parameters in real time, even if the monitoring would present an unmanageable burden to the railroads, given the person-hours required to provide that monitoring. Such monitoring might actually prevent an accident. Indeed such “pro-active” (to use today’s jargon) monitoring is the basis for the algorithms that will drive PTC systems. PTC is where we need to be, or rather, a PTC that defines the limits to one train’s movement authority as the rear end of the train ahead, not “restricted speed” at a signal location.

There’s another aspect of  NTSB orientation that makes this recommendation superficial, and ineffective, at its best.  That aspect is NTSB’s reluctance to acknowledge, support, and endorse  a critical component of enforcement—which is the application of  discipline.

NTSB has been explicit in its criticism of railroads’ “punishment-based” culture  regarding employee failure.  The Board has spoken against the “unjust culture” prevalent on railroads where a “good employee” can, for a first, but serious, violation of the operating rules, face mandatory suspension without pay. 

NTSB isn’t alone in its uncharitable assessment of railroad disciplinary processes. Associates of the Volpe Institute have made similar evaluations. Apparently, FRA has also joined in the chorus as it intends, in its next IMOU for C3RS reporting, to include decertifiable offenses (like stop signal violations; like exceeding the limits to a movement authorization) under the protective umbrella of C3RS.

Well, we, those of us conversant with and responsible for safe train operations, need to clear the air about this, and refute these characterizations whenever and wherever they arise. Let’s get this out of the way (this one time) in a hurry. The fact that a “good employee” can, after years of good service, suffer serious consequences for an operating rule violation is not an indicator of an “unjust culture.” It is an indicator that, indeed, the consequences for an operating rule violation in and of itself can be so much more severe than even the most severe disciplinary rendering. The consequences can be death, and death to more than just the employee violating the rule.

That’s how we, those of us conversant with and responsible for safe train operations,  judge discipline; that’s how we determine “justice” in our culture.  We, those of us conversant with and responsible for safe train operations, are actually doing the employee a favor.  We are being lenient when we assess a 30 day or 60 day penalty for a serious rule violation.  We, those of us conversant with and responsible for safe train operations, are taking a real risk; a risk that our decision to only suspend, rather than dismiss in all capacities, the employee, will not come back to haunt us. 

The risk, the “haunting” is not confined to simply that individual employee returning to work and violating the same or similar rule with the “penalty” being assessed by the laws of physics against him/her and others who committed no such violation.  The risk and the haunting is that the employees collectively, will ignore, disregard not the disciplinary consequences of a rule violation, but those consequences of the laws of physics if and when we, those of us conversant with and responsible for safe train operations act in anything other than the most serious, determined, and responsible manner. 

Our use of progressive discipline is an attempt at leniency, and it is a conscious acceptance of risk and responsibility, something that some individuals, those not conversant with and responsible for safe train operations may never understand.

 Now that’s  OK, if  they don’t understand it.  Just don’t let it, or them, get in your way.  Don’t let it, or them stop you from meeting your responsibility in removing from service, permanently if conditions so warrant, an employee who represents a threat to the safety of himself/herself and/or others. 

So the next time, someone who has conducted studies on C3RS says to you, as was said to me,  when you question the functioning and the benefits of such a program, “From your questions, you sound like that old school-railroader with that attitude  we’re trying to overcome,”  smile and just say “thank you,”  because I’ll tell you a not so secret secret—the problems some of the commuter railroads are now experiencing are the results of years of trying to “get rid of” that “old-school railroader attitude.”

I have to tell you, if I were running a railroad today, Class 1 or passenger, facing the mandatory implementation of PTC (which I support) at the same time as I am being subjected to such conflicting, and nonsensical pressures regarding enforcement, I really would look to technology rather than supervision for a solution.  And I would look at all this news about drones, drones for Amazon.com deliveries, drones for fire departments, drones for everything, and I would put all that droning together and think how wonderful it would be if I could “drone” my trains—operate all of them no matter where they are remotely, with a joystick, from a single location.  Let the track database, the train handling algorithms, the outward facing video cameras (giving your drone controllers a view of the right of way) actually give you a return for the investment, in this case the return being “no-bang” for the buck.  The controller is there only in case an event arises that the algorithm cannot handle—say a pedestrian trespasser walking along the right of way, not paying attention.

Imagine the “just culture” we could create.  Imagine how little fatigue would be a factor in employee performance.  Imagine how much we could save on “away from home” terminal status; on initial terminal delay; on crew calls; on arbitraries; on training and certification.

I know that’s years away and I’m a dreamer. But I’m a practical dreamer, and I want to make a practical contribution to accident elimination, so I propose the following. Since the MOU for C3RS programs specifically exempts “real-time observations” of rule violations from its protective mandate; and because examination of real-time data can include immediate transmission from a moving train; and because the amount of real-time data transmitted from moving trains presently exceeds the capacity of immediate railroad response; and because only 60,000 miles of the general railway network will be equipped with PTC systems; therefore any review of data from any source– locomotive event recorder, digital archive and replay of control center’s record of train movements, or review of wireless train data transmissions etc.– that provides evidence of an operating rule violation will qualify as “real-time observation” and will not be subject to C3RS protections.

That’s what I would do, thoroughly modern old school railroader dreamer that I am, with a thoroughly modern  old-school railroader dreamer attitude for which I’m grateful.  I’d do my level best to put the NTSB out of business.  And that’s an attitude the NTSB should welcome.  

dmschanoes@ten9osolutions.com

February 19, 2014

 

11.10.13

I Wanna Testify Part 3

Posted in Uncategorized at 01:12 by Administrator

How did we get here,  to that point where those strongest advocates of safety culture and risk assessment do not recognize the need to evaluate the  risk to safety their own recommendations pose?  Is it yet another example where we depreciate our systems?

To figure that out, we have to go back a bit in the history of the railroad to determine the real “core values” of railroading.

So let’s begin.  Railroads are businesses.  Initially they are organized to make money through the more rapid movement and delivery of goods and people to destination.  To do that, to make that money, to deliver those people and goods, railroads are compelled, and not always or even most of the time by their own volition, to adopt and adapt measures that promote the safe movement of trains.

Today we call that a “core value.”  Back in the day, we called it the vitality of the railroad.  The vital process of the railroad was the authorization for the safe movement of trains.  The vital process of the railroad could not be fulfilled simply through granting authority.  The conditions for that authorization had to be created and more than created, they had to be reproduced in every component, each facet– infrastructure, train control, vehicle maintenance, and human performance.  Creating that code for reproduction of the vital authority was and is embodied in the operating rules and timetables.  So important was/is the integrity of that code, alterations and adaptations of that code for specific circumstances not established by the timetable or its special instructions require(d) written authority  issued over the signature or initials of the railroad superintendent.

As railroads developed, their importance to the movement of goods and people grew to the point that they could not, and did not, function solely as private enterprises, but also as public utilities.  This dual nature, this “socialization” of the railroad, is the product of its very success as a safe means of transportation.

None of this was accomplished easily, and not much of this was accomplished by the “invisible hand” of the market place.  The “invisible hand” doesn’t really exist,  the three “A”s– Ayn Rand, Alan Greenspan, and Adam Smith– to the contrary notwithstanding.  Public pressure, government intervention and/or the threat of government intervention, demands from labor have been essential to the evolution of the vital process.

No less essential to this evolution has been enforcement of the elements of this code.  The rules and procedures for safe train operations are useless if they are not applied.  They cannot be applied without being enforced.  Violations of the vital process of the railroad are just that– threats to the safe train operations and must be treated as such.

Let’s dispel some, if not all, the distortions and myths that characterize enforcement, and the ways railroads ensure compliance.  First and foremost, and contrary to the impression one could obtain at these hearings, railroads do not unilaterally, arbitrarily, capriciously utilize enforcement to “punish” employees.  Doesn’t mean railroads or its officers are perfect.  Doesn’t mean that officers aren’t susceptible to prejudice, vindictiveness, or simply errors of judgment.  It does mean that the processes of enforcement are not expressions of such frailties.

It does mean that railroads don’t solely rely on discipline.  It does mean enforcement is not exclusively the application of discipline and punishments.  It does mean that the railroads do extend extraordinary efforts to train, educate, explain, qualify, re-qualify, counsel and assist employees.  It does mean all those things make up enforcement.

Railroads do not immediately turn to punishment in cases of rule violations.  Again efforts are made to train, educate, explain, qualify, demonstrate requirements to employees prior  to initiation of disciplinary proceedings, depending on the severity of the violation, and the assessment of risk to the vitality of the railroad that the violation presents.

If and when violations occur that jeopardize safe train movements, railroads must immediately act to remove that person or persons from a position where he or she can be a threat to the safety of other employees or the public. To fail to do so, to fail to enforce this, is a failure to discharge a responsibility as a public utility.

Employees facing disciplinary proceedings are not “helpless individuals” facing a corporate giant.  Employees are represented, and represented quite effectively by their labor organizations which are very successful in reducing and/or eliminating the assessment of punishments.  The record of the ACRE organization on Metro-North is the best example of that I had, or have, ever encountered in my 30 years as a railroad officer.

None of the incidents that occurred on Metro-North railroad has its cause in the arbitrary use of discipline, the improper application of discipline, the “lack of communication” between tops, bottoms, or sides of the railroad, “intimidation,” “lack of trust,” “asymmetrical applications of authority,” or any other characterization of relations between management and labor.

So let’s look a bit more closely at what is proposed as a new paradigm to move railroads away from this mythic model of “crime and punishment.”  And let’s see how these alternatives actually apply or don’t apply when violations of the vital process, the conditions for safe train operations, occur.

One such innovation is “close call confidential reporting.”  FRA describes close call reporting as, “a voluntary, confidential demonstration program for railroad carriers and their employees to report close calls without receiving disciplinary action.”

That’s cool.  Get comfortable, because I’m going to tell you a story.  Years ago, Metro-North equipped its Hudson and Harlem lines, and the equipment operating on those lines, for cab signal/automatic speed control operation.   Every controlling cab was equipped with an audible indicator denoting a change in the cab signal which required a reduction in speed.  The audible indicator was affixed in such a way, however, that it could be unfastened from its position within the cab and literally shoved behind a metal panel, thus deadening the sound.  And sure enough, sooner rather than later, engineers began reporting over the radio the absence of the audible indicator in its proper location and the inability to hear the alarm when conducting the cab signal pre-departure test.

Certain enterprising locomotive engineer(s) were unscrewing the securing ring and shoving the indicator behind the plate.  The fact that such an action was tampering with a safety device and could damage the apparatus, thus placing co-workers and public at risk was of little consequence to the perpetrator(s), and I use the term perpetrator(s) with deliberate intent.   A little bit of leg work and I had figured out pretty much who the perpetrator(s) was/were.

Now, let’s substitute the “close call confidential reporting system” for the leg work. I get a call from a conductor, who in confidentiality tells me that the engineer he/she works with has been disconnecting the audible indicator on the cab signal system. Now what? What does a line officer do? Go out there and “re-educate” the engineer about his/her duty to not tamper with a safety device? And in so doing make it obvious that the conductor is the one who has provided the information? Exactly what benefit is such a system?

It is argued that such a system will provide new streams of information enabling officers to better understand the causes of trends in operating violations.  Specific reference was made in the hearing to the increase in stop signal violations in Metro-North’s Grand Central Terminal.

I know a little bit about Grand Central Terminal and a little bit more about trends in stop signal violations.  We experienced three such “abnormal” increases in the rates of stop signal violations in the terminal during my tenure.  The first was among conductors assigned to yard and switching service in the terminal and occurred when the conductors were making reverse movements through the interlocking.  We conducted interviews with each of the individuals involved and quickly determined that these employees were not properly trained and should not have been qualified as yard conductors in the terminal.  The operating officers in GCT then developed their own qualification tests, both written, and “ridden” for employees seeking to qualify as yard conductors.  The trend quickly reversed itself and fell back within its historical average.

In response to a second uptick in violations, we conducted extensive sight distance testing on the placement of signals in the terminal and moved certain signals to provide a greater preview, in some cases elevating the signals.

A third unusual increase in the rate of stop signal violations in the terminal provoked another series of investigations, and  we found the training process for engineers in Grand Central was not adequate for the demands of service in that terminal.  This time we called upon the office of the General Road Foreman of Engines (staffed by two of the most talented individuals I have ever encountered in this industry) to change the training and qualification process.

What we never did, and never would do is waive the discipline for an actual stop signal violation.  The speed requirement in GCT is restricted speed, prepared to stop short within half the range of vision etc. etc. etc. and nothing relieves the engineer of his/her responsibility to comply with that requirement.

It is somewhat astounding to me that when supposed experts talk about the rail industry, they talk about the  supposed backward state of its “communication channels,” its supposed “disconnects,”  its “adversarial relations” with labor, its “failure” to embrace  “just society” parameters, all those things that are so debilitating to “safety culture”  “core values”  “partnering”  “teamwork” and safe train operations.  You would never guess that rail is the second safest mode of public transportation in the US,  trailing only travel by air, which is, and better remain the safest mode.

In the two days of hearings, I never once heard any board member, any “expert,” any “investigator” and not even a witness state that fact. If in fact the rail safety record is being hampered by these vital flaws, then I recommend that the other modes of transportation adapt these flawed elements for their own benefit.

I heard no mention by a board member or investigator or an expert on the panels of inquiry of the tremendous, measurable improvements in rail safety made since 1986.  It’s as if 25 years of progress, development, lives saved hasn’t occurred.  Well, it has occurred. And its driving elements have NOT been close-call reporting, or waiving discipline.  Let’s speak clearly here.  The improvements have been brought about in large part  by mandatory regulations:  by random and mandatory alcohol and drug testing, and by enforcing the penalties for violations; by locomotive engineer certification and penalties for failure of railroads to properly train, certify, audit, recertify the locomotive engineers; by roadway worker protection and the requirement to properly train employees and enforce the requirements of the regulation; by the installation of cab signal/speed control systems for passenger service in the Northeast Corridor region.  They all cost money, they all take time, they all require training, education, application, enforcement, effective supervision.

I’m for effective regulation, just like I’m for effective supervision.

Yes, to err is human.  To forgive is divine.  Enforcement is more important than either.  We’re not in the divinity business.  We’re in the vital process of safe train operations.

Done testifying.

 

November 10, 2013

11.08.13

I Wanna Testify, Part 2

Posted in Uncategorized at 22:25 by Administrator

Video record of the two days of hearings is here and here.

The Day 1 PM session was devoted to a discussion of the crash-worthiness of the M8 cars involved in the derailment.   As much responsibility as Metro-North, and specifically Metro-North management,  must accept for the cause of the derailment, a responsibility it did not attempt to deny, exactly that much credit should be awarded to MNR, the car builder, Kawasaki, and the FRA (for the crash-worthiness regulation standards) for the performance of the M8 vehicle. There were no fatalities.  To my knowledge, there was no loss of life or limb.

Certainly, the crash speed, a combined 23 mph (1548 was stopped, 1581 was in emergency braking) was of primary significance.  Speed is the critical factor, with energy increasing by the square of the speed.  Design for crash worthiness, however, is based on a) probability of occurrence b) level of risk for each type of incident adjusted for probability of occurrence c) preserving the ability of the vehicle to provide the necessary service, the performance requirement, during normal, intended operation– the non-crash environment d) the accumulated knowledge from previous collisions e) the technical ability to actually construct and install the crash management feature.

“Progress,” such that it is, is necessarily and always incremental.  Short version:  You have to make the decision before you can get the information for further decisions.  Even if the M8 cars had not performed so “valiantly,” no reproach to MNR, Kawasaki, FRA would be warranted.  There was no negligence, no carelessness in the process of a) establishing the crash-worthiness standards b) design and specifications for the vehicle  c) construction of the vehicle  d) testing, validation, and acceptance of the vehicle.  I know a little about this, since I was involved in formulating some of the requirements for the M8 vehicle. I have been involved in the previous testing and acceptance of other systems and rolling stock while employed by Metro-North.

David Tyrell from the Volpe National Transportation Center, who I think knows more about rail vehicle crash management, and the history of the regulation, than any other single person, explained the process by which the collision strengths were determined, and that such determinations were a product of this calculus.

The NTSB board members were focused on the fact the “collision strength specification” for the B end (“B” is the rear end, derived from the “B for brake” as the handbrake is located in the “B” end.  Cars, including MU cars have an “A” end, as in “A is for head.”  Locomotives have an “F” end, as in “F for front,” and the F end is designated by the letter “F” applied to both sides of the F end) is approximately half of that required for the head end, the A end, of the vehicle.  A board member stated that, since the energy of a collision, even a head-on collision, is transmitted throughout the train, the train is “only as strong as its weakest link.”

Wrong.

The energy is not simply transmitted throughout the train.  The energy is dissipated, absorbed, mitigated as it is transmitted throughout the train even when “hardened” elements are not installed.  When crash energy management systems are installed at the head end of the vehicle, that dissipation, absorption, mitigation is even greater and provides greater security throughout the entire vehicle, throughout the entire area of occupancy as the M8s did in this derailment.

If such energy were not dissipated by the structure of the vehicle, then we would expect to see the deformation and destruction at the rear end of the car equivalent to that at the point of impact, and if that were the case, we’d have to do a lot more than get a new set of specs, we’d have to revise the very physics we’re using.

It’s always a surprise to me when those who talk about risk assessment, measuring risk, and responding appropriately to actual evaluations of risk seem to forget the fundamental elements of risk assessment– meaning exactly “what is the risk?”  The M8 configuration is that of back-to-back “married pairs.”  Control cabs on opposite ends, “B” ends  coupled together almost in a fixed arrangement.   The “risk” of the B end receiving impact energy equivalent to what the head end may receive is greatly reduced by the configuration of the equipment.

The B end is only “half as strong”?  OK, let’s assess that risk in this incident.  Speed at initial point of contact?  Approximately 23 mph, 33.73 ft per second.  Distance before the head end of 1581 contacts the B end of the head car, or second head car,  of 1548?  Approximately 85 feet, the length of one car.  Approximate rate of deceleration of the M8 in emergency brake, (based on previous experience with EMU pairs) 2.7 mph/sec,  3.96 ft/sec/sec; estimated speed of A end of 1581 impacting B end 1548, head car or second head car, 14.31 mph, or 62% of the speed at the initial A end to A end impact.  Because the energy is a factor of the square of the velocity, 62% of the original velocity transmits an impact energy at the B end  equivalent to 38% of the energy at the initial point of impact on the A ends.

Now, I’m only using paper and pencil here to make these calculations, and using simple math, but it seems to me that somebody made a damn good call, a pretty good assessment of risk, in requiring the collision strength at the B end to be half of the strength at the A end.  It’s simple math, sure, but you know what? I’m a simple person.  Railroading is a simple business.  Railroading is all about simple math.  It’s time, speed, distance.

It was then and there that I heard the all too mortal words of Frost in Aliens playing in my head: “Man, I’m telling you, I got a bad feeling about this drop.”

A member of the technical panel questioning the witnesses focused on the fact that when it comes to design specifications of the vehicle, and/or field modifications, the safety department of the railroad does not have input or right of review.  Let’s stop and think about that for a second.  Imagine we take a panel of safety experts, professional investigators, analysts, etc. and provide them with the power to investigate, review, and recommend changes to policies, procedures, performance requirements, structures, etc. on a railroad.  Now we formally establish this safety group, invest them with a status equal to that of the other groups on the railroad, and we call the group the “Safety Department.”  We send them the design specifications and field modifications for construction of a passenger rail vehicle and ask that board to evaluate, review, validate, and certify those specifications.  What would that department do?  It would not itself evaluate and review that material.  That department, recognizing the limits to its expertise, would a) acknowledge it does not have the knowledge to discharge such an obligation, b) turn to the engineering, design, and capital groups of the railroad to undertake the evaluation, c) ask the mechanical department to ensure the compliance of the vehicle with all applicable regulations, MNR requirements, performance and operating standards…and recommend the hiring of outside parties to assist the internal departments of the railroad in these efforts.  In short, the very same process that is currently used by railroads in procuring passenger equipment would be the result of engaging the safety department.

I had a bad feeling. I thought, excuse me for speaking bluntly, that somebody was trying to make something out of nothing.  When that happens, I know that means something else that shouldn’t is going to be made into nothing.

I had a bad feeling. And there was nobody there to tell me “You always say that, Frost. You always say,  ‘I got a bad feeling about this drop.’ ”

 

November 8, 2013

 

Don’t touch that dial, the fun is just starting.  Coming Day 2.

I Wanna Testify, Part 1

Posted in Uncategorized at 16:30 by Administrator

I attended in person for several reasons:  1) I could.  I’m retired; I have the time.  2) I could.  I’m retired; I have the time and I have the money.  3) I could.  With time and money I could purchase a ticket on Amtrak and arrive, theoretically, before the hearing started.  4) I could.  With time, money, ticket, and faith in Amtrak, I could return the same day.  I would not have to stay in DC overnight… something else that gives me the shivering willies, and which explains, by the way, why I opted to catch day one of the hearings via the streaming webcast.  Brave new world, everything you need to know is on a flat screen.

Wait, there are more reasons: 4) I worked for Metro North for 23 years, accruing a certain degree of authority, responsibility, credibility, and establishing a certain level of performance of which I was, I am, I will always be proud.  Not just pride of self, but pride in how the railroad improved, developed; how it established its authority, discharged its responsibilities, achieved its level of performance.  5) I have friends, colleagues, and co-workers still there whom I look forward to seeing with such selfishness that I wasn’t worried about how they might feel seeing me.

There’s still more: 6) Most importantly of all, I wanted to attend because the two accidents in May, one a derailment due to failure of a joint under train movement producing a raking collision between two trains, yielding damage and injuries; the other a fatality of a roadway worker when a train was improperly allowed into the work zone, critically demonstrate the greatest challenge we face– human factor.  Not human error.  Not human mistakes. Not human ignorance, human weakness, not the inexplicably human behavior of behaving in an inexplicable manner.  But human performance.   That is to say that tendency to, literally, live off, draw down, consume the “capital” embedded in previously, and properly, engineered track, train control, and vehicle systems; to subject and encumber the railroad system with creeping minimalism, where we organize, supervise, institutionalize, work to a minimum standard, to a “condemnable limit” and then convince ourselves that the minimum acceptable standard, the condemnable limit is indeed “good enough,” and indeed can be, if not broken, at least “pushed.”

We no longer have to assess, much less require, the level of effort in maintenance,  in execution, and most of all, in supervision that corresponds to the level of effort previously embodied in the design, construction, and supervision of those systems.

We are human beings.  We depreciate the systems, the value of the very systems we rely upon for performance. 

And then we develop an ideology, with an impressive vocabulary, to excuse our depreciation, our unwillingness to maintain, execute, and most of all supervise.   Hell, we develop whole disciplines to justify our unwillingness and explain how the problem is somewhere else– in “attitudes”  in “bad employee relations,” in “poor communication channels,”  in utilizing “obsolete” “punishment and discipline” to enforce the effort necessary to performance.

We get a world of buzzwords, and I’m here to tell you, buzzwords kill.

It was established early, and clearly, that the  May 17, 2013 derailment and raking collision was the result of a failure to take proper actions regarding a repeatedly appearing and worsening track defect.   It was established by the Metro North witnesses that the incident was the product of a systematic failure of supervision.  Now supervision, like performance, is, but is not solely, a question of individual human performance.  The field officer has exactly that:  field responsibility.  Supervision is also a system.  The system requires that somebody supervise the supervisor.   Systems require that the “checking loop” go all the way to the very top.

However, we have labored for too long under what I call “the nonsense theory of management”  that says a) a good manager doesn’t have to know the details of the operation to make the operation good.  He/she has to be able to “manage people.”  and b) managers should “delegate.”  These abstractions “managing people” as opposed to knowing the requirements, the methods and means to a good operation, and “delegation” are complemented by the criticism and dismissal as “micro-managers,” “detail obsessed,”  of those supervisors who do take the checking loop seriously.

So let’s get it straight and early:  Knowing the details of the operation, of the systems required to make the operation perform is essential to managing the operation.  You cannot be responsible for the performance of a railroad and not know what “safe separation of trains” means.  Having such knowledge is not sufficient, but it sure is necessary.

You cannot manage an operation in real time by looking at performance indicators, as such performance indicators, even in their most current form, are lagging indicators.  The real time for systems management is always the level of effort going forward.

That’s just my personal observation, and I may be wrong.  But I’d be willing to put up my experience, my performance, and the performance of the railroad in every category under my supervision for inspection and evaluation.

Stay tuned…………more to come.

 

 

04.25.13

If, if only, only…

Posted in Uncategorized at 20:58 by Administrator

I was lucky enough to attend the recent 3rd Annual PTC World Congress in Orlando, Florida, organized by the UK-based Global Transport Forum.  The conference itself was pretty well organized by the GTF team.  Lucky indeed, as the temperature in Orlando was 80° Fahrenheit and more, and as Lefty Gomez is reputed to have said, “Better to be lucky than good.”  Some attribute that line to Joe DiMaggio, but that only makes sense if he uttered the remark after Marilyn Monroe accepted his proposal of marriage.

I was lucky enough to meet colleagues, friends (believe it or not) and co-workers from my former employing railroads, and I even made some new friends.  Passed out a lot of business cards, too, which gets my inventory down to a mere 15,000 remaining cards.  Did I mention I intend to live forever?

Anyway, one of my former co-workers asked me during  a break between sessions:  “If you knew then what you know now, what would you have told the RSAC  way back at the beginning of the discussion of PTC?”

Usually I don’t care much for the “what if” type questions; speculation being something best left to commodity traders, asset managers, and quantum physicists.  I remember clearly someone saying to me “If my aunt had a ____________, she would have been my uncle.”  You get to fill in the blank with the word or phrase of your choice.  My personal favorite is “y chromosome instead of that double x…”

But this intrigued me because it seems to me that this whole PTC process, rule-making, testing, validation,  roll out, implementation, has become well.. like a food fight in a high school cafeteria– messy, nasty, with moments of unintentional hilarity, and with hell to pay sooner or later.

Certainly, Amtrak has its ACSES™ system on the NEC, and the ITCS™ operating on a section between Chicago and Detroit, and the Alaska RR has PTC, and BNSF has ETMS™ installed on one (or more?) subdivision.  And Metrolink promises to have its interoperable version of I-ETMS™ fully deployed by 2015, if not 2014.  But let’s speak frankly, the AAR has declared meeting the mandated installation date of December 31, 2015 highly improbable, if not downright impossible.  FRA has seconded, more or less, the AAR’s assertion.  So reassessment didn’t seem completely uncalled for on my part.

Hmmh….. what would I have told the PTC RSAC then knowing what I know now?  Well, the first thing I would say, based on what I know now is:  “We better do something quick before Congress gets involved and we get told to do something we don’t want to do, or don’t know how to do, with mandates for things we don’t need to do.  While we’re discussing braking algorithms, some jerk somewhere is going to blow a stop signal and kill a lot of people, and then, as Hudson said in Aliens: ‘That’s it man, game over man, game over!’ ”

The other thing I would have said is what I did say, about 7 years ago regarding PTC:  “We don’t need this on our railroad.  We have ATC.  What we need is positive train stop at interlockings.  That’s where the risk is, at interlockings.  That’s where you kill people.  We just need to add the positive stop function.”

Well, I was getting into the swing of this “if, if only, only” and I thought I would have told the railroads and the suppliers and the labor organizations and anybody who would listen:  “You know, it would probably be better if we separate the train control function from the wireless data platform.  It might even be better if we put the train control/positive stop system in the ground at, and at the approach to,  interlockings.  Simpler that way, in my opinion.  We know this technology.  We know how to calculate and enforce the required rate of deceleration.  We know intermediate signals are pretty much irrelevant, what counts is the distance to zero velocity.  We know railroading is supposed to be simple.  So maybe we should separate train control from the system’s potential for traffic management and then the traffic management capabilities can be rolled in when the business case for the traffic management function warrants it.  Let’s keep the safety functions separate from the business case, even if that means using separate technologies.  Less computer code needed, that way.  Fewer layers on top of layers compounding the chance of error.  Less chance for the error to jeopardize the vitality of the operation, that is to say the safe separation of trains.”

I would have said those things, arguing essentially that by doing these things now, meaning then, we were buying time– that as long as we prevented collisions involving passenger trains, Congress would be less likely to act, and we could take the time to work out what we needed to do regarding dark territory, switch position, and roadway worker positive protection  (enforcement of temporary and permanent speed restrictions being completely unnecessary in any system of automatic train control– I would have said that too).

That’s what I would have said.  And I also know now, as I knew then, that it wouldn’t have mattered.  My aunt, after all, was my aunt.

 

April 25, 2013

03.14.13

All Screwed Up, 2

Posted in Uncategorized at 21:38 by Administrator

All Screwed Up, Part 2

 

Dancing with the carcass

Subpart I—Positive Train Control Systems

§236.1001 Purpose and Scope

(a) This subpart prescribes the minimum, performance-based safety standards for PTC systems required by 49 USC 20157…

(b) Each railroad may prescribe additional or more stringent rules…

§236.1005 Requirements for Positive Train Control systems.

(a) PTC system requirements. Each PTC system required to be installed under this subpart shall:

(1) Reliably and functionally prevent:

(i) Train to train collisions—including collisions between trains operating over rail-to-rail at-grade crossings in accordance with the following risk based table or alternative arrangement providing an equivalent level of safety as specified in an FRA approved PTCSP

(ii) Overspeed derailments, including derailments related to railroad civil engineering speed restrictions, slow orders, and excessive speeds over switches and through turnouts:

(iii) Incursions into established work zone limits without first receiving appropriate authority and verification from the dispatcher or roadway worker in charge….; and

(iv) The movement of a train through a main line switch in the improper position as further described in paragraph (e) of this section.

(2) Include safety-critical integration of all authorities of a wayside or cab signal system…in a manner by which the PTC system shall provide associated warning and enforcement

(b)(4)(B)Absent special circumstances related to specific hazards presented by operations on the line segment, FRA will approve a request for relief under this paragraph for a rail line segment:

(1)Consisting exclusively of Class 1 or 2 track as described in part 213 of this title;

(2)That carries less than 15 million gross tons annually;

(3)Has a ruling grade of less than 1 percent; and

(4)On which any train transporting a car containing PIH materials (including a residue car) is operated under temporal separation for other trains using the line segment as documented by a temporal separation plan…


(C) FRA will also consider and may approve requests for relief under this paragraph for additional line segments where each such segment carries less than 15 million gross tons annually and where it is established to the satisfaction of the Associate Administrator that risk mitigations will be applied that will ensure that risk of release of PIH materials is negligible

 

(e)(1)(i) (A PTC system shall enforce restricted speed over any switch :) Where train movements are made with the benefit of the indications of a wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety proposed to FRA and approved by the Associate Administrator in accordance with this part; and

(ii)Where wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety, requires the train to be operated at restricted speed.

(2)A PTC system shall enforce a positive stop short of any mainline switch, any switch on a siding where the allowable speed is in excess of 20 miles per hour, if movement of the train over the switch:

(i) Is made without the benefit of the indications of a wayside or cab signal or other similar appliance…; or

(ii)Would create an unacceptable risk. Unacceptable risk includes conditions when traversing the switch, even at low speeds, could result in direct conflict with the movement of another train (including a hand-operated crossover between a main track and an adjoining siding or auxiliary track or a hand-operated switch providing access to another subdivision or branch line, etc.).

(f)Train-to-train collision. A PTC system shall be considered to be configured to prevent train-to-train collisions within the meaning of paragraph (a) of this section if trains are required to be operated at restricted speed and if the onboard PTC equipment enforces the upper limits of the railroad’s restricted speed rule…This application applies to:

(1) Operating conditions under which trains are required by signal indication or operating rule to:

(i)Stop before continuing; or

(ii)Reduce speed to restricted speed and continue at restricted speed until encountering a more favorable indication or as provided by operating rule.

The parts in bold are the sections of the regulation that give me pause—like in 236.1005 (a)(1)(iii) (and as long as I have to use the parentheses key, I might as well state here, that FRA’s numbering and lettering program for the internal structure of the regulation brings me close to tears). Anyway, back to 236.1005 (a)(1)(iii), where PTC must prevent a train from entering a work zone unless it has received authority from the train dispatcher… or the employee-in-charge (EIC).

There should be no “or” in this section, because there should be no train dispatcher in this sentence. It must be only from the EIC. The point is that in creating a work zone, the train dispatcher has ceded his or her authority over that section of track. The train dispatcher is no longer, to use the extremely accurate designation developed by my friend Ron Lindsey, the “vital employee.”

The work zone, by definition, is under the authority of the roadway worker-in-charge. Movements within the work zone are under the supervision of that employee-in-charge (EIC). Even other on-track equipment which is to be used in the work zone cannot be admitted without first obtaining the permission of the EIC. To allow any person other than the person in charge of the track to authorize movement into a work zone is to effectively eliminate the positive function of PTC.

Certainly, dispatchers can relay communication between the EIC and other equipment and personnel seeking access to the work zone. The train dispatcher, however, is not, and cannot be, the source for movement authority. To allow that is to violate the field-office separation which is at the heart of operating vitality.

Then there’s (a)(2) of the same section, (2) Include safety-critical integration of all authorities of a wayside or cab signal system…in a manner by which the PTC system shall provide associated warning and enforcement.

The good news is PTC has to enforce a positive stop. The bad news is PTC has to enforce signals, based on a pre-existing, and now obsolete, indeterminacy in calculating train location, in registering occupancy. Positive stop? That’s for interlockings. For (almost) everything else there’s supposedly “approach” “approach medium” “approach limited” “limited clear” “slow approach” “approach slow” “slow clear” “medium clear” “advance approach medium” “diverging approach” “approach diverging” etc.—all those souvenirs of the day when braking steps were the closest we could get to the braking curve; when the inability to determine the train’s location made enforcement reactive rather than predictive.

This represents the failure of FRA and the railroads to embrace, or at least grasp, the qualitatively distinct and superior capability of the wireless data platform supporting PTC; of the real advance in the technology of location, occupancy, and route that the wireless platform embodies. PTC does not only “overlay” the pre-existing train control system, it also overlays a data communication platform which platform works quite literally ahead of the curve.

Following the logic of the illogic, of the inability to embrace the capability of PTC as an application of the data communication platform, we turn to (e) (1)(i) and the substitution of restricted speed for safe separation of trains. Yes, we have faith in our machines, but it’s in restricted speed that we trust. In this case we trust in restricted speed in governing train movements where the switch is improperly lined for the train’s route.

First, the regulation accepts the enforcement of the numerical quantity assigned to restricted speed, when that numerical quantity is the “non-vital” feature of restricted speed. The critical feature is the ability to stop the train within half the range of vision. Three miles per hour can be a violation of restricted speed, depending on the physical characteristics encountered at the point of restriction. Last time I checked, PTC was not capable of enforcing the ability to stop within half the range of vision.

The regulation does not require positive stop except where the authorized speed is greater than twenty mph and block signals or cab signals are not used or such movement would create unacceptable risk.

Let’s look at this for a second. Suppose the maximum authorized speed of the line is 49 mph. Suppose the speed of the line segment where the switch is located is 20 mph (with 20 mph, coincidentally, being the numerical “upper limit” of restricted speed).

Now can a train operating at 20 mph be safely stopped when a switch is observed by the train crew to be improperly lined for further movement? Depends, doesn’t it? The ability to stop depends on sight distance, crew vigilance, train weight/length, grade, curvature, etc, all those elements, variables, that PTC is specifically designed to overcome.

Moreover, on this line, and this line segment, timetable permanent (“civil”) speed restrictions and temporary speed restrictions have to be enforced by PTC in order to fulfill the requirement to prevent overspeed derailments, so while the regulation appears to provide relief from detecting, recording, and transmitting the actual position of the individual switch, the regulation will still require PTC to enforce a 20 mph speed restriction in the approach to the switch.

While enforcing such a restriction may be cheaper than attaching a wayside-interface-unit to the switch points (as the speed restriction can be created and stored in the database of the track configuration that resides in the memory of the on-board computer, thus involving no additional hardware and no installation of hardware), unnecessary braking of every train will drive the overall operating cost higher.

The regulation also requires positive switch position detection under any circumstances where movement over the improperly lined switch presents unacceptable risk, with unacceptable risk defined in essence as the possibility of conflicting routes and potential collision.

I know of no hand-operated main line switches to or from sidings, to or from industrial spurs, where unauthorized movement does not present such risk. If such movement did not present such unacceptable risk, there would be no need for the operating rules that prescribe and proscribe the methods and actions for utilizing such switches.

So what do you have with the “restricted speed/switch regulation”? “You got nothing,” to quote an infamous deceased Chicago gangster. Actually we have an illogical application, a self-contradictory, self-negating mess.

FRA needs to answer these questions directly: 1) where automatic block signals are in use, and such signals display a “restricted speed” indication when a switch in the block in advance of the signal is “open” “reversed” or otherwise lined against movement on the main line, does FRA require the switch position to be communicated to the locomotive’s on-board PTC computer so the on-board computer can enforce a positive stop to the rear of that switch? 2) where block signals are not used and the authorized speed for the track segment is less than 20 mph, does FRA require that the switch position, whether open or closed, reverse or normal, be communicated in any manner with sufficient time and distance for the train to be brought to a safe stop if that position of the switch is not the proper position for the intended route of the train?

The caveat of “unacceptable risk” is just nonsense when it comes to main line hand-operated switches, as there is no acceptable risk in the use or operation of main line hand thrown switches. FRA itself, in its issuance of Emergency Order 24 explicitly recognizes the dangers that are present to low speed operations when main line switches are improperly lined, or improperly reported as properly lined.

In its background discussion to the issuance of the emergency order, FRA provided details of five collisions, all of which occurred at speeds less than 40 miles per hour, with three of those five occurring at or below the speed of 30 mph. The collisions produced significant destruction of equipment, severe injuries, and at least one fatality.

Three other accidents, not described in detail in the emergency order, but involving improper operation of, or reporting of, the position of hand-operated switches occurred over a 28-day period and resulted in one fatal employee injury, the evacuation of civilians and property damage in excess of two million dollars.

“Furthermore,” wrote FRA, “each of these accidents could have been worse, as each had the potential for additional deaths, injuries, property damage or environmental damage. Two of the accidents could have involved catastrophic releases of hazardous materials as these materials were present in at least one of the train consists that collided.”

“Each of the accidents,” continued FRA, “…either resulted in, or had the potential to result in serious injuries, fatalities and catastrophic releases of hazardous materials. As previously stated, the industry achieved only temporary respite from accidents of this type after the Safety Advisory’s publication, instead of the long term solutions FRA expected…Only with additional action can FRA secure compliance with these important railroad operating rules…As described above, FRA is currently seeking a permanent solution through rulemaking. This issuance of this EO is intended to accomplish what the Safety Advisory could not: Implement safety practices that will abate the emergency until FRA can complete rulemaking….”

That was in 2005.

And there’s more in EO 24 that throws light on how seriously FRA regarded the issue of hand thrown switches in non-signaled territory. The background material brought forward by FRA included the following:

“…the Nation has experienced more accidents resulting from improperly lined hand operated switches on main track in non-signaled territory than it experienced in any of the previous five years. To date in 2005, there were nine accidents resulting in 640 injuries and 10 fatalities. Given the cloud of chlorine that covered much of Graniteville, South Carolina, on January 6, 2005, as a result of one of these accidents, it is fortuitous that the death toll is not significantly higher: in addition, the same could be said for the Nickerson, Kansas and Shepherd, Texas accidents…as trains involved in those accidents were transporting tank cars containing hazardous materials. Any reasonable extrapolation of the current trends of wrecks, deaths, and injuries makes clear that more accidents of this type will result in injuries or deaths, or both, that a significant percentage of those wrecks will involve trains carrying hazardous materials, and that each of those wrecks will pose a significant risk that a large amount of hazardous material will be released. Considering the severity of accidents related to improperly lined hand-operated switches in non-signaled territory, the prevalence of hazardous materials on trains in non-signaled territory, and the recent and dramatic increase in the rate of occurrence of these accidents, decisive action is necessary now.

FRA concludes that non-compliance with certain operating rules and practices on the Nation’s railroads concerning the proper positioning of hand-operated main track switches in non-signaled territory lacking the safeguards of facing point protection is a combination of unsafe conditions and practices which causes an emergency situation involving an imminent and unacceptable hazard of death or personal injury. FRA further concludes that reliance solely on employee compliance with railroad operating rules related to the operation of hand-operated switches in non-signaled territory, without a Federal enforcement mechanism is inadequate to protect the public safety.” {Bold added}

Emergency Order 24 specified what railroads were obligated to do to comply with FRA’s mandate to eliminate such accidents. FRA’s emergency order 24 did not offer a de minimis exemption. The order did not offer relief where the track was exclusively class 1 or class 2. The order did not offer relief if the ruling grade was below 1 percent; if less than 15 million gross tons operated over the track annually; if temporal separation was utilized to segregate trains carrying hazardous materials from the general train population. The order did not make an exemption for “acceptable risk.”

But that was then. And this is now. Now there is no longer the sense of urgency as evinced in the tone, the language, and the very issuing of the emergency order. Now, when the Congress has provided FRA with the ability to permanently prevent such collisions, which at high or low speed, whether one or one hundred tank cars of hazardous material are involved, present a significant risk to the safety of the public, FRA argues for extending the deadline date for installation of PTC. FRA decrees exemptions from PTC in precisely those sections of railroads, those tracks that it targeted with its emergency order.

Has FRA in fact forgotten that the issue is not the operating rules of the railroad, or the maximum authorized speed allowed by the timetable special instructions or bulletin? The issue is human error. The issue is human failure to observe and execute those rules. The issue is that human beings violate authorized speeds. Human beings operate hand-thrown switches incorrectly. PTC is designed to prevent such error, not react to it by issuing an order for emergency reinstruction of all personnel.

Why are certain sections of the tracks covered by EO 24 now identified as exempt from PTC installation? For one reason only, which is that despite the legislation by Congress, despite the fact that the law mandates FRA to regulate the installation of PTC purely on the basis of the benefit to public safety, FRA is still concerned with a “business case” scenario. FRA is still confined, and confounded, by a “cost-benefit” analysis.

 

David Schanoes

 


 

03.10.13

ALL SCREWED UP, Part 1

Posted in Uncategorized at 08:34 by Administrator

–with love to Lina Wertmuller

As good a place as any…

…to start is with the law:

20157. Implementation of positive train control systems
(a) In General.—
      (1)…each Class 1 railroad carrier and each entity providing regularly scheduled intercity or commuter rail passenger transportation shall develop and submit…a plan for implementing a positive train control system by December 31, 2015, governing operations on—
           (A) its main line over which intercity rail passenger transportation or commuter rail passenger transportation or commuter rail transportation, as defined in section 24102 is regularly provided;
           (B) its main line over which poison- or toxic-by-inhalation hazardous materials…are transported; and
           (C) such other tracks as the Secretary may prescribe by regulation or order.

(g) Regulations.—The Secretary shall prescribe regulations or issue orders necessary to implement this section, including regulations specifying in appropriate technical detail the functionalities of positive train control systems…
(h)
      (i) Definitions. In this section:
           (1) Interoperability.—The term ‘interoperability’ means the ability to control locomotives of the host railroad and tenant railroad to communicate with and respond to the positive train control system, including uninterrupted movements over property boundaries.
           (2) Main Line.—The term ‘main line’ means a segment or route of railroad tracks over which 5,000,000 or more gross tons of railroad traffic is transported annually except that—
                 (A) the Secretary may, through regulations under subsection (g) designate additional tracks for this section; and
                 (B) for intercity rail passenger transportation or commuter rail passenger transportation routes or segments over which limited or no freight railroad operations occur, the Secretary shall define the term ‘main line’ by regulation.
           (3) Positive train control system.—The term ‘positive train control system’ means a system designed to prevent train-to-train collisions, over-speed derailments, incursions into established work zone limits, and the movement of a train through a switch left in the wrong position.

And there it is. Everything we need to know about PTC—where, when, what, even the why, which is provided in the title of the law itself—railroad safety improvement. The how? Come on now, we know Congress looks at the big picture. We know Congress has the vision. We know Congress pays others the not-so-big money to worry about the how, wrestle with the devils and their details.

Notice how the law defines PTC—by its functionality, not its technology. Notice that the law says nothing about restricted speed, stop signals, block signals, de minimis exceptions, business case justifications, etc. etc. etc. The law is mandating positive train control, and has defined the minimum functionalities, locations, and operational dates. The law defines the minimum acceptable circumstances. That’s what laws and regulations do—they establish minimums.

For years, FRA coaxed, urged, encouraged railroads to develop and install advanced train control systems. FRA did not mandate the installation of such systems because it felt it had to demonstrate a “business case”—a cost-benefit analysis where the dollar approximation of benefits balanced or almost balanced the dollar approximation of costs.

There’s nothing wrong with a regulatory agency undertaking a cost-benefit analysis before mandating installation of expensive safety systems across an entire transportation network. That’s just good management, provided…

Provided that when we’re comparing costs to benefits, we are actually comparing apples to apples, or even apples to oranges.

FRA estimates costs based on the estimated willingness to pay to avoid the harms: in other words, before an event occurs, how much would the average member of society be willing to pay to avoid the expected harm, which is the probability of that harm times the consequence of that harm.

For example (I think): How much would the average commuter utilizing rail transportation be willing to pay to achieve a 99.999 certainty that his/her train will not collide with another train at a combined speed of 90 miles per hour, as opposed to the amount he/she would pay to achieve a 98.999 certainty? An extra dollar per ride?

That’s an interesting exercise, but of course it breaks down when we come to that devil and the details. For example, put the question this way: how much would you pay to prevent the train you are on right now from colliding with another train at a speed that guarantees that you have a 50% chance of dying or sustaining serious injury? Bet you get a number different than one.

It breaks down because the process is attempting to take an “average individual” assessment of potential, hypothetical, personal risk as a basis for social action eliminating real, demonstrable risk.

Assuming the passengers on a commuter train are in their right minds, if you put the issue to them in terms not of possibility but of immediacy, not of risk but of necessity, then money, cost, is revealed to be an inadequate measure, mediation, offset to benefit. Every passenger in his or her right mind will say, “What kind of question is that? What kind of railroad is this? Stop this train immediately and let me off.” This will be followed up (probably) with “And stop that other train, too, and let those people off.”

Go to any train, passenger or freight; ask anybody, commuter or crew or shipper.

Cost? Money talks to be sure, but the vocabulary is limited.

As railroad professionals it is our responsibility to pose the issues in those most immediate terms; with the knowledge that we eliminate individual, specific potentials for failure in order to attack the necessity of failure. To me, that’s just part of the 5 (or 6) Ps: proper planning prevents ( ) poor performance.

Such are the limits of “business case” modeling, such are the limits of “market responses” that we subjugate the individual, particular assessment, which is nothing other than an individual’s ability to pay, to the “general good;” to the public interest.

I know “public interest” isn’t held in high esteem by certain elements of the business community, by theoreticians of the American Enterprise Institute, by Ayn Randists, or Rand Paulists and other members of Congress, but look for a second at the level of esteem the public has for the business community as a whole; Congress as an institution. Get the point? Payback is fair play? Maybe, but it gets us nowhere.

Events occur that demonstrate, in the most painful way possible, the limits to cost-benefit analysis; the fumbling of the invisible hand of the markets; the inability of the “business model” to account for anything other than itself. One such moment was the 2008 collision near Chatsworth, California between a Metrolink commuter train and a Union Pacific freight train.

Congress acted, superseding the cost-benefit analysis, the business model and the inertia of the Class 1 railroads, mandating the installation of PTC. Congress acted within the limits of its authority and within the historical tradition of regulating the railroads. Railroads are not just private enterprises. They are also public utilities. The public interest is the basis for the law.

The secret to safe train separation

What is PTC designed to prevent? We know the four core functions, but what at core, is PTC preventing? The answer is fairly simple: train accidents due to human error. Most such errors are a result of crew failure—that is failure of the train’s operating crew to comply with the limits, conditions, stipulations, restrictions, of its movement authority. PTC enforces those parameters.

There is a second source of possible human error in the generation and communication of improper movement authorities: authorities for movements that overlap each other and thus violate the core principle of safe train separation. PTC does not, by itself, prevent this type of human error. PTC is, in its design and function, train-centric, actually locomotive-centric; applying and enforcing movement restrictions on individual trains through wireless data communication with the controlling locomotives of those trains.

So “train-borne” human error is the target. Other technologies exist, and are in widespread use, to automatically prevent most instances where movement authorities are improperly generated or transmitted and are lapped.

The three keys to safe separation of trains are: location, location, and location. If trains can be located, then they can be separated. If trains can be separated, they can be moved safely. The wireless data and GPS platforms allow PTC to identify, independently of any crew or employee reporting, and with accuracy never before achieved, the location of each train under its “umbrella.”

Other train control systems in use in the US did not/do not have the ability to locate trains with the accuracy and continuity that can be achieved by making the train itself the beacon, the transmitter of its own location. Consequently, prior to the adaptation of the wireless/GPS platform, the safe separation of trains has depended upon “awarding” trains the exclusive “right” to a defined section of track, a block, for its movement. The “award,” the right(s) of the train(s) was (were) governed by precisely bestowing a block of time during which a train could occupy any number of imprecise locations in a section of track—the right did not authorize a train to occupy point A or point B, but rather the entire section from A to B.

The block is/was an indicator for occupancy, a proxy for location.

Following and opposing movements depended upon the status of the block, occupied or unoccupied, rather than the location of the primary train in the block. Braking distance could be calculated from any point to the fixed point at the entry to the block. Communicating the requirement to brake could only be accomplished through other fixed points on the railroad, signaled at the entry to the blocks prior to, or as we say on the railroad “to the rear of” the point where zero velocity must be achieved.

Dr. William Robinson developed the closed track circuit, connecting it to both audible and visible signals for indicating occupancy. His design, and intended functioning of the design, was of and as a safety apparatus, not for the purposes of expediting traffic or increasing railroad capacity.

The signal was driven by the condition of the block and could display either “clear” (not occupied) or “danger.” The danger signal was considered an absolute stop signal. The authority of a train ended at the danger signal regardless of the train’s timetable schedule, its class, or its rights. Only later did railroads decide to accept the inherent risk in allowing trains to overlap authorities, to occupy the same section of track at the same time, stipulating and signaling a restriction to the speed of a train following another in a block. This change was one made in the interests of increasing capacity.

Subsequent refinements and advances of block signaling systems, including automatic cab signal and automatic train control systems, have all been determined by the inability to specify location of a train in the block.

The wireless data/GPS platform, however, can specifically locate both the head and the rear ends of a train on any section of the railroad.

Locating the head end is “easy” since the locomotive carries communication modules. The rear end of a train can be specifically located also.

For PTC to generate and enforce a braking curve for a train, the length of the train must be incorporated into the calculus. Train brakes are pneumatic, air actuated and air-signaled. Changes in the air pressure in the common shared brake pipe provide the instructions to the brake valves in each individual car making up the train. The air has to travel the length of that brake pipe for all the brakes in the train to apply. Distance is time, and that time of brake set-up translates back into a distance the train consumes before effective braking is established.

If the train length must be calculated to establish effective braking, then the end of the train is a known. In addition, freight trains operating on main lines are equipped with end-of-train (EOT) telemetry devices that record the brake pressure and air flow at the rear end of the train. That data is transmitted by radio to the lead locomotive of the train. That EOT signal can be utilized by the GPS platform to determine the rear end of the train; to mark the rear end of the train as the absolute limit to movement by any following train; to identify the rear end of the train as the point of “danger” so imperfectly identified by Robinson’s closed track circuit signal.

So…if the actual points marking the limit to a train’s authority can be identified, whether that point be the rear end, or head end of another train; or a switch not properly lined; or the beginning of a work zone on a track, there is no need for PTC to communicate with intermediate block signals; no reason to communicate those signals to a locomotive; and no reason to enforce those signal indications as the PTC system supersedes all that by establishing the braking requirement to the point of zero velocity.
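The calculation described above, as an added Python example that is not from the original post and is not any railroad's or vendor's braking algorithm. It assumes one direction of travel with positions in metres, constant deceleration, and constructed values for brake-signal speed, deceleration and safety margin.

```python
from dataclasses import dataclass

# Constructed values for illustration only; not taken from the post or any railroad.
BRAKE_SIGNAL_MPS = 150.0   # assumed speed of the pressure change along the brake pipe
DECEL_MPS2 = 0.5           # assumed deceleration once every car's brakes are applied
MARGIN_M = 50.0            # assumed safety margin short of the limit


@dataclass(frozen=True)
class Train:
    name: str
    head_m: float            # location reported by the controlling locomotive
    length_m: float          # needed for braking; rear end confirmed by the EOT device
    speed_mps: float = 0.0

    @property
    def rear_m(self) -> float:
        return self.head_m - self.length_m


@dataclass(frozen=True)
class Limit:
    kind: str
    at_m: float


def movement_limits(trains_ahead, wrong_switches_m, work_zone_starts_m):
    """Collect every point where a following train must have reached zero velocity."""
    limits = [Limit(f"rear of train {t.name}", t.rear_m) for t in trains_ahead]
    limits += [Limit("switch in wrong position", m) for m in wrong_switches_m]
    limits += [Limit("work zone limit", m) for m in work_zone_starts_m]
    return limits


def nearest_limit(train, limits):
    """The first limit ahead of the locomotive governs; intermediate signals play no part."""
    ahead = [lim for lim in limits if lim.at_m > train.head_m]
    return min(ahead, key=lambda lim: lim.at_m) if ahead else None


def stopping_distance_m(train):
    # Brake set-up: the pressure change has to travel the length of the brake pipe.
    setup_s = train.length_m / BRAKE_SIGNAL_MPS
    setup_m = train.speed_mps * setup_s          # conservative: no retardation yet
    braking_m = train.speed_mps ** 2 / (2 * DECEL_MPS2)
    return setup_m + braking_m


def enforcement_point_m(train, limits):
    """Last location at which a brake application still stops the train short of the limit."""
    limit = nearest_limit(train, limits)
    if limit is None:
        return None
    return limit.at_m - MARGIN_M - stopping_distance_m(train)


def must_enforce(train, limits):
    point = enforcement_point_m(train, limits)
    return point is not None and train.head_m >= point


if __name__ == "__main__":
    ahead = Train("A", head_m=10000, length_m=1200)
    limits = movement_limits([ahead], wrong_switches_m=[12000], work_zone_starts_m=[9500])
    for follower in (Train("long", 5000, 1500, 20.0), Train("short", 5000, 300, 20.0)):
        print(follower.name, nearest_limit(follower, limits).kind,
              enforcement_point_m(follower, limits))
```

At the same speed the longer train has to be braked earlier, because its set-up distance grows with the length of the brake pipe.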

PTC will have to communicate with and enforce signals at interlockings and controlled points in that such locations display positive stop indications; because such locations are in fact points for the generation of movement authorities. Speed requirements for various routes through interlockings and controlled points will also be enforced. However, once the braking curve has been established to conform to the authority granted or nullified at the interlocking or controlled point, no enforcement of intermediate block signal aspects conveying reductions in authorized speed are necessary.

In addition, the substitution of restricted speed, which speed is the conscious overlap of movement authorities to expedite traffic, in place of positive separation of trains can be eliminated. There is no need for PTC to communicate and enforce a block signal even one indicating “restricted speed”—which it really cannot do anyway as the numerical value assigned to such speed is irrelevant—for a train approaching an improperly lined switch, a stop signal, or a work zone. The requirement for zero velocity supersedes the intermediate signal indications.

This is not an argument for “moving block” systems; for abolishing automatic block signal indications. Nor is it an argument for abolishing “restricted speed” requirements on main lines. There are many reasons for establishing a restricted speed. Positive separation of trains is not one of those reasons. The law does not require PTC to enforce intermediate block signal indications. The law does not require PTC to enforce restricted speed.

FRA will certainly argue the need for maintaining restricted speed as providing protection against broken rails in signaled territory, and that’s fine. The law, however, does not require PTC to enforce broken rail protection.

The weakness of most automatic train control systems in use on the general US railway network is that these systems, in fact, cannot and do not distinguish between a requirement for a positive stop, and a requirement for restricted speed, just as the closed track circuit makes no distinction regarding the point of occupancy anywhere in the block.

Consequently, the enforcement of intermediate block signals and restricted speed leaves railroads vulnerable to a “high speed-low speed” collision, where a train operating in accordance with signals authorizing its movement at maximum speed may be obstructed by a train operating at low speed, up to 20 mph in many cases, overrunning a signal requiring a positive stop, as well as a “low speed-low speed” collision where both trains are operating under restricted speed authorization.

PTC can positively eliminate the risks of both high speed-low speed collisions and low speed-low speed collisions. It should not be subordinated to signal systems that can positively do neither.

Next: All Screwed Up, Part 2— Meet the regulation

 

D M Schanoes

http://www.ten90solutions.com

 

03.03.13

With Faith In our Machines

Posted in Uncategorized at 17:43 by Administrator

I woke up at 4 AM on February 27, 2013, washed, brushed, ate, dressed, stepped into the wet, muffled darkness of the pre-dawn, hailed a cab, and headed to Pennsylvania Station.  There, with faith in our machines, I boarded Amtrak 111 for the 195 minute, 210 mile, journey to Washington, DC to attend the NTSB’s Forum: PTC:  Is It On Track?

Full disclosure, the last time I had to get up that early to be somewhere, my plane was landing in Paris.

Train 111 departs NYC at 0530 hours, and is scheduled to arrive in DC at 0845 hours, leaving me 15 minutes to get the metro, actually two metros, to L’Enfant Plaza. I figured, with faith in a multitude of machines, I’d make it within 5 minutes of the scheduled 0900 start time of the forum. Close enough to be considered on-time, close enough for government work.

I had confidence I would get there on-time. I had, and have, more than confidence, absolute certainty actually, that I would arrive in DC safely, with all limbs still connected to their original connections, all internal organs properly secured and nourished by the blood that I was certain would remain within my body.

My confidence about my on time arrival was based upon, derived from, depended on my certainty. That’s the way we conduct our lives, we calculate arriving on time based on the certainty of arriving period. Everybody does that. Shippers, passengers, crews…. otherwise, none of us would use the railroad, right? We are certain of our safety. What, really, does that certainty mean?

Putting denial aside for the moment, as in denying one’s own mortality (something I practice daily, like meditation), the certainty means that we expect that everybody will pay attention to the tasks, requirements, rules of providing a safe service; that risk has been minimized.  In short, our certainty, like our confidence, is a calculation.

My calculation for the performance of train 111 was a bit off, to say the least. The train arrived in DC 35 minutes late– 195 minute schedule, plus 35 minutes of delay. Lousy work, and unfortunately you get it all too often without trying. My certainty of my safety was not a bit off.

I fumed. Others were making calculations that negated mine. We were, for example, held outside Baltimore for the Acela to run around us… the very Acela that was supposed to arrive in DC five minutes after our scheduled arrival. Priorities, priorities, priorities….

Then again, we were held for ten minutes outside Washington Union Station—ten minutes in the AM peak period when our movement was with, not against, the peak direction. I’ve been in this business long enough to know what was happening and why. We had lost our slot. It had been given to the Acela, the bigger money train. So we had to wait for another Amtrak train to depart Union Station in order to clear a track for our arrival. That other train, of course, was scheduled to leave after our scheduled arrival. So we sat. All passenger trains are first class, but some first class trains are more first class than others.

Some things I know…

I’ve also been in this business long enough to know that this game is all about three things: supervision, supervision, and more supervision.

I know that technology is no substitute for supervision.

I know that whenever and wherever and whatever question you are asking about railroad performance, railroad safety, railroad efficiency, you are only asking the same question: “Who’s in charge?”

Some things I don’t

So I arrived late to the PTC forum. I missed the opening remarks by the NTSB chair. I missed Steve Ditmeyer’s presentation on the former BN’s former ARES experiment. I missed Grady Cothen’s presentation on the short, and unhappy, history of FRA’s conversion of legislation into regulation, but I was there for everything else.

I’ve taken the time to read the presentations I missed. You can read them too at:  http://www.ntsb.gov/news/events/2013/ptc/presentations.html. What I heard, and what I read does not exactly inspire confidence, much less approach certainty, that PTC “is on track,” that PTC would be installed on the designated lines by 2015…or 2018 or 2020, for that matter.

The chairperson of the NTSB, Deborah Hersman, summed up neatly, concisely, and accurately the problem with the opening presentations when she expressed her dismay (or what I interpret as her dismay) that what had originally been regarded, and legislated, as the “floor,” the minimum functionality for PTC was now regarded as basically unattainable and had been transformed into a “ceiling,” an ideal, a wish.

Now from my viewpoint, that of a professional in the industry who has been trained to be intolerant of delay, I thought that was 1) an astute assessment and 2) particularly galling for the NTSB which had had PTC on its “most wished for” list for almost 20 years.

I also thought that insight should have been the focus, the investigative focus, for the rest of the forum. Why has the floor become the ceiling? Why indeed has FRA advised Congress that the 2015 date is unobtainable, even after FRA has relaxed the requirements of the functionality and deployment, of PTC? Prevent train-to-train collisions? Positively? Nope. Most of the time? Hopefully.

Deployed on “other lines,” lines not carrying passenger trains or poisonous/toxic by inhalation hazardous materials, but requiring, due to density of traffic, or elevated risk factors (as determined by the Secretary of Transportation, in actuality the regulatory agency)? Polite answer? Doesn’t look that way. Painfully accurate answer? Not before major incident(s) that produce(s) death(s) and injury(ies). So much for positive(s) prevention(s).

I thought that, even if none of the NTSB technical staff asked the hard questions of the right people– “Mr. Wilson, you represent Wabtec. Representatives of railroads belonging to the AAR have stated that, to date, your company which has been contracted to provide the platform capable of executing the core functions of PTC across the various railroads, has not been able to provide the back office system to do exactly that. Could you explain to the Board exactly what problems you have encountered, where you are in resolving those problems, and a date by which you think you will have a workable system? Take as much time as you need.”

Or, “Mr. Thelen, Mr. Lonegro, Mr. Young, you represent, respectively, the Norfolk and Southern, CSX, and the Union Pacific railroads, 3 of the big 4 railroads in the US. You all seem to be in agreement that the 2015 date for PTC installation and interoperability is unrealizable. The Board is interested in the opinion of the fourth member of the big four, the BNSF. What’s that railroad’s view? As a matter of fact, why isn’t a representative of the BNSF here today as a representative of the AAR?”

…the senior board members themselves, from the chairperson on down would ask those questions.

I don’t know, but I think those are interesting and important questions.

Are those hard questions? Confrontational? Blunt? Even, heaven forbid, rude? Come on, we’re talking railroads here, where use of harsh language is a rite of passage; where status is measured and rewarded by how many times you tell how many people “cut the bulls**t and tell me how you’re going to prevent this in the future.”

Oh, the railroads have a big job, or big jobs to do, no doubt about it. Oh we can reel off strings of numbers—18,000 locomotives that have to be equipped with data radios, on-board computers, GPS transponders; 38,000 wayside interface units that have to be able to transmit signal indications, switch positions, derail positions, to said locomotives; maybe 17,000 signal locations that have to be modified, upgraded, or even installed; 30 server configurations for transportation control centers to process information, register authorities, issue alerts, restrictions, etc. etc; 60,000 miles of railroad to be fitted out with PTC; rule books to be changed; 100,000 employees to be trained; not last and not least, billions of dollars to be spent. Versions upon versions of software have to be written, validated, managed; the megahertz of radio spectrum to be obtained and parceled out for use. And the biggest number of them all—which is the smallest, the number of rail carriers that have to make their proposed PTC enforcement systems interoperable. Big numbers.

Except…

Railroads are used to big numbers. Railroads are big number operations. Billions of ton-miles, hundreds of thousands of employee hours, thousands of cars dispatched daily. Millions of dollars. Big operations. Dense operations. Big money operations. BNSF’s proposed capital budget for 2013, for example, is $4.1 billion. CSX’s is more than $2 billion.

Representatives from the AAR (theoretically representing the seven Class 1 freight railroads operating in the United States; practically representing three of the US big four) were united in arguing that the original December 31, 2015 deadline could not be met. In this view they were supported by FRA, which is no surprise, since FRA went on record August 2012 recommending a revision of said date to 2018.

I don’t know what the holdup is, but then, in my opinion neither do they. If they do know, then they sure aren’t making it clear to me, or again in my opinion, to anyone else.

There’s not enough bandwidth? There is enough bandwidth according to Tom Schnautz, president of PTC220, the “holding company” of the 220 megahertz band the railroads intend to utilize for data radio communications.

There is enough bandwidth according to the FCC.

Too many locomotives, switches, signals, track to be fitted out? Please, those are logistical burdens, certainly not challenges to the very feasibility of PTC. I don’t know, but again in my opinion, I think what the AAR representatives and even the FRA are trying to say without saying is that they don’t think PTC is feasible. Period. They can’t say that of course, regardless of what I think and do or don’t know, but they can argue for delay, suspension, reduction in requirements.

Some first principles…

The vital process, the organizing principle, of main line railroad operations is the authorization of train movement such that no two or more authorities overlap, authorizing two or more trains to occupy the same space at the same time. The principles by which movement authorities are generated form the vital process of the railroad. We call this safe separation of trains.

What information is essential to the generation of movement authorities, to the safe separation of trains? In a word, occupancy. Is the section of track clear or occupied? Is there a condition or an authority already in existence that will conflict with the issuance of an authority to occupy that space of track at that specified time? Everything railroads do in generating a movement authority depends on the determination of occupancy. Timetable, Train Order, Track Warrant? Occupancy. CTC? Occupancy.

Back in the day, the timetable, train order, telegrapher day, the agent issuing the authority and the arbiter of occupancy were one and the same—embodied in the telegrapher/operator or the train dispatcher or both. While occupancy existed in the field, it was registered and communicated by the office. The vital equipment was on the train dispatcher’s desk and it was called the record of train movements.

Unfortunately then, office failures could compromise the vital principle of safe separation of trains and result in the issuance of overlapping authorities in the field. “Lap authorities” were a rare event, to be sure, but one is too many. More frequent than the issuing of lap authorities, however, back in the day, were failures of compliance by the train crews responsible for executing and adhering to those authorities.

As a consequence, three separate, but inter-connected, issues arose: 1) how to separate the field determination of occupancy from the office generation of authorities such that the field determination would always supersede the office’s communication of authorities 2) how to communicate that field determination to trains following or opposing the “train of occupation” 3) how to assign and enforce restrictions on the movements of those following and opposing trains so as to preserve the safe separation of trains. Item (1), of course, contains the advancement of the railroad’s core operating principle, of the generation of movement authorities that do not overlap.

Enter William N. Robinson and the track circuit. Electricity was applied to sections of the rail or rails. These sections were identified as blocks. When the block was not occupied, the electricity was able to traverse the full length of the track section. When the block was occupied, the path was short-circuited.

The “normal” condition of the track was unoccupied. “Unoccupied” or “clear” was the condition where the electricity made its complete circuit. Any deviation from the normal condition, any break in the electrical circuit, even a break in the physical continuity of the rail itself, or failure of the electrical power source, would register as a loss of electricity, as “occupied.”

The track circuit then was the vital process of the railroad, determining occupancy. This vital process was in turn protected by a fail-safe logic in its functioning. Loss of power registered as occupancy. The fail-safe functioning however is not the vital process—it is the ensuring, the protection, of the vital process.

As things often happen over the course of time, the distinction between the process and the protection for the integrity of the process has been obscured, even lost, so that today “vitality” is thought to mean fail-safe functionality.

Anyway, with the application of track circuits the determination of occupancy and the agency for issuing movement authorities were separated, and happily so, to the benefit of all parties. Field and office separation were, and remain, the basis for safe train operations. While the train dispatcher or operator requests the authority for movement, it is the field apparatus that registers occupancy, and that field apparatus is the arbiter as to whether or not the request is in conflict with already existing authorities.

The second task, communicating that pre-existing authority/occupancy to following and opposing trains was logically easy, and logistically complicated, or at least expensive. Fixed signals displaying different colors or positions, or both, of lights, depending on the changes in electricity were installed, linked, sequenced, and the automatic block signal system was born.

What did these block signals really tell the following or opposing train? The signals were communicating, in essence, the limits to the following or opposing (let’s call them ‘secondary’) trains’ authorities for movement. At a certain point, these secondary trains must stop, must achieve zero velocity. The signals then were telling the trains nothing other than what speed was allowed at a particular point. All signals, in essence, are, and are nothing other, than speed indications.

Now this gets us to an interesting point, a point of a great deal of contention. In an automatic block signal system are the signals themselves “vital”?

The signals are the means for communicating the conditions, the limits to authority, based on the determination of occupancy. Like any means of communication, they are not in themselves “vital.” If the signals fail when other means of communication fail, i.e. the radio and/or block line and/or telegraph and/or telephone for issuing a movement authority, the failure means that no authority for movement has been transmitted, even if the failure occurred after the language of the authority was transmitted and repeated but not made “complete” by the issuance of a time complete. With signals we get, “When a signal is missing from its authorized location, or when the signal displays an improper aspect, the train will be operated in accordance with the most restrictive indication the signal can display at that location.” In other words, get ready to stop.

So the answer is “no, signals themselves are not vital.” There are special cases, of course, where the conditions for generating the authority and the transmission, communication of that authority, are so intertwined that they appear to be practically inseparable. Interlockings are such cases because 1) the authority for a train’s movement from A to B does not include the authority to enter or occupy the interlockings between A and B and 2) presence of a route established in an interlocking, and the absence of conflicting occupancy cannot be regarded as authority for any train to occupy the interlocking.

Special cases are special cases, and are handled as such. However, the vital principle of safe separation of trains can be achieved without utilizing signal indications. Information regarding occupancy can still be captured, registered, and communicated without the use of signals. This can be done while still maintaining the superiority of the field determination of authority from the office request for authority. In fact, this is exactly what GPS identification can and does do. The train identifies itself in the field. The information is registered outside the office and transmitted to the office. The office can then be prevented from issuing conflicting authorities.

Secondary applications and considerations…

And now we come to (3)… enforcement, and to PTC. Remember that, PTC? How do we enforce the limitations to authority conveyed by the signal indications? How do we enforce compliance automatically to protect the vital process?

PTC is just that, an enforcement system. As such, it is not vital. It need not be vital. It does not generate authorities to operate a train from A to B at track speed. It does enforce the limit of a train’s authority between A and B, not to exceed track speed. Big difference. PTC overlays the generation of, and limit to, movement authorities. To the degree that signals communicate such generation and restrictions, PTC enforces that.

Remember all those block signals are conveying is a speed indication, a speed to a target velocity, sometimes zero velocity. The signal indications are steps, steps up or steps down to a target speed, which is either maximum authorized speed, less than maximum authorized speed or zero speed. However, PTC does not have to repeat those steps. PTC has to enforce train braking to the point of maximum restriction of movement authority, to the target.

So can it do that? Yes. Certain sub-divisions of BNSF are already PTC territory. The BNSF utilizes Wabtec’s ETMS platform for its PTC application. Train 123 approaches a stop signal at location X. The stop signal indication is transmitted to the approaching locomotive’s on board computer at a distance sufficiently in advance of the required stop to allow safe braking of the train.

Now it’s important to distinguish between the platform, and its application. The platform is a wireless data system through and in which the train identifies itself. That transmission of the identification is utilized by GPS systems (supplemented by other systems) to accurately determine the train’s location, which is to determine the train’s extent of occupancy. PTC is the application of that information to enforce restrictions on the train’s further movement.

Is GPS vital? If there are no other means of determining train location, then indeed, GPS is vital and its failure would require all train movement to stop until such time as an alternative means for determining safe separation of trains could be instituted. However, there are alternate means. More than half the track in the US, moving 80 percent of the freight traffic, is equipped with block signals. The other half is governed by an iteration of the old timetable-train order-telegrapher rules called “track warrant control territory,” where written and verbal communications, “warrants” to occupy track, are issued by train dispatchers and executed by the crews, who report back to the train dispatcher on their fulfillment of, and compliance with the restrictions of, the issued warrants.

Can ETMS enforce safe separation of trains in such TWC territory, familiarly known as “dark” territory? Yes. Same principles apply, except the PTC system can’t use signals as targets for enforcement as there are no signals. And this lack, as we shall see, has some benefits. PTC can however utilize specific locations, points, for enforcement once a database of the track geometry is provided to be compared to the GPS locations of any train(s) operating on that territory. Train 123 is authorized to operate between A and B. As the train approaches B, its location is communicated and determined by both the on-board computer and the GPS system. The movement authority of the train, limiting its movement to point B was transmitted to the on-board computer prior to the train’s departure from A. As the train approaches B, a warning regarding the end of movement authority is displayed, and a braking curve is calculated sufficiently ahead of the limitation to allow for safe braking.

There is nothing in either dark or signaled territory that requires the PTC application to become the means for generating the authorities for movement. If, in dark territory, train 123 has authority to operate from A to B and the locomotive’s on-board computer enforcing the limit to that authority fails, train operations continue as they did before PTC was installed. The train crew has the responsibility for complying with the limits of the authority whether or not PTC is operating.

The representatives of the AAR aren’t satisfied with ETMS. They have opted instead for Wabtec’s I-ETMS, Interoperable Electronic Train Management System, which these railroads claim will be deployed as a vital system. I don’t know the functional differences between ETMS and I-ETMS that account for the “vitality” of I-ETMS vs. the “non-vitality” of ETMS. And indeed, no practical or functional differences between ETMS and I-ETMS were discussed at the forum.

If I-ETMS is being designed to function in accordance with “fail-safe” principles—that defects in any of the critical “nodes” – locomotive on-board computer, data radio devices and systems, GPS network, back office servers—will enforce a brake application bringing a train, or all trains to a stop, that does not make the system more “vital” than ETMS.

It might mean, however, that the railroads want these critical nodes to be more reliable than they are at present to avoid such failures. There are ways to improve reliability, and protect against “false enforcements”—stopping trains due to either component failure or errors in calculation. Redundancy is one method.

No presenter explained the issues to the Board, and no member of the Board, or its technical staff requested an explanation from those making presentations. I think that’s a damn shame.

The AAR in its presentations at the forum stated that there were, as yet, no back office server systems satisfying the requirements for PTC functionality and interoperability. It was not clear whether this referred to the hardware system for the BOS, or the software that would provide the functionality. Actually, a lot of things weren’t clear in the AAR presentations.

And I don’t think I’m alone in that estimation.

Now PTC is supposed to calculate a braking curve accounting for train length, train weight, braking characteristics of the cars and locomotives making up the train, the track geometry (curve or tangent, ascending or descending), current speed of the train, and the distance to the target speed. The locomotive engineer must control the train speed to conform to the curve in order to prevent an automatic application of the train brakes.

The question that arises is: “Is that curve calculated to the point of the greatest restriction, the limit to authority, or is it being calculated signal-to-signal?” If, theoretically, train 123 operating at 70 mph is approaching a signal requiring a reduction to 45 mph because the next signal requires 30 mph because the signal after that requires zero velocity, is the system producing and requiring compliance with a braking curve reducing the speed of the train from its current 70 to the target of 45 mph at that signal location? Or is the PTC system calculating the braking curve on the total distance available to the point of the zero velocity required by that third signal, since the third signal is, when displaying stop, the limit to the train’s movement authority? At least the question arose to me. No presenter addressed that issue. No Board member or member of the technical staff raised that question. I don’t know, but I think that too is a damn shame.

“What’s the difference?” It’s big, really big. Different railroads have different signal design distances based on different braking tables dependent upon different presumed rates of deceleration. If I-ETMS is required to calculate braking curves signal-to-signal, across numerous railroads, well that makes interoperability somewhat problematic and very, very expensive.

Have the Class 1s put themselves in a bind by agreeing to enforce the indications of intermediate block signals, as part of the deal to accept signal indications as proper protection for 1) switch position protection and 2) end of train? To put it another way, has the substitution of signals indicating restricted speed as an adequate proxy for positive stop, for positive train separation, created additional complexity rather than simplicity in the design and functioning of an interoperable system?

The regulation states that PTC will enforce the indications of existing block signal systems, but what matters is the distance, and the braking to the limits of authority. The intermediate speeds are approximations established because of a lack of precision in measuring train speed, train braking, train performance, and train location in earlier technologies that were used to ensure safe separation of trains.
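To put numbers on the question, here is an added illustration (not material from the forum, Wabtec, or any railroad) that computes where enforced braking must begin for train 123 at 70 mph under each interpretation. The signal locations, the constant 1.0 ft/s² deceleration, and all function names are assumptions constructed for this example; a real braking curve also accounts for train length, weight, and grade as described above.

```python
import math

MPH_TO_FPS = 5280 / 3600  # feet per second in one mile per hour

# Constructed layouts: (location in feet ahead of train 123, speed required there).
# Same stop point, different signal spacing, as on two different railroads.
RAILROAD_A = [(5000, 45), (10000, 30), (15000, 0)]
RAILROAD_B = [(8000, 45), (11500, 30), (15000, 0)]

def ceiling_mph(dist_ft, target_mph, decel_fps2):
    """Highest speed from which target_mph is reachable in dist_ft (v^2 = vt^2 + 2ad)."""
    vt = target_mph * MPH_TO_FPS
    return math.sqrt(vt * vt + 2 * decel_fps2 * dist_ft) / MPH_TO_FPS

def permitted_speed(pos_ft, targets, track_mph, decel_fps2):
    """Enforced speed ceiling at pos_ft; targets are sorted by location."""
    cap = track_mph
    for loc, mph in targets:
        if loc <= pos_ft:
            cap = min(track_mph, mph)  # indication of the last signal passed
        else:
            cap = min(cap, ceiling_mph(loc - pos_ft, mph, decel_fps2))
    return cap

def brake_onset_ft(targets, track_mph, decel_fps2, step_ft=10):
    """First position (10 ft resolution) where the ceiling drops below track speed."""
    for pos in range(0, targets[-1][0] + 1, step_ft):
        if permitted_speed(pos, targets, track_mph, decel_fps2) < track_mph:
            return pos
    return None

def compare(layout, track_mph=70, decel_fps2=1.0):
    """Return (signal-to-signal onset, limit-of-authority onset) in feet.
    decel_fps2 is an assumed constant rate, not a figure from any braking table."""
    limit_only = [layout[-1]]  # enforce only the stop at the limit of authority
    return (brake_onset_ft(layout, track_mph, decel_fps2),
            brake_onset_ft(limit_only, track_mph, decel_fps2))

if __name__ == "__main__":
    for name, layout in (("A", RAILROAD_A), ("B", RAILROAD_B)):
        s2s, loa = compare(layout)
        print(f"Railroad {name}: signal-to-signal braking from {s2s} ft, "
              f"limit-of-authority braking from {loa} ft")
```

Under these assumptions the signal-to-signal onset moves with each railroad's signal spacing, while the limit-of-authority onset depends only on the stop point and the train's own braking.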

With advanced train control systems, of which PTC is one, in operation it is possible, and perfectly safe, to cover, literally “bag” all such block signals—the locomotive engineer need never see an intermediate signal. With PTC in operation, the signal need only transmit one of two indications to the locomotive, “go” or “no go”, with “go” meaning continue to the point of the governing restriction according to the braking curve established by the on-board computer, and “no go” meaning this is the point of determining restriction.

Finally…or not

When the forum concluded, after a mere seven plus hours, after all were thanked, after the various speeches and the urgings to be fruitful, go forward and multiply solutions to the difficulties not clearly articulated, I walked out of L’Enfant Plaza, accompanied by friends and colleagues, thinking “Maybe there’s something wrong with me.”

I’m sure my friends, colleagues, and particularly those who had to work for me over the years are glad to hear of my insight, knowing all along and for many years that there ain’t no maybe about it. But that’s a different story. What I mean is that after seven hours I had no greater clarity regarding the obstacles to PTC operation than I had prior to getting on train 111 at Pennsylvania Station. Either the technology, the logic, the mechanisms can work, or they can’t. Seems to me, they can. Either interoperability can be achieved or it cannot. It seems to me that if interoperability is a big obstacle, the AAR has the obligation to identify, to the public since PTC is required by public law, the specific details of the obstacles to interoperability.

But what I do know is that whenever you’re asking a question about a problem on a railroad, or railroads, what you’re really asking is “who’s in charge?” So I conclude that a real failure exists with FRA’s accommodation to the railroads’ requests for reducing the requirement and extending the time line. FRA should never have urged Congress to reconsider the implementation date.

And I also know, despite what may or may not be wrong with me, I’m no fool. So leaving DC and returning to New York, I put up the extra money and took the Acela home. If time is important enough to you, you find a way; you spend the money, don’t you?

David Schanoes

dmschanoes@ten90solutions.com

http://www.ten90solutions.com/