03.03.13

With Faith In our Machines

Posted in Uncategorized at 17:43 by Administrator

I woke up at 4 AM on February 27, 2013, washed, brushed, ate, dressed, stepped into the wet, muffled darkness of the pre-dawn, hailed a cab, and headed to Pennsylvania Station.  There, with faith in our machines, I boarded Amtrak 111 for the 195 minute, 210 mile, journey to Washington, DC to attend the NTSB’s Forum: PTC:  Is It On Track?

Full disclosure, the last time I had to get up that early to be somewhere, my plane was landing in Paris.

Train 111 departs NYC at 0530 hours, and is scheduled to arrive in DC at 0845 hours, leaving me 15 minutes to get the metro, actually two metros, to L’Enfant Plaza. I figured, with faith in a multitude of machines, I’d make it within 5 minutes of the scheduled 0900 start time of the forum. Close enough to be considered on-time, close enough for government work.

I had confidence I would get there on-time. I had, and have, more than confidence, absolute certainty actually, that I would arrive in DC safely, with all limbs still connected to their original connections, all internal organs properly secured and nourished by the blood that I was certain would remain within my body.

My confidence about my on time arrival was based upon, derived from, depended on my certainty. That’s the way conduct our lives, we calculate arriving on time based on the certainty of arriving period.  Everybody does that. Shippers, passengers, crews…. otherwise, none of us would use the railroad, right? We are certain of our safety. What, really, does that, certainty, mean?

Putting denial aside for the moment, as in denying one’s own mortality (something I practice daily, like meditation), the certainty means that we expect that everybody will pay attention to the tasks, requirements, rules of providing a safe service; that risk has been minimized.  In short, our certainty, like our confidence, is a calculation.

My calculation for the performance of train 111 was a bit off, to say the least. The train arrived in DC 35 minutes late– 195 minute schedule, plus 35 minutes of delay. Lousy work, and unfortunately you get it all too often without trying. My certainty of my safety was not a bit off.
I fumed. Others were making calculations that negated mine. We were, for example, held outside Baltimore for the Acela to run around us… the very Acela that was supposed to arrive in DC five minutes after our scheduled arrival. Priorities, priorities, priorities….

Then again, we were held for ten minutes outside Washington Union Station—ten minutes in the AM peak period when our movement was with, not against, the peak direction. I’ve been in this business long enough to know what was happening and why. We had lost our slot. It had been given to the Acela, the bigger money train. So we had to wait for another Amtrak train to depart Union Station in order to clear a track for our arrival. That other train, of course, was scheduled to leave after our scheduled arrival. So we sat. All passenger trains are first class, but some first class trains are more first class than others.

Some things I know…

I’ve also been in this business long enough to know that this game is all about three things: supervision, supervision, and more supervision.

I know that technology is no substitute for supervision.

I know that whenever and wherever and whatever question you are asking about railroad performance, railroad safety, railroad efficiency, you are only asking the same question: “Who’s in charge?”

Some things I don’t

So I arrived late to the PTC forum. I missed the opening remarks by the NTSB chair. I missed Steve Ditmeyer’s presentation on the former BN’s former ARES experiment. I missed Grady Cothen’s presentation on the short, and unhappy, history of FRA’s conversion of legislation into regulation, but I was there for everything else.

I’ve taken the time to read the presentations I missed. You can read them too at:  http://www.ntsb.gov/news/events/2013/ptc/presentations.html. What I heard, and what I read does not exactly inspire confidence, much less approach certainty, that PTC “is on track,” that PTC would be installed on the designated lines by 2015…or 2018 or 2020, for that matter.

The chairperson of the NTSB, Deborah Hersman, summed up neatly, concisely, and accurately the problem with the opening presentations when she expressed her dismay (or what I interpret as her dismay) that what had originally been regarded, and legislated, as the “floor,” the minimum functionality for PTC was now regarded as basically unattainable and had been transformed into a “ceiling,” an ideal, a wish.

Now from my viewpoint, that of a professional in the industry who has been trained to be intolerant of delay, I thought that was 1) an astute assessment and 2) particularly galling for the NTSB which had had PTC on its “most wished for” list for almost 20 years.

I also thought that insight should have been the focus, the investigative focus, for the rest of the forum. Why has the floor become the ceiling? Why indeed has FRA advised Congress that the 2015 date is unobtainable, even after FRA has relaxed the requirements of the functionality and deployment, of PTC? Prevent train-to-train collisions? Positively? Nope. Most of the time? Hopefully.

Deployed on “other lines,” lines not carrying passenger trains or poisonous/toxic by inhalation hazardous materials, but requiring, due to density of traffic, or elevated risk factors (as determined by the Secretary of Transportation, in actuality the regulatory agency)? Polite answer? Doesn’t look that way. Painfully accurate answer? Not before major incident(s) that produce(s) death(s) and injury(ies). So much for positive(s) prevention(s).

I thought that, even if none of the NTSB technical staff asked the hard questions of the right people– “Mr. Wilson, you represent Wabtec. Representatives of railroads belonging to the AAR have stated that, to date, your company which has been contracted to provide the platform capable of executing the core functions of PTC across the various railroads, has not been able to provide the back office system to do exactly that. Could you explain to the Board exactly what problems you have encountered, where you are in resolving those problems, and a date by which you think you will have a workable system? Take as much time as you need.”

Or, “Mr. Thelen, Mr. Lonegro, Mr. Young, you represent, respectively, the Norfolk and Southern, CSX, and the Union Pacific railroads, 3 of the big 4 railroads in the US. You all seem to be in agreement that the 2015 date for PTC installation and interoperability is unrealizable. The Board is interested in the opinion in the fourth member of the big four, the BNSF. What’s that railroad’s view? As a matter of fact, why isn’t a representative of the BNSF here today as a representative of the AAR?”

…the senior board members themselves, from the chairperson on down would ask those questions.

I don’t know, but I think those are interesting and important questions.

Are those hard questions? Confrontational? Blunt? Even, heaven forbid, rude? Come on, we’re talking railroads here, where use of harsh language is a rite of passage; where status is measured and rewarded by how many times you tell how many people “cut the bulls**t and tell me how you’re going to prevent this in the future.”

Oh, the railroads have a big job, or big jobs to do, no doubt about it. Oh we can reel off strings of numbers—18,000 locomotives that have to be equipped with data radios, on-board computers, GPS transponders; 38,000 wayside interface units that have to be able to transmit signal indications, switch positions, derail positions, to said locomotives; maybe 17,000 signal locations that have to be modified, upgraded, or even installed; 30 server configurations for transportation control centers to process information, register authorities, issue alerts, restrictions, etc. etc; 60,000 miles of railroad to be fitted out with PTC; rule books to be changed; 100,000 employees to be trained; not last and not least, billions of dollars to be spent. Versions upon version of software has to be written, validated, managed; the megahertz of radio spectrum to be obtained and parceled out for use. And the biggest number of them all—which is the smallest, the number of rail carriers that have to make their proposed PTC enforcement systems interoperable. Big numbers

Except…

Railroads are used to big numbers. Railroads are big number operations. Billions of ton-miles, hundreds of thousands of employee hours, Thousands of cars dispatched daily. Millions of dollars. Big operations. Dense operations. Big money operations. BNSF’s proposed capital budget for 2013, for example, is $4.1 billion. CSX’s is more than $2 billion.

Representatives from the AAR (theoretically representing the seven Class 1 freight railroads operating in the United States; practically representing three of the US big four) were united in arguing that the original December 31, 2015 deadline could not be met. In this view they were supported by FRA, which is no surprise, since FRA went on record August 2012 recommending a revision of said date to 2018.

I don’t know what the holdup is, but then, in my opinion neither do they. If they do know, then they sure aren’t making it clear to me, or again in my opinion, to anyone else.

There’s not enough bandwidth? There is enough bandwidth according Tom Schnautz, president of PTC220 the “holding company” of the 220 megahertz band the railroads intend to utilize for data radio communications.

There is enough bandwidth according to the FCC.

Too many locomotives, switches, signals, track to be fitted out? Please, those are logistical burdens, certainly not challenges to the very feasibility of PTC. I don’t know, but again in my opinion, I think what the AAR representatives and even the FRA are trying to say without saying is that they don’t think PTC is feasible. Period. They can’t say that of course, regardless of what I think and do or don’t know, but they can argue for delay, suspension, reduction in requirements.

Some first principles…

The vital process, the organizing principle, of main line railroad operations is the authorization of train movement such that no two or more authorities overlap, authorizing two or more trains to occupy the same space at the same time. The principles by which movement authorities are generated form the vital process of the railroad. We call this safe separation of trains.

What information is essential to the generation of movement authorities, to the safe separation of trains? In a word, occupancy. Is the section of track clear or occupied? Is there a condition or an authority already in existence that will conflict with the issuance of an authority to occupy that space of track at that specified time? Everything railroads do in generating a movement authority depends on the determination of occupancy. Timetable, Train Order, Track Warrant? Occupancy. CTC? Occupancy.

Back in the day, the timetable, train order, telegrapher day, the agent issuing the authority and the arbiter of occupancy were one and the same—embodied in the telegrapher/operator or the train dispatcher or both. While occupancy existed in the field, it was registered and communicated by the office. The vital equipment was on the train dispatcher’s desk and it was called the record of train movements.

Unfortunately then, office failures could compromise the vital principle of safe separation of trains and result in the issuance of overlapping authorities in the field. “Lap authorities” were a rare event, to be sure, but one is too many. More frequent than the issuing of lap authorities, however, back in the day, were failures of compliance by the train crews responsible for executing and adhering to those authorities.

As a consequence, three separate, but inter-connected, issues arose: 1) how to separate the field determination of occupancy from the office generation of authorities such that the field determination would always supersede the office’s communication of authorities 2) how to communicate that field determination to trains following or opposing the “train of occupation” 3) how to assign and enforce restrictions on the movements of those following and opposing trains so as to preserve the safe separation of trains. Item (1), of course, contains the advancement of the railroad’s core operating principle, of the generation of movement authorities that do not overlap.

Enter the William N. Robinson and the track circuit. Electricity was applied to sections of the rail or rails. These sections were identified as blocks. . When the block was not occupied, the electricity was able to traverse the full length of the track section. When the block was occupied, the path was short-circuited.

The “normal” condition of the track was unoccupied. “Unoccupied” or “clear” was the condition where the electricity made its complete circuit. Any deviation from the normal condition, any break in the electrical circuit, even a break in the physical continuity of the rail itself, or failure of the electrical power source, would register as a loss of electricity, as “occupied.”

The track circuit then was the vital process of the railroad, determining occupancy. This vital process was in turn protected by a fail-safe logic in its functioning. Loss of power registered as occupancy. The fail-safe functioning however is not the vital process—it is the ensuring, the protection, of the vital process.

As things often happen over the course of time, the distinction between the process and the protection for the integrity of the process has been obscured, even lost, so that today “vitality” is thought to mean fail-safe functionality.

Anyway, with the application of track circuits the determination of occupancy and the agency for issuing movement authorities were separated, and happily so, to the benefit of all parties. Field and office separation were, and remain, the basis for safe train operations. While the train dispatcher or operator requests the authority for movement, it is the field apparatus that registers occupancy, and that field apparatus is the arbiter as to whether or not the request is in conflict with already existing authorities.

The second task, communicating that pre-existing authority/occupancy to following and opposing trains was logically easy, and logistically complicated, or at least expensive. Fixed signals displaying different colors or positions, or both, of lights, depending on the changes in electricity were installed, linked, sequenced, and the automatic block signal system was born.

What did these block signals really tell the following or opposing train? The signals were communicating, in essence, the limits to the following or opposing (let’s call them ‘secondary’) trains’ authorities for movement. At a certain point, these secondary trains must stop, must achieve zero velocity. The signals then were telling the trains nothing other than what speed was allowed at a particular point. All signals, in essence, are, and are nothing other, than speed indications.

Now this gets us to an interesting point, a point of a great deal of contention. In an automatic block signal system are the signals themselves “vital”?

The signals are the means for communicating the conditions, the limits to authority, based on the determination of occupancy. Like any means of communication, they are not in themselves “vital.” If the signals fail when other means of communication fail, i.e. the radio and/or block line/and or telegraph/and or telephone for issuing an authority movement, the failure means that no authority for movement has been transmitted even if the failure occurred after the language of the authority was transmitted and repeated but not made “complete” by the issuance of a time complete. With signals we get, “When a signal is missing from its authorized location, or when the signal displays an improper aspect, the train will be operated in accordance with the most restrictive indication the signal can display at that location.” In other words, get ready to stop.

So the answer is “no, signals themselves are not vital.” There are special cases, of course, where the conditions for generating the authority and the transmission, communication of that authority, are so intertwined that they appear to be practically inseparable. Interlockings are such cases because 1) the authority for a train’s movement from A to B does not include the authority to enter or occupy the interlockings between A and B and 2) presence of a route established in an interlocking, and the absence of conflicting occupancy cannot be regarded as authority for any train to occupy the interlocking.

Special cases are special cases, and are handled as such. However, the vital principle of safe separation of trains can be achieved without utilizing signal indications. Information regarding occupancy can still be captured, registered, and communicated without the use of signals. This can be done while still maintaining the superiority of the field determination of authority from the office request for authority. In fact, this is exactly what GPS identification can and does do. The train identifies itself in the field. The information is registered outside the office and transmitted to the office. The office can then be prevented from issuing conflicting authorities.

Secondary applications and considerations…

And now we come to (3)… enforcement, and to PTC. Remember that, PTC? How do we enforce the limitations to authority conveyed by the signal indications? How do we enforce compliance automatically to protect the vital process?

PTC is just that, an enforcement system. As such, it is not vital. It need not be vital. It does not generate authorities to operate a train from A to B at track speed. It does enforce the limit of a train’s authority between A and B, not to exceed track speed. Big difference. PTC overlays the generation of, and limit to, movement authorities. To the degree that signals communicate such generation and restrictions, PTC enforces that.
Remember all those block signals are conveying is a speed indication, a speed to a target velocity, sometimes zero velocity. The signal indications are steps, steps up or steps down to a target speed, which is either maximum authorized speed, less than maximum authorized speed or zero speed. However, PTC does not have to repeat those steps. PTC has to enforce train braking to the point of maximum restriction of movement authority, to the target.

So can it do that? Yes. Certain sub-divisions of BNSF are already PTC territory. The BNSF utilizes Wabtec’s ETMS platform for its PTC application. Train 123 approaches a stop signal at location X. The stop signal indication is transmitted to the approaching locomotive’s on board computer at a distance sufficiently in advance of the required stop to allow safe braking of the train.

Now it’s important to distinguish between the platform, and its application. The platform is a wireless data system through and in which the train identifies itself. That transmission of the identification is utilized by GPS systems (supplemented by other systems) to accurately determined the train’s location, which is to determine the train’s extent of occupancy. PTC is the application of that information to enforce restrictions on the train’s further movement.

Is GPS vital? If there are no other means of determining train location, then indeed, GPS is vital and its failure would require all train movement to stop until such time as an alternative means for determining safe separation of trains could be instituted. However, there are alternate means. More than half the track in the US, moving 80 percent of the freight traffic is equipped with block signals. The other half is governed by an iteration of the old timetable –train order-telegrapher rules called “track warrant control territory” where written and verbal communication, “warrants” to occupy track are issued by train dispatchers and executed by the crews who report back to the train dispatcher on their fulfillment of, and compliance with the restrictions of, the issued warrants.

Can ETMS enforce safe separation of trains in such TWC territory, familiarly known as “dark” territory? Yes. Same principles apply, except the PTC system can’t use signals as targets for enforcement as there are no signals. And this lack, as we shall see, has some benefits. PTC can however utilize specific locations, points, for enforcement once a database of the track geometry is provided to be compared to the GPS locations of any train(s) operating on that territory. Train 123 is authorized to operate between A and B. As the train approaches B, its location is communicated and determined by both the on-board computer and the GPS system. The movement authority of the train, limiting its movement to point B was transmitted to the on-board computer prior to the train’s departure from A. As the train approaches B, a warning regarding the end of movement authority is displayed, and a braking curve is calculated sufficiently ahead of the limitation to allow for safe braking.

There is nothing in either dark or signaled territory that requires the PTC application to become the means for generating the authorities for movement. If, in dark territory, train 123 has authority to operate from A to B and the locomotive’s on-board computer enforcing the limit to that authority fails, train operations continue as they did before PTC was installed. The train crew has the responsibility for complying with the limits of the authority whether or not PTC is operating.

The representatives of the AAR aren’t satisfied with ETMS. They have opted instead for Wabtec’s I-ETMS, Interoperable Electronic Train Management System, which these railroads claim will be deployed as a vital system. I don’t know the functional differences between ETMS and I-ETMS that account for the “vitality” of I-ETMS vs. the “non-vitality” of ETMS. And indeed, no practical or functional differences between ETMS and I-ETMS were discussed at the forum.

If I-ETMS is being designed to function in accordance with “fail-safe” principles—that defects in any of the critical “nodes” – locomotive on-board computer, data radio devices and systems, GPS network, back office servers—will enforce a brake application bringing a train, or all trains to a stop, that does not make the system more “vital” than ETMS.

It might mean, however, that the railroads want these critical nodes to be more reliable than they are at present to avoid such failures. There are ways to improve reliability, and protect against “false enforcements”—stopping trains due to either component failure or errors in calculation. Redundancy is one method.

No presenter explained the issues to the Board, and no member of the Board, or its technical staff requested an explanation from those making presentations. I think that’s a damn shame.

The AAR in its presentations at the forum stated that there was, as of yet, no back office server systems satisfying the requirements for PTC functionality and interoperability. It was not clear whether this referred to the hardware system for the BOS, or the software that would provide the functionality. Actually, a lot of things weren’t clear in the AAR presentations.

And I don’t think I’m alone in that estimation.

Now PTC is supposed to calculate a braking curve accounting for train length, train weight, braking characteristics of the cars and locomotives making up the train, the track geometry (curve or tangent, ascending or descending), current speed of the train, and the distance to the target speed. The locomotive engineer must control the train speed to conform to the curve in order to prevent an automatic application of the train brakes.

The question that arises is: “Is that curve calculated to the point of the greatest restriction, the limit to authority, or is it being calculated signal-to-signal?” If, theoretically train 123 operating at 70 mph is approaching a signal requiring a reduction to 45 mph because the next signal requires 30 mph because the signal after that requires zero velocity, is the system producing and requiring compliance with a braking curve reducing the speed of the train from its current 70 to the target of 45 mph at that signal location? Or, is the PTC system calculating the braking curve on the total distance available to the point of the zero velocity required by that third signal, since the third signal is, when displaying stop, the limit to the train’s movement authority? At least the question arose to me. No presenter addressed that issue. No Board member or member of the technical staff raised that question. I don’t know, but I think that too is a damn shame.

“What’s the difference?” It’s big, really big. Different railroads have different signal design distances based on different braking tables dependent upon different presumed rates of deceleration. If I-ETMS is required to calculate braking curves signal-to-signal, across numerous railroads, well that makes interoperability somewhat problematic and very, very expensive.

Have the Class 1s put themselves in a bind by agreeing to enforce the indications of intermediate block signals, as part of the deal to accept signal indications as proper protection for 1) switch position protection and 2) end of train? To put it another way, has the substitution of signals indicating restricted speed as an adequate proxy for positive stop, for positive train separation, created additional complexity rather than simplicity in the design and functioning of an interoperable system?

The regulation states that PTC will enforce the indications of existing block signal systems, but what matters is the distance, and the braking to the limits of authority. The intermediate speeds are approximations established because of a lack of precision in measuring train speed, train braking, train performance, and train location in earlier technologies that were used to ensure safe separation of trains.

With advanced train control systems, of which PTC is one, in operation it is possible, and perfectly safe, to cover, literally “bag” all such block signals—the locomotive engineer need never see an intermediate signal. With PTC in operation, the signal need only transmit one of two indications to the locomotive—“go” or “no go”- with “go” meaning continue to the point of the governing restriction according to the braking curve established by the on-board computer, and “no go” meaning this is the point of determining restriction.

Finally…or not

When the forum concluded, after a mere seven plus hours, after all were thanked, after the various speeches and the urgings to be fruitful, go forward and multiply solutions to the difficulties not clearly articulated, I walked out of L’Enfant Plaza, accompanied by friends and colleagues, thinking “Maybe there’s something wrong with me.”

I’m sure my friends, colleagues, and particularly those who had to work for me over the years are glad to hear of my insight, knowing all along and for many years that there ain’t no maybe about it. But that’s a different story. What I mean is that after seven hours I had no greater clarity regarding the obstacles to PTC operation than I had prior to getting on train 111 at Pennsylvania Station. Either the technology, the logic, the mechanisms can work, or they can’t. Seems to me, they can. Either interoperability can be achieved or it cannot. It seems to me that if interoperability is a big obstacle, the AAR has the obligation to identify, to the public since PTC is required by public law, the specific details of the obstacles to interoperability.

But what I do know is that whenever you’re asking a question about a problem on a railroad, or railroads, what you’re really asking is “who’s in charge?” So I conclude that a real failure exists with FRA’s accommodation to the railroads’ requests for reducing the requirement and extending the time line. FRA should never have urged Congress to reconsider the implementation date.

And I also know, despite what may or may not be wrong with me, I’m no fool. So leaving DC and returning to New York, I put up the extra money and took the Acela home. If time is important enough to you, you find a way; you spend the money, don’t you?

David Schanoes

dmschanoes@ten90solutions.com

http://www.ten90solutions.com/

 

 

 

5 Comments »

  1. Mark Campbell said,

    March 4, 2013 at 10:47

    Excellent job, Dave. Interesting and entertaining. It’s sending me back to my collected PTC documentation to refresh on some of the issues raised.

    Also glad to see you’re still washing and brushing even in semi-retirement.

  2. Administrator said,

    March 4, 2013 at 11:19

    Thank you. My wife is also gratified that I’m still washing and brushing

  3. E Perez said,

    March 6, 2013 at 10:14

    Here we have a perfect example of genius reaction and a perfect approach as to how business should be handle . Well excecuted .

    Congratulation Mr. Schanoes

  4. Administrator said,

    March 6, 2013 at 10:16

    You keep talking like that, Emiliano, and people will think you work for me. But thank you.

  5. Administrator said,

    March 6, 2013 at 10:20

    Speaking of which, in thinking about this, I need to make a correction. If anybody wants to know what I consider to be a “vital overlay”– then, in my opinion, in dark territory, GPS is exactly that vital overlay in that it embodies the FIELD DETERMINATION of occupancy. GPS overlays the existing mode of operation and does not change that operation, but it provides the vital component to safe separation of trains and “blocking,” you should pardon the expression, the possible overlap of authorities.

Leave a Comment

You must be logged in to post a comment.