Part 2: 'Reliance' and 'distraction' effects in PTC automation
White Paper, 11/28/99
(Part 2, continued from January 2000 Newsletter)
3.4.1. Benefits of maintaining operating skills.
In maintaining their judgment and skills through on-the-job experience, the LE and C team (coordinating with the train dispatcher) protect a number of personnel from danger: themselves, any other personnel on their train, personnel on other trains, other railroad employees along the track, persons on passenger trains, and the public along the right-of-way. In their vigilance, this coordinated team also protects material property from damage: their engine and cars; any lading of these cars; other engines and cars; railroad structures such as track, wayside signaling, buildings, bridges, and tunnels; and nonrailroad property along the right-of-way. Besides material property are railroad assets of incorporeal (nonmaterial) property. The courts have ruled that even incorporeal things such as a company's good name and reputation for conducting business constitute property. The assets safeguarded by the LE, C, and train dispatcher thus include a railroad's business reputation as a carrier, unhindered flow of traffic, cost-effective turnaround time on equipment, and freedom from penalties in contractual performance. On the few occasions when the experience-based judgment and skills of the LE, C, and train dispatchers were not maintained, the result has made the headlines. Failing to maintain experience-based judgment and skills for operating crews engenders unacceptable safety risks to all of the just-enumerated kinds of persons and property.
Most railroad operating rules are written for an at-the-moment-of-event assessing of the appropriateness and range of interrelations of their applications. Such assessment must be constantly altered as the operating conditions change during a single run. Different assessments must be made as operating conditions vary across several trips. Several of the many interrelated rules must be, first, selected to form what could be called a rule set, then, mentally sequenced, and, finally, applied to an operating situation.
Every train-train collision and cut of rolling equipment moving out of control results from a hazardous combination of a number of operating events. Sometimes preventing the occurrence of just one of these events makes the combination of the others non-hazardous. Maintaining the experience-based skills and judgments in applications of the rules by the C and LE is one way to remove such a crucial event from a chain of accident events.
3.4.2. The nature of the skills to be maintained and the railroad environment.
First of all, "you've got to know the territory," through hands-on experience. For safe, efficient operations, a LE, among other things, must learn and continually re-experience the train handling constraints of every upgrade, downgrade, curve, turnout, crossover, auxiliary track such as a passing siding, fixed signal location, crossing at grade, and engineering and operating speed restriction. Even knowing the territory, the LE can have little advance information on a particular train's handling characteristics. These comprise a large number of dynamic, variously simultaneous and sequential events to be monitored continuously by the LE for constantly changing inputs.
Above all, the LE is the operator of a long (often a mile or more), heavy (usually many thousands of tons), fragile (it is easy to carelessly "break a train in two" or more parts, or to derail a train), mobile (at speeds from 5 to 100+ mph and having great braking distances, proportionate to speed and weight), highly dynamic (averaging a foot of drawbar slack for each entrained car and with individual car air brakes of varying power) electromechanical system, that is, a North American freight train.
Control responses of a freight train are delayed and must be given advance time. Often a rear car on a mile-long train will not begin a brake release until 1/2 minute after the brake pipe signal is initiated by the LE. A power throttle or dynamic brake cannot be rapidly advanced or shut off without adverse train (and track) dynamics. Too great an initial reduction of automatic air brake pressure or too great an increase of independent air brake pressure can cause a violent, lading-damaging and potentially derailing run-in of draft-gear slack. In all, the LE must always plan ahead for any operating contingency. He does this by knowing the then-current intricate dynamics of his train with regard to the territory over which he now advances and will advance.
The North American LE handles and dynamically monitors (by hands on the responsive controls and eyes and ears on the informing indicators) a machine system with complex subsystems, each having ever-varying critical statuses, while transiting an ever-changing environment, which itself is alterable from trip to trip. The LE can have little information on the effect of these interrelating variables upon his train, because the exact consist of most freight trains differs considerably. A LE manipulates and monitors variables such as velocity, drawbar pull and compression on draft equipment, amperage in traction motors, train brake pipe pressure and thus car brake cylinder pressure, brake pipe leakage, independent engine brake cylinder pressure, statuses reported by the end-of-train device, statuses reported by any remotely controlled "rear" and "swing" helper units back in his train consist, profile of train by car weight and type and by weight of blocks of cars, and power of dynamic electrical brake. Although failure of the dynamic brake necessitates a short cycling of the automatic air brakes, perhaps with car wheel-cooling stops, too many operative dynamic brakes can cause a light car to compress in its draft gear, with buff forces causing its wheel flanges to ride up over the ball of a rail, leading to a derailment.
For a narrow example, in cresting an upgrade, the LE must be aware of the slack status and the location of the equilibrium point in his train of cars. Thereby he knows, when descending from the summit, where to begin bunching the slack of his stretched train, and thus how gradually to reduce the power throttle and change over to how much dynamic electrical brake in concert with what rule-allowed reductions of the (air) brake pipe pressure, perhaps prior to easing up on the braking forces, for a determined while, when coming to a short decrease in descending gradient at a "drawbar flats." In reducing the braking systems' power on the head end, he must not allow the heavy engine (of perhaps four 200-ton units) to run out and perhaps break the train in two.
Some of the LE's skills and knowledge were first explored in the studies of the 1970s, fueled by the FRA's empowerment, in 1970, to superintend railroad safety. Accordingly, speaking of the LE's cognitive and motor skills in train handling and in general operations, researchers of railroading A. Hale and H. H. Jacobs say: "Fundamentally, the engineer is a sophisticated information processor and controller of a very complex, and often difficult to maintain, man-machine system" (1975:11). A study, analyzing the work of the LE, found: "Concerning safety of operations, these [data] reveal that approximately 65% of these tasks, if improperly performed, may lead to potentially hazardous situations" (McDonnell Douglas 1972:14).
4. Concerns and recommendations with respect to safety of PTC Automation.
4.1 PTC Functions in an Open Railroad Operating Environment
A concern with a fully automated PTC at levels 5, 6, and 7 (as previously discussed) is degradation of operating skills and judgment developed during continuous experience. The motor skills and judgment of the LE, especially, and also the C, will degrade (that is, degenerate, deteriorate) from lack of practice in the unpredictable and therefore constantly skills-testing operating environment. Skills maintenance includes maintenance for coping with unpredictable events in the open operating environment.
We posit that railroad transportation is necessarily an open system, with all manner of events extraneous to the (relatively closed) systems of the locomotive and the railroad traffic control impinging on it (see Footnote 1). Excluding some airport and urban guideway transit systems, the typical railroad system can never be closed.
The highly complex railroads are not operationally like the automated or highly automated rail transit systems. Railroads have danger from ever-increasing numbers of hazardous loads and the kinetic energy of enormous tonnages, while operating across and through humanly congested, economically costly, and ecologically fragile public spaces. These train-consist tonnages have increased over the years and will continue to do so, consistent with strength of coupler and draft gear components. Automated rail transit systems move in a sequestered right-of-way and have a much more limited number of operational variables and no hazardous lading. Accordingly, we cannot derive suitable operational models from transit systems under forms of automation for application to the nation's railroads under PTC. An automated subway and a people mover can be operated by someone without many railroad operating skills, or can even have no operator at all. Given the kinds of public spaces they operate across, the railroads, however, have a safety necessity of maintaining the experience-based judgment and skills for operating crews.
(Footnote 1: In the sciences, a closed system is considered as isolated from the environment. An open system is not isolated. It comprises a set of elements forming a connected whole which is not a bounded, sealed entity. In other words, the set is not demarcated to consist of a finite (hence, predictable or knowable) number of interacting elements. In the open railroad system, because of later, varying numbers of unpredictable, impinging conditions, a final state cannot be predetermined by initial conditions, say, a train's consist, tonnage, authorized speeds, track occupancy authority, and crewmember experience. A particular final state can be reached from different initial conditions, and the same initial conditions can result in different final states.)
Part of the central problem of skills and knowledge maintenance, then, is such maintenance for coping with both extrasystemic and failure operating events. A fully automated PTC cannot handle all adverse extrasystemic and failure events in the unpredictable railroad operating environment. A few examples are: local police place a red fusee along a main track; an employee or contractor equipped with only red fusees and a white light advances toward a train that must be stopped; a civilian signals danger ahead by violently waving his arms while adjacent to a main track; a trespasser sabotages the train; a trespasser sabotages the right-of-way; an automotive vehicle fouls but does not touch a main track when not at a grade crossing; in the face of an approaching train a roadway worker fouls the track with movable equipment without touching the rails; the PTC system is inoperable during maintenance; a train not equipped for PTC must be run; a PTC-equipped train experiences bad-order PTC equipment; and a PTC command requires stopping a train in a hazardous place, e.g., in the vicinity of a leaking tank car or burning gasoline truck.
Furthermore, a PTC system cannot monitor and control the range of failures of the dynamic brake, the pressure maintaining feature, and the automatic braking system (including excessive piston travel, kinked air hose, and ice blockage of train line). Given that accurate, detailed train consist data are required for accurate PTC operations, how are the consist data assured regarding their safety-critical quantities? Communication failures and informational errors regarding train consist and tonnage are not rare events. Under restrictive speed, in foggy or other vision-blocking weather, how does PTC judge stopping within the rule-mandated one-half the range of vision? Currently, under some such restrictions, the LE must not move his train until a flagman has been sent ahead to view the obscured track to be occupied. It might well be that with certain mechanical and communication failures found in railroading, and just enumerated, the PTC braking paradigm on grades of about 2 percent could sometimes have a stopping distance of infinity, that is, an unstoppable runaway train.
In each of these just-enumerated, safety-critical events, the C and LE must react promptly and correctly to the stimuli they rapidly approach with great kinetic energy. Such reaction is only afforded by skills maintenance of the C and LE.
In the open railroad environment, we find that in 1997, more than half of the 3,446 train-automotive vehicle collisions involved grade crossings equipped with active warning devices. Motorists simply did not heed them. During 1997, Amtrak passenger trains were in 245 collisions with automotive vehicles, and 183 were attributable to motorist inattention or impatience. Each year, the number of automotive vehicles, including heavy trucks, increases and the number of passenger trains (largely commuter and regionally financed) grows. Thus the potential for deadly accidents in the open railroad environment grows, from just this narrow range of inputs. The cheap and easy fixes for eliminating grade-crossing collisions, by now, are almost exhausted. Under the worthy FRA aegis, some 33,000 little-used, unsignaled, grade crossings have been closed to highway traffic. But the average cost of a grade separation is $3 to 5 million, and more in a built-up area (Coston, 1999; FRA, 1998; GAO, 1995). Thus closing crossings will provide less and less of a solution for decreasing deadly accidents at grade crossings.
Furthermore, about 60 percent of grade crossings have no active warning device. Perhaps as many as 20,000 crossings need at least some kind of active warning device (Savage, 1999:58, 1998: chapter 8; FRA, 1998). The enormous cost of installing such devices means that, even with some kind of a fully-automated PTC, innumerable grade crossings can still be heedlessly and inattentively occupied by motorists and pedestrians who put themselves in a danger not protected by PTC. And this does not take into account the innumerable, customary trespassers walking across and along live tracks, who might be subjected to rules-permitted blind shoves of a train. Motorist inattentiveness and heedlessness, plus their lack of confidence in active warning devices, has long been demonstrated. Additionally, motorists exhibit an uncertainty in decision making at grade crossings (Wilde, Cake, and McCarthy, 1975; Aurelius and Korobow, 1971). Motorists' decisions at grade crossings are thus less predictable than in other driving situations.
4.2 Achieving Safety through a Human-Centered PTC
"Human-centered" means that human operators are an integrated part of the problem solving process, and they are not automated out of the system. Maintaining the judgments and skills promotes knowledgeable assessment for action and informed compliance with the governing rules during times of any failure of the PTC system and in times of potentially hazardous extraneous events not controlled by this system. Therefore the PTC should not be totally automated. It should provide cognitive tools that assist the human operators (C and LE) in making decisions and solving problems in operations, and should provide a level-6 safeguard of last resort in operations.
A potential exists for an overall reduction in system safety, at times, with the introduction of PTC, especially if it becomes either inoperable or unreliable. Human-centered PTC systems should recognize the LE as providing coverage for system failures and for the unpredictable open railroad environment. In no way should our advocacy of PTC diminish that ability. Why is this potential for reduction in system safety extant? The reasons are inherent in advanced safety technology, as follows.
The benefits of technology always balance against the costs. Technological innovations such as the aircraft Traffic Alert and Collision Avoidance System (TCAS), which warns aircraft that they are closing upon one another and coordinates the responses by directing pilots to perform specific evasive maneuvers, are promoted for safety. The application of the new, advanced technology, however, produces profound reverberations that may introduce new risks, especially when the technology is the sort of automation that has been labeled strong, silent, and hard to direct. Why is advanced automation often difficult to direct?
First, the technology itself is often frangible (breakable because of the use to which the item is subjected) in ways that produce new forms of failure. In the case of hard-to-direct automation, these new forms of failure are often difficult for operators to anticipate, detect, or accommodate. Thus pilots may receive commands for instant action that do indeed require immediate acts in order to be safe but that result in behavior sometimes incorrect for the desired safety.
Second, the "safety" that new technology seems to produce frequently becomes dissipated in increases in production or efficiency of operations. Thus the ability of TCAS to warn the pilots is one factor that encourages planners to move to a system with less separation between aircraft. This inevitably erodes safety margins, something the planners reject as a valid assessment of their planning outcomes.
In all, the kinds of outcomes possible with advanced technology are many. However, new information technology, including control information and use of flexible blocks on fixed guideways, inevitably will create new forms of failure difficult to foresee, detect, and accommodate. Moreover, it will simultaneously encourage more efficient (that is, less costly) approaches which could diminish safety in ways difficult to anticipate, until accidents make them quite apparent.
4.3 Implications of the Great Western Accident
We have learned limited information about the tragic, two-train collision on October 5, 1999 just outside of London's Paddington Station, on the privatized Great Western, resulting in as many as 100 deaths by incineration. Detailed information now becomes available from the investigation of the two-train collision during 1997 in the same area on the same passenger carrier, as follows (BBC, 1999):
"The driver of the high-speed passenger train that crashed in 1997 killing 7 and injuring 150 had been seen earlier on that trip with both feet up on the dashboard of his cab, leading to speculation that he had weighted down the dead-man's switch. He later drove through two (amber) warning signals and a red stop signal before colliding with a freight train crossing the line in front of him at Southall, in West London, en route to Paddington Station in London. The inquiry has now finally begun. The inquiry heard that the train's Automatic Warning System (AWS) - which sounds a klaxon when the train goes through danger lights - had been switched off after apparently malfunctioning earlier in the day. The train was also fitted with Automatic Train Protection (ATP), but this was also switched off because the engine driver who had been in charge of the train earlier in the day was not trained to use it; that system would have automatically prevented the train from running the stop signal. Great Western was already fined a record 1.5M pounds for a breach of the Health and Safety Act (for this accident)."
The account of the Great Western collision of 1997 reported in the news media, above, stated simplistically that three safety subsystems were made inoperable. Such a statement focuses attention on the engine driver. Why would he cut out, and his supervisors allow to be negated, these vital safety features? A fully informing, and safeguarding, investigation into the social factors of the Great Western accident reveals more than single operator error. The accident indicated errors by the human operator and supervisors (defeating the deadman feature and cutting out the ATP system). Further investigation also shows that in commuter and other passenger rail service having tight headways and brief platform dwell times, great performance pressures exist upon operators of equipment and local supervisors to keep the trains moving, even if this means cutting out technological safety features. After all, without a balancing informed reflection on the potentially catastrophic nature of an accident, the probability of such an event is correctly judged by involved actors to have a quite low incidence. On the Great Western line having the 1997 accident, day after day, the various safety subsystems prevented collisions of trains. With complacency involved (as discussed in sections 3.2 and 3.3 above), actors had little or no experientially-based fear of defeating safety subsystems on a train. Accordingly, the various safety subsystems in place on most trains would prevent collisions, or so it was reasoned. What is the remedy to prevent involved actors from defeating safety subsystems for the movement of a train?
Rail safety subsystems could be designed so that cutting them out is impossible, and a failsafe design could not be compromised. The operational costs of doing this are considerable, and rail safety systems are ordinarily designed to be cut out, to permit the authorized moving of trains under most circumstances of single or multiple faults. The great intricacy of modern safety systems means that designers do not mandate a system dependent on all components functioning as intended.
Thus far, then, the investigation of the Great Western collision of 1997 is incomplete. Safety questions must still be answered, among them the following. During failure of rail safety subsystems, in what ways do operators and their supervisors react locally, to obey or infract the rules? What are the varied local, property-specific incentives for maintaining productivity (keeping the trains moving and traffic fluid)? Does such "make-do" reacting render failure of the entire system (for rail passenger service, always in the media spotlight) an infrequent event? How well do the local operators and supervisors understand all of the systemic safety-critical variables of the potentially catastrophic operating world in which they work and react to ever-changing problems? These are the often-unfathomable questions in the real world of rail operations, as opposed to a designer's analytic world in which many key variables are excluded, by accident or design.
4.4. What Kinds of Distraction Matter?
It should be noted that many displays are present in the LE's workspace, and any amount of added/overlay PTC displays could arguably be cited as the final straw that overburdened the camel. The overlay, in this instance, would be in some degree of partial PTC, automation level 5 or lower. For example, a modern locomotive has the normal, either analog or integrated cab electronics (ICE), screen displays for running the engine and handling the train. These normal items include those for using the end-of-train device, which itself has a number of displays to be monitored. In addition, the locomotive could have displays and controls for distributive power (for controlling from the head-end locomotive a number of remote locomotive consists distributed throughout the length of the train). Distributive power can be operated by the LE in two modes. In the synchronous mode, all sets of entrained locomotives receive the same commands from the LE, for example, throttle run-7 or, perhaps, minimum dynamic brake. In the nonsynchronous mode, if, for example, the LE has two sets of locomotives further back in the train, when cresting a mountain grade he might have his head-end set, which he occupies, increasing toward full dynamic braking, his mid-train or "swing" set gradually throttling down from run-8 to idle, and his rear-end set shoving in run-8 to keep slack bunched. The locomotive could have displays for electronically controlled pneumatic (ECP) brakes. In ECP braking, air brakes (using ordinary brake cylinders and brake rigging) are electrically controlled, and the brake pipe serves as an air-reservoir supply pipe, permitting the reservoirs always to be charged fully.
What practicing LEs have concern about is not distraction with a PTC failure on level 6 or higher, but, instead, manually operating with some form of partial PTC and still having all of the normal functions noted in the previous paragraph. Then, some of the ordinary range of variation of PTC displays and other alerts could cause a task overload. We emphasize the distinction between (1) overload/distraction with full PTC and (2) overload/distraction within a range of partial kinds of PTC (including most overlays) added to normal functions, where the latter may be the worse culprit.
4.5. Practical Understanding of the Issues, and Discussion of the Levels of Intended Design Reliance on PTC
Current plans for PTC, as they relate to the reliance and distraction effects, have not been sufficiently clarified and formatted because there is no clear understanding of the levels of automation in the speculated systems. To develop a clear understanding of this automation requires analyses of typical operating procedures in the railroad environment. We have thus chosen a scenario of civil speed restriction (CSR) on four levels of automation and discuss their implications.
Most present-day methods of operation under CSR work similar to the following:
(1) A CSR assigns a specific speed limit to a specified segment of track.
(2) The LE and C are usually advised of the limits and speed requirement in a mandatory directive. A mandatory directive means any movement authority or speed restriction that affects a railroad operation. It may be found in a track bulletin, special instruction, timetable, Superintendent's notice or some other authorized and written form.
(3) It may be preceded with advance warning signs or flags.
(4) There are rules requiring train crews to discuss the existence of the CSR at timely intervals to assure compliance.
(5) It is the train crew's responsibility to comply with all mandatory directives assigned to them as well as all track flags associated with the movement of the train.
(6) The LE exercises the skills required to bring the train within the limits established in the CSR. That performance is based on the LE's skill level/knowledge of the territory and train handling information, compliance to all rules governing operations and air brake/train handling and factors associated with equipment, weather, track condition, and the LE's knowledge associated with those variables.
Included in this operating rules scheme are several redundant features that, if complied with, greatly limit the probability of overspeed in the CSR.
All hazards associated with the CSR are mitigated by this skills/rule/knowledge-based operating system if there is compliance. With no PTC available, and where the skill/rule/knowledge-based system as we know it today is not changed, we can assume the reliance effect to be 0 (zero).
We now look at the same CSR operating scenario under a PTC system, first where the automation is extremely limited in its capacity as it relates to control, and then, incrementally, where the train's behavior is fully automated by the system. We can then speculate as to the numerical value of the intended "design-reliance" effect at each level.
Reliance level 1. To the existing method of operation described above we add a system component that provides an audible warning in advance of a CSR. (For discussion purposes, the train's speed is not enforced by a wayside or on-board component or subsystem.) The audible warning adds a level of safety but does not replace any of the required rules and does not control the train's brakes. The reliance on that...
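To make the CSR scheme of steps (1) through (6) and the level-1 addition concrete, the following is an added illustrative model, not part of the white paper or of any PTC specification. It treats each redundant safeguard as an independent layer that can fail to catch an overspeed, and lets a "reliance" parameter degrade the crew-dependent layers; every probability in it is a constructed assumption, not measured railroad data.

```python
"""Illustrative layered-safeguard model for a civil speed restriction (CSR).

Added example; all miss probabilities below are constructed for illustration.
An overspeed occurs only if every layer fails to catch it, so with independent
layers P(overspeed) is the product of the per-layer miss probabilities.
"""
from dataclasses import dataclass


@dataclass
class Layer:
    name: str
    miss_prob: float      # probability this layer fails to prevent an overspeed
    human: bool = True    # True when the layer depends on crew skill or judgment


# Constructed baseline: the present-day skill/rule/knowledge-based scheme,
# with no PTC component, where the white paper takes the reliance effect as 0.
BASELINE = [
    Layer("mandatory directive read and understood", 0.05),
    Layer("advance warning signs or flags observed", 0.10),
    Layer("crew discusses the CSR at timely intervals", 0.10),
    Layer("LE train-handling skill brings train to the limit", 0.02),
]


def degraded_miss(miss_prob: float, reliance: float) -> float:
    """Reliance 0 leaves a human layer untouched; reliance 1 makes it useless
    (miss probability 1). Values in between move the miss probability
    linearly toward 1."""
    return miss_prob + reliance * (1.0 - miss_prob)


def overspeed_probability(layers, reliance: float = 0.0) -> float:
    """P(overspeed) for the given layers with human layers degraded by reliance."""
    if not 0.0 <= reliance <= 1.0:
        raise ValueError("reliance must be in [0, 1]")
    p = 1.0
    for layer in layers:
        miss = degraded_miss(layer.miss_prob, reliance) if layer.human else layer.miss_prob
        p *= miss
    return p


def with_level1_warning(layers, warning_miss: float = 0.20):
    """Reliance level 1: add an audible advance warning that does not enforce
    speed or touch the brakes. warning_miss is a constructed assumption for how
    often the crew fails to act on the warning."""
    return layers + [Layer("audible CSR advance warning", warning_miss, human=False)]


def break_even_reliance(layers, warning_miss: float = 0.20, steps: int = 1000):
    """Smallest reliance (to 1/steps resolution) at which the level-1 scheme is
    no safer than the unaided baseline. None if the warning always helps."""
    base = overspeed_probability(layers)
    aided = with_level1_warning(layers, warning_miss)
    for i in range(steps + 1):
        r = i / steps
        if overspeed_probability(aided, r) >= base:
            return r
    return None


if __name__ == "__main__":
    print("baseline P(overspeed):", overspeed_probability(BASELINE))
    print("level 1, reliance 0  :", overspeed_probability(with_level1_warning(BASELINE)))
    print("break-even reliance  :", break_even_reliance(BASELINE))
```

With these constructed figures the audible warning cuts the overspeed probability fivefold at zero reliance, yet a reliance effect of only a few percent on the human layers is enough to give the benefit back, which is the trade-off the white paper is asking designers to quantify.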
Part 3 of the PTC White Paper will be published in the March 2000 issue of the Locomotive Engineer Newsletter.
A complete copy of the 23-page report can be found on the BLE webpage in PDF format.
© 2000 Brotherhood of Locomotive Engineers