Tuesday, July 26, 2016

PTC, legacy train control and vitality


Steve Ditmeyer’s article “PTC vs. Legacy Train Control Redux” is very thought-provoking. Yes, Congress did define PTC by functionality, not technology. No, PTC need not be tied to fixed wayside block signals (interlockings are a whole other issue).

But yes, PTC is precisely an enforcement system, an overlay atop existing systems for authorizing train movements. PTC does not, as it has been configured and developed, confer authority for movement upon a train. It enforces modifications, restrictions and alterations to the train’s authority for movement. The enforcement capabilities therefore depend upon a pre-existing platform: either GCOR or NORAC, or CCOR.

Two major factors determined that PTC would have to overlay and enforce intermediate signal indications. The first factor is/was broken rail protection. Now, we can argue about the efficiency of track circuits for detecting broken rails, but the fact is, unless there is a sea change in the regulatory environment, broken rail detection is a requirement for train operations above certain speeds, and the detection of a broken rail requires trains to operate at a restricted speed, prepared to stop short of the broken rail, and that restriction must be enforced. I know of no way, currently, to precisely locate a broken rail in a block and establish that precise location itself as the “target” for a braking curve from maximum authorized speed to zero mph.

Besides broken rail protection, within blocks that contain more than one hand-thrown switch entering or exiting the main track, it is easier and less costly to utilize and enforce the signal indication as a proxy for the switch positions rather than deploying multiple switch-position detectors.

The second critical factor that drives PTC to enforcing signal indication is safe separation of trains, which requires some way to measure, detect and validate train integrity, where the end of one train really is, as that rear end is obviously the limit to any following train’s authority for movement. When I was working in Egypt with Ron Lindsey developing a model for the installation of PTC on the Egyptian National Railway, we had to confront this issue of train integrity, particularly for operation in the legacy “token-block” and “tokenless-block” territories. I proposed that ENR attach EOT devices to each train, not to measure brake pipe continuity, but for the signal the device transmits. That signal could be processed and relayed to WIUs to confirm train integrity and that, in fact, no part of the train had been left in the previous block.

However, unless and until railroads properly register in the field, independently of office or crew determinations, the end of one train, therefore positively determining when one train has cleared a block; or until the control platform can make the end of a train the target for all following trains—which of course is “moving block”—then fixed signal indications, whether they be block limits in manual block territory, or “restricted speed” operations mandated by automatic block signal, are the best the system can do.

I’m not too happy about that either, as I think “restricted speed” operation is a poor substitute for positive train separation.

The examples Steve Ditmeyer uses to show the vulnerabilities of the “signal-linked” PTC systems are instructive. Those examples are not instructive of the weakness of the system, but of the human operators supposedly governed by the rules that the PTC system enforces. In both cases, Amtrak 89 on the NEC, and Amtrak 350 near Niles, Mich., failure of the human users to properly perform their work defeated the protections provided by PTC. And that’s the sad truth about all train control systems. PTC is no exception.

Human beings can always ignore and defeat the systems designed to protect themselves and others. For the backhoe at Chester, Pa., to have been made a PTC “target” for a zero-mph braking curve, the backhoe would have had to be identified on the track. The “explanation” that says “ACSES works in conjunction with the cab signal system, and the cab signals rely on coded pulses, and those coded pulses are measures of occupancy, and that is a vulnerability,” doesn’t mean that same vulnerability, that same necessity for identification, wouldn’t exist if the PTC system was not linked to signal indications. The same tragic scenario is possible if the entire system is based on digital radio transmission identifying vehicle and location—an operator could easily disable the radio on the backhoe and then move it onto the track without permission, and the PTC system would not register occupancy.

Ditmeyer says (regarding the incident near Niles): “A properly designed and implemented PTC system would have informed the control center computer, the dispatcher, the locomotive on-board computer, and the train crew that the switch had been aligned into the siding ....” That is correct. It’s also quite possible that “a properly designed and implemented PTC system” would itself have vulnerabilities to tampering, vandalism and human error, defeating the system’s intended functions.

The PTC system being deployed by the Class I’s is in fact capable of functioning without linkage to automatic block signal systems. It has to be, as it will be used in “dark territory” to perform exactly the same functions it performs in signal territory. However, even in dark territory, PTC is an overlay to the manual block, or track warrant, or timetable-train order operating systems that authorized train movement. PTC will enforce the limitations to that authority based on the fixed “data points,” the physical markers of a railroad: stations, mileposts, crossings, etc.

There are business benefits to be derived, not from PTC, but from the wireless data platform upon which PTC rests, and of which PTC is just one application. PTC itself, as defined functionally by Congress to prevent train-to-train collision, overspeed derailments, operation through an improperly lined switch, and unauthorized incursion into an out-of-service track, provides business benefits only in the elimination of those human-error-caused accidents.

Which brings me to the definition of “vitality.” I think there might be some confusion regarding “vitality,” what vitality is on the railroad, and how vitality is “satisfied.”

Vitality refers to the primary function of the railroad: the organization of train movement and multiple train movements so that no two authorities for such movements conflict with, intrude upon, overlap each other.

This is the core to a railroad’s existence. It is the vital process of the railroad. It “predates” signal systems, telegraphs, train orders, speed control, train control, centralized traffic control, cab signals with wayside signals, cab signals without wayside signals. It exists independently of any hardware, although not “software” as it is codified in the book of operating rules.

That this is in fact the essence of vitality can best be illustrated by a bit of the old “what if...” For example, what is every signal engineer’s nightmare? The signal that displays the “false clear.” “What if” the signal displays a false clear? Well, the signal is the rule, and complying with the rule, a falsely displayed clear, laps authorities and will lead to a collision.

What is every train dispatcher’s nightmare?

Writing a “lap order.” What if a “lap order” is written? Then acting on the order actualizes overlapping authorities and leads to collision, and train orders must be acted upon because train orders must be executed by those to whom the orders are addressed. Because executing the order is the rule, and in complying with the rule, the vitality of the railroad is jeopardized.

From this we derive the necessity to design signals and systems that authorize train movements, with the fail-safe feature—so that a failure, which may very well be “invisible,” cannot lead to violation or lapping of authorities.

Vitality is not derived from fail-safe functionality. Rather, fail-safe functionality is necessitated by the vital process communicated in the apparatus.

Contrast those expressions of the vital process, the signal, the train order, with a means of enforcement, say automatic speed control. What if …

• The cab signal displays “medium,” and medium speed is defined in the book of rules as not to exceed 30 mph. Train speed is 40 mph. The locomotive engineer acknowledges the cab signal change but takes longer than 8 seconds to take the necessary steps, i.e., applying the brake to reduce the speed of the train to 30 mph. As a matter of fact, after 12 seconds, the engineer realizes he/she has not taken proper action and has not received a penalty, at which point the proper action to bring the speed down to 30 mph is taken by the engineer.

• There is a speed control failure, but not a vital failure, as the locomotive engineer is still required to reduce the speed of the train, and if he or she does that, complies with the rule as expressed by the cab signal, there is no risk of overlapping authorities. In the case of the false clear, complying with the rule overlaps authorities—vital failure. In the case of the speed control failure, complying with the rule expressed in the signal indication prevents overlapping authorities. The integrity of the vital process is not compromised.

Ron Lindsey loves to ask signal engineers “What’s vital in dark territory?” and watch them struggle for an answer. His reply is (usually) “the train sheet.” He’s correct, but that’s not solely where vitality resides. It resides in the timetable, “the authority for the movement of regular trains. It contains classified schedules and special instructions.”

Vitality resides in the operating rules, defining the operation of non-scheduled trains. Vitality resides in the clearance cards issued prior to train dispatchment. Vitality resides in the train registers at terminals. And vitality resides, strangely enough, not in the centralization of railroad train control, but in the separation of authorities.

Hope that helps.

David Schanoes

David Schanoes is Principal of Ten90 Solutions LLC, a consulting firm he established upon retiring from MTA Metro-North Railroad in 2008. David began his railroad career in 1972 with the Chicago & North Western, as a brakeman in Chicago. He came to New York in 1977, working for Conrail’s New Jersey Division. David joined Metro-North in 1985. He has spent his entire career in the operating division, working his way up from brakeman to conductor, block operator, dispatcher, supervisor of train operations, trainmaster, superintendent, and deputy chief of field operations. “Better railroading is ten percent planning plus ninety percent execution,” he says. “It’s simple math. Yet, we also know, or should know, that technology is no substitute for supervision, and supervision that doesn’t utilize technology isn’t going to do the job. That's not so simple.”
