Friday, July 08, 2016

PTC vs. Legacy Train Control Redux

Written by Steven R. Ditmeyer, for Railway Age

The title of Larry Light’s “PTC vs. Legacy Train Control” article in the June 2016 issue of Railway Age (full text follows this article) promised a balanced discussion of the differences between newer and older versions of train control. In reality, the article focused on why he believes that legacy train control systems need to be maintained.

Mr. Light had a long and distinguished career as a signal engineer, but he seems to view PTC as simply an advanced signal system that is supposed to enforce the indications of wayside signals. The Rail Safety Improvement Act of 2008, which mandated the implementation of PTC on certain railroad lines, does not define PTC that way. The RSIA’s definition of PTC is technologically neutral, only saying that it must prevent “train-to-train collisions, over-speed derailments, incursions into established work zone limits, and the movement of a train through a switch left in the wrong position.”

PTC systems come in two different versions: those tied to the wayside signal systems with their “vital” relay logic in the field, fixed blocks, and voice (augmented by some data) communications between trains, maintenance vehicles and dispatchers; and those that operate on a paradigm similar to air traffic control, using GPS positioning, digital data communications, sensors and “vital” on-board control center computers so there is continuous, accurate, real-time location and speed information of everything on the tracks that can be acted upon.

There is an explanation for the differences between these two versions of PTC. After the RSIA was passed in 2008, railroad signal engineers, signal union representatives and signal manufacturer representatives on FRA’s Railroad Safety Advisory Committee (RSAC) recommended PTC rules that implied, but did not actually require, the tying of PTC to wayside signal systems. Then, the signal people on the Interoperable Train Control (ITC) Committees formed by the four major railroads wrote specifications that indeed tied the PTC systems they were implementing to the wayside signals, and also called for replacing the existing wayside signals with new ones that could be connected with data radio transmitters and antennas at each wayside signal. Control center computers were left “non-vital.”

To fill in a bit more of the history, nearly 20 years earlier, staff at the AAR, CN, CP, BN, and Rockwell designed the original ATCS and ARES PTC systems with a completely different architecture that did not tie them to any wayside signals. Here is the description of this type of PTC system that was posted on FRA’s website from 2002 through 2012:

“PTC systems are comprised of digital data link communications networks, continuous and accurate positioning systems such as GPS, on-board computers with digitized maps on locomotives and maintenance-of-way equipment, in-cab displays, throttle-brake interfaces on locomotives, wayside interface units at switches and wayside detectors, and control center computers and displays. PTC systems may also interface with tactical and strategic traffic planners, work order reporting systems, and locomotive health reporting systems. PTC systems issue movement authorities to train and maintenance-of-way crews, track the location of the trains and maintenance-of-way vehicles, have the ability to automatically enforce movement authorities, and continually update operating data systems with information on the location of trains, locomotives, cars, and crews. The remote intervention capability of PTC will permit the control center to stop a train should the locomotive crew be incapacitated. In addition to providing a greater level of safety and security, PTC systems also enable a railroad to run scheduled operations and provide improved running time, greater running time reliability, higher asset utilization, and greater track capacity. They will assist railroads in measuring and managing costs and in improving energy efficiency.”

Published reports show the differences between these two types of PTC systems in terms of benefits. The Oliver Wyman, Inc. report in 2010 for the AAR entitled “Assessment of the Commercial Benefits of Positive Train Control” examines PTC systems tied into the wayside signal systems but not integrated with precision dispatching and other information systems. The report concluded that continuous, real-time information from PTC would be unlikely to increase line capacity or improve running times, which could be obtained in other ways. In fact, the report acknowledges that by tying PTC to wayside signals, train performance could actually be degraded.

On the other hand, the Zeta-Tech Associates report in 2004 for FRA entitled “Quantification of the Business Benefits of Positive Train Control” examined PTC systems that were not tied into the wayside signal systems but were integrated with precision dispatching, work order reporting systems, and locomotive health reporting systems. This report indicated significant benefits from the continuous, accurate, real-time information from PTC in terms of shorter train running times, improved running time reliability, improved track capacity, and improved asset utilization.

Mr. Light states that the U.S. “has a safe, reliable signal infrastructure supporting the freight system and passenger services,” and that locomotive engineers have “an extraordinarily high compliance ratio” when operating trains on signal indications. That has been generally true, but nonetheless there have been many instances in the past where failures on the part of engineers have resulted in train accidents that collectively have resulted in hundreds of fatalities. Two recent ones come to mind: the overspeed derailment of Amtrak 188 in Philadelphia on ATC territory on May 12, 2015, and the head-on collision of two BNSF intermodal trains at Panhandle, Tex., on CTC territory on June 28, 2016. The signal systems did not fail, per se, in either case, but they permitted locomotive engineers to make mistakes that caused the accidents. The NTSB and FRA believe that PTC could have prevented them from occurring.

As Mr. Light points out, the ACSES system on Amtrak’s Northeast Corridor (of which he was a key designer) met “only safety concerns,” implying it did not attempt to address operational efficiencies. And even though ACSES “was a blend of mature technologies,” it still allowed a fatal collision between Amtrak 89 and a backhoe at Chester, Pa., on April 3, 2016. The ACSES system did not prevent the train from entering a work zone as the RSIA required; the architecture of ACSES apparently did not enable the dispatcher or the control center computer to know that the backhoe was on the same track on which Amtrak 89 was running at 110 mph.

The other PTC system with which Mr. Light was involved, and that can also be called “a blend of mature technologies,” is the ITCS PTC system on Amtrak-owned trackage in Michigan. This system almost permitted a fatal collision to occur near Niles, Mich., on Oct. 21, 2012. Amtrak 350 received a clear signal to proceed, but was “kicked off the main line by a low-speed switch into a rail yard, where empty Amtrak ballast hoppers were parked,” according to a media report. As an overlay system, ITCS relies on block signals to relay switch position information to it, but because of signal and track maintenance activity (a signal maintainer had applied a jumper cable and lined the switch for a diverging move to allow for a tamper to enter the siding, and then failed to remove the jumper cable), the block signal system did not detect that the switch was aligned for a diverging move, and consequently ITCS could not prevent Amtrak 350 from derailing and stopping 21 feet short of the ballast hoppers. This near-miss was not caused by a failure of a locomotive engineer, but by the architecture of the ITCS system. ITCS, tied to the wayside signal system, did not detect that a jumper cable had been applied. Thus, it did not meet the RSIA requirement that a PTC system “must prevent the movement of a train through a switch left in the wrong position.” A properly designed and implemented PTC system would have informed the control center computer, the dispatcher, the locomotive on-board computer, and the train crew that the switch had been aligned into the siding, and the train would have been stopped before it entered it.

Mr. Light touts the “vital” fail-safe logic of wayside signal systems, but he does not seem to recognize that there is an alternative architecture that can achieve even greater safety and reliability. That is the fault-tolerant system architecture using dual-redundant components that is used in air traffic control, self-driving automobiles and trucks, and “vital” communications-based PTC systems not connected to wayside signals. And even though FRA may not yet have a “clear path to certification” of “vital” PTC systems, other agencies at the U.S. Department of Transportation—the Federal Aviation Administration and the National Highway Traffic Safety Administration—are developing certification processes for NextGen air traffic control and for automated road vehicles. These processes, with appropriate modifications, could be used for certification of PTC systems.

PTC systems, as Mr. Light points out, are viewed by some as “costing too much,” but only, I argue, if the continuous, accurate, real-time train and maintenance vehicle location and speed information is used exclusively for safety purposes. Nothing prevents this continuous, accurate, real-time information from being used simultaneously for “vital” safety applications as well as for “non-vital” operational applications. One railroad has installed a second GPS receiver and data radio on each of its road locomotives for non-safety, business-related applications; they served to raise costs for that railroad while enabling it to say that many of the benefits of continuous, accurate, real-time information are not attributable to PTC.

It is too late for railroads to reduce the cost of their PTC implementations significantly; their new wayside signal systems have mostly been installed along with data radio transmitters and antennas at each of the wayside signals. By disconnecting their PTC systems from the wayside signal systems and installing “vital” control center computers to ensure safety of operation, however, the business benefits that come along with it will more than cover the costs of their complete PTC installations.

Getting PTC designs and implementation strategies right has been an elusive goal, and the debate over them has been unnecessarily contentious. I hope that in this article I have contributed more enlightenment than contention.

 

PTC vs. legacy train control

Positive Train Control developers could pay closer attention to history.

By LARRY LIGHT, for Railway Age

The investment of blood, sweat, tears, experience and wisdom bound up in our current signal infrastructure is a very rich resource. This valuable investment has resulted in the extraordinarily safe operation of trains on our national networks in North America today—but it was not an easy road to get where we are today.

As the 20th century dawned, railroads were installing new interlockings and automatic signal systems to cope with the rapid rise in traffic, speeds and accidents continuing from the 1880s and ’90s. The new systems were proving effective, but as many track-miles of these new systems were installed, unsafe failures began to be revealed. It became increasingly apparent that the engineers who had begun to trust the new concept of moving by signal indication needed something better.

By 1907, the railroads were experiencing several hundred false-proceed failures per year, the same year that the number of passenger train fatalities peaked. However, a new discipline of railroad signal engineering was beginning to really “get it,” and signal experts from 21 railroads serving the greater New York City area began to meet regularly to examine every false-proceed signal failure to take corrective action. By 1914, their efforts began to pay off, and the slight decline in passenger fatalities from 1907 changed to a more rapid decline, as the systems got better and many more miles were installed. Signal experts have continued this process to this day. Further breakthroughs in the past 30-plus years have eliminated jointed rail and bond wires, replaced wire lines with digital technology, and replaced relays with microprocessors. This has further enhanced safety, greatly improved reliability, and reduced the cost of our current signal systems. However, because of a loss of institutional knowledge, this very valuable up-to-date resource is often taken for granted, and even ignored as obsolete when planning improvements. This has certainly been the case in much of the “hype” that has driven too much of the thinking about PTC.

If you don’t know your history, you are doomed to repeat it—the quest for the “silver bullet.”

As signal engineers were stamping out signal failures, and began in 1907 to set the standard for the continuous improvement that continues today, the ICC and the press were losing faith. Fatalities per thousand passenger-miles were declining, yet there were rare but tragic high-profile collisions, ultimately resulting in the 1922 mandate for 49 passenger-carrying railroads to install one division with ATC or ATS. After WWII came the 1947 edict requiring ATC or ATS for maximum operating speeds of 80 mph or higher. Two systems have survived, the intermittent inductor ATS, and the continuous coded ATC, reaching its highest development in the NEC as the backbone of Northeast PTC.

A similar quest for the “silver bullet” is now being pursued as PTC. What is never emphasized is the extraordinarily high compliance ratio when it comes to our nation’s locomotive engineers operating their trains on signal indication. As we spend ever-increasing billions on PTC in our asymptotic approach to perfection, when will we realize that an asymptote can consume everything you have, but you can never quite make it?

One other element of signal history often overlooked was the “vital” concept, clearly demonstrated with the introduction of Centralized Traffic Control. In 1928, the first coded CTC went into service, where locations, switch/signal controls and indications were transmitted by codes to and from a central office. This matured into high-speed data transfer that has made possible the control centers of today.

The concept that made this breakthrough possible is “vital” logic vs. “non-vital” logic—separating more costly fail-safe logic from all the other logic not directly affecting the safety of train movement, and reliably executed at less cost.

At any control center, screen data is driven by non-vital logic. Fail-safe vital logic that protects train movements is in the field at sites controlled and indicated. Non-vital indications are reliable for observing and planning train movement, but they cannot be relied upon to execute safety functionality.

In addition to the obvious liability benefit, the genius of the “vitality” concept is simply that it permits signaling and train control systems to be kept simple and affordable in achieving their basic mission: ensuring that individual trains do not exceed their safe speeds or limits of authority within their safe braking distances. Any additional feature that does not directly contribute to this mission can be more economically and efficiently handled separately from fail-safe logic.

The prevalent idea that the “new PTC” should try to make a “business case” has been a costly myth. It is like cancer, metastasizing basic architecture, fatally mixing vital and non-vital elements. If there is no business case for PTC, how can we justify this complexity?

Three basic threads are woven into our current signal infrastructure: continuous safety improvement, simple and effective train control, and the concept of vitality and non-vitality. Each has greatly contributed to making our current S&TC infrastructure safe, reliable and affordable. However, there is a problem.

Loss of institutional knowledge of the significant gains made by signal engineers over the years has been costly in the PTC creation, causing considerable pain in three areas:

• PTC is costing too much, and we haven’t even touched on future operational and maintenance costs of unnecessary complexity. However, initial estimates of the cost of “failures enroute” when compared to signal-generated train control are not pretty.

• PTC is taking too long to design and install. For example, ACSES on the Northeast Corridor was purposely kept simple to meet only safety concerns. It was a blend of mature technologies. What would have happened if these cardinal principles had driven creation of the “national standard”?

• Submission to political pressure raises the grave danger of compromising our previously very high standards of fail-safe design. The U.S. has a safe, reliable signal infrastructure, supporting the freight system, and passenger services with ability to meet future demand. However, the national standard for PTC does not currently have a clear path to certification as a vital system.

This raises three significant questions:

• History shows when a signal aspect is missed enroute coincident with a false-clear failure in any system designed to enforce that aspect, human nature will likely interpret the unseen aspect as a “clear” when a stop is required. How can it be safer to give an engineer a non-vital system to interpret and enforce a vital system, when simpler vital PTC systems are available?

• There is rising demand for intercity passenger services in high-performance corridors for 110-mph operation, yet only PTC systems certified as vital will be allowed to support any of these operations at speeds exceeding 90 mph. How will these operations be supported?

• The pressure is very subtle, but still strong, to force the industry down the road toward a more costly, less-safe operation. How are we to justify this negative trend nationally? And why would we want to?

The good news is that there are forms of PTC that have taken advantage of our signal and train control history to strongly mitigate against negative forces. The bad news is that much of the national network is in danger of being, to a certain extent, compromised by forms of PTC that have failed to take full advantage of our railroad heritage.