The only way to be sure

The Feb. 4, 2018 fatal accident in Cayce, S.C., when Amtrak 91, operating over track where the automatic block signal system had been removed from service for modification and upgrade to PTC, was diverted from the main track by a switch left improperly lined.

The Federal Railroad Administration has issued a Draft Safety Advisory, 2018-01, Related to Temporary Signal Suspensions. For the first time I can recall, FRA is soliciting public comment “on all aspects of the Draft Safety Advisory.”

The proposed advisory intends to “identify existing industry best practices railroads utilize when implementing temporary signal suspensions.” The precipitating event is the Feb. 4, 2018 fatal accident in Cayce, S.C., when Amtrak 91, operating over track where the automatic block signal system had been removed from service for modification and upgrade to PTC, was diverted from the main track by a switch left improperly lined. Amtrak 91 then collided with a CSX freight train standing on a siding adjacent to the main track, killing the Amtrak locomotive engineer and conductor.

Nine days after the event, the NTSB issued Safety Recommendation Report 1801, Train Operation During Signal Suspension, which concluded with the following “urgent safety recommendation”:

To the Federal Railroad Administration: 

Issue an Emergency Order directing railroads to require that when signal suspensions are in effect and a switch has been reported relined for a main track, the next train or locomotive to pass the location must approach the switch location at restricted speed. After the switch position is verified, the train crew must report to the dispatcher that the switch is correctly lined for the main track before trains are permitted to operate at maximum-authorized speed. (R-18-005) (Urgent).

FRA states that its draft safety advisory is consistent with NTSB’s recommendation, but a safety advisory is not the equivalent of an Emergency Order. An EO compels the target railroad or railroads to take specific, defined steps and actions to mitigate an unsafe condition. An advisory requires … nothing.

That’s more than a technical or legal distinction—it is the operating environment, as was made so painfully clear to the most casual observer by Amtrak’s overspeed accidents at Frankford Jct. and DuPont, Wash.

When automatic signal systems are removed from service, the operating environment reverts to that existing on 40% of the U.S. rail network: “dark territory.” How very 19th century. Indeed, the train control systems in dark territory are one or another iteration of the 19th century systems of “absolute block” or “manual block,” updated with radio technology to the 20th century’s track warrant control system. All of these are the legacy of the British “philosophy” that a single train cannot collide with itself. Seriously. Apparently the British had, once again, failed to account for Yankee Ingenuity.

The original version, “token block,” bestowed a symbol of authority, a token, upon a train to utilize the track. No other train could use that section until the token had been returned. The shadow of monarchy, with its token, a scepter representing sovereign authority, is preserved in the substance of British railroading.

A single train is given absolute authority to enter and utilize a section of track. That train becomes the “sovereign” in that block. This means that all switches that might allow for conflicting movement with our “sovereign” train must be known to be lined and locked for the sovereign and against the movement of any “pretender” train to the throne of authority. There is no independent field indication of the switch positions to the trains in the field. The requirement is that the switches are lined and locked for the train with authority to operate through the block.

Requirements, without field indications, are mere assumptions, and we know what “assuming” does, don’t we? The absolute block system works until it doesn’t.

Now, NTSB figures that, when a signal system is suspended, the reversion to an absolute block system from an automatic block system makes the assumption questionable in that the assumption is not the regular practice. Consequently, there is a greater likelihood that crew X will screw up, and report “clear” with all switches restored for normal operation when the switches have not been restored. That increased risk can be offset if crew Y, when given its authority, has its sovereignty restricted so that it must approach those switch locations at restricted speed, prepared to stop, and must report the switch position to the train dispatcher before proceeding at the normal speed.

The track warrant authorizing crew Y to operate into the block would contain a separate line of information, to be transmitted by the dispatcher, and copied and repeated by the crew, requiring the train to operate at restricted speed approaching the switch (designated by name and location).

The theory here is, of course, that two crews are less likely to screw up than one. What could be wrong with that? On the face of it … nothing—except.

Except, when we install automatic block signal systems that “protect” or convey information regarding the positions of switches for main track operations, we are, in theory and in practice, making the switch an integral part of the signal system itself. The switches have become part of the signal system. If and when we remove the signal system from service, we are compelled to remove the switches from service also.

Consider a situation where the automatic block signal system is still in service, but the signal “protecting” the approach to a specific main track switch fails to display the proper indication when the switch was “opened” or reversed for a diverging movement, creating in essence a “false clear.” Would we allow that switch to be utilized prior to correcting that defect? Of course not.

Consider a situation where the automatic block signal system is still in service, but the same signal displays a “stop and proceed” indication as if the switch were open. Visual inspection reveals the switch is properly lined and locked, that there is no broken rail, and that the block is not occupied. Would we instruct, or allow, a train to ignore the stop and proceed at restricted speed requirements? Of course not. That’s what the requirements of the integration of the switch into the signal system means, regardless of the “on line” or “off line” status of the signal system itself.

The “best practice” with respect to hand-operated switches in automatic block signal system territory when the signal protection is disabled is simply to remove those switches from service, and block them, spike them or clamp them, until such time as the signal system is restored. 

And what if the railroad requires use of the switches to maintain its normal service? That’s the thing: We are not in a “normal” condition. “Normal service” requires a degree of throughput, the economics of which are the justification for automatic block signal systems. When we suspend the signal system we cannot pretend we are going to provide normal service. We have to adjust the service to the abnormal condition.

And in an emergency? In an emergency, we always do what needs to be done to remedy the emergency.

When a train is disabled in a block where absolute block requirements are in effect, we know how to authorize a rescue train to enter into the occupied block. If, in an emergency, the blocked and spiked switch must be used, it can be used under the supervision of a qualified signal department employee. Then, under emergency circumstances, we can rely on the extra lines of paperwork on the track warrant to provide a substitute degree of safety.

We can do all those things FRA lists in its Draft Safety Advisory:

• We can ensure sufficient personnel are present to perform the necessary work on the signal system.
• We can establish the “smallest limits” for the duration of the suspension in both time and space.
• We can attempt to minimize operations that require the manipulation of the switches.
• We can mandate special safety briefings and switch position awareness forms.
• We can increase supervisory oversight.

We can do a lot, but nothing amounts to being sure that the human beings making the briefings, signing the forms and operating the switches have not succumbed to the human condition of making a mistake.

FRA is soliciting comments. Here’s mine that I will post on the regulations.gov website (Docket No. FRA-2018-0037):

Take the switches out of service. Block them. Spike them. Clamp them. It’s the only way to be sure.