Showing posts with label Positive Train Control.

Monday, February 12, 2018

The Latest Amtrak Crash: A Deadly Combination


Many accidents in complex systems happen when two or more failures align like tumbler pins in a lock, opening the way to tragedy.  That is apparently what happened around 2:45 AM on Sunday, Feb. 4, outside the central South Carolina town of Cayce.  Here's what led up to the crash.

For the last several years, U. S. railroads have been under the federal gun to complete installation of Positive Train Control (PTC), a complicated system involving GPS receivers on trains, transponders along the tracks, and coordinated data links that will automatically slow down trains that are going too fast and stop those heading toward disaster.  Lack of PTC has been cited in every recent fatal train wreck, and so at the time of this crash, installers were working on the South Carolina section of track in question to put in the necessary PTC equipment.  The only trouble was, as part of the process they had to shut down the safety block signals—the red-yellow-green lights beside the track that inform the engineer as to whether the track ahead is clear. 

Railroads have a way of dealing with the absence of block signals, which is to dispatch trains by means of documents called "track warrants."  Obviously, there has to be a special procedure for this, with good communications by radio to the dispatcher, because running through an area with no signals is a little like flying an airplane blind.  It can take more than a mile to stop an average train, so by the time the engineer sees an obstruction on the track it's usually too late to do anything more than set the brakes, blow the horn, and hope.

At this writing, it is unclear whether the track-warrant procedure was followed correctly.  But what is clear is that earlier in the evening, after a railroad employee set a switch to allow a freight train to pull off onto a siding, clear of the main line that the Amtrak train was going to use later, the switch was locked in place, still set to the siding.  In other words, any train coming down the main line in the same direction was going to head straight onto the siding, toward the sidelined freight.

Normally, this switch setting would cause the signals on the main line to change to yellow or red.  But due to the work going on to install PTC, the signals were inoperative.  So all that stood between the southbound Amtrak train that was coming along about 2:45 AM and disaster was good communications among the person who set the switch, the train dispatcher (many miles away in a CSX control center, CSX being the freight railroad that owns the track which Amtrak uses), and the Amtrak crew.

The third thing that is clear is that the communications broke down.  The last thing the Amtrak engineer saw was the end of the freight train, as his engine barreled off the main line at 56 MPH onto the siding and crashed.  He and the conductor were killed, and about 100 passengers were injured in the resulting Amtrak car derailments, some critically.

Amtrak officials were quick to throw blame to CSX, whose tracks they were using, as it was CSX's responsibility to ensure that any switches their crew used were set back to the proper direction.  Records indicate that the freight-train crew reported that they had set the switch correctly, so it is unclear at this point how the switch ended up in the wrong position anyway. 

While this is only the latest in a string of several fatal Amtrak accidents, each one has apparently had a different set of contributing factors, and accusations that Amtrak's safety culture is at fault are premature, to say the least.

The irony of this particular accident is that it was apparently caused at least partly by the rush to install PTC—a safety feature—which indirectly led to the accident.  It reminds me of the recent Takata air-bag-inflator fiasco, in which millions of cars had to be recalled, and many people were killed by defective inflators that shot shrapnel at them in accidents that would have otherwise merely bent a few fenders.

This is not to say we shouldn't have airbags, or we should call a halt to installing PTC.  And here is where we fall back on a philosophical method which engineers use almost without thinking—utilitarianism, otherwise known as the greatest good for the greatest number.  Utilitarianism is not the only way to decide ethical issues, by any means, but it has its uses.  Clearly, it makes sense to complete PTC installations even if it means shutting down signals temporarily here and there.  But the problem comes when those responsible for safety measures get too focused on the future good they will do, and neglect the present potential harms such installations can cause.  I don't know what went wrong with the track-warrant system in this case, but clearly something did.  And once a decision is made to install a safety feature, it is easy to allow too many temporary compromises in present safety in view of the greater good that the ultimate installation will lead to.

But that temptation has to be resisted.  Takata shouldn't have been as sloppy as they were in making crummy airbag inflators that would turn into bombs down the road a few years.  And everyone involved—train dispatchers, PTC installers, and above all, the freight train crew who apparently left the switch in the wrong position—should have been doing a better job communicating in the absence of the usual track signals. 

Sometimes people who work on safety features get careless because most of the time, the features don't see action.  But they are really like a standing army ready for battle.  When the crisis comes, the safety features rise to the top of the priority list.  Never mind the usual function of the system—transportation, communication, or whatever.  If the user is injured or killed, it would have been better not to have made the product at all.  So although Amtrak's safety culture alone may not be at fault, clearly something went wrong in Cayce that night.  And more work needs to be done to make sure that a complicated system like a railroad runs even more safely with PTC than it does without it.  Just installing PTC won't guarantee that, because PTC itself has the potential to cause trouble.  Let's hope that it doesn't, and that the recent flurry of fatal train mishaps is the last before PTC makes train-passenger fatalities as rare as airline-passenger fatalities are today.

Sources:  I referred to a thorough report on the accident carried by NPR on their website on Feb. 5 at https://www.npr.org/2018/02/05/583455540/ntsb-looks-at-disabled-signals-locked-switch-in-latest-deadly-amtrak-crash.

Monday, July 11, 2016

Cornfield Meet Near Panhandle, Texas: How?


On Tuesday morning, June 28, the stretch of U. S. 60 leading east from Amarillo, Texas past the small town of Panhandle was quiet in the early morning sun.  The flat horizon was broken only by the spinning blades of a wind farm in the distance and a towering grain elevator near the double BNSF tracks, which run straight as an arrow from Amarillo east-northeast for many miles.  U. S. 60 parallels the tracks until the road nears the grain elevator, where it takes a bend southward for a quarter mile or so around the elevator and rejoins the tracks on the other side.
           
At about 8:25 AM, a BNSF intermodal freight train was heading west on one of the pair of tracks.  At the same time, a few miles west of that train, another train was heading east—on the same track. 

Railroads have faced this kind of problem ever since there were railroads.  In England, the main customers of an early form of electric telegraph were railroads, who saw in it a way of coordinating train movements on single tracks carrying two-way traffic.  Later, block signals were developed that turned red any time a train entered a section of track (or "block"), warning other trains to slow down or stop.  The main idea of double tracks is to allow only one-way traffic on each track, eliminating any chance of head-on collisions.  And most recently, a new communications and control system called Positive Train Control (PTC) has been adopted by most U. S. railways, but its implementation has been slowed by problems with radio-channel allocations and hardware issues.  On June 28, PTC was not implemented in the section of tracks that run past the grain elevator near Panhandle.

So it was that the two trains that morning, each with a crew of two, met in a fiery head-on collision that is known in railroad circles as a "cornfield meet."  One person managed to jump from the train before the collision.  Two bodies were recovered after the accident, and as of July 10, the fourth person's body had not yet been found. 

A passerby on nearby U. S. 60 made a phone video of the wreck even as it was occurring.  You can see cars flying off the track, and eyewitnesses testified to the horrific noise that seemed to go on forever.  A train running at speed can take up to a mile to stop after the brakes are applied, and it is not clear at this point when, if at all, the brakes were applied on either train.  Many trains, including those involved in the wreck, are equipped with digital video cameras and recorders at the front and rear, but the National Traffic Safety Board spokesman in charge of the NTSB investigation said that some of these were heavily damaged.  However, other data recorders on board the trains may have survived to help understand how this accident happened.

It will probably be some months before the NTSB has time to sift through the wreckage and other evidence that could show why, in 2016, it's still possible to have such an accident.  As in other railroad accidents involving fatalities in the last few years, PTC could very well have prevented this one.  If operating properly, the system calculates a safe maximum speed for the train at each point in its travels, and if another train is heading for yours, presumably it would put on the brakes in time to prevent a wreck. 

Trains are dispatched these days by means of centralized train-traffic control centers linked to the individual trains by microwave radio.  One of the dispatch centers for trains in Texas is in Fort Worth, so investigators will probably be reviewing all communications between the controllers and the two trains involved.  As with air-traffic controllers, the dispatcher's word is law as far as the in-train operator is concerned.  So if both trains were told they had a clear track ahead, and saw something that looked like a train in the distance, each might have thought the other one was on the other track instead of the same track.  With radio control, it's not clear to me how much significance the operators attach to block signals, which should have indicated a problem in this case soon enough to prevent the accident.

As train wrecks go in the last few years, this accident was not the worst in terms of fatalities.  In this space in 2013 I wrote about a commuter-train wreck in New York that killed four, and in Philadelphia in 2015 another commuter train derailed, killing eight passengers and injuring over 200.  But the Panhandle wreck is disturbing because it seems to reveal a systemic problem, either with the dispatching system or training or both.  Those trains never should have been on the same track heading toward each other in the first place.  And once they were, it sure seems like block signals should have let the drivers know something was seriously amiss.  It is likely that this accident was the product of a combination of unlikely events, each one of which by itself does not typically lead to a major tragedy. 

But to know for sure, we'll have to wait for the results of the investigation.  And hope that BNSF and the other railways can speed up their implementation of PTC, which promises to make cornfield meets as rare in the future as deaths due to runaway horse-drawn buggies. 

Sources:  I used reports on the accident from KFDA-TV in Amarillo at http://www.newschannel10.com/story/32408347/search-ends-for-body-of-conductor-killed-in-train-wreck and a video of the NTSB news conference held after the wreck at https://www.youtube.com/watch?v=mCBTmxKx2vA.  A video of the wreck itself can be viewed at https://www.youtube.com/watch?v=YiPE8e-fqKU.  I blogged about PTC and train wrecks at http://engineeringethicsblog.blogspot.com/2013/12/positive-train-control-and-commuter.html on Dec. 9, 2013 and at http://engineeringethicsblog.blogspot.com/2015/05/for-want-of-spectrum-allocation.html on May 25, 2015. 

Monday, May 25, 2015

For Want of a Spectrum Allocation: The Philadelphia Train Derailment


There's a proverb of uncertain origin that begins, "For want of a nail, the shoe was lost, for want of a shoe the horse was lost; and for want of a horse the rider was lost; being overtaken and slain by the enemy, all for want of care about a horse-shoe nail."  That particular version is attributed to Benjamin Franklin, but all the various versions make the same point:  lack of attention to apparently minor details can sometimes have major consequences.  As more information emerges about the tragic AMTRAK train derailment in Philadelphia on May 12, it looks like what began as a minor kerfuffle over frequency allocations may well have kept a new train-control system from preventing the deaths of eight passengers and the injuries of many more.

At this writing, no one seems to know for sure why the Northeast Regional train heading from Washington, DC to New York City sped up to 106 MPH (169 km/hr) as it entered a curve near a rail intersection called Frankford Junction.  The maximum recommended speed for the curve was 50 MPH (80 km/hr).  All the train's cars left the track, killing eight passengers and injuring at least 200 others.  There were some reports that an object might have hit the train's cab in the minutes before the wreck, but presently the reason for the train's excessive speed is not definitely known.  At the time of the wreck, the train was under the manual control of engineer Brandon Bostian, who was apparently knocked temporarily unconscious in the crash and claims to have no memory of the moments immediately before the derailment.

In many parts of the U. S. including the Northeast, railroads have installed an automatic system called Positive Train Control (PTC) that could well have prevented the May 12 tragedy.  A fully operational PTC system continuously monitors a train's position by means of radio links to trackside transmitters, and calculates the maximum speed that is allowed at each point along the route.  If the system notes that the train is going too fast, it will automatically apply the brakes to reduce speed. 

Why wasn't the Northeast Regional using PTC in Philadelphia?  Because AMTRAK hasn't been able to purchase a 220-MHz radio-frequency allocation (channel, essentially) to put it into operation there yet.  And thereby hangs a rather tortuous bureaucratic tale.

On their own over the past decade or more, railroads have developed pieces of what amounts to PTC using various existing equipment, and the most popular type of train-control radio systems use the 220-MHz frequency band.  For most of its existence since the 1930s, the U. S. Federal Communications Commission (FCC) allocated the limited resource called the radio-frequency spectrum through a purely administrative process, and in principle at least, money had nothing to do with it.  In practice, political pull and other arbitrary factors influenced the FCC's decisions.  Partly in response to accusations of unfairness, in 1994 the FCC began auctioning spectrum slots to the highest bidder, and most observers say that auctions have led to a fairer and more efficient set of allocations.  But in the case of the railroad's need for 220-MHz slots for its PTC system, the market method of frequency allocations may have failed.

The legal requirement for railroads to use PTC originated with a Congressional mandate passed in 2008 mainly to improve safety.  In that legislation, Congress told the railroads to finish the job by December of 2015.  Most railroads have largely complied by now, despite problems with interoperability of different systems developed by different lines and the fact that one railroad may operate on tracks owned by several other railroads.  When PTC was passed into law, the most common frequency band used for these types of train control and monitoring operations was 220 MHz, so the railroads decided to use their existing 220-MHz hardware and to require all PTC equipment to use that band.  If more bands were used, a single train might have to carry equipment that works with three different bands, for example, and as PTC was already costing billions of dollars to implement, they stuck with 220 MHz.

That was fine for most areas, but the railroads ran into a snag in some regions, including Philadelphia.  There the 220-MHz slots were either not available, or were priced at a prohibitive level.  The railroads asked the FCC simply to allocate the needed frequencies for free, so that they could meet the Congressionally-mandated deadline, but the FCC essentially said tough beans, go buy them like everybody else does.  And Congress did not fund the costs associated with the PTC mandate, so the rail lines have been doing it on their own dime.  So at the time of the Philadelphia crash, PTC was not working, but not because of any hardware problems.  The bureaucracy had simply not done its job yet.

PTC is not a flawless system, and it is not absolutely certain that it could have prevented the Philadelphia crash even if it had been working at the time.  Putting on the brakes for a train is not as simple as jamming your foot on the brakes of your car.  A friend of mine is a locomotive engineer on an excursion train that operates near Austin.  He has explained to me how the brakes on each car have to be applied at a certain carefully judged rate, and sometimes even in a certain order, so that the train doesn't undergo stresses that can cause severe shocks or even break couplings and separate the cars.  Even just locking the brakes so the train skids along the track can severely damage the wheels, necessitating extensive repairs.  But sometimes it's necessary in an emergency.

We will never know whether PTC could have prevented the Philadelphia train wreck.  But excessive-speed wrecks are exactly the sort of thing that PTC was designed to prevent.  While making everybody pay for frequency allocations seems to be the fairest way to do things in most cases, the FCC ought to consider making exceptions in situations involving serious safety issues.  Sometimes the old ways are better, and allowing for emergency no-fee allocations in situations where an organization is caught between an FCC rock and a congressional hard place seems like a good idea.  But it won't bring back those who are no longer with us because of what happened in Philadelphia. 

Sources:  I referred to news articles on Brandon Bostian at http://www.cbsnews.com/news/amtrak-crash-brandon-bostian-cellphone/, a list of fatalities in the wreck at http://6abc.com/news/name-released-of-8th-victim-in-deadly-amtrak-crash/719973/, and the Wikipedia articles "2015 Philadelphia train derailment," "Positive Train Control," and "For Want of a Nail."

Monday, December 09, 2013

Positive Train Control and Commuter Lines: A Train Wreck of Another Kind


Early Sunday morning, Dec. 1, dozens of people living in Westchester County and points north of New York City along the Hudson were riding in a southbound Metro North commuter train driven by veteran engineer William Rockefeller Jr.  The scenic rail line follows the east bank of the Hudson and makes a sharp curve just north of the Spuyten Duyvil station.  According to information leaked by a union official later, Rockefeller "basically nodded" at the controls in his booth at the front of the train, which was electrically linked to the locomotive that was pushing the train from behind.  Whatever Rockefeller's state of mind was, the speed recorder recovered from the train verified that it hit the curve at 82 MPH (131 km/hr), well above the 70-MPH (112 km/hr) speed limit for the straight stretch of line north of the curve, and way too fast for the 30-MPH (48 km/hr) zone in the curve.  The result?  The locomotive and all seven cars derailed, four persons were killed, and over 60 were injured.  As bad as this literal train wreck was, it highlights a different kind of train wreck that is taking place at commuter lines across the U. S.:  one involving a federally-mandated system called Positive Train Control (PTC).

There is little doubt that if the Metro North train operated by Mr. Rockefeller had been equipped with PTC, the accident would never have happened.  As passed into law by Congress in 2010 and required in all trains by the end of 2015, PTC is a system that takes information on a train's location and automatically enforces speed limits in accordance with track regulations, operating conditions, and other factors.  (Think of it like a car equipped with a cruise control that would automatically slow you down to 20 MPH (32 km/hr) in a school zone even if you stomped on the gas.)  So even if Mr. Rockefeller had fallen asleep with his foot on the "dead-man" control (which automatically stops the train if a driver lets go of it), the train would have slowed down safely before it reached the 30-MPH zone.

So why didn't Metro North install PTC already?  Many freight lines have completed their installations, and even the Brotherhood of Locomotive Engineers and Trainmen, a union which does not happen to count Mr. Rockefeller as one of its members, has issued a call for PTC to be installed as soon as possible in all commuter trains.

There are a couple of reasons, which can be summarized as suitability and cost.  PTC was developed and intended mainly for long-distance freight lines to prevent derailments and other accidents involving hazardous cargo.  Freight-train engineers are often on 24-hour call, and so sleep-deprivation-induced inattention is a real danger, which is one reason freight lines have adopted it so fast.

Commuter lines, with their regular schedules, frequent starts and stops, and much more dense traffic and line networks, are a different sort of problem.  While PTC often relies on GPS for some of its functions, GPS doesn't work underground, which is where many commuter lines spend a good bit of time.  It turns out that the unfunded mandate to install PTC on all U. S. commuter lines might cost as much as $2 billion, which is a lot of change for cash-strapped municipalities.  Even before the crash, many commuter lines had given notice that they were going to miss the deadline, and there was talk of legislating an extension for such lines.  But clearly, PTC was too late to help the four victims of Sunday's crash. 

Not all engineering ethics issues are clear-cut, and rail safety is one of them.  One of the first ethical cases to draw the attention of the IEEE, the largest professional organization of electrical engineers in the world, involved a commuter rail line.  In 1972, as BART, the Bay Area Rapid Transit System of San Francisco, tested its new state-of-the-art automatically controlled train cars, a non-injury accident occurred which led whistleblowers to go public with their doubts about the design.  There are similar concerns that PTC technology is not ready for commuter lines, and if fully installed would either slow down the trains so much that schedules would have to be changed, or might take automatic actions that could cause accidents instead of preventing them. 

Metro North trains already have several safety systems installed such as the "dead-man" switch, but reportedly a second type of "alerter" system, which required the engineer to respond to a beep by tapping a control every 25 seconds, was available only in the locomotive itself at the rear of the train, not in the front cab where Rockefeller was.  Investigations of many kinds of accidents often reveal that safety equipment was installed that could have prevented the mishap, but it was either not operating at the time, was disabled, or not available under the particular circumstances that prevailed. 

As the controls and software capable of replacing some, if not all, of the functions of a human driver become more available, either economic forces or the force of law will push both private and public entities to adopt them.  We are seeing this already with Google's self-driving cars, and while PTC does something close to the same thing, it has been out of the public eye until now.  But the same type of tradeoff exists for both PTC and self-driving cars.  The promise of much lower accident rates is offset by the expense and administrative headaches of implementing the systems. 

The immediate cause of Sunday's accident is pretty clear by now.  Mr. Rockefeller did the honest thing by admitting he was sleepy.  When even locomotive-engineer unions call for the installation of potentially job-threatening systems such as PTC, it's a sign that the technology's time has come.  As long as it can be adapted safely and economically to the demands of commuter lines, we can look forward to the chance that the four people who died on Dec. 1, 2013 might be the last lives lost in a U. S. train accident for many years.

Sources:  I referred to reports on the accident carried in the New York Daily News on Dec. 5 at http://www.nydailynews.com/new-york/bronx/metro-north-engineer-sleep-disorder-article-1.1538717, a statement issued on Dec. 5 by the Brotherhood of Locomotive Engineers and Trainmen at http://www.blet.org/pr/news/newsflash.asp?id=5507, a CNN report on the crash published on Dec. 4 at http://www.cnn.com/2013/12/04/us/new-york-train-crash/, and the Wikipedia article on Positive Train Control.