charlie hebdo Boeing deliberately omitted any mention of the fatal, faulty system on the 737-Max from training manuals: profits and obscene compensation packages for executives over safety and human lives.
The Boeing Executives along with the Sackler family (Purdue Pharma) should be stripped of their riches and put in jail.
Overmod charlie hebdo How were the speed restrictions communicated? They describe the procedure in the report. The problem, again, is in a paper system that is both inadequately communicated and inadequately back-checked for compliance. In 'the old days' on the New Haven, an emergency civil slow order for sun kink or other rapidly-developing track-geometry problem would probably have required the recipient to read it back word-for-word to 'show understanding' as well as confirm receipt. We could argue whether rote recitation is different from 'confirming the sense in one's own words', but in any case the order didn't make enough 'impression' on the engineer concerned to be memorable.
Don't know Metro-North's procedures.
On CSX when the Train Dispatcher issues a 'Mandatory Directive' (Slow Order, Stop & Flag, Track Warrant Authority or ANYTHING else that AFFECTS the operation of the train getting the Directive) the Directive must be repeated by the person getting the authority - the Dispatcher will compare what is repeated against the 'read back screen' for the authority on his CADS computer - if not repeated correctly the Dispatcher will not 'activate' the authority and demand that the person repeat the authority again - UNTIL IT IS REPEATED CORRECTLY. Only then will the Dispatcher activate the authority in the CADS computer. The person copying and repeating the authority, by CSX Rules, cannot be at the controls of a moving train - the train must be stopped for the Engineer to handle the authority OR the Conductor must be brought to the operating Cab to copy and repeat the authority.
On CSX, if not on Metro-North, Slow Orders were a BIG DEAL.
Never too old to have a happy childhood!
BaltACD Don't know Metro-North's procedures.
The procedure was explained in an above post.
243129 BaltACD Don't know Metro-North's procedures. The procedure was explained in an above post.
So on Metro-North Slow Orders were a little deal. Got it.
BaltACD So on Metro-North Slow Orders were a little deal. Got it.
I know this is going to sound weird, and perhaps I'm looking in the wrong place or for the wrong thing ... but I can't find anything regarding issuance or acceptance of emergency slow orders anywhere in the 18th edition of NORAC. Neither can I find any 'safety instructions' for Metro-North that don't refer to personal employee safety of more or less actionable kinds.
What is the precise Metro-North rule specifying the correct method of informing operating employees of critical slow orders related to track defects (rather than just trackwork or other maintenance-related zones)? And how is receipt of such an order supposed to be acknowledged, including the 'issuer's' reasonable assurance that the order has been communicated and received properly?
Overmod BaltACD So on Metro-North Slow Orders were a little deal. Got it. I know this is going to sound weird, and perhaps I'm looking in the wrong place or for the wrong thing ... but I can't find anything regarding issuance or acceptance of emergency slow orders anywhere in the 18th edition of NORAC. Neither can I find any 'safety instructions' for Metro-North that don't refer to personal employee safety of more or less actionable kinds. What is the precise Metro-North rule specifying the correct method of informing operating employees of critical slow orders related to track defects (rather than just trackwork or other maintenance-related zones)? And how is receipt of such an order supposed to be acknowledged, including the 'issuer's' reasonable assurance that the order has been communicated and received properly?
Not a Form D?
-Don (Random stuff, mostly about trains - what else? http://blerfblog.blogspot.com/)
The procedure of having a crucial speed restriction passed on to the conductor by the engineer so that the conductor can act as a fail-safe on the engineer is comical in its absurd circularity. Also, in this electronic age, both should be directly communicated with. And what about PTC? Wouldn't a properly designed system prevent this?
Reading over the report, it appears that the medical monitoring for sleep apnea for engineer 1373 was inadequate. The monitoring for diabetes management compliance was inadequate for engineer 1373. It certainly should have been much stricter, given that he had previously fallen asleep on duty.
charlie hebdo The procedure of having a crucial speed restriction passed on to the conductor by the engineer so that the conductor can act as a fail-safe on the engineer is comical in its absurd circularity.
I think that in the 'old days' of passenger operation, the idea was that the conductor 'back in the train' would be watching the mileposts, and if he saw the train was coming up on a slow order or restriction at too high a speed he would pull the air to stop it. That would make somewhat better sense if the conductor's air were in fact either proportional or graduated, so that they could reduce speed in the manner of TVM, even right down to 10mph, without irrecoverably causing a 'penalty-brake' like full stop.
There's also the unavoidable conclusion that mandatory sharing of the order is also mandatory sharing of any eventual blame, a bit like making everyone working a shift in a Waffle House responsible for any shorting that turns up in the cash drawer. In my opinion such a thing should be universally condemned, no matter how expedient it may prove to be 'from time to time'.
Also, in this electronic age, both should be directly communicated with.
Where, of course, we collide squarely with the evil legacy of the railfan's friend whose accident was the major stimulus giving us the PTC mandate... and the ban on electronic devices on duty. It would be wholly logical to communicate slow orders through something as simple as datastream over pager frequencies, with the pager 'backchannel' being effective at acknowledging at least receipt. But this accomplishes only part of what the 'correct' imparting of safety-critical orders needs to involve, and any device to do this 'direct communication' would:
1) get the entire foreground attention of both engineer and conductor;
2) require acknowledgement that the message has been received, and is being read;
3) require that the order be read back, either 'word for word' or in plain language, the same being sent to a radio channel that is being recorded in voice with adequate quality;
to which we should fairly promptly add
4) the device should then provide adequate reminding to background attention when the time or place of the received order(s) is being approached -- e.g. by GIS/GPS following.
I humbly submit that any device capable of actually doing these things competently would be banned under current restrictions, and a device that isn't would be functionally worthless at assuring safety.
And what about PTC? Wouldn't a properly designed system prevent this?
A properly-designed set of systems that accomplished at least the four separate purposes contained in the mandate would probably contain the ability to transmit not only slow orders, but any emergent 'civil' consideration in any reasonably complex form desired, together with the redundant 'backchannel' bandwidth to acknowledge the order both in voice and from the electronic "train control" oversight systems.
As I noted, it's almost impossible to believe that critical slow orders wouldn't be fully (and nearly immediately) implemented by the display of a cab signal system. There are a couple of incidental 'gotcha' situations, like the one that produced the Highliner crash in 1972, but I don't find them insurmountable showstopping kinds of thing. As far as I know, PTC is designed to control either speed or braking in the 'civil safeguarding' mode, where presumably slow orders respecting track condition would be implemented. Certainly setting roadway-worker safety limits at some arbitrary mph is supported, and so any emergent restriction like the one in the present case could be 'updated' with whatever frequency the system supports, perhaps 'every six seconds' or more frequently, so that an order for 30mph at 1:00 is updated 'for everybody' when it changes to 10mph at 1:15 as someone in the field reports worsened kink.
Of course this rules out the original point being made here, which is that a slow order ought to be a warning with a reason behind it, and a slow order with a history of increasing restriction ought to be understood for the critical thing it is, more than just a note to watch out. I think much of how we look at this issue is concerned with the semantics of the actual order that was issued, and in where the procedures to issue and acknowledge came to appear to have been so badly perverted: while I squarely place responsibility on the engineer 'no matter what' (as Joe is saying) I also think he may have been ill-served by what, and how, he was told.
Whether or not the existing cobbled-up camel that is modern PTC would have effectively caught the revised speed decrease and operated on the two speeding trains is a technical discussion I can't speak definitively on. It's certainly better than nothing, which was the effective situation on the Metro-North New Haven line then, and may still be now.
Perhaps this story from 1996 will be of interest ... or serve as added fuel ... in this discussion, with particular respect to engineers with 'the wrong stuff' in some ways:
https://www.nytimes.com/1996/07/22/nyregion/few-engineers-commit-most-of-rail-errors.html
Says who?
oltmannd Not a Form D?
Clearly the form D is supposed to be used for the purpose - the specific problem here being that while it's good for initial listing of slow orders or other concerns when starting a trip, or adding new issues that come up during a trip, it's not nearly as well suited to new issues that then steadily change, perhaps in a timeframe of minutes, while the train is moving at high speed.
I can't find a copy of Metro-North Operating Rules, but I'd assume that the "Line C" is supposed to refer to something like NORAC 165 (C) which concerns receipt of 'electronically transmitted' material en route. The actual provision there says:
Employees receiving a Form D by electronic transmission must examine each copy for completeness and legibility. They must communicate with the Dispatcher to verify the number and date of each Form D received.
What the procedures really don't cover is a situation in which multiple updates of a quickly worsening concern are being sequentially sent, each overriding the previous in importance. The requirements of the other provisions in 165, and in 166 following, would be difficult to observe in a moving commuter train on an assumedly tight schedule -- not that that's an excuse, but that may explain somewhat how an excessively rigorous procedure might come to be treated with less rigorous observance. To the point that actual forgetfulness intervenes...
As of this time, the report is again available in PDF at the link that rdamon provided:
https://www.ntsb.gov/investigations/AccidentReports/Reports/RAB1905.pdf
Overmod I can't find anything regarding issuance or acceptance of emergency slow orders anywhere in the 18th edition of NORAC.
Metro North does not participate in NORAC.
Overmod And how is receipt of such an order supposed to be acknowledged, including the 'issuer's' reasonable assurance that the order has been communicated and received properly?
In this case and in compliance with Metro North rules an addition was made to the DTOBO via radio and should have been repeated to the dispatcher and shared with the conductor. This was not done.
That system worked for years before and while I was still working. We worked together cohesively and watched each other's butt. That form of operation has been eroded by what the title of this thread denotes.
charlie hebdo And what about PTC? Wouldn't a properly designed system prevent this?
Given the acumen of today's 'railroaders' I agree.
However PTC is not the be all to end all. Such systems can, do and will fail and most of today's 'railroaders' would become lost as has been in evidence with Amtrak's recent disasters. Automated addiction.
243129 Metro North does not participate in NORAC.
But Metro-North was one of the 'founding' six railroads in the organization that went on to create NORAC, their current rules are heavily based on NORAC, and their current deputy director of operating rules is involved in the revision process for NORAC. So I thought it might be appropriate, in the absence of the actual Metro-North rules, to provide the NORAC equivalent as the 'next best thing' to look at ... until such time as someone provides the correct actual rules and procedures.
I do not have any of my old rulebooks here, but I do not remember any signal telling the engineer to slow down. Besides the signal to release brakes and to stop (the same signal--if standing it meant to release the brakes and if running it meant to stop), there were the signals to stop at the next station (applicable to flag stops?), back up, increase train heat, cut train heat off (that was quite useful if cars were to be cut or added at the next station stop), and a few others.
Johnny
Deggesty I do not have any of my old rulebooks here, but I do not remember any signal telling the engineer to slow down.
It would have involved a more complex code than simple whistle or cord signals would convey, and its purpose would be worth less than the operating benefits. Even a code that meant 'check your Form D information right now' was never thought necessary -- although I certainly think that some form of 'heads up' code, even as a request for alerter-like response by the engineer, would be a useful thing in many situations.
In the Metro-North case, an important thing that was happening was a need to transmit (and to receive formal acknowledgement for) several specific reductions to progressively lower speeds over a comparatively short time interval. A non-radio signal would need the specific code for 'change to a slow order', then the information about the limits for the order, then the specific speed CHANGE for the order, including unambiguously both the current speed and the new speed. All this information would then have to be sent back via the channel (as in NORAC 165 and 166) to confirm that the conductor had received and understood it. (That all this would have to occur with the train not moving is implicit in the rules, but is an added concern if trying to get a train over the road!)
Radio greatly shortens this by permitting voice operation (which is one of the NORAC things rolled into the current Form D procedure, if you look at NORAC history) but I don't think even now it's possible to assume that one radio transmission to both employees gets the formal job done: you still have the engineer running the train being responsible for receiving and then acknowledging each change in detail, and then communicating and receiving acknowledgement, also in detail, from the conductor.
Not incidentally, the great physical separation between engineer and conductor on one of these MU trains is an important difference from a Form D confirmation done between two people in the same cab.
BTW, I can't help but agree with Joe that the correct response would have been to take the deflicted portion of Track 3 between crossovers entirely out of service instead of putting a "10mph" slow order on it. That would involve more careful setting and use of crossover switching ... which may be why that wasn't done.
243129 BaltACD So on Metro-North Slow Orders were a little deal. Got it. Says who?
Consecutive trains operating through a 10 MPH slow order at speeds well above that speed.
BaltACD Consecutive trains operating through a 10 MPH slow order at speeds well above that speed.
That would represent a big deal to me.
243129 BaltACD Consecutive trains operating through a 10 MPH slow order at speeds well above that speed. That would represent a big deal to me.
If Metro-North considered it a big deal - neither of the trains would have exceeded the 10 MPH. It is only a big deal because it was such a small deal to the engineers that they seriously violated the Slow Order because 'they forgot'. If it is ingrained to be a Big Deal - you don't forget!
BaltACD If Metro-North considered it a big deal - neither of the trains would have exceeded the 10 MPH. It is only a big deal because it was such a small deal to the engineers that they seriously violated the Slow Order because 'they forgot'. If it is ingrained to be a Big Deal - you don't forget!
It would seem that Metro North is also afflicted with poor vetting, hiring, training and supervision procedures also.
Back when orders were issued at a place where the engineer and conductor could meet, they would compare their orders so each would know what the other understood. This could not be done when orders were hooped up along the way, and each had to have confidence that the other understood the order--and if the baggageman (who was often the headend brakeman) also received the orders there had to be a three way confidence.
Now, with radio communication, everyone concerned can make certain that all understand the orders, no matter what the circumstances of the receipt of orders are.
I am trying to remember the circumstances of why a flagstop was not made at Oak Ridge (above Knoxville) during WWII--Oak Ridge was added as a stop during the war because of the important work done there.
Deggesty during WWII--Oak Ridge was added as a stop during the war because of the important work done there.
As in nuclear development?
An "expensive model collector"
n012944 charlie hebdo And what about PTC? Wouldn't a properly designed system prevent this? Yes, it does.
What happens when the "properly designed system" fails?
243129 n012944 charlie hebdo And what about PTC? Wouldn't a properly designed system prevent this? Yes, it does. What happens when the "properly designed system" fails?
You'd have to show that a properly designed PTC-type system has a higher fail rate than the current human system that's out-of-date by your own admission due to inadequate personnel.
charlie hebdo You'd have to show that a properly designed PTC-type system has a higher fail rate than the current human system that's out-of-date by your own admission due to inadequate personnel.
You are in the field and the system you depend on goes kaput, now what?
243129 You are in the field and the system you depend on goes kaput, now what?
In this particular case, you do have to be more specific about what 'kaput' means.
Of course, the 'fail-safe' alternative is to have the system go to a safe speed, or restricted speed if necessary, should any component that goes into the cab-signal display go bad (or if input to it is corrupted). You then have the problem at Cayce, where your methods of dealing with 'inadvertent dark territory' may turn out to have enforcement or technical holes. Even then, a proper implementation of PTC would be reading switch positions with physical wireless transponders that the locomotive would detect 'early enough' to allow a stop if the switch were facing, or avoid a split if trailing.
But the present case is interesting, because a "failure" would be a failure to get the lower speed restriction to 'register' in the system by the time the engineer would need to respond to it. And that might be true whether or not the engineer had received and acknowledged a Form D update regarding any previous version of the slow order.
In a computerized system, the whole process of 'issuing and confirming' an updated order with the train personnel and coding it into the cab signals should be treated as a 'transaction', not fully complete in the same way that changes in interlocking are not deemed 'done' until everything is fully locked and right.
And under that scheme, you have the desirable redundancy that both the engineer's expectation and his observation of signals involve the latest information; if the situation changes after the last Form D an engineer didn't 'zone out on', the signal will catch it; if for some reason there's a glitch or failure in the cab signals, the Form D would have alerted personnel to it. You'd need either two separate failures or a common-mode problem to cause that ... and the most likely constellation of complex failure would produce a stop or delay rather than a runthrough or runover.
Of course, chronic failures or known-bad information is in itself a kind of failure, and the only real defense against that is to fix the underlying problems or points of failure...
243129 charlie hebdo You'd have to show that a properly designed PTC-type system has a higher fail rate than the current human system that's out-of-date by your own admission due to inadequate personnel. You are in the field and the system you depend on goes kaput, now what?
About 20 years or so ago - the CSX Main Frame computers got infected from some form of virus or other computer malady. The virus affected communication lines with various remote computers that depended upon the Main Frame system to provide data to the remote systems and to distribute data that the remote systems generate to the users of the Main Frame system.
One of the remote systems attached to the Main Frame was the Computer Aided Dispatching System. CADS runs the Train Dispatching system for the entire CSX System - lining signals, throwing switches, granting and annulling track occupancy authorities for both trains and MofW personnel.
The virus busied up the Communications Lines between the Main Frame and CADS. It busied them to the extent that CADS would crash to inoperability about 10 minutes after rebooting from the previous crash. With the continual rebooting, the Dispatcher's ability to properly keep track of the trains and personnel on their territory became tenuous. After several hours of such operation the decision was made to STOP all trains and have them report their locations. The repeated rebooting of the system would not permit Dispatchers to be able to move train ID's to keep up with their actual locations - and thus know where their trains actually were.
Approximately 12 hours from the start of the computer attack, the 'Computer Detectives' discovered what the problem was; that being said, at that time they had no idea of what the FIX would be. The stop gap band aid that was put in place was to sever the communication lines between the Main Frame and CADS. Once the communications lines were severed, CADS could be rebooted and run as a stand alone system.
With CADS running in stand alone - Main Frame originated data such as Crew Names, train loading and a number of other data (high-wide and a number of other train restrictions) elements would have to be manually input by the Train Dispatcher - rather than have the Main Frame supply the data automatically. CADS depended upon the communications system of the Main Frame to distribute Train Messages to the 'Train Messages Only' printers in each crew on duty location, so train messages could not be sent to the printers. CSX has in place a means for CADS to Fax train messages to the crew locations - however, that Fax system operates by going through the Main Frame and the CSX Rules require faxed messages to have 'Transmitted by CSX Technofax' printed on the bottom of messages faxed through that system - that system could not be used.
The back stop band aid was to print out train messages on local printers attached to CADS and then 'hand fax' the messages to the proper crew location. Another element of CSX Rules requires Train Messages received at the crew location by means OTHER than the dedicated Train Message Printer or by fax with the CSX Technofax legend on them to be REPEATED to the Dispatcher to insure that everything that was sent was actually received.
To facilitate the handling of train messages in accordance with the rules - virtually every Extra Train Dispatcher that was not actually working a Dispatching Desk was called in to handle sending the train messages via normal fax machines and then handling the read back after the Train Messages were received by the crews.
The 'alternate means of operations' continued for about two days before 'The Masters of Bits and Bytes' discovered how to defeat the virus and then return the communications lines to remote computers to normal operations.
If the normal means of control for an operation fail - bring the operation to a stop until effective control can be reestablished. PTC on today's railroads is an overlay on the Automatic Block Signals that are in effect - those signals are operated by track occupancy circuits, with PTC merely relaying the 'signaled block indications' with the PTC logic 'enforcing' less than full track speed conditions - the automatic block signals would still be operating if only PTC fails - if the automatic block signals and PTC fail - then trains will have to get Dispatcher's permission to pass absolute signals and proceed at restricted speed - the same as is done in signaled territory without PTC.
Take the SAFE course of action.
Overmod In this particular case, you do have to be more specific about what 'kaput' means.
This particular case is the result of procedures indicated in the title of this thread. Again, when PTC and whatever other high tech systems to govern train movements fail, most engineers, and I speak of Amtrak and Metro-North of which I have had personal experience witnessing some of their 'performances', become lost, resulting in massive delays and on occasion catastrophic accidents.