LINKS

ARCHIVES

Discussion of Information in the SOFA Reports Regarding the Question of Locomotive Engineer Unreceptivity or Making Wrong Move

F.  Appendix:  Discussion of Information in the SOFA Reports Regarding the Question of Locomotive Engineer Unreceptivity or Making Wrong Move

Frederick C. Gamst      12.10.04  (fcgamst@aol.com)

1.1.  The Two Issue Questions 

One feature of Remote Control Locomotive (RCL) operations posited as an improvement in safety is that it eliminates or significantly reduces railroad switching accidents caused either by (1) the locomotive engineer being unreceptive to a hand or voice-radio signal or by (2) his making the wrong move.  An engineer's unreceptivity could be for whatever outside physical reason (e.g., radio interference, or engineer could not hear or see a sent signal given the physical circumstances).  Alternatively, unreceptivity could be for whatever internal personal reason (e.g., engineer was preoccupied and failed to or did not correctly hear or see a sent signal, or acted on a signal not meant for him).  In (1), the engineer misses correctly seeing or hearing a hand or voice-radio signal given by groundmen to guide his movement, i.e., sometimes an engineer's error of omission.  In (2), the engineer makes the wrong move, which could mean moving in the direction opposite of that signaled, i.e., an engineer's error of extraneousness.  The two issue questions are, To what extent are posited error (1) and posited error (2) each a documented occurrence?  The Switching Operations Fatality Analysis (SOFA) reports should shed the available light on the two issue questions (SOFA 1999, 2000, 2001, 2004). 

A parallel pair of errors potentially obtain (1) when a Primary Remote Control Operator receives from another employee, who is on the point, hand or voice-radio signals for guiding his RCL movement or (2) when a Primary Remote Control Operator makes the wrong move, which could mean moving in the direction opposite that signaled to him.  Or the Primary RCO could move his RCL and cars in the direction opposite to the one he intended.

1.2.  The SOFA Reports

One of the few places to look for data, other empirical information, and discussion concerning the two issue questions of posited detriment to operational safety owing to (1) an unreceptive or (2) a wrong-move engineer is in the pioneering reports of the SOFA Working Group.  Federal Railroad Administration (FRA) databases provide data for the SOFA reports.  The FRA formed SOFA, among various parties in and concerned with the railroad industry, to review recent fatal incidents in switching operations and to make recommendations for reducing them.  These parties are:  the United Transportation Union, the Brotherhood of Locomotive Engineers and Trainmen, the Association of American Railroads, and the American Short Line and Regional Railroad Association.  The Federal Railroad Administration, and the Volpe Transportation Systems Center also participated in the work of the SOFA group.  

The SOFA Working group noted regarding the FRA data used, "none of them could be interpreted reliably because there were not sufficient exposure data."  Better exposure data are required for understanding the frequency of variables (SOFA 1999:xi).   Furthermore, "there were still information gaps in the fatality reports that had originally been collected by the FRA."  Moreover, the existing switching fatality files need "a much broader range of information that can support the interpretation of possible contributing factors associated with FEs [employee fatalities]" (SOFA 1999xii).

All SOFA materials for 2000 and earlier concern conventional, i.e., with engineer, switching operations and pertain to train and engine service employees.  Materials beginning in 2001 additionally concern RCL operations with their Remote Control Operators (RCOs).  The first SOFA report (1999) used the information in the 76 case files of the FRA on fatal switching accidents between January 1992 and July 1998.  A second SOFA report (2001) included severe injuries, counting fatalities, from January 1, 1997 to March 31, 2000.  And a third SOFA report (2004) fully covered these human accidents through December 2003.  In the twelve-year period from January 1992 through December 2003, 124 US switching fatalities occurred (2004:2, 10).  The fatalities data might permit identifying certain trends or patterns in these accidents.

The SOFA group used three of four of the FRA's standard "Train Accident Cause Codes" relating to failure to receive or comply with hand and voice-radio signals: 

H207 Hand signal, failure to comply;

H210 Radio communication, failure to comply; and

H212 Radio communication, failure to give/receive.

SOFA did not use the related code H209 Hand signal, failure to give/receive.

Following modern accident theory, the SOFA group explains:  "Most incidents do not happen because of a single cause.  They are the result of the convergence of a series of contributing factors. The absence of any one of which might have prevented it" (SOFA 1999:3-7).  Thus, for the purpose of fully understanding operational safety, the issue questions cannot be taken to a final causal analysis apart from studying a chain of events.  As explained in the second paragraph of section 1.2, insufficient information exists, however, in the SOFA synopses and in the FRA databases used to assess all the intermediate and root causes.  (See various entries under Cause, below)

1.3.  The Two Issue Questions and the SOFA Reports

The SOFA group notes that two of the "major causal contributors" included "Unexpected Movement and then Intra-crew Communication" (SOFA 1999:3-13).  The group's explanations of accidents to humans sometimes use a quite general noting of an unexpected movement of equipment.   This noting, however, does not illuminate the issue question as to source of such movement.  As of July 1 1998, more specifically, the group has a "major finding and recommendation," no. 4 of 5, stating:  "Ten of the 76 fatalities occurred because of a combination of radio/hand communication, or initial and/or ongoing movement of equipment without specific distances given" (SOFA 1999:4-10).  SOFA's 2004 report updates the cases of switching fatalities, all briefly synopsized in its various reports.  

One of the ten cases cited by SOFA in 1999 and again in 2004 specifically depicted an engineer moving dangerously on a signal.  In (A) case FE-04-97, the engineer heard and moved upon a voice- radio signal from someone not a crewmember, killing his conductor.  Whatever the reason, the move, therefore, was unsafe (SOFA 1999:4-11, 2004:31).  From the information in the SOFA scenario, the engineer committee a fatal error.  Or did he?  See section 1.4, below, last two paragraphs.  Remember the problem noted in the last paragraph of section 1.2, above, of insufficient information extant in the databases used.

The last two paragraphs in section 1.4  raise still another issue.  How do we know something in accident and error assessments when the data for analysis come from a database necessarily limited in causal information?  What we "know" might be just a byproduct (a frequency artifact) of the limited data available.  Were more data available, we might "know" something quite different.  

Finding a similar problem with data for analysis of effects of whistle-blowing bans on crossing accidents, Metaxatos, et al. explain that a first-level approach yields positive correlations between safety and whistle blowing.  Such a first-level study, however, is insufficient in finding contributing factors in a complex problem such as crossing accidents.  "Individual factors are never at work in isolation.  The deeper one delves into the interactive effects of crossing-specific characteristics on the number of collisions, the more confounded the impact of individual factors becomes so that the interaction effects may even negate the effects of individual factors" (Metaxatos, et al. 2004:114).  As Wiegmann and Shappell conclude, "databases that house human error data are often poorly organized and lack any consistent or meaningful structure."   Furthermore, "there is generally no theoretical or functional relationship between the variables, as they are often few in number and ill defined" (2003:16).

Of another three cases cited in SOFA 1999 where one might implicate the engineer for unreceptibility or wrong move, one was clearly a wrong move.  This wrong move is in (B) case FE-26-94, "engineer moved locomotive in the wrong direction coupling [brakeman] up" (SOFA 1999:4-9, 2004:23).  This is engineer's fatal error.  Are there any other factors in the chain of error, however?  Can we be sure?  See the discussion paragraph immediately above.

In (C) case FE-12-95, as reported in 1999, at first, we find an ambiguity, "engineer shoved that cut back over him [brakeman]" (SOFA 1999:4-2).  Not explained here is whether the engineer acted correctly upon a signal given to him, moved without the authority of a signal, was unreceptive to a stop signal, or moved in the wrong direction.  For this same case in 2004, the reworded brief synopsis is, "crew shoved back to kick two cars that ran over the brakeman" (SOFA 2004:23).  This newer wording, citing free rolling cars "that ran over the brakeman," removes the engineer from even an ambiguous contributory cause.

In (D) case, FE-29-94, we find an ambiguity because the engineer moved on the authority of his conductor's hand signal and "thought he would hear by radio from" his brakeman in the field, who had been working continuously by voice-radio signals from the conductor. The movement hit and killed the brakeman.  Not discussed among the three crewmembers was who would give what mode of signal to the engineer and when (SOFA 1999:4-11, 2004:30).  A contributory accident cause rests with all three crewmembers because they did not reach an understanding regarding signals to the engineer.  The ad hoc practice of the entire crew regarding an undiscussed movement, having no job briefing on responsibilities for communication, led to killing the brakeman.  Accordingly, the engineer alone cannot be assessed contributory cause here. 

In (E) case, FE-22-00 we also find an ambiguity.  A conductor voice-radioed his engineer to back up their light locomotive.  The engineer backed up to the place where he always stopped without further radio contact from his conductor.  Thus, we find an accord between the engineer and his conductor.  His locomotive struck and killed his conductor whom he found underneath it (SOFA 2004:32).  If the engineer, by formal, fixed crew practice, backed up and stopped without further command from the conductor, then, such practice, undiscussed for the particular move because it had been previously agreed, could have led to killing the conductor.  Alternatively, for whatever reason, the conductor could have fouled the movement.   Accordingly, the engineer alone cannot be assessed contributory cause here.   Obviously, the engineer was not continuously viewing his conductor, including as a passive signal.  This matter brings up a factor for analysis in switching accidents, in the following section 1.4.

1.4.  An Unexplored Communication Factor in Switching Accidents

One unexplored factor in railroad switching accidents to humans and property could be in the procedures, by written rule, in signaling, whether in conventional or RCL operations.  Hand signals are continuous in that during a movement under control of a hand signaler, he (at night, his lantern) must be continuously in sight.  Under the rules, his disappearance from view for any reason is a stop signal.  The hand-signaler's visible presence is a signal of "it is safe to continue with the current move" and is passive, performed without any additional action by him.  Conveying the same information during the same kind of move by voice-radio is via discrete (discontinuous) signaling.  Under the rules, the signaler must speak the voice signals at prescribed fixed intervals.  Under the rules, his lack of spoken signal within such interval is a stop signal.  In reality and by crew accord, he sometimes radios these spoken signals at time intervals greater than prescribed.  The voice-radio-signaler's signal is active, performed by an action.

In hand signaling, the signal recipient operator, engineer or RCO, must continuously view with no exception the manual signals from the sender.  Even when the sender gives no specific hand signal, his very visible presence is a signal to continue with the ongoing action.  The locomotive operator (engineer or RCO) is tasking more than just receiving signals.  Continuously and simultaneously, he is viewing visual signals, the signaler, and the physical environment of the signaler, including subtle cues regarding all of these.  For example, has the signaler tripped or fallen?  Is some unwanted object or person in this environment that should not be present?  In voice-radio signaling, the recipient need not and often does not look to see the signaler and his environment.  Indeed, the signaler need not be in sight for a move to continue.  Accordingly, a procedural safeguard from continuously viewing a target in its environment is eliminated.  Thus, a safeguard afforded by this monitoring is defeated.  (For Safeguard, see definitions section C.)

Voice-radio signals of the ordinary uncoded variety can be partially distorted or even lost without the recipient knowing this radio failure.  Signal fading, however, would be known to the recipient.  Such fading could be to a varying degree, thus with varying confusion to a recipient regarding the message received.  Occasional inability to receive a voice signal from the recipient's crewmember signaler but ability to receive from a different crew could cause confusion.  Radio signals are also subject to electronic deduction, which can lead to temporary loss of signal or to reception of a distant signal not intended for the recipient's area.  Deduction comes from refraction of radio waves caused by weather conditions.

When visually tracking a hand-signaler of a crew, this signaler's recipient is able to track him more accurately as well as continuously compared to radio signaling.  That is, the recipient can visually track without a gap or interruption in his tracking but aurally must track radio signals, sometimes "from out of the blue," of a discrete nature which can be distorted or lost.  These factors might have affected the (A) case in 1.3, above.  Could they have affected the (B) case also?  Probably not, But with what data can we be absolutely certain?  In general, the factors just discussed could affect other accident and near-miss cases.

1.5.  Conclusions 

Specific:  Finding only two clearly, fully supporting cases (labeled A and B, above), review of the set of comprehensive SOFA reports fails to find meaningful evidentiary support for switching accidents owing to either (1) an unreceptive or (2) a wrong-move locomotive engineer (SOFA 1999, 2000, 2001, 2004).   The overriding question is, Indeed, are there "two clearly, fully supporting cases"?  See the previous two paragraphs and the third paragraph in section 1.3, above.

General:  Given the limitations of most human-related databases, How do we know; how can we know; what can we know?  Must we frequently invoke a convenient, subjective--hence not impartial--closure or cutoff rule to facilitate human reliability, risk, error, and accident assessments? ("The data can take me only so far; nevertheless, let me show you my findings.")  In other words, must we frequently invoke a chain of causal events incomplete by an arbitrary closure for our findings?  If so, we are frequently doomed to produce inconsistent findings.  What goal accident and error analyses?

Definitions

Cause:  An event resulting in an effect, which see, below.    See also, Event and Dependency, below.

Cause/causal chain:  A cause and effect sequence of events where an action either contributes to a following, intermediate event or terminates in a final or end event.  In a lengthy chain, one action leads to another event, which changes conditions, which lead to the next event in the chain, and so forth.  Preceding events in a chain are sometimes labeled those further "upstream."  A causal chain could have root cause(s), then, intermediate causes, and, then, end in a final triggering event.

Cause(s), contributing:  Alone will not cause an accident, near miss, or error.

Cause, root:  Is the most fundamental/basic and "upstream" aspect of causation that can be identified for a final or end event.  The main purposes of analytic tracing to a root cause of an unwanted event is to develop corrective or mitigating actions to protect the health and safety of workers, members of the public, and the geographic environment or to develop a business efficiency.

Cause, triggering/direct:  The cause that immediately resulted in a final event, such as a physical failure of a component or an operator's error of omission.  Also called immediate cause.

Closure/cutoff rule:  Often, for reasons of limiting the scope for ease of closure or political pragmatism, a conscious decision is made not to trace back to ur-roots of cause.  This action is an invoking of a subjective closure rule.  Thus limiting the scope does not lead to effective results for business efficiency and safety or for regulatory actions.  As the Environmental Protection Agency notes:  "Root cause analyses should focus on an exhaustive and diligent identification of all causal factors to properly identify long-term solutions" (USEPA 1999:45). 

Dependence n. /dependent adj.:  A causality relation between two phenomena where a change in one results in a change in the other.  See Cause, above.

Effect:  Anything contributing to shaping an outcome.  See Cause, above.

Event:  A real-time happening of any phenomenon, including a human error, physical failure, or geographical occurrence

Fail-safe:  This often-used term is a referent in design, a planned arrangement of components in a system.  This referent means that, if a system, subsystem, or component fails (stops operating, or, at times, operates to a design designation of less effectively, reliably, or tolerably than planned), the item goes to a more restrictive condition.  A common popular and incorrect view or connotation of fail-safe regards a device, having a capability to fail without harm to property, persons, or environment.  Given a complex, heavy, and mobile machine, such as a locomotive and attached cars, a fail-safe status does not prevent continued undesired, even unsafe, function of a system for some period of time.  Going into a fail-safe state, accordingly, does not insure an automatic instantly going into a safe operating mode in the event of a failure of a system, a subsystem, or component, and it cannot guarantee eliminating a hazard fully or immediately by automatically reacting to a failure.  To the contrary, a so-called fail-safe subsystem of a device could operate to ”fail-dangerous.”

In other words, the more restrictive condition in fail-safe design does not necessarily insure safety.  For example, steam locomotives and tank cars have several (redundant) safety (pressure relief) valves atop the boiler or tank shell.  The valves automatically self-actuate by an increase of internal pressure beyond a design maximum.  Such safety valves have not insured that the boiler or tank car shell does not rupture, sometimes in a violent explosion.  In RCL operations, for one fail-safe example, if radio communication is lost between the RCO's Remote Control Device (RCD) and the Onboard Control Computer (OCC), the OCC brings the locomotive to a stop automatically with a penalty brake application.  Such a fail-safe, automatic stop, however, does not mean that the stop is completed instantly before property damage, human injury, or unauthorized fouling of track by rolling equipment occurs.  Accordingly, a statement such as, an RCL is designed as fail-safe and if communication is lost between the OCC and the RCL the RCL automatically stops, must not provide any sense of automatic safety in operation.

Fail-safe is an old concept in railroad design, e.g., for automatic block and cab signal systems controlling the safety-critical spacing of movements on main tracks.  Here the validity of the concept stems from using system components having well-established failure modes, with a safe condition resulting from a failure of a component.  Thus, a signal designer labels such signal systems as vital, i.e., they will have the most restrictive indication that a particular signal can display if components fail--but this is only under certain design conditions.  (A false clear signal is always possible under certain conditions, with a track relay for a signal stuck in the closed, or picked-up position, e.g., where the signal is wired incorrectly to falsely display a clear indication or where a mechanical impact to a signal causes it to falsely display a clear.)  One could argue that the design is, nevertheless, vital but that, in the rail world, an intervening human error or physical impact defeated the vital characteristic. 

Accordingly, even a relatively simple, over-a-century-old system such as for automatic block signals can fail unsafely and is not always vital, to a fail-safe state.  The validity of fail-safe concept is even more in question for large-scale systems, especially those with microprocessor components.  Here we do not need an initiating human error or physical impact.  The almost-infinite number of failure combinations of such systems could well mean that the concept now has no validity.  Perhaps, designers must abandon the traditional determinism of fail-safe and vital, having their experiential, observational underpinnings, and resort to the probabilism of risk assessments, having their weaknesses of subjective, judgmental underpinnings.

Loss:   Includes injury and death to humans; damage to property and environment; and harm to business and government procedure, well-being, reputation, and good will.  See Mitigation.

Mitigation:  Is rendering the loss consequences of a hazard less severe, if the hazard is realized.  See Loss.    Mitigation is not prevention (to eliminate happening by a previous action).  For example, for driving at night in rural Australia, I mitigate by renting an auto with "roo bars," i.e., steel bars on the front to lessen the damage if a large kangaroo suddenly materializes by hopping in front of my car.  I could prevent by not driving at night, or at all.

Recover/ recovery, human:  A human regaining of control without which a loss could occur.  Recovery is usually by returning to an original, pervious state prior to human error, physical failure, or geographic disturbance.  Partial recovery returns to a state near a previous state.  Recovery could prevent a loss and partial recovery could mitigate severity of a loss.  Decreasing the number of actors in a team decreases the collective ability of the remaining actors to recover.  See Severity.  See Fail-safe.

Safeguard:  Any device, procedure, or person that protects against loss.  Thus, safeguards can be physical, procedural, or human.  The human cognition is a multifaceted safeguard, at times guarding where the physical and procedural kinds cannot provide protection.  An important human safeguard is the ability to recover (which see, above) after an error or physical failure.

Severity:  The amount of effect that a human error, physical failure, or geographic occurrence has on a system, subsystem, or component.  In this report, differentiated among are errors caused by humans, on all societal levels; failures in physical systems, subsystems, and components; and occurrences, possibly leading to a loss from elements of the geographic environment, such as wind, storms, rain, snow, hail, dust, heat, freeze, humidity, glare, darkness, and so forth.  The significance of an error depends on the severity of any loss it creates.  A railroader might err in pushing the wrong selection button on a soda-dispensing machine or in running his movement with great kinetic energy past an absolute stop signal having rolling equipment immediately beyond it.

The Guttmann-Swain Error Typology

A useful tripartite typology of error, of value is a classification of individual error developed by A. D. Swain and H. E. Guttmann (1983; Bahr 1997:152-155) and adapted for use in this report.  The two main types are omission and commission.

1.  Errors of omission, required acts not performed, includes nonviolation rules infraction;

2.  Errors of commission, required acts performed too little, too much, too late, too early, in the wrong sequence, imprecisely, or not completely, includes nonviolation rules infraction; and

3.  Errors of extraneousness, acts not required and done instead of or in addition to a required act, wrong acts, includes nonviolation rules infraction.

References

Bahr, Nicholas J.

1997  System Safety Engineering and Risk Assessment:  A Practical Approach.  Philadelphia:  Taylor and Francis.

Metaxatos, Paul, P. S. Sriraj, Siim Sööt, and Joseph DiJohn

2004  "Effects of Whistle Blowing Bans on Accidents at Gated Rail-Highway Crossings:  The Northeastern Illinois Experience."  Journal of the Transportation Research Forum 43(2):101-116. 

SOFA Working Group

1999  "Findings and Recommendations of the SOFA Working Group."  Report Nos.  DOT-VNTSC-FRA-00-08, DOT/FRA/ORD-00/04.

2000  "Volume II - Appendix.  Findings and Recommendations of the SOFA Working Group."

2001  "Severe Injuries to Train and Engine Service Employees:  Data Description and

Injury Characteristics."

2004  "Switching Operations Fatality Analysis:  Findings and Recommendations.  .  .  ."  August 2004 update.

Swain, A.D. and H.E. Guttmann

1983  A Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications.  Albuquerque, NM:  Sandia National Laboratories. Nureg/CR-1278.

(USEPA) US Environmental Protection Agency

1999  "EPA/CMA Root Cause Analysis Pilot Project:  An Industry Survey."  No. EPA-305-R-99-001."  May.

Wiegmann, Douglas A. and Scott A. Shappell

2003  A Human Error Approach to Aviation Accident Analysis:  The Human Factors Analysis Classification System.  Aldershot:  Ashgate.

Last update: 5/25/2005; 5:09:47 PM.