STRAIGHT TRACK : Intercraft Communications for Reality-Based Rails


Gamst Report from NTSB PTC Symposium

Last week, I was away at the National Transportation Safety Board (NTSB) Academy in Ashburn, VA, for the NTSB's "PTC Symposium."  Curiously, although over the years both the NTSB and the Federal Railroad Administration (FRA) have repeatedly stated, in various ways, that most railroad accidents involve human factors, specifically human errors, only one presentation was programmed on the human factors of Positive Train Control (PTC), and that one only partially on human factors.

 

The long and the short of the symposium is that the freight carriers do not feel comfortable with the accuracy of the train-stop aspect of the PTC technology.  PTC braking algorithms must comprehend the range of freight train consists having a variable mix of car brake valves (AB, ABD, ABDX, etc.), individual car lengths, total train brake pipe lengths, variations in actual car weights, numbers of inoperative car brakes, variations in effectiveness of car brake force, etc.  Given the consequently broad braking algorithms, the control computer onboard a PTC-equipped locomotive is not as efficient as the locomotive engineer, various carrier speakers explained.  (The engineer uses experience, other knowledge, and kinesthetic feedback from the train to his sense organs and brain for his own intricate, human, cognitive braking "algorithm."  F.C.G.)

 

Furthermore, the wide range of variation that the braking algorithms must span means a decrease in the velocity of trains on a given line and hence a decrease in transportation productivity.  In short, the PTC benefit to the carriers would cost them doubly: once for implementation and maintenance, and again for the loss of overall train velocity.

 

Additionally, the FRA's 1999-estimated nationwide cost of PTC--ranging from $1.2 billion for a simple level 1 to $7.8 billion for the most advanced level 4--makes implementation economically unfeasible today without government subsidy.  All of the several test-bed PTC programs now underway are, in part, federally (and sometimes state) subsidized.  For example, the NAJPTC, or IDOT, project begun in 1998 in Illinois has only $1 million of carrier funding.  The project extends for about 120 miles from Springfield to Mazonia, Illinois.

 

One presentation generated discussion of whether, given a line having either ABS alone or ABS with CTC, implementing PTC on it would increase safety.  (This is generally true, although new technology would raise new hazards, i.e., new potentials for loss.)  First, if the wayside ABS signals were consequently removed--as is proposed for much PTC as a cost saving--and the PTC later failed temporarily, would the fallback operations (usually some form of TWC or DTC) be as safe as before the PTC was installed?  Such a PTC failure does not necessarily allow operations to revert to the level of safety of the original pre-PTC operations.  Second, even if the ABS signals were not removed, how much would complacency under, and reliance on, PTC have affected crewmembers?  In both cases, we have a human and social factors consideration of the issue of error recovery by crewmembers.

 

I note at least four physical, human, and social factors problems with a failure-forced, temporary reversion to a pre-PTC mode of operations.

1.  ABS track circuits provide protection against some forms of broken rail.  Such protection would now be lacking, unless some technological provision were made for broken-rail detection.

2.  The ABS provided a classic form of distance-spacing of trains, introduced in the US during the 1890s.  This spacing would now be absent in the consequently dark territory.

3.  With or without removal of the ABS, after a period of using PTC, veteran ABS/TWC/DTC operating employees would have their pre-PTC-relevant skills diminished.  Some degree of human-factors complacency under, and reliance on, PTC would have set in, variably for each employee (Sheridan, Gamst, and Harvey 1999).

4.  Furthermore, post-ABS/TWC/DTC employees would not have all the pre-PTC-relevant skills.

This paragraph is just one example of the human and social factors of PTC operations and training. (See also my relevant seminar notes and concepts, below.)

 

The "NTSB Most Wanted Transportation Safety Improvements 2004-2005" includes, "The Federal Railroad Administration should act to:  Implement Positive Train Control Systems."  At the PTC Working and Human Factors groups periodically convened by the FRA since fall 1997, that agency demonstrated that it realized PTC's encompassing Human-Machine Interface (HMI) is not separable into a machine-only consideration.  This inseparability concerns a novel, safety-critical, large-scale, brittle, and opaque operating technology having catastrophic hazard.   Under PTC's HMI, we have the crucial subordinate considerations of a human interacting with an autonomous and sometimes authoritarian control computer.  (See my seminar notes and concepts, below.)

 

The NTSB did not demonstrate such a realization of the HMI for PTC in its symposium, which the NTSB summarized as intended to invigorate dialog by presenting, for PTC, a history and update, a highlighting of problems, and an exchange of ideas and future directions.  All this the NTSB intended with scant reference to human and social factors.  Humans do not work by technology alone.

 

/FRED/

 

Frederick C. Gamst

 

fcgamst@.com

**

From Seminar Notes: 

 

In complex automated systems, the direct operating team consists of human(s) and control computer.  For such systems, increasingly, a human communicates with as well as operates a machine.  Automated systems have been implemented which are more autonomous and authoritarian than previously (see concepts, below), while giving the human operator inadequate feedback (Billings 1997:4).  In these systems, what are the limitations of the role of the operator in executing control actions?  The machine in the system is not a passive device but an agent-like one, functioning at high levels of autonomy and authority.  This machine can autonomously operate without an immediately preceding operator input and can authoritatively override operator intention.  Such operating can engender novel responsibilities and events for the operator.  These events can include sometimes-serious breakdowns in the interaction of the human and the control computer.  Root causes of the events go beyond just the operator at the point of control and reach up to include the limitations set by the designers/suppliers and the manager-implementers of a system, not to mention governmental regulators and investigators.  Implementers of a system could find unexpected consequences because their system did not function as a team player (Norman 1990; Sarter and Woods 1995, 1997; Sarter, Woods, and Billings 1997; Mitchell and Sunström 1997).

 

The key issue with automation autonomy in a system is this: how does it interact with operators, and how might it enhance or degrade their performance?  Does autonomous computer control shape the actions and thoughts of operators in ways unforeseen by its designers and by the managers who implement it (cf. Parasuraman and Riley 1997)?   To what extent, if any, do inadequacies in the HMI foster accidents and near misses?  Does placing automation between the operator and his machine, at times, remove him from the elements of operation?

 

In operating systems having autonomous control computers, a cognitive dimension of human trust exists.  When and why does the operator allow autonomous control, and when does he assume manual control?  Trust is contingent on an operator's ability to predict the performance of the autonomous control and to comprehend overall system function, hence its dependability (Lerch and Prietula 1989; Lee and Moray 1992; Sharit 1997:322).  Moreover, he often must quickly make decisions in what he experiences as an abstract rather than concrete situation, without sufficient (or any) kinesthetic cues and with feedback largely or only in symbolic displays or, perhaps, none at all.

 

When a human operator interacts with an autonomous control system, he loses some occasions to practice needed cognitive and psychomotor skills.  Furthermore, the direct relation between what he manipulates and what he senses occurring as a result may be degraded or even absent, including effects of reliance and complacency (Parasuraman, Molloy, and Singh 1993; Riley 1996; Sheridan, Gamst, and Harvey 1999).

 

Central to any system having safety-critical automation from microprocessors is assessment of the interaction of controlling human(s) and controlling computer(s).  Who or which controls a system under what dynamic circumstances, and how much is the human operator informed about that control?  Adapting from Klaus Christoffersen and David D. Woods (2002) on the subject, problems can exist that are generated by the uncertainties of the interfaces between human operators and computer-based automated systems, i.e., a Human-Automation Interface (HAI). This is a critical part of today's steadily developing and enveloping Human-Machine Interface (HMI).  In what ways do these problems of interface exist in the various kinds of PTC automation?  What we must question is this: how close is a particular subsystem of automation to the limits of its competence?   Furthermore, although designers intend automation to reduce human cognitive and physical workload, does it ever increase either of the two and, if so, under what circumstances (cf. Harris, Hancock, Arthur and Caird 1995)?  And under what circumstances, if any, do operators sharpshoot or override the automation teammate and resort to human action?

 

From Seminar Concepts:

 

Human-Machine Interface (HMI):  The HMI could be considered as an abstract plane across which operator and machine exchange information.  HMI, then, involves study and application regarding factors of interaction between human operator(s) and a machine, including human perception, decision-making, information-processing, capabilities and performances, task procedures, reactions to equipment layout and design, and integrations of physical stimuli and learning experiences.  Hence, the designation HMI is often indistinguishable from human factors.  The machine with which a human interfaces may itself be autonomous to some degree.  See Autonomous, control system, Human-Automation Interface.

 

Specifically, HMI is a human's interaction with a machine through controls, displays, and data input devices.  When an operator does a task involving direct contact with a machine, the components of the machine that he manipulates and/or observes are his HMI, for the task duration.

 

Autonomous, control system:  An automated system can be to varying degrees or entirely autonomous, where it functions independently without control by a human operator.  Thus, the system independently executes actions without immediately preceding specific human commands.  In advanced automated systems, the human operator shifts tasks from active to supervisory control of the machine.  Such a system might also be to varying degrees or entirely authoritarian, in not providing adequate or any feedback to the human operator regarding his supervisory freedom for independent judgment and action.  An automated system's autonomous action, and additionally its physical failure resulting in autonomous "fail-safe" action that cannot guarantee operational safety, could be seamlessly hidden from the operator and thereby rendered opaque to him.  Autonomous authoritarian systems are often tightly coupled.  See Fail-safe, Tightly coupled.  Christoffersen and Woods hold that the central issue is not the levels of autonomy and authority but, instead, the amount of coordination between the human and machine components of an automated system (2002).

 

Fail-safe is an old concept in railroad design, e.g., for automatic block and cab signal systems controlling the safety-critical spacing of movements on main tracks.  Here the validity of the concept stems from using system components having well-established failure modes, with a safe condition resulting from the failure of a component.  Thus, a signal designer labels such signal systems as vital, i.e., if components fail they will display the most restrictive indication that a particular signal can display.  But this holds only under certain design conditions.  (A false clear signal is always possible under certain conditions, with a track relay for a signal stuck in the closed, or picked-up, position, e.g., where the signal is wired incorrectly so as to falsely display a clear indication, or where a mechanical impact to a signal causes it to falsely display a clear.)  One could argue that the design is nevertheless vital but that, in the rail world, an intervening human error or physical impact defeated the vital characteristic.

 

Accordingly, even a relatively simple, over-a-century-old system such as automatic block signals can fail unsafely and is not always vital, i.e., failing to a fail-safe state.  The validity of the fail-safe concept is even more in question for large-scale systems, especially those with microprocessor components.  Here we do not need an initiating human error or physical impact.  The almost-infinite number of failure combinations of such systems could well mean that the concept now has no validity.  Perhaps designers must abandon the traditional determinism of fail-safe and vital, having their experiential, observational underpinnings, and resort to the probabilism of risk assessments, having their weaknesses of subjective, judgmental underpinnings.
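To make the vital / fail-safe argument above concrete (and the broken-rail protection of item 1 in the reversion list), here is an added Python model of a classic DC track circuit; it is not code from the original post. Every de-energizing fault (broken rail, lost power, a train's axles shunting the rails) drops the relay and yields the restrictive aspect, while the one fault the text names, a relay stuck in the picked-up position, yields a false clear. The class, field names, and fault list are constructed for this example.

```python
"""Track-circuit signal model: an added illustration of the fail-safe / vital
design principle, not code from the original post. States and fault names
are constructed for the example."""
from dataclasses import dataclass


@dataclass
class TrackCircuit:
    """A DC track circuit: a feed at one end of the block, a relay at the
    other, with the rails as conductors. The relay is 'picked up' only while
    current actually flows through both rails."""
    rail_intact: bool = True      # a broken rail opens the circuit
    occupied: bool = False        # a train's axles shunt the relay
    power_on: bool = True         # feed / battery present
    relay_stuck_up: bool = False  # the unsafe fault the text describes

    def relay_picked_up(self) -> bool:
        # Energized only in the normal case: power, continuous rail, no train.
        energized = self.power_on and self.rail_intact and not self.occupied
        # A mechanically stuck or mis-wired relay stays up regardless of current.
        return energized or self.relay_stuck_up

    def aspect(self) -> str:
        """Relay down -> most restrictive indication ('stop'); up -> 'clear'."""
        return "clear" if self.relay_picked_up() else "stop"


def aspect_is_safe(circuit: TrackCircuit) -> bool:
    """Independent check of the displayed aspect against ground truth.
    A 'stop' is always on the safe side; a 'clear' is safe only if the block
    is truly unoccupied and the rail is intact. Returns False on a false clear."""
    if circuit.aspect() == "stop":
        return True
    return circuit.rail_intact and not circuit.occupied


def enumerate_failures() -> dict:
    """Walk the single-fault cases and report (aspect, safe?) for each."""
    cases = {
        "normal": TrackCircuit(),
        "train in block": TrackCircuit(occupied=True),
        "broken rail": TrackCircuit(rail_intact=False),
        "power lost": TrackCircuit(power_on=False),
        "relay stuck up, train in block": TrackCircuit(occupied=True, relay_stuck_up=True),
        "relay stuck up, broken rail": TrackCircuit(rail_intact=False, relay_stuck_up=True),
    }
    return {name: (c.aspect(), aspect_is_safe(c)) for name, c in cases.items()}
```

Running `enumerate_failures()` shows that only the stuck-relay cases produce a "clear" that the ground-truth check rejects, which is exactly the gap between "vital by design" and "vital in the field" that the text describes.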




© Copyright 2005 The Usual Suspect.
Last update: 5/25/2005; 5:09:48 PM.