Larry Light, with years of experience in those vital systems that ensure the safe separation of trains, examines the flaws, complexities, and vulnerabilities in the development and installation of PTC on North American railroads.
Larry quite rightly points out that the advances in safe train operations embody and are dependent upon the application of vital logic, i.e., if train A occupies or has authority to occupy or is to be given authority to occupy (route, location, position) n, n+1, n+2... n+x, then no trains not-A can be given authority to occupy (route, position) n....n+x.
This is, of course, the basic logic of interlocking machines, and it is the expansion of this vital interlocking logic to the entire network of train movement that defines centralized traffic control.
The interlocking machine is the first, and best, example of the fundamental advance in train control, which is separation of the office from the field. Regardless of the desires of the office, of the operator, the vital logic, drilled and wired literally into the machinery, prevents the issuance of overlapping authorities.
Cool? More than cool, it's positively brilliant.
More than brilliant, it's vital.
The vitality itself depends upon the field registration and communication of the condition of occupancy. The logic, then, is a closed circuit, driven by the measurement of a material condition, occupied, unoccupied; or if, then, or on, off, or... 1, 0 where zero is everything that is not-1.
The track circuit, registering occupancy, is vital.
Are signal systems vital? They are when we say they are. When we use signal systems, linked to the method for registering occupancy, to convey the authority for train movements, the signal system is vital. It is configured vitally. It uses the condition of occupancy to authorize train movements. Hence, we say precisely that in our operating rule books, something along the lines of, "In territories so designated by the timetable, signal indications will authorize train movements (in the designated direction/for both directions), and will supersede the superiority of trains." I think I remember that right.
Signals are vital. Enforcement of signal indications not-vital. Enforcement is separate from authorization. Cab signal? Driven by occupancy, therefore vital. Automatic speed control enforcing the speed associated with a cab signal indication? Not vital.
PTC enforcing signal indications? Not vital.
PTC is expensive, it's very complicated, it depends on algorithms that are, and can only be, based on expected behaviors, that are, at best, best estimations; it requires the recording and integration of every change made to the physical configuration of track and wayside structures maintain.....and it's not vital. It cannot authorize train movements; it can limit authorities in accordance with field registered conditions.
Signal design expert and signal engineer that Larry is, he recognizes the importance of the separation between vital and non-vital; between safe separation of trains and traffic management; between authority and enforcement; between occupancy and indication; between office and field.
He sees that just because the vital logic of safe separation can be expressed as 1s and 0s, safe separation itself is not a function of, nor can it be conflated with "information technology." He sees a problem in the attempt to design and install PTC as some sort of synthesis of movement authorization and traffic management, when it is neither. I think he's right.
Steven Ditmeyer, Professor of Railway Management at Michigan State University, former director of FRA's Office of Research and Development, and "moving force" behind the then Burlington Northern's earlier 1990s experiment with advanced train control, ARES, has a differing view.
He argues that, in a sense, the promise and potential for PTC as an integrated train control and train information system has been constrained, if not shackled, by linking PTC to the enforcement of wayside signal indications:
"PTC systems come in two different versions: those tied to the wayside signal systems with their “vital” relay logic in the field, fixed blocks, and voice (augmented by some data) communications between trains, maintenance vehicles and dispatchers; and those that operate on a paradigm similar to air traffic control, using GPS positioning, digital data communications, sensors and “vital” on-board control center computers so there is continuous, accurate, real-time location and speed information of everything on the tracks that can be acted upon.
There is an explanation for the differences between these two versions of PTC. After the RSIA was passed in 2008, railroad signal engineers, signal union representatives and signal manufacturer representatives on FRA’s Railroad Safety Advisory Committee (RSAC) recommended PTC rules that implied, but did not actually require, the tying of PTC to wayside signal systems. Then, the signal people on the Interoperable Train Control (ITC) Committees formed by the four major railroads wrote specifications that indeed tied the PTC systems they were implementing to the wayside signals, and also called for replacing the existing wayside signals with new ones that could be connected with data radio transmitters and antennas at each wayside signal. Control center computers were left “non-vital.”"
Of course that's not really the way air traffic control systems operate. It might be the way they hope to operate in the future, but in the here and now, and most probably by 2018, that's not how they operate.
All that to one side, I agree with Steve that "chaining" PTC to fixed wayside signal indications limits the enforcement capabilities of the system, and adds additional expense and complexity. Except....except PTC is what it is today in the US not because it is tied to wayside signal indications, but rather because it must be able to enforce limits to a train's authority for movement in both signaled and non-signaled territory. Forty percent of the track in the US is non-signaled, "dark territory."
PTC requires a platform that authorizes train movement and provides for safe train separation in both environments. It "rests" upon a system of operating procedures that define the parameters for train operations in "dark territory" as well as CTC, cab signal territory-- and that system of procedures is.... the operating book of rules of the railroad.
In both signal and non-signal territory the limitation to PTC isn't in the signal aspects displayed or not displayed but in defining, measuring, identifying train integrity; detecting, measuring, and validating the rear end of the train, the rear end of all trains.
Put all the radios you want, put all the radios in the world on the locomotives of the train and what do you have? You have the means of identifying the head end of the train. You do not have the means for identifying the train integrity, the end of the train. And guess what? Air traffic control systems never have to take into account the rear end, the length, of a plane. Planes don't follow each other, or overtake each other, on a fixed guideway. That's more than a technical difference.
Clearly, the rear end of one train must be the limit to the authority for movement of any following train. So given that critical piece of information, or rather, given the criticality of that piece of missing information, the design and implementation of PTC must make do with the "next best thing," with the proxies, the markers railroads use to indicate the rear end of the train, in the field not in the office: the track circuits expressed via signal indications; or the reporting of the crews themselves, or station operators, in dark territory.
And so we get to the preservation of wayside signals, and "restricted speed" authorizations, which are a helluva bad way to ensure safe train separation.
When I worked in Egypt with Ron Lindsey, developing a model for the installation of PTC on the Egyptian National Railway, we had to confront this issue of train integrity, particularly for operation in the legacy "token-block" and "tokenless-block" territories where no field registry of occupancy, or train integrity, was available. I proposed that ENR attach EOT devices to each train, not to measure brake pipe continuity, but for the signal the device transmits. That signal could be processed and relayed to WIUs to confirm train integrity and that, in fact, no part of the train had been left in the previous block.
However, until and unless US railroads take that course, PTC must be based on the existing means for determining occupancy.
There is another reason why PTC is tied to wayside signal indications in signaled territory, and that is broken rail protection. Now we can argue about the efficiency of broken rail detection using track circuits, but broken rail protection is a requirement for all train movements above certain speeds and we're not about to get rid of that regulatory stipulation.
PTC is required to enforce the operating restrictions associated with possible broken rails.
Mr. Ditmeyer envisions a PTC system that is not an enforcement system, but an actual system for authorizing train movement, and which eliminates the separation between office and field. He writes:
"PTC systems issue movement authorities to train and maintenance-of-way crews, track the location of the trains and maintenance-of-way vehicles, have the ability to automatically enforce movement authorities, and continually update operating data systems with information on the location of trains, locomotives, cars, and crews. The remote intervention capability of PTC will permit the control center to stop a train should the locomotive crew be incapacitated. In addition to providing a greater level of safety and security, PTC systems also enable a railroad to run scheduled operations and provide improved running time, greater running time reliability, higher asset utilization, and greater track capacity. They will assist railroads in measuring and managing costs and in improving energy efficiency."
Steve is advocating a vital office system for railroad control centers. Think about this for a second when we're considering complexity, expense, and security. Today, with the vital logic "field resident," a dispatcher in an OCC sends a command to a switch and signal arrangement in the field. Except it's not really a "command." It's a request. The field apparatus then checks the request against the vital indications generated in the field to determine if the request can be accepted-- if acting upon that request is consistent with the vital logic.
The code lines, the means of communication between the field apparatus and the OCC are not vital. They need not be vital because no matter what the command, it is secondary to the vital field logic and field indications.
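The request-versus-command relationship described above, as an added Python sketch that is not from the original post or from any railroad's equipment. The class name, block numbering and train labels are assumptions made for illustration, and an occupied block with no authority on record is treated as occupied by a train not-A.

```python
class FieldInterlocking:
    """Field-resident vital logic for one line of numbered blocks (simplified model)."""

    def __init__(self, num_blocks):
        self.num_blocks = num_blocks
        self.occupied = set()   # blocks whose track circuit reads 1 (occupied)
        self.authority = {}     # block -> train holding authority for it

    def track_circuit(self, block, is_occupied):
        # Field measurement of occupancy: the input the vital logic relies on.
        if is_occupied:
            self.occupied.add(block)
        else:
            self.occupied.discard(block)

    def request(self, train, blocks):
        """An office 'command' from the non-vital code line, handled as a request."""
        blocks = list(blocks)
        if not blocks or any(b not in range(self.num_blocks) for b in blocks):
            return False                      # malformed or out-of-range: refuse
        for b in blocks:
            holder = self.authority.get(b)
            if holder not in (None, train):
                return False                  # already authorized to a train not-A
            if b in self.occupied and holder != train:
                return False                  # occupied, and not under A's authority
        for b in blocks:
            self.authority[b] = train         # grant all requested blocks or none
        return True

    def release(self, train, block):
        # Authority is dropped only once the track circuit shows the block clear.
        if self.authority.get(block) == train and block not in self.occupied:
            del self.authority[block]
            return True
        return False


def demo():
    # Constructed scenario: six blocks, one unexplained occupancy in block 5.
    field = FieldInterlocking(num_blocks=6)
    field.track_circuit(5, True)              # occupancy with no authority on record
    return [
        field.request("A", [0, 1, 2]),        # clear and unclaimed: granted
        field.request("B", [2, 3]),           # overlaps A at block 2: refused
        field.request("B", [3, 4]),           # granted
        field.request("A", [2, 3]),           # block 3 belongs to B: refused
        field.request("B", [4, 5]),           # block 5 occupied by not-B: refused
        field.request("B", [4, 9]),           # no such block: refused
    ]
```

Whatever arrives over the code line, correct or corrupted, the grant decision is made only from field-registered occupancy and existing authorities, which is why the code line itself need not be vital.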
In Mr. Ditmeyer's PTC system, those means of communication have to be vital means of communication. They become the determination and the communication of the authority for movement. I suspect that's going to be an extremely expensive proposition for any and all railroads.
Vital process= safe separation of trains
Non-vital process= real time train data: speed, location.