Many accidents in complex systems happen when two or more
failures align like tumbler pins in a lock, opening the way to tragedy. That is apparently what happened around
2:45 AM on Sunday, Feb. 4, outside the central South Carolina town of
Cayce. Here’s what led up to the

For the last several years, U.S. railroads have been under
the federal gun to complete installation of Positive Train Control (PTC), a
complicated system involving GPS receivers on trains, transponders along the
tracks, and coordinated data links that will automatically slow down trains
that are going too fast and stop those heading toward disaster. Lack of PTC has been cited in every
recent fatal train wreck, and so at the time of this crash, installers were working
on the South Carolina section of track in question to put in the necessary PTC
equipment. The only trouble was,
as part of the process they had to shut down the safety block signals—the
red-yellow-green lights beside the track that inform the engineer as to whether
the track ahead is clear.

Railroads have a way of dealing with the absence of block
signals, which is to dispatch trains by means of documents called “track
warrants.” Obviously, there
has to be a special procedure for this, with good communications by radio to
the dispatcher, because running through an area with no signals is a little
like flying an airplane blind. It
can take more than a mile to stop an average train, so by the time the engineer
sees an obstruction on the track it’s usually too late to do anything more than
set the brakes, blow the horn, and hope.

At this writing, it is unclear whether the track-warrant
procedure was followed correctly.
But what is clear is that earlier in the evening, after a railroad
employee set a switch to allow a freight train to pull off onto a siding, clear of
the main line that the Amtrak train was going to use later, the switch was
locked in place, still set to the siding. In other words, any train coming down
the main line in the same direction was going to head straight onto the siding,
toward the sidelined freight.

Normally, this switch setting would cause the signals on the
main line to change to yellow or red.
But due to the work going on to install PTC, the signals were
inoperative. So all that stood
between the southbound Amtrak train that was coming along about 2:45 AM and
disaster was good communications among the person who set the switch, the train
dispatcher (many miles away in a CSX control center, CSX being the freight
railroad that owns the track which Amtrak uses), and the Amtrak crew.

The third thing that is clear is that the communications
broke down. The last thing the
Amtrak engineer saw was the end of the freight train, as his engine barreled
off the main line at 56 MPH onto the siding and crashed. He and the conductor were killed, and
about 100 passengers were injured in the resulting Amtrak car derailments, some

Amtrak officials were quick to assign blame to CSX, whose
tracks they were using, as it was CSX’s responsibility to ensure that any
switches their crew used were set back to the proper direction. Records indicate that the freight-train
crew reported that they had set the switch correctly, so it is unclear at this
point how the switch ended up in the wrong position anyway.

While this is only the latest in a string of several fatal
Amtrak accidents, each one has apparently had a different set of contributing
factors, and accusations that Amtrak’s safety culture is at fault are
premature, to say the least.

The irony of this particular accident is that it was
apparently caused, at least partly and indirectly, by the rush to install PTC,
itself a safety feature. It reminds me of the recent Takata air-bag-inflator fiasco,
in which millions of cars had to be recalled, and many people were killed by
defective inflators that shot shrapnel at them in accidents that would have
otherwise merely bent a few fenders.

This is not to say we shouldn’t have airbags, or we should
call a halt to installing PTC. And
here is where we fall back on a philosophical method which engineers use almost
without thinking—utilitarianism, otherwise known as the greatest good for the
greatest number. Utilitarianism is
not the only way to decide ethical issues, by any means, but it has its
uses. Clearly, it makes sense to
complete PTC installations even if it means shutting down signals temporarily
here and there. But the problem
comes when those responsible for safety measures get too focused on the future
good they will do, and neglect the present potential harms such installations
can cause. I don’t know what went
wrong with the track-warrant system in this case, but clearly something did. And once a decision is made to install
a safety feature, it is easy to allow too many temporary compromises in present
safety in view of the greater good that the ultimate installation will lead to.
But that temptation has to be resisted. Takata shouldn’t have been as sloppy as
they were in making crummy airbag inflators that would turn into bombs down the
road a few years. And everyone
involved—train dispatchers, PTC installers, and above all, the freight train
crew who apparently left the switch in the wrong position—should have been
doing a better job communicating in the absence of the usual track

Sometimes people who work on safety features get careless
because most of the time, the features don’t see action. But they are really like a standing
army ready for battle. When the
crisis comes, the safety features rise to the top of the priority list. Never mind the usual function of the
system—transportation, communication, or whatever. If the user is injured or killed, it would have been better
not to have made the product at all.
So although Amtrak’s safety culture alone may not be at fault, clearly
something went wrong in Cayce that night.
And more work needs to be done to make sure that a complicated system
like a railroad runs even more safely with PTC than it does without it. Just installing PTC won’t guarantee
that, because PTC itself has the potential to cause trouble. Let’s hope that it doesn’t, and that
the recent flurry of fatal train mishaps is the last one before PTC makes
train-passenger fatalities as rare as airline-passenger fatalities are today.

referred to a thorough report on the accident carried by NPR on their website
on Feb. 5 at https://www.npr.org/2018/02/05/583455540/ntsb-looks-at-disabled-signals-locked-switch-in-latest-deadly-amtrak-crash.