Risk Analyses for the IDOT Positive Train Control, Lecture notes of Control Systems

Download Risk Analyses for the IDOT Positive Train Control and more Lecture notes Control Systems in PDF only on Docsity! U.S. Department of Transportation Federal Railroad Administration Risk Analyses for the IDOT Positive Train Control System to Determine Optimum Communications Timeout: Comparison to Cab Signal Systems with Continuous Train Stop and with Speed Control Office of Research and Development Washington, DC 20590 DOT/FRA/ORD-09/21 Final Report November 2009 NOTICE This document is disseminated under the sponsorship of the Department of Transportation in the interest of information exchange. The United States Government assumes no liability for its contents or use thereof. NOTICE The United States Government does not endorse products or manufacturers. Trade or manufacturers’ names appear herein solely because they are considered essential to the objective of this report. iii ACKNOWLEDGEMENTS The authors of this study would like to express their gratitude to Mr. Terry Tse of the Federal Railroad Administration’s Office of Research and Development for his support of this study as well as his insightful guidance throughout the effort. The authors also wish to express their gratitude to Ms. Karen McClure and Mr. Wayne Minger for their thorough review of all calculations and drafts of this document. Their meticulous consideration of the material proved to be an invaluable service. The authors would like to acknowledge the efforts of Mr. Don Wiles, Dr. Lori Kaufman, and Mr. Paul Stangas of Booz Allen Hamilton for the critical inputs on some of the technical aspects and design considerations of the control systems, detailed information on the IDOT corridor, and their analysis of accident scenarios. The information they provided to the analysis proved to be essential. The authors would also like to thank all of those affiliated with the North American Joint Positive Train Control Program who took the time to answer questions and honor the requests of those participating in this analysis effort. iv Contents Executive Summary ........................................................................................................................... 1 1. Introduction ........................................................................................................................................ 6 1.1 Background ............................................................................................................................... 6 1.2 Problem Statement .................................................................................................................... 7 1.2.1 Analysis Objectives and General Approach ................................................................ 9 1.3 Report Overview .......................................................................................................................... 10 2. Description of Analysis ...................................................................................................................... 11 2.1 General Approach ..................................................................................................................... 11 2.2 Risk Analysis and Model Description ...................................................................................... 14 2.3 Representing the Corridor and Control System in the Models ................................................. 18 2.3.1 Temporal and Spatial Variations on the IDOT Corridor ............................................. 18 2.3.2 Operating States ........................................................................................................... 20 2.4 Accident Scenarios Included in the Analysis ........................................................................... 23 2.5 Key Model Inputs ..................................................................................................................... 26 2.5.1 Route, Traffic, and Train Data ..................................................................................... 26 2.5.2 Train-to-Train Collision Frequencies and Distribution ............................................... 26 2.5.3 Collision Accident Consequences ............................................................................... 28 2.5.4 Frequencies and Consequences for Other Accident Scenarios .................................... 28 2.5.5 Preventability Factors .................................................................................................. 31 2.6 Measures of Risk Calculated by the Model .............................................................................. 33 3. Risk Analysis Results ......................................................................................................................... 35 3.1 Introduction .............................................................................................................................. 35 3.2 Summary of Results – IDOT PTC Timeout and Latency ......................................................... 37 3.2.1 Effect of Varying Timeout on IDOT PTC Safety Performance .................................. 37 3.2.2 Effect of Latency on Risk ............................................................................................ 39 3.3 Comparisons among IDOT PTC, Cab Signals with ATS, and Cab Signals with ATC ............ 39 3.4 Sensitivity Analyses ................................................................................................................. 48 3.4.1 Sensitivity of Results to Estimated Collision Preventability ....................................... 48 3.4.2 Sensitivity of Results to Severity Reduction ............................................................... 51 3.5 Closing Remarks ....................................................................................................................... 52 4. Conclusions and Recommendations ................................................................................................... 53 v Contents Appendix A: Description of Risk Model and Calculations in Worksheet 1 – Segment Definitions and Timeout Effects ................................................................ A-1 Appendix B: Description of Calculations in Worksheet 2 – Collision Probability and Preventability ............................................................................................................... B-1 Appendix C: Description of Calculations in Worksheet 3 – Risk Calculations ................................ C-1 Appendix D: IDOT Corridor ............................................................................................................. D-1 Appendix E: Accident Descriptions .................................................................................................. E-1 Appendix F: Model Inputs – Sources and Analyses .......................................................................... F-1 Appendix G: Model Calculations ...................................................................................................... G-1 1 Executive Summary Background Positive train control (PTC) refers to a system of train control involving the application of wireless communication technologies, locomotive tracking with global positioning system (GPS)/inertial navigation systems, and central processors. The functional capabilities of PTC are to prevent collisions by enforcing movement authorities, to prevent derailments as a result of overspeed, and to prevent violations of work zones leading to casualties among roadway workers. In January 1998, the Federal Railroad Administration (FRA), in conjunction with the Association of American Railroads (AAR) and the Illinois Department of Transportation (IDOT), began to develop a high-speed PTC project for the St. Louis–Chicago corridor. These efforts were integrated into the North American Joint Positive Train Control Program (NAJPTC), whose major participants included FRA, AAR and the Transportation Technology Center, Inc. (TTCI), IDOT, the National Railroad Passenger Corporation (Amtrak), and major freight railroads. The implementation of PTC on the St. Louis–Chicago corridor, called the IDOT PTC system in this report, was intended to be on the St. Louis Line of the Union Pacific Railroad (UP) between Ridgely, IL, and Mazonia, IL, a total of 120 miles currently equipped with a centralized traffic control (CTC) system. In general, two types of messages are communicated through the PTC digital radio system— those carrying functional data (e.g., location and speed of equipped trains, train movement authorities, track circuit status, switch status, etc.) and safety heartbeats. The heartbeat message generated by each system element informs other elements, including the central office system, that the originating system is healthy and that the communication is intact, thereby achieving a closed loop. During development of the IDOT PTC, it was determined that the throughput of the data radios originally specified for use in the system was not sufficient to support the message load generated by the IDOT PTC system as it performed its functions. As a result, messages may not be carried through properly when the communication network is loaded with the combination of functional data and safety heartbeats. Two fundamental measures of communication system performance are defined as follows: • Timeout – the length of time the PTC system detects no communication or heartbeat message from a device within the system before it declares a “fault condition” and imposes appropriate actions for fail-safe protection. • Latency – the length of time passing between when a communications message is initiated at the point of origin and when appropriate actions corresponding to that message are initiated at the destination system. This time includes the response time of any PTC subsystems involved in the message path and communications queuing delays. Naturally, a quicker detection of a problem reduces the risk of PTC failing to respond correctly to a hazard. However, more frequent heartbeat messages place a heavier load on the communication network, which could lead to communications overload, delayed messages, and timeout events. The requirement of the communication network will be driven largely by the 2 heartbeat frequency needed to ensure safe operation. If the total traffic (including heartbeats) exceeds the communication system capacity, this will generally lead to message loss and therefore unnecessary forced train stops due to unknown equipment states as a result of the closed-loop design. Given the importance of communications system performance to the safety and operability of PTC systems, FRA initiated this risk analysis to investigate optimum communications timeout and latency values that would ensure safety while minimizing demands on the radio communications network as a result of heartbeat and functional messages. The approach to this analysis was based on FRA’s Standards for Processor-Based Signal and Train Control Systems (49 CFR Part 236, Subpart H, effective March 7, 2005). This standard requires the operator of a rail line segment equipped with a novel system to submit a risk assessment that demonstrates that rail operations under the novel system are at least as safe as they were under the train control system previously used on the line segment. If installation of the novel system is accompanied by substantial changes in traffic mix, traffic density, and/or speed, then the risk comparison must be conducted with an alternative base case representing the line equipped with a conventional train control system that would normally be used under the proposed operating conditions. The specific requirements for the risk analysis and safety performance are contained in paragraphs 236.907(7), 236.909, and Appendix B of the rule cited above. With this risk analysis approach, the safety performance of the IDOT PTC system with different timeout and latency values was compared with two conventional train control systems that would provide adequate safety for proposed operations on the IDOT test corridor, including 110-miles per hour passenger service. These base case control systems were a cab signal system with continuous automatic train stop (ATS) system and a four-aspect cab signal system with speed control or an automatic train control (ATC) system, configured as currently used in Amtrak’s Northeast Corridor (NEC) for high-speed passenger trains. The ATS system was the base case originally used in the IDOT PTC risk assessment for setting the level of risk that the proposed PTC system would not exceed. This document focuses on the comparison among the IDOT PTC system operated with a mix of equipped and unequipped trains, the cab signal/ATS system, and the NEC cab signal/ATC system operated with all trains equipped. After the initiation of this study, the development of the IDOT PTC was terminated, and a new PTC development program was initiated at TTCI in Pueblo, CO, to build on the previous successes of the NAJPTC program. However, for the purpose of this analysis—which was intended to determine the optimum latency and timeout periods—using the IDOT PTC territory as a test case is still valid. Analysis The relevant train accident risks associated with the IDOT PTC system operated with different timeout values were compared with the same set of risks associated with the ATS base case and the NEC ATC base case control systems operating on the same IDOT corridor with the same traffic levels. The comparison provided a determination of the maximum timeout that could 3 exist in the PTC system that would introduce no greater level of risk than the risk associated with ATS or ATC base cases. Because there is very limited operating experience with the NAJPTC system, the risk estimates for the IDOT PTC case must be built from the bottom–up by using estimates of the failure modes as well as reliability and availability of individual system components and subsystems. Many of these values will not be known with any accuracy, and confidence in the end result could be much lower than for the base cases, which in turn means there will be a lower confidence in the comparison between base cases and the IDOT PTC case. To minimize this comparability problem, the methodologies used that make the risk analyses for the base cases and the IDOT PTC case must start from a common reference point and follow parallel paths as much as possible. This reference point is designated as the reference case. An approach of this nature has been adopted for this analysis and is described in detail within this report. The risks associated with the cab signal system with ATS and the cab signal system with ATC, both operated on the IDOT corridor, and the IDOT PTC were determined by considering accident scenarios in which PTC or cab signals with ATS or ATC could reduce the frequency or severity of accidents. These scenarios include train-to-train collisions (those occurring between trains on the same main-line tracks), intrusion collisions, collisions at diamonds, overspeeds, work zone violations, grade crossing accidents, and incidents involving broken rails. The analysis omitted most derailment accidents caused by track and equipment mechanical failures (except broken rails) and several miscellaneous accidents such as fires and collisions with obstructions other than rail vehicles and shifted loads. The analysis did not include the effects of operating in fallback mode after a known failure of on-train or wayside equipment, because the fallback method of operation (conventional CTC with wayside signals) and the train-miles operated in fallback mode were assumed to be the same in each case and would not affect the comparisons. Results The following conclusions were drawn from the analysis of the systems considered in this effort: • A series of model runs were performed to explore the effects of varying timeout and latency on the safety performance as measured by the dollar value of harm. On the basis of this analysis, the following statements can be made: – When the IDOT PTC system is considered, even when the elevated risk during timeout is taken into account, the overall impact of this risk increase on the overall risk of operating the corridor is very small. Timeout does not have a material effect on the overall safety performance of the IDOT corridor. This is because the aggregate train-miles operated in the timeout state is very small, not exceeding 0.5% of total train-miles, and the heightened risk over this period, although significant, cannot have much impact on the overall result. – It is difficult to recommend a timeout value based on safety alone, and other factors such as operations benefits should be considered, such as the avoidance of delays because of slow system response or unnecessary timeout events. Note that this conclusion applies only to this corridor, and the conclusion in areas of higher traffic density or with more unequipped trains could be different. 6 1. Introduction 1.1 Background Positive train control (PTC) refers to a system of train control involving the application of wireless communication technologies, locomotive position tracking using global positioning system (GPS)/inertial navigation systems, and central processors. The functional capabilities of PTC are to prevent train collisions, derailments as a result of overspeed, and incidents involving roadway workers operating within the equipment’s authority limits. In January 1998, the Federal Railroad Administration (FRA), in conjunction with the Association of American Railroads (AAR) and the Illinois Department of Transportation (IDOT), began to develop a high-speed PTC project for the St. Louis–Chicago corridor. These efforts were integrated into the North American Joint Positive Train Control (NAJPTC) program, whose major participants included FRA, AAR, and the Transportation Technology Center, Inc. (TTCI), IDOT, the National Railroad Passenger Corporation (Amtrak), and major freight railroads. The resulting system will be referred to as the IDOT PTC system in this report. The implementation of the IDOT PTC system on the St. Louis–Chicago corridor, heretofore referred to as the IDOT PTC, was intended to be on portions of the Joliet and Springfield Subdivisions of the Union Pacific Railroad (UP) between Ridgely, IL, and Mazonia, IL, a total of 120 miles (mi). The territory is equipped with a centralized traffic control (CTC) system with PTC envisioned as an overlay to the current control system. This corridor is referred to as the IDOT PTC Test Corridor in this report. The implementation of IDOT PTC requires that trains be equipped with position monitoring systems and direct digital radio communications with the central processor in the control center. The PTC system monitors both equipped and unequipped trains. Unequipped trains are monitored through the block occupancy information from conventional track circuits transmitted to the PTC central processor via wayside interface units (WIUs). A simplified diagram depicting the PTC system is provided in Figure 1.1. 7 Figure 1.1. General Depiction of IDOT PTC System It would not be practical to equip all freight trains operating on the IDOT test corridor with PTC. The proposed application of PTC by train type was as follows: • All Amtrak passenger trains are to be PTC equipped 100 percent of the time. • Seventy-five percent of UP local freight trains are to be PTC equipped. • No UP through general freight or grain trains will be PTC equipped. Generally, the General Code of Operating Rules (GCOR) adopted by most western railroads and UP’s special instructions govern those train movements not affected by PTC. Appropriate additions and amendments to these rules would apply to operations of PTC-equipped trains in an active PTC system. 1.2 Problem Statement This study is concerned with the performance of the communications network that provides the connections among trains, wayside devices, and the PTC server in the central office, in particular focusing on the potential for communications delays to have an adverse effect on the safety performance of the PTC system. In general, two types of messages are communicated through the PTC system—those carrying functional data (e.g., location and speed of equipped trains, train movement authorities, track circuit status, switch status) and safety heartbeats. The heartbeat message generated by each system element informs other elements, including the central office system, that the originating system is healthy and that the communication is intact, thereby achieving a closed loop. During development of the IDOT PTC, it was determined that the throughput of the data radios originally specified for use in the system was not sufficient to support the total message load 8 generated in the IDOT PTC system as it performs all its design functions. Messages may be delayed or the communication system will declare a fault condition when the communication network is overloaded with the combination of functional data and safety heartbeats. Two fundamental measures of communication system performance are defined as follows: • Timeout – the length of time that the PTC system detects no communication or a heartbeat message from a device within the system before it declares a “fault condition” and imposes appropriate actions for fail-safe protection. Timeout can be triggered by an actual fault or by delayed heartbeat messages due to overload. • Latency – the length of time passing between when a communications message is initiated at the point of origin and when appropriate actions corresponding to that message are initiated at the destination system. This time includes the response time of any PTC subsystems involved in the message path and communications queuing delays. The interval between heartbeat messages governs the time during which a PTC communications fault will be undetected. Naturally, quicker detection of a communications problem reduces the risk of a potential hazardous condition under PTC operation. However, more frequent heartbeat messages place a heavier load on the communication network and could increase the frequency of timeout events because of communications overload. The requirement and the extent of the communication network upgrade will be driven largely by the heartbeat frequency needed to ensure safe operations. The communications system must be able to carry the total communications traffic without excessive delay, which would lead to timeout events and unnecessary forced train stops because of apparent communications faults. Given the importance of communications system performance to the safety and operability of PTC systems, the railroad industry is establishing a standard for high-performance data radio networks for current and future PTC system developments. With such an improved communications network, the necessary throughput and safety of the system can be achieved without overloading through more frequent exchanges of heartbeat messages among various elements of the system. An analysis method is required to determine the optimum timeout period for a vital PTC system. The approach to this analysis follows procedures established in FRA’s Standards for Processor-Based Signal and Train Control Systems (49 CFR Part 236, Subpart H, effective March 7, 2005). These standards require the operator of a rail line segment equipped with a novel system to submit a risk assessment that demonstrates that rail operations under the novel system are at least as safe as they were under the train control system previously used on the line segment. If installation of the novel system is accompanied by substantial changes in traffic mix, traffic density, and/or speed, then the risk comparison must be with an alternative base case representing the line equipped with a conventional train control system that would normally be used under the proposed operating conditions. The specific requirements for the risk analysis and safety performance are contained in paragraphs 236.907(7), 236.909, and Appendix B of the rule. Several discussions have taken place since publication of the FRA rule cited above, leading to preliminary agreement between the industry and FRA concerning the magnitude of speed and traffic changes that would trigger a requirement to define an alternative base case. 11 2. Description of Analysis 2.1 General Approach A central problem in the risk comparisons in this analysis is the inevitable difference between the methods that are available to estimate risk for the base and PTC cases. The most obvious approach to estimating base case risk is to use historical accident data for comparable railroad operations, with adjustments to reflect the specific operating parameters of the line segment being analyzed (traffic density, speed, passenger/freight mix, etc.). Since there is a substantial volume of historical data, it is reasonable to have high confidence in the base case risk estimate, say ±20%. However, there is usually very limited information about the performance of individual train control system components that yielded this performance. Also, there is the implicit assumption that operating and maintenance practices, operating employee training and experience, and similar factors are typical of industry practice. Where historical accident data are used to estimate risks for a specific operation, taking into account highly localized variations in plant, equipment, personnel, and operations is nearly impossible. With very limited operating experience with the NAJPTC system available, the risk estimates for the PTC case must be built from the bottom–up by using estimates of the failure modes, reliability, and availability of individual system components and subsystems. Many of these values will not be known with any accuracy, and therefore, confidence in the end result could be much lower than that associated with the base cases. This in turn means there will be diminished confidence in the comparison between base and PTC cases. The way to minimize this comparability problem is to use a methodology in which the base cases and PTC case risk analyses start from a common reference point and follow parallel paths as much as possible. This reference point is termed the reference case. The reference case is one for which extensive historical accident data are available (accident frequency and consequence values for all relevant scenarios). Then accident frequencies and consequences for operations with the base and IDOT PTC cases are estimated as variations from the reference case. An approach of this nature has been adopted for this analysis and is described in the following paragraphs. • Step 1: Define and analyze a reference risk analysis case The reference case for the IDOT corridor serves as the starting point for both the two base cases and the IDOT PTC case. The reference case for this analysis is an operation with the same passenger and freight traffic operated with conventional CTC with maximum passenger train speeds of 79 mph. There is a large amount of historical experience with this type of operation from which to derive estimates of accident frequency and consequences for the relevant accident scenarios. Safety performance for the reference case is quantified by the estimated number and consequences of main-line accidents per year on the corridor, broken down by cause, and focusing on PTC-relevant accident scenarios. All accidents that a PTC, ATS, or ATC system might prevent were be designated as PTC relevant for this study, but only a subset of these would be potentially preventable by a specific individual PTC, ATS, or ATC system, depending on detailed system capabilities. 12 • Step 2: Define and analyze the safety performance of the base cases The base cases considered in the study described in this document are briefly described as follows: ATS base case – a system using conventional-technology ATS combined with cab signals, enabling 110-miles per hour operations under current FRA regulations and guidelines. The ATS system will initiate braking if the engineer fails to acknowledge a more restrictive indication at a block or interlocking signal within 8 seconds (s). Directional coded track circuits are used for track-to-train communications. ATC base case – an ATC system combined with cab signals. The ATC system is similar to ATS with the additional capability to enforce approach and restricted speeds in response to signal indications. ATC does not enforce an absolute stop at block or interlocking signals. Historical data are drawn from the ATC systems used on the NEC and elsewhere. Both base cases analyzed in this study were developed by applying the aforementioned control systems on the IDOT corridor. Two methods were used to estimate the safety performance of the base case system and the results compared to reach a final estimate: a) Develop estimates of how many “reference case” accidents would be prevented by the ATS and ATC, taking into account system functionality, failure rates, time to repair, mix of equipped and unequipped trains, and similar factors. b) Derive an estimate from actual historical experience with the ATS and ATC in existing applications. Historical performance was adjusted for the base case operating conditions—speeds, number of running tracks, traffic mix, and traffic density. • Step 3: Analyze the IDOT PTC case The safety performance with PTC is analyzed under the same operating conditions as the base cases, also by estimating the number of “reference case” accidents that would be prevented by PTC, based primarily on system functionality, failure rates, time to repair, mix of equipped and unequipped trains, and similar factors. The lack of operating experience with PTC means that it was not possible to compare this result with actual historic data. For both the base and the IDOT PTC analysis cases, the risk analysis considers the adverse effects on safety of operating in a degraded state after a failure, because of possible unfamiliarity with backup operating procedures, the “complacency effect” and similar factors. The complacency effect comes into play when an operator unconsciously relies on the backup provided by ATS, ATC, or PTC, even when it is known to be out of service. The more severe consequences associated with passenger trains operating at higher speeds (exceeding 79 mph) have been taken into account in each of the base cases and the PTC case. 13 The IDOT Test Corridor and Operation with PTC The route over which all control systems are analyzed is UP’s Joliet and Springfield Subdivisions between Ridgely, IL, and Mazonia, IL; the total length of the route is 120 mi. This corridor is equipped with conventional wayside automatic block and interlocking signals and CTC. PTC and the base case train control systems would be installed as an overlay on this existing signal system as originally envisioned in the NAJPT effort. It would not be practical to equip all freight trains operating on the IDOT test corridor with PTC. The proposed application of PTC by train type was as follows: • All Amtrak passenger trains are to be PTC equipped 100 percent of the time. • Seventy-five percent of UP local freight trains are to be PTC equipped. • No UP through general freight or grain trains will be PTC equipped. The IDOT PTC system monitors trains that are equipped with the necessary PTC hardware as well as those trains that do not have the necessary equipment, referred to as unequipped trains. Unequipped train locations are monitored through the block occupancy information from conventional track circuits transmitted to the PTC via PTC WIUs and the UP Computer-Aided Dispatching (CAD) System. The passenger trains operate over the full length of the IDOT test corridor. However, most freight trains operate over only a portion of the corridor, leading to variations in traffic level along the corridor. To capture the effect of these variations, the corridor was divided into three Sub-corridors. Details on the Sub-corridors and other spatial and temporal divisions used in the analysis are provided in Section 2.3.1. ATS and Cab Signal Base Case The ATS base case considered in the analysis documented in this report is the UP four-aspect cab signal system, configured as currently used elsewhere on UP, with all trains equipped. This system has a continuous train stop system. Whenever there is a downward change of cab signal aspect, the engineer is expected to acknowledge such a downward change by moving a lever within 8 s or a full service penalty brake application will be imposed. This alerts the engineer to the approaching signal aspect, which is also displayed by the cab signals, and can prevent collision accidents. The capabilities of ATS with cab signals differ significantly from those of the IDOT PTC system. The differences that can affect accident risk as compared with the IDOT PTC case, and which are considered in the analysis, are: • Speed, whether it is civil speed, maximum track speed, or signal speed, is not enforced. • All trains are equipped to leave the terminal in accordance with operating rules and FRA regulations. Speed restrictions are imposed if the cab signal equipment fails en route and the equipment is cutout. 16 is less critical for the base cases, where there is no timeout effect, and there are no unequipped trains. The purpose of Worksheet 1 is to estimate the probability that a signal violation by an unequipped train will result in a collision with an equipped train. This probability is a function of the location of the equipped train relative to the signal at which the violation occurred and whether the equipped train would be alerted of the violation in time to stop before colliding with the unequipped violating train. To carry out this calculation, risk zones were defined for the position of the equipped, or “innocent,” train at the time of the signal violation, as illustrated in Figure 2.1. Figure 2.1. Risk Zones for Equipped Train Approaching a Point of Conflict The ability of the equipped train to stop before Point Z depends on its risk zone location at the time of violation and, for PTC, timeout status. The zones for the location of the equipped train at the time of the violation are as follows: • Risk Zone A1, between Points Y and Z: equipped train is unable to stop or reduce speed significantly before reaching the point of conflict. • Risk Zone A2, between Points X and Y: equipped train can reduce speed sufficiently to reduce the consequences of a collision but is unable to stop before reaching the point of conflict. • Risk Zone B, between Points W and X: equipped train has passed the intermediate signal at point W but receives a warning, or the IDOT PTC timeout expires and can stop before the point of conflict. • Risk Zone C, before the intermediate signal at Point W: if the equipped train is in this zone at the time of the signal violation by the unequipped train, the engineer can see the intermediate signal change to “approach” or “stop” aspect. The detailed approach to estimating the length of the risk zones and the relationship to collision risk is described in further detail in Appendix A. • Worksheet 2: “Collision Probability and Preventability.” This worksheet calculates an estimate of the frequency of train-to-train collisions for each train type pair that could be involved in a collision (freight and passenger, equipped and unequipped) and type of 17 collision (head-on, side rear-end) as a function of the mix of train types, characteristics of track segments, and collision preventability data from the Worksheet 1 calculations. • Worksheet 3: “Risk Calculation.” This worksheet carries out the basic risk calculations to estimate risks (injuries, fatalities, property damage) for all other PTC-relevant accident scenarios, including overspeed, grade crossings, work zones, and broken rails. Each worksheet of this type calculates risk for one route Sub-corridor, season, and train control system operating state (normal, in timeout). The capability of a control system to reduce accident severity is estimated by performing risk calculations within this worksheet by using slightly modified values of accident consequences. A separate worksheet titled “Inputs” contains lookup tables providing the required model inputs, such as: • Per-accident consequences by speed, collision scenario, and train type; • Route segment lengths, speeds, traffic volume and mix, and grade crossing characteristics; • Reference case accident frequency for each PTC-relevant scenario; and • Accident preventability estimates for the analysis case for each accident scenario. Multiple risk calculation modules, each consisting of one set of Worksheets 1, 2, and 3, are used to make up the full analysis of one train control system. Individual calculation modules are devoted to: • Each of the three Sub-corridors; • Each season (along this route there is a seasonal variation in the number of grain trains operated); and • Each operating state (e.g., operating normally and in timeout, where applicable). Model inputs can be categorized by whether they change from control system to control system or whether they are fixed for all systems or analysis cases. In general, model inputs can be associated with one of three categories: • Fixed inputs used in all analysis cases/control systems. These inputs have a limited effect on comparison results and include: - Infrastructure details and segment definitions, including speed limits for passenger and freight trains, except for the CTC reference case where passenger train speeds are limited to 79 mph; - Train braking formulas; - Reference case accident frequencies; and - Accident consequences by scenarios and speed. • Fixed inputs used in all analysis cases/control systems that may have moderate effect on comparison results. These include: - Traffic volume and patterns (by altering the relative exposure of different trains and/or differently equipped train types to collisions). 18 • Inputs that vary between analysis cases and that can have significant impact on comparison results. These include: - Control system capabilities (which accidents can be prevented or mitigated and how effectively this can be done); - Accident preventability characteristics; and - Characteristics specific to the IDOT PTC system and analysis case such as timeout and latency. A final Excel worksheet entitled “Results Summary” provides risk subtotals and totals for a given analysis case/control system. Track and route parameters, passenger and freight train speeds, and train schedules are held constant across all risk assessments. In addition, a separate Excel workbook was prepared to assemble the results summaries from all analysis cases in one place, rather than scattered among a number of individual workbook models. This “Results” workbook was the primary reference for the results section (Chapter 3) of this report.Detailed descriptions of the calculations carried out in each portion of the risk model are provided in the appendices; Appendix A contains material related to Worksheet 1 (“Segment Definition and Timeout Effects”), including a detailed treatment of the use of the risk zones, Appendix B provides information pertaining to Worksheet 2 (“Collision Probability and Preventability”), and Appendix C includes details on Worksheet 3 (“Risk Calculation”). 2.3 Representing the Corridor and Control System in the Models Many factors have to be considered in constructing a risk model. In this case, the model had to be structured to take into account special and/or temporal variations in infrastructure, traffic mix, and traffic volume as well as in the operating states of the control systems. This section provides a discussion of how these variations were represented in the risk model in the analysis of the IDOT PTC case, the ATS base case, and the ATC base case. 2.3.1 Temporal and Spatial Variations on the IDOT Corridor Accident risk on a rail corridor is primarily a function of operating conditions, specifically: • Traffic density (trains/day); • Traffic mix, relative numbers of passenger and freight trains, and whether they are equipped with train control devices; • Speeds of passenger and freight trains; • Signal system types, layout (block lengths), and capabilities; • Number of main tracks (which especially affects traffic density per track and the frequency of potentially conflicting movements); and • Special features that can represent a hazard, such as diamond crossings and/or moveable bridges. 21 automatically reset as if a heartbeat message had been received. However, the heartbeat checks use the limited communications capacity of the IDOT PTC system, and the timeout period has to be on the order of 100 s or greater to avoid timeout events as a result of communication delays. A failure of one of the links in the system during the timeout period can mean that a key safety message could be interrupted and fail to reach an affected train or trains. The PTC system would appear to be working correctly to the on-board system until the timeout period expires without receiving a normal communications or heartbeat message, at which point the system will assume a problem exists, announce a failure, and initiate braking. Thus, accident risk increases during timeout. • Operation in fallback mode: After a system failure of any kind, affected trains will stop and will then continue operating in a “fallback” operating state. Since the IDOT test corridor is equipped with CTC and wayside block and interlocking signals, the fallback state is assumed to be CTC, under which passenger trains may operate at up to 79 mph. The challenge is then to estimate what fractions of train-miles are operated under each of the three operating states. Then risk analyses can be performed for the period each operating state is in effect and summed to get an estimate of overall risk. In the case of the IDOT comparative analysis, risks are estimated for a period of 10 years of operation, primarily so that risk can be expressed in terms of estimated injuries, fatalities, and property damage without many results being very small and hard-to-interpret numbers. As far as can be determined, no information is readily available about the frequency of occurrence of timeout events or duration of the following outage for the IDOT PTC system or for the two base case train control systems. Anecdotal information suggests that trains will be operating in a fallback state (CTC in all cases) for between 3 and 8 percent of train-miles operated. The duration of an individual outage might vary widely. A fault in the on-board system of an individual locomotive would not be repaired until the train completed its trip and the locomotive could receive attention from maintenance staff. A fault in wayside or central office equipment might take anywhere between 30 minutes (min) to several hours to repair, depending on the complexity of the problem, how far maintainers have to travel, and availability of the required part. A timeout event due to communications congestion or an unknown intermittent fault could be checked out, and the system returned to service in a few minutes. The fraction of train-miles operating in timeout can be estimated from the duration and frequency of timeout events, starting from an estimate that 5 percent of train-miles are operated in the fallback mode, and assuming a timeout precedes each period of operation in fallback mode. The calculation is performed separately for passenger and freight trains and for on-board and wayside failures. Passenger Trains, On-Board Failure Passenger trains will traverse the whole IDOT corridor (118 mi) in a period of approximately 2 hours at an average speed of 60 mph (88 feet (ft)/s), including stops. In a typical failure, the train will travel approximately half this distance (59 mi) in fallback mode. The distance traveled in timeout will be a function of average speed and timeout. If the duration of timeout in seconds is 22 represented by TO, then the ratio between train-miles in timeout and train-miles in fallback mode is as follows. Ratio = [TO × speed (ft/s)] / [59 × 5280] = TO / 3540, if average speed is 60 mph (88 ft/s), including stops ......... (1) Freight Trains, On-Board Failure Most freight trains travel over approximately half of the corridor (59 mi north or south of Bloomington) over a period of 1.5–2 hours, depending on the number and duration of stops. Average speeds are approximately 35 mph (51 ft/s) including stops. Using the same logic as for passenger trains, the ratio between distance traveled in timeout and distance in fallback mode is: Ratio = [TO × speed (ft/s)] / [0.5 × 59 × 5280] = TO / 3100, if average speed is 35 mph (51 ft/s), including stops ...... …(2) Wayside Failure The ratio between train-miles during timeout and train-miles in fallback mode is simply given by the following formula: Ratio = [TO] / [(duration of downtime in hours) × 3600] .................................... (3) A detailed analysis was carried out to confirm that this relationship was independent of train speed, traffic levels, and the length of track affected by the communications failure, as follows: If: L = length of track affected by the failure (miles) N = number of trains/day A = average speed of trains (mph) D = duration of downtime (time to repair) (hours) DO = duration of operations in a day (hours) then the chance that a train is in the failed zone is given by: Chance = [N × L] / [A × DO] ................................................................ (4) Distance traveled during timeout is given by: Distance (ft) = TO × Chance × A × 88/60 = [TO × N × L × 88] / [DO × 60] ....................................... (5) where the ratio 88/60 is used to convert speed in mph to ft/s. Distance traveled in fallback mode (in the failed zone during the duration of the failure) is given by the formula: Distance (ft) = [D × N × L × 5280] / DO ................................................ (6) 23 The ratio is given by dividing Formula 2 by Formula 3 in which the parameters N, L, and OP cancel out, giving: Ratio = [TO × 88] / [D × 60 × 5280] = TO / [D × 3600] ..................... (7) Taken together, Formulas 1, 2, and 3 all indicate that the ratio between train-miles during timeout and train-miles in the fallback mode is between TO/3000 and TO/5500 where the time to repair for a typical wayside failure is 1.5 hours. TO is measured in seconds. The ratio is sensitive to train speed and trip length for on-board failures but not for wayside failures. Because no information on the relative incidence of wayside and on-board failures exists, and train speeds in timeout are the same as when operating normally, a mean ratio of TO/4300 was used in all IDOT PTC analysis cases. As an example, for TO of 120 s and 5-percent train-miles operated in fallback mode, the percentage of train-miles operated in timeout is given by: 5% × 120/4300 = 0.14% The analysis considers only normal operation and timeout operating states. The fallback mode (conventional CTC operations) is assumed to be the same for all analysis cases, both in aggregate duration and safety performance, and thus does not affect the risk comparison between the IDOT PTC system and the base case systems. 2.4 Accident Scenarios Included in the Analysis Accident scenarios are discussed in more detail in Appendix E. This section summarizes the accident scenarios as they pertain to this analysis. The objective of the risk analysis is to evaluate the relative safety performance for the IDOT PTC system relative to that for each of the base cases. Thus, the analysis includes all accident scenarios where the frequency or consequences of an accident could be changed by PTC or cab signals with ATS and/or ATC. These are termed PTC-relevant scenarios and are composed of the following: • Train-to-train collisions of all kinds, including collisions at diamond crossings with trains on another rail line. • Collisions between an active train and a rail vehicle or vehicle lading that has intruded on the track occupied by the active train. • Overspeed derailments. • Broken rail derailments, where the broken rail can be detected by the train control system. • Work zone violations. • Grade crossing collisions with a highway vehicle, where a crossing warning system malfunction can be detected by the train control system. 26 2.5 Key Model Inputs The risk model requires a large number of numerical inputs to perform the risk calculations as described in Section 2.2. In many ways, determining appropriate values for model inputs is the most critical and time-consuming activity in a risk analysis of this type. Estimating the input values require extensive statistical and engineering analyses, operating simulations, or reviews of past analyses conducted for similar projects. Examples may include statistical analysis of historical accident data, detailed engineering analyses (e.g., of crushing and train dynamics in collisions), or simulations of train operations over a route to determine the occurrence of meets and passes. In many cases, analyses carried out for past similar projects can be adapted for the current project, reducing the total effort involved. To facilitate risk calculations for varying input parameters, all model inputs have been concentrated into a series of lookup tables on a single worksheet in the model, which is referenced by the worksheets that carry out the risk calculations for each operating state, Sub- corridor, and season. In most instances, additional model runs can be accomplished with modest effort by only changing the parameter of interest on the input worksheet. A full description of the data and their sources is given in Appendix F. The following sections provide a summary of the principal groups of inputs and the data sources and analyses performed for this effort. 2.5.1 Route, Traffic, and Train Data These data groups essentially define the operations and operating environment on the IDOT test corridor. The data and data sources used are as described in following paragraphs. Route Data The model calculates risk along the IDOT test corridor segment by segment, where segments are signal blocks as described in Section 2.3.1. The input table used in the risk calculation spreadsheets provides milepost locations for the beginning and end of signal blocks and a representative speed for freight trains as well as conventional and high-speed passenger trains for the signal block. Also listed in the table is the type of segment (because risk varies by segment type) and representative speed, which is the typical average speed at which trains may be expected to operate through the segment. Separate tables are provided for each Sub-corridor along with counts of diamond crossings and grade crossings by type of crossing warning system. Route data was taken from track charts and other information provided by the IDOT PTC project as presented in Appendix D. Traffic Data Traffic data provided by FRA are summarized in Table 2.1. 27 Table 2.1. Traffic Data by Sub-corridor and Season Train Type Average One-Way Trips/Day Joliet Sub-corridor Bloomington Sub-corridor Springfield Sub-corridor Summer Rest of Year Summer Rest of Year Summer Rest of Year Passenger 6.00 6.00 6.00 6.00 6.00 6.00 Equipped freight 1.07 1.07 1.07 1.07 0.86 0.86 Unequipped freight 0.36 0.36 0.36 1.21 0.87 2.30 Operating days 91 274 91 274 91 274 Train Data The primary train characteristic used in the model is braking distance as a function of speed. Braking distance formulas, including safety factors, were obtained from Amtrak and the IDOT PTC project. It is understood that these are the same formulas as have been used in previous risk analyses for the IDOT corridor. 2.5.2 Train-to-Train Collision Frequencies and Distribution This category includes all collisions between active trains, including head-on, rear-end, and side collisions involving two or more active trains, as reported to FRA, but not with cuts of cars during switching operations or cars that have rolled out from a siding. Collisions at diamond crossings are also analyzed separately. The basic approach used in the model, as described in Section 2.1, is to estimate accident frequencies for a reference analysis case (conventional CTC with wayside signals and 79 mph maximum speed) and then estimate what fraction of those accidents would be prevented by each train control system being analyzed. Thus all accident frequencies are for CTC operations without train control of any type. The frequency for train-to-train collisions for this corridor for CTC operation was estimated to be 0.030 collisions per million train-miles. This number was obtained from analyses of FRA accident data performed by ICF for previous risk analyses, with adjustments for traffic density, single track, absence of major passenger terminals, and similar factors. Historical data suggest that these collisions are not uniformly distributed along the corridor but tend to be concentrated in high-risk areas, especially on single-track segments before and after a passing siding. Because of this effect, collision frequencies were adjusted to reflect risk for each segment type. A full description of the derivation of this frequency and all other details pertaining to accident frequencies is provided in Appendix F. 28 Then the distribution of collision accidents among different train pairs involved in collisions, and among head-on, rear-end and side collisions, was estimated. A distribution of collisions among all possible combinations of train types (passenger, equipped freight and unequipped freight trains) was estimated from the relative numbers of daily trips, modified by a review of string chart simulations of operations on the IDOT test corridor. Finally a distribution of collisions between head on and rear-end or side collisions was developed from the detailed accident scenarios, the mix of meets and passes shown in the operations simulations and historic data. 2.5.3 Collision Accident Consequences Because of substantial differences in consequences (injuries, fatalities, and property damage) between passenger trains and freight trains, consequences are estimated per train involved in a collision. Separate consequence values are estimated by representative speed and whether the colliding vehicle in the train is a locomotive or a car and whether the locomotive hit another locomotive (as in a head-on collision) or a car (as in a side or rear-end collision). All consequence data were derived from FRA accident reports and reflect the severity thresholds used in those reports. As much as possible, use was made of consequence estimates developed by ICF for previous risk analyses. One potentially important aspect of the risk analysis involving comparisons between several control systems is variation in the ability of each system to reduce the severity of accidents that occur. The effect of this variability was examined in a set of sensitivity analyses, one for each train control system. To implement the capability to analyze the effect of this variability in the risk model for each control system considered in this analysis, consequence adjustment factors were applied to the base consequence values. The consequence adjustment factors are multipliers, estimated for each accident scenario, which when applied to the base consequence values provide the adjusted consequence values that are used to arrive at the model result. For the IDOT PTC model, two separate sets of consequence adjustment factors and adjusted consequence values are required— one set for the system in the normal operating state and one set used in a timeout state. With a timeout of 120 s or greater, there are no reduced consequence accidents; it is not possible for the IDOT PTC system in timeout to respond quickly enough to reduce the consequences of an accident. More details on the adjustment of consequences are provided in Appendix F. 2.5.4 Frequencies and Consequences for Other Accident Scenarios Rollout and Other Intrusion Collisions Two types of intrusion collision were analyzed—accidents occurring at or near a switch where a cut of cars rollout onto the main line and into the path of an active train and other intrusions caused by a derailment on an adjacent track or a shifted load. The frequency and consequences of both kinds of intrusion were estimated from historic accident data, reviewing collision descriptions in FRA reports to distinguish between rollouts as here defined and train-to-train collisions. 31 Table 2.2. CTC Reference Case Accident Frequencies Scenarios Units Accident Frequency Passenger Freight Train-to-train collisions Per million train-miles 0.03 0.03 Rollout Intrusions Per million train-miles 0.0086 0.0144 Other intrusions Per million train-miles 0.0144 0.0086 Broken rails Per million train-miles 0.0167 0.0556 Overspeed Per million train-miles 0.0110 0.0160 Work zone intrusions Injuries/fatalities per million train-miles 0.164/0.0164† 0.083/0.0083† Diamonds Per million diamond passes 0.100 0.100 Grade crossings Per million crossing passes 0.80‡ 0.36‡ †Varies by train speed; these are for passenger trains at 79 mph and freight trains at 50 mph. ‡Varies by speed and crossing type; these are for crossings with gates and lights, passenger trains at 79 mph and freight trains at 50 mph. 2.5.5 Preventability Factors Preventability factors are the fraction of accidents that would have happened with CTC that are estimated to be prevented by the train control system being analyzed. They are the most critical inputs to the models because they drive the results of the comparison between the different train control systems. For example, if a particular preventability factor is 0.8, then this means that 80 percent of the accidents that would have occurred with CTC are prevented by the particular train control system being considered and 20 percent still take place. Table 2.3 gives a basic set of preventability factors for the IDOT PTC operating normally and in timeout and for cab signals with both ATS and ATC. Full details of the derivation of these data and variations for sensitivity analyses for all analysis cases are provided in Appendix F. 32 Table 2.3. Preventability Factors for IDOT PTC and Cab Signals with ATS/ATC Scenarios Preventability Factor IDOT PTC Normal IDOT PTC in Timeout UP Cab Signals with ATS NEC Cab Signals with ATC Train-to-train collisions 0.90† 0.90† 0.70 0.85 Rollout intrusions 0.30 0 0.35 0.43 Other intrusions 0.05 0 0.10 0.12 Broken rails 0.04 0 0.06 0.08 Overspeed 0.80 0.50 0 0 Work zone intrusions 0.50 0.25 0 0 Diamonds 0.90† 0.90† 0.70† 0.85† Grade crossings 0.04 0 0 0 Comments on the derivation of preventability values are: • For the cases in Table 2.3 marked with (†), there is a chance of a conflict between equipped and unequipped trains, which reduces preventability, because all through trains and some local freight trains are unequipped. With diamond crossing collisions, the crossing train (always belonging to railroad companies other than UP) is also assumed to be unequipped. The model assumes an equipped train responds to any control system input with a reliability represented by the preventability factor. The model performs a separate calculation of the probability that an accident resulting from a signal violation by an unequipped train can be prevented by the response of the equipped train. In the PTC case, this calculation is done for both the normal operating state and the timeout state. In the ATS and ATC analysis cases, all freight and passenger trains are assumed equipped with the control system, and the separate calculation is not needed. • The value of 0.90 for the preventability of train-to-train collisions among PTC-equipped trains is a conservative estimate. PTC will prevent almost all collisions, except for collisions with on-track maintenance equipment outside of designated work zones, collisions caused by brake failures, incorrect or out-of-date data entered into the PTC system for any reason, and very rare “wrong side” or false “all clear” indications by PTC. Model runs with PTC preventability set at high and low values of 0.94 and 0.88 illustrate the sensitivity of results to this estimate. • Preventability for cab signals with ATS of 0.70 is estimated from the actual performance of UP cab signals compared with CTC. Because the estimate depends on sparse data, risk calculations were also carried out for values of 0.60 and 0.80. • Likewise, risk calculations with preventability set at 0.80 and 0.90 were carried out for cab signals with ATC to illustrate the sensitivity of results to preventability estimates. 33 • Preventability of collisions between a PTC-equipped and an unequipped train is calculated in the model as a function of train speeds and of equipped train location relative to the unequipped train when the violation takes place. A similar calculation provides an estimate of the preventability of collisions at a diamond crossing for all control systems analyzed. • Rollout intrusions will be detected by track circuits and switch position monitors. The estimate of 0.30 for PTC in normal state is derived using the same calculation regarding train locations speeds as was used for collisions with unequipped trains. Preventability is higher for cab signals with ATS or ATC because of the quicker response of coded track circuits and the ability of these track circuits to detect intrusions ahead of an approaching train in the same signal block. • It is judged that very few “other intrusions” and broken rails will be prevented by any of the train control systems, because only a small fraction of these accidents will be detectable by the track circuits in any case. Cab signals with ATS or ATC perform better than PTC because of the quicker response of coded track circuits to a detected event. • PTC will prevent most overspeed derailments because of the speed monitoring and enforcement feature. Preventability will be reduced in the timeout operating state because of possible delays to messages advising the train of new slow orders. Although rare, such a delay could result in a very dangerous “false all clear” situation. Cab signals with ATS or ATC do not monitor or enforce civil speed restrictions and cannot prevent overspeed derailments. • The preventability of work zone casualties is based on a review of casualty data and an estimate of what fraction of these casualties are potentially preventable, because they occurred in a designated work zone. As with overspeed accidents, and for similar reasons, preventability is reduced in timeout. In addition, PTC cannot protect against accidents caused by the incorrect entry of work zone or temporary slow order locations in the system. Cab signals with ATS do not monitor or enforce work zone restrictions. • Grade crossing collisions can be prevented by PTC only where the collision was caused by a crossing warning system malfunction. The preventability estimates are based on FRA data regarding such malfunctions. 2.6 Measures of Risk Calculated by the Model The model calculates five measures of risk for each of the accident scenarios described in Section 2.4, and for each Sub-corridor, season and operating state as defined in Sections 2.3.1 and 2.3.2. These are: • Estimated number of FRA-reportable accidents for each accident scenario and in total over a 10-year period. FRA-reportable accidents are those that exceed the FRA’s threshold cost of damage to railroad-owned plant and equipment. • Estimated number of injuries in FRA-reportable accidents over 10 years of operation of the IDOT test corridor. • Estimated number of fatalities in FRA-reportable accidents over 10 years of operation of the IDOT test corridor. 36 Table 3.1. List of Risk Analyses Performed and Included in the Results Workbook in Appendix G Train Control System Analyzed Ref. Number Title Used in Results Summary Workbook Description of Analysis Case IDOT PTC system 1 PTC Basic TO120 Basic PTC case: timeout 120 s, latency 10 s 2 PTC TO240 PTC Case: timeout 240 s, latency 10 s 3 PTC TO360 PTC Case: timeout 360 s, Latency 10 s 4 PTC TO60 PTC Case: timeout 60 s, Latency 10 s 5 PTC TO20 PTC Case: timeout 20 s, Latency 10 s 6 PTC Lat 20 PTC Case: timeout 120 s, Latency 20 s 7 PTC Lat 5 PTC Case: timeout 120 s, Latency 5 s 8 PTC Basic 88% PTC case w/ preventability reduced from 90 to 88 % 9 PTC Basic 94% PTC case w/ preventability increased from 90 to 94% 10 PTC Basic Red. Sev’ty Basic PTC case w/ reduced severity of consequences UP cab signals + ATS 11 ATS Basic, 70% Basic case: cab signal and ATS, 70% preventability 12 ATS 80% Cab signal and ATS, 80% preventability 13 ATS 60% Cab signal and ATS, 60% preventability 14 ATS Basic 70% Red. Sev’ty Basic ATS case w/ reduced severity of consequences Northeast Corridor ATC 15 NEC-ATC Basic 85% Basic NEC-ATC case w/ 85% preventability 16 NEC-ATC 80% NEC-ATC w/ 80% preventability 17 NEC-ATC 90% NEC-ATC w/ 90% preventability 18 NEC Basic 85% Red. Sev’ty Basic NEC-ATC case w/ reduced severity of consequences CTC reference case 19 CTC Ref CTC reference case All data presented in this report are taken from the corresponding model results worksheets. Model results are presented and discussed in the following sequence: • IDOT PTC risk analyses showing the effects of varying latency and timeout; 37 • Comparisons between the IDOT PTC system and the ATS and ATC systems with cab signals; • Sensitivity of analysis results to variations in accident preventability estimates for the three train control systems; and • Sensitivity of analysis results to differences in consequence estimates among the three train control systems. Some suggestions for further model runs are also provided. 3.2 Summary of Results – IDOT PTC Timeout and Latency 3.2.1 Effect of Varying Timeout on IDOT PTC Safety Performance A series of model runs were performed to explore the effects of varying timeout on the safety performance as measured by the dollar value of harm. The full details of the results are provided in the spreadsheet containing the results sheet for each of the model runs (see Appendix G). Timeout was varied in the analyses from a base value of 120 s. Given the capacity of the radio communications system originally proposed for the IDOT PTC system, 120 s was judged to be the lowest practical timeout that would not lead to communications delays and delay-related timeout events. A higher capacity communications system would be needed if timeout needs to be lower to achieve required safety or operational performance. The first point to note from the analysis is that the number of train-miles operated during timeout is a tiny fraction of total train-miles. Thus, even if there is elevated risk during timeout, the overall impact of this risk increase on the overall risk of operating the corridor is very small. On the basis of the assumptions regarding the occurrence of timeout events discussed in Section 2.3.2, the relevant values are as follows: Estimated percentage of train-miles operated in the timeout state: 0.1395% (Model Input) Total harm in the timeout state (PTC 120-second timeout case): $4,378† Total harm with PTC operating normally: $2,733,539‡ Estimated percentage of harm in the timeout state: 0.1602% (from above numbers) Ratio (harm in timeout)/ (harm operating normally over the same train-miles): 0.1602/0.1395 = 1.148 or 14.8% increase †from Table R6d of IDOT Risk Model, Basic PTC Case TO120 Lat10 Final.xls ‡from Table R7d of IDOT Risk Model, Basic PTC Case TO120 Lat10 Final.xls Thus, operations during timeout contribute only 0.16% of total risk in combined normal and timeout operation. The primary reason that the contribution is so modest is that PTC-preventable collisions between two equipped trains will still be prevented, even if the system is in timeout. Both trains will comply with previously issued nonconflicting authorities. Risk increases in otherwise preventable collisions with unequipped trains and in some of the other potentially preventable accident scenarios such as grade crossings, and because of broken rails and 38 intrusions, where the warning will not reach the PTC-equipped train in time to prevent an accident. The estimate of the number and duration of timeout events needed to perform this calculation was determined by considering timeout duration and the total percentage of train- miles operated in fallback mode. A simple example of this calculation is if timeout is 2 min and the time to repair is 90 min, then the distance traveled by trains during timeout is 1/45 of distance in fallback mode. If the total distance in fallback mode is 5 percent of total mileage, then the distance traveled in timeout is 5/45 or 0.11%. The detailed calculation takes into account the difference in characteristics and effects of on-board and wayside PTC failures. Table 3.2 gives the results of varying timeout between 20 and 360 s; latency was held constant at 10 s. Timeout values are the total time the train is operating between receiving the last valid communication and the expiration of timeout. The risk increment in the table is the increase in risk during timeout compared with the same period of normal operation with 10-second latency. Table 3.2. Effect of Varying Timeout on Risk Associated with IDOT PTC with Latency of 10 Seconds Timeout (s) Total Harm in Whole Corridor† ($1,000s) Total Harm in Timeout‡ ($1,000s) Percent of Total Corridor Harm (%) Percent Train- Miles in Timeout¤ (%) Risk Increase (%) 20 2,733.181 0.675 0.0247 0.0233 6.0 60 2,733.294 2.126 0.0778 0.0698 11.5 120 2,733.539 4.378 0.1602 0.1395 14.8 240 2.733.896 8.750 0.3201 0.2791 14.7 360 2,734.247 13.115 0.4797 0.4186 14.6 † Table R7d on “PTC TO20,” “PTC TO60,” “PTC Basic TO120,” “PTC TO240,” and “PTC TO360” sheets of Results Summaries PTC, ATS and ATC Cab Sigs complete.xls, Appendix G. ‡ Table R6d on “PTC TO20,” “PTC TO60,” “PTC Basic TO120,” “PTC TO240,” and “PTC TO360” sheets of Results Summaries PTC, ATS and ATC Cab Sigs complete.xls, Appendix G. ¤ Percent miles in timeout are model inputs. As would be expected, the impact on risk is roughly proportional to timeout, because this directly affects train-miles operated in timeout. The percentage increase in risk per train-mile during timeout versus regular operation increases up to a timeout of approximately 120 s, after which it stays roughly constant. At low timeout values, performance approaches that of regular operation (with a latency of 10 s). Hypothetically, if timeout were reduced to 10 s, identical to latency, then safety performance during timeout would be identical to that in normal operation. When timeout equals or exceeds 120 s, there is no further increase in the per train-mile risk during timeout, but the aggregate risk increment during timeout increases as a result of the increase in train-miles operated during timeout. 41 Table 3.4. Comparison of Total Accident Costs for IDOT PTC (Timeout = 120 s, Latency = 10 s), UP Cab Signal with ATS (70% Preventability) and NEC Cab Signal with ATC (85% Preventability) Base Cases, PTC-Relevant Accidents Train Type Accident Scenario IDOT PTC with TO = 120 s, Lat = 10 s ($1,000s)† UP Cab Signal with ATS, 70% Prev. ($1,000s)† NEC Cab Signal with ATC, 85% Prev. ($1,000s)† Comparison, IDOT PTC to Cab Signal with ATS & ATC Difference PTC-ATS ($1,000s) Difference PTC-ATC ($1,000s) Pa ss en ge r Train-to-train collision 309 790 395 -481 -86 Intrusion collision 321 303 291 18 30 Diamond collision 3 4 3 -1 0 Overspeed 60 301‡ 301‡ -241 -241 Broken rail 439 430 421 9 18 Work zone violation 98 196‡ 196‡ -98 -98 Grade crossing collision 1384 1442‡ 1442‡ -58 -58 Total – all scenarios 2,614 3,466 3,049 -852 -435 Fr ei gh t Train-to-train collision 9 8 4 1 5 Intrusion collision 3 3 3 0 0 Diamond collision 2 3 2 -1 0 Overspeed 7 10‡ 10‡ -3 -3 Broken rail 34 33 32 1 2 Work zone violation 23 30‡ 30‡ -7 -7 Grade crossing collision 40 41‡ 41‡ -1 -1 Total – all scenarios 118 128 122 -10 -4 Total, passenger + freight 2,732 3,594 3,171 -862 -439 † Table R7d on “PTC Basic TO120” sheet and Table R3d on “ATS Basic 70%” and “NEC_ATC Basic 85%” sheets; Results Summaries PTC, ATS and ATC Cab Sigs complete.xls, Appendix G. ‡ These values represent full accident costs; no risk reductions are present in these accident scenarios with these control system combinations. Overall, the results show that IDOT PTC is estimated to reduce accident costs by 24 percent (a savings of $862,000 against costs of $3,594,000) when compared with ATS base case for the set of PTC-relevant accident scenarios analyzed. When the ATC base case is considered, the IDOT PTC is estimated to reduce accident costs by 14 percent (a savings of $439,000 against costs of $3,171,000). Even given the uncertainty regarding the estimates for the values of model inputs and calculations for the effectiveness of the train control systems in preventing accidents, these results indicate that the IDOT PTC is likely to pass the test of providing a level of safety equivalent to or better than either of the base cases considered in this analysis. 42 A comparison of accident costs over a 10-year period between the ATS and ATC base cases shows that the ATC base case has total costs $423,000 (12 percent) less than those for the ATS base case. The principal sources of the advantage of the IDOT PTC system over the UP cab signal system with ATS and the NEC cab signal system with ATC are fewer train-to-train collisions, overspeed derailments, and work zone incursions. The difference in train-to-train collisions between the IDOT PTC and the UP ATS base case is much more pronounced than the difference between the IDOT PTC and the NEC ATC base case. The following paragraphs discuss how the differences in the capabilities of the three control systems contribute to the advantage of IDOT PTC over the cab signal base cases: • Train-to-train collisions: For the purpose of this analysis, train-to-train collisions are defined as collisions between two trains operating on the main tracks of the IDOT test corridor. PTC will enforce safe speeds down to a stop. Cab signaling with ATS will warn the engineer of a more restrictive signal aspect; it will not enforce that aspect if the warning is acknowledged. ATC will enforce speed reduction in accordance with signal indications down to restricting speed but not to an absolute stop. The practice of slowing the PTC-equipped passenger trains to 79 mph when near an unequipped train also contributes to the advantage. With cab signals and ATS/ATC, there are no unequipped trains, and this practice does not apply. On the basis of a review of FRA-reported main-line accidents on the NEC between 1986 and 2006, clearly ATC is highly effective in preventing collision accidents and will reduce collision speed for those accidents that do occur. The data also show that a significant fraction of NEC collision accidents are low-speed “fender benders” in major passenger terminals (e.g., New York Penn Station and Washington Union Station) that have relatively minor consequences. With no major stations or terminals on the IDOT test corridor, these accidents were not considered in estimating accident frequencies for the ATC analysis. • Overspeed accidents: PTC will enforce temporary and permanent speed limits but cab signals do not. From accident data, most passenger train overspeed accidents appear to be due to failing to slow down to take a turnout or crossover rather than exceeding a main track speed limit or slow order. • Work zone violations: Fewer work zone violations, leading to fewer casualties among track maintenance employees and contractors (12.2 percent of the difference): PTC can provide this protection but cab signals do not. This number is more speculative than the others, and more work is desirable on the exact circumstances of casualties to better determine the effectiveness of PTC in work zone protection and the related issue of collisions with on-track maintenance and inspection equipment moving to and from formal work zones. Diamond collisions are between a train operating on the main track of the IDOT test corridor and a train operating on another railroad that crosses the IDOT test corridor. Diamond collisions are also collisions between trains, but the risk calculation is different. An intrusion collision is between a train operating on the IDOT test corridor and a car or a cut of cars (not a train) that has incorrectly moved onto the main track from a connecting track. More information on accident scenario definitions can be found in Section 2.4. 43 Passenger train costs dominate the results. Freight train accident costs on this corridor are almost insignificant. However, it should be noted that there are only an average of about two freight train trips over the corridor (averaging Sub-corridors and seasons) versus six passenger train trips. Freight train accidents would be more significant if there were, say, 10 freight train trips daily. Table 3.5 provides estimated injuries and fatalities for the same IDOT PTC and the cab signal cases addressed in Table 3.4, again using FRA reporting criteria for casualties in train accidents. Table 3.5 gives the corresponding accident counts for the three train control systems. 46 would have taken place with the CTC reference case is conservatively estimated at 90 percent. The only collisions possible would be those involving unequipped trains and on-rail maintenance equipment outside of formal work zones, those not preventable by any train control system (such as due to braking failures), or very rare “wrong side” PTC system failures. In the cab signal with ATS case, the corresponding best estimate for effectiveness in preventing train-to-train collisions is 0.70 (or 70 percent), based on historic data. Unlike PTC, the ATS does not enforce signal indications after the train crew has acknowledged a warning; there are examples of collision accidents with ATS taking place after the warning was acknowledged. Causes include inattention, falling asleep, failure to observe restricted speed rules, and misjudged braking. If cab signals with ATS and PTC are considered equally effective in preventing train- to-train collisions, PTC will have higher costs for train-to-train collisions than cab signals because of the presence of unequipped trains. The 70-percent estimate for cab signals with ATS is based on rather sparse data (per Appendix F), so sensitivity analyses were performed with effectiveness set at 60 and 80 percent; results of this consideration are provided in Section 3.4. As stated earlier, a review of FRA-reported main-line accidents on the NEC has shown that ATC is highly effective in preventing collision accidents and will reduce collision speed for those accidents that do occur. The primary challenge in interpreting these data lies in the very large differences in the operating environment between the NEC, which is predominately high-density, high-speed, multiple-track territory, and the IDOT test corridor with single track and low to moderate traffic density. After an effort to adjust for these differences is made, preventability for main-line train-to-train collision accidents of approximately 0.85 (or 85 percent) was estimated and used in the model and for operations away from major passenger terminals. Given the uncertainties in this estimate, a sensitivity analysis comprising model runs with 80 and 90 percent preventability values was prepared to help support analysis conclusions. The results of these analyses are also tabulated and discussed in Section 3.4. Observations on the results include: • Considering Table 3.4, cab signals with ATS/ATC exhibited a small advantage (lower accident costs) over PTC only for freight trains involved in train-to-train collisions and in intrusion and broken rail accidents. In intrusion/rollout events and broken rail derailments, coded track circuits are able to better detect the event and provide prompt warning to the approaching train. The total advantage these systems offer in terms of accident costs are massively offset by the advantage of PTC in all other accident scenarios. It is also noteworthy that the IDOT PTC advantage is still significant, even if the benefits from additional PTC functionality (overspeed, work zones, and grade crossings) are disregarded. • The results for injuries and fatalities in accidents (Table 3.5) show the same pattern as overall accident costs. This is as expected, given that casualties (mainly in passenger train accidents) are the largest individual contributor to total costs. • The costs of freight train accidents have little influence on the overall results, given the high costs associated with passenger casualties and damage to passenger equipment. The freight/passenger difference is less marked in counts of trains in accidents (Table 3.6), which show that passenger and freight involvement are as would be expected from relative train- miles operated and the lack of PTC on many freight trains. 47 • PTC is able to prevent only a relatively small fraction of grade crossing collisions and broken rail derailments. This is mainly because the detectable hazardous conditions (total rail break before train arrival or malfunctioning crossing warning systems) are a minor part of the overall risk from those scenarios. However, the financial benefit from preventing even a small fraction of these accidents is substantial. • Harm to passenger trains and their occupants dominate the risk. This is entirely logical and is derived from the differences between passenger and freight equipment and their operations: - Passenger trains have about 200 occupants at risk of becoming casualties in an accident (in this analysis), compared with two or three people that make up a freight train crew. - Passenger trains operate at a higher speed, increasing accident consequences. - Passenger equipment is more valuable and more costly to repair than freight equipment. - Finally on this corridor, six daily one-way passenger train trips are compared with an average of two to three freight train trips. It should be noted that both PTC and cab signal-based systems with trains operating at up to 110 mph provide a substantial safety improvement over the reference case of conventional CTC at speeds up to 79 mph (as the line is currently being operated), as shown in Table 3.7. If the acceptability criterion had been a comparison with the current operation, then any of the systems would be acceptable. Also noteworthy, PTC provides an estimated benefit of $58.4 million from prevented grade crossing collisions and $18.8 million from prevented broken rail derailments, compared with CTC. Table 3.7. Comparison of Total Accident Costs for Conventional CTC, IDOT PTC (Timeout = 120 s, Latency = 10 s), UP Cab Signal with ATS (70% Preventability) and NEC Cab Signal with ATC (85% Preventability) Base Cases, PTC-Relevant Accidents Total Accident Costs in $1,000s for PTC-Relevant Accidents† CTC Reference Case IDOT PTC Case, Timeout = 120 s, Latency = 10 s UP Cab Signal w/ATS, 70% Preventability NEC Cab Signal w/ATC, 85% Preventability Max. Speed (mph) 79 110 (79 mph when passing unequipped freight trains) 110 110 Scenarios Train-to- Train Collisions All Accidents Train-to- Train Collisions All Accidents Train-to- Train Collisions All Accidents Train-to- Train Collisions All Accidents Passenger 2,089 4,855 309 2,614 790 3,466 395 3,049 Freight 26 150 9 118 8 128 4 122 Total 2,115 5,005 318 2,732 798 3,594 399 3,171 † Table R7d on “PTC Basic TO120” sheet and Table R3d on “ATS Basic 70%,” “NEC_ATC Basic 85%,” and “CTC Ref” sheets; Results Summaries PTC, ATS and ATC Cab Sigs complete.xls, Appendix G. 48 3.4 Sensitivity Analyses 3.4.1 Sensitivity of Results to Estimated Collision Preventability Preventability in the model is defined as the fraction of accidents of each type that would occur under conventional CTC operation with wayside signals that will be prevented by a specific train control system. The preventability factor in collisions between equipped trains has been estimated at 0.90 (or 90 percent) for the IDOT PTC, 0.70 (or 70 percent) for the UP cab signal system with ATS and 0.85 (or 85 percent) for the NEC cab signal system with ATC. All these estimates are subject to some uncertainty. Sensitivity analyses using higher and lower estimates for preventability estimates were carried out to investigate whether this uncertainty might influence the conclusions from the analyses. Where PTC will enforce operating authorities down to an absolute stop before authority limits are exceeded, cab signals with ATS provide an in-cab display and a warning whenever the train is subject to a more restrictive signal aspect. If the train crew acknowledges the warning, the train can proceed under the engineer’s control. Only if the warning is not acknowledged will the train be stopped. Thus, the crew possibly may acknowledge a warning but then fail to observe the signal. An example of this kind of accident was described in National Transportation Safety Board (NTSB) Report RAR 99/04.1 At Delia, KS, the crew of a UP freight train equipped with cab signals acknowledged the restricting signal at the entry to a passing siding but fell asleep as the train traveled through the siding. The train passed the red signal at the end of the siding and collided head-on with a train approaching the siding from the opposite direction. ATC differs from ATS in that it enforces braking to reduce speed when the cab signal indicates a more restrictive signal aspect. A penalty brake application is initiated if the engineer fails to apply the brakes, and brakes cannot be released until the speed is at or below the speed corresponding to the signal indication. Because enforced stops well short of a red signal would disrupt operations, ATC does not enforce below 20 mph, allowing a train to approach a red signal and, if the engineer in inattentive or incapacitated, pass the signal at this speed and collide with another train. An example of this type of accident was described by NTSB in its Railroad Accident Brief RAB-03-01.2 An Amtrak train approaching Baltimore station on the NEC at restricted speed failed to observe an interlocking signal at danger and collided with another train. Although the speed enforcement means that ATC will be more effective than ATS in preventing collisions caused by signal violations, such collisions are still possible. Thus, preventability values for ATC will lie between those for ATS and PTC. PTC preventability was conservatively estimated at 90 percent, as described in Section 3.2.3. The cab signal preventability estimate of 70 percent was based on a limited analysis of past accidents. Given the small sample size, there is substantial uncertainty as to the correct figure. In the case of ATC, preventability was estimated at 85 percent, based principally on experiences 1 National Transportation Safety Board, 1999. Collision between Union Pacific Freight Trains MKSNP-01 and ZSEME-29 near Delia, Kansas. July 2, 1997. Railroad Accident Report NTSB/RAR-99/04. Washington, DC. 2 National Transportation Safety Board, 2003. Collision of Amtrak Train No. 90 and MARC Train No. 437, Baltimore, Maryland, June 17, 2002. Railroad Accident Brief NTSB/ RAB-03-01. Washington, DC. 51 3.4.2 Sensitivity of Results to Severity Reduction The capability to estimate the effect of reducing accident severity was implemented by adding a step in compiling the accident consequences tables used as the inputs to the risk models. The consequence adjustment factors are multipliers, estimated for each accident scenario, which when applied to the base consequence values provide the adjusted consequence values used in separate runs of the risk models conducted for each train control system. Details associated with the determination of the severity reduction factors are provided in Appendix F. Differences in the severity of accidents between the three train control systems were thought to be a second-order effect and have been ignored in the primary risk calculations. Consideration of the ATC Base Case, where speed enforcement is a key capability, prompted a reconsideration of this assumption. Therefore, the capability was added to the risk models, and the effect was analyzed for each control system. The results are shown in Table 3.9. Table 3.9. Comparison of Total Accident Costs for IDOT PTC (Timeout = 120 s, Latency = 10 s), UP Cab Signal with ATS (70% Preventability) and NEC Cab Signal with ATC (85% Preventability) with and without Severity Reduction, PTC-Relevant Accidents Train Control System Total Accident Costs† ($1,000s over 10 years) Without Severity Reduction With Severity Reduction Difference IDOT PTC 2,732 2,662 70 UP Cab Signal with ATS 3,594 3,454 140 NEC Cab Signal with ATC 3,171 3,052 119 † Table R7d on PTC-related sheets and Table R3d on ATS/ATC sheets; Results Summaries PTC, ATS and ATC Cab Sigs complete.xls, Appendix G. The effect of including severity reduction is to slightly narrow the difference between IDOT PTC and the other two systems. Including the severity reduction effect also reduces estimated total accident costs with IDOT PTC by $70,000, by $119,000 with NEC ATC, and by $140,000 with ATS/cab signal. Thus, including severity reduction in the analysis has only a limited effect on the comparison between the three systems. 52 3.5 Closing Remarks It should be noted that the analysis did not cover all accident scenarios, only those where PTC or the base case system could reduce the frequency or severity of accidents. Notably the analysis has omitted most derailment accidents caused by track and equipment mechanical failures (except broken rails) and a number of miscellaneous accidents such as fires and collisions with obstructions other than rail vehicles and vehicle lading. Such accidents contribute about one- third of passenger train accident consequences and 75 percent of freight train accident consequences. Furthermore, the analysis does not include the effects of operating in fallback mode after a known failure of on-train or wayside equipment. This mode was omitted from analysis because both the method of operation itself (conventional CTC with wayside signals) and the train-miles operated in fallback mode were assumed to be the same in each case and would not affect the comparisons. 53 4. Conclusions and Recommendations The risks associated with IDOT PTC, the UP cab signal system with ATS, and the NEC cab signal with ATC—all operated on the IDOT Corridor—were determined when considering all accident scenarios in which PTC or cab signals with ATS or ATC could reduce the frequency or severity of accidents. These scenarios include train-to-train collisions (those occurring between trains on the same main-line tracks), intrusion collisions, collisions at diamonds, overspeeds, work zone violations, grade crossing accidents, and incidents involving broken rails. The analysis omitted most derailment accidents caused by track and equipment mechanical failures (except broken rails) as well as a number of miscellaneous accidents such as fires and collisions with obstructions other than rail vehicles and shifted loads. The analyses did not include the effects of operating in fallback mode after a known failure of on-train or wayside equipment, because both the method of operation itself (conventional CTC with wayside signals) and the train-miles operated in fallback mode were assumed to be the same in each case and would not affect the comparisons. With these qualifiers in mind, the following conclusions were drawn from the analysis of the systems considered in this effort: • A series of model runs were performed to explore the effects of varying timeout and latency on the safety performance as measured by the dollar value of harm. On the basis of this analysis, the following statements can be made: – When the IDOT PTC system is considered, even when accounting for the elevated risk during timeout, the overall impact of this risk increase on the overall risk of operating the corridor is very small. Timeout does not have a material effect on the overall safety performance of the IDOT corridor. This is because the aggregate train-miles operated in the timeout state is very small, not exceeding 0.5 percent of total train-miles, and the heightened risk over this period, although significant, cannot have much impact on the overall result. – It is difficult to recommend a timeout value on the basis of safety alone, and other factors such as operations benefits should be considered, such as the avoidance of delays because of slow system response or unnecessary timeout events. Note that this conclusion applies only to this corridor, and the conclusion in areas of higher traffic density or with more unequipped trains could be different. – As with timeout, the effects of varying latency are limited and can be attributed primarily to the increase in collisions between equipped and unequipped train as latency increases, with limited additional risk increments as a result of increasing risk from intrusion collisions and other accidents. • The IDOT PTC operating with a timeout of 120 s and a latency of 10 s is estimated to reduce accident costs by 24 percent when compared with ATS base case and 14 percent when compared with the ATC base case for the set of accident scenarios analyzed. These results indicate that the IDOT PTC is likely to pass the test of providing a level of safety equivalent to or better than either of the base cases considered in this analysis. On the basis of accident costs during a 10-year period, the performance of ATC base case lies between that of the IDOT PTC and the ATS base case; the analysis resulted in the ATC A-1 Appendix A: Description of Risk Model and Calculations in Worksheet 1 – Segment Definitions and Timeout Effects A.1 Introduction This appendix is the first of four appendices that fully describe the IDOT risk model in all its versions. Appendix A contains a description of the overall model structure, the way the model represents railroad operations and infrastructure on the IDOT test corridor, and a detailed description of the first of the three Microsoft Excel worksheets that make up the core of the model. Appendices B and C provide similar descriptions of Worksheets 2 and 3 of the models. Appendix F provides full information of the sources and derivation of numerical inputs to the models. The descriptions include details for versions of the model established for NAJPTC, cab signal with ATS, and cab signal with ATC. A.1.1 Structure of the IDOT Test Corridor Risk Model The overall structure of the model is illustrated in Figure A.1. Figure A.1. Overall Structure of the IDOT Test Corridor Risk Model The analysis starts with a model Inputs Worksheet that contains lookup tables providing all the input data needed by the model, including: • Relevant signal system and train performance parameters such as timeout and latency values, braking distances for each train type, etc.; Worksheet 1 Segment Definitions and Timeout Effects Worksheet 2; Collision Probability and Preventability Estimates Worksheet 3 Risk Calculations Summary of Results The three linked worksheets in this box are the core of the model and are repeated for each Sub-corridor, season of the year and operating state. Model Inputs Worksheet A-2 • Basic infrastructure and traffic data, such as the number of main tracks, posted speeds, signal block boundaries, passing siding locations, diamond locations, and average trains per day by train type and season; • Accident frequency and consequence estimates for each accident scenario; and • Estimated fraction of accidents in each scenario that would be prevented by the train control system being analyzed. Concentration of all input data onto one worksheet minimizes the effort involved in setting up the model for each analysis case. In most cases, it is only necessary to change selected numbers on the Inputs Worksheet. These numbers are then referenced by the other worksheets in the model. The sequence of Worksheets 1, 2, and 3 accesses the input data to perform the detailed risk calculations, taking into account all applicable operating conditions. Because risk depends on traffic level and mix and the operating state of the train control system, separate sets of worksheets are required for each Sub-corridor, season, and operating state. Operating state worksheets are only needed for the NAJPTC system, where there may be significant differences in accident frequency or consequences between the normal and timeout operating states. Three Sub-corridors have been selected with boundaries at points where rail traffic enters or leaves the corridor, and two seasons, summer and “rest of year,” to account for seasonal traffic variations on the “Bloomington” and “Springfield” Sub-corridors. Figure A.2 illustrates the detailed structure of the model developed to account for all the traffic and operating state variants for the NAJPTC version. The spatial and temporal divisions of the corridor are described in more detail in Section A.1.3. A-3 Figure A.2. Organization of Worksheets 1, 2, and 3 in the Risk Model As shown in Figure A.2, a total of 26 worksheets are in the NAJPTC risk model in addition to the worksheets containing the inputs and summarizing the results. For the versions of the model that address cab signal with ATS and cab signal with ATC, there is no separate timeout operating state, and the number for worksheets reduces to 13 in addition to the worksheets that summarize the inputs and results. The specific calculations carried out on each worksheet can be summarized as follows: Worksheet 1 – Segment Definition and Timeout Effects This worksheet concentrates on the analysis of the probability that collisions between a PTC- equipped train and an unequipped train can be prevented by the PTC system. The scenario analyzed is that the unequipped train has passed a stop signal. The violation is detected by PTC, which issues a stop command to the equipped train. The location of the unequipped train relative to the location of the violation and PTC timeout and latency is the key parameters in estimating whether the collision can be prevented or mitigated. The calculation also takes into account train braking performance, signal spacing, and track layout. The output is a set of collision preventability estimates for different collision and equipped train location scenarios. A full description of Worksheet 1 and related analyses follows in this appendix. Worksheet 1 remains in the versions of the model used for the cab signal systems, but the results are not used in subsequent worksheets, because in those cases, all trains are considered to be equipped with ATS or ATC. The results of Worksheet 1 would be used if the models were used to analyze an ATS or ATC system where unequipped or differently equipped trains were operated. Overall IDOT Test Corridor Joliet Bloomington Springfield Normal, WS 1 Timeout, WS 1 Normal, WS 1 Timeout, WS 1 Normal, WS 1 Timeout, WS 1 Full Year WS 2, 3 Full Year WS 2,3 Summer WS 2, 3 Rest of Year WS 2, 3 Summer WS 2, 3 Rest of Year WS 2, 3 Summer WS 2, 3 Rest of Year WS 2, 3 Rest of Year WS 2, 3 Summer WS 2, 3 S ub-corridor Operating s tate S eas on WS = Worksheet A-6 • Bloomington Sub-corridor – Siding at Bunge (MP 88.35) to the Yard at Bloomington, IL (MP 124.86); Bloomington represents a point of origination for local freight trains and a point at which trains from other lines enter or leave the IDOT test corridor. • Springfield Sub-corridor – from the Yard at Bloomington (MP 124.86) to Interlocking at Ridgley (MP 180.99); Ridgley is considered an end point of the corridor. Seasonal and Other Temporal Variations The grain trains do not operate during the summer months of July, August, and September. Thus, there is a significant change in traffic density and mix between these summer months and the rest of the year. Two seasonal periods are represented in the model: • A 3-month summer period, without grain trains; and • A 9-month fall, winter, and spring period with grain trains. Although there are day-of-week traffic variations, with selected local and through freight train trips operating between 1 and 5 days/week, attempting to perform model runs for each day of the week would have made the model excessively complex. Average traffic level and mix are assumed for all 7 days of the week for estimating collision frequencies, combined with reviews of day-by-day operating string charts. Spatial Variations within Sub-corridors The most critical issue in this risk analysis is the ability of the NAJPTC and the base case train control systems to prevent collision accidents and the influence of NAJPTC communications timeout on those risks. In the NAJPTC case, the traffic mix includes both equipped and unequipped trains, and the collision scenario most influenced by timeout is when an unequipped train fails to stop at a stop signal and is in danger of colliding with an equipped train. In this situation, signal block length is a critical parameter in calculating risk, along with timeout and latency. Therefore, each Sub-corridor was divided into segments corresponding to signal blocks for the risk calculation. The signal blocks are typically between 2 and 3 mi. Grade crossings and diamonds are analyzed separately as point hazards. Risk associated with a track segment (signal block) depends on the features within and adjacent to a signal block. Most notably, accident data and descriptions indicate that the most likely location for head-on collision accidents in a single-track signal block adjacent to a passing siding, where a “guilty” train exits the siding after failing to stop at the control point signal at the end of the passing track. To reflect this type of risk variation in the model, track segments have been divided into six types: • Monitored sidings (where the passing siding track is track-circuited for train detection); • Unmonitored sidings that lack track circuits on the siding track. There are two unmonitored sidings in the IDOT test corridor; • Single-track segments adjacent to a monitored siding (called “CP adjacent (M)” in the model table headings); A-7 • Single-track segments adjacent to an unmonitored siding (called “CP adjacent (U)” in the model table headings); • Single-track segments that are not adjacent to a siding. These are called plain track segments in model table headings; and • Diamond crossing segments, considered as point hazards (i.e. with no length). There are no double-track segments on the IDOT test corridor, but if there were, they would be another segment type. Operating States All train control systems have at least two operating states: • Normal operation, where all train control functions are working normally; and • Fallback mode, where there has been a control system failure and the system has been cut out on an individual train or over a portion of the line. For the NAJPTC system only, there is also a timeout mode, where either a communications failure or communications queuing is preventing control messages from reaching a train before timeout expires, and the system declares a fault condition and initiates braking. There is no equivalent to the timeout mode with the cab signal systems; any system failure results in no signal from the coded track circuit which is interpreted as a restricted speed command by the on- board system. An on-board failure has the same effect. The analysis considers only normal operation and timeout operating states. The fallback mode (conventional CTC operations) is assumed to be the same for all analysis cases, both in aggregate duration and safety performance, and thus does not affect the risk comparison between the NAJPTC system and the base case systems. If there were availability variations between the control systems, then the train-miles operated in fallback mode would vary, resulting in a significant influence on a safety performance comparison. A.1.4 Accident Scenarios The objective of the risk analysis is to evaluate the relative safety performance for the NAJPTC system relative to that for the base cases (cab signal system with ATS and cab signal with ATC). Thus, the analysis includes all accident scenarios where the frequency or consequences of an accident could be reduced by PTC or cab signals. These are termed PTC-relevant accident scenarios and are made up of the following: • Train-to-train collisions of all kinds, including collisions at diamond crossings with another rail line; • Collisions between an active train and a rail vehicle or vehicle lading that has intruded on the track occupied by the active train; • Overspeed derailments; A-8 • Broken rail derailments, where the broken rail can be detected by the train control system; • Work zone violations; and • Grade crossing collisions with a highway vehicle, where a crossing warning system malfunction detectible by the train control system was a factor in causing the collision. Illustrations of accident scenarios are provided in Appendix E. A short treatment of accident scenarios is provided in the following paragraphs to put the discussions contained in the rest of this appendix into context. Train-to-Train Collisions Train-to-train collisions are collisions between two trains, both of which are moving over the IDOT test corridor under the control of the signal and train control system. Collisions are most commonly caused when one train fails to observe signals and operating authorities or when the engineers receive conflicting instructions from the dispatcher. Less commonly, collisions can be caused by a failure of on-board equipment such as brakes or in the signal, train control, or communications systems. Sub-scenarios of train-to-train collisions have been established to take into account factors that affect either the frequency or consequences of collisions. Those included in the analysis are: • Factors affecting collision frequency: - Traffic density and mix: The number of trains per day and the distribution between passenger trains, PTC-equipped freight trains, and unequipped freight trains. Base collision frequency and the distribution between meets and passes are governed by the traffic mix and operating pattern. Collision frequencies are estimated for each possible combination of train types. - Collision frequency variations as a function of route segment type: Collision risk is not evenly distributed along the line. A review of historic accident data suggests that on a single-track railroad, collision risk is higher at passing sidings and especially the single- track segments before and after a siding. Appropriate frequency adjustments are applied to each segment type. • Factors affecting collision consequences: - Train types involved in the collision: Consequences are much more serious with passenger trains than freight trains, given the numbers of passengers at risk of becoming casualties and the high value of passenger cars relative to freight cars and their contents. - Colliding vehicles in the collision: Whether the collision involves a locomotive hitting another locomotive, a locomotive hitting a freight car or a locomotive hitting a passenger car. Because of the wide differences in consequences between passenger and freight trains, the model calculates consequences separately for each train involved in a collision, taking into account the types of colliding vehicles and trains involved. - Train speed: Consequences vary substantially with train speed broadly as a function of the kinetic energy dissipated in a collision. A-11 A.2 Description of Calculations in Worksheet 1 – Segment Definitions and Timeout Effects As described in the previous section, Worksheet 1 of the risk model estimates the probability that collisions between equipped and unequipped trains can be prevented or mitigated. Estimating these probabilities involves assembling segment data (lengths, types, and speeds) and the performance results of collision preventability calculations for collisions between equipped and unequipped trains based on stopping distances and timeout. This section will describe analysis steps and key factors associated with these processes. A.2.1 Overview of Calculations Worksheet 1 is exclusively concerned with estimating collision probabilities in the scenarios that involve a collision between an equipped train and an unequipped train. Because authority violations by the equipped train will almost always be prevented by PTC, these scenarios involve an authority violation by an unequipped train, followed by a head-on, side, or rear-end collision. Collisions at diamonds are a special case of collisions between equipped and unequipped trains. Trains crossing the IDOT test corridor at diamonds are assumed to be unequipped. Worksheet 1 performs the calculations for one Sub-corridor of the IDOT test corridor and for one operating state of the train control system (normal or in timeout). Some key input parameters are also introduced into the analysis on Worksheet 1, specifically the braking performance of passenger and freight trains, and the lengths and characteristics of route segments. The specific calculations performed on the spreadsheet are illustrated in the block diagram Figure A.3 and described in subsequent paragraphs. A-12 Figure A.3. Block Diagram Illustrating Calculations Performed in Worksheet 1 Step 1: Calculate stopping distances Stopping distances are calculated from applicable braking formulas for freight and passenger trains. This calculation is performed in Table 1.1 of the Microsoft Excel worksheet and described in detail in Section A.2.2 below. Step 2: Define latency or timeout value, as applicable This is simply an input to the analysis and is defined for a specific analysis case and operating state of the train control system. In the normal operating state, the input is the latency expected for the train control system when operating normally (usually 10 s for NAJPTC). In the timeout operating state, the input is the timeout setting for the train control system for the specific analysis case being analyzed. For the cab signal with ATS/cab signal with ATC cases, the corresponding input is the penalty braking response time, usually 8 s. This is the time allowed for the engineer to acknowledge a more restrictive cab signal aspect and forestall an automatic brake application by the ATS/ATC. These inputs are included in the input data to Table 1.1 in the Microsoft Excel worksheet. Step 3: Define segment type, length, speeds, etc. These data are derived from the track information provided on track charts, timetables, and documents prepared for the NAJPTC project office. A master set of data (provided in Appendix D) has been prepared from these sources and used to compile the segment data listed in Table 1.2 of the Microsoft Excel worksheet. In all cases, segments are simply signal blocks plus point segments for at-grade rail crossings (diamonds). A-13 The data comprise: • The beginning and end points (milepost locations) of each signal block segment and the calculation of the length of each segment from the milepost locations. As far as possible, the track charts were reviewed to check for inconsistencies between milepost locations and actual distances. • Segment type, using the designations defined in Section A.1.3. • Posted speeds for all train types, including high-speed trains, permitted to travel at up to 110 mph. • Representative speeds for all train types, derived as discussed in Section A.2.2. The list contains two speeds for high-speed trains, the normal speed used in most of the analysis and a reduced speed of 79 mph used to calculate collision consequences for collisions between a passenger train and an unequipped freight train. This reflects the operating requirement to restricting passenger train speeds when in the vicinity of an unequipped freight train. Step 4: Calculate zone lengths A, B1, and B2 The lengths are calculated from the information assembled in Steps 1, 2, and 3. The zones are portions of the route segment where an equipped train may be located at the time an unequipped train violates its authority. This calculation is performed in Table 1.3 of the Microsoft Excel worksheet. The basis for and the details of this calculation are described in Section A.2.2 below. Step 5: Combine like segments The combined lengths of similar segments (same type and same passenger and freight train speeds) are calculated in Tables 1.4 and 1.5 of the Microsoft Excel worksheet. Table 1.4 is an intermediate step in the calculations to avoid excessively complex cell formulas. The results tabulated in Table 1.5 of the worksheet give the aggregate length of the segments that fall into each train speed and segment type category. Separate totals are calculated for each train type. Step 6: Calculate estimate of collision avoidance or mitigation probabilities These are derived from the zone lengths by segment type and for passenger and freight trains. These calculations are performed in Tables 1.6a to 1.6f for each type of segment, including diamond crossings. The calculation of the collision avoidance and mitigation probabilities is performed for each segment and train type and takes into account: • The zone lengths derived in Step 4 and shown in Table 1.3 of Worksheet 1. • The aggregate length of segments of each type in the Sub-corridor being analyzed. • An estimate of the probability that a train will have entered the now-occupied signal block before or after the violation by the unequipped train. A-16 • For route segments where freight trains enter or leave the route segment at reduced speed, a representative speed of 40 mph is used. • For all other segments, the representative speed will be the nearest value below the actual posted speeds. These conventions are expected to cover all route segments in the IDOT test corridor and operations under each of the train control systems being analyzed. Calculation of Stopping Distances The stopping distances are derived simply from applicable stopping distance formulas for passenger and freight trains. The formulas discussed in this section are those to bring the train to a stop from the moment that an unequipped train violated its movement authority, such as by passing a stop signal, including adding (at this stage in the calculation) the “free-running” distance traveled by the train during timeout, latency and/or allowances in the on-board system for engineer response. Passenger trains: The analysis uses a standard formula for Amtrak trains provided by Amtrak and used for all braking distance calculations for the NAJPTC project. The formulas are of the form: Braking distance in feet from speed V to stop on level track is given by: [{(A × V2) + (B × V)} × (safety factor)] + [C × V × 1.467] ........................................................ (1) where: V is train speed in miles per hour. A is a coefficient representing the average braking effort and, therefore, deceleration of the train, and depends on consist makeup and the braking performance of the cars in the consist. B is a coefficient representing the time taken for the braking system to build up to full effort after braking is initiated by the engineer and also some nonlinearity’s in brake system performance. The value of B also depends on the consist and car brake performance specification. The safety factor is a multiplier on the braking distance to allow for low rail adhesion, defective brakes, very cold weather, and similar factors. A value of 1.25 for the factor is used. C is a delay in seconds in initiating braking caused by either timeout (with NAJPTC) or with cab signal systems, the delay between the locomotive detecting a more restrictive signal aspect and the initiation of penalty braking. The factor 1.467 converts speed in miles per hour into feet per second. A-17 Equation 1 accounts for grade compensation within the coefficients. The coefficients used in the calculations have been established in previous studies and are chosen on the basis of the type of train being considered. All passenger traffic on the test corridor has been categorized by Amtrak as described in Table A.2. Once a particular passenger train is “assigned,” a set of coefficients for use in Equation 1 is identified. Table A.2. Categories Used to Identify Passenger Trains Established by Amtrak Type Subtype Description B B1 A maximum of 2 P-40 or P-42 engines and not less than 2 and nor more than 14 Amfleet/Horizon cars in the consist. No nonpassenger carrying or Superliner cars are permitted. B2 A maximum of 1 P-40 or P-42 engine and 14 cars or fewer with no more than 1 nonpassenger carrying car for each Amfleet/Horizon car in the consist. No more than 2 of the nonpassenger carrying cars may be MHC cars (Series 1400-1569), and no Superliner cars are permitted. B3 A maximum of 1 P-40 or P-42 engine, and 14 cars or less with no more than 2 RoadRailer vans for each Amfleet/Horizon car in the consist. No MHC cars, baggage cars, or Superliner cars permitted. C† C1 A maximum of 2 P-40 or P-42 engines and 14 cars or fewer with a minimum of 3 Amfleet, Horizon, or Superliner cars. A maximum of 11 nonpassenger carrying cars are permitted. C2 A maximum of 3 P-40 or P-42 engines and 15–30 cars with a minimum of 7 Amfleet/Horizon or 9 Superliner cars. Not more than 1 baggage car is permitted. No MHC cars are permitted. The remaining cars in the consist may be express cars, including RoadRailers. D – All trains not fitting the above categories, with speed is limited to 90 mph. †Train Type “C” has a maximum speed of 90 mph. Superliners are currently qualified to go up to 90 mph, but it is Amtrak’s belief that on a Class 6 track with a qualified train control system, Superliners can be qualified to go up to 110 mph. This could result in Type “C” trains under Subtype C1 being qualified to operate up to 110 mph, if all nonpassenger carrying cars are MHC and/or baggage cars. All passenger trains considered in this analysis are taken to be Train Type “B” and the appropriate coefficients are applied to Equation 1. Freight trains: The freight train braking distance formula is a version of the Davis formula. The braking distance to a stop from speed V on level track is given by: [1.467 × V × (brake application time)] + [P × (train weight in pounds (lbs)) × V2 /(braking force)] + [C × V × 1.467] .................. (2) where: V is train speed in miles per hour. A-18 Brake application time (seconds) is 0.1 times the number of cars in the consist. P is a coefficient equal to 0.035 for typical freight trains. Braking force is a function of the number and types of cars in the consist and is expressed in pounds. C is a delay, in seconds, in initiating braking. For NAJPTC, this is a function of timeout or latency. In cab signal systems, the delay is between the locomotive detecting a more restrictive signal aspect and the initiation of penalty braking. 1.467 is the multiplier converting speed in miles per hour to feet per second. Equation 2 assumes very limited braking capabilities (worst case margin) and is effective for a very nominal grade. The coefficients used for braking distance calculations are summarized below: Table A.3. Values Used in Braking Distance Calculations Train Type Coefficients Values Passenger Coefficient A 0.666 Coefficient B 0 Safety factor 1.25 Coefficient C Latency or timeout in seconds Freight Coefficient P 0.035 Application time 0.1 × number of cars in train Train weight 37,600,000 lbs Brake force 779,683 Coefficient C Timeout or latency in seconds A-21 • Almost all encounters between trains on the IDOT test corridor meet where trains traveling at opposite directions meet at a controlled passing siding. Because of the sparse traffic operating on single track and the specific scheduling shown in the string charts, relatively few overtaking moves take place (that could lead to the scenarios on pages E-28 and E-29 or of trains leaving an industrial siding) when another train is nearby. This means that the scenarios on pages E-15 and E-16 involving trains traveling in opposite directions are more likely to occur on this corridor than the other scenarios. • The logic of whether the PTC system can prevent or mitigate a collision is similar in all scenarios. Although there will be detailed differences in accident preventability, these are thought to be not great enough to seriously distort the end result. • The relative likelihood of head-on, rear-end, and side collisions and differences in consequences between head-on and side or rear-end collisions are still represented in the model in the analyses in Worksheet 2. In either Sub-scenario shown in Figure A.4, the presumption is that the stop signal violation by the unequipped train is detected, either by a switch monitor (due to “run through” of the switch that is not aligned for the movement of the guilty train) or by the track circuit of the next block. This information is transmitted to the PTC server, which generates a command to the equipped train to stop. This command is then transmitted to the train; the manner in which the violation is detected and the stop command is transmitted to the equipped train is shown in Figure A.5. Figure A.5. NAJPTC Communications Links Intermediate S ignal C P S ignal S P AD Unequipped C ommunications Network NAJ P T C S erver Dis patc hers Des k C AD S ys tem S witc h, s ignal, trac k c ircuit s tatus from WIUs L oc ation, S peed, Direc tion P T C Movement Authorities A-22 After a signal violation by the unequipped train, the NAJPTC system underwent the following sequence of events: • The signal violation is detected by switch position sensors and, if the PTC-equipped train has not passed the intermediate signal (to the left of the diagram Figure A.5), by the track circuit in the signal block between the trains. • The sensor information is transmitted to the WIUs at the Control Point signal and then transmitted by digital radio to the NAJPTC server. • The intermediate signal turns from all clear (green) to stop (red), because the violating train occupies the next block. If the PTC-equipped train has passed the intermediate signal, the block is already occupied, and the intermediate signal is behind the equipped train and does not play any part in subsequent events. • The NAJPTC processor in the server interprets the sensor data, determines that the unequipped train has passed a stop signal, and issues a message to the equipped train, cancelling its previous authority and requiring an immediate stop. • The equipped train starts to brake in response to the stop command to prevent or mitigate the collision. • The unequipped train that passed the red signal may continue to travel through the block, getting closer to the approaching PTC-equipped train, or the crew may become aware of the error and stop. In this analysis, the unequipped train is assumed to continue moving at 15 mph, and collision points are calculated taking into account the distance traveled at this speed. The time interval between the original signal violation and the receipt of the stop command by the equipped train is the sum of the processing time at each stage, in the WIUs, the radio transmitters and receivers, processing time at the central server and processing time on the equipped locomotive. If the PTC system is working normally, this time is called latency and may include radio transmission delays as a result of message queuing or congestion of the radio channels. If the PTC system is in timeout due to a communications failure or overload, the message is interrupted at some point in the process and does not reach the equipped train. The equipped train continues running under the previous authority until the timeout expires and the brakes are applied. The response of the equipped train depends on timeout status and its location when the signal violation takes place. For the purposes of risk calculations, a series of risk zones are defined for the position of the equipped or “innocent” train at the time of the signal violation by the guilty (unequipped) train. An illustration of these risk zones is provided on Figure A.6. In this case, Point Z corresponds to the signal at the switch that is shown as the green signal in Figure A.4. A-23 Figure A.6. Risk Zones for Equipped Train Approaching a Point of Conflict The ability of the equipped train to stop before colliding with the violating train depends on its risk zone location at the time of violation and timeout status. The zones for the location of the equipped train at the time of the violation are as follows: Risk Zone A1, between Points Y and Z: equipped train is unable to stop or reduce speed significantly before reaching the point of conflict, which lies to the left of Point Z The calculation of the length of this and the other risk zones includes an estimate of the distance traveled by the guilty train after passing the signal at the end of the siding. Risk Zone A2, between Points X and Y: equipped train can reduce speed sufficiently to reduce the consequences of a collision but is unable to stop before reaching the point of conflict. A discussion of what speed reduction is needed to reduce consequences significantly is provided later in this section. Risk Zone B, between Points W and X: equipped train has passed the intermediate signal at Point W but receives a warning or the NAJPTC timeout expires and is able to stop before the point of conflict. Note that Figure A.6 illustrates the situation where Points X and Y are located between Point W (location of intermediate signal) and Point Z. However, the lengths of Zones A1 and A2 depend on train speed, latency, timeout, and braking performance. Therefore, it is possible for the length of either Zone A1 or Zones A1 + A2 to exceed the distance between Points W and Z. In this case, there is no Zone B, and the end of either Zone A1 or Zone A2 remote from Point Z is always at Point W. Practically, this situation typically arises at higher speeds and when the NAJPTC system is in timeout, because distances between signals are typically longer than the braking distance from maximum posted speed. However, with timeout exceeding 120 s and a speed of 79 mph, the distance traveled during 50 percent of the timeout is on the order of 7,000 feet, which when added to braking distance often exceeds signal block length. Risk Zone C, before the intermediate signal at Point W: if the equipped train is in this zone at the time of the signal violation by the unequipped train, the engineer can see the P oint W Intermediate S ignal C P S ignal Zone A1 Zone A2 Zone B Zone C P oint X P oint Y P oint Z A-26 Most likely there is so much variability in freight train consists—length of train, length of individual cars, whether cars are loaded or empty, and so on—that there is no specific speed at which different accident consequences come to the fore. The predominant derailment mode of freight trains is buckling, and given the strength and rigidity of typical freight locomotive structures, it is likely that the bulk of collision energy is dissipated in car derailment and buckling. No further information is readily available without carrying out further detailed analysis of the FRA database. Given this rather sketchy information, it is only possible to make an arbitrary decision regarding a speed threshold for reduced consequences in freight train collisions of 35 mph. At this speed it is likely that most collisions result in the derailment and buckling of several cars in the train. Calculation of Zone Length Using the arguments detailed above, risk zone lengths are calculated as follows: Risk Zone A1 (between Points Y and Z in Figure A.6): If within Zone A1, the equipped train is unable to stop or significantly reduce speed before reaching the point of conflict. Length of zone is estimated by calculating the braking distance to stop as derived from the above formulas for the specific train type, representative speed in the signal block, train control system and timeout status, and subtracting the distance needed to brake from 80 percent of the representative speed for the segment for each applicable train type. Then the distance traveled by the guilty unequipped train in the time needed for the PTC-equipped train to reduce speed to 60 mph is added to the braking distance to calculate the total distance between Points Y and Z (at the switch at the siding exit). For both passenger and freight trains, the brakes are assumed to be fully applied when the train has slowed to 60 mph for passenger trains or 35 mph for freight trains, and that the train will continue to slow down at constant retardation to a stop. With constant retardation, the distance to stop from of the initial speed is given by the V2 term in both the freight and passenger formulas. Thus the formulas for the length of Zone A1 are: Passenger Trains: [Distance to stop from the representative speed V per Equation 1)] – [A × 602] + [Distance traveled by guilty unequipped train in the time needed to reduce speed to 60 mph] ............................................................... (3) This formula reflects the convention discussed earlier in this section, where reduced consequences apply when speed is reduced to 60 mph or below. If initial speed is below 60 mph, then consequences are unchanged through Zones A1 and A2, and there is no difference in consequences between the zones. A-27 Freight Trains: [Distance to stop from the representative speed V per Equation 2] – [P × (train weight in lbs) × 352 / (braking force)] + [distance traveled by guilty unequipped train in the time needed to reduce speed to 60 mph] ......... (4) This formula reflects the convention discussed earlier in this section, where reduced consequences apply when speed has been reduced to 35 mph. As with passenger trains, if initial speed is below 35 mph, no difference is found on consequences between Zones A1 and A2. Equations 3 and 4 include a term to represent the distance traveled by the guilty train before the collision, extending the length of Zones A1 and A2. The distances traveled by the slow-moving guilty trains (assumed to be traveling at 15 mph) in the times taken for the equipped (innocent) train to reduce speed or to come to a stop in Zones A1 and A2, respectively. The total length of Zones A1 and A2 is thus the sum of the distance traveled by the innocent train while braking (including free running during latency or timeout) and the distances traveled by the guilty train. As mentioned above, it is possible that with longer timeout periods and higher speeds that the length of Zone A1, as calculated above, will exceed the total length of the signal block between Points W and Z. In this case, the entire signal block is in Zone A1, indicating that a collision following a SPAD violation by the unequipped train cannot be prevented or mitigated, and the lengths of Zones A2 and B are zero. Risk Zone A2 (between Points X and Y in Figure A.6): If within this zone, the equipped train can slow sufficiently to mitigate the consequences of a collision, but the collision cannot be prevented. The length of this zone in every case is the distance to slow from 60 mph for passenger trains and 35 mph for freight trains to a full stop with full service braking. Zone lengths are given by the following formulas, applicable to all control systems and control system states. Risk Zone A2 lengths are independent of whether the NAJPTC system is in timeout. Passenger Trains: Zone A2 = [A × 602] + [distance traveled by guilty train while equipped train stops] ................................................................. (5) Freight Trains: Zone A2 = [P × (train weight in lbs) × 352 / (braking force)] + [distance traveled by guilty train while equipped train stops] ............ (6) As with Zone A1, it is possible that the combined length of Zone A1 + Zone A2 is greater than the block length. In this case, the length of Zone B, between Point X and Point W in Figure A.6 is zero. Also, the combined lengths of Zones A1 and A2 cannot exceed the block length. If the sum of A1 and A2 calculated from the formulas above exceeds block length, but Zone A1 is less than the block length, then the length of Zone A2 is given by: Length of Zone A2 = block length – length of Zone A1 ...................................... (7) A-28 Risk Zone B (between Points X and W in Figure A.6): If the equipped train is within this zone, it can stop before the point of conflict. Zone B exists only if the total length of Zones A1 and A2 is less than the signal block length, and its length is given by the formula: Length Zone B = signal block length – (length of Zone A1 + length of Zone A2) ................................. (8) If the length so calculated is less that zero, then the length of Zone B is zero. Risk Zone C (Before Point W in Figure A.6): As discussed above, if the train is in Zone C and has not passed the wayside signal at point “W,” the engineer will, in almost every case, respond to the changing aspect of the signal at point “W” and may be able to prevent or mitigate the collision independently of PTC state. In the reference (CTC) case, there will be a low but finite probability that the engineer will fail to respond to the point “W” signal. With NAJPTC in normal mode, and with the cab signal systems, the in-cab system will be able to respond after the latency delay after the signal aspect change. Therefore, there is a chance of a “PTC-caused” collision, where overreliance on PTC resulted in a missed wayside signal and a collision. The situation when the NAJPTC system is in timeout is similar to latency, except that the train will potentially travel a greater distance between when the line side signal changes aspect in response to the signal violation by the guilty train and when the on-board PTC system initiates braking after timeout has expired. Thus, the in-cab system and displays will indicate “all-clear” for the remaining duration of timeout after the wayside signal has changed aspect. Although the operating rules require that the train crew comply with the most restrictive aspect in the case of conflicting indications, the “all-clear” on-board display during timeout or latency is potentially misleading, and could increase the chance of the crew failing to comply with the wayside signal. For example, the crew could “see” the aspect they expect at the wayside signal rather than the aspect that is actually displayed. This means that collision risk could actually be greater with PTC than for the reference CTC system when the train is in Zone C. The analysis provides for a risk increment to be added based on the distance the equipped train travels during latency or timeout in Zone C. The distance traveled in timeout state in Zone C is calculated from the formulas below, assuming that: a) The NAJPTC system is in timeout or latency, and b) [A1 + A2] exceeds the length of the signal block and overlaps into Zone C. The distance traveled in timeout or latency in Zone C is then the smaller of the following: Total distance in timeout, given by [C × V × 1.467] or overlap of A1 + A2 into Zone C, given by [A1 + A2] – [signal block length] B-2 observe signal indications or operating instructions. This calculation is performed in Table 2.1a of the Excel worksheet. Table 2.1b performs the equivalent calculation for diamond crossing accidents, assuming all trains operating in the crossing direction are unequipped. Step 5: Develop a preventability matrix The preventability matrix gives numerical estimates of what percentage of CTC base case collisions can be prevented when the control system (PTC, cab signal with ATS or cab signal with ATC) is activated. For example, most collisions between two equipped trains will be prevented by PTC, but collisions between two unequipped trains will not. Preventability estimates for collisions between an equipped and an unequipped train are derived from the calculations in Worksheet 1. All these calculations are performed in Table 2.3a of the Excel worksheet. Table 2.3b performs the equivalent calculation for diamond crossing accidents. Table 2.2 contains the results from the preventability calculation transferred from Worksheet 1. Step 6: Estimate CTC reference case accident frequencies Accident frequencies expressed as collisions per million train-miles were estimated for the CTC reference case from historic accident data and detailed accident reports. The detailed reports were used to obtain a rough estimate of rates by segment type, because these descriptions provide specific information on the location of a collision relative to sidings and other track features. These data, transferred from the Inputs worksheet, are inputs to Tables 2.4 and 2.5 of this Excel worksheet, which calculate frequencies for passenger trains in collisions and freight trains on collisions, respectively. Step 7: Calculate frequencies of trains in collisions for freight and passenger trains The frequencies were estimated by combining the outputs from Steps 4, 5, and 6 and separating freight and passenger trains. The separation is required so that accident consequences can be estimated separately by train type. A vast difference occurs in consequences between freight and passenger trains involved in collisions, thus frequencies must be estimated individually. These calculations for passenger trains are performed in Table 2.4a of the Excel worksheet. Table 2.4b is the equivalent calculation for passenger trains in diamond crossing collisions and Tables 2.5a and 2.5b are the calculations for freight trains. B-3 Step 1: Define Train Pairs in Collisions (passenger/freight, equipped/unequipped) S tep 2: P rimary Dis tribution of C ollis ions by T rain P airs S tep 3: Dis tribution between Head-on and R ear/S ide C ollis ions S tep4: C alculate Dis tribution of C ollis ions by T rain P air, C ollis ion T ype and whic h T rain Is the “ G uilty T rain” S tep 6: R eference C as e (C T C ) C ollis ion F requenc y S tep 5: P reventability Matrix - P ercent R eferenc e C as e C ollis ions P revented or Mitigated by the T rain C ontrol S ys tem (from Works heet 1) S tep 7: C alc ulate F requenc ies of T rains in C ollis ions for F reight and P as s enger T rains Figure B.1. Flowchart for the Calculation of Collision Frequencies by Train Pair in Collisions Conducted in Worksheet 2 Output to Works heet 3 B-4 B.2 Collision Probabilities This section addresses the methodology for estimating the distribution of collision accidents among different types of trains (passenger or freight, and PTC-equipped or PTC-unequipped) and among collision scenarios (head-on, rear-end, or side collisions). The calculations comprise Steps 1 to 4 as illustrated in Figure B1. The end product of this calculation is a tabulation of accident distribution by train and collision type, expressed as a fraction of total train-to-train collision accidents. The distribution is first calculated assuming that the train control system (PTC or other) is inactive, and trains are operating under CTC (i.e., for the reference case). The calculations are implemented for a specific analysis case, route Sub-corridor, train control system operating state, and season of the year. These data form the input to Steps 5 to 7 of the analysis. First, the distribution is multiplied by estimated collision accident frequency to obtain individual accident frequencies for each collision scenario. Then the resulting frequencies are multiplied by a collision preventability matrix that contains estimates of the fraction of collision accidents that would be prevented by activating the train control system. The values for collisions between PTC-equipped and PTC-unequipped trains are obtained from Worksheet 1. The following paragraphs describe Steps 1 to 4 of this procedure Step 1: Identification of train pairs in collisions The traffic on the IDOT test corridor consists of a mix of passenger and freight trains, and in the case of the freight trains and the NAJPTC analysis cases, the locomotives may or may not be equipped with PTC. Thus, head-on, rear-end, or side collisions are possible between any feasible combination of these train types. The feasible combinations, divided into three groups, are listed below: Table B.1. Colliding Train Types in Feasible Collisions Group Colliding train types Collisions between equipped trains Equipped passenger to equipped passenger Equipped passenger to equipped freight Equipped freight to equipped freight Collisions between an equipped and an unequipped train Equipped passenger to unequipped freight Equipped freight to unequipped freight Collisions between unequipped trains Unequipped freight to unequipped freight In the analysis, cases of cab signal with ATS and cab signal with ATC are train control systems in which all trains are equipped and the set of collision pairs to be analyzed are reduced to the three collision pairs in the first group of collisions between equipped trains with a zero probability for the other train pairs.