Risk Assessment of Positive Train Control by Using Simulation of Rare Events
Article in Transportation Research Record Journal of the Transportation Research Board · December 2012
DOI: 10.3141/2289-05
T. Meyers, A. Stambouli, and D. Brod, DecisionTek, LLC, 6337 Executive Boulevard, Rockville, MD 20852. K. McClure, Federal Railroad Administration, Office of Railroad Policy and Development, 1200 New Jersey Avenue, SE, Mail Stop 20, Washington, D.C. 20590. Corresponding author: T. Meyers, tmeyers@decisiontek.com.

Transportation Research Record: Journal of the Transportation Research Board, No. 2289, Transportation Research Board of the National Academies, Washington, D.C., 2012, pp. 34–41. DOI: 10.3141/2289-05

The risk assessment of positive train control (PTC) presents a number of challenges that can be addressed through simulation, a common tool for analyzing large, complex stochastic systems. The combined analysis of a simulated rail system with safety models that track the propagation of human errors and equipment failures toward hazards and accidents (or their eventual safe resolution) enables the prediction of accidents and their probability of occurrence for a base case without PTC and an alternate case with PTC. Accidents are rare events, and when probabilities of rare events are estimated, efficiency is a major concern because the computer resources required for statistically reliable estimates are usually overwhelming. The problem of efficiency can be addressed through multilevel splitting, or staged simulation. The basic idea of splitting is to create separate copies of the simulation whenever it approaches the rare event. The FRA generalized train movement simulator (GTMS) integrates a rail system simulator with safety models and staged simulation to arrive at metrics of safety and risk that meet federal regulatory requirements. The simulation techniques used and a description of their implementation in the GTMS are presented. The paper concludes with a case study risk assessment, conducted with the GTMS, of a nonvital overlay PTC system for a Class I railroad.

For a number of years FRA has sought to develop tools that support positive train control (PTC) risk assessment and the evaluation of system safety risk in general, by focusing efforts on simulation methods. These methods derive from simulation of the railroad physical plant, human agents, and the causal chains leading to accidents provided by FRA and the railroad industry. As such, the methods hold the promise of improved transparency in developing simulated results that describe risk while confirming the likely sequencing of hazardous events leading to accidents and other unsafe incidents.

Conventional simulation methods, such as Monte Carlo, are adequate for examining the probabilities associated with common operational occurrences. However, using Monte Carlo simulation to derive statistically reliable estimates of rare events, such as accidents and their predecessor events, requires enormous computational resources, thus rendering Monte Carlo simulation impractical for this purpose.

In its development of a generalized train movement simulator (GTMS) system, FRA has implemented an alternative to Monte Carlo simulation. The alternative uses staged simulation, which generates the sought-after analytic outcomes while using a fraction of the computer resources. This paper describes the methods that were implemented in the GTMS and presents the findings of a PTC risk assessment for a nonvital overlay system that was conducted with the GTMS.

Research Background

The Rail Safety Improvement Act of 2008 mandates the implementation and operation of PTC systems by 2015 on intercity passenger rail lines and on Class I freight railroads in which annual tonnage exceeds a specified threshold. PTC provides added safety, at a minimum, through in-cab information and enforced braking, which stops trains at the end of their movement authority and prevents overspeeding and work zone incursions.

A nonvital PTC overlay system is a type of PTC system that operates in conjunction with the existing traffic control and braking systems. In the event of a PTC system failure, the existing systems remain fully operational and perform their safety-critical functions. According to the 2010 PTC Rule, the initial installation of nonvital overlay systems requires a risk assessment as part of the approval process. The risk assessment must demonstrate that the level of risk on a rail network using a proposed PTC system is 80% lower than the risk before PTC installation. Subsequent PTC installations or modifications on the same rail network must maintain at least the same level of safety as the initial PTC installation.

The 80% reduction in risk for PTC-preventable accidents can be expressed by forecast accidents and incidents, or by measures of frequency (i.e., mean time to accident or accidents per million train miles), that reflect the inherent safety risk in the system. Risk assessment results are presented for a base case scenario (before proposed PTC implementation) and an alternate case scenario (after proposed PTC implementation), which permits a side-by-side comparison and straightforward evaluation of the reduction in risk provided by the new technology.

The challenge of conducting PTC risk assessments lies in the ability to provide results that reflect the accumulated risk of the proposed system over its life cycle while ensuring that these results are statistically reliable. Several approaches exist for assessing rare-event probabilities. In railroads, the events leading to hazards and the evolution of a hazard to an incident or accident, along with the severity of the accident, are highly dependent on the operating environment and the specifics of each accident. From the point of view of event specificity, simulation techniques are perhaps the best means for assessing safety risk. Researchers have recognized for
some time that simulation techniques hold significant promise for PTC risk assessment. Several studies were conducted on the topic in the late 1980s and early 1990s by the Draper Laboratory and in the early 2000s by the University of Virginia's Center of Railroad Safety–Critical Excellence.

With Monte Carlo simulation, the computer system simulates railroad operations for an extended period of time and generates accidents or other hazardous events of interest to arrive at statistically reliable estimates of the frequency of accident occurrence. However, generating a sufficient number of rare events through simulation for statistically reliable estimates will overwhelm any computing system and take an unacceptably long time to produce useful results.

A more appropriate methodology for rare-event simulation is the use of a multilevel splitting technique, which splits the simulation into stages (or levels) at each of a series of events known to lead to an accident. Each time an event occurs that brings the simulation closer to the sought-after rare event, the system state is stored. These stored system states are used as starting points for the next simulation level. In this way, the problem space is reduced and the analysis focuses on those paths that have some probability of culminating in an event of interest while ignoring those paths that have no such probability. This technique yields a comprehensive risk assessment that is conducted within practical constraints while providing statistically reliable outcomes.

Theoretical Approach

In simulation, a rare event probability γ is estimated by dividing the number of observed occurrences by the number of trials n (in this context a "trial" can be viewed as an hour of railroad operations). A measure of statistical reliability is the relative error, defined as the standard deviation of the estimator divided by its mean. The relative error of the estimator $\hat{\gamma}$ is approximately $1/\sqrt{n\gamma}$ (for small γ the standard deviation of a binomial proportion estimate is about $\sqrt{\gamma/n}$, and dividing by the mean γ gives $1/\sqrt{n\gamma}$); therefore, the number of required trials, $n \approx 1/(\mathrm{RE}^2\gamma)$, grows inversely with the square of the desired relative error, and inversely with γ itself.

An alternative approach that has been successfully applied to rare event problems is splitting, or staged simulation. The premise of staged simulation is to create copies of the simulation state at each split or occurrence of an event that brings the system closer to the rare event of interest (1). When sufficient splits are collected, they are used as the starting points for the next simulation stage. By defining multiple stages (or levels) at which a split can occur, the staged simulation technique preserves simulation resources by focusing only on generating the events that have a better chance of leading to the sought-after rare event. The accuracy of this method depends on how the splits are defined and the number of events harvested at each level.

Staged simulation is well suited for predicting railroad accidents or incidents. Generally, the path to a train accident or incident is forged by a well-known sequence of events, or causal chain, which incrementally elevates the risk of the system until all preconditions for an accident are met. For example, one possible causal chain for a head-to-head collision accident occurs as follows: (a) a train crew fails to initiate on-time braking when approaching its end of authority; (b) the train exceeds its authority by entering a block in which it has no authority to proceed; and (c) a second train is granted authority for the block it enters and may collide with the first train depending on their relative positions and speeds. Each event in this example brings the system closer to an accident and is thus defined as the start of a new simulation level.

Staged simulations are conducted in levels. In each level, all available computing resources are used to generate events of interest, or occurrences, for that level. In the first level, Level 0, the sought-after events are those that initiate the causal chains that lead to accidents. With the previous example, a Level 0 event would be "train crew fails to initiate on-time braking when approaching its end of authority." During a Level 0 simulation, trains are permitted to run in the system for a specified time period (say, 5 years). When a Level 0 event occurs, the simulation does the following: (a) the system state is captured and stored and then (b) the human error or system failure is corrected for continued safe rail operations. The "system state" is the entire simulated railroad operating environment at the time of the occurrence and includes the time, position, and speed of each train; the position of each switch; the aspect of each signal; and all movement authorities that have been granted by the central dispatcher and traffic control system. At the end of a Level 0 simulation, a pool of system states has been captured at each point where a causal chain originating event has occurred.

The next simulation level, Level 1, seeks to generate the events that extend the causal chains initiated in Level 0. Revisiting the previous example, a Level 1 event would be "the train exceeds its authority, entering a block in which it has no authority to proceed." To generate Level 1 events, the Level 1 simulation randomly samples from the pool of system states captured in Level 0 and resumes each simulation at the point at which its system state was stored. By simulating in this manner, each simulation trial begins from a Level 0 event and has a better chance of generating a Level 1 event, bringing the system closer to generating the rare event. When a Level 1 event occurs, the simulation does the following: (a) the system state is captured and stored and then (b) the simulation trial ends and thus prompts the Level 1 simulation to sample a new system state from the Level 0 pool.

A staged simulation can have as many levels as needed to control the unfolding of causal chains. All simulation levels after Level 1 follow the same process, sampling from the previous level's pool of system states to generate a new event of interest in the causal chain. In the final level, rare events are generated. With the previous example of head-to-head collisions, the probability of such accidents can be estimated after a sufficient number of them are generated by using a series of outputs produced in each level of the staged simulation.

The probability of a head-to-head collision can be stated as the mean time to accident, defined as

$$\mathrm{MTTA}_{HHC} = \frac{\mathrm{MTTH}}{p_{HHC|EAH}} \qquad (1)$$

where MTTH is the mean time to hazard, or the Level 1 event of interest from which the accident was generated. The variable $p_{HHC|EAH}$ is the probability of a head-to-head collision, given that a hazardous condition has occurred. In this case, a train exceeds its authority and encroaches on the authorized path of another train.

At each level, the probability of the level event, or p, is equal to the number of occurrences divided by the number of simulation trials required to generate those occurrences. The conditional probability of a rare event rail accident is $p_1 \cdot p_2 \cdots p_n$, where n is the number of simulation levels.

The mean time at each level event is the mean time to the previous level event divided by the current level probability, except for Level 0. The mean time to the Level 0 event of interest is equal to the total hours of Level 0 computer run time divided by the number
of errors or failures generated during that time. The formulas for the staged simulation metrics are given below.

Level 0

Mean time to error or failure is defined as

$$\mathrm{MTTE} = \frac{T_E}{N_E} \qquad (2)$$

where $T_E$ is the total hours of operations in Level 0 and $N_E$ is the number of error and failure events generated in Level 0.

Level 1

The probability of a hazardous event, given a human error or equipment failure, is defined as

$$p_{H|E} = \frac{N_H}{n_{T1}} \qquad (3)$$

where $N_H$ is the number of hazardous events generated in Level 1 and $n_{T1}$ is the number of Level 1 trials.

Mean time to hazardous event is defined as

$$\mathrm{MTTH} = \frac{\mathrm{MTTE}}{p_{H|E}} \qquad (4)$$

Level 2

The imputed probability of an accident is defined as

$$p_{A|H} = \frac{N_A}{n_{T2}} \qquad (5)$$

where $N_A$ is the number of accidents generated in Level 2 and Level 1 and $n_{T2}$ is the number of Level 2 trials.

Mean time to accident is defined as

$$\mathrm{MTTA} = \frac{\mathrm{MTTH}}{p_{A|H}} \qquad (6)$$

Conditions for the sufficiency of the duration of the Level 0 simulation and the number of trials for the Level 1 and Level 2 simulations, as well as an optimal allocation of computer resources across levels, can be derived [see Shortle et al. (1)]. A simple test for the sufficiency of the number of trials at each level is that the estimated mean conditional probability and its variance are stable and do not change with added trials.

The theoretical approach described above was implemented in FRA's GTMS software. The GTMS contains a train movement model and a train dispatcher model, which are overlaid with a risk assessment model that generates accidents and other rare events of interest. The train movement model calculates the forces on the train, including tractive effort, the braking force, and the resistive force. The dispatcher model determines the path of trains through the simulated rail network and grants authorities for movement.

The GTMS uses a hybrid of fixed time interval and discrete event simulation in which train movements are calculated as discrete events and are synchronized to fixed time intervals (usually 60 to 180 s, but the interval can be reduced to as little as 5 s to capture a very granular sequence of events when unsafe situations occur).

Train Movement Model

The GTMS train movement model replicates realistic train movements over a rail system, calculating the forces acting on the train while considering terrain (grade), track geometry (curvature), track speed limits, and the specific consists of simulated trains. As a train moves along its route, the changing forces on the train determine its position, time, and speed in the simulated system (2).

The train receives its routing information and authority to move from the dispatcher model, and the train accelerates and decelerates according to its effective speed limit, which is derived from the track speed limit, granted authorities, and any speed restrictions in effect. Given the train consist (the list of locomotives and cars that make up the train) and the track, the trains advance with small incremental changes in speed until the forces on the train are in balance (subject to the speed limit). The resistive force on the train is recalculated on a car-by-car basis every 500 ft to account for changes in grade and track curvature. The train movement model determines a preferred throttle position in accordance with best train handling practice, which determines the tractive effort for the specified locomotive consist. The braking algorithm simulates dynamic braking with partial service air braking, and full service air braking as the last choice (or as an "enforced" option in the event of PTC corrective action).

Dispatcher Model

The dispatcher model operates on a node network that is overlaid on the real-world network of control blocks. A node represents an area of the simulated rail network that can be authorized to only a single train at a time. The dispatcher model determines the path of trains through the network and grants authorities for movement (3). Authorities are granted so as to achieve safe separation of trains and to facilitate train meets and the overtaking of lower priority trains. The dispatcher grants an authority to a train only if the movement of the train is free of conflict and will not cause deadlock. Authorities are revoked only after a train has executed a movement authority and exited the authorized block. Through the dispatcher model and the configuration of control blocks, alternative train control systems can be simulated. The dispatcher model lends itself to parameterization and implementation of traffic control strategies that replicate the traffic control of real-world alternatives, such as direct traffic control or centralized traffic control (CTC).

The GTMS risk assessment begins by defining the causal chains that link hazards, accidents, and incidents. Human errors and equipment failures initiate the causal chains that evolve into hazards and accidents or incidents, or resolve safely, depending on the interaction of trains, train crews, and dispatchers.
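Returning to Equations 2 through 6 and to the relative-error bound $\mathrm{RE} \approx 1/\sqrt{n\gamma}$ from the Theoretical Approach section, the following Python is an added worked example, not GTMS code and not from the paper. It propagates constructed per-level counts (5 years of Level 0 with 219 errors, 50 hazards in 1,000 Level 1 trials, 4 accidents in 2,000 Level 2 trials; none of these are case-study results) through the level formulas, then applies the same binomial bound to each conditional level probability to show why a staged run needs thousands of trials where crude Monte Carlo on the accident rate itself would need tens of thousands of simulated years. The per-level application of the bound and the `estimate_is_stable` window (it checks only the running mean, not the variance, and its tolerance is the example's choice) are the example's own extensions of what the paper states.

```python
"""Staged-simulation risk metrics (Equations 2 through 6) and the trial
budget implied by the relative-error bound RE ~ 1/sqrt(n * gamma).

Added example, not GTMS code. All level counts are constructed.
"""
import math

HOURS_PER_YEAR = 8760.0


def staged_metrics(T_E, N_E, N_H, n_T1, N_A, n_T2):
    """Propagate harvested counts through the level formulas (hours).

    T_E  : total simulated hours of Level 0 operations
    N_E  : human errors / equipment failures harvested in Level 0
    N_H  : hazards harvested from n_T1 Level 1 trials
    N_A  : accidents harvested from n_T2 Level 2 trials
    """
    if min(N_E, N_H, N_A) <= 0:
        raise ValueError("each level must harvest at least one event")
    mtte = T_E / N_E            # Eq. 2: mean time to error or failure
    p_h_e = N_H / n_T1          # Eq. 3: P(hazard | error or failure)
    mtth = mtte / p_h_e         # Eq. 4: mean time to hazard
    p_a_h = N_A / n_T2          # Eq. 5: P(accident | hazard)
    mtta = mtth / p_a_h         # Eq. 6: mean time to accident
    return {
        "MTTE_h": mtte,
        "p_H_given_E": p_h_e,
        "MTTH_h": mtth,
        "p_A_given_H": p_a_h,
        "MTTA_h": mtta,
        "MTTA_years": mtta / HOURS_PER_YEAR,
        # product of the level probabilities: P(accident | initiating error)
        "p_A_given_E": p_h_e * p_a_h,
        # hourly accident probability gamma: one accident per MTTA hours
        "gamma_per_h": 1.0 / mtta,
    }


def trials_for_relative_error(p, rel_err):
    """Trials n for a binomial estimate of p to reach relative error rel_err:
    RE ~ 1/sqrt(n p)  =>  n ~ 1/(RE^2 p)."""
    if not (0.0 < p <= 1.0) or rel_err <= 0.0:
        raise ValueError("p must be in (0, 1] and rel_err positive")
    return 1.0 / (rel_err ** 2 * p)


def monte_carlo_vs_staged(metrics, rel_err):
    """Budget for crude Monte Carlo (one trial = one simulated hour, so the
    estimated probability is gamma) versus the per-level budgets of a staged
    run, applying the same bound to each conditional level probability."""
    mc_hours = trials_for_relative_error(metrics["gamma_per_h"], rel_err)
    return {
        "monte_carlo_hours": mc_hours,
        "monte_carlo_years": mc_hours / HOURS_PER_YEAR,
        "level1_trials": trials_for_relative_error(metrics["p_H_given_E"], rel_err),
        "level2_trials": trials_for_relative_error(metrics["p_A_given_H"], rel_err),
    }


def estimate_is_stable(running_p, tol=0.05):
    """Sufficiency test in the spirit of the paper's "stable with added
    trials": running_p holds the level-probability estimate at successive
    trial counts (constructed by the caller); the estimate is called stable
    when the last three values agree within tol relative to the latest one."""
    if len(running_p) < 3:
        return False
    last = running_p[-3:]
    ref = last[-1]
    return ref > 0 and all(abs(x - ref) / ref <= tol for x in last)


if __name__ == "__main__":
    # constructed counts: 5 years of Level 0 with 219 errors, 50 hazards in
    # 1,000 Level 1 trials, 4 accidents in 2,000 Level 2 trials
    m = staged_metrics(5 * HOURS_PER_YEAR, 219, 50, 1000, 4, 2000)
    for k, v in m.items():
        print(f"{k:>14}: {v:,.6g}")
    c = monte_carlo_vs_staged(m, rel_err=0.10)
    print(f"crude Monte Carlo at 10% RE: {c['monte_carlo_years']:,.0f} simulated years")
    print(f"staged: {c['level1_trials']:,.0f} Level 1 and {c['level2_trials']:,.0f} Level 2 trials")
    print("Level 1 estimate stable:", estimate_is_stable([0.061, 0.052, 0.050, 0.0495, 0.049]))
```

With these constructed counts the chain gives MTTE = 200 h, MTTH = 4,000 h and MTTA = 2,000,000 h (about 228 years), i.e. γ = 5 × 10⁻⁷ per simulated hour; a 10% relative error would cost crude Monte Carlo about 2 × 10⁸ simulated hours (roughly 22,800 years), while the staged run needs on the order of 2,000 Level 1 and 50,000 Level 2 trials, each resumed from a stored state rather than run from an empty railroad.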
GTMS causal chains were developed in close cooperation with the FRA Office of Safety and the Class I railroads through the Railroad Safety Advisory Committee process established by FRA. Each causal chain begins with either human errors or equipment failures. The initiating human errors occur when train crews fail to observe operational directives from the dispatcher model. These human errors include failures to initiate on-time braking, heed work zones, and heed impending speed restrictions. Initiating equipment failures occur when simulated switches are misaligned or set against movement authority. Next, each causal chain links the human or equipment response to the initiating errors and failures. For example, train crews or the PTC system can intervene with corrective braking measures in response to the initial human errors.

After the initiation of a human error or equipment failure event, the interaction of trains, train crews, and dispatchers can allow one or more of the following hazards to occur:

• End of authority hazard occurs when a train enters track for which it has no movement authority.
• Misaligned switch hazard occurs when a train intersects a switch that is set in neither the normal nor the reverse position (misaligned).
• Unauthorized switch alignment hazard occurs when a train intersects a switch that is aligned against proper movement authority.
• Work zone incursion hazard occurs when a train encroaches into a work zone.
• Overspeed hazard occurs when a train crew violates an approaching speed restriction.

Finally, the hazards described above can evolve into one of the following accidents or incidents:

• Overspeed derailment,
• Emergency braking derailment,
• Enforcement braking derailment,
• Work zone accident or incident,
• Unauthorized alignment switch derailment,
• Misaligned switch derailment,
• Head-to-head collision,
• Head-to-tail collision, and
• Sideswipe collision.

GTMS Model Verification and Validation

The GTMS software developers, FRA staff, and participating Class I railroads have conducted GTMS model runs and reviewed the results to confirm that the train movement and dispatcher models successfully replicate railroad operations for the traffic levels, signaling systems, and railroad networks under review.

Case Study

…Appendix B to 49 CFR Part 236. Appendix B outlines the risk assessment criteria for systems that fall under Subpart H of the rule, which includes nonvital overlay PTC systems. The appendix describes the risk metrics, risk computation principles, and major systems and subsystems whose risks are to be included in a risk assessment.

The proposed system enforces compliance with the existing underlying CTC system, operating rules, and procedures and provides added protection against the consequences of human error and equipment failure. Railroad systemwide component failure rates and human error probabilities were used for the analysis.

Base case accident rates were within 5% of railroad industry rates on similar territory and operating environments. Alternate case results were reviewed by the railroad officials and the FRA Office of Safety and found acceptable. Alternate case results also aligned with the PTC component system failure rates.

Territory of Study and Operational Scenario

Territory Description

The rail system under study is 160 mi long and has very mild grades, usually less than 0.5%. The territory runs from northwest to southeast and has an interchange with another Class I railroad. The territory is mostly single-track with passing sidings. The numerous sidings in the territory have not been upgraded to handle trains with a 286,000-lb loaded car weight and will not carry trains in excess of 12,000 tons. This weight limit restricts traffic of loaded unit and coal trains to the main track, and when trains meet, the lower-weight train is always diverted to the siding. The overall track speed limit for the territory is 49 mph. Movements through switches in the reverse direction are restricted to 10 or 20 mph.

Traffic Control

The base case traffic control in the territory is CTC. In a CTC system, opposing and following train movements are authorized and governed by block signals, and the signal indication is the source of authority for the train crew. A proceed signal provides the needed train movement authority.

Operational Scenario

The high-traffic scenario assumes that 54 coal, unit, and general merchandise trains per week traverse the territory. The simulated trains operate continuously every day during the simulation period. Daily traffic varies from five to 12 trains per day and is made up mainly of empty and loaded coal trains that are up to 135 cars and 7,300 ft long. Loaded cars weigh up to 286,000 lb. The simulated period of operations is 25 years, which is the assumed life span of the proposed PTC system. During this period of analysis, 70,435 trains traveling 10,285,865 mi were simulated over the subdivision.
…with train movement authorities, speed restrictions, switch positions, and work zones and includes the following functionality:

• Movement authority enforcement
  – Predictively enforces end of authority with 75 s of a visual alert accompanied at the start by a momentary audible alert before enforcement,
  – Reactively protects against revoked authorities, and
  – Includes protection at territory entrance, transition, and exit (predictive on unambiguous track, reactive on ambiguous track);
• Speed limit enforcement
  – Pertains to all permanent and temporary speed limits,
  – Predictively enforces impending reduced speed limits with 75 s of a visual alert accompanied at the start by a momentary audible alert before enforcement, and
  – Reactively enforces an overspeed condition while providing audible and visual alerts (no specific duration) after the overspeed occurs until the enforcement threshold is reached;
• Work zone enforcement
  – Predictively enforces entrance into an unacknowledged work zone with 75 s of a visual alert accompanied at the start by a momentary audible alert before enforcement and
  – Reactively enforces continued movement after stopping in a work zone; and
• Wayside detection
  – Includes misaligned switch detection and broken rail detection and is provisioned for landslide detection, high-water detection, high-wind detection, high- and wide-load detection, misaligned bridge detection, warming bearing notification, dragging equipment notification, failed highway crossing, and other special signal devices.

Risk Assessment Inputs

The risk assessment inputs are used to populate the safety model and the staged simulation framework. Safety model parameters include human error rates, equipment failure rates, and accident or incident probabilities. These parameters intervene at different levels of the staged simulation described in the section on risk assessment methodology.

Human errors and equipment failures occur during Level 0 of the staged simulation and determine whether hazardous events are generated in Level 1. Accident and incident probabilities determine whether hazardous events generated in Level 1 resolve safely or result in an accident or incident in Level 2 of the staged simulation.

Human Errors and Equipment Failures

Rate of Train Operator Error The GTMS Safety Model relies on well-established human factors models and research to estimate the probability of human error, defined as the number of errors committed per 1,000 h of train operations (4). In the simulation model, a train operator commits an error in one of three ways:

• Train operator fails to deploy conventional braking on approaching the train's end of authority (in accordance with the simulation model train handling conventions, a full stop is implemented with dynamic braking combined with partial service air brakes with 10 psi set),
• Train operator fails to heed an impending speed restriction, and
• Train operator fails to heed an impending work zone.

Given the rate of error and the train operator unreliability for a shift $t_0$ hours long, the probability of error when action is required (the cumulative distribution of an exponentially distributed time to error, evaluated over the shift) is given by the formula

$$F(t_0) = 1 - e^{-\beta t_0} \qquad (7)$$

where β is the rate of operator error (errors per hour) and $t_0$ is the length of the operator shift in hours. The analysis assumes an operator shift of 10 h. Each time a train approaches its end of authority, a speed restriction, or a work zone, when the operator is required to brake (or heed an impending speed restriction or work zone), a random number is generated on (0, 1) (the interval of real numbers between 0 and 1), and if the value is less than that given by the above formula, then the simulation model triggers a human error event.

Given Train Operator Error, Mean Time Until Corrective Action Taken In the event that a train operator commits a fail-to-heed-end-of-authority error, the simulation model predicts the time elapsed (in seconds) until the operator realizes his or her error and initiates corrective action (i.e., applies emergency brakes). The time elapsed is modeled as an exponentially distributed random variable with cumulative distribution

$$F(t) = 1 - e^{-t/\mu} \qquad (8)$$

where µ is the mean time to corrective action (in seconds) and t is the time elapsed since the occurrence of the human error. The mean time to corrective action µ is set by using the "given train operator error, mean time until corrective action taken" parameter.

Probability of Misaligned Switch Given Approaching Train In the event that a train approaches a switch, the simulation model uses the "probability of misaligned switch given approaching train" parameter to predict whether the approaching switch is in a misaligned state. A misaligned switch is one that is set in neither the normal nor the reverse position. If the switch is misaligned, the train will not be given authority to proceed (the analysis assumes zero probability of failing to detect a misaligned switch).

Probability That Switch Is Aligned Against Movement Authority Given Approaching Train In the event that a train approaches a switch, the simulation model uses the "probability that switch is aligned against movement authority given approaching train" parameter to predict whether the approaching switch is set in an unauthorized position. A misaligned switch is one that is set in neither the normal nor the reverse position. If the switch is found to be set in the wrong position, the train will not be given authority to proceed (the analysis assumes zero probability of failing to detect a switch aligned against movement authority).

Rate of PTC Failure to Warn (Failures per Hour) In alternate case risk assessments (i.e., simulations of PTC-enabled rail systems), a warning is issued to the train crew in the event that

• The train operator fails to brake on approaching the train's end of authority,
• The train operator fails to heed an impending speed restriction, or
• The train operator fails to heed an approaching work zone.

The parameter "rate of PTC failure to warn" is the rate of an exponentially distributed random variable that determines whether the PTC system fails to operate correctly and warn the train crew to take action and avoid an unsafe condition. If the PTC equipment fails to warn the train crew, then it will attempt to enforce braking if the train crew fails to take corrective measures.

Rate of PTC Failure to Enforce Braking (Failures per Hour) In alternate case risk assessments, PTC enforces braking when

• The train crew fails to acknowledge PTC's warning of an impending hazard or
• PTC fails to warn the train crew of an impending hazard.

GTMS uses the "rate of PTC failure to enforce braking" as the parameter of an exponentially distributed random variable to determine whether the PTC equipment will enforce braking and stop the train before a hazard occurs. If the PTC equipment fails to enforce braking, the train crew may still correct and attempt to manually stop the train. If the crew fails to brake, then a hazard will occur.

Probability of Accident or Incident Given Hazardous Situation Parameters

Probability of Derailment from Emergency Braking Given a train operator error, the simulation model calculates the time elapsed until corrective action is initiated (i.e., deployment of emergency brakes). When emergency brakes are applied, the simulation model uses the "probability of derailment from emergency braking" parameter to determine whether the brake application results in a derailment.

Probability of Derailment for Misaligned Switch or Unauthorized Switch Alignment When a train approaches a switch that is misaligned or aligned against authorized movement, the signaling system detects the equipment failure and displays a restrictive aspect. If the train operator fails to heed the signal, the train can intersect the switch. The simulation model uses the "probability of derailment for misaligned switch or unauthorized switch alignment" parameter to predict whether the train's intersection with the switch results in a derailment.

Probability of Derailment Given Overspeed Hazard When a train operator fails to heed an impending speed restriction, he or she can produce an overspeed hazard. The simulation model uses the "probability of derailment given overspeed" parameter to predict whether the overspeed results in a derailment.

…of derailment from enforcement braking" parameter to determine whether the enforcement braking results in a derailment.

Probabilities of Derailments Given Hazards The probabilities of derailment given hazards were derived from published studies and expert opinion.

Safety Model Parameter Values

The parameters for the case study are shown in Table 1. Many of the safety model inputs were derived from industry averages, published studies, and expert opinion, and others were based on empirical or experiential information.

Accident Severity

Average accident severity costs per accident are based on publicly reported railroad data. Each accident type was assigned to one of two severity categories. The cost per incident in Category 1 ("less severe") was $168,837, and for Category 2 ("more severe") the cost per accident was $1,829,542. These per-accident costs were derived from the Class I railroad's average cost per accident for the 10-year period 1986 to 2005.

More severe accidents included head-to-head collisions, head-to-tail collisions, and sideswipe collisions. The less severe accidents included emergency braking and enforced braking derailments, misaligned switch derailment, work zone accident or incident, and overspeed derailment.

Staged Simulation Parameters

At each level of the simulation (0, 1, and 2), simulation parameters were selected to control simulation duration and randomness. Random seeds were used to yield a unique sequence of pseudorandom numbers to populate random variables at each level.

TABLE 1 Risk Assessment Parameter Values

Safety Model Parameter                                                                  Error or Failure Rate
Rate of train operator error (errors/h)                                                 0.0004
Given train operator error, mean time until corrective action taken (s)                 20
Probability of misaligned switch given approaching train                                0.01
Probability that switch is aligned against movement authority given approaching train   0.005
Probability of derailment from emergency braking                                        0.05
Rate of PTC failure to warn (failures/hr of train 0.005
Probability of Accident or Incident Given a Work Zone Incursion operations)
When a train operator fails to heed an approaching work zone, a Rate of PTC failure to enforce (failures/hr of train 0.005
work zone incursion hazard can result. The simulation model uses operations)
the “probability of accident or incident given a work zone incur- Probability of derailment from enforcement braking 0.005
sion” parameter to predict whether the incursion results in a work Probability of derailment for misaligned or mis-set switch 0.05
zone accident or incident.
Probability of derailment given overspeed 0.005
Probability of accident or incident given a work zone 0.01
Probability of Derailment from Enforcement Braking When
incursion
PTC enforces braking, the simulation model uses the “probability
40 Transportation Research Record 2289
For the Level 0 simulation, the required values are the start and end dates for the simulated period of operations. In Levels 1 and 2, the required value is the number of trials.

For the period of operations set in Level 0, the simulation allows human errors and equipment failures to occur. When an error or failure event occurs, the GTMS stores the system state at the point of occurrence for reuse as randomly sampled initial conditions in Level 1 trials. After storing the system state, the GTMS rolls back the failure or error and continues to operate safely until the next error or failure occurs.

In Levels 1 and 2, the number of trials determines how many times previous-level stored system states are drawn at random, reanimated, and simulated until a hazardous occurrence or a safe resolution. The probability of the event of interest at that level is then calculated as the number of occurrences divided by the number of trials. The mean time to a Level 1 or Level 2 event implied by the results (Tables 3 and 4) follows as the previous level's mean time to event divided by this probability.

TABLE 2 Level 0 Events by Type of Error and Failure
Level 0 Event | Scenario | Number of Level 0 Events in 25 Years | Mean Time to Level 0 Event (MTTE) (days)
Fail to heed work zone | Base case (non-PTC) | 70 | 130.43
Fail to heed work zone | Alternate case (with PTC) | 70 | 130.43
Fail to brake | Base case (non-PTC) | 225 | 40.58
Fail to brake | Alternate case (with PTC) | 225 | 40.58
Fail to heed speed restriction | Base case (non-PTC) | 695 | 13.14
Fail to heed speed restriction | Alternate case (with PTC) | 695 | 13.14
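As an added example (not GTMS code and not code from the paper), the following Python script runs the three-level scheme just described for a single error type, fail to heed a speed restriction, using the Table 1 rates and probabilities. It also serves the parameter descriptions above, because each Level 1 trial walks the warn, acknowledge, enforce and manual-brake chain they define. The train dynamics that fix how long the crew has to react (TIME_TO_HAZARD_RANGE_S), the PTC exposure window used to turn a failure rate into a per-trial failure probability (PTC_EXPOSURE_HOURS), the crew's probability of ignoring a PTC warning (P_CREW_IGNORES_WARNING) and the fleet operating hours per day are constructed assumptions of this example and are marked as such in the code.

```python
"""Staged (multilevel splitting) estimate of a rare accident probability.

Added illustration, not GTMS code. One error type is modelled end to end:
"fail to heed speed restriction" -> overspeed hazard -> overspeed derailment,
using the Table 1 values. The train dynamics that fix how long the crew has
to react, and the PTC exposure window that turns a failure *rate* into a
per-trial failure *probability*, are constructed assumptions (marked below).
"""
import math
import random

DAYS_PER_YEAR = 365.2             # 25 years = 9,130 days, as implied by Table 2

# Table 1 parameters
OPERATOR_ERROR_RATE = 0.0004      # errors per operating hour
MEAN_CORRECTION_TIME_S = 20.0     # mean time until corrective action (s)
PTC_FAIL_TO_WARN_RATE = 0.005     # failures per hour of train operations
PTC_FAIL_TO_ENFORCE_RATE = 0.005  # failures per hour of train operations
P_DERAIL_GIVEN_OVERSPEED = 0.005

# Constructed assumptions, not from the paper
TIME_TO_HAZARD_RANGE_S = (10.0, 60.0)  # seconds until the train reaches the restriction
PTC_EXPOSURE_HOURS = 10.0              # run length during which a PTC failure can arise
P_CREW_IGNORES_WARNING = 0.05          # crew fails to acknowledge a PTC warning


def exposure_failure(rng, rate_per_hour, exposure_hours):
    """Sample an exponential time-to-failure with this rate; the failure counts
    if it falls inside the exposure window, i.e. P = 1 - exp(-rate * exposure)."""
    return rng.expovariate(rate_per_hour) < exposure_hours


def level0(rng, years, ops_hours_per_day):
    """Level 0: errors arrive as a Poisson process over the period. Each one is
    stored (time of occurrence plus the situation the crew faces) and then
    rolled back, so operations continue safely until the next one."""
    total_hours = years * DAYS_PER_YEAR * ops_hours_per_day
    states, t = [], 0.0
    while True:
        t += rng.expovariate(OPERATOR_ERROR_RATE)
        if t > total_hours:
            return states
        states.append({"time_h": t,
                       "time_to_hazard_s": rng.uniform(*TIME_TO_HAZARD_RANGE_S)})


def level1_trial(rng, state, with_ptc):
    """Resume a stored error state; True if it ends in an overspeed hazard."""
    if rng.expovariate(1.0 / MEAN_CORRECTION_TIME_S) < state["time_to_hazard_s"]:
        return False                      # crew took corrective action in time
    if not with_ptc:
        return True                       # base case: nothing else intervenes
    warned = not exposure_failure(rng, PTC_FAIL_TO_WARN_RATE, PTC_EXPOSURE_HOURS)
    if warned and rng.random() >= P_CREW_IGNORES_WARNING:
        return False                      # crew acknowledged the warning and braked
    # warning absent or ignored: PTC attempts to enforce braking; hazard if it fails
    return exposure_failure(rng, PTC_FAIL_TO_ENFORCE_RATE, PTC_EXPOSURE_HOURS)


def level2_trial(rng, hazard_state):
    """Resume a stored hazard state; True if the overspeed derails the train.
    GTMS would drive this from the resumed dynamics; here only the Table 1
    probability is applied, so the state is carried but not inspected."""
    return rng.random() < P_DERAIL_GIVEN_OVERSPEED


def splitting_estimate(period_days, n_level0, trials1, hits1, trials2, hits2):
    """The text's estimator: p_i = occurrences / trials at each level, and the
    mean time to a level-i event is the previous level's divided by p_i."""
    mtte = period_days / n_level0
    p1 = hits1 / trials1 if trials1 else 0.0
    p2 = hits2 / trials2 if trials2 else 0.0
    mtth = mtte / p1 if p1 else math.inf
    mtta = mtth / p2 if p2 else math.inf
    return {"mtte_days": mtte, "p_hazard": p1, "mtth_days": mtth,
            "p_accident": p2, "mtta_days": mtta, "n_level0": n_level0}


def run(with_ptc, years=25, ops_hours_per_day=24.0, trials=20_000, seed=1):
    """Levels 0-2 for one scenario; ops_hours_per_day is the total train
    operating hours per day across the fleet (a constructed value)."""
    rng = random.Random(seed)
    errors = level0(rng, years, ops_hours_per_day)
    if not errors:
        raise ValueError("no Level 0 events; lengthen the period")
    # Level 1: draw stored error states at random and resume each one
    hazards = [s for s in (rng.choice(errors) for _ in range(trials))
               if level1_trial(rng, s, with_ptc)]
    # Level 2: the same from stored hazard states (no hazards => no trials)
    trials2 = trials if hazards else 0
    accidents = sum(level2_trial(rng, rng.choice(hazards)) for _ in range(trials2))
    return splitting_estimate(years * DAYS_PER_YEAR, len(errors),
                              trials, len(hazards), trials2, accidents)


if __name__ == "__main__":
    for case, ptc in (("base case (non-PTC)", False), ("alternate case (with PTC)", True)):
        est = run(ptc)
        # why splitting is needed: accidents a single unsplit 25-year run would expect
        direct = est["n_level0"] * est["p_hazard"] * est["p_accident"]
        print(f"{case}: P(hazard|error)={est['p_hazard']:.4f} "
              f"P(accident|hazard)={est['p_accident']:.4f} "
              f"MTTA={est['mtta_days']:,.0f} days; "
              f"a direct 25-year run would expect {direct:.3f} accidents")
```

`splitting_estimate` reproduces the implied mean times in Tables 2 through 4 from the published counts: 9,130 days, 695 events, 290 hazards in 6,800 trials and 135 accidents in 8,585 trials give 13.14, 308.03 and about 19,588 days. The printed "direct" figure is the point of the method: with roughly 88 errors over 25 operating-years and a per-error accident probability near 10^-3 in the base case, an unsplit 25-year run would expect well under one accident, and far fewer with PTC, so its accident count would carry almost no information.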
Risk Assessment Results

This section presents risk assessment results for a high-traffic scenario (54 trains per week).

Level 0 Results

The Level 0 simulation produced 990 Level 0 events during 25 years of simulated operations for both design cases. Level 0 results for the base and alternate cases are identical because PTC does not prevent errors and failures from occurring; it acts only after they occur. Table 2 displays the Level 0 simulation results and mean time to event by error and equipment failure type.

Level 1 Results

The Level 1 simulation produced 9,195 Level 1 events in the base case and 345 Level 1 events in the alternate case during 25 years of simulated operations. Table 3 shows the Level 1 risk assessment results: the number of Level 0 human errors or equipment failures that were sampled (trials), the number of hazards generated when the sampled simulations were resumed, and the mean time to hazard implied by these results. PTC prevented hazards for the majority of unsafe conditions originating from human errors or equipment failures.

Level 2 Results

The Level 2 simulation produced 435 Level 2 events in the base case and 170 Level 2 events in the alternate case during 25 years of simulated operations. Table 4 shows the Level 2 risk assessment results: the number of Level 1 hazards sampled (trials), the number of accidents generated when the sampled simulations were resumed, and the mean time to accident implied by the simulation outcomes. The nonvital PTC overlay system reduced accidents of all types stemming from hazardous situations initiated by human errors or equipment failures: no work zone accidents, head-to-head collisions, or switch derailments occurred in the alternate case, and the mean time to accident lengthened for every accident type that still occurred. The proposed nonvital PTC overlay system significantly reduced overall rail system operational risk.

TABLE 3 Level 1 Risk Assessment Results
Level 1 Event | Scenario | Level 0 Event Sampled | Trials | Hazards | Probability of Hazard | Mean Time to Hazard (days)
Work zone hazard | Base case (non-PTC) | Fail to heed work zone | 735 | 735 | 1 | 130.43
Work zone hazard | Alternate case (with PTC) | Fail to heed work zone | 795 | 50 | 0.06 | 2,073.79
End of authority hazard | Base case (non-PTC) | Fail to brake | 1,975 | 1,275 | 0.646 | 62.85
End of authority hazard | Alternate case (with PTC) | Fail to brake | 2,405 | 15 | 0.0062 | 6,505.9
Overspeed hazard | Base case (non-PTC) | Fail to heed speed restriction | 6,995 | 6,995 | 1 | 13.14
Overspeed hazard | Alternate case (with PTC) | Fail to heed speed restriction | 6,800 | 290 | 0.043 | 308.03
Exceeded authority hazard (misaligned switch) | Base case (non-PTC) | Fail to brake | 135 | 115 | 0.852 | 47.63
Exceeded authority hazard (misaligned switch) | Alternate case (with PTC) | Fail to brake | 140 | 0 | 0 | More than 300 years
Exceeded authority hazard (unauthorized switch alignment) | Base case (non-PTC) | Fail to brake | 160 | 140 | 0.875 | 46.37
Exceeded authority hazard (unauthorized switch alignment) | Alternate case (with PTC) | Fail to brake | 125 | 0 | 0 | More than 300 years
Meyers, Stambouli, McClure, and Brod 41

TABLE 4 Level 2 Risk Assessment Results
Level 2 Event | Scenario | Level 1 Hazard Sampled | Trials | Accidents | Probability of Accident | Mean Time to Accident (days)
Work zone accident | Base case (non-PTC) | Work zone hazard | 830 | 15 | 0.018 | 7,216.98
Work zone accident | Alternate case (with PTC) | Work zone hazard | 1,415 | 0 | 0 | Over 300 years
Head-to-head collision | Base case (non-PTC) | End of authority hazard | 1,650 | 65 | 0.039 | 1,596.04
Head-to-head collision | Alternate case (with PTC) | End of authority hazard | 550 | 0 | 0 | Over 300 years
Head-to-tail collision | Base case (non-PTC) | End of authority hazard | 1,650 | 0 | 0 | Over 300 years
Head-to-tail collision | Alternate case (with PTC) | End of authority hazard | 550 | 0 | 0 | Over 300 years
Sideswipe collision | Base case (non-PTC) | End of authority hazard | 1,650 | 250 | 0.152 | 414.97
Sideswipe collision | Alternate case (with PTC) | End of authority hazard | 550 | 25 | 0.045 | 143,130
Emergency brake derailment | Base case (non-PTC) | End of authority hazard | 1,435 | 65 | 0.039 | 1,387.65
Emergency brake derailment | Alternate case (with PTC) | End of authority hazard | 550 | 10 | 0.018 | 357,825
Overspeed derailment | Base case (non-PTC) | Overspeed hazard | 7,445 | 15 | 0.002 | 6,520.12
Overspeed derailment | Alternate case (with PTC) | Overspeed hazard | 8,585 | 135 | 0.016 | 19,588.42
Misaligned switch derailment | Base case (non-PTC) | Exceeded authority hazard (unauthorized switch alignment) | 100 | 10 | 0.1 | 463.7
Misaligned switch derailment | Alternate case (with PTC) | Exceeded authority hazard (unauthorized switch alignment) | 0 | 0 | 0 | Over 300 years
Unauthorized switch derailment | Base case (non-PTC) | Exceeded authority hazard (misaligned switch) | 115 | 15 | 0.1304 | 482
Unauthorized switch derailment | Alternate case (with PTC) | Exceeded authority hazard (misaligned switch) | 0 | 0 | 0 | Over 300 years
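To turn the Level 2 results into the kind of cost comparison the PTC Rule requires, the following Python script (an added example, not a calculation from the paper) converts each accident type's mean time to accident into an expected annual cost using the two severity categories from the Accident Severity section, sums the base and alternate cases, and checks the reduction against the Rule's 80% threshold discussed under the complacency sensitivity analysis below. Two things are choices of this example rather than the paper's method: the result is in dollars per year rather than per million train miles (train-miles are not given in this excerpt, and the percentage reduction does not depend on them), and rows with zero observed accidents, which the paper reports as "over 300 years", can optionally be bounded with the rule of three (with 0 successes in n trials, the 95% upper bound on the success probability is about 3/n), a standard approximation that the paper does not apply. Rows whose hazard was never produced at Level 1 have no Level 2 trials to bound and are carried at zero.

```python
"""Expected annual accident cost from the Level 2 results and the 80% test.

Added example; not the paper's code or method. Inputs are the published rows
of Tables 3 and 4. Dollars per year (not per million train miles) and the
rule-of-three bound for zero-accident rows are choices of this example.
"""
from math import inf

DAYS_PER_YEAR = 365.2
COST_PER_ACCIDENT = {"less severe": 168_837.0, "more severe": 1_829_542.0}
SEVERITY = {  # category assignments from the Accident Severity section
    "Work zone accident": "less severe",
    "Head-to-head collision": "more severe",
    "Head-to-tail collision": "more severe",
    "Sideswipe collision": "more severe",
    "Emergency brake derailment": "less severe",
    "Overspeed derailment": "less severe",
    "Misaligned switch derailment": "less severe",
    "Unauthorized switch derailment": "less severe",
}

# (accident type, scenario, mean time to the sampled hazard in days from
#  Table 3, Level 2 trials, accidents, reported mean time to accident in days
#  from Table 4, or None where no accident was observed)
LEVEL2_ROWS = [
    ("Work zone accident",             "base", 130.43,  830,  15,   7216.98),
    ("Head-to-head collision",         "base",  62.85, 1650,  65,   1596.04),
    ("Head-to-tail collision",         "base",  62.85, 1650,   0,   None),
    ("Sideswipe collision",            "base",  62.85, 1650, 250,    414.97),
    ("Emergency brake derailment",     "base",  62.85, 1435,  65,   1387.65),
    ("Overspeed derailment",           "base",  13.14, 7445,  15,   6520.12),
    ("Misaligned switch derailment",   "base",  46.37,  100,  10,    463.7),
    ("Unauthorized switch derailment", "base",  47.63,  115,  15,    482.0),
    ("Work zone accident",             "alternate", 2073.79, 1415,   0, None),
    ("Head-to-head collision",         "alternate", 6505.9,   550,   0, None),
    ("Head-to-tail collision",         "alternate", 6505.9,   550,   0, None),
    ("Sideswipe collision",            "alternate", 6505.9,   550,  25, 143_130.0),
    ("Emergency brake derailment",     "alternate", 6505.9,   550,  10, 357_825.0),
    ("Overspeed derailment",           "alternate",  308.03, 8585, 135,  19_588.42),
    ("Misaligned switch derailment",   "alternate", inf,        0,   0, None),
    ("Unauthorized switch derailment", "alternate", inf,        0,   0, None),
]


def accidents_per_year(mtta_days):
    """Mean time to accident (days) -> expected accidents per year."""
    return 0.0 if mtta_days == inf else DAYS_PER_YEAR / mtta_days


def bounded_mtta(mtth_days, trials):
    """Shortest mean time to accident consistent (at about 95%) with 0
    accidents in `trials` resumed hazards: p <= 3/trials, so
    MTTA >= MTTH / (3/trials). inf when the hazard was never produced."""
    if trials == 0 or mtth_days == inf:
        return inf
    return mtth_days / (3.0 / trials)


def annual_cost(scenario, conservative=False):
    """Expected safety cost per year for one scenario. With conservative=True,
    zero-accident rows use the rule-of-three bound instead of zero."""
    total = 0.0
    for kind, scen, mtth, trials, accidents, mtta in LEVEL2_ROWS:
        if scen != scenario:
            continue
        if accidents == 0:
            mtta = bounded_mtta(mtth, trials) if conservative else inf
        total += accidents_per_year(mtta) * COST_PER_ACCIDENT[SEVERITY[kind]]
    return total


def risk_reduction(conservative=False):
    """Fractional reduction of the alternate case relative to the base case.
    The conservative variant bounds only the alternate case upward, the
    direction that could threaten the PTC Rule comparison."""
    return 1.0 - annual_cost("alternate", conservative) / annual_cost("base")


def meets_ptc_rule(threshold=0.80, conservative=False):
    """True when the estimated reduction reaches the PTC Rule's threshold."""
    return risk_reduction(conservative) >= threshold


if __name__ == "__main__":
    for conservative in (False, True):
        label = "rule-of-three bound" if conservative else "point estimate"
        print(f"{label}: base ${annual_cost('base'):,.0f}/yr, "
              f"alternate ${annual_cost('alternate', conservative):,.0f}/yr, "
              f"reduction {100 * risk_reduction(conservative):.2f}%, "
              f"meets 80% rule: {meets_ptc_rule(conservative=conservative)}")
```

The base case comes to roughly $2.35 million per year, dominated by sideswipe and head-to-head collisions, against about $8,000 per year with PTC; bounding the three zero-accident alternate rows adds only about $1,200, so the reduction stays above 99% either way, consistent with the ratio the paper reports ($16,900 against $5.3 million per million train miles). The bound matters more when trial counts are small: 0 accidents in 550 trials is not evidence for "over 300 years" by itself, only for a hazard-to-accident probability below about 0.5%.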
Increased Human Error Due to Complacency

One of the features of nonvital overlay PTC systems is that the underlying safety-critical systems remain in effect. Should PTC fail in part or in total, train operators and dispatchers will have their pre-PTC capabilities at their disposal: in the event of a system failure, train crews will be able to ascertain all locational and directive information through the means available in the base case (i.e., written instructions and signals) and will be able to bring the train to a stop manually.

One of the issues to consider is whether the presence of a nonvital overlay system leads to complacency. Because train operators will know that PTC warning and enforced braking will, under normal circumstances, deploy automatically in the event of an unsafe condition, some believe that operators will develop a sense of complacency. Complacency, should it occur, would manifest as a higher operator error rate.

As part of the sensitivity analysis, the case study ran the alternate (with PTC) case while assuming that the error rate was 25% higher, that is, 0.0005 errors per operating hour in comparison with the previous assumption of 0.0004 errors per operating hour. All other parameters of the analysis were left unchanged.

The analysis finds that a 25% increase in operator error resulted in a 121% increase in safety-related costs. Even so, the risk reduction still far exceeds the 80% threshold required by the PTC Rule: the base-case risk of $5.3 million per million train miles would need to drop to $1.06 million per million train miles, whereas PTC with the increased (complacency) error rate reduces risk to $16,900 per million train miles.

Acknowledgments

The authors thank the following former and current FRA personnel: Magdy El-Sibaie and Sam Alibrahim for support and guidance in developing the GTMS, Olga Cataldi for her valuable input, and Bor-Chung Chen for his review of the simulation methodology and statistical formulas.

References

1. Shortle, J. F., C.-H. Chen, B. Crain, A. Brodsky, and D. Brod. Optimal Splitting for Rare Event Simulation. IIE Transactions, 2010.
2. USDOT/TSC Train Performance Simulator (TPS) User's Manual, Version 5. Transportation Systems Center, U.S. Department of Transportation, 1988.
3. Lu, Q., M. Dessouky, and R. C. Leachman. Modeling Train Movements Through Complex Rail Networks. ACM Transactions on Modeling and Computer Simulation, Vol. 14, No. 1, 2004, pp. 48–75.
4. Dhillon, B. S. Human Reliability and Error in Transportation Systems. Springer, London, 2007.

The Railroad Operating Technologies Committee peer-reviewed this paper.