
New Guidance for CAST: Case Study of a US Freight Rail Stop Signal Overrun & Collision

Megan France, Jordan Multer, & Hadar Safar, U.S. DOT Volpe Center; Emilie Roth, Roth Cognitive Engineering

MIT STAMP Workshop, Cambridge, MA, March 27, 2018

Outline: Objectives & Background; New CAST Guidance; Freight Rail Case Study; Discussion

Objectives

- Apply CAST to a freight rail case study in order to understand systemic causes of stop signal overruns
- Suggest additional guidance for CAST to help analysts understand which types of information to include

Background: Stop Signal Overruns (SSOs)

- Consequences can include derailment or collision; may result in injuries, fatalities, and major property damage
- Railroads tend to blame the operators (engineer, conductor), but many factors contribute to these incidents!

Background: Stop Signal Overruns (SSOs)

- 2 prior studies at passenger railroads examining SSOs
- Focus groups, interviews, and observations
- Identified contributing factors at all levels of the system hierarchy!

(Safar, Multer & Roth, 2017)

Section: New CAST Guidance

Additional Guidance: Mental Model Flaws

Recent work (France, 2017) provided additional guidance for mental model flaws in STPA; it can be applied to CAST.

*This presentation uses "mental model" in place of "process model" when referring to human controllers.

CAST controller guidance:
1. Safety Roles & Responsibilities
2. Unsafe Control Actions (UCAs)
3. Mental Model Flaws*
4. Contextual Factors

Foundation of Mental Model Guidance

STPA – Engineering for Humans Extension

[Figure: human controller model. Sensory inputs feed Mental Model Updates; the Mental Models (Process State, Process Behavior, Environment & Controllers) feed Control Action Selection, which issues Control Actions.]

(Thomas & France, 2016; France, 2017)

Guidance for Mental Models

Mental Model of Process State
- Beliefs about modes and mode changes
- Beliefs about the current process stage (for processes with multiple stages)
- Beliefs about system variables (e.g. true/false, on/off)

(France, 2017)

Guidance for Mental Models

Mental Model of Process Behavior
- Beliefs about what the system can do
- Beliefs about how the system will behave in a particular mode or process stage
- Beliefs about if-then relationships between operator input and system output

(France, 2017)

Guidance for Mental Models

Mental Model of Environment & Controllers
- Changes to environmental conditions
- Familiar or unfamiliar environments
- Other controllers' states and behaviors
- Social and organizational factors

(France, 2017)

Additional Guidance: Contextual Factors

"Contextual factors" is a broad category, leaving analysts with potential questions:
- Which types of information belong in "contextual factors"?
- How should findings listed under "contextual factors" be structured?

CAST controller guidance:
1. Safety Roles & Responsibilities
2. Unsafe Control Actions (UCAs)
3. Mental Model Flaws
4. Contextual Factors

Foundations of Contextual Guidance

[Figure: socio-technical system hierarchy (Leveson, 2004; adapted from Rasmussen, 1997 and Rasmussen & Svedung, 2000)]

[Figure: contributing factors to PASS* events (Safar, Roth, & Multer, 2015)]

*Note: "PASS" stands for "passing a stop signal" and is synonymous with "Stop Signal Overrun" or SSO.

Guidance for Contextual Factors

Five categories of contextual factors to consider:
- Physical system and technology factors
- Individual and team factors
- Organizational factors
- Regulatory factors
- External/Environmental factors; "Other"

NOTE: This guidance DOES NOT replace the need to create a safety control structure and examine the control and feedback loops specific to YOUR system and controlled process! This is NOT a checklist; it's a recommendation to consider factors at all levels of your system!

Guidance for Contextual Factors

Physical System and Technology Factors
- Operating environment design
- Interface design (e.g. displays and alerts)
- Maintenance/operational status of physical systems
- Availability or non-availability of job aids
- Other physical factors (e.g. weather)

Guidance for Contextual Factors

Individual and Team Factors
- Communication and teamwork; coordination
- Distractions/competing demands for attention
- Experience level; qualification and training
- Fatigue; work schedule
- Medical fitness for duty
- Expectations; similar situations encountered

Guidance for Contextual Factors

Organizational Processes
- Supervisory priorities/safety culture
- Resource constraints & production pressures
- Policies and procedures (work schedules, training, discipline, etc.)
- Degree of feedback from employees

Guidance for Contextual Factors

Regulatory Activities
- Degree of support to/control over organizations
- Feedback (data) collected from organizations
- Regulations regarding employees
- Regulations regarding physical systems and technologies

Guidance for Contextual Factors

External Factors
- High-level societal, governmental, etc. influences
- Economic context, funding sources
- Demands for service driving production pressures
- Political climate's effects on funding, regulation, etc.

REMINDER: These lists are not comprehensive; they are simply a set of examples!

Complete CAST Controller Guidance

1. Safety Roles & Responsibilities

2. Safety Constraints Violated or Unsafe Control Actions (UCAs)

3. Process Model (Mental Model) Flaws: explain why Unsafe Control Actions appeared appropriate to the controller.
   A. Mental model of process state
   B. Mental model of process behavior
   C. Mental model of environment

4. Contextual Factors: systemic factors that influence controllers' mental models and decisions.
   A. Physical system and technology factors
   B. Individual and team factors
   C. Organizational processes
   D. Regulatory activities
   E. External factors

Section: Freight Rail Case Study

Head-On Collision of Two Union Pacific Railroad Freight Trains

Goodwell, Oklahoma, June 24, 2012, 10:02 a.m.

- 3 fatalities
  - Eastbound train's engineer & conductor
  - Westbound engineer
- 1 survivor
  - Westbound conductor
- 5 locomotives and 32 cars derailed
- $14.8 million in estimated damage

Photo source: the Guymon Daily Herald, courtesy of Marit Edwards

(NTSB, 2013)

Accidents and Hazards

ACCIDENT
- A train collides with another train on the same stretch of track

HAZARDS
- A train enters an area of track it was not cleared to enter
- A train enters an area of track already occupied by another train

System Safety Constraints

- Dispatchers must use stop and approach signals to alert train crews to areas they do not have clearance to enter
- Train crews must slow down at approach signals and stop at stop signals
- Train crews must have adequate visual acuity and color vision to recognize signal indications
- Railroads must ensure that crews are adequately qualified and medically fit for duty

Event Overview: Planned Route

[Figure: Goodwell Siding, with ZLAAH 22 (eastbound train) and AAMMLX 22 (westbound train).]

The eastbound train was supposed to wait at the stop signal for the westbound train to enter the siding.

Event Overview: Planned Route

[Figure: Goodwell Siding, continued.]

The eastbound train could then proceed forward safely, followed by the westbound train.

Event Overview: Actual Route

[Figure: Goodwell Siding, showing the run-through switch.]

Instead, the eastbound train passed the stop signal and collided with the westbound train before it reached the siding.

Event Timeline: Eastbound ZLAAH 22

- 9:56 am: Advanced Approach signal (flashing yellow). Required action: reduce speed to 40 mph. Approx. 2 miles to the next signal.
- 9:58 am: Approach signal (solid yellow over solid red). Required action: reduce speed to 30 mph; prepare to stop. Approx. 2 miles to the next signal.
- 10:00 am: Stop signal (solid red). Required action: stop until given clearance to proceed. Less than 2 miles to the collision point.
- 10:01 am: Collision with AAMMLX 22 (westbound train).

Event Timeline: Eastbound ZLAAH 22

"…the engineer appeared to make throttle and dynamic brake adjustments that maintained train speed close to the 70 mph limit, as would be expected for a train operating on a clear signal"

(NTSB, 2013)
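The safety constraints and the timeline above describe exactly the rule an automated speed-enforcement monitor (the role Positive Train Control plays) checks: after each restrictive aspect, the train's speed must come down to the limit that aspect imposes. The Python below is an added example, not code from the presentation, the Volpe Center, or the NTSB report. It encodes the three signal aspects and times from the timeline, replays a constructed per-minute speed log (not event-recorder data; it is built only to mirror the quote that speed stayed near the 70 mph limit) against them, and returns each point at which such a monitor would have flagged the train. The 70 mph track limit comes from the NTSB quote; the one-minute grace window after each signal is an assumption standing in for the braking-curve calculation a real PTC system performs.

```python
"""Replay a train speed log against signal-imposed speed limits.

Added example (not from the presentation or NTSB/RAR-13/02). It encodes the
Goodwell timeline's signal aspects and flags every log sample at which the
train was faster than the governing signal allowed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signal:
    name: str            # e.g. "Advanced Approach"
    aspect: str          # e.g. "Flashing yellow"
    passed_at: str       # "HH:MM" when the train passed the signal (from the timeline)
    max_speed_mph: int   # speed permitted beyond this signal; 0 means "stop"


@dataclass(frozen=True)
class Violation:
    time: str
    governing_signal: str
    actual_mph: int
    allowed_mph: int


def to_minutes(hhmm: str) -> int:
    """'09:58' -> 598 (minutes since midnight)."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


# Signal sequence and times taken from the presentation's event timeline.
GOODWELL_SIGNALS: List[Signal] = [
    Signal("Advanced Approach", "Flashing yellow", "09:56", 40),
    Signal("Approach", "Solid yellow over solid red", "09:58", 30),
    Signal("Stop", "Solid red", "10:00", 0),
]

# Constructed one-sample-per-minute speed log (time, mph). It is NOT event
# recorder data; it only mirrors the NTSB observation that speed stayed
# close to the 70 mph limit all the way to the collision at about 10:01.
CONSTRUCTED_SPEED_LOG: List[Tuple[str, int]] = [
    ("09:54", 69), ("09:56", 70), ("09:57", 70), ("09:58", 69),
    ("09:59", 70), ("10:00", 70), ("10:01", 70),
]


def governing_signal(signals: List[Signal], time_hhmm: str) -> Optional[Signal]:
    """Most recent signal passed at or before time_hhmm; None before the first."""
    now = to_minutes(time_hhmm)
    current = None
    for sig in sorted(signals, key=lambda s: to_minutes(s.passed_at)):
        if to_minutes(sig.passed_at) <= now:
            current = sig
    return current


def check_speed_log(signals: List[Signal],
                    speed_log: List[Tuple[str, int]],
                    track_speed_limit_mph: int = 70,
                    grace_minutes: int = 1) -> List[Violation]:
    """Return every sample at which speed exceeded the governing limit.

    Before the first restrictive signal the track speed limit applies (70 mph
    per the NTSB quote). grace_minutes is an assumed allowance for braking
    after a signal is passed; a real PTC system would instead compute a
    braking curve from the train's consist, speed and grade.
    """
    violations: List[Violation] = []
    for time_hhmm, mph in speed_log:
        sig = governing_signal(signals, time_hhmm)
        if sig is None:
            allowed, name = track_speed_limit_mph, "Track limit"
        else:
            if to_minutes(time_hhmm) - to_minutes(sig.passed_at) < grace_minutes:
                continue  # still inside the braking allowance for this signal
            allowed, name = sig.max_speed_mph, sig.name
        if mph > allowed:
            violations.append(Violation(time_hhmm, name, mph, allowed))
    return violations


def first_alert_time(signals: List[Signal],
                     speed_log: List[Tuple[str, int]],
                     **kwargs) -> Optional[str]:
    """Time at which a monitor would first have raised an alert, if any."""
    violations = check_speed_log(signals, speed_log, **kwargs)
    return violations[0].time if violations else None


if __name__ == "__main__":
    for v in check_speed_log(GOODWELL_SIGNALS, CONSTRUCTED_SPEED_LOG):
        print(f"{v.time}: {v.actual_mph} mph, {v.governing_signal} allows {v.allowed_mph} mph")
    print("first alert:", first_alert_time(GOODWELL_SIGNALS, CONSTRUCTED_SPEED_LOG))
```

With these constructed samples the first flag comes at 9:57 am, roughly four minutes before the collision, whereas the dispatcher (per the dispatcher slide later in this deck) was only alerted once the eastbound train ran through the siding switch, less than two minutes before it. Changing grace_minutes or the speed samples shows how sensitive such a monitor is to its braking assumptions, which is why a deployed system derives that allowance from train data rather than a fixed number.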

Physical System Analysis

Safety Controls and Equipment
- Stop signals indicate where trains must not go
- "Approach" signals warn of upcoming stop or speed restrictions
- Sidings allow trains to pass safely on single track

Safety Constraints Violated
- Two trains moving in opposite directions were allowed on a single track

(NTSB, 2013)

Physical System Analysis

Failures and Unsafe Interactions
- Signals functioned as intended, but the eastbound train did not obey them
- No Positive Train Control (PTC) present

Contextual Factors and Additional Questions
- Individual: If signals were properly functioning, why did the engineer pass a stop signal?
- Organizational: Why wasn't positive train control installed?

(NTSB, 2013)

Controller Analysis: Engineer

[Figure: the Engineer controlling the Physical System (Trains and Signals). Control actions: speed controls (throttle & brake). Feedback: current speed, signal indication.]

Controller Analysis: Engineer

Roles and Responsibilities
- Control train speed in accordance with posted signals; call out signal indication to conductor
- Be medically fit to operate a locomotive

Unsafe Control Actions
- Did not slow down as required by approach signals or stop at the stop signal
- Operated while knowing he had inconsistent color vision and diminished visual acuity

Controller Analysis: Engineer

Mental Model Flaws

Model of Process State:
- Incorrectly believed signals were "clear" (green)

Model of Process Behavior:
- N/A – understood meaning of signals & required actions

Model of Environment & Controllers:
- May have incorrectly believed conductor would intervene
- Likely unaware of the presence of another train

Controller Analysis: Engineer

Individual Contextual Factors:
- Perceptual limitations: engineer had severe visual impairments from multiple conditions; had failed a color vision test in 2009
- Coordination: should have been coordinating with conductor to call out signals and ensure proper speed; what was the conductor doing?
- Expectations: signals may be typically clear, high-visibility
- Fatigue: fatigue possible based on irregular work schedule

Organizational Contextual Factors:
- What organizational factors allowed (or incentivized) operating despite severe visual limitations?

Controller Analysis: Conductor

[Figure: Conductor and Engineer over the Physical System (Trains and Signals). Conductor control actions: emergency brake; call out signals (to the engineer). Feedback to the conductor: signal indications, current speed.]

Controller Analysis: Conductor

Roles and Responsibilities
- Call out signal indications; ensure engineer obeys signals; use emergency brake if necessary

Unsafe Control Actions
- Apparently did not call out the approach and stop signals; did not warn engineer
- Did not pull the emergency brake

Controller Analysis: Conductor

Process Model Flaws

Model of Process State:
- Was likely unaware that signals were in a restrictive state

Model of Process Behavior:
- N/A – would have understood meaning of signals

Model of Environment & Controllers:
- Was likely unaware that the engineer was not responding to signals; likely believed engineer could read the signals

Controller Analysis: Conductor

Individual Contextual Factors:
- Distraction/inattention: conductor may have been asleep or absent
- Expectations: signals may be typically clear, high-visibility conditions; may have believed engineer was capable of recognizing signals
- Fatigue: fatigue possible based on irregular work schedule
- Coordination: engineer may have allowed conductor to rest

Organizational Contextual Factors:
- What organizational factors contributed to lack of required coordination between the engineer and conductor?

Controller Analysis: Dispatcher

[Figure: control structure with the Dispatcher above the Train Crew (Conductor, Engineer) and the Physical System (Trains and Signals). Dispatcher to train crew: clearances & instructions; feedback: location/issues. Dispatcher to physical system: set signals & switches; feedback: signal & switch status; train positions? train speeds?]

Controller Analysis: Dispatcher

Roles and Responsibilities
- Set signals and switches for safe routing of trains
- Communicate route information to train crews

Unsafe Control Actions
- Apparently did not warn eastbound train crew about the upcoming stop signal & other train

Controller Analysis: Dispatcher

Process Model Flaws

Model of Process State:
- Did not realize eastbound train had passed the signals

Model of Process Behavior:
- May have believed that if crews passed a signal, he would be alerted and have time to intervene

Model of Environment & Controllers:
- Assumed crew would obey signals even if not given warning

Controller Analysis: Dispatcher

Physical System Contextual Factors:
- Dispatcher was not notified that the train was over the speed limit
- Dispatcher was only notified once the switch at the end of the siding was pushed out of alignment by the eastbound train

Individual Contextual Factors:
- Expectations: did not expect crews to pass a stop signal (very rare)
- Coordination: dispatcher was responsible for 10-12 crews
- Timing: accident occurred approx. 5 mins after first missed signal, and less than 2 minutes after the dispatcher received an alert

Controller Analysis: UP Management

[Figure: control structure adding Railroad Management and Outside Medical Providers above the Dispatcher, the Train Crew (Conductor, Engineer) and the Physical System (Trains and Signals). Labeled links: Railroad Management to Train Crew and to Dispatcher: training, policies, etc.; feedback: safety issues. Outside Medical Providers: documentation of vision test results; diagnoses & treatments of eye conditions; feedback: visual acuity.]

Controller Analysis: UP Management

Roles and Responsibilities
- Ensure that employees are medically fit for duty and adequately trained on job tasks, including coordination
- Ensure that physical system complies with regulations

Unsafe Control Actions
- Did not have PTC installed on the route
- Did not provide training on crew resource management
- Did not require documentation of engineer's visual acuity results; did not require follow-up testing
- Used a color vision test of unknown validity/reliability

Controller Analysis: UP Management

Mental Model Flaws
- May have incorrectly believed engineer's vision was okay
- May have believed that engineer's vision would not be a problem with the conductor assisting by calling out signals
- May have believed resources were not available to implement safety measures, or that safety measures were not as urgent as other priorities (CRM, PTC)

Controller Analysis: UP Management

Organizational Contextual Factors:
- Resource constraints: PTC/CRM require a large amount of resources
- Staffing constraints: may have needed engineers badly, decided to keep the engineer despite visual limitations
- Policies: the policy for verifying visual acuity was to obtain written documentation, but it was not uniformly applied
- Scheduling practices: irregular schedules are common in the rail industry; may contribute to fatigue despite hours-of-service limitations

Regulatory Contextual Factors:
- Was UP in violation of regulations, or were regulations inadequate?

Controller Analysis: FRA

[Figure: control structure adding the Federal Railroad Administration above Railroad Management, with the Outside Medical Providers, Dispatcher, Train Crew (Conductor, Engineer) and Physical System (Trains and Signals) below. FRA to Railroad Management: regulations; feedback: safety data.]

Controller Analysis: FRA

Roles and Responsibilities
- Regulate railroads to ensure safety standards

Unsafe Control Actions
- Allowed retaking vision tests without validating railroad's testing methods
- Did not mandate PTC installation sooner
- Did not mandate CRM trainings

Controller Analysis: FRA

Process Model Flaws
- Believed timeline for PTC implementation was appropriate
- Believed railroads had adequate resources for CRM
- Believed railroads would use a valid vision testing method

Regulatory Contextual Factors:
- FRA already required implementation of PTC by 2015
- FRA conducted research into CRM, provided railroads with funding for pilot programs

External Factors
- Desire to maintain positive relationships with railroads & work within their resource constraints (e.g. PTC regulation timing)

Section: Discussion

Enhanced CAST Controller Guidance

- Provides additional guidance on what types of content to include
- Useful for new practitioners of CAST
- Revealed interesting results in our freight case study

1. Safety Roles & Responsibilities

2. Unsafe Control Actions (UCAs)

3. Process Model (Mental Model) Flaws
   A. Mental model of process state
   B. Mental model of process behavior
   C. Mental model of environment

4. Contextual Factors
   A. Physical system and technology factors
   B. Individual and team factors
   C. Organizational factors
   D. Regulatory factors
   E. External/environmental factors; "other"

References

- France, M., "Engineering for Humans: A New Extension to STPA," Master's Thesis, Massachusetts Institute of Technology, 2017.
- France, M., "Engineering for Humans: Human-Automation Interaction in STPA," presented at the 6th Annual MIT STAMP Workshop, 2017.
- Leveson, N.G., "A New Accident Model for Engineering Safer Systems," Safety Science, vol. 42, no. 4, pp. 237-270, 2004.
- Leveson, N.G., "Engineering a Safer World: Systems Thinking Applied to Safety," The MIT Press, 2012.
- National Transportation Safety Board, "Head-on Collision of Two Union Pacific Railroad Freight Trains Near Goodwell, Oklahoma, June 24, 2012," NTSB/RAR-13/02, Washington, DC: NTSB, 2013.
- Rasmussen, J., "Risk Management in a Dynamic Society: A Modelling Problem," Safety Science, vol. 27, no. 2/3, pp. 183-213, 1997.
- Rasmussen, J. & Svedung, I., "Proactive Risk Management in a Dynamic Society," Swedish Rescue Services Agency, 2000.
- Safar, H., Multer, J., & Roth, E., "An Investigation of Passing Stop Signals at a Passenger Railroad," Washington, DC: Federal Railroad Administration, 2015.
- Safar, H., Multer, J., & Roth, E., "Why do passenger trains pass stop signals? A systems view," Washington, DC: Federal Railroad Administration, 2017.
- Thomas, J. and France, M., "Engineering for Humans: STPA Analysis of an Automated Parking System," presented at the 5th Annual MIT STAMP Workshop, 2016.

Thank you for your attention! Contact: Megan France, US DOT Volpe Center, megan.france@dot.gov

Backup Slides: PTC Implementation

Positive Train Control Timeline

[Figure] Source: https://www.fra.dot.gov/ptc

PTC Implementation in Freight RRs

[Figure] Source: https://www.fra.dot.gov/ptc

PTC Implementation at UP

As of December 31, 2017

[Figure] Source: https://www.fra.dot.gov/ptc

Ongoing/Future Work on SSOs

- Current study focuses on freight environment
  - CAST analyses are a preliminary step
  - Follow-up with interviews, focus groups, etc. and briefing to railroad management
- Other ongoing work
  - Improving SSO data collection using a common form template
  - Communicating findings to railroads in a "Good Practice Guide"