Positive Train Control Interface Design Issue With Locomotive and Cab Car Braking Systems

AGENCY:

Federal Railroad Administration (FRA), Department of Transportation (DOT).

ACTION:

Notice of Safety Advisory.

SUMMARY:

FRA is issuing Safety Advisory 2021-01 to make the rail industry, including railroads and railroad employees, aware of a recently identified interface design issue relating to how positive train control (PTC) systems in use throughout the United States interface with locomotive and cab car braking systems. This recently identified interface design issue allows a train crewmember to circumvent a PTC enforcement by manually cutting out the pilot valve/brake stand, commonly known as the cut-out valve, prior to the PTC system initiating the brakes. This interface design issue poses a significant safety risk by allowing a PTC system to be disabled and unable to initiate the brakes to prevent a train-to-train collision, over-speed derailment, incursion into an established work zones, or the movement of a train through a switch left in the wrong position. This Safety Advisory recommends that all railroads operating with PTC systems immediately remind crewmembers that circumventing a PTC enforcement is subject to civil penalty or disqualification for the locomotive engineer or conductor responsible; audit the designs of PTC systems as implemented on all types of locomotives and cab cars; assess the extent to which the design of the system could allow a locomotive or cab car's PTC system to be circumvented by a crewmember; develop and implement a plan to mitigate and/or correct this design issue; and provide FRA with a schedule for completion of the identified actions.

FOR FURTHER INFORMATION CONTACT:

Gabe Neal, Staff Director, Signal, Train Control and Crossings Division, Office of Railroad Systems and Technology, at telephone: (816) 516-7168 or email: gabe.neal@dot.gov.

SUPPLEMENTARY INFORMATION:

Background

Positive train control (PTC) systems must be designed to prevent train-to-train collisions, over-speed derailments, incursions into established work zones, and the movement of a train through a switch left in the wrong position. PTC accomplishes this by using technology to monitor train speed and train locations, provide warnings for the traincrew to take action, and automatically initiate braking if the traincrew does not take action.

FRA is aware of a recently identified design issue relating to how PTC systems in use throughout the United States interface with locomotive and cab car braking systems. This interface design issue allows a crewmember to circumvent a PTC enforcement by manually cutting out the pilot valve/brake stand, commonly known as the cut-out valve, prior to the PTC system initiating the brakes. If a PTC system is allowed to be disabled by the actions of a crewmember, the PTC system can no longer prevent a train-to-train collision, over-speed derailment, incursion into an established work zone, or the movement of a train through a switch left in the wrong position.

Although FRA has found that all PTC systems are potentially impacted by this interface design issue, FRA notes that only some interface designs between the PTC system and the locomotive or cab car braking system allow a PTC enforcement to be disabled. FRA believes that the interface designs of most concern are limited to a number of older locomotives equipped with mechanical braking systems, and the interface design is likely not an issue on most newer locomotives equipped with electronic braking systems. On PTC-equipped locomotives and cab cars with interface designs with this issue, manually cutting out the pilot valve/brake stand disables the PTC system enforcement capability. FRA recognizes that a locomotive or cab car PTC system is considered a “safety device” under FRA's regulations and that it is unlawful for a railroad employee to operate the equipment with such a safety device disabled without authorization. Accordingly, a system that allows such interference in its operation does not comply with the applicable statutory or regulatory requirements. In addition, a PTC system that allows such interference presents a significant safety risk in that it can no longer perform its required functions.

FRA became aware of this issue through three recent events:

• On May 27, 2021, during testing of the Advanced Civil Speed Enforcement System II (ACSES II) PTC system aboard a freight train, an FRA PTC Specialist witnessed an engineer circumvent a penalty brake application while operating in an overspeed condition. The engineer placed the pilot valve/brake stand in the cut-out position prior to PTC system enforcement of the overspeed condition. When the overspeed condition no longer existed, the pilot valve/brake stand was returned to the cut-in position, and the train continued without a PTC system penalty.
• On July 13, 2021, during testing of the Interoperable Electronic Train Management System (I-ETMS) PTC system on a freight locomotive, FRA conducted a test in which a zero speed temporary speed restriction (TSR) was issued to the train and the pilot valve/brake stand was placed into the cut-out position prior to PTC system enforcement of the TSR. This action allowed the train to circumvent PTC system enforcement.
• On July 21, 2021, during testing of the ACSES II PTC system on a passenger train, FRA conducted a similar test in which a zero speed temporary speed restriction (TSR) was issued to the train and the pilot valve/brake stand was placed into the cut-out position prior to PTC system enforcement of the TSR. This action achieved similar results, allowing the train to circumvent the PTC system enforcement with one exception; after placing the pilot valve/brake stand back into the cut-in position, the train encountered a PTC penalty brake application.

Safety Advisory 2021-01

As shown by the incidents described above, rail operations face a safety risk due to the interface design issue that allows PTC enforcement to be circumvented by cutting out the pilot valve/brake stand. Such risks must be addressed to provide for the safety of train operations, and thus FRA recommends that railroads do the following:

(1) Immediately remind railroad crewmembers that, along with the unauthorized disabling of a PTC system, circumventing PTC enforcement by manually cutting out the pilot valve/brake stand when not authorized is a revocable event for the locomotive engineer or conductor responsible, and subjects any other crewmember responsible to individual liability proceedings, including disqualification and/or civil penalties. See 49 CFR 240.117(e)(5), 240.305(a)(5), and 242.403(b) and (e)(5).

(2) Immediately conduct a complete audit of the PTC onboard design of all locomotives and cab cars equipped with PTC to determine how the onboard PTC equipment is integrated into each railroad's locomotive and cab car's braking system, to ascertain what percentage of the locomotive and cab car fleet is subject to the interface design issue described above;

(3) Within ten (10) days of the publication of this Safety Advisory, provide FRA, via the SIR site, with a report of the number and type of locomotives and cab cars that have this interface design issue;

(4) Upon completion of item (2) above, determine the mitigating measures and/or corrective actions necessary to address the safety risk presented by the design issue, and provide FRA, via the SIR site, with a report documenting the planned measures and/or actions, including a schedule for completion; and

(5) Immediately commence implementation of the planned measures and/or actions to address the safety risk presented by the design issue per the documented schedule, and provide FRA, via the SIR site, confirmation of completion.