U.S. Department of Transportation
Federal Transit Agency
SAFETY REVIEW OF WASHINGTON METROPOLITAN AREA TRANSIT AUTHORITY (WMATA) METRORAIL OPERATIONS
U.S. Department of Transportation
Research and Special Programs Administration
John A. Volpe National Transportation Systems Center
Cambridge, MA 02142
September 1997 Final Report
HTML Edition April 1999
This document is disseminated under the sponsorship
of the Department of Transportation in the interest of
information exchange. The United States Government
assumes no liability for its contents or use thereof.
The United States Government does not endorse
products or manufacturers. Trade or manufacturers'
names appear herein solely because they are
considered essential to the objective of this report.
A recent series of accidents and incidents at the Washington Metropolitan Area Transit Authority (WMATA) have raised concerns about the Authority's commitment to safety as its top priority.
In January 1996, a train operator was killed at an end-of-the-line station when his train slid on icy tracks into parked railcars. There have also been incidents of tower supervisors misdirecting trains in yards, including an incident in which a supervisor directed a train to pass a red (stop) signal. In April 1996, WMATA disconnected the operating mechanisms for the mid-car emergency doors on approximately 100 rail cars without informing the public. The doors were disabled to allow electrical repairs to be made gradually over a two-day period without removing cars from service. Later that month, two workers were injured when their tools made contact with a live electrical cable that should have been deactivated while tracks were being repaired. On May 10, 1996, a delayed response to a fire put both firefighters and passengers at risk.
This document presents a review of safety and operational issues at WMATA. It is being performed under the auspices of the Federal Transit Administration (FTA). Interactive Elements gratefully acknowledges the assistance, guidance, and comments of Jerry A. Fisher of the FTA's Office of Safety and Security, and the guidance provided by William T. Hathaway of the Volpe National Transportation Systems Center (Volpe Center). We are indebted to the management and staff of WMATA without whose cooperation this review could not have been completed.
The findings and recommendations provided herein are intended as guidance for the Federal Transit Administration (FTA). They have been prepared pursuant to Contract Number DTRS57-97-P-80106 by Interactive Elements. In no event shall the FTA or Interactive Elements have any responsibility for any consequences of the use, misuse, inability to use, or reliance upon the information contained in this document; nor do they warrant the accuracy, efficacy, or applicability of its contents.
AGM Assistant General Manager
APTA American Public Transit Association
ATO automatic train operation
ATP automatic train protection
ATS automatic train supervision
ATU Amalgamated Transit Union
CIP Capital Improvement Program
DECO Design and Construction Department
DGM Deputy General Manager
FTA Federal Transit Administration
MARS Maintenance and Reliability System
NTSB National Transportation Safety Board
OCC Operations Control Center
QA Quality Assurance
SSPP System Safety Program Plan
WMATA Washington Metropolitan Area Transit Authority
A recent series of accidents and incidents at the Washington Metropolitan Area Transit Authority (WMATA) have raised concerns about the Authority's commitment to safety as its top priority.
In January 1996, a train operator was killed at an end-of-the-line station when his train slid on icy tracks into parked railcars. There have also been incidents of tower supervisors misdirecting trains in yards, including an incident in which a supervisor directed a train to pass a red (stop) signal. In April 1996, WMATA disconnected the operating mechanisms for the mid-car emergency doors on approximately 100 rail cars without informing the public. The doors were disabled to allow electrical repairs to be made gradually over a two-day period without removing cars from service. Later that month, two workers were injured when their tools made contact with a live electrical cable that should have been deactivated while tracks were being repaired. On May 10, 1996, a delayed response to a fire put both firefighters and passengers at risk. This document presents a review of safety and operational issues at WMATA. It is being performed under the auspices of the Federal Transit Administration (FTA).
Safety has long been identified as one of the highest priorities of railroads and rail transit agencies. In the last decade, safety has been increasingly based on the formal disciplines that constitute system safety, utilizing the four elements identified in "System Safety Program Requirements" (MIL-STD-882C, Department of Defense, 1993):
WMATA has not kept abreast of these developments. Its safety efforts have been weakened by: frequent changes in reporting level of the Safety Department; staff and budget reductions; a de-emphasis of safety awareness in public and corporate communications.
The Safety Department was moved from place to place in the WMATA organization, making its work difficult, its priorities uncertain, and its status at the agency marginal. This review found little evidence of the Department's participation in decision making (as required by WMATA's own System Safety Program Plan), conduct of safety audits or reviews, or implementation of public or employee safety awareness programs. From 1992 to 1996, the Safety Department staff was reduced from '17 to 12 positions. But at the time this review began, only 8 of the 12 positions were filled. Furthermore, as a result of the Department's movement through the organization, the Department became responsible for other functions, further reducing its ability to meet its safety responsibilities. These limitations are reflected in, among others, the absence of strong public and employee safety awareness programs.
The effectiveness of WMATA's safety programs has been limited by what might be called the agency's corporate culture. The areas of primary concern are:
These attitudes and problems have a long history. As early as 1985, one study identified beliefs that "task completion is more important than task quality," resulting in, among others, incomplete preventive and corrective maintenance. It also found that middle managers were uncertain as to their responsibilities and authority.
This culture has permeated the agency, and limits initiative and effective action. Its correction is a long-term effort that will require continuous attention.
WMATA's Board has taken important first steps to change the situation. A new General Manager has been hired and he, in turn, has selected experienced rail transit professionals for the positions of Deputy General Manager for Operations and Chief Safety Officer. The General Manager has instituted a review of the safety function and a complete revision of the agency's System Safety Program Plan (SSPP), which, at the time of this writing, he has piloted through approval. The new Plan includes detailed protocols for the identification and assessment of hazards. In addition, it increases the staff of the Safety Department to 16 positions in 1998 and 19 in 1999.
As the second largest rail transit system in the country and operating in the nation's capitol, WMATA has a special safety burden. By some measures, it has appeared to carry that burden well, with only two fatalities in its more than 20 years of operation. As documented in its findings, however, this review found serious deficiencies in safety-related operating practices at WMATA. These practices reflect policies and procedures in place before the arrival of the current management team in the early fall of 1996.
The findings are divided into three categories:
In the body of the report, the findings are set in appropriate contexts followed by the supporting evidence.
In the context of this report, intelligence is used to mean the gathering and integration of information into the cumulative operational knowledge of WMATA.
Under this heading, this review made 18 findings with respect to the status of WMATA at the time of the Shady Grove accident. Most important among them is a lack of rail
operations perspective at WMATA. This leads, in turn, to deficiencies in the use of readily available information that should be applied to the identification of safety concerns and their resolution.
Proper performance indicators are not maintained; outside analyses and reviews are not effectively utilized; problems are not investigated to sufficient depth; and the principles of system safety are not generally practiced.
As a complex organization, the Rail Operations Department of WMATA requires orderly mechanisms to gather information to and from line personnel and to issue instructions to those personnel. Implied in these functions are accuracy of the information and its validation, timeliness and coherence of both the information and the instructions, and effectiveness of the instructions.
The seven findings in this category identify deficiencies in the communication of this information. They confirm conditions identified more than a decade ago by an external consultant who found confusion in middle management regarding authority, responsibility, and chain of command. In addition, the authority of written rules was found to have been undermined by managers who intimidated subordinates and discouraged initiative throughout the organization.
WMATA, as organized at the commencement of this study, used one of several structures that have been successful in similar multi-modal agencies. The Safety Department has recently been made a direct report of the General Manager, and so the organizational structure, if properly staffed, is suitable to the agency's mission. However, not all positions are filled, and the credentials of some management staff did not match their job descriptions.
The new management team must now act aggressively to overcome entrenched attitudes and behavior. Among the most important challenges the team faces are:
It is a well-established practice in rail transit operations that incidents and accidents be subjected to detailed analysis to provide clues to avoiding their recurrence and to identifying and curing any other potential weaknesses that may have surfaced. The Federal Transit Administration (FTA), under 49 U.S.C. Section 5327(c)(3) of its authority, has initiated this review of safety issues at WMATA, under the direction of its Volpe National Transportation Systems Center (Volpe Center). The Volpe Center, in turn, contracted with Interactive Elements, Inc. to assist in the performance of the review.
In recent years, a number of FTA-sponsored studies have elaborated the subject areas that constitute a comprehensive safety review, including the following nine elements:
In recognition of other reviews in progress or recently completed, and to focus on areas of special concern to the FTA, this investigation emphasizes four key areas of WMATA's Metrorail system.
Policies and practices relating to and affecting safety operation were reviewed using the seven-part paradigm that was developed by Interactive Elements for a previous FTA-sponsored safety investigation:
The resulting report is based on information gathered at WMATA through three channels:
Throughout the course of the review, the Project Team depended upon WMATA to furnish written materials and to make selected individuals available for interview.
As a result of the Shady Grove accident, several investigations, both internal and external, were initiated. These include:
In addition, as discussed in the body of this report, WMATA has been the subject of other safety-related investigations, audits, and reviews over the course of its history.
While it is beyond the scope of this study to confirm independently the results of these other investigations, many of their most important conclusions were found to be accurate. This review team was troubled to find that many of the recommendations of earlier studies were not implemented, or if implemented, were not effective in solving the problems they were intended to solve. Furthermore, where scorecards were maintained on the status of past recommendations, such as in the NTSB report of a 1982 fatal accident, many recommendations including those marked by the NTSB as "Closed-Acceptable Action" were found not to be currently in place. This important issue is discussed in detail in Section III.
Two other initiatives are in progress in parallel with this review:
ICF Kaiser Engineers - this firm is providing an assessment of the system safety function, assisting WMATA with the revision of its System Safety Program Plan, and aiding in the selection of a new Director of System Safety
Booz-Alien & Hamilton - Booz-Alien is conducting a management and organization assessment study to improve agency performance
To the extent consistent with its scope of work, the present review attempts to identify the reasons for WMATA's failure to adopt, implement, and effectively execute previous recommendations related to safety.
During the course of the review and the development of findings, it became clear that the conclusions could best be presented coherently and effectively under three general categories:
Within these categories, the individual findings are presented in italics, followed, where appropriate, by a discussion of the issues and the underlying evidence that supports them. Suggestions as to possible remedies are included in some cases. These are not intended to restrict WMATA's range of actions in any way but rather to assist the agency in formulating its own plans.
This report begins with a discussion of the historical and corporate cultural conditions at WMATA at the time of the Shady Grove accident. It then presents its findings, divided among the three categories above. Where findings and evidence are applicable to more than one of the above categories, they are presented again in the context appropriate to that category.
The major technical issues are revisited in Section VI (Critical Technical Issues).
The planning of a public transportation system to serve the Washington metropolitan area began in the early 1950s, with the passage of the National Capital Planning Act. During the Eisenhower and Kennedy administrations plans were developed for a regional transportation system that included a rapid rail system, commuter rail service, and express bus service. Finally, on November 6, 1966, after fourteen years of planning and deliberation, President Lyndon Johnson signed a bill creating the Washington Metropolitan Area Transit Authority (WMATA).
WMATA is governed by an appointed twelve-person Board of Directors comprised of six voting members and six alternates. The members represent Maryland, Virginia, and the District of Columbia. The board has responsibility for all policy issues concerning operations, construction, and administration. It may also formulate regulations affecting the safety of passengers, employees, and the general public.
The WMATA rail system, "Metrorail," has 92.8 miles of track (subway, elevated, and surface) and 76 stations. Its rail car fleet consists of 292 cars built by the Rohr Corporation and 466 built by Breda. The cars are 75 feet long and 'ID feet wide, function in married pairs, and run in trains up to eight cars long.
WMATA has a state-of-the-art train control system that regulates train speed and spacing, starts and stops trains, opens doors, and monitors train performance. Under normal operation, the train operator does not run the train, although he or she can override the automatic system, and operate manually following written procedures.
Since its inception in 1967, WMATA has had seven General Managers and three interim General Managers. While there was some longevity in the early years, there have been three General Managers and one interim since 1991.
The focus for the early General Managers was building the rail system. In 1973, however, WMATA acquired the region's four bus carriers. As a result, a major part of its mission was diverted to the operation of a bus system. WMATA became, de facto, two agencies: one concerned with rail building and the other with running buses. This division of priorities, created in 1973, further complicated by the opening of the rail system, can still be seen in the present-day organization.
The second wave of General Managers, by background and priorities, focused their attention on financial issues, in particular securing funding for the construction of the balance of the rail system. It was not until 1992 that WMATA hired a General Manager with rail operating experience.
Throughout its first twenty-five years, the WMATA organization grew largely from within its own ranks. Most of the General Managers did not reorganize the management structure or reporting lines, nor did they bring in new staff. In general, people were promoted from within the organization. In mature organizations, this is a laudable approach and generally fosters good agency morale. In the case of WMATA, however, it had the effect of creating and sustaining a void: few, if any personnel were brought into the system with rail operating, rail engineering, or rail safety experience. As a result, there was a minimal tradition of rail operations culture and knowledge at the agency. In addition, as General Managers changed, so did priorities, and, at times, this led to safety's importance being reduced.
Transit agencies commonly state that their goal is to transport their customers safely, securely, and dependably in a cost-effective manner. Indeed, many railroad books of operating rules traditionally state that "Safety is of the first importance in the discharge of duties." Safety encompasses all aspects of a transit system's functions, from planning to design to construction to operations. It should be a common theme permeating the organization, and affecting every individual working there. Thus, the safety program should be supported by all of the organizational elements of the transit agency.
System safety is a management and engineering discipline developed to formalize efforts to achieve safer system operation. Originating in the defense and space industries, system safety has evolved to assist a variety of organizations in the cost-effective assurance of safe systems.
In the widely used "System Safety Program Requirements" (MIL-STD-882C, Department of Defense, 1993), four elements of an effective System Safety Program are identified:
The system safety concept, therefore, becomes a strategy for managing safety as it applies to selection, design, construction, operation, and maintenance of all the systems and subsystems that comprise the total transit system.
Through the use of a formal, planned approach to safety, agencies adhering to system safety concepts can identify and resolve hazards early, respond to emergencies in an orderly way, anticipate the safety impact of capital programs and changes in operations, and maintain safe operation in the face of turnover of key personnel.
While the scope of this review did not include an in-depth examination of the WMATA Safety Department's organization, staffing, or functions, some general comments on the safety organization will set a useful context for an understanding of conditions at WMATA at the time of the Shady Grove accident. It will also provide a basis for discussions of steps for restoring WMATA's safety programs to the exemplary role they must provide.
Two other reviews of safety organization have already been conducted: an internal study performed after the Shady Grove accident (January 6, 1996), that resulted in a report to the General Manager on June 28, 1996; and an external assessment of the safety organization by ICF Kaiser Engineers for the new General Manager.
There are three mechanisms by which safety's stature has been undermined during WMATA's recent history:
The visibility of the Safety Department at WMATA has fluctuated under the leadership of various General Managers, playing a primary role under some managers and a secondary one under others. Yet, the overall impression gleaned from interviews conducted indicates that the critical roles that safety and system safety should play in a rail transit system were generally not understood by top management.
Despite this, as shown in Table 1, there were periods in the history of WMATA during which safety was elevated to an appropriate position within the organization.
|Fiscal Year||Safety Organization Reporting|
from: An Organizational Review of Safety Management at the Washington Metropolitan Area Transit Authority, June 28, 1996.
Branch within Office of Transit Engineering and Safety, reporting to Assistant General Manager (AGM), Transit Operations
1986, 1987, 1988, 1989
Branch within Office of the General Manager, reporting to General Manager
1990, 1991, 1992
Independent Office, reporting to the General Manager
1992, 1993, 1994, 1995, 1996
Branch within Office of Safety and Risk Management, reporting to AGM, Finance
Independent Office, reporting to Deputy General Manager, Administration
Throughout the transit industry, many agencies have been steadily moving the safety function up to report to the general manager or president. This reporting level has several benefits: it clearly emphasizes the importance of safety within the entire organization; it assures independence; and it provides the department with access to the highest level of management.
As shown in Table 1, the department was relegated to a branch in Transit Engineering in the mid-eighties. This organization failed to recognize the operational aspects of safety. The situation was rectified in 1986, with a satisfactory reporting structure that remained in place until 1992. Thereafter, the department again moved lower into the organization. During several periods, it was under the Assistant General Manager (AGM) for Finance. Such placement puts the department directly in a position for potential conflicts of interest, since as the agency's advocate for safety, the department must initially be free to present its views independent of cost considerations.
The Department's 1996 move to a position under the Deputy General Manager (DGM) for Administration made its lines to its prime responsibility-safe transit operations--long and convoluted. The presence of the department three levels removed from the General Manager also sent a significant and unsatisfactory message--that safety was not a genuine priority.
The present General Manager, in concert with his overall rehabilitation of the safety function, has restored the department to one of his direct reports. Other activities in the rehabilitation of the Safety Department include hiring a new Director of Safety and a thorough revision of the agency's System Safety Program Plan.
At the time of this review, the Safety Department had a total of twelve staff positions ( a loss of five positions since 1992), although only eight positions were filled. During the past thirteen years, the department has merged with several other departments: in 1986, it merged with Fire Protection and Safety and System Assurance, and in 1993, it then was joined with Risk Management. As a result of the merger with Risk Management, the Safety Director's time, resources, and energies were split between two functions: safety and claims. Perhaps of equal concern is the fact that the merger again sent a message to the WMATA employees that safety was not a primary concern of senior management.
As a result of its loss of staff, its increased responsibility, and its low reporting position, the Safety Department was unable to perform many functions normally handled by a transit system safety department, including data collection, trend analysis, system safety, accident/incident investigations, hazard analysis, and the like. Moreover, it could not provide the proactive services that are required, such as training, auditing, and field inspections.
Finally, major functions that are commonly found within a safety department's purview were located in other WMATA departments. The Design and Construction Department (DECO) has its own safety staff that does not interface on a regular basis with the Safety Department. In addition, there is a separate Duality Assurance Department. Safety does not have routine communications with other departments. In fact, communications. generally occur only when an emergency, an accident or incident takes place, or a department requires information concerning a product.
The continued undermining of the staff and status of the Safety Department led to a number of shortcomings that have developed over time. Table 2 identifies some areas cited in WMATA's own internal report.
Despite the loss of staff and the reactive role that it has been forced to play, employees of WMATA generally support a strong, active Safety Department. As one person stated: "[the] Safety Office should become a proactive partner to the branches, which helps to insinuate a work culture where good safety practices are a desired and integral part of productive work."
from: An Organizational Review of Safety Management at the Washington Metropolitan Area Transit Authority, June 28, 1996.
One crucial means of promoting the concept of safety is through communication, both to employees and the public. While WMATA has made some use of these channels, its scope, range, and efforts have been limited.
It has a safety awareness program for school children that uses a mascot, Mr. McGruff, who teaches children about riding Metro safely. In addition, it has used the media and a poster program to alert customers to the proper use of escalators (a frequent source of problems in the past).
While the agency holds emergency drills and training with local fire departments, it does not publicize these activities. Such publicity could provide the public with some assurance that planning for emergencies is an integral part of WMATA's operations. Internally, there is a lack of attention paid to safety issues. No employee safety committees meet on a regular basis to identify and address safety issues. The Safety Department does not regularly issue any safety notices or bulletins. The employee newspaper, inside Metro, has no regular safety issue feature columns, nor does it publicize lost-time injuries by department (a form of positive competition among departments to reduce injuries), or injury-free departments.
At one time, WMATA had a Safety Awards Incentive Program that was administered by the Safety Department. The program recognized employees who made significant safety contributions at the agency. The program was terminated in 1993. Many employees interviewed for the internal study stated that it was a worthwhile program that should be reinstituted .
The corporate culture that has existed at WMATA stems, in part, from the background and historical factors discussed above. The areas of primary concern are:
· the lack of rail transit perspective throughout the organization
· the lack of understanding of system safety concepts and responsibilities at all levels
· of the agency
· the lack of a system of checks and balances to identify and correct problems during
The absence, from the outset, of a strong rail operations perspective at WMATA set a poor foundation for certain aspects of the organization. Such widely respected principles as the primacy of written rules and safety first did not play a role in the agency's operation. In time, their absence became the "tradition" of the agency, ingrained in its corporate culture.
System safety, as an organization-wide discipline, includes the notion that "safety is everybody's responsibility." This was so remote from the agency's culture, that safety was described as a tool for accelerating desired projects, but to be ignored if it would impede them.
Effective system safety practice requires that safety ramifications be examined for every significant agency decision. This is a way of thinking, and for it to be successful, it has to be practiced as part of the culture of the organization. Those raising safety issues cannot be derided or punished or ridiculed, as was alleged at interviews during this study.
A system of checks and balances serves to ensure that sudden and unexamined actions do not have an adverse impact on an organization's performance, much less its safety. As WMATA implemented a number of questionable policies in the months prior to the January 1996 accident, there was no countervailing force at work in the agency to question these policies and subject them to a proper and disciplined analysis.
WMATA's Board has taken important first steps to improve the agency's corporate culture. A new General Manager has been hired who, in turn, has selected capable professionals for the positions of Assistant General Manager for Rail Operations and Director of System Safety. The General Manager has instituted a review of the safety function and a complete revision of the agency's System Safety Program Plan. However, cultural attitudes and problems have a long history. Their correction is a long-term effort and will require continuous attention.
In the context of this report, intelligence is used to mean the gathering and integration of information into the cumulative operational knowledge of WMATA. It incorporates three aspects of the management of that knowledge:
The important subjects of how information is communicated and how information is utilized in decision making are covered in the next section of this report (Command, Communication, and Control).
The safe, effective operation of any enterprise is highly dependent on the presence and accessibility of large amounts of information. At WMATA, the second largest rail transit system in the country, and one of the most advanced technologically, there are additional needs for a strong knowledge base, timely, accurate updates to that base, and frequent comprehensive reviews of it. The agency combines highly automated operations with manual ones. It has infrastructure that is almost thirty years old connected to new lines currently being placed into service. These system characteristics increase the informational needs of the organization. The importance of these needs is increased further in view of their impact on more than 600,000 daily riders and 6,000 employees.
Several of the analyses performed as a result of the Shady Grove accident, and some studies performed earlier, indicate that there are deficiencies in the basic rail expertise and experience at WMATA. This review confirms that such deficiencies continue to exist and that they are likely to have contributed to the conditions that led to Shady Grove.
There is an absence of rail operations perspective throughout the organization.
During the study, evidence mounted that conditions, factors, and events were regarded and treated differently at WMATA than they would be at other rail transit agencies. This appears to have its roots in the earliest staffing and organizational decisions made at WMATA. Despite numerous prior indications that this has been a problem, little has been done to foster a strong rail operations perspective.
The rail division's strong roots in bus operations have not been adequately supplemented with rail transit expertise.
WMATA's rail operations were created in the late 1960s from bus operations that were then serving the Washington metropolitan area. This history has had both benefits and disadvantages. On the one hand, in accordance with the union contract, WMATA's rail division hires operations personnel from a pre-qualified labor pool with better credentials than that available to most transit agencies, namely its own bus operators. WMATA has further enhanced this benefit by offering rail operating positions only to the most capable bus drivers.
However, this has been coupled with a history of supervisory appointments, at all levels, of personnel without strong rail operations experience. This lack has deprived the WMATA of a rail transit operations perspective that might have enabled it to recognize and act upon deficiencies that have persisted over much of the life of its rail division.
WMATA's book of rules has deficiencies in format and is not what other agencies utilize.
Railroads and heavy rail transit agencies require that operating personnel know and conform to a detailed set of rules and regulations contained in the agency's Book of Rules. The staff is required to carry the book with them whenever they are working. They are also responsible for keeping it up to date, by adding all rule changes until a new book is issued. To assure that the book is useable by the staff it is generally restricted to what the operations personnel need to know in the performance of their work.
While there are many approaches to meeting these needs, this review found WMATA's Book of Rules to have several defects in format, among them, that it is permanently bound, and therefore, not capable of being updated conveniently. It is cumbersome, primarily because it contains procedures, sometimes in excessive detail. It is lengthy and difficult to read.
WMATA does not utilize on-time performance as an indicator of system health.
On-time performance is a nearly universal indicator of overall rail transit system health. In its place, WMATA has traditionally utilized headways (the interval of time between trains), which, while sound for bus systems where "bunching" is an issue, fails to account for deterioration in running speed and other potential problems on rail systems.
Station overruns are regarded as neither a critical issue nor a safety concern.
WMATA has some 450 station overruns per year. (A station overrun being defined as at least one door beyond the end of the platform.) In most rail agencies, where trains are under manual operation, station overruns are considered cause for immediate investigation and possible relieving of the train operator. It is common for an agency to dispatch supervisory personnel to meet a train that has experienced a single overrun to verify that the operator is fit for duty and his or her equipment is functioning properly.
At agencies where trains are operated under automatic train operation (ATO) similar to WMATA's, the operator's fitness still remains a concern, because he or she has ultimate responsibility for safe train operation. However, because of the dependence on automation, the condition of the equipment becomes a greater concern. At the Bay Area Rapid Transit District (BART), for example, an automated system with considerable similarities to WMATA, this review verified that there are some 15 to 20 overruns per year (with an overrun defined as the head end coming to a stop 36 inches or more beyond the end of the platform). Yet, with overruns exceeding 400 annually and varying in magnitude from one door set to an entire train, WMATA had not undertaken a serious investigation of the problem at the time of the Shady Grove accident.
The failure of WMATA to address train overruns as serious system problems runs counter to the practice of experienced rail operators. (This subject is treated in further detail in Section VI.)
WMATA has failed to hire or develop strong hands-on senior staff.
The impact of the lack of rail operations perspective is exacerbated by WMATA's failure to place strong, hands-on rail transit operating personnel in senior management.
At the Assistant General Manager level and above the agency has traditionally selected managers as opposed to rail managers.
This may be a result of the large bus ridership or of a management philosophy that deems a good manager capable of managing an organization, regardless of its nature.
In either case, because there was no pre-existing rail operations expertise, these managers did not have expert subordinates on whom they could rely. And because they themselves lacked a rail operations perspective, they were unaware of the limitations of their staff. This may have created a vacuum that was subsequently filled by staff that was, by temperament and training, unsuited to managing the rail system.
General Managers who did have some rail transit experience deferred to a less qualified subordinate on rail operations issues.
Because WMATA General Managers themselves tended not to have strong backgrounds in rail transit operations, an inordinate degree of authority and control over such matters became vested in individuals below the level of General Manager. Lacking knowledge of rail transit operations, General Managers were able to exercise no oversight or review of decisions that were made by such individuals.
WMATA has not allowed qualified staff to use their expertise or encouraged staff to expand their know/edge.
Building on their roots in bus transit, capable line personnel will develop rail expertise on the job. While the knowledge gained in such a manner is likely to be incomplete, much of it can be of considerable value. The train operators at WMATA developed expertise but management was disinclined to respect it or allow it to be exercised. Professional staff were restricted in their ability to expand their knowledge.
Train operators developed skill at determining when they should operate manually to reduce station overruns and to maintain better control of their trains in inclement weather.
According to interviews, this was an almost clandestine activity. It precipitated action by management to monitor and then prohibit its occurrence. At some expense, indicators were added to the Operations Control Center (OCC) control board to show when operators ran manually. Later, in violation of the agency's own operating rules, the operators were forbidden to operate manually without the express consent of the OCC personnel.
In at least one case, a manager sought to increase understanding of the functions managed by auditing some of WMATA's training courses. Senior management forbade the practice but the manager persevered.
WMATA personnel do not generally attend industry meetings or participate in industry events.
Informal interagency communication is an excellent channel for expanding and improving internal views about transit operations. Different agencies face many of the same problems and one system can benefit from the lessons learned by others. At such events, managers in similar positions can discuss these problems and explore their similarities and differences. The merits of technical versus management solutions and the use of internal resources versus external ones can be evaluated.
Peer reviews and visits to WMATA from other agencies do not appear to have been productive in this regard, as will be discussed in the next section (Sources of Information).
The agency has not understood system safety and its implications,
The failure of WMATA to investigate station overruns properly is evidence of a larger. systemic lack of understanding and respect for the system safety function. In a high-technology agency such as WMATA, numerous sophisticated systems interact, largely without human intervention or monitoring. If a change is made to such a configuration its ramifications cannot be easily identified or understood. In such an environment, the participation of the Safety Department in decision making and review is critical.
Safety is not regularly mentioned in the job descriptions of senior and middle managers.
In rail operating environments "safety is of the first importance in the discharge of duty." This translates into a responsibility of senior and middle management to recognize the importance of safety and to promote it. Furthermore, it is widely regarded in transit agencies that safety is everybody's responsibility.
Despite the prevalence of these views in the industry, only two of the management job descriptions provided to this review included any reference to safety. As discussed in Section IV (Command, Communication, and Control), this translates into an absence of safety awareness programs throughout WMATA.
WMATA does not regard station overruns as a safety concern.
WMATA's failure to understand the implications of its large number of station overruns is discussed above, especially with respect to what it indicates about management's rail operations expertise.
The issue reflects WMATA's lack of understanding of system safety as well. At WMATA, station overruns were considered to be a "passenger inconvenience." However, whenever a system is forced to undertake abnormal operations or use a regularly unreliable subsystem, safety is compromised. This direct relationship between reliability and system safety was not widely appreciated at WMATA. The high frequency of station overruns should have led management to identify and seek to cure their causes.
The Safety Department does not actively participate in procurement reviews, system integration reviews, and configuration control functions.
The Department is regarded as useful to accelerate a program but it is excluded from deliberations where it might interfere with the desired implementation schedule. There are no formal requirements that it participate in reviews.
The Safety Department was not involved in the site investigation of the Shady Grove accident.
The strongest, most independent and unbiased safety investigations result if an independent safety department plays a key role in accident investigations. At many agencies, where the safety department has sufficient operations expertise, it takes the lead in such investigations.
Consists (a consist is the set of cars making up a train; pronounced with the accent on the first syllable: CONsist) of untested mixes of cars are operated on the system without safety review or tests of braking distances or other compatibility.
WMATA began operating mixed consists of Breda-built and Rohr-built cars without any testing or analysis of the possible safety or train reliability consequences of such operation. While built to the same general specifications, there are significant component differences between the car classes. To assure such a configuration can operate without presenting new hazards, a sound safety program would require extensive nonrevenue tests of train performance and braking, and analysis of test results, before certification of such consists for revenue operation would be sanctioned. There is no evidence that such tests were performed. (It was reported to this review that compatibility problems were actually experienced in revenue service due to differing brake rates between the car classes.)
No safety review was performed of the decision to eliminate most supervisory contact with workers reporting for yard duty.
Lack of supervisory contact with reporting train operators eliminates the opportunity for face-to-face checks of fitness for duty. Currently, such contact has been removed for train operators assigned to yard duty. This in itself presents a safety problem for agency employees and property. If, as happens on occasion, a yard operator is assigned a revenue train, the potential seriousness is increased. Even though trains are run primarily under automatic control, a thorough safety review would have noted that an operator must have the ability to run the trains manually. This is a direct consequence of the operator's ultimate responsibility for safe train operation.
The Safety Department was excluded from participation in some of the agency's major car procurements.
In the procurement of new vehicles, whether through an extension of an existing contract, or de novo, it is important that a thorough safety review be performed of the required operating parameters and specifications, so that the procurement documents will conform to system safety requirements.
During later stages of such procurements, especially during vehicle acceptance testing, the Safety Department should take a lead role in reviewing any safety-related performance characteristics. Modifications to brake tests and waiving of such tests may, on rare occasions, be necessary, but it is imprudent to do so without a thorough review of the safety implications.
Programming changes affecting the braking profile and other critical safety characteristics are not subjected to reviews by the Safety Department.
The utilization of sophisticated automatic supervision and control increases the need for detailed review of changes.
The various systems used at WMATA interact in numerous and potentially unpredic-table ways (the default to the highest performance level prior to the Shady Grove accident, as will soon be discussed in more detail, is an example). Yet, at WMATA, "fixes" are implemented with no record of the thorough testing that should be per-formed. As a comparison, at most rail transit agencies, considerable testing is per-formed in advance of system changes. If a new interlocking is being put into service, one group prepares an exhaustive set of tests; these are then executed by personnel from another department, under the supervision of the designers. Only after all tests have been passed using live trains, is the interlocking put into revenue operation.
As an automated system serving the nation's capital, WMATA has better means to improve its knowledge base than most other transit agencies. Its automated data acquisition and control systems can provide almost any measure of system performance management can identify. The agency is frequently visited by peer groups and has been subject to American Public Transit Association (APTA) safety audits, FTA-sponsored Triennial Reviews, consultants' reports, and NTSB accident investigations.
Despite these ready sources of information, the agency has failed to seek the proper information from its internal sources, and to make effective use of reviews and analyses performed by outside agencies. In one disturbing case, a serious discrepancy in system design has gone uncorrected despite its identification more than a decade ago, namely a lack of conformance of car braking performance to block lengths. A recently installed on-line information system has received mixed reviews and was not accompanied by sufficient orientation and training.
There is little effort to collect, analyze, and utilize important indicators of the health of the rail system.
The role of performance indicators at WMATA is discussed in detail in Section VI of this report as one of the Critical Technical Issues identified by this review.
WMATA does not use on-time performance as an indicator of system health.
While there are numerous measures for determining overall transit system health, on-time performance is used almost universally because it provides the best overall estimate of system performance. WMATA, on the other hand, utilizes deviation from headways for this purpose.
Passenger off-loads are tracked in considerable detail, and are included in the General Manager's monthly report to the Board; but little or no effort is made to correct the causes of these off-loads.
When a train breaks down in the middle of its run, it is not unusual to off-load the passengers and move the train into the maintenance facility for repair. While some failures, such as a stuck door, may be correctable, it is often difficult or impossible to make a "running" repair (while the train is in service). Even if such repairs can be done, they may cause considerable delays for later trains.
Accordingly, WMATA often performs such off-loads, cancels the train, and performs any necessary maintenance in the shop. But while the reason for the offloads is noted, tabulated, and tracked as a performance indicator, there is no effort to utilize the indicator to cure those causes that are attributed to brake or door problems.
WMATA has failed to make effective use of the considerable potential for automated analysis of system performance.
As an automated operation, WMATA has the systems in place to capture and retain considerable operating data. Such data could be utilized to perform retrospective analyses of system performance, potentially adding an informative dimension to any incident or accident investigation. The extent of correlations of various operational conditions and other factors could be evaluated. Analyses should be performed of such issues as whether station overruns occur at particular stations for particular vehicles or in inclement weather. Such analyses would assist in characterizing underlying problems and then in identifying their causes.
The newly installed Maintenance and Reliability System (MARS) has received mixed reviews from interviewees. This may be because there was little input into the system design from the prospective users of the system and there has been little or no orientation and training on the system's benefits and use.
Information appears to be collected, but not used. During interviews, this review was told that MARS had the information being sought, but no one knew who was using it or what forms of analysis were being done.
Investigations of system problems, if performed at all, are often superficial with important operating decisions being made without proper analysis.
Management has adopted an "arm's length" attitude with respect to operating information: a question is asked and staff provides an answer, but management does little to probe the accuracy or completeness of the answer. It appears that no effort is made to determine the facts on which the answer was based. This management approach parallels the actions of the automated systems in use at WMATA, wherein a measurement is communicated with little or no independent indication of its validity. The vitally important systems approach to problem solving was not practiced at WMATA.
This subject is discussed in Section IV (Command, Communication, and Control) with respect to the bases of management command decisions.
No serious determination was made as to the cause of the "flat wheel problem" that was the proximate cause of the order restricting manual operation. (This problem is discussed further in Section VI).
No analyses were found that justify the attribution of increased flat wheels to manual train operation. Indeed, this review was provided with anecdotal evidence that the only analysis performed concluded that manual operation was not responsible.
No regular independent check of braking distances is performed by WMATA.
Despite the excessive occurrence of station overruns, there was no evidence of intensive efforts to empirically determine the actual braking characteristics of commonly used train consists. Such a determination would involve the operation of a train at varying speeds along a straight, level track, and the measurement of the distance from application of braking to dead stop. Such measurements could be made for braking under a variety of controls, from manual to ATS, under normal and emergency conditions.
No indication of an investigation of any kind was located by this review for a reported overrun by a full train length in December 1995, a month before the Shady Grove fatal accident.
All station overruns are serious and should be investigated. An overrun by a full train length is a major system failure.
The investigation of incidents (operating irregularities that have the potential to affect the safety of train movements, riders, employees, or the general public, or to cause damage to agency property) is an important practice at transit systems. It gives the agency the opportunity to characterize a hazard and take steps to eliminate it. Such an investigation, in accordance with system safety practice and as taught at USDOT's Transportation Safety Institute, should consist of:
Consultants and suppliers have been given work of narrow scope, so that it is difficult to achieve a systems perspective.
Problems encountered at WMATA have been addressed on a "linear" basis. That is, rather than looking at them from the viewpoint of their relation to the entire system, the tendency has been to investigate them narrowly and offer solutions without consideration of possible ramifications elsewhere in the system.
The scope of a consultant's study of microprocessor and software issues affecting propulsion and braking systems was too restrictive to allow investigation of closely related safety issues.
In response to concerns over the performance of Breda-built rapid transit cars, a consultant, Battelle, was retained in 1988 to undertake an investigation restricted to the microprocessor and software in the braking and propulsion systems to identify potential problems that could impact safe braking. This study was completed with the finding that safety criteria, from a software point of view, were met in the normal mode of operation, but the report identified some conditions during abnormal operation which could result in inadequate braking. The limited scope did not investigate whether or not the hardware generating required signals, or required to act on received signals, had any inherit safety problems. Nor did it allow analysis of whether or not the operating procedures required to mitigate the inadequate braking provided during abnormal operations were satisfactory. From all appearances, it seems the narrowly focused report was accepted as proof that the Breda car braking systems were safe.
Some personnel interviewed by this review described past instances in which car performance problems were corrected by calling in the subsystem supplier to design a "fix" and implementing it in a matter of weeks. Most recently, this approach was used, after the Shady Grove accident, to raise the minimum slip/slide braking rate on the Breda-built cars to the minimum required by the train control system for assurance of safe braking distances. While the car modifications made in this manner may be needed, the process does not conform to sound practice. This review saw no evidence of any analysis or testing to determine if the modifications had any adverse consequences, outside of the specific functionality they were designed to correct, that could impact overall system safety. Moreover, attempts did not seem to be made to investigate the cause of the problem.
WMATA fails to make effective use of outside analyses and reviews.
WMATA has been the object of numerous studies by external agencies. Many of these have repeatedly identified the same problems. Yet, at the time of the Shady Grove accident, such remedial action as may have been taken in some areas, was no longer in effect. This is most recently illustrated in the NTSB's investigation of Shady Grove, where the recommendations of a 1982 accident investigation are included as an appendix to the Shady Grove accident report.
Numerous sound recommendations from an NTSB accident report of 1982 are not currently operative.
In 1982, a fatal accident at WMATA was the subject of a thorough NTSB investigation that included important safety-related recommendations. Almost all of these are indicated by NTSB to have the status "Closed - Acceptable Action. While many of these recommendations may indeed have been adopted on the dates indicated in the NTSB report, they are no longer in effect. Either they were implemented ineffectively, or they were gradually allowed to lapse.
Among the 1982 recommendations that might have changed the course of events at Shady Grove are:
An APTA Safety Audit of December 1993, and a follow-up audit of June 1995, did not motivate WMATA to adequately examine and improve its safety function.
APTA found that "the most essential elements of the System Safety Program Plan were effectively implemented," and that the agency's excellence in implementing certain programs was "easily verifiable," among them "safety inspections, computerized safety data acquisition and analysis, safety awareness programs, . . . inter-agency emergency response planning, . . . " The NTSB's report on the Shady Grove accident found serious deficiencies in several of these same areas. This review confirms the findings of the NTSB.
There was little evidence of a commitment by WMATA to the system safety discipline, and little evidence of its application in day-to-day decision making.
No institutional recognition was given to a 1988 Battelle study of software and microprocessor hardware which identified the system's dependence on manual operation for safety.
In its introductory summary, Battelle, after evaluating the software for braking in the Breda-built cars, concluded that there were certain conditions "which could produce a lower than intended level of braking ...." But that "these conditions are not inherently unsafe since the train operator has ultimate responsibility for safe operation of the train." [emphasis added]
As indicated above, the Battelle study was of narrow scope. It properly identified potential safety problems in braking, but because the study was directed toward microprocessor system and software, the manual procedures and the chain of authorization for using them was not given further scrutiny by the consultant. There is also no evidence that WMATA recognized the importance of this issue.
A 1985 Booz-Allen appraisal of the Department of Rail Services and its quality assurance function identified problems that were still in place at the time of the Shady Grove accident.
As one of the key findings of its review, this consultant found that the Department of Rail Services "has serious infrastructural weaknesses that without rectification will inhibit the implementation of a balanced quality assurance program." The report found that the weaknesses pervade the organization, resulting in a general perception by employees that "task completion is more important than task quality. " This, in turn, was found to result in incomplete preventive and corrective maintenance, incomplete analysis and reporting, loose application of standards, and inadequate technical support, among others.
This 12-year-old report found deficiencies in administration that are identical to those discussed in Section IV (Command, Communication, and Control). In particular, that "many key personnel are not sure what their superiors expect of them, what they are accountable for, or what their authority is."
Proper training, certification, and monitoring of employee performance is essential to the safety of a rail transit system:
As presented below, in some of its training activities, WMATA shows genuine strengths. There are, however, some notable areas that require improvement.
The progression to becoming an Operations Control Center (OCC) controller does not a/ways provide adequate training.
There are two paths to the position of OCC controller:
These paths are determined by union agreement, and are not easily changed. Unfortunately, the second of these paths does not provide sufficient exposure to the rail system to qualify the controller for situations he or she may encounter from time to time.
Station managers have inadequate familiarity with train operations to be fully effective as OCC controllers.
While it is true that in order to qualify as an OCC controller a station manager must spend two years in on-the-job training, this training does not include train operating experience. They have no first-hand familiarity with the responsibilities of a train operator. Furthermore, they have not necessarily traveled the entire system: they may be "dispatching" over territory that they do not know.
OCC controllers who have held their positions for a long time are not familiar with many of the new lines or line expansions.
Train operators who rose to OCC controller five or ten years ago are controlling territories that are significantly larger, busier, and more complex than those they once operated on; and most OCC controllers have been in their jobs 15 years or more. This limits the preparedness of these controllers to deal with non-normal conditions in portions of the system.
There is no requirement for retraining or recertification on the system, either to refresh old training or to train controllers on system changes.
At most rail and transit systems, controllers are required to have 3 to 5 road days per year. This provides them the opportunity to reacquaint themselves with the territory. In addition, they get a first hand opportunity to observe any changes to the physical character of the right-of-way. Such changes may occur quite routinely, in the course of the capital program or maintenance programs.
While this study was in progress, WMATA created a training program to better familiarize OCC controllers with the system, including recent changes. The program was initiated in early 1997, and by the date of this writing, all the controllers should have received at least a portion of this training.
OCC controllers do not have experience in problem solving to handle non-normal conditions.
OCC controllers work in an automated environment and are at a disadvantage when, for example, in a real incident or accident, they must act quickly in unfamiliar circumstances.
Simulation approaches could be used to improve or refresh the problem solving skills, including "table-top" simulations for OCC controllers. Time could also be set aside when actual trains could be manually controlled.
Skills acquired by train operators during training are weakened by lack of use.
Based on the curriculum provided to this review, WMATA has a satisfactory train operator course. Train operators now receive twelve weeks of training (previously they received eight weeks). The course includes:
When the twelve-week course is completed, operators are qualified on the entire Metrorail system.
Train operators were restricted from exercising their train operation skills.
It is important, with skills of this nature, that they be used regularly, to insure their continued quality. Prior to November 1995, therefore, train operators were required to run trains manually on a regular basis. In November 1995, directives were issued forbidding operators from running manually. They stated:
At no time will trains be permitted to run in manual mode (mode II, level I) except in an emergency situation
As a result, some skills, particularly for newer train operators, were lost.
Train operators were prohibited from using their troubleshooting skills en route.
The operator's training course includes a significant unit on troubleshooting minor car problems and bypassing them to keep the train in service.
In an effort to maintain schedule headways, however, management has preferred not to rely on these skills. Operators are not given the authority to assess problems en route; even minor door problems result in passenger off-loads and removal of trains from service.
This lack of authority to make assessments and address minor problems, as they have been trained to do, denies WMATA the benefits of this training. According, to the WMATA rule book, operators are in charge of their trains. In actuality, they are not: they take orders from OCC controllers, rather than participating in decision making.
Train operators have extensive knowledge of how the train "handles" on a day-today basis, and they are most familiar with the characteristics of the equipment. Yet, they have no input into the assessment of issues facing the system, including several that this review finds critical: flat wheels, station overruns, and slip-slide.
WMATA does not have adequate safety and system safety training programs for all levels 0f employees of the agency
The Metrorail safety rules and procedures handbook includes almost forty pages on safety, covering everything from hazardous materials to fire protection to operations training policies in considerable detail. Such comprehensive coverage has its strengths; however, it runs the risk of diluting critical operational safety information with other issues. Safety training must include techniques for distinguishing between general safety and operational safety.
Safety is not part of the WMATA environment
Based on interviews conducted, documents reviewed, and site visits, there is a general lack of safety consciousness at WMATA. Few of the training curricula emphasized safety. There were no safety posters, tips, or information at any of the locations visited (with the exception of the safety office).
While almost all those interviewed knew that WMATA had a System Safety Program Plan, few were familiar with its contents, and few were familiar with the concept of system safety as it applies to transit.
The lack of safety training is best expressed by the WMATA employees interviewed for the internal report "Organizational Review of Safety ... ". When asked what additional role they wanted the safety department to play, many senior managers and first line supervisors stated that there should be more safety training and that the Safety Department should be involved in its development and oversight.
The size and scope of WMATA’s Metrorail emergency preparedness manual and procedures reduce its effectiveness during an actual incident or accident.
In the event of an emergency, WMATA could face the problems of providing emergency aid to injured passengers and employees and of protecting thousands more from additional injury. To prepare for such eventualities, WMATA must establish and periodically test its capacity for emergency response. Since the agency operates in a jurisdictionally complex region and covers a large geographic area, it must depend on many external agencies for fire, medical, and police assistance. Its emergency preparedness plans should set forth the measures to be taken by it and related agencies to maintain readiness in anticipation of potential emergencies.
The manual has an introduction that briefly describes its purpose and scope, emergency agreements, fire equipment and procedures, operating procedures, emergency notification and call sheets, maps, and the like. The remainder includes sections of the other documents, with varying dates of implementation.
The organization and complexity of the manual limit its usefulness during a real emergency.
Because of past uncertainties in command authority at WMATA, and because of a lack of training and experience in rail operations during emergencies, this manual is the primary resource for emergency response. However, in its present format it could delay the effective first response to an emergency situation. Indeed, according to the NTSB Shady Grove accident report, the OCC sent the emergency response agencies to the wrong location, despite the fact that proper location was in the emergency preparedness manual.
The notification and call sheet is out of date.
The manual includes a notification and call sheet with the same date as the manual itself, November 1993. Many of the people listed on the call sheet have either left the agency or are in other positions.
This is a significant deficiency. Minutes lost in locating response personnel can dramatically affect the seriousness of the outcome of an emergency. It also suggests that this is not an up-to-date and working document for WMATA.
The emergency preparedness manual only refers to fire/rescue departments.
There are other agencies that respond to emergency and accident situations, including emergency medical services, hospitals, police, and federal, state, and local agencies. None of these are referenced, or even mentioned, in the emergency preparedness manual.
WMATA's program for simulations and drills does nor adequately meet preparedness and training needs.
Drills and simulations are generally recognized as effective tools to ensure that emergency plans, procedures, and equipment properly address the needs of various emergency situations. When performed properly, they will test the adequacy of training, the appropriateness of assigned responsibilities, techniques for evacuation, power removal, fire fighting, communication, needed agency involvement, and the like. They can also serve as an excellent vehicle to both boost public confidence in a transit system, and to educate the public as to proper actions during various emergencies.
WMATA has not utilized disaster drills to their full potential.
Such drills as have been held have not been on the scale required to test the agency's emergency response plans adequately. Most have been limited in scope and participation.
There are no annual or semi-annual full-blown simulations.
To be effective, such simulations should involve detailed, scripted accident events (such as a train fire with loss of power stranding a train in the subway between stations, or a collision/derailment with multiple injured passengers). They should involve every external agency that may respond to an actual emergency, and include levels of WMATA personnel with varying responsibilities. Employees should be encouraged to participate as volunteer victims and/or observers.
The annual program for emergency drills is limited in scope and external agency participation.
WMATA provided this review with a record of drills held since 1976, but there is no specified program of drills or simulations, of any kind, in the Emergency Procedures Manual. While there have been drills covering a variety of individual emergency situations, the only identified external participants were fire departments in the immediate jurisdictions.
In 1996, there were 15 drills held by WMATA; in 1995 there were 13. On the face of it, this would appear to be an adequate number for a system such as WMATA, operating through multiple jurisdictions. In each of these drills, however, the only outside agency participation was by the fire department of the jurisdictional area where the drill was held. The types of emergency Situations that could occur, however, may require cooperation from, or require the resources of, other agencies. Hospitals, police departments, emergency medical services, hazmat units, local utility companies are typical participants in drills and simulations at other transit agencies. All such agencies would play a role in an actual emergency.
Emergency drills have limited internal participation.
Internal participation appears to have been restricted to only those personnel directly involved in carrying out the drill. No effort appears to have been made to expand participation so that drills could be used as the valuable training tool they can be for transit personnel. Many managers interviewed, who were in positions that would normally require emergency response, said that they never participated in a drill. Senior managers reported that they were often unaware that drills affecting their areas of responsibility were being held; they found out about them by seeing a post facto report. This lack of senior management participation not only eliminates a valuable source of feedback on the conduct of drills, it also serves to undermine their importance in the eyes of agency personnel.
Little effort has been made to make use of employee volunteers. When volunteers have been used to act as victims, they are usually from outside WMATA. At other transit agencies, having their personnel voluntarily participate has proven to be a cost effective way of providing valuable training to individuals who could potentially face the real situations being simulated in the drills. The practice can also have a salutary effect on morale.
External agency training is limited and reinforcement is lacking.
Based on our review of the course outline, there appears to be an adequate initial training course for personnel at external fire and rescue response agencies. There are also policy agreements regarding emergency response responsibilities with the fire/rescue agencies in the jurisdictions which WMATA operates.
There does not appear to be, however, any formal mechanism to test preparedness, the effect of the received training, or how well all parties discharge their responsibilities. There is no evidence of any training being offered to police, hospitals, utility company workers, or any other personnel who might normally be required to respond to emergencies.
WMATA does not conduct "table-top" drills.
Procedures for drills and simulations are lacking.
WMATA's Emergency Preparedness Manual and Procedures, last updated in November 1993, contains a section entitled "Emergency Simulations and Drills," but the section consists only of a listing of all drills held since 1976. There is no procedure for conducting simulations or drills, no agreement with other agencies regarding frequency or participation level, and no description of a mechanism for critiquing them.
The review and critique process is inadequate.
Based on information received, an informal evaluation is held after each drill. This critique is limited to the participants, with rare input from an external observer. Generally, only those problems or deficiencies that were readily obvious were noted for follow-up. It was reported that in the past it had been a Safety Department responsibility to monitor protocols and drills, help identify areas requiring follow-up, and then take responsibility for monitoring follow-up action. Reduction in Safety Department personnel eliminated that responsibility.
An adequate critiquing process is usually evident from the modifications to procedures or emergency response activities that follow major drills or simulations. At WMATA, the evidence is that procedural changes result from actual incidents, rather than from the exercises designed to test them.
WMATA does not publicize the holding of emergency simulations and drills.
Drills and simulations are excellent vehicles to boost public confidence in a transit system. Properly publicized and covered by the media, they can also decrease the potential for panic and educate the public as to proper actions to take during various emergency situations. Press releases are not issued by WMATA prior to drills and, as a result, media coverage is sparse, at best. Such publicity could increase the public perception of the safety of the system.
The Quality Assurance Department has a formal program to test OCC response to simulated emergency conditions.
While the Safety Department's role in simulations and drills is small, a modest program is carried out by WMATA's Quality Assurance (QA) Department.
These simulations are primarily designed to test the safety rules and procedures, and response by OCC and rail transportation personnel, in situations involving fire and smoke on board trains. They involve short duration, unannounced simulations on board revenue trains. After each simulation, the QA Department produces a formal, written report critiquing the situational response, presenting findings, and any recommendations for corrective action it deems warranted.
Up to this point, the program could serve as a model for expanding drills and simulations under the Safety Department. However, the QA Department's responsibility ends there. Implementation of any of their recommendations is the responsibility of the department affected by the recommendation. OA plays no role in monitoring that implementation, and may not even be advised whether or not the recommendations were accepted.
WMATA does not have a "Lessons Learned" program.
It is almost universally agreed that formal "Lessons Learned" programs are invaluable in avoiding the repeat of design deficiencies, improper maintenance practices, and poor operational procedures. This is true with respect to operational problems as well as for problems arising in capital construction. While such programs are not generally considered a part of training, they can be of exceptional value in educating management.
Lessons Learned programs address the agency's response to problems that have occurred and been dealt with in the recent past. The salient issues are identified and managers and other personnel are encouraged to critically review the way the agency responded. The discipline of a formal program helps assure that problems are thoroughly analyzed. Input is often sought from all departments affected by a particular issue, and sometimes other departments are able to provide insights.
This review found no formal program at WMATA, nor within any of its departments. The Design and Construction Department (DECO) contended that they had such a program, but that it was informal and undocumented; thus its findings would have been difficult to communicate to others and they could not have provided a useful historical record.
As a complex organization, the Rail Operations Department of WMATA requires orderly mechanisms to get information to and from line personnel and to issue instructions to those personnel. Implied in these functions are accuracy of the information and its validation, timeliness and coherence of both the information and the instructions, and effectiveness of the instructions.
There has been a failure to recognize the primacy of written roles.
Rail transport systems, including freight railroads, inter-city passenger carriers, and passenger transit agencies, generally operate under an authoritative "book of operating rules." Changes in these rules occur only by a detailed, formal process.
At WMATA, verbal instructions are given to operating personnel.
The NTSB Report on the Shady Grove accident includes two conclusions about management's use of verbal instructions and their contribution to the accident. The report also includes a recommendation to discontinue the practice. This recommendation is virtually identical to a recommendation the National Transportation Safety Board (NTSB) issued in its investigation of a 1982 fatal accident at WMATA; this recommendation was indicated as being "Closed – Acceptable Action 12/15/82."
Rules Committee does not function effectively.
A notice to OCC controllers that had far-reaching consequences went unchallenged by the Committee. The Committee has also failed to produce its scheduled revision of the June 1994 Rules and Procedures Handbook.
WMATA personnel felt intimidated by senior managers.
Staff interviewed by this review believed their actions were subject to discipline if they did not agree with what senior managers wanted. This stifled thinking and initiative throughout the organization.
The raising of safety issues was perceived as an invitation for management retribution.
Interviewees claimed that management was not interested in their raising of safety concerns. To the contrary, the perception was that such action would subject them to punishment.
Training Department personnel were disciplined if train operators made errors.
Management personnel were threatened with reassignment or loss of access to resources normally associated with their positions.
A number of instances were described where managers, upon disagreeing with senior management about factual conditions at WMATA, were moved to distant offices, denied use of their agency vehicles, or reassigned.
There was confusion at all levels of the agency with respect to the chain of command and the authority and responsibilities of managers.
In its 1985 review of WMATA's quality assurance efforts, Booz-Allen identified serious management deficiencies that were still present at WMATA at the time of the Shady Grove accident:
Key personnel are not sure what their superiors expect of them, what they are accountable for, or what their authority is. This results in a reduction of management credibility and efficiency at all levels. Problems are routinely elevated to higher authority for resolution.
In 1997, the newly installed General Manager and his new Deputy General Manager identified lack of management initiative as one of the major problems they faced.
Management often failed to establish a proper basis for its actions.
In Section III (Intelligence: Knowledge Base, Sources of Information, and Training), limitations were described in management's efforts to collect and analyze operating information. The situation was aggravated by the willingness of management to make important operating decisions without reasonable steps to establish a basis for the action or anticipate its ramifications.
In some of the cases where analysis was incomplete, this led to questionable decisions or a failure to act in a timely and decisive manner.
Manual operations were prohibited in order to reduce the frequency of "flat wheels."
In response to a very limited investigation by Vehicle Engineering of a rash of flat wheels during adverse weather conditions in late 1995, a directive was issued requiring that trains operate in ATO, prohibiting train operators from running in the manual mode of operation unless they first sought and were given permission by the OCC; and the OCC was directed not to give permission for manual operation, except in cases of emergency. Prior to this prohibition, it had been the policy of WMATA to routinely operate manually on the first run of every day (to keep operator skills active) and during poor rail conditions (because of the problems experienced in making station stops under ATO operations).
There was no definitive conclusion from the Vehicle Engineering investigation, or any other, that manual operation was the cause of flat wheels. (In fact, a memorandum received by WMATA in late 1995 from WABCO, a brake system supplier, points out that wheel flats could just as easily be caused under ATO by abnormalities in the "slip-slide" system.) Nor was there any consideration of the impact on operations and safe stopping distances due to allowing trains to only operate in ATO.
The action was taken without a valid basis for taking it; without any analysis of the possible hazardous consequences of it.
Station overruns have been regarded as a "passenger inconvenience," requiring no remedial action.
Investigations into the station overrun problem were ongoing for years. They all focused, however, on the automatic train supervision (ATS) system's wayside-to-train communications and failures in the hardware and software within the programmed station stopping systems. Extremely large overruns during poor rail conditions were observed, but not investigated, including several where multiple cars or even an entire train slid past the station. Personnel were aware that long overruns generally occurred during inclement weather, but were either unwilling or unable to make the connection between these long stops and the erosion of safe braking distance needed for train protection. Therefore, no investigation was undertaken taken to determine the safety of operations during poor rail conditions, despite overwhelming evidence of the need for one.
According' to interviews, supervisory staff were reduced to the extent that some train operators and station managers were no longer checked for fitness for duty.
In an effort to reduce operating costs, all yard Tower Supervisors were removed and replaced by nonsupervisory personnel. As a result, train operators in yards are no longer seen by supervisors before beginning their work, eliminating a supervisory check of fitness for duty. Staff cuts were made with no analysis of this problem, and no effort to provide an alternative mechanism for this important safety check. Similarly, the reporting protocol for Station Managers has been changed so that they now report directly to their stations; this eliminates their fitness-for-duty check.
WMATA encouraged the solution of problems without regard to the quality, effectiveness, or ramifications of the solution.
The failure to prepare a basis for important operating and safety decisions is related to the agency's apparent eagerness that problems get solved. Any proposed solution seems to have been encouraged, regardless of its impact on other parts of the system or even the long-term effectiveness of the solution itself.
Such approaches have dangerous implications, among them: a false solution masking a condition of hazardous potential; and an effective solution in one area engendering a greater problem or hazard in another.
There has been no impetus to get to the bottom of problems. The problem of station overruns existed at WMATA from the beginning. It was continually being looked at, but not with the intensity it deserved. Most staff interviewed would only concede that they were an "inconvenience" to passengers, and some argued that station stopping performance was actually good because there was "only about one overrun for every 30,000 stops." This attitude fostered acceptance of station overruns and likely accounted for the relatively low priority they were given.
The quick actions taken by senior management with respect to flat wheels is similarly indicative of its preference for quick fixes over efforts to find root causes.
WMATA has regularly shown a lack of respect for staff and underutilizes their know/edge and experience.
With its lack of rail operating experience, management failed to understand the qualifications and motivations of the operating staff. Staff morale is regularly undermined through exclusion from decision making and inappropriate command decisions.
Train operators were not permitted to make the minor adjustments they have been trained to do.
WMATA trains its operators to take a variety of actions en route to bypass minor problems and keep trains in service. For a variety of reasons, some of them sound, management has prohibited such corrective procedures, preferring to "off-load" passengers and take the train out of service for repair at the shop. Train operators see this partly as an infringement on their responsibility for the train, and as a waste of the time they spent learning the skills to bypass problems.
Train operators were excluded from providing input on the "flat wheel" problem.
The flat wheel situation also illustrates prior management's attitude toward staff. Experienced train operators had routinely advised supervisory personnel of stopping problems during wet weather. They properly discharged their responsibilities by assuming manual control of their trains when they found braking under ATO to be poor. When the increase in flat wheels occurred in late 1995, management concluded that train operators were flattening wheels with hard braking to make their station stops in wet weather because they were "written up for station overshoots," but not for flattening wheels. Seeking input from the operators as to why hard braking was necessary, rather than simply assuming operators were in poor control of their trains, would have been sounder management practice.
WMATA has not fostered safety awareness.
There is a natural but unacceptable tendency in operating organizations to regard safety as a bothersome issue, separate from the primary mission of the agency. This can be true despite a clear, strong reference to safety in the agency's mission statement, and other written testimony to its importance. It is essential for management to actively foster safety consciousness throughout the organization.
WMATA has generally ignored its role in creating a safety-minded organization.
The Safety Department has been excluded from the decision-making process.
In most transit organizations, the department responsible for system safety is consulted anytime there is the slightest suspicion that a configuration change or change in operating procedures could affect safety of operations. At WMATA, the Safety Department was rarely consulted, even when it should have been readily apparent that modifications of operating policy changes could impact safety. In addition to the situations described above, modifications were made to vehicle braking and control systems with no safety advice sought, and without even notifying the Department after the fact. This sends a message as to the extent to which safety is regarded as a priority; accordingly, it has an unfavorable impact on the staff's safety consciousness.
There is little or no employee safety awareness program.
WMATA facilities, including the headquarters, are noticeably bare of safety awareness posters or other messages; the safety awards program for employees has been dismantled; and safety-related articles in employee publications are infrequent.
Senior management does not participate in disaster drills and simulations.
Disaster drills and simulations are excellent safety training tools, as discussed above. They permit employees to assemble in an informal environment to practice their safety skills, learn what to expect in an emergency, and become familiar with the personnel inside and outside their agency who might respond.
WMATA holds numerous drills of a very limited nature, and they appear to be directed solely toward fire departments. The need for an expanded program is discussed in the section on training (above). The new senior management could send an important message by supporting and participating in an expanded program.
Management did not promote the System Safety Program Plan as integral to WMATA's activities.
WMATA's System Safety Program Plan, although now under revision, was rarely examined in the past or used by managers. Indeed, some interviewees were unaware of its existence. The document is intended to be a source of working information for all agency departments.
Interviews with current senior management indicate that once the revised plan is ready for release, it will be properly promoted throughout the agency.
WMATA management has failed to take "ownership " of recommendations that should have been integrated into WMATA 's operating culture.
After the fatal 1982 accident, WMATA accepted and apparently adopted most of the recommendations made by the NTSB in their report on the accident. Over the years, however, ineffective implementation, backsliding, or a lack of monitoring has led to a return to some of the conditions that existed prior to the accident. For example, NTSB R82-063 recommended that WMATA "eliminate the practice of issuing verbal instructions to the Metrorail operations control center personnel which modify or amend operating rules and standard operating procedures." WMATA accepted this recommendation and the NTSB indicated it as "Closed - Acceptable Action" on 12/15/82. Personnel interviewed for this study reported that prior to the Shady Grove accident it had once again become common practice for verbal orders to be given. Fourteen years after WMATA supposedly put procedures in place to implement the recommendation, the NTSB had to repeat it, virtually verbatim, after Shady Grove. Another recommendation, R-82-077, was for WMATA "in conjunction with the District of
Columbia fire department, [to] expand the scope and frequency of the disaster crash simulations and include hospitals and fire/rescue units from surrounding jurisdictions." WMATA accepted this recommendation and the NTSB closed it out.
The NTSB closes out a recommendation on the basis of reports it receives from the agency involved. It does not, as a general practice, audit the agency's efforts. Hence, NTSB's closing the recommendation indicates that WMATA said it had appropriate procedures in place. Personnel interviewed stated that disaster simulations were infrequently held and generally did not include outside agencies. After the Shady Grove accident, the NTSB had to repeat the recommendation. (Recommendation R-96-44, "increase the frequency of command and control exercises conducted jointly between the Washington Metropolitan Area Transit Authority and the emergency rescue services of all jurisdictions served by the Metrorail system.")
These and other examples demonstrate a failure of management to fully adopt sound recommendations that address serious problems in a full and continuing way.
There has been inadequate interdepartmental communication at WMATA.
WMATA is a large and complex agency. To accomplish its mission effectively, its departments must agree on goals, develop plans to achieve them, and closely coordinate their progress. In addition, they must be in regular close contact to adjust to the innumerable unanticipated developments that occur. This, in turn, requires strong formal and informal lines of communication.
Such communications at WMATA have been poor, and despite the fact that the problems arising from this lack of departmental interaction are widely recognized, up to the time the new General Manager arrived, no effort had been taken to improve communications.
Communication between the Safety Department and other departments has been virtually nonexistent.
As is discussed in other sections of this report, and as asserted in interviews, the Safety Department is only utilized by other departments when it can accelerate projects they seek to move along. The Department does not generally perform reviews of other departments' plans or activities.
Communications between the departments responsible for vehicles and signals are inadequate.
The integrity of the automatic train protection (ATP) system at WMATA requires continual communication and close coordination between the vehicle and signal departments.
The discrepancy between the vehicle braking rate required by the signal system to ensure train protection and the rate being supplied by some vehicle classes was apparently known by some personnel within each department for years. In spite of this, no joint effort was ever undertaken to investigate the problem and review the integrity of the ATP system.
The operating and maintenance departments are not generally involved in the Design and Construction Department's (DECO's) planning and design.
The safety and future viability of systems installed on new capital construction under the auspices of DECO require input from, and review by, the operating and maintenance departments.
DECO management admitted that the levels of review of designs and communication with the operating and maintenance departments were poor. They blamed those departments, contending that capital projects would not be given any priority by rail department managers until they were ready to be placed in service. Rail managers, on the other hand, admitted they did not get involved in capital projects to the degree they should, but that it was because of a lack of adequate personnel resources. They maintained, however, that when they did comment, they were often ignored.
These departments appear to recognize and accept the need to communicate with each other. If adequate channels do not exist and if they fail to develop spontaneously, the new senior management team should take steps to put such channels in place.
WMATA, as organized at the commencement of this study, used one of several structures that have been successful in similar multi-modal agencies. The Safety Department, however, did not a report directly to the General Manager. The balance of the organizational structure, on the other hand, if properly staffed, is otherwise suitable to the agency's mission. The organizational structure is currently under review by an outside consultant, Booz-Allen & Hamilton.
However, not all positions are filled, and the credentials of some management staff did not match their job descriptions. Other problems were identified by this review, as outlined below:
The Safety Department has been situated too low in the organization to be effective.
During the agency's operating history, the Safety Department has moved from level to level and in and out of a variety of departments. Much of this history is presented in Section I of this document. It has become standard for Safety Departments to report to the General Manager, in order to provide the Department with a clear line of access and authority for systemwide safety issues. This placement of the Department also sends a clear message to the organization as to the importance of safety.
At the time of this writing, the Department has been made a direct report of the General Manager.
There are instances where staff qualifications and the corresponding position descriptions are not well matched.
Based on WMATA's own position descriptions and practices within the rail transit community, some incumbents in key positions do not have the qualifications or background experience required for the positions they hold. Except in rare instances, even if the incumbents are diligent, responsible individuals, a lack of required background or technical expertise limits fully effective performance. Often, a good manager supported by lieutenants with strong subject-matter expertise, can be an effective, even superior executive. But if there are no such subordinates, or if they leave, performance can be significantly impaired.
The problem can be compounded because poor management decisions may go unrecognized if others in the chain of command are underqualified. For example, managers lacking expertise may be forced to rely on subordinates who also lack expertise. Any resultant poor decisions leading to ineffective or inefficient operation may go unrecognized by senior management with costly consequences.
While it is not unusual in most large organizations to find a few individuals whose qualifications do not match their position descriptions, it appears that at WMATA the practice is more frequent. And since the agency has only a limited background in traditional rail operations, there is only a limited knowledge base to fall back on.
Operators were trained in areas that they were not permitted to utilize and have experience that is not used to benefit the organization.
Considerable effort has been expended training operating personnel in areas they are prohibited from practicing. This wastes training and student time and, as discussed above, undermines operator morale.
Train operators have been discouraged from taking control of their trains when they believe it necessary.
The lack of respect for the experience of train operations was discussed earlier in the report. Operators largely understood that they were responsible for the safe operation of their trains, even under ATO. They were trained to take control when they felt train performance was not in keeping with field conditions. Operators we spoke to wanted this responsibility. Some admitted to violating directives prohibiting manual operation when their experience told them that their train was not stopping adequately under ATO. They believed that their training and experience, and their position in the cab, enabled them to make operational decisions regarding their train much better than the OCC personnel. This is confirmed by the syllabus of their training and the authority granted them in the Book of Rules.
Train operators were not allowed to put their troubleshooting training into practice.
Operators were trained to isolate minor problems, such as stuck doors, to enable trains experiencing them to continue in service. During their training, they were even provided checklists to be used as guides in troubleshooting. The expressed purpose of the checklists was to "enable the train to be moved, or the problem resolved." Several operators interviewed expressed frustration at not being able to use their training; that at the first sign of trouble they are ordered to discharge passengers and take their train out of service. The concern is that unused skills will be lost.
Important functions at WMATA are thinly staffed or have been eliminated due to "lack of staff. "
Every organization must make difficult decisions when budget restrictions force staff cuts. There are, however, important safety-related functions that must be maintained regardless of budget limitations. This was apparently not recognized by WMATA operating management in some cases.
Supervisory staff cuts over the last few years have resulted in train operators assigned to yard service reporting directly to their trains without any contact with supervisory personnel. This effectively eliminates the vital "fitness for duty" check that was performed by Tower Supervisors in the past. In addition to the obvious safety issues involved when an unfit operator has control of a train, there are also liability issues, consequently, most transit systems require in-person fitness checks.
Similarly, no assessment was made of the impact of the elimination of safety functions due to mandated reductions in the Safety Department. Reductions in staff affected the ability to: perform safety-related data collection and trend analyses; establish interagency protocols and followup to drills; conduct field inspections; and create and monitor a proactive safety program.
As indicated elsewhere in this report, safety was not given the priority it needed. This was due, at least in part, to senior management not fully recognizing its importance. When difficult budget choices had to be made, cutting safety-related positions was easier than it should have been. Furthermore, senior management failed to understand that in the long run cutting safety programs increases costs.
The Safety Department’s size, prestige, and authority had declined steadily.
As indicated above, personnel cuts had been made in the Safety Department over the years. Additionally, its placement in the overall organization went from reporting to the General Manager to reporting to a number of different managers, leaving the department at least once removed from the General Manager. As the department moved lower in the organization, so did its authority. Safety was excluded from the decision-making process. The department was not asked to sign off on, or even for advice regarding, equipment modifications and operational decisions that had clear safety implications.
As with most organizations, a lack of a unit's inclusion in areas thought to be theirs sends a message to other units that the bypassed unit is ineffectual or "out of favor." This lost prestige leads to a downward spiral of increasing isolation and declining respect, both for the department and for its function.
By the time of the Shady Grove accident, the Safety Department was remote from the decision-making process and was not regarded as a key organizational element. Although lip service to safety was provided by other departmental managers and most managers interviewed acknowledged receiving a copy of a recent revision of the System Safety Program Plan, none had really reviewed it or shared it with their staff. There was never the sense that they knew their responsibilities with regard to the SSPP. The decline of safety seemed to have reached the point that the SSPP was regarded as a document whose only purpose was to satisfy a "requirement," but which had no relevance to WMATA's operation.
"Start-up Teams" are improperly formulated.
The lack of operating input into project design is compounded by the absence of any meaningful representation of operating personnel on Start-up Teams that work to commission new lines and systems. These teams have the responsibility of certifying facility and systems contracts as complete and adequately tested, and certifying that they are fully integrated and safe.
At other rail transit agencies, operating, maintenance, and system safety personnel are well represented on commissioning teams: they recognize problems that would likely go undetected if not for their presence. The absence of these personnel on WMATA teams not only contributes to organizational disharmony, but may result in acceptance of systems that are hard to maintain and operationally less friendly than they should be. It would further benefit WMATA to have such personnel participate at every stage of capital projects: from conception through planning, design, and construction.
Several critical issues have been identified by this review and are used throughout the report to support individual points. In this section, the technical basis of these issues is presented.
WMATA personnel interviewed acknowledged that station overruns under automatic train operation (ATO) were a problem, which they characterized as a "passenger inconvenience." Universally, they confidently expressed their assurance that overruns were not a safety issue. They explained that station overruns were a wayside-to-train communication problem in the non-vital automatic train supervision (ATS) function that in no way indicated a problem with the integrity of the vital automatic train protection (ATP) function.
Overruns averaged more than 400 per year, and ranged from going past a platform end by a few feet to passing it by several car lengths. Engineering and vehicle management personnel described the problem as lost signals from specific wayside transducers, or poor pick-up of signals by individual trains. It is possible that this conclusion is correct. It was not reached, however, in a manner consistent with the basic principles of incident investigation or hazard analysis. Furthermore, even if such investigation confirmed that station overruns did not compromise safety, per se, it could have pointed to system problems that did compromise safety.
Tests were performed of wayside transmitting equipment and on-board receiving equipment, confirming that the failure to receive proper stopping signal was the likely primary cause of the overruns. Such tests were not performed for all overruns. Nor were any tests performed on car braking systems, in those cases where receivers were tested, to determine if braking performance could have contributed to the extent of an overrun. Finally, no train involved in an overrun was ever field tested to determine if the braking rates called for were actually achieved.
There is no evidence that a systematic analysis of overruns was undertaken to determine if they were randomly occurring (tied only to the random pattern of station stopping functionality failures) or had some relation to rail conditions, individual car equipment, maintenance activities, or other factor.
It is not unusual for a secondary failure cause to be overlooked when there is an obvious primary cause. It is unusual, however, to fail to investigate the possibility of other causes when the failure is repeated hundreds of times, and the extent is as great as it was with the station overruns.
There was inadequate organizational leadership to direct a hazard analysis effort and a lack of procedures dealing with incident investigation or hazard analysis. The WMATA response to station overruns was to undertake a limited scope engineering effort to find a "fix" for the perceived problem. The very nature of these efforts heightened the focus on the prime failure mode and lessened the likelihood that any secondary modes would be discovered until after the fix for the primary was installed.
This study's limited review suggests that there is a relationship between frequency of station overruns and weather. Investigating this relationship could have led to conclusions regarding the ability of trains to achieve required braking rates under ATO during conditions of poor adhesion, regardless of whether commands for specific braking rates came from the non-vital ATS function or the vital ATP function.
Interviews revealed that many WMATA managers were aware of the braking problems during wet weather. However, because of the lack of any formal, systematic analysis of failure incidents, the consequences of these problems were not imagined.
A striking example of the non-system approach to problem solving is the "solution" to the problem of an increase in flat wheels during late 1995. The investigation into the problem was limited, the conclusions reached were qualitative, and the action taken was a causal factor in the Shady Grove accident.
In November 1995, Vehicle Engineering reported on an investigation they undertook of the "large number" of flat wheels experienced during a period of heavy storms in the fall of the year. They concluded that since trains were being operated manually when the flat wheels occurred, the flats were "operator-generated." The report points out several items that were believed pertinent to the situation. One was that speed corrections are less abrupt during ATO than during manual operation. Another was that ATO during wet weather can result in stopping inaccuracies. And, finally, that operators are "written up" for station overshoot but not for flattening wheels. The report concludes that given a choice, operators would rather flatten wheels than overshoot stations.
The report recommended that the standard practice of manual operation during winter storms be curtailed and ATO be made standard. The recommendation also stated that if improvement was not noted, then a program should be launched "to get the control system to perform as it should."
Two days after that report was submitted, a Notice was issued to all OCC Personnel advising that "AT NO TIME WILL TRAINS BE PERMITTED TO OPERATE IN MANUAL MODE (MODE II, LEVEL I), except in an emergency situation." The Notice also rescinded the long standing requirement that operators make their first trip of the day in manual mode. Three days later, a memorandum was issued to all train operators, operations supervisors, and Central Control supervisors mandating that permission had to be obtained from the Operations Control Center before a train could be taken out of ATO and operated manually.
It appears that Vehicle Engineering looked into the flat wheel problem with a limited interest. From their viewpoint, it may have seemed logical that increasing stopping distance to avoid flat wheels was acceptable, especially as station overruns were not regarded as a safety issue at WMATA. They acknowledged that the standard practice was to operate manually during wet weather, but did not ask why it was the standard practice. (Likely, it was because ATO braking performance was reduced during periods of low adhesion, and the hands-on control of an operator was needed to make acceptable station stops--and by extension, acceptable safety stops.)
In making their recommendation, Vehicle Engineering did not consider what possible adverse consequences could arise from removing control from the operator during conditions of poor braking performance. It is noteworthy that they recognized that the vehicle control systems were not operating as they should have been, but did not recommend correcting that faulty operation unless the "operational fix" failed.
An argument could be made that it was not the responsibility of Vehicle Engineering to look at potential ramifications of their recommendation. But the responsibility certainly does belong at the level of management that issued the Notice to prohibit manual operation.
This narrowly focused approach to problem solving seems to have prevented technical staff and management from recognizing that the poor stopping performance for station stops could just as easily be unsafe stopping distance performance in response to an ATP command.
This is clear from a statement made after the Shady Grove accident by Vehicle Engineering. In writing about the results of wet rail ATO station stopping tests, they reported an overrun of more than 700 feet. While they wrote that they had notified a superior of the long station stop, they went on: "At this time no correlation was made with station stopping distances and the ATC block design because the focus was on flat wheels."
The lack of a systems approach, coupled with the limited role of the System Safety Department, left important questions unasked before making a significant change in operating policy.
As with any automatic train protection (ATP) system, the WMATA design was intended to be "fail-safe." This means that any system failure must lead to a command or signal aspect at least as restrictive as the command or aspect that would have been given had there been no failure. For a truly fail-safe system, this must apply to operational failures under automatic train operation (ATO), as well as equipment and software failures. Safe train separation is provided by the ATP design assuming a consistent braking profile from all operating speeds and adding a "safety factor" to cover performance variations due to equipment tolerances, maintenance factors, adhesion variances, and the like. The result is a minimum safe stopping distance from any speed on any grade. The ATP system design must be coordinated with the car specifications to assure that delivered equipment provides the braking rates necessary to meet the minimum safe stopping distance requirements.
From all appearances, the specifications mandated braking rates that would meet the ATP system requirements. It is not clear, however, that all cars were delivered meeting those specifications. Further, staff interviewed indicated that there was no field testing program to assure that the required braking rates were being maintained over the years. The only field testing of braking rates provided for this review was done on new car acceptance. No testing was reported after maintenance activities, to evaluate
performance after any car modifications, or to determine if component wear was impacting braking performance. in spite of long stops occurring in service on a relatively frequent basis, there was no effort to evaluate whether the assumptions on maintained adhesion, or the performance of car brake systems, was in line with that required to maintain ATP safe stopping distances.
Even when long stops occurred during tests for other than determining braking performance, as described in the discussion on flat wheels, no association was made on the impact on safe stopping distances. As discussed elsewhere in this report, the agency view was that performance under automatic train supervision (ATS) commands had no relation to performance under ATP commands.
Overall system safety did not appear to be an agency concern. Those technical personnel who may have been aware that safe braking distances were being compromised, either did not make management aware of the seriousness of the situation, or if they did. management did not take appropriate action.
While ATP is designed to be fail-safe, no design can account for every unusual operating condition. Designing for the worst possible adhesion conditions would require train separations that precluded maintenance of reasonable headways or operating speeds. Usually, operating rules are written to increase train separation or limit speeds during conditions of poor adhesion, so that train protection stops would occur from much lower speeds than calculated in system design. This effectively provides greater braking distance allowance for a following train. For example, if the permissible speed based on block occupancy were 75 miles per hour, the minimum distance to the rear of a leading train would be the braking distance from 75 mph, under the assumed adhesion factor, plus a safety factor. During conditions of poor adhesion, a train limited to a speed of 50 miles per hour, entering a block where 75 mph was permissible, could considerably exceed the assumed braking distance from 50 mph and still stop well short of the preceding train.
The problem of lost commands after a station overrun was known to WMATA technical and OCC personnel. As the system was designed, if a restrictive command was lost in ATO, the system defaulted to the highest command permissible based on track occupancy. This effectively violated the fail-safe principle and made ATO operation under conditions of poor adhesion unsafe. This was unappreciated, unrecognized, or ignored by WMATA management.
As with all other rail transit agencies, WMATA's system design and operating book of rules recognized the possibility of the ATP system failing and placed ultimate control of train stopping in the hands of the train operator. An operator can assume manual control of a train and control braking, and the book of rules requires that he or she do so if train braking performance under ATO is deemed unsatisfactory. Even remaining in ATO, an operator can apply emergency brakes by depressing an emergency stop button, called the "mushroom" at WMATA.
Management contravened the Book of Rules by directing that operators were to obtain permission from the Operations Control Center before assuming manual control. OCC personnel were directed not to allow manual operation, except in an emergency. There was no definition of an emergency, nor could it be expected that OCC personnel would be able to make the same judgments as to track conditions on individual train braking performance as the individual train operators.
Further. the OCC personnel were aware that the intent of the directive was to prevent manual operation during wet weather. As a result, when manual operation was needed to provide safe stopping distances -- a situation that should be considered an emergency -OCC personnel were "programmed" not to consider that an emergency under which manual operation was to be permitted.
All this is in spite of findings in a 1988 Battelle report on the Breda Car Microprocessor and Software Systems specifically pointing to the need for ultimate manual control. This report identified certain conditions that "could produce a lower than intended level of braking under the abnormal mode of operation." They went on to state that the conditions "are not inherently unsafe since the train operator has ultimate responsibility for safe operation of the train." It is clear that when an ATP system is designed to place ultimate control in the hands of the train operator, directing otherwise makes the system inherently unsafe. This was recognized by some experienced train operators, if not by management. During our interviews, some train operators made off-the-record statements that they disobeyed the directive not to go to manual operation without permission, when they felt braking performance under ATO was inadequate.
Needless to say, a rail transit system where operating personnel feel compelled to disobey formal directives promulgated by management because they feel such directives compromise basic safety, is a system that is very much in complete disarray.
Every transit agency collects data and monitors performance data. They aggregate this data in tabular or graphical formats for tracking and comparison purposes. Those they deem most representative of the system's operation usually become performance indicators, which are important measures of safety, operational quality, and equipment reliability. What is sometimes not recognized, is that quantitative indicators not directly intended to measure system safety are, in fact, qualitative indicators of system safety.
System safety is at its best when operations are normal and equipment performs reliably. When non-normal operations are required, or when equipment fails, the likelihood of hazard activation increases. Whether or not it increases to levels that are unacceptable depends on the quality of an agency's overall system design and its operating procedures to deal with such conditions.
For performance indicators to be useful to an agency, they must reflect the operating and reliability parameters that truly measure performance, and they must be monitored and analyzed by management.
WMATA has had comprehensive data collection systems since its inception, and has recently installed a new automated system known as MARS (Maintenance and Reliability System). Some personnel interviewed expressed the belief that significant data was lost during the transition to MARS and preferred the previous system; others believed MARS is a superior system. The MARS data is available on-line to all WMATA managers, and certain data are used to generate performance indicators for weekly or monthly reports to senior management and the Board of Directors.
Based on our interviews, however, there is no evidence that there is a systematic review or analysis of performance indicators to identify trends, or evaluate if they are indications of larger problems. It was reported that the Safety Department at one time had responsibility for operational statistics and trend analysis; this is no longer the case.
One of the occurrences that was tracked is station overruns. There is no evidence, however, of an analysis of the pattern of overruns. There are reports alluding to seasonal increases and tying some overruns to wet rail conditions, but the cause of overruns was felt to be the failure of ATS systems to give proper commands during ATO-controlled station stops.
Data captured did not show the extent of overrun. This information, which would be gathered during a comprehensive analysis, could have lead to formal questions on the ability of trains to maintain acceptable braking performance during poor adhesion conditions.
No indicator tracked lost performance level commands. WMATA uses performance level commands to control maximum train speed. As the system is designed, the performance level command is lost when doors open for a station stop. It is reestablished when the doors close and the train is within the station limits. If the front of a train is outside the station limits when the doors are cycled, however, any restrictive performance level command is lost and the train defaults to the highest level. A performance indicator showing how often this occurred could have warned management of this hazard.
While not directly related to safety, WMATA's lack of use of on-time performance as a key indicator reflects the general lack of a rail transit perspective in its approach to man-agement. Almost all rail transit agencies use on-time performance as their most general indicator of the quality of the performance they provide their riders. WMATA uses head-way as its prime indicator. Lack of headway maintenance would show up in degraded on-time performance, since stretched headways would become late terminal arrivals. Measuring headways, however, does not reflect late arrivals due to slower running times. In bus operation, where uncontrollable traffic conditions could result in a great variety of run times, headway is a more important measure since it can indicate bunching.
Off-loads are measured and reported to senior management. There is, however, no analysis of trends or indication of what an acceptable level would be. No system operates without failure, but it is usual to establish performance targets. These are generally based on a variety of factors, including budget, equipment condition, and management priority. For each performance indicator followed, comparison with the target will immediately show if an agency is meeting its goals.
Analyses of the reasons for off-loads would help direct maintenance efforts and could also lead to improved specifications for new cars.
Safety begins with a well-written, comprehensive System Safety Program Plan. No matter how well the plan is written, however, for safety to be practiced effectively, a transit agency's organization must place system safety on a par with the departments
responsible for building and operating the system. Secondly, the personnel managing these departments must be knowledgeable about the system safety program and believe in its value. Finally, senior management must recognize the importance of system safety and embrace it as a consideration in all decision making, and send a clear message that safety is of primary importance.
From the information gathered through our interviews and document review, WMATA was lacking in almost all these areas. A System Safety Program Plan (SSPP) exists, but it has not been given the attention or the emphasis required. Several key managers in-terviewed acknowledged receiving a recent revision of the SSPP, but admitted they had not read it, were not sure if their staff was aware of it, and generally do not discuss it with their staff or peers. The Safety Department is at a relatively low level in the organiza-tional structure and has been kept out of safety-critical investigations and decisions. Key individuals involved in WMATA's day-to-day operations apparently did not understand the need for safety input before making system modifications or changing operating procedures, as none was sought. It is likely that such a denigration of safety was insinuated into the organization and shaped the attitude of other managers.
Even after the Shady Grove accident in January 1996, incorrect information was the rule at WMATA. A January 22, 1996 memorandum to the General Manager, for instance, misstated the specification for rail car braking rates, claiming they were 1.76 miles per hour per second, while in fact they are 1.65. The same memorandum failed to note that because of reduced car-to-rail adhesion on the night of the accident brought on by weather conditions, even the specified braking rate was insufficient to bring the train to a halt from maximum speed in a proper distance to avoid a collision with the train parked beyond the Shady Grove station.
The memorandum, however, while properly critical of a WMATA design flaw that had gone uncorrected for many years, was strangely silent on any contributing effect to the accident that may have been played by the sudden decision two months earlier to prohibit the operation of trains in manual mode during times in inclement weather.
Perhaps this omission can be traced to the fact that the department analyzing the accident, instead of being the Safety Department, was the same department that had unilaterally ordered the elimination of manual-mode operation two months earlier.
(Unless otherwise noted, all are WMATA documents)