Passenger rail station safety improvement and analysis of end-of-track collisions based on systems-theoretic accident modeling and processes (STAMP)

Purpose – At the US passenger stations, train operations approaching terminating tracks rely on the engineer ’ s compliant behavior to safely stop before the end of the tracks. Noncompliance actions from the disengaged or inattentive engineers would result in hazards to train passengers, train crewmembers and bystanders at passenger stations. Over the past decade, a series of end-of-track collisions occurred at passenger stations with substantial property damage and casualties. This study ’ s developed systemic model and discussions present policymakers, railway practitioners and academic researchers with a ﬂ exible approach for qualitativelyassessing railroadsafety. Design/methodology/approach – To achieve a system-based, micro-level analysis of end-of-track accidents and eventually promote the safety level of passenger stations, the systems-theoretic accident modeling and processes (STAMP), as a practical systematic accident model widely used in the complex systems, is developed in view of environmental factors, human errors, organizational factors and mechanical failures inthis complex socio-technical system. Findings – The developed STAMP accident model and analytical results qualitatively provide an explicit understanding of the system hazards, constraints and hierarchical control structure of train operations on © Zhipeng Zhang, Xiang Liu and Hao Hu. Published in Smart and Resilient Transportation . Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence maybe seen at http://creativecommons.org/licences/by/4.0/legalcode The research was completed when the lead author was a


Introduction
A train approaching the end of terminating tracks at passenger stations is one common train operation scenario in the USA.Passenger stations normally involve multiple platforms and a crowded public area.For example, the Hoboken Terminal in New Jersey contains 17 passenger platform tracks, among which New Jersey Transit (NJT) and the Port Authority Trans-Hudson provided around 15,600 and 30,800 passenger ridership per weekday on average, in 2017 (NJ Transit, 2018;Port Authority Trans-Hudson, 2018).At the US passenger stations, there is currently no mechanism implemented that can automatically stop a train before the end of terminating tracks and prevent trains from end-of-track collisions.In other words, when trains are entering passenger stations with stub-end tracks, the engineers' behavior will determine whether they can safely stop before the end of terminating tracks in general.With this type of train operation at passenger stations, passengers, crewmembers and bystanders are sometimes exposed to hazards resulted from noncompliant train operation if an engineer is disengaged or inattentive.Human errors occurred from time to time, and a series of end-of-track collisions took place at American passenger stations in the past decade.For example, two end-of-track collisions happening at a terminal station of Hoboken Terminal, New Jersey on September 29, 2016 and Atlantic Terminal, Brooklyn, New York on January 4, 2017, have gained concerns from the public and the rail industry.Both of them occurred because of an engineer's failure to stop the train before it reached the end of the track, each of which resulted in over 100 casualties.The National Transportation Safety Board (NTSB) (2018a) claimed that the safety issues identified from these two accidents also existed throughout the USA at many intercity passenger and commuter passenger train terminals.Despite this ubiquitous risk and an increasing concern on this specific train operation, to our knowledge, prior research studying on end-of-track collisions at passenger stations is quite limited.The development of this paper is motivated by this knowledge gap, in which end-of-track collisions at American passenger stations are studied through a system-based and micro-level risk analysis.The NJT train accident at Hoboken Terminal in 2016 leading to severe consequences to masses is selected as a case study on train operation at passenger stations.
To achieve an explicit understanding of end-of-track collisions and eventually improve the safety of passenger stations, a systematic accident model called Systems-Theoretic Accident Modeling and Processes (STAMP) is used with reference information based on accident investigation results released by NTSB (2018aNTSB ( , 2018bNTSB ( , 2018c) ) and FRA (2018).The safety of STAMP envisions, as a control problem embedded in an adaptive socio-technical system and accidents, is caused by an inadequate control or the violation of safety-related constraints resulted from component failures, external disturbances or dysfunctional Passenger rail station safety improvement interactions among system components (e.g.human factors, physical system and environment) (Leveson, 2003(Leveson, , 2004).This accident model has been widely employed in diverse domains, including rails (Ouyang et al., 2010;Song et al., 2012;Underwood and Waterson, 2014), aircrafts and spacecrafts (Ishimatsu et al., 2014;Allison et al., 2017) as well as gas industries (Altabbakh et al., 2014), which can contribute to a safer system to prevent accidents effectively (Leveson, 2003).The STAMP-based analytical results in this paper provide an explicit safety analysis of physical components, human errors, environmental factors and their interrelationship in the complex terminal operating system, which discloses the inadequate safety constraints at each hierarchical level of end-of-track collisions and contributes to the establishment of safety recommendations as well as suggestions.In addition to the contributions to this specific strategy for train accident risk mitigation and prevention, as the first system-based study on the American railroad industry based on STAMP, it can also be a practical investigation methodology for governmental accident investigators, railway practitioners and academic researchers.Although previous researchers have conducted STAMP-based studies on railways in China (Ouyang et al., 2010;Song et al., 2012) and the UK (Underwood and Waterson, 2014), different countries would have different hierarchical levels from the role of legislatures, federal agencies to crewmembers.For example, different American railroads may have different operational characteristics, while Chinese railways are managed and controlled primarily by the Government on a consolidated basis (Beck et al., 2013).
The rest of this paper is organized as follows.First, Section 2 gives a brief overview of common accident analysis methods with a summarized comparison based on previous studies.Section 3 introduces the end-of-track collision at passenger stations, as well as the knowledge gap that motivated the development of this study.In Section 4, STAMP, as the methodology in the paper, is presented with its basic structure and the basic usage in end-oftrack collisions at passenger stations.Based on the developed general STAMP model, one selected accident is studied in Section 5, and safety promotion strategies are discussed in Section 6.Finally, this paper concludes with major analytical results and safety findings.

Relevant prior literature with respect to accident models
Appropriate accident models perform the foundation of accident investigation and prevention strategies.The common accident analysis methods can be classified into several major categories, including but not limited to the Swiss Cheese model (SCM) and SCM-based models; sequential models; and systematic models.SCM was developed by Reason (1990) and proposed that adverse events result from a series of contributing flaws (like the holes in the cheese slices) that must be aligned.The human factors analysis and classification system (HFACS), the Australian Transport Safety Bureau (ATSB) and EUROCONTROL are universal accident analysis approaches inspired by SCM.Sequential models include fault tree analysis (FTA), event tree analysis (ETA) and failure mode and effect analysis (FMEA), most of which are classic techniques for reliability engineering over the past few decades.Moreover, AcciMap, the functional resonance accident model (FRAM), the driver reliability and error analysis model (DREAM) and STAMP are prevailing systematic models.Selected accident models from these three major categories are extensively studied in prior literature (Table 1).
In comparison with SCM-based models and sequential models, systematic models have better performances in the accidents from the complex systems, such as rail system (Ouyang et al., 2010;Song et al., 2012;Underwood and Waterson, 2014) and aviation (Ishimatsu et al., 2014;Allison et al., 2017).Previous researchers (Leveson, 2012;Hollnagel, 2012) who have drawn some criticisms on the SCM-based models pointed out that SCM-based models SRT 3,2 oversimplify accident causation through a linear chain of events.In complex systems, nonlinear interactions among environmental factors, human errors, organizational factors and mechanical failures may get involved and cannot be described comprehensively using these traditional models.However, systematic models, such as AcciMap and STAMP, are developed to seek to overcome these limitations of complex relationships and provide an explicit understanding of sophisticated accident causations.Ferjencik (2011) pointed out that systematic models are able to offer a deeper judgment and insight into the hazards and risks from dynamic processes and complex systems.Sequential models also have a similar weakness comparing to systematic models (Al-shanini et al., 2014).Although there is a large number of conjunctive conditions and contributors in some adverse events, sequential models typically describe accidents as certain combinations of failures or events.Al-shanini et al. (2014) argued that sequential models cannot represent multi-linear causes or nonlinear causes in accidents.Therefore, systematic models are applicable in the analysis of the endof-track collisions at passenger stations, as a system involving multiple system components with complicated interactions.
To our knowledge, there is no direct comparison between STAMP and all other non-STAMP systematic models, but Underwood and Waterson (2014) compared STAMP against AcciMap and concluded that STAMP provides more explicit descriptions of system structure, component relationships, and system behavior and that STAMP may be a more appropriate option for researchers with some features, such as greater thoroughness and taxonomy.With these features, in the domain of rail safety and train accident study, Ouyang et al. (2010) and Underwood and Waterson (2014) have implemented a STAMPbased analysis on the Jiaoji railway accident in China and the Grayigg train derailment in the UK, respectively.As a systemic accident analysis method that can embody the concepts of systems theory, STAMP is selected in this paper to study the end-of-track collisions at passenger stations in the USA.The rail safety operation constraints, hierarchical levels of control and process models of the STAMP model developed in this paper can also be adapted to the studies of other train accidents in the nationwide US railway system.

End-of-track collisions at passenger stations
There are at least 35 passenger stations with multiple tracks that end at a bumping post and/or platform in the USA (NTSB, 2018a).Bumping post is a safety device placed at the AcciMap (Rasmussen, 1997;Branford et al., 2009;Salmon et al., 2012;Salmon et al., 2013;Underwood and Waterson, 2014) DREAM (Hollnagel, 1998;Warner and Sandin, 2010) FRAM (Hollnagel, 2012;Patriarca et al., 2017) STAMP (Leveson et al., 2003;Leveson, 2004;Ferjencik, 2011 In the USA, trains approaching terminating tracks are required to operate at restricted speeds, which are defined as a speed that permits stopping within one-half the range of vision, but not exceeding 20 miles per hour (FRA, 2011).On one side, "stop within one-half the range of vision" could be challenging, especially under adverse environmental conditions (e.g.foggy) or complex terrain characteristics (e.g.descending grade).On the other side, in current station operations, stopping a train on a terminating track usually relies on the attentiveness and compliance of the train crews.Under the circumstances, violation of restricted speed rules at passenger stations is one common type of rule compliance problem on US railroads with potentially high consequences.Human errors occurred now and then and a series of end-of-track collisions at passenger stations happened in the past decade.For example, LIRR trains caused 15 collisions with bumping posts at passenger stations in New York between 1996 and 2010, and NJT also reported seven end-oftrack collision accidents in the last ten years (NTSB, 2018a).Most recently, two accidents, NJT train collision at Hoboken Terminal in 2016 and LIRR train collision at Atlantic Terminal in 2017, led to over 100 casualties and millions of damage cost each and both of them were end-of-track collisions at passenger stations that were operating at restricted speeds.Despite the serious risk and the increasing concerns, few literatures have conducted studies on end-of-track collisions at US passenger stations.To narrow the knowledge gap, a system-based risk analysis on end-of-track collisions is essential to increase the safety level at passenger stations.
4. Stamp-based accident analysis of end-of-track accidents at passenger stations 4.1 Structure of systems-theoretic accident modeling and processes-based accident analysis In STAMP models, safety (e.g.train operation safety at stub-end passenger stations) is viewed as a control problem.Leveson (2003) summarized that accidents took place owing to an inadequate enforcement of safety-related constraints on the development, design and operation of the system instead of a series of failure events.Three basic concepts in STAMP, namely, the hierarchical level of control, constraints and process models, are briefly introduced in the following.
In system theory, systems are viewed as hierarchical structures, in which each hierarchical level imposes constraints on the activity of the level below it.Constraints or the lack of constraints at a certain level would control or permit lower-level behavior (Checkland, 1981), which includes the engineering design, physical components, management, human factors and regulatory behavior.Components that violate safetyrelated constraints of the system or their interactions are likely to result in accidents.Taking train operation in the USA as an example, a hierarchical socio-technical control structure combines five socio-technical system levels, namely, the American Congress, governmental agencies (e.g.Federal Railroad Administration (FRA), NTSB), industrial associations (e.g.

SRT 3,2
American Public Transportation Association and Association of American Railroads), railroad companies and operating processes involving train crewmembers as well as train movements from top to bottom in general.
Apart from constraints and hierarchical levels of control, the process model is also a basic concept in STAMP.Figure 1 shows a basic process control loop where a human controller (e.g. a train engineer) takes charge of train operation.In essence, there are two common controllers in the model of a controlled system, namely, the human controller and the automated controller.Based on commonly employed train operation methods in the USA, train movements are primarily controlled and managed by human controllers, which are also supervised by a train protection controller, such as positive train control (PTC).PTC is a train control system capable of a reliable and functional prevention of train accidents attributable to human errors by slowing down or stopping trains automatically.It is indicated that the PTC system is not a completely automated controller everywhere, which, instead, functions and takes charge of train operation only if the human controller (e.g.train engineer) fails to or inadequately controls the train safely and properly, even though PTC keeps monitoring the performance of engineers and train movements.Therefore, in Figure 1, the interconnection between the train control system and the actuator (commands applied by train control system to actuator) is marked with a dashed line, representing that this channel works conditionally and is not always active.Furthermore, since the mandate of the Rail Safety Improvement Act in 2008 (Congress of the United States of America, 2008), a nationwide implementation of PTC has been underway in the USA.Railroads serving for toxic-or poisonous-by-inhalation hazardous materials and those providing a regular intercity or commuter rail passenger transportation were required to implement the PTC system by December 31, 2018, with the opportunity for an additional two years upon the approval from FRA (FRA, 2011; Congress of the United States of America, 2015a).It means that American railroads are currently in the deploying and implementing process of the PTC systems, such as the Interoperable Electronic Train Management System used by Class I freight railroads and the Advanced Civil Speed Enforcement System (ACSES) used by the National Railroad Passenger Corporation (Amtrak) on the Northeast Corridor.Furthermore, the concept of several terms (e.g.sensor, actuator, disturbance, process input and process output) in the process model are also interpreted through explanatory descriptions with common examples in Table 2. 4.2 Systems-theoretic accident modeling and processes in end-of-track collisions at passenger stations This section applies the STAMP model to study end-of-track collisions with potential high consequences at passenger stations.Figure 2 shows the general safety control structure of train operations and major safety-related requirements at passenger stations.The general system hazard related to the train operations at the stub-end passenger terminals is the failure of the train to stop at the end of the terminating track and to collide with the bumping post.This hazard should be prevented with system safety constraints, as shown in Figure 2.These general constraints must be enforced by the entire socio-technical control structure at passenger stations to achieve a positive stop before reaching bumping posts.In other words, end-of-track collision at passenger stations results from either lack of or inadequate enforcement of the constraints at a certain hierarchical level.All the hierarchical levels and controllers are interpreted with brief discussions as follows.To clarify, numerous federal agencies and rail industry associations are related to the train operation safety in the USA,   while this study only considers some of them that have a close relationship with train operations at passenger stations.
The US Congress, as the bicameral legislature of the federal government, vests all legislative powers.New laws and changes in existing laws can only be enacted with the consent of the US Congress.
FRA is an agency in the US Department of Transportation (USDOT) with the mission to facilitate the safe and reliable movement of both passenger and freight in the USA by way of establishment and enactment of safety regulations, promotion of rail infrastructure and services, data-driven analysis and development of emerging technologies and innovative solutions in support of rail safety and operational performance (USDOT, 2017).
FTA is also an agency within USDOT.NTSB is an independent US government investigative agency that is responsible for transportation accident investigations on aviation, highway, marine, pipeline and railroad modes.Although NTSB has no formal authority to regulate or be directly involved in the operation of transportation, it provides objective viewpoints through conducting independent investigations and making well-considered recommendations to improve transportation safety (NTSB, 2018d).Railroad industry associations are the industry groups that represent specific modes of rail transportation.For example, the American Public Transportation Association (APTA) is a nonprofit organization that represents all modes of public transportation (e.g.commuter rail, light rail, subways) in the USA.To achieve safe and economical public transportation services and support the growth of federal investments and resource advocacy, APTA provides manuals for transportation modes, education for the public and training programs for workforce, and lobbies to the US Congress (APTA, 2018).The Association of American Railroads (AAR) primarily represent the seven Class I freight railroads (a group of the largest railroads operating in the USA with each railroad annual operating revenue over US $447.6m in 2016) of North American, Amtrak, some non-Class I, and regional commuter railroads, and rail suppliers (AAR, 2018).Some short line and regional railroads are also represented by the American Short Line and Regional Railroad Association.The American Railway Engineering and Maintenance-of-Way Association is an industry group that develops technical manuals and recommended practices for the railway infrastructure, including the process from design, construction, to maintenance (American Railway Engineering and Maintenance-of-Way Association, 2018).Railroads in the USA play a key role in the national economy, with both freight shipment and passenger service.In terms of passenger railroads, Amtrak is the Passenger rail station safety improvement largest intercity passenger railroad that provides national passengers a rail network connecting over 500 destinations in 46 states, as well as three Canadian provinces (Amtrak, 2017).In addition, there is also a list of commuter rails existing in some metropolitan areas, such as Long Island Rail Road (LIRR) and Metro-North Railroad in New York City, NJT in New Jersey, the Massachusetts Bay Transportation Authority in Boston and Metrolink in Southern California.For freight railroads, around 600 freight railroads operating in the USA are privately owned and operated with a nearly 140,000-mile rail network (AAR, 2017).Seven freight railroads (e.g.BNSF, Canadian National, Canadian Pacific, CSX Transportation, Kansas City Southern, Norfolk Southern and Union Pacific) with at least US$447.6m in 2016 revenue are classified as Class I railroads and each operates in a variety of states over thousands of track miles.Based on the latest statistics from AAR (2018), seven Class I railroads contribute to around 69% of freight rail mileage, 90% of employees and 94% of revenue.In addition, hundreds of short line and regional railroads transport the goods across the country in various operation sizes.Traincrew members include engineers, conductors or assistant conductors in some cases.FRA (2016a) established minimum requirements for the size of train crew staffs depending on the type of operation and the safety risks.Generally, train engineers and conductors make up the train staff in either freight trains or passenger trains and have the responsibility for safe train operation, as well as providing the operation reports and problem reports to the railroads.To guarantee it, train engineers and conductors are subject to a federally regulated training, qualification, and certification process mandated by 49 Code of Federal Regulations (CFR) Part 240 and Part 242, respectively.Furthermore, effective communication channels between the hierarchical levels are essential (Figure 2).For example, in the communication channels between US Congress and FRA, Congress establishes and enacts legislation as well as grants budgets to FRA.In return, the FRA needs to submit government reports so that Congress can attain information on proposed legislation, oversee the activities of the government agency and evaluate the implementation of federal laws (GPO, 2018).In terms of the connections between FRA and railroads, the FRA has the responsibility for making regulations and certifications for the railroad industry, as well as the supervision of railroads' execution, in the USA.The rules and regulations are published in the form of Federal Register and the CFR.Some safety recommendations and standards are also published by FRA, such as a safety advisory to remind railroads of the significance of compliance with restricted speed operating rules (FRA, 2012), an updated passenger equipment safety standard for high-speed trains that can travel up to 220 miles per hour (FRA, 2016b).Conversely, railroads must work out necessary accident/incident reports, implementation plans and operations reports.Moreover, the PTC system in the operating process (Figure 1) is excluded in the control structure at passenger stations (Figure 2) because current regulations (FRA, 2011) designate train operations at passenger stations as a regulatory exemption from the PTC requirement, which would be further discussed in following sections.

Accident narratives
Most accident information and probable causes mentioned in this paper refer to NTSB accident investigation reports (NTSB, 2018a(NTSB, , 2018b(NTSB, , 2018c) ) and the FRA database (FRA, 2018).More accident details and investigation results are also available in these references.

SRT 3,2
This section only briefly summarizes crucial accident information to support the analysis of end-of-track collisions at passenger stations using STAMP model.
An NJT collision accident at Hoboken Terminal occurred on September 29, 2016, at about 8:38 A.M. (Eastern Standard Time).An NJT train failed to stop short of the stub end of track 5 and overrode a bumping post, which is a rigid structure that is level with the train's coupler at the end of the track, then the train struck a wall of the Hoboken Terminal in New Jersey, USA (Figure 3).NJT is a state-owned public transportation system that has served the state of New Jersey since 1979.It connects the major commercial center and employment hubs within New Jersey, as well as some neighboring major cities of New York and Philadelphia.NJT is the nation's largest statewide public transportation system that provides around 270 million passenger trips totally in the fiscal year 2017 (NJ Transit, 2018).
According to the locomotive event recorder data released by NTSB (2018b), the train was traveling about 8 mph at about 38 s before the collision and the throttle position went from idle to the number 4. As a result, the train speed started to increase and reached about 21 mph.Just less than 1 s before the collision occurred, emergency braking was applied by the engineer and train speed at the time of the collision was still documented as 21 mph in the locomotive event recorder.The accident train includes one cab car, three passenger cars and one locomotive at the rear with about 250 passengers and three crewmembers (engineer, conductor and assistant conductor).A total of 110 people got injured and one person on the passenger platform was killed by the falling debris (NTSB, 2018b).The total damage to the equipment, track, signal and structural damage was over US$6m (FRA, 2018).

Stamp-based analysis in New Jersey Transit accident at Hoboken Terminal
As an end-of-track collision at terminal, the Hoboken accident roughly has the identical operation safety control structure as developed in Figure 2. The general system hazard related to NJT accident is identified as a failure to stop at the end of the terminating track where it struck the bumping post.This hazard is restrained through the constraints that are applied by the entire socio-technical control structure to enforce safe train operations at passenger stations.Instead of distributing blame or responsibility to any controller, following further discussions aim to understand the occurrence of the NJT accident and to analyze its inadequate control actions in this complex train operation system at the passenger station.Detailed analysis of inadequate enforcement is extended with selected system components' safety constraints, failures or inadequate control actions and supportive backgrounds, as shown in Figure 4.

NJT Train 1614
SRT 3,2 regulations and policies published were strictly followed by NJT.More specifically, in the mechanical part, the inspection and maintenance program of NJT met the requirements in 49 CFR Part 238.Before the trip, a comprehensive inspection was made on the accident controlling cab car and the air brake based on FRA requirements.In addition, an alerter was installed in the locomotive cab, which was operated properly as was required by 49 CFR Part 229.In terms of signal part, the signals indicating restricted-speed operation, together with other wayside signals, were inspected and verified for a proper performance, and there was no deficiency in the rate of cab signal code, either.NTSB (2018b) concluded that both the signal system and the train control system were functioning as was designed, which were in accordance with the FRA requirements.Meanwhile, NTSB (2018b) pointed out that there was a lack of legislative rules or non-legislative recommendations providing medical standards or regulations to address OSA screening and treatment.
According to NTSB (2018a), OSA is a contributing factor in the NJT accident and previous train accidents, because it is able to result in frequent interruptions in sleep during train operation, which leads to an expanded fatigue and daytime microsleeps.Since 2010, NTSB (2018a) has investigated 6 OSA-related railroad accidents causing nine fatalities and 283 injuries in total, and identified that the sleep disorders were a key medical fitness issue for train employees.As a result, a variety of safety recommendations have been subsequently made to the FRA, such as R-12-16 (NTSB, 2012), R-13-21 (NTSB, 2013) and R-16-044 (NTSB, 2016), all of which suggested that the FRA should develop and enforce its standards to medically screen railroad employees for sleep apnea and other sleep disorders.However, according to NTSB (2018a), it was still in a process of responding to the reiterated safety recommendations, and there was no medical standard or regulation directly addressing OSA screening or treatment mandated by FRA in the NJT accident.
A nationwide implementation of the PTC system is mandated by the Rail Safety Improvement Act of 2008.ACSES II, one of PTC system types approved and certified by FRA, was implemented by NJT to prevent human-error-related train accidents through automatically slowing down or stopping trains.However, train operation at passenger stations is designated as a regulatory exemption from the PTC requirements based on current FRA regulations (FRA, 2011).Thus, stopping a train in a terminating track would depend on the attentiveness and compliant behavior of the engineer.
5.2.2New Jersey Transit.As a statewide public transportation system providing around 270 million passenger trips each year (NJ Transit, 2018), NJT is responsible for strictly following safety requirements and constraints to mitigate operational risks.Firstly, NJT should make sure that mechanical components work without defects according to FRA requirements.It should also keep periodic inspections and maintenance programs for the locomotive and passenger cars to meet the FRA requirements.Moreover, trainings and physical examinations for crew staff are also essential.NJT has the responsibility for continuing educational requirements on train crew staff to maintain their competence and knowledge about rail safety.In the personnel physical condition, NJT is accountable to providing a periodic physical examination to ensure that the crew members, particularly those at safety-sensitive positions, are fit for their duties.Furthermore, according to NTSB reports (NTSB, 2018a(NTSB, , 2018b)), the system safety program plan (SSPP) and OSA screening were two safety constraints involving inadequate control actions, which were identified by NTSB as probable contributing factors to the NJT accident at Hoboken Terminal.SSPP is a system safety program designated to assist in operation monitoring and appropriate data collection, so as to identify emerging safety issues before the occurrence of accidents, in which the significance of hazard management was recognized both by FRA and APTA (NTSB, 2018a).APTA (2006) identified SSPP as the first element of a formal Passenger rail station safety improvement process in the application of the principles of system safety, which is described as a structured program with a proactive process and procedure to identify and eliminate hazards as well as the risks resulted to the railroad system.A total of 23 elements are identified in the Manual for the Development of System Safety Program Plans for Commuter Railroads (APTA, 2006) for commuter railroads to consider in the development of an SSPP.Based upon NTSB investigation (NTSB, 2018a), although NJT had its SSPP in effect at the time of the accident, it lacked an identification and evaluation of the potential of a collision between a train entering the stub-end track and the bumping post.In addition, NJT designated terminal tracks at Hoboken Terminal as other-than-main line tracks and exempted them from PTC requirements in accordance with FRA requirements (FRA, 2011).In this context, train operation at Hoboken Terminal largely relied on train engineers, who had a severe OSA that was not diagnosed or treated.

Train engineer.
Train engineers play a pivotal role in the safety of both passengers and bystanders while operating locomotive equipment.The train engineer has the responsibility to make sure the train is in compliance with all signals, rules and regulations at the Hoboken Terminal.Some additional safety requirements were also followed by the train engineer.For example, the inspection of train equipment and cabs on locomotives before departure was conducted by the train engineer to make sure these were in appropriate working order.Train engineers should receive and transmit information via the radio or telephone to the conductors and dispatchers and should also be aware of the surrounding areas and necessary decision making accordingly.Nonetheless, the train engineer in this accident train failed to follow the speed limits and restricting signal.As a result, the train speed was reduced with insufficient braking distances to the end of the track by the engineer and then led to the occurrence of the NJT accident.In respect of train crews, the train engineer's increased fatigue due to frequent interruptions in sleep contributes to failing to stop the train after entering Hoboken Terminal.
As another recent high-consequence end-of-track accident at passenger station, the LIRR accident at Atlantic Terminal, New York on January 4, 2017, had similar inadequate enforcement of control actions and contexts comparing against NJT accident at Hoboken Terminal based upon investigation results from NTSB (2018a).It would not be further discussed in this paper and sufficient precise accident details and investigation results are also available in NTSB reports (NTSB, 2018a, 2018c).

Discussions in policy implications and practices
The end-of-track collision at Hoboken Terminal discloses a potentially stern consequence of accidents at passenger stations, in which a train fails to stop before reaching the end of its terminating track.The STAMP-based analysis with selected accidents contributes to a distinct understanding of system hazards, constraints and the hierarchical control structure of train operation at passenger stations.Based on the analytical results, in particular with inadequate control constraints, this section aims to inform several effective safety strategies to reduce accident risks at passenger stations and promote their safety level in the future.After the occurrence of the NJT train accident in 2016, several safety issues were raised in the railroad industry, such as the measures ensuring that engineers are fit for their duties, investigations on PTC system at terminal tracks and the implementation of safety management systems.The findings are discussed in the following subsections based on both the STAMP-based analysis of end-of-track collisions and reference information in NTSB report (NTSB, 2018a), including OSA screening and treatment; mechanisms to automatically prevent end-of-track collisions; comprehensive system safety program plans; and bumping posts with a higher impact tolerance.SRT 3,2 6.1 Obstructive sleep apnea OSA is one major contributing factor to fragmented sleep and subsequent daytime fatigue sleepiness, which could be a crucial increasing risk for train crewmembers.In a study of train engineers in Greece, Nena et al. (2008) concluded that OSA was common among Greek railway drivers and 62% of train engineers encountered this sleep-disorder issue, while the percentage of adults having OSA in the general population from Western countries was only around 5% (Young et al., 2002).Similarly, Koyama et al. (2012) studied the prevalence of OSA among Brazilian railroad workers.Based on an evaluation of a survey from 745 railroad workers, the prevalence of OSA was approximately 35%, which is higher than that in the general population too.Without OSA screening and diagnosis programs required by federal agencies or railroads, a relatively high prevalence in the train engineers of OSA would possibly increase the risk of end-of-track collisions at passenger stations.According to an NTSB report (NTSB, 2018a), the engineer in the NJT accident underwent a post-accident study and was diagnosed with severe OSA, which was a probable cause of this accident.Nevertheless, at the time of the collision, there were no regulatory guidelines or recommendations referring to effective diagnosis and followup medical treatment in respect to OSA.This STAMP-based accident analysis demonstrates the necessity for government agencies, railroad associations and railroad companies to work closely to promote the development and enforcement of a complete, effective program involving OSA screening and follow-up medical treatment.To achieve this, extensive research studies could contribute to the development of an effective OSA program.Romero-Corral et al. (2010) disclosed the interactions between body weight (measured by BMI) and OSA, which were also used in the investigation of NJT train engineer after accidents by NTSB (2018bNTSB ( , 2018c)).Epstein et al. (2009) provided a comprehensive clinical guideline for the evaluation and treatment of OSA.The diagnostic of OSA was suggested to involve a sleep-oriented history, physical examination and objective testing.Once the diagnosis is set up, the patient should consider an appropriate treatment strategy that covers positive airway pressure devices, oral appliances, behavioral treatments, surgery and/or adjunctive treatments (Epstein et al., 2009).With the support from existing but limited OSA screening practices and literature, a comprehensive, valid OSA program can be developed to mitigate the risk from OSA posing to intercity passenger trains and commuter trains.An intervention policy with regulatory guidelines and recommendations referring to diagnosis and follow-up medical treatment are paramount to detect OSA and other sleep disorders among train crewmembers.In this case, the railroad employees in safety-sensitive positions should meet medical standards to be fit for duty, which is able to reduce such human-factorrelated train accidents.
Figure 5 provides a visual interpretation of the proposed recommendation in the STAMP model.More specifically, a practical OSA program involving both screening and treatment can be developed based on the guidance from NIH and would be valid for train crew members who should be fit for duty under the OSA program to release more positive commands in the train operations at passenger stations.

System safety program plans
As mentioned in Section 5, NJT had SSPP with rich hazard management to monitor train operations and collect considerable data to identify emerging safety issues.Although six collisions have also occurred between NJT trains and bumping posts between 2007 and 2016 (two of them at Hoboken Terminal), NTSB (2018a) pointed out that NJT did not recognize the risk of an end-of-track collision at passenger stations as a key risk factor in SSPP.

Passenger rail station safety improvement
Similarly, the SSPP overlooked the need for OSA screening and treatment to prevent potential hazards and did not account for undiagnosed or untreated OSA.Therefore, SSPP should be promoted and updated with the account for the increased risk of OSA and operational hazards associated with end-of-track collisions.Eventually, the robust SSPP documenting comprehensive hazards can contribute to the mitigation of emerging, critical risk elements through an effective management system.
In Figure 5, the proposed robust SSPP is interpreted visually using simplified STAMP.In addition to adding end-of-track collisions and OSA into the SSPP, federal agencies (e.g.FRA or FTA), industry associations (e.g.APTA) and railroads can construct a reliable SSPP with comprehensive hazards documented.This action would promote the level of safe train operations (commands in Figure 5) by train crewmembers.Moreover, the reports and feedbacks from the train operation process can also advance an exhaustive, continuous safety management system and eventually mitigate the risk at passenger stations before the accident occurred.Notes: The plus signs (+) represent the reinforcing channels between components.Specifically, train engineers under OSA program are expected to make more compliant commands and guaranteed safe train movement SRT 3,2 6.3 Collision avoidance and mitigation techniques 6.3.1 Positive train control.NJT designated the terminating tracks as "other-than-main-line track" and exempted them from PTC implementation requirements, which are in accordance with federal regulation (FRA, 2011).Without the implementation of PTC system that can automatically prevent these passenger trains from human-error-related accidents, the safe train operations would generally depend on crewmembers' compliant behavior when they are entering passenger stations with stub-end tracks.However, NTSB (2018a) augured that it cannot provide the level of safety necessary to protect the public.In the study of the safe approach of train terminals, Moturu and Utterback (2018) stated that implementation of a design mitigation (e.g.PTC) has distinct benefits for controlling speed entering terminal point locations.Therefore, it is critical to implement a mechanism that can automatically stop a train before the end of the tracks even if the engineer is negligent or disengaged to mitigate potential hazards to passengers and bystanders at passenger stations.
The train operation procedures that NJT was using during the accidents are shown in Figure 6(a), and the train movements were only managed by train crewmembers.If appropriate wayside signal and cab signal are displayed, the safe train operations at passenger stations would be guaranteed by the compliant behavior of train crewmembers and any performance that does not follow received information is likely to result in hazards or even accidents.A train control system, such as PTC, can be implemented to prevent such train accidents attributable to human error.The train movements are still under the control of train engineers but are also monitored by PTC.Taking ACSES, one of PTC technologies that are primarily used on the Northeast Corridor and mostly implemented by Amtrak and commuter railroads (e.g.NJT and LIRR), as an example, it integrates the locomotive computer, wayside device, communication network, transponders and back office to collect and analyze train real-time status, movement authority and speed restriction information (measured variable from sensors to PTC in Figure 6(b)).If the train crewmembers fail to appropriately operate train movements, ACSES would automatically apply the brakes and bring the train to a positive stop (Zhang et al., 2018).
6.3.2Concept of operations for positive train control enforcement at passenger stations.To explore how ACSES may function (what is needed, how to implement it) as if the ACSES was enforced under restricted-speed operations at passenger stations, specific modifications are proposed in Figure 7 based upon Zhang et al. (2019).This concept of operations focuses on the PTC enforcement to prevent end-of-track collisions at passenger stations and does not intend to propose this system to be installed everywhere in the US rail system.
Figure 7(a) shows a stub-end passenger station with a bumping post locating at the end of tracks.The proposed solution is to divide the station into two zones as shown in Figure 7(b).As the train reaches the end of full ACSES territory, the last transponder set tells the onboard ACSES system that it has entered "Out of ACSES Territory."No linking distance will be provided to the next transponder set, but the transponder set will provide a line speed package designed for the maximum speed that trains are supposed to be operated in the terminal area (e.g. 15 mph).The preceding transponder set will be designed with a permanent speed restriction package telling the system that the speed will be capped at the lower speed at the location of the end of ACSES territory.The second zone begins at the entering end of each platform.The first transponder set (T1) makes the system re-enter ACSES territory and provides positive train stop (PTS) information targeting the end of the platform track or bumping post as the stop target.This transponder set also provides linking distance information to the next transponder set (T2).The first transponder set needs to be located at a distance greater or equal to the braking distance needed to stop the train.The second transponder set (T2) provides redundancy to the first set and also better Passenger rail station safety improvement As the train reads the first transponder set T1, the engineer will receive an alarm.The system calculates a braking curve based on the present speed of the train and the distance to the target (bumping post).Provided there is sufficient braking distance, the train will receive a stop enforcement unless the engineer stops the train before it reaches the target.If there is insufficient stopping distance, the system will slow the train to a much lower speed than the train would have been traveling without this solution.When the train changes direction, it will read the transponders T2 and/or T1 in the reverse direction.The message in these transponder sets for this direction will tell the train that it is leaving ACSES territory until it reaches the location where ACSES territory with full supervision starts (Figure 7

Passenger rail station safety improvement
Moreover, the mechanisms to prevent trains from colliding with the end of tracks are not limited to PTC systems.Any PTC-alike collision risk mitigation technology can be developed and implemented to achieve the same prevention function and safeguard.Furthermore, some challenges and the impracticability of additional technology installation, such as the complexity of terminating tracks, the size of the turnouts, the large number of train movements and the close proximity of signals and switches at passenger stations should be taken into account while developing and implementing practical end-of-track collision mitigation techniques.
6.4 Bumping post with more impact tolerance Bumping post, also known as bumper block, buffer stop, is an attenuating safety device placed at the end of terminating track to stop unauthorized movement.In the NJT accident at Hoboken Terminal, the bumping post (an exemplar shown in Figure 8(a)) located at the end of the tracks was overrode and destroyed by the accident trains.NTSB (2018a) concluded that the bumping post at the accident location did not by itself provide protection at passenger stations adequately.The fixed bumping posts, of the type employed at Hoboken Terminal can only offer tolerance and protection for low-speed impact.In theory, a train transfers enormous kinetic energy to the bumping post in an impact (e.g.end-of-track collision) and can easily exceed the bumper's tolerance.After hitting the bumping post, the accident train stuck a wall of the terminal and also led to one person on the passenger platform died due to the falling debris from the Hoboken Terminal.
In addition to the fixed bumping post that was implemented in the NJT accident, energy absorbing bumping posts (Figure 8(b)) are dynamic barriers that utilize friction mechanisms and hydraulic systems and can absorb relatively higher-speed impact.However, NTSB (2018a) pointed out that most terminals do not have the physical space for this type of bumping post, in particular for the friction mechanisms with extensive distance demand.Moreover, Moturu and Utterback (2018) identified that energy absorbing bumping posts are still limited in the amount of kinetic energy that they can tolerate and would have a large likelihood to fail at speeds over 10 mph.It means even if this type of bumping post was equipped, it still cannot bear the impact of the NJT train at Hoboken Terminal, which was traveling around 21 mph at the time of the accident.Therefore, it is essential to design and implement bumping posts with both higher impact tolerance and more practical function in the complex station areas.Figure 8 visually indicates how advanced bumping posts increase the level of safe train operations at passenger stations.Advanced bumping posts located at the end of the terminating track can strengthen the impact tolerance to the uncompliant train movements.As a result, the potential collision consequence (process output in Figure 8) under reinforcing collision protection device would be reduced.It is acknowledged that there is always an upper limit of allowed impact speed for this impact absorbing device.In practice, bumping post should be coupled with the aforementioned end-of-track collision risk mitigation strategies (e.g.OSA screening program, train protection systems, comprehensive SSPP) to effectively prevent end-of-track collisions in the nationwide rail system.

Conclusion
End-of-track collisions at passenger stations have caused substantial damage costs and casualties over the past decade in the USA.At present, the safety of train operation on terminating tracks would generally depend on the attentiveness and compliance of crewmembers.One recent end-of-track collision at Hoboken Terminal discloses the potentially high consequence of train operation at passenger stations and is analyzed through STAMP, a widely used system-based accident model in complex systems.The analytical results demonstrate an explicit understanding of system hazards, constraints and the hierarchical control structure of train operation on terminating tracks in American railroads.In particular, the failures or inadequate control constraints in operating process loops primarily play a probably contributing role in the high-profile end-of-track collision.
Four policy recommendations and practical options are discussed to improve the safety status and mitigate the risk of end-of-track collisions at passenger stations based on recommendations of the NTSB and our engineering assessment.Firstly, it is essential to ensure an effective screening and treatment program of sleep disorders to mitigate the noncompliant behaviors of railroad employees at safety-sensitive positions.Secondly, mechanisms (e.g.PTC) are needed to automatically prevent collisions between trains and the end of tracks in case the engineers are inattentive or disengaged.Thirdly, an effective SSPP should be comprehensively promoted and updated with identified hazards (e.g.end-of-train collisions, OSA) to protect the train operation against the increasingly unsafe conditions.Fourthly, a bumping post with a higher impact tolerance should be designed and implemented at the end of the tracks to absorb the trains' kinetic energy and reduce bad consequences.The findings of STAMP-based analysis can serve as valid references for policymakers, governmental accident investigators, railway practitioners and academic researchers.Ultimately, they can contribute to establishing effective emergent measures for train operation at passenger stations and promoting the level of safety necessary for protecting the public.The STAMP accident models developed in this paper can also be adapted to the studies and investigations of other train accidents as well as railway systems in the USA.

Passenger rail station safety improvement
Passenger rail station safety improvement Figure 1.Basic process model in train operation at US passenger stations (s) Devices to transmit control commands and control the train movements Throttle, brake system, etc. Disturbances External environments that could have effect on train movements Snow, extreme wind, flood, ice, etc. Process inputs Input information and devices that support/ influence the train movements Signal, track condition, rolling stock condition, safety equipment (e.g.bumping post), etc. Process outputs Output information and conditions that result from train movements Vibration, noise, severe hazard (e.g.derailment, collision), etc.
Figure 2. Basic train operation control structure at passenger stations Figure 3. Map of Hoboken Terminal tracks Figure 4. STAMP analysis of control structure and system components with inadequate constraints (summarized based on NTSB reports)

Figure
Figure 5. Illustrations of proposed programs in the prevention of end-of-track collision in STAMP operating processes Figure 6.Illustrations of proposed end-of-track collision prevention solutions in STAMP operating processes (b)).

Table 2 .
Explanatory It provides financial and technical assistance to public transit, including light rail, subways, buses(FTA, 2018).FTA receives funding authorized by US Congress in transportation legislation, such as the Fixing America's Surface Transportation Act (Congress of the United States of America, 2015b).
(Romero-Corral et al., 2010)h (NIH) is an agency of the US Department of Health and Human Services.NIH publishes and supports foremost medical research studies and some of them could guide the physical examination in railroads.For example, an NIH study of interactions between obesity and obstructive sleep apnea (OSA)(Romero-Corral et al., 2010)found out that a body mass index of more than 35 kg/m 2 indicates severe obesity and increased risk of OSA.