Photo from the NTSB.

NTSB members’ emotional tongue-lashing of Metro last week may have been well deserved. But the NTSB critique also risks being counterproductive unless cooler heads prevail at WMATA, focused more on actual safety than on just responding to NTSB.

NTSB’s safety recommendations are reactive, not proactive. They illuminate the facts of the crash, but are unhelpful in preventing the next crash, whose specific causes are likely to be very different given the rarity of accidents in any transit system.

Furthermore, because NTSB’s makes its recommendations without regard to costs, yet expects WMATA to implement them in their entirety or suffer further tongue-lashing, they risk stealing funds from higher priority corrective actions. WMATA really needs a prioritized list of initiatives (corrective action plans, or CAPs) that would boost safety, without regard to whether NTSB has made political footballs of them or not.

Where should such a list come from? Hazard analysis, conducted systematically, is the central discipline in safety management, and it is missing at WMATA and from NTSB’s recommendations. It is common practice in industries such as airlines and nuclear power.

A hazard is a cause of an accident, and the purpose of hazard analysis is to identify as many hazards as possible and then prioritize them by likelihood, severity of the consequences, and the cost of correcting them. There are two types of hazard analysis, and both are critical.

Root Cause Analysis: Whenever accidents happen, root cause analyses must be conducted to identify the root causes, or hazards, that led to the accident. NTSB conducted an excellent root cause analysis of the Red Line crash. The problem with relying on root cause analyses alone is that systems with very, very few accidents present few opportunities to identify root causes, and the root causes of each accident are statistically likely to be different.

Failure Modes and Effects Analysis (FMEA): A more proactive approach to hazard analysis is to identify all of the ways in which a system might fail. These are the system’s failure modes. Loss of train detection by the automatic train control system was the failure mode implicated in the Red Line crash. But there are dozens of other failure modes. FMEA identifies as many failure modes as possible, identifies the causes of each failure mode, and then prioritizes the actions that would correct each cause by the severity and likelihood of the effects of their failure mode and the cost of the corrective action.

NTSB rightly identified the deeper cause of the Red Line crash as not the failure of track circuit modules but an institutional failure to address safety. This institutional failure, though, was unhelpfully generalized as the “lack of a safety culture.” How does one get a “safety culture”? NTSB’s recommendations are sorely lacking in detail on this topic, with no mention of hazard analysis or FMEA. The result, as has been said, is a tone of petulance by the NTSB.

When WMATA calmly, systematically begins to conduct hazard analysis, publicly displays the resulting prioritized list of Corrective Action Plans in its monthly Vital Signs report, and then updates the list itself (as hazard analyses are conducted continuously) and the status of each plan, then people will think of WMATA as having a “safety culture”.

FTA Guide for Transit Hazard Analysis.

In this regard, the FTA was much more helpful than the NTSB in the FTA Audit’s recommendations for a “Hazard Management Program”. The institutional root cause of the Red Line crash, unidentified by NTSB, was described perfectly by the FTA: “There is no evidence that safety analysis is being performed to prioritize hazards for elimination and mitigation.”

Will cooler heads at WMATA prevail? Preliminary signs are not encouraging. The WMATA Board criticized the failure to implement over 100 Corrective Action Plans. Similarly, a WMATA official told the Riders Advisory Council, in explaining why the new 7000 series of rail cars will forego longitudinal seating, that if there were anything it could do, no matter what, to improve safety, then they would be remiss in skipping it.

Both of these incidents portray a shell-shocked WMATA that is reflexively saying “of course” to any idea that could improve safety. This emotional response to safety is precisely what leads to the false “safety vs cost” trade-off. A proactive hazard analysis program, however, must prioritize this list of ideas because it has produced far more corrective action plans than there is money or time to ever implement.

This results in a lean safety agenda that prioritizes CAPs with a high safety return on investment, not those that will only push large volumes of riders into cars for a minimal improvement in safety. That’s why the FTA asked WMATA for its list of “top ten” hazards that it plans to address.

Furthermore, it’s unclear if FMEA and Hazard Analysis are skills that exist within WMATA. The recent WMATA Vital Signs monthly report of Key Performance Indicators, such as passenger injuries and bus on-time performance, is to be commended for transparently monitoring and reporting metrics. But the discussions of “Why did performance change?” and “Actions to improve performance” for each KPI seem so arbitrary that it appears no root cause analyses were conducted for each KPI that was below target. Hopefully new Chief Safety Officer James Dougherty can bring these skills to WMATA.

It’s time for calm, proactive analysis to replace emotional, reactive safety initiatives. The Metro Board and GM, as well as journalists and bloggers, can be more helpful by asking the right questions, as the FTA did, instead of exposing every safety idea that WMATA has not implemented as indicative of an agency with no “safety culture.”

Ken Archer is CTO of a software firm in Tysons Corner. He commutes to Tysons by bus from his home in Georgetown, where he lives with his wife and son.  Ken completed a Masters degree in Philosophy from The Catholic University of America.