CBTC - Computer-Based Train Collision?

[whole diary]

[stuving]

From Channel News Asia:

SINGAPORE: The “inadvertent” disabling of a software protection feature has been identified by the authorities as the reason for an SMRT train hitting another, stalled train at Joo Koon station on Wednesday morning (Nov 15).

Twenty-nine people were injured after a train “moved forward unexpectedly” and “came into contact” with another stationary one in front of it, according to earlier statements from the Land Transport Authority (LTA^▸ (Local Transport Authority)) and SMRT.

At a joint press conference held later Wednesday, LTA deputy chief executive of infrastructure and development Chua Chong Kheng said preliminary findings indicated that the first train - in front - departed Ulu Pandan with a software protection feature which was “inadvertently removed” when it passed a faulty signaling circuit.

“This train then arrived at Joo Koon station without the feature,” said Mr Chua. “This resulted in it giving off a train profile on the new signaling system of a three-car train instead of a six-car train.”

“As a result, the second train (behind) detected the first train as a three-car train and misjudged the distance between the two, causing a collision.”

Mr Chua said that as a precaution, operations from Joo Koon to Tuas Link will be suspended for the entire day on Nov 16 while assurance checks are conducted with signaling contractor Thales.
...
“SITUATION UNSATISFACTORY”

Expanding on his use of the word “inadvertent”, Mr Chua said there was no indication that the removal of the software protection feature was due to human action.

"The new trackside signaling circuit is still a work-in-progress and as the train passed by, we observed this (software protection) feature got removed,” he said, adding that a thorough investigation was being conducted to get to the root cause.

Mr Chua said that when the first train stalled at the station - due to an anomaly in the train signalling system - station staff boarded the train to run checks, and safety protocol at the station closed down the track to “physically protect” another train from coming in.

When the second train arrived, it “observed this stopping point” by halting 10.7m behind the first - a safe stopping distance, said Mr Chua.

Authorities were asked if the rear train driver - subsequently injured in the collision - could have overrode the signalling system and prevented his train from moving forward at an estimated speed of 16kmh.

Said Mr Kek: “10.7 metres away is relatively close, the movement before coming into contact with the first train took only 10 seconds.”

“The driver can override the system, and apply the manual brake, but he didn’t. It is now subject to the investigation.”

Meanwhile, Thales representative Peter Tawn said this was the first incident of such a nature.

“We are very confident our system is safe,” he reiterated. “The Thales system is on record one of the safest there is ... We’ve never had a collision.”

Said Mr Chua: “Obviously the situation is not satisfactory, we are concerned and will work closely with SMRT on this.

“There’s also a technical bit here and we must be clear about responsibilities. This incident involve technical aspects and we need to iron those out with Thales.”

“But ensuring the safety of our commuters remains our priority,” he insisted.

Thales is the French company which supplied the new signalling system.

Read more at http://www.channelnewsasia.com/news/singapore/smrt-train-collision-at-joo-koon-cause-lta-9408766

You will have seen that in this case, as in most such accidents, there were at least two faults (in some sense) and an incomplete system operating outwith its normal condition. (Note that 10 metres at 1 m/s² gets you to 16.1 km/hr in 4.5 seconds.)

In principle, there's no difference between the software that implements CBTC^▸ (Communications-based train control), ETCS^▸ (European Train Control System), or SSI^▸ (Solid State Interlocking), and a mechanical interlocking. It's a set of safety rules turned into a machine (or its drawing set) in an engineering office, by a team of people who communicate and record their work on paper or its on-screen equivalent. In the mechanical case you then have to machine the bits and assemble them, and check the work at each step. While "pure" software needs no lathes, it still needs a whole load of checking.

But somehow it's always been a bit scarier that it's "only" code, produced by some metaphorically spotty lad in an office, that keeps you safe.

[Red Squirrel]

But somehow it's always been a bit scarier that it's "only" code, produced by some metaphorically spotty lad in an office, that keeps you safe.

I'm probably mis-remembering it, but I have in mind a story from Tom Rolt's Red for Danger in which a metaphorically spotty lad despatched a train with a cheery 'Right away, Jack'; sadly he was heard by the other train in the passing loop, and Jack was a common name back in those days... It seems that no amount of vigilance will ever entirely preserve us from the curse of the PFY, of whatever age or pimpliness...

[stuving]

But somehow it's always been a bit scarier that it's "only" code, produced by some metaphorically spotty lad in an office, that keeps you safe.

I'm probably mis-remembering it, but I have in mind a story from Tom Rolt's Red for Danger in which a metaphorically spotty lad despatched a train with a cheery 'Right away, Jack'; sadly he was heard by the other train in the passing loop, and Jack was a common name back in those days... It seems that no amount of vigilance will ever entirely preserve us from the curse of the PFY, of whatever age or pimpliness...

But that was procedural safety, and railways rely heavily on replacing that with engineered safety, primarily to avoid such accidents.

[SandTEngineer]

.....But somehow it's always been a bit scarier that it's "only" code, produced by some metaphorically spotty lad in an office, that keeps you safe.

Oi do you mind. We are not all 'young spotty' signal engineers you know....

Seriously though, this sounds more like an operating incident than a software/hardware coding error.  Be an interesting read when the report gets issued (if it ever does).

[stuving]

.....But somehow it's always been a bit scarier that it's "only" code, produced by some metaphorically spotty lad in an office, that keeps you safe.

Oi do you mind. We are not all 'young spotty' signal engineers you know....

Seriously though, this sounds more like an operating incident than a software/hardware coding error.  Be an interesting read when the report gets issued (if it ever does).

I was, of course, really talking about the perception (and not just mine) of who does software as opposed to signalling. On-board systems I'd expect to see done by software engineers (and I know how old and ugly they can be). CBTC^▸ (Communications-based train control) systems are probably the same, with signalling engineers not getting much of a look in.

There's a rather longer set of words here, though it's still journalism not technical material.

I'm surprised you might see it as an operational not a sfotware issue; after all only the software was driving the train. The error does seem to have occurred at the interface of old and new systems, so I'd guess it's a bit of non-standard software at that interface. As a one-off, it will not have gone through the big formal safety reviews of either systems design. It also has to cope with a load of ill-defined real-world phenomena - such as trains, for a start. There might be a hardware fault there too, but isn't the software supposed to guard against those?

[Red Squirrel]

...sfotware...

...there you go! 

[stuving]

...sfotware...

...there you go! 

It's a good job that wasn't a safety-critical post. Now there's a scary thought - for some of us especially...

[stuving]

Here is another update, from the Straits Times:

Tuas West stations to reopen only on Monday

Train services between Joo Koon and Tuas Link stations were halted on Nov 16, 2017, for the authorities to investigate Nov 15's collision between two SMRT trains.ST PHOTO: LIM YAOHUI
SINGAPORE - Train commuters heading to the western end of Singapore will not be able to use the four stations on the Tuas West Extension (TWE) till Monday (Nov 20).

While the four stations on this extension – Gul Circle, Tuas Crescent, Tuas West Road and Tuas Link – will reopen after the weekend, the authorities will keep service between Joo Koon and Gul Circle stations suspended for up to a month.

The move comes as the authorities continue investigations into Wednesday’s SMRT train collision at Joo Koon following a signalling glitch, which left 36 people injured.
...

The section of the line where the old signalling interfaces with the new CBTC^▸ (Communications-based train control) system, where the accident happened,  on the extension will be closed for a month. They want to find out how it happened, and fix the interfacing software. It may even stay shut until the old line is upgraded to CBTC (due next year).

[stuving]

There's another of these very detailed explanations from the Straits Times here:

Signalling system firm Thales apologises for Joo Koon train collision; assures commuters that its system is safe
Published  Nov 21, 2017, 11:29 pm SGT  Adrian Lim  Transport Correspondent

SINGAPORE - French company Thales has taken "full responsibility" for its part in the Nov 15 train collision at Joo Koon MRT station.

It said an "unexpected" problem occurred in the interface between the old and new signalling systems of the East-West Line (EWL).

Thales, which is supplying the new system for the EWL, has also apologised to commuters who were inconvenienced, and the 38 people injured by the accident.
...
After the CBTC^▸ (Communications-based train control) problem was detected, the train was switched to be driven in manual mode to Joo Koon MRT by design, at a speed of up to 18kmh.

This meant the platform screen doors had to be manually opened by the train captain at Joo Koon MRT station.

When the doors are opened manually, a "closed track" protection system is imposed, meaning that another train will not be able to enter the station.

After the captain manually opened the platform screen doors, all passengers alighted from the affected train. Waiting 36m behind was a second train carrying 517 passengers.

When the platform screen doors were manually closed to allow the affected train to move off, the "closed track" protection was lifted.

As a result, the second train, which was running in automatic mode, moved forward as it could not detect any protective bubbles around the first train. The two trains then collided.

Mr Alvin Kek, senior vice-president for rail operations at SMRT, said the 10 seconds before the collision was "insufficient" for the train driver onboard the second train to react.

The explanation of how Seltrac (CBTC) got confused while the train was running under the old block-based control system is not really important. The point is that it had to be ready to take over at Joo Koon, the last of the old stations. In this case it wasn't, and this had been detected, so the train was being manually operated at the point where handover took place. So (as so often) it was an interaction of the two systems and the interim software governing the handover that was accidentogenic.

More specifically, the combination "manually driven under block control" into the station and "running under CBTC" out of the station with "next train under normal block control" didn't impose a safe default train length. But that of course is only one of many such interactions of old/new/interim systems that had to be considered.

[stuving]

And the consequence was ... (Straits Times again)

Joo Koon-Gul Circle link to remain closed till mid-2018
Minister for Transport Khaw Boon Wan giving a door stop on the Joo Koon train incident which occurred on Nov 15, 2017.
Published  Nov 22, 2017, 5:00 am SGT Christopher Tan  Senior Transport Correspondent

The fallout from last week’s train collision at Joo Koon station will echo for several more months. It will mean the end of seamless journeys for commuters travelling between Tuas and Pasir Ris on the East-West Line for at least up to June next year.

There will also be early closures along stretches of the East-West Line on Fridays and Saturdays, and late openings on Sundays from Dec 8 to 31 as resignalling works get speeded up to finish by June instead of the end of next year.

This will affect 17 stations from Tiong Bahru to Tuas Link, as well as Bukit Batok and Bukit Gombak stations on the North-South Line.

On Dec 10 and 17, which are Sundays, these stretches will also close for the whole day.

The changes were flagged after it was revealed that the collision was caused by compatibility issues between an old and a new signalling system. To avoid the risk of a repeat incident, the two systems will remain separated till next June.

So, if plan A was to divert a significant amount of the contractor's effort into revising, validating, certifying, etc. new interim software for (in theory) six months - and Plan B was all hands to getting the new system (already proven) ready on the whole line ASAP, if possible before next June - which would you pick?