Archive for the ‘Metro Crash’ Category

You can’t fight in here, this is the War Room!

July 14, 2009

Is Dr. Gridlock actually Dr. Strangelove?  He’s got a post up documenting the hearings going on right now on Capitol Hill, and not the ones dealing with potential Supreme Court justices.  The whole thing is full of colorful Cold War language:

The term entered the common language during the Cold War when Eugene Burdick wrote an arms-race thriller called “Fail-Safe.” The scenario seems dated now: To the stunned surprise of controllers, U.S. nuclear bombers move past the point at which they’re supposed to stop. But it’s still a ripper, because of the well-known principle the 1962 novel illustrated: If something can go wrong, eventually it will. Nothing built by humans is “Fail-Safe.”

The NTSB has already made their hypothesis known – that a glitch in the ATO system allowed the collision, even while operating in automatic mode.   What seems to have happened was a breakdown in the system where there was no redundancy – the failure of one system made it possible for the entire system to fail.

Dr. Gridlock continues with the Cold War imagery:

Metro’s operations control center isn’t as impressive as the Strategic Air Command’s headquarters, with its towering maps and flashing lights, but it’s basically the same function: Redundant protections are supposed to make the train system fail-safe. But ultimately, humans are making sure the equipment is going where it’s supposed to go.

On June 22, a fail-safe system failed to prevent the fatal crash of two Metrorail trains on Washington’s Red Line. And the National Transportation Safety Board told us on Monday that we have no system in place to ensure that this won’t happen again.

On a complete side note, I’ve always envisioned the operations center for Metro or any other large transit system to be like NORAD from WarGames or other Cold War movies.

(NORAD as depicted in WarGames – from PC Museum)

It’s the kind of place where all the super secret information is displayed.  You can’t let outsiders in there because they’ll see the big board!

Given Metro’s stark architecture and generous use of concrete, it’s not hard to envision a Kubrick-esque control room, complete with all the black and white imagery.

Joking aside, the substantive points from Dr. Gridlock’s post are that trains will be operating on manual for the foreseeable future.  The NTSB’s recommendation is the installation of a redundant train control system.  Such an installation would need to be specially designed for Metro, and obviously won’t be coming online in any short timeframe.

He also hits on one vitally important point – Metro is still the safest way to travel in DC.  It’s important not to forget that.


Man Bites Dog

July 3, 2009

Freakonomics had a nice post about the media coverage of Metro’s recent crash, drawing parallels with airline crashes and the perception about the safety of these various transport modes:

But what the media very rarely mention is that the carnage on our roads makes these much-hyped accidents look almost trivial. Nine lives is nine too many, but there were 39,800 motor vehicle traffic fatalities in 2008 alone (and that was a good year). At that rate, between the time of the accident, June 22, and the time you are reading this, on average about 1,000 Americans died on our roadways. Yet this rarely merits a mention by the press.

And I think there is one more key dynamic. Heavy rail (the mode in the Washington crash) is a lot safer than car travel; in 2006 (the last year for which I have data) autos were responsible for five times more fatalities per passenger mile. (See here for auto fatalities per year, here for transit fatalities, and here for passenger miles traveled by mode.

In 2007 and 2008 there was not a single fatal accident associated with a major commercial airline. This year has seen 60 deaths (most from a single crash), but that still makes commercial air travel vastly safer than driving. Even in 2001, the year of a (hopefully) freak disaster on 9/11, commercial air travel had a per-passenger mile fatality rate about one eighth that of driving (see here for air fatalities).

Matt Yglesias had a similar feeling in the immediate aftermath:

— Fatal train accidents are national news stories precisely because they’re so rare. Deadly car crashes are a dog-bites-man story. Obviously, what happened was unacceptable but the fact remains that commuting by rail is very safe.

So far, I’ve been very impressed with the man on the street interviews most local TV stations have had with Metro riders.  Almost all of them have expressed this exact same sentiment – despite the accident, Metro is still the safest way to travel.

My anecdotal evidence from riding shows very few people have been avoiding the system.  Yesterday’s ridership report (June 2) shows system-wide ridership of 778,670.  Considering the proximity to the long weekend, that’s exactly what you’d expect to see.  It’s down from last year’s number on that date, but gasoline last summer was a lot more expensive.

More clues…

July 2, 2009

Dr. Gridlock has a couple of posts on the NTSB’s recent discovery of the failure of the ATO system to detect that Red line train:

As previously reported, initial testing showed that when the test train was stopped at the same location as the train that was struck in the accident, the train control system lost detection of the test train. Additionally, in subsequent testing over the weekend the train detection system intermittently failed; data is currently being collected to further analyze each component in the train detection system. Investigators are reviewing recorded track circuit data for each test configuration.

Maintenance records show that an impedence bond for the track circuit where the accident occurred was replaced on June 17th, five days before the accident. After a post- accident review of recorded track circuit data, WMATA reported to the NTSB that the track circuit periodically lost its ability to detect trains after June 17th; the NTSB is reviewing documentation on the performance of that track circuit both before and after the June 17th replacement.

Bold is mine.

John Catoe’s statement, with an excerpt:

Our testing has resulted in our being able to replicate the problem, but not isolate the specific cause. We know the problem is in a track circuit. We could just replace the parts, but we need to understand what caused it. You don’t just change the parts. We must find the cause.

We have conducted computerized analytical tests, which the NTSB has referenced as “track circuit data.” The data establishes a profile of what’s taking place electronically in the rail system. These tests are normally conducted monthly. What we found during a special review of the data after the accident was that the track circuit periodically lost its ability to detect trains. This is not an issue that would have been easily detectable to controllers in our operations control center. What the analytical profile showed was that the track circuit would fail to detect a train only for a few seconds and then it appeared to be working again. This happened after we had replaced an “impedence” or “weezie bond” for the track circuit for where the accident occurred. The device communicates information such as speed and distance between the tracks, trains and operations control center. The device was replaced as part of Metro’s normal track rehabilitation program. We are now running analytical reports on the rail system daily instead of monthly and system wide. We have found no other similar issues with track circuits in the system.

Again, bold is mine.

So, the question now is to determine just how periodic this detection failure was – how often, and for what time frame.  “A few seconds” could mean 1 or 2 seconds, or it could mean more.  It would seem that the longer such a glitch occurs, the more likely it is that a collision could take place.  Without knowing what kind of data Metro operators have before them on an updated basis, it’s impossible to tell if such a glitch should have been detected by the operators.

We don’t have the full story yet, but the confluence of circumstances is starting to build.

Track Circuit Didn’t Work

June 26, 2009

News today that the track circuit underneath the stalled Metro train in Monday’s crash failed:

The track circuit below the Washington Metro train that was rear-ended by another train this week didn’t work, U.S. transportation safety investigators found in a test.The circuit was supposed to relay information about the location of trains. The National Transportation Safety Board is investigating the June 22 accident in which nine people died. It was the worst in the 33-year-old Metro system’s history.

The circuit, part of Metro’s automated operations system, didn’t detect the presence of a test train investigators placed on it, the board said today in an e-mailed statement.

My speculation: In effect, the system didn’t know the stalled train was there.  Hence, it accelerated the back train and sent it at normal speed into a section of track the computer thought was clear.

The disturbing part would seem to be not the ATC system, but the fact that the sensor didn’t work.  ATC is a relatively new thing for railroads, but track sensors are not.  They work by sending a small current through each rail – tracks are divided into separate sections called blocks, and when a train’s wheels enter a block, the metal axle completes the circuit, sending a message to the control center on the train’s location.  This kind of technology has been in use for a long time.

The question is whether the failure is a part of the ATC system or the trac circuits.  Either way, it’s becoming more clear that the ignalling/control failure is primarily responsible here.

Metro Crash Aftermath

June 25, 2009

In the wake of Monday’s Red Line crash, DC’s various news outlets have uncovered all sorts of interesting factoids about Metro’s safety record and the implementation of various NTSB recommendations.  Speculation about the causes have run rampant, ranging from mildly informed theories to pure guesswork.  Some immediately blamed the now deceased operator, citing likely use of a cell phone.  DCist now reports via WTOP that’s not the case.

There’s also been a lot of discussion about the 1000 series rail cars and their crashworthiness.  At Greater Greater Washington, Matt Johnson has an excellent summary of Metro’s safety systems, particularly noting the design of the Automatic Train Control system as well as the track record of the 1000 series rail cars.   WCP gives you tips on how to avoid them, while the WMATA board agrees to move the cars to the middle of trainsets.

Public interest seems to focus on the 1000 series rail cars as the culprit, even though there’s no evidence that the cars themselves were the cause of the crash.  To me, the more interesting news to come out was the City Paper’s report that the NTSB found “anomalies” in the trackside equipment that’s part of the automatic train control system:

‘Anomalies’—that’s what federal investigators found in trackside electronic control equipment during testing yesterday, ’suggesting that computers might have sent one Red Line train crashing into another’ on Monday evening, WaPo writes. More from Lyndsey Layton, Maria Glod, and Lena H. Sun: ‘A senior Metro official knowledgeable about train operations said an internal report confirmed that the computer system appeared to have faltered.’ And that system, according to the NTSB’s Debbie Hersman, is ‘vital.’ Then there’s this: ‘The steel rails show evidence that McMillan activated the emergency brakes 300 to 400 feet before the pileup’—but she would have been traveling 59 mph. See also WTOP, NC8, WRC-TV, WUSA-TV, WTTG-TV, NYT, and Examiner, which notes that brake maintenance seems no longer to be an issue.

Again, it’s important to separate the two issues in this crash – the events that caused the crash itself, and the impact of the crash and the aftermath.  The former is about why this happened in the first place, the latter is about the crashworthiness of the cars.  Crashworthiness is important, without a doubt – but it’s also about keeping things as safe as possible after something has already gone wrong.

For that reason, the events that caused the crash itself are far more interesting to me.  We have evidence that the train was operating on Auto mode, that it was traveling quite fast (though eyewitness accounts tend to vary as to how fast – nevertheless, the damage shows a great deal of force was involved).  Given the slight curvature of the track, the speeds involved, and human reaction time to depress the Mushroom, it seems we can infer that the collision was unavoidable at that point – which would point to a very serious error with the Automatic Train Control system.

That’s where my interest is as the investigation unfolds.