C. Warren Axelrod

Fail Safe, Fail Secure … Revisited

In my December 10, 2012 BlogInfoSec column “Fail Safe, Fail Secure,” I recounted the horrific collision of two high-speed passenger trains in Wenzhou, China on July 23, 2011, which left 40 dead and 192 injured. The root cause of the accident was found to be flawed signal boxes, whose inadequate design, manufacture and testing were attributed in part to the pressure to meet tight deadlines and save costs.

In July 2013 alone, three tragic train disasters occurred. On July 6 there was the explosion of the derailed freight train in Lac-Megantic, Quebec, killing at least 50 people. On July 12, a passenger train derailed at the Brétigny-sur-Orge station, near Paris, leaving 6 dead (two passengers and four persons on the platform). And on July 25, a passenger train derailed at high speed in Santiago de Compostela, Spain, killing about 80 passengers at the time of this writing. The Canadian and Spanish catastrophes, which were purportedly caused to some extent by human error or recklessness in controlling the train itself, likely could have been avoided with better-designed braking and speed-management systems, respectively. The French accident occurred because “a metal clip joining two rails as part of the switch, which guides trains from one track to another, had worked loose and disconnected from its normal position,” which may or may not have been due to human error, and may or may not have been preventable.

The cause of the catastrophic explosion of the freight train carrying light crude oil at Lac-Megantic, Quebec, is still under investigation at the time of this writing. The explosion, which occurred at 1:00 am on Saturday, July 6, 2013, resulted from insufficient braking having been applied, so that the stationary train rolled down the tracks at increasing speed until it derailed and the oil in its tankers exploded. The release of the train appears to have been caused, at least in part, by a braking system that was shut off in a dangerous fail-unsafe condition. The shutting down of the air brake system (which was being held by a single engine because of an earlier fire in the parked train), along with the inadequate application of manual brakes, appears to have allowed the train to careen down the tracks, derail and explode seven miles away.

While the forensic analysis for the case is still ongoing and a criminal investigation has been initiated, it is surprising that no one appears to be questioning the fundamental design of the braking system, only the operation of the brakes as currently designed. This is surprising since the concept of the “dead man’s brake” has long been adopted by the railroad industry. As you likely know, with such a system the train driver must actively release the brakes and keep them released throughout the journey. If, for any reason, such as the driver passing out, the brakes are no longer held open, the train automatically comes to a smooth halt. The question is: Why didn’t the freight train have a similar fail-safe braking system? And if it did, how was it possible for such a system to become disengaged? It seems to me that more attention should be focused on the braking systems as well as on the design of the oil tanks and tanker cars.

The French derailment appears to be less complex. A device holding the rails together apparently worked loose and caused the rails to separate, causing the train, which was travelling within the speed limit, to derail. Seemingly the track had been checked only a week before the accident. The root cause was claimed to be that the infrastructure was “out of date,” and that the accident was due to mechanical failure rather than human error, although the cause of the accident is being reexamined in the light of the subsequent Spanish accident.

The common explanation of the catastrophic Spanish train crash is that the train was traveling far above the speed limit. Among all the clamoring, I saw a television interview of a subject-matter expert, who suggested that some of the blame might be attributable to the fact that the railroad was in the process of converting from one control system to another and that the legacy system might have been operating at the same time as the replacement system. It is not clear whether these systems were at fault or whether, under other circumstances, either system might have limited the train’s speed. Either way, there is clearly a need for control systems that prevent trains from exceeding speed limits along different stretches of track. That shouldn’t be so hard to accomplish.
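To make the column’s point concrete, here is a small constructed model (added here, not part of the original column or of any real railway control system) that contrasts a fail-safe brake design, where the brakes are on unless power, an alert driver and an in-limit speed are all positively present, with a fail-unsafe design where the brakes are held on only by active power and nothing supervises the speed limit. The track, the three scenarios and the 200/80/50 km/h limits are all made up for illustration.

```python
from dataclasses import dataclass

FAIL_SAFE, FAIL_UNSAFE = "fail-safe", "fail-unsafe"


@dataclass(frozen=True)
class Stretch:
    """Constructed track segment [start_km, end_km) and its speed limit."""
    start_km: float
    end_km: float
    limit_kmh: float


# Constructed line: fast open track, then a sharp curve, then a station.
LINE = [Stretch(0, 20, 200), Stretch(20, 24, 80), Stretch(24, 30, 50)]


def limit_at(line, position_km):
    """Speed limit for the stretch containing position_km; 0 if unknown."""
    for s in line:
        if s.start_km <= position_km < s.end_km:
            return s.limit_kmh
    return 0.0  # off the map: return the most restrictive possible answer


def brakes_applied(design, powered, driver_alive, brake_lever, speed_kmh, limit_kmh):
    """True when the brakes are on under the given design and conditions."""
    if design == FAIL_SAFE:
        # Brakes are on unless every positive condition holds at once: power
        # present, driver actively holding the release (dead man's brake),
        # lever not set, and speed within the limit for this stretch.
        return not (powered and driver_alive and not brake_lever and speed_kmh <= limit_kmh)
    # Fail-unsafe: brakes stay on only while power (e.g. air pressure from a
    # running engine) holds them on, and nothing looks at the speed limit.
    return powered and brake_lever


def scenario_outcomes(design):
    """Brake state for the three failure modes the column discusses."""
    return {
        # Parked train, no driver, engine shut down after a fire.
        "engine off, parked": brakes_applied(design, False, False, True, 0, limit_at(LINE, 10)),
        # Driver incapacitated mid-journey on open track.
        "driver passes out": brakes_applied(design, True, False, False, 150, limit_at(LINE, 10)),
        # Driver alert but entering the 80 km/h curve at 190 km/h.
        "overspeed into curve": brakes_applied(design, True, True, False, 190, limit_at(LINE, 21)),
    }


if __name__ == "__main__":
    for design in (FAIL_SAFE, FAIL_UNSAFE):
        print(design, scenario_outcomes(design))
```

In every scenario the fail-safe design reports the brakes on, while the fail-unsafe design lets the train roll in all three.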
