Bug China Transportation IT

Circuit Flaws Blamed For China Train Crash

hackingbear writes "The Xinhua news agency reports that a signaling equipment circuit design flaw and lack of safety alertness in railway management caused a high-speed train to ram into a stalled train near the city of Wenzhou in east China's Zhejiang Province on Saturday, leaving 40 people dead and 191 injured. A lightning strike triggered the malfunction, which resulted in a green alert light failing to turn red, leaving railway personnel unaware of the stalled train, the official said. The Beijing National Railway Research and Design Institute of Signal and Communication Co., which was responsible for designing and building the signaling system, has posted an apology letter on its website, offering condolences and promising to 'shoulder any due punishments that may result from the investigation.' Domestic media has raised more questions over the explanation. 'Why was such seriously flawed equipment in use for nearly two years without being detected? Why was it installed in as many as 76 rail stations across the country? Are there other problems with the railway apart from equipment flaws?'"
  • by Anonymous Coward on Friday July 29, 2011 @06:14PM (#36928320)

    Why was such seriously flawed equipment in use for nearly two years without being detected?

    Because it hadn't been struck by lightning until now.

    If this analysis is true, the designers are not familiar with the term "fail safe".

    I'm an engineer with over a decade of experience in the signalling business (although thankfully not the Chinese one). Fail Safe is what it's all about.

    Note to Slashdot editors - your summaries really suck lately: TFA says "A lightning strike triggered the malfunction". That is NOT a "circuit flaw". It is an externally induced failure (which the system should detect) and to compare the two terms is to compare rocks with pudding.

  • Re:Because (Score:4, Interesting)

    by artor3 ( 1344997 ) on Friday July 29, 2011 @06:20PM (#36928402)

    EOS failures can do funny things. Single IOs can fail while the rest of the chip works fine. It's hard to catch such problems. Ideally during startup, you'd run a test on every pin to make sure they're all still working. Even if the lightning strike occurred immediately before the crash, I would hope that after being hit by lightning they'd stop and test their systems.

    This sounds like it's more a problem with their safety protocols, and less a problem with the particular circuit that failed.

  • by Animats ( 122034 ) on Friday July 29, 2011 @07:07PM (#36928866) Homepage

    As I pointed out when this first happened, Hollysys [slashdot.org] claims to have designed and built the signalling system. They issued a denial that the system failed. [prnewswire.com] Now we have a unit of "China Railway Signal & Communication Co" taking responsibility. They're affiliated with what used to be General Railway Signal in the US, which is now part of Alstom. It's not clear who built what here. "China Railway Signal & Communication Co" may be the installation contractor.

    A little of what happened is clear. There are two separate systems involved. One is classic railroad signaling, with track circuits, wayside equipment, and cab signals. The classical designs are simple and robust. That's the safety-related system. The other is the train control system which uses a unit at the head and tail of each train, communicating to a central headquarters. Those systems are elaborate and computerized, but not considered life-safety systems. Either system is normally sufficient to prevent collisions.

    In normal operation, the train control system does most of the work. It knows about train identity, schedules, and speeds. If the train control system is working right, the safety-related system never intervenes.

    In a power failure, though, the train control system can lose contact with a train, since it uses active equipment on each train. That probably happened here. With a total power loss, the dead train isn't reporting to central control.

    The safety system, on the other hand, detects trains because the wheels connect the rails together, normally has battery backup, is supposed to be very robust, and is intended to fail to STOP. Even after lightning strikes and a total power failure, it should still work. (Such systems have been taking lightning hits for a century without problems. Lightning hits railroad tracks and pole lines frequently; in flat country, they're the lowest resistance path to ground.)

    But the safety system is high-maintenance. There are bits of it all along the lines; track circuits, wayside equipment, signal enclosures, and various other little and big boxes, all of which need attention. Keeping railroad signalling working right requires a large staff of dedicated, well-supervised signal maintainers. Since the systems are designed to fail to STOP, maintenance failures tend to result in red signals.

    If the train control system shows the line as clear, and the safety system shows STOP, this normally triggers an emergency brake application. For a high speed train, that takes several kilometers and can cause wheel flattening. (Train wheels have steel "tires", which have to be replaced periodically. An emergency stop takes a lot of life off a tire.)

    The question here is what happened to the safety system. Was there over-reliance on the train control system? Was the safety system bypassed to avoid unwanted emergency stops? That's speculation at this point.
