The story behind February's crash of two German interurban cars near Bad Aibling illustrates what happens when people disregard all the rules of reasonable railroading while introducing unnecessary complexity into the safety appliances.

We start with a report that the train director was taken into custody. "He is accused of having been distracted by video games on his mobile phone at the time of the crash, which saw two local trains collide head-on along a single-file stretch of track outside Bad Aibling, southeast of Munich."  The man has the deaths of several colleagues and passengers on his conscience.  He's going to have to live with that, prison time or no prison time, firing offense or no firing offense.  And allowing himself to be distracted is a firing offense. Let me quote Rule 701 (C) from the 1967 Consolidated Code of Operating Rules in effect on several U.S. railroads. "Employees whose duties are connected with the movement of trains or engines must not, while on duty, play games or read magazines, newspapers, or other literature not concerned with their duties, or use radio or television other than those provided by the Company."  Distracted, yes.  But enabled by a serious design flaw in his signalling apparatus.  "The controller first mistakenly allowed both trains to access the single-track stretch where they would be forced into a head-on collision."

Put another way, the designers of the signalling system went to a lot of trouble to give the train director the ability to defeat a safety feature that is relatively easy to provide.  Destination: Freedom published what appears to be a translation of reports filed by German sources, Schwäbische Zeitung Newspaper, dpa (Deutsche Presse Agentur), and n-tv News Television. Apparently what's in place is something far less sophisticated than positive train control, or the old-style intermittent automatic train stop.

"The news story generated intense interest all across Germany due in part to the aspect that this rail line had been retrofitted a few years earlier with PZB, a version of positive train control (PTC) installed on most German rail lines. Many in the general population were under the impression that the PZB system should have prevented such a collision. However the PZB positive train control system is really nothing more than an automated track signal “enforcer,” in other words PZB will automatically intervene to stop trains if they pass through a red signal or a yellow “caution” signal too fast. But if a signal is showing green, when in reality it should be showing yellow or red, PZB will not intervene, as PZB is not designed to cross-check the status of the track signal against some sort of decision logic which ensures the signal is displaying the correct light color at that point in time. That decision process is handled by human dispatch controllers and/or automated control logic in the network control centers."

But a caption that accompanies a picture of the Bad Aibling station, which is also the train director's block cabin, contains a disturbing revelation.

"This dispatch center, located in the Bad Aibling train station, is fairly typical for many secondary and even some primary rail lines across Germany. The reason such dispatch centers are located directly in or next to passenger stations has much to do with the mechanical operation and control of both signals (mechanical semaphore signals) and track switches of several generations ago. Back at the time signals and track switches were moved and set mechanically with a system of push rods and/or cables and pulleys. As most of the signals and switches on such lines are located relatively close to rail stations, the control room was also located there to keep the length of the mechanical cables and/or push-rods to a minimum."

The point of those mechanical cables or push-rods (see an example at St. Erth) is to prevent conflicting train movements from being set up.  You must remember this.  "[I]f the dispatcher set up a meet on the fly, which is possible with centralized traffic control, the machinery will not permit conflicting routes to be set. Thus one train must see a stop signal."

There are three cardinal principles for setting up those mechanical interlockings.  First, a switch cannot be moved unless all signals controlling movements through that switch are set to STOP.  Second, a signal cannot be cleared to permit a movement through a switch until that switch is properly lined.  Third, a signal cannot be cleared to permit a movement that conflicts with a movement previously cleared.

It is much easier to configure the equipment to CONFORM to those three principles, particularly the third, than it is to provide a way for the train director to override the settings, particularly the third.

I set this up on my model railroad.  Note at lower left a double-pole, double-throw switch with the lever pointing to the right.  It's aligned to permit a train to approach from the right on the inward main line.  The lower pole is providing electricity to the inward main track.  If I threw the switch to the left, it would provide electricity to the outward main track.  The upper pole activates the signal at upper right, which is displaying a PROCEED aspect.  There's a green wire, that's no accident.  If I threw the switch to the left, that would change the setting of the signal to STOP.  See the red wire, that's also no accident.

I could provide another set of wires, so that when the signal above is at PROCEED, the signal controlling entry to the other end of the section would display STOP.  Throw the switch, get the STOP here and the PROCEED at the other end.  And I could wire a relay such that when I select the inward route, the track switch (points, for my overseas readers) lines for a train moving off the inward route onto the single track.

Now, I could add some additional circuitry to permit the signals at both ends of the section to display a PROCEED aspect, but why?  That sets up the situation that our German train director finds himself in, video games or not.

On occasion, a train director changes his mind, and he might change his mind at a bad time.  Thus, it's useful to provide a feature by which a train that has accepted the signal and the route will not be wrecked when the train director changes his mind at a bad time.

Here, a train is approaching the signal.  Under one safeguard, the route cannot be changed until the train has left the section under the train director's control.  It's not modelled here, but in practice, if a train director attempted to change the route, nothing would happen.  Again, giving a train director an instant override adds unnecessary complexity, and produces an unsafe condition.

Some signal systems give the train director the opportunity to take a signal away from a train at any time.  (The reasons for doing so get into complications not important for today's lesson.)  Because the alertness of the engineer, and the effectiveness of the brakes, not the signal, stops trains, here it's prudent to at least lock the switches (principle two) and the signals controlling conflicting routes (principle three) until the train losing its route is stopped.  Its momentum might carry it into the switches or across a conflicting route.  The lock can be released, but only after enough time has elapsed to allow for that train to stop.

A countdown timer is an expensive bit of showing off on a model railroad, where train stopping distances are short and we have to invest money in special momentum circuits to simulate the stopping distance of a real train.  But note: at lower left, the control switch is lined for the outward route, the signal is displaying STOP (red wire), there is a train approaching the signal, and the egg-timer is modelling the longest two minutes in the life of a train director, which is to say the time between when he changes his mind, locks up the interlocking, and when he's free to make the next set of moves.

Thus, again, giving the train director an instant override creates an unsafe condition.
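
The three principles and the timed release described above, written as a small software model. This is an added example, not the author's wiring or any railway's actual logic; the route names, the switch names S1 and S2, and the 120-second delay (taken from the two-minute egg timer) are assumptions. Note that the class offers no override method at all.

```python
class Interlocking:
    def __init__(self, routes, release_delay=120):
        self.routes = routes                # name -> {"switches", "conflicts"}
        self.release_delay = release_delay  # seconds a cancelled route stays locked
        self.switches = {}                  # switch name -> current position
        self.cleared = set()                # routes whose signal shows PROCEED
        self.locked_until = {}              # cancelled route -> lock release time

    def _locking_routes(self, now):
        return self.cleared | {r for r, t in self.locked_until.items() if now < t}

    def throw_switch(self, switch, position, now):
        # Principle 1: every signal over this switch must be at STOP.
        if any(switch in self.routes[r]["switches"] for r in self._locking_routes(now)):
            return False
        self.switches[switch] = position
        return True

    def clear_signal(self, route, now):
        spec = self.routes[route]
        # Principle 2: every switch in the route must be properly lined.
        if any(self.switches.get(s) != p for s, p in spec["switches"].items()):
            return False
        # Principle 3: no conflict with a route already cleared or still timing out.
        if self._locking_routes(now) & spec["conflicts"]:
            return False
        self.cleared.add(route)
        return True

    def cancel_signal(self, route, now, train_approaching):
        # The signal goes to STOP at once; with a train near, the locks outlast it.
        if route in self.cleared:
            self.cleared.discard(route)
            if train_approaching:
                self.locked_until[route] = now + self.release_delay

# Constructed layout: one single-track section with an entry signal at each end.
ROUTES = {"east_entry": {"switches": {"S1": "inward"}, "conflicts": {"west_entry"}},
          "west_entry": {"switches": {"S2": "main"}, "conflicts": {"east_entry"}}}
def demo():
    ix = Interlocking(ROUTES)
    ix.throw_switch("S1", "inward", now=0)
    ix.throw_switch("S2", "main", now=0)
    out = [ix.clear_signal("east_entry", now=0),      # cleared
           ix.clear_signal("west_entry", now=1),      # refused: principle 3
           ix.throw_switch("S1", "outward", now=2)]   # refused: principle 1
    ix.cancel_signal("east_entry", now=10, train_approaching=True)
    out += [ix.clear_signal("west_entry", now=60),    # refused: timer running
            ix.clear_signal("west_entry", now=131)]   # cleared after release
    return out
```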

What good does it do to use advanced technology to give train directors the ability to override protection that's provided with simple electric circuitry, as above, or with the right set of levers and mechanical interferences?
