Transit
A look at Metro's safety systems
Monday's Red Line crash is a horrible reminder that sometimes things go badly wrong. By all accounts, this collision should not have happened. Not only are safety features present, but the train operator should have been able to hit the emergency stop in case the system failed.
It's far too early to speculate on the cause of the collision at this time. However, those familiar with the system already suspect that something went wrong in Metro's signaling system that allowed these trains to approach and collide.
With that in mind, let's take a look at how Metro's safety systems are supposed to work.
Automatic Train Control
Metro trains operate within the confines of a system known as ATC – Automatic Train Control. The ATC system was designed to require a minimum of involvement from train operators. In the design phase of Metro this was intended to provide the safest, most efficient, and most comfortable operations possible – something it has largely achieved. Trains running in the Metro system can be operated automatically or manually by operators. Either way, they are subject to aspects of the ATC system.
In order to make ATC work, three subsystems are required.
- Automatic Train Protection (ATP) is the most important. In a nutshell, this system prevents two trains from occupying the same space at the same time. In addition to controlling interlockings (crossovers or switches), the ATP system maintains safe distances between trains and allows for safe stopping distances through speed regulation (including 0 speed, i.e. "stop"). Additionally, the ATP system prevents trains from exceeding the design speed of any given stretch of track. This speed is known as the Limiting Speed. Another feature of ATP keeps train doors from opening unless the train is properly berthed on the platform.
ATP operates whether the train is in manual or automatic mode. If a train exceeds the Limiting Speed for more than two seconds, an automatic brake application is made until the train is brought below the Regulating Speed.
- Automatic Train Supervision (ATS) keeps trains running on schedule and within certain performance parameters. This system is how the Operations Control Center modifies allowed train speeds and rates of acceleration. It also takes into account scheduled train departure and arrival times, and based on set parameters, increases or decreases train speeds and station dwell times automatically. This system sets the Regulated Speed, which can be modified by the Operations Control Center.
ATS only operates when the train is in automatic mode; however, the Regulated Speed set by ATS for each track segment applies as the maximum speed in both manual and automatic operation.
- Automatic Train Operation (ATO) unifies some of the above aspects of the ATC system, to allow the train to automatically adjust certain parameters. This subsystem can be turned off by WMATA and is not used in manual operation.
Train Speeds
Metro tracks don't have signals in the same way that older subways like New York's do. Visible wayside signals only exist at switches. They are capable of displaying three things to the operator: Stop, Clear, and Clear Diverging (take the switch). A "stop" indication is shown with two red lights, one over the other. This is displayed if the switches are not set, for tracks with trains approaching from the other direction, and when a train moving the same direction is still in the block controlled by the signal. A "clear" aspect is a solid lunar white light. This indicates that the operator may proceed straight through the switch. The "clear diverging" signal is indicated by a flashing lunar white light. This means that the switch is set for the "turning" route, and the train is clear to proceed.
In other sections of track, equipment along the trackway transmits the appropriate information from the ATC system to passing trains. In addition to the design or limiting speed on a given stretch of track, wayside equipment can reduce speeds for curves and to maintain train spacing.
In order to maintain train spacing, each segment of track is divided into fixed blocks. Whenever a train is in a block, its axles complete the circuit in the track. So long as that circuit is complete, the ATP system prevents other trains from entering. The ATC system is designed to keep a safe distance between trains. It communicates with the wayside devices and track circuits and transmits Regulated Speed commands to trains. The ATC system brings down the Regulated Speed as a following train approaches a preceding train, until at a point where the minimum safe stopping distance is reached, the speed is zero. As the preceding train moves further away, the following train's Regulated Speed would come up.
As noted above, the Regulating Speed is binding on automatic and manual operations. When operating properly, it automatically applies the brakes if that speed is exceeded for more than two seconds. However, the system can be overridden so that trains can approach each other or in case of an ATC failure. For instance, when a train is stranded and must be pushed to the next station, the following train must be able to enter the same block. Under these circumstances, trains are operated manually in a different "mode" which limits their speed to fifteen miles per hour. Trains must be stopped with a full brake application to change modes.
Ultimately, however, the train operator is the final failsafe. If the ATC system appears unable to stop a train in time, the operator can push the Emergency Stop, called the "Mushroom" because of its shape.
Brakes
The Washington Post is now reporting that the striking train was two months overdue for scheduled brake maintenance. A degradation of brake performance could have played a role in Monday's crash. In 1996, in Metro's first train collision, snow and ice compounded with a reset of the Regulated Speed resulted in a collision killing the operator of a train at Shady Grove.
The design of the ATC system, it was discovered, did not account for inclement weather. Because the train was allowed to achieve the Limiting Speed (in this case 75 miles per hour) on the stretch of track between Rockville and Shady Grove, when the train reached the outer station marker 2,700 feet from the center of the Shady Grove platform, even a full application of the brakes by ATC would not have stopped the train in time. This is because the ice reduced the coefficient of friction far below what the designers had considered. ATC blocks had been designed with a minimum braking deceleration of 1.65 mph/second in mind.
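The braking arithmetic behind the last two sections, worked through as an added example (not code from the original post or from WMATA): a simplified fixed-block model that picks a speed command for each block from the design braking rate, then re-checks those commands against a degraded rate. The 1.65 mph/second, 75 mph and 2,700 ft figures are the article's; the block lengths, the set of speed codes and the 1.0 mph/second degraded rate are constructed, and the two-second overspeed delay is ignored.

```python
# Added illustration: a simplified fixed-block model, not WMATA's ATC logic.
MPH_TO_FPS = 5280 / 3600            # 1 mph expressed in ft/s

# Figures taken from the article
DESIGN_DECEL = 1.65                 # mph/s, braking rate the blocks were designed around
LIMITING_SPEED = 75                 # mph, Rockville to Shady Grove
MARKER_DISTANCE = 2700              # ft, outer station marker to platform centre

# Constructed values (assumptions for this example only)
SPEED_CODES = (15, 25, 35, 45, 55, 65, 75)   # mph commands the wayside can send
BLOCKS_FT = [600] * 8                         # eight equal track blocks
DEGRADED_DECEL = 1.0                          # mph/s, e.g. reduced adhesion


def stopping_distance_ft(speed_mph, decel_mph_s):
    """Distance to brake to a stand at constant deceleration: v^2 / (2a)."""
    v = speed_mph * MPH_TO_FPS
    a = decel_mph_s * MPH_TO_FPS
    return v * v / (2 * a)


def required_decel_mph_s(speed_mph, distance_ft):
    """Smallest constant deceleration that stops a train within distance_ft."""
    v = speed_mph * MPH_TO_FPS
    return v * v / (2 * distance_ft) / MPH_TO_FPS


def room_ahead_ft(blocks_ft, occupied, i):
    """Feet from the entry of block i to the nearest occupied block ahead.

    Returns None when no block ahead of i is shown as occupied.
    """
    for j in range(i + 1, len(blocks_ft)):
        if occupied[j]:
            return sum(blocks_ft[i:j])
    return None


def speed_commands(blocks_ft, occupied, decel=DESIGN_DECEL):
    """Speed command for a train entering each block, travelling toward higher indices."""
    commands = []
    for i in range(len(blocks_ft)):
        if occupied[i]:
            commands.append(0)                 # never send a train into an occupied block
            continue
        room = room_ahead_ft(blocks_ft, occupied, i)
        if room is None:
            commands.append(LIMITING_SPEED)    # clear track: design speed applies
            continue
        fits = [c for c in SPEED_CODES if stopping_distance_ft(c, decel) <= room]
        commands.append(max(fits) if fits else 0)
    return commands


def unsafe_blocks(blocks_ft, occupied, commands, actual_decel):
    """Blocks whose command cannot be braked to zero in the room available."""
    bad = []
    for i, cmd in enumerate(commands):
        room = room_ahead_ft(blocks_ft, occupied, i)
        if cmd and room is not None and stopping_distance_ft(cmd, actual_decel) > room:
            bad.append(i)
    return bad


if __name__ == "__main__":
    occupied = [False] * 7 + [True]            # a stopped train in the last block
    cmds = speed_commands(BLOCKS_FT, occupied)
    print("commands (mph):", cmds)
    print("unsafe at design rate:", unsafe_blocks(BLOCKS_FT, occupied, cmds, DESIGN_DECEL))
    print("unsafe at degraded rate:", unsafe_blocks(BLOCKS_FT, occupied, cmds, DEGRADED_DECEL))
    print("75 mph stop at design rate (ft):", round(stopping_distance_ft(LIMITING_SPEED, DESIGN_DECEL)))
    print("rate needed to stop in 2,700 ft (mph/s):",
          round(required_decel_mph_s(LIMITING_SPEED, MARKER_DISTANCE), 3))
```

At the design rate a 75 mph train needs 2,500 ft, so the 2,700 ft in the Shady Grove account leaves about 200 ft of margin, and any braking rate below roughly 1.53 mph/second uses it up.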
In the National Transportation Safety Board (NTSB) report investigating the Shady Grove Incident, investigators noted that:
This accident occurred at a terminal station, but a similar accident could occur anywhere on the Metrorail system where conditions make a train deceleration rate of at least 1.65 mph/sec unachievable. If a train, because of an equipment malfunction or other reasons, were to come to a stop on the mainline, the ATC system would give any train following behind appropriate speed commands (including zero speed commands) to allow the train to stop in time to avoid a collision. But, as shown by this accident, on outdoor track under extreme weather conditions, the distance required to stop the following train may be significantly longer than the available track. During rush hour, with crowded trains, scores of people could be killed or seriously injured. (page 61)
However, the Red Line crash Monday evening took place under clear skies on a warm evening. It's far too early to suggest brake failure as the cause, but it is certainly a possibility. Another possibility is that the ATC system itself failed. This morning's Post referred to a June 2005 incident where three trains came close to colliding in the tunnel near Rosslyn. In this case, an emergency brake application by two operators prevented a crash. The Post reported that it was unclear if an investigation launched by Metro ever determined a cause.
Conclusions
It will likely be twelve to eighteen months before the NTSB report on Monday's collision is released. Some preliminary findings will probably be available in a few weeks. We may never know the exact cause, or we may discover that the crash was the result of a convergence of factors. The NTSB usually finds that collisions are preventable, and will make recommendations to keep an incident like this one from happening again. Their recommendations are just recommendations, however.
In the past, WMATA has followed some NTSB recommendations and not followed others. Two recommendations which they did not successfully complete include the installation of data recorders on all railcars and full retirement or reinforcement of the 1000 Series Railcars. They are currently taking a lot of heat for this, but in reality, they have had little choice in the matter.
The 1000 Series makes up about one-third of the Metro Fleet. Removing them from the tracks would mean major cutbacks in rail service. They're already scheduled for retirement when replaced by the new 7000 Series in a few years. And while data recorders would have made the NTSB investigation easier, they would probably not have prevented this crash. Perhaps this tragedy will serve as a wakeup call to everyone in the process. Metro is underfunded, and has been for years. Deferred maintenance is taking its toll, and is keeping railcars in service longer than they should be. Everyone, from the local jurisdictions to the federal government, should be willing to fund upgrades, especially considering that lives are at stake.
The information in this post was gathered from: Final Environmental Impact Statement (1975), p. 180 (document) / 76 (PDF) and NTSB Report on the Collision of WMATA Trains at Shady Grove, January 6, 1996.
Comments
by Froggie on Jun 24, 2009 8:27 am • link • report
Yes it was a choice, a very costly choice, 9 dead and millions in liability. I was wondering, why were they using 1000 series as the lead and tailing cars (1 and 2, 5 and 6 or 7 and 8)? If they were such a big safety risk in a collision, why not put them in the middle as the 3 and 4 car.
by RJ on Jun 24, 2009 8:36 am • link • report
I am most disturbed that the Post and the NYT reporting on this continues to focus on the NTSB recommendations to "reinforce" the series 1000 cars. How would having a reinforced car have prevented the accident? What, exactly, were the recommended reinforcements? Would they have saved any lives?
It seems to me that this is being used as an excuse to pile on Metro. Let's please focus on what CAUSED the crash and what could be done differently in the future to prevent another one, within reasonable standards of probability and seeking always to balance service with safety.
Also, let's not overlook the entirety of the NTSB statement yesterday about the emergency brakes being engaged. She also said that the crash itself or the rescue operations could have resulted in the button being depressed. I'm sure that Metro would like to show their operators not being negligent, but I think we have to remain open to that possibility.
by Josh on Jun 24, 2009 8:37 am • link • report
NTSB realizes that there are going to be accidents, so besides avoiding them, they look at ways to survive them. The reinforcement was recommended to increase survivable space inside the crash. The striking train only had 20 feet of survival space so any amount of reinforcement would have increased that amount.
Emergency Breaks.
Although the button is pushed, they did see evidence of "gluing" on the breaks. Gluing is a result of the break pad melting and fusing with the break rotor or disk. So there is some physical evidence to back it up.
by RJ on Jun 24, 2009 8:51 am • link • report
by JMS on Jun 24, 2009 9:03 am • link • report
Just to clarify: The data taken from the EIS is about the design of the ATC system.
The majority of the information in this post came from the NTSB Report of the Shady Grove Overrun in 1996. If you want to know exactly (and I mean several pages of exactly) how the ATC system works, follow the link at the bottom of the post (above) and check out: Page 5, Footnote 7 and Pages 16-23.
by Matt Johnson on Jun 24, 2009 9:29 am • link • report
Creating an entity like Metro that lacks a dedicated funding stream sets the stage for making "deal with the devil" decisions like not buying new, better rail cars quickly enough or not reinforcing older rail cars.... or exactly the decision that we all know WAS made: "We cannot withstand the heat of taking rail cars out of service for maintenance or replacement, so we'll push them to their Nth degree."
The real story that people need to read here is "Why was Metro put in a position to run these 1000 series cars when there were so many recommendations against it? How many times did our elected leaders fail to make the right decision? How many ways has the Metro system been hamstrung by forsaking efficiency and redundancy for economy and expediency?"
by Phil Lepanto on Jun 24, 2009 9:32 am • link • report
Someone could argue in court that the design of the 1000 series cars was faulty and that engineers should have realized this in 1974.
The horrific deaths in this wreck happened because of telescoping, a failure mode in which one car rides up over another, and the body of one or both cars is compressed inward from the end.
Telescoping is a well-understood problem. It came to the foreground 100 years ago, when a series of horrific crashes exposed the dangers of increasing train speeds coupled with weak wood-body cars. Mainline railroads adopted body designs that resist endwards crushing. Some subway and streetcar systems strengthened frames and also added "anticlimbers," structural features that prevent cars from rising up over each other. You can see anticlimbers sometimes - they're the beam that projects from the end of a car.
The NTSB report on the Woodley Park wreck noted that the Federal Railroad Administration enforces standards for passenger car crashworthiness, but that the FRA lacks the authority to regulate transit operators.
by David R. on Jun 24, 2009 9:35 am • link • report
by BeyondDC on Jun 24, 2009 9:50 am • link • report
from the first sentence of that WaPo article you linked to:
The operator of the Metro train that slammed into a stationary train in front of it apparently had activated the emergency brakes in a failed effort to stop before the accident...
by Peter Smith on Jun 24, 2009 9:53 am • link • report
by Froggie on Jun 24, 2009 10:07 am • link • report
http://www.washingtoncitypaper.com/blogs/citydesk/2009/06/22/old-questions-about-crashworthiness-of-metro-cars/
Basically, WMATA hired engineering consultants who said that retrofitting the cars wasn't realistic, might not solve the problem, and may make things worse. Therefore, retirement was the only realistic option - but couldn't be accomplished until replacement cars were available - the 7000 series, for which procurement is currently underway.
I'm curious as to conversations we've had earlier here. Sand Box John has noted that Metro has always been undersupplied in terms of rail cars relative to the length and ridership of the system. These recommendations and actions seem to reinforce yet another reason for that undersupply.
by Alex B. on Jun 24, 2009 10:39 am • link • report
RJ - what the heck is "survival space" and how does one know that there was only 20 feet of it in the 1000 series cars? In any case, is it reasonable to assume that more of it would have A) prevented the crash and B) saved lives or prevented injuries?
(BTW, b-r-a-k-e-s)
by Josh on Jun 24, 2009 12:02 pm • link • report
by ksu499 on Jun 24, 2009 12:22 pm • link • report
Survival space is basically "limitation of passenger's compartment deformation to avoid passenger crushing" or space where there is a reasonable chance of survival. The 20ft reference came from NTSB press conference yesterday. Believe the metro cars are 60ft long, which means if you were in the first 40 feet of the first car, you are most likely dead.
by RJ on Jun 24, 2009 1:01 pm • link • report
All Metro cars are *75* feet long. In this case, only people in the rear portion, roughly even with or behind the last set of doors, would have been in the survivable space.
by Matt Johnson on Jun 24, 2009 1:03 pm • link • report
Metro cars don't have 20 feet of survivable space. Survivable space is determined after an accident. Cars are supposed to have 75 feet of survivable space.
In the Shady Grove collision, the lead car only lost 21 feet, so the survival space was roughly 54 feet on that car.
At Woodley Park, the trailing car of the rollback train lost 34 feet of survival space. Meaning that there should have been 41 feet.
by Matt Johnson on Jun 24, 2009 1:13 pm • link • report
I don't think you're paying much attention.
Your comment about blaming the riders as opposed to Metro is just insane. If Metro is going to provide a service, then they should be able to accommodate the demand for it without compromising safety.
NTSB is the one reporting that the first striking car ended up with only 20 feet of "survival space" AFTER the collision. NTSB recommended reinforcement as an ALTERNATIVE to retiring the aged cars. So if an accident did happen, at least there would be a better chance at people not being hurt or killed.
NO ONE is losing focus on what CAUSED the crash. They are working on the investigation at this very moment.
Yes, the "mushroom" could have been depressed as a result of the accident. But pair that with the appearance of the brakes being applied, common sense would tell you that it seems most likely that the operator tried to engage the brakes herself.
However, for those doubters out there... Be assured in that her mobile phone records have been subpoenaed and they will be looking into whether or not she was on the phone at the time of the accident.
by Danny on Jun 24, 2009 1:35 pm • link • report
The NTSB investigatory board criticized WMATA in 2004, and after the Shady Grove wreck in 1996, in terms that are about as strong as the NTSB ever gets. But Metro and Breda should have known before. There is no excuse for designing a passenger rail car that is vulnerable to telescoping, not in the late 20th century.
Part of this comes about because subways are regulated by the Federal Transit Administration instead of the Federal Railway Administration. The top speeds on Metro exceed those of many heavy rail lines - why should FTA govern safety standards?
by David R. on Jun 24, 2009 2:06 pm • link • report
It's my understanding that multiple-unit rapid transit systems (or, for that matter, high-speed rail systems) couldn't exist under the current strict FRA rules, which are centered around strengthening and increasing the mass of forward-facing locomotives until they can ram through any stationary obstacle (like a truck stuck on a grade crossing) without the trailing passenger cars experiencing much of a shock or derailing.
This isn't such a bad idea for locomotive-based freight which can't stop in time for an obstacle within visual range in the grade-crossing-heavy US. It is a horrible idea for passenger rail that has engines at both ends (telescope, meet sandwich); it makes multiple-unit and high-performance designs nearly unworkable. Grade-separated or passenger-only operation removes any benefits it had in collision with stationary objects - because other passenger cars are the only thing a locomotive has to ram.
I am firmly in favor of keeping transit under the regulation of the FTA until the FRA can drop their obsession with jousting and embrace things like safer derailing, multiple unit operation, collision avoidance, and deliberate crumple zones.
by Squalish on Jun 24, 2009 4:20 pm • link • report
by Alex B. on Jun 24, 2009 4:39 pm • link • report
and caused this accident. The AF track circuit was not detecting the first train. The room track relay did not drop
They should switch to a General Railway Signal track circuit
by jim jacobs on Jun 24, 2009 5:43 pm • link • report
We know how to make passenger cars that don't get crushed; FRA requires one set of standards that produces this result, while FTA does not, and rolling stock built to its standards gets crushed even in collisions with trains of similar weight and design. If I remember correctly, FTA doesn't regulate crashworthiness at all. Surely there's a necessary middle ground?
The European high speed trains, all of them, put "locomotives" on the ends. On some of the permanently coupled sets, the power units go in the middle of the train, but the end units contain only switchgear/baggage/cabs, just so that there are no passengers in the most exposed position. Keeping passengers away from the ends may not be an option for subways, but European designers do recognize its importance for high-speed trains.
by David R. on Jun 24, 2009 6:05 pm • link • report
by JMS on Jun 24, 2009 10:27 pm • link • report
Obviously, there was a system failure but what's the root?
Mechanical, human, or malicious or a combination of all three.
These systems are highly automated, computerized and not immune to hacks. Computer security is extraordinarily complex and I suspect it may take them weeks to figure if the system was breached.
by kob on Jun 24, 2009 10:45 pm • link • report
You seem to fail to realize that having safety devices in place doesn't always prevent accidents -- that's not why they're all there. Some safety features are in place for when the inevitable happens:
So, in my opinion, your repeated question of "Would it have prevented an accident?" is a bit misplaced. Just because a safety feature wouldn't have prevented the Red Line crash doesn't mean it shouldn't be there.
by Dustin on Jun 24, 2009 11:48 pm • link • report
The Washington Post also has several pieces taking the opportunity to turn this wreck into an argument for more funding.
Metro has struck and killed multiple track workers in the past several years. A report on one of these preventable outrages detailed how multiple safety procedures were ignored prior to the incident.
I agree that transit systems need funding. Only money can buy rail cars, fuel, and staff time. However, something is seriously wrong with the safety culture in an agency where multiple workers are struck and killed in just a few months. No pile of money, no matter how big, is going to fix this shockingly lackadaisical attitude toward safety at Metro.
by Omari on Jun 25, 2009 7:32 am • link • report
Regular fare increases. Dedicated funding. Significantly increased yearly jurisdictional funding.
That's right- riders will have to pay more, but in addition to that AND the new dedicated funding, our local jurisdictions are going to have to pony up big time. That means that you will need to start now giving your elected officials the political cover without which they will not likely act to raise your taxes for the purpose of providing Metro with the money it desperately needs.
Ain't a whole lot to that...
by KevinM on Jun 25, 2009 8:11 am • link • report
by Froggie on Jun 25, 2009 9:55 am • link • report
On the question of the Metro Train Operator activating the emergency brake, take a look at this blog by a regular Red-Line rider.
http://www.farmfreshmeat.com/2009/06/could-operator-have-seen-train.html
The analysis of the topography and sight obstructions, along with my rough kinematic analysis, shows that the T/O did not have a chance in hell. Not enough range of sight - if she activated the brake as soon as she saw the train ahead, she still would have hit it. A second or two delay in response time (normal) - then the hit occurs at high speed.
The bottom line is that these Robo-trains are unsafe. Human operated trains are safer (and cheaper), but the bosses' drive to automate conquers all - the riders must beware. NYCT bosses are slobbering, trying to put ATO in effect in NYC - there already have been a number of mishaps on the L-line (right now the only ATO line), which management has been covering up.
SamR
by SamR on Jun 25, 2009 12:12 pm • link • report
by цarьchitect on Jun 25, 2009 12:30 pm • link • report
That's never supposed to happen. Metro has classic relay-based General Railway Signal track circuits, century-old technology that's still in use because it works.
(Of course, there's the cadmium-plated screw problem with GRS type B1 relays (see FRA safety bulletin 2000-1), but Metro supposedly replaced all of those years ago.)
by John Nagle on Jun 26, 2009 12:08 am • link • report
Likely they failed to test their track circuits. Track circuits are supposed to "fail safe"; any failure is supposed to bring up all-red-lights.
Whatever "failed unsafe" in the track circuit system is the primary cause of the disaster. The classic way to force such a disaster is to electrically link one track circuit with another; this was done in a famous sabotage case using electrical wire and clips (that case was discovered before a train went over it). This also foils broken-rail detection, which the track circuit is also supposed to identify.
It is *possible* that such an electrical linkage could have happened accidentally, but very hard, and it would involve lots of metal debris on the tracks, which shouldn't be happening anyway.
If that's not what happened, then the next most likely cause is electronics or signal system failure -- but in failsafe systems like track circuits, these are *also* supposed to be fail-safe.
by Nathanael on Jun 26, 2009 1:02 pm • link • report
The primary question to ask is not "why didn't WMATA replace/reinforce" the 1000 series cars. The primary question to ask is "what went wrong with the ATC system."
We need to focus on accident *prevention*. Would you rather be in a train crash in a reinforced car, or no train crash at all?
The Japanese Shinkansen is the safest high-speed rail system in the world. No one has ever died on board a Shinkansen in over 40 years of operation. But Shinkansens aren't "reinforced."
Shinkansens are EMUs, or Electric Multiple Unit. That means every car powers itself, just like a Metro train. Some passenger seats are located less than 30 feet from the front of the train. Look at this image and note how close the windows are. In even a moderate-speed collision, many of these people would die. Yet they don't. Why is this?
The answer is that the Shinkansen's tracks, signaling, and safety systems are impeccably maintained. They work. And it's the safest rail system in the world.
The "accidents will happen" approach taken by the FRA is an outgrowth of the sheer size of the US freight rail network, and the expense of upgrading vast swaths of rural single-track line to modern signal systems. It has no relevance to an urban commuter system like WMATA. The DC Metro is a heavily-used, well-defined route network, and all of the electronics should work flawlessly.
The fact that this accident happened at all shows that the electronics did not work properly. That is the problem.
by Abram VanElswyk on Jun 26, 2009 6:46 pm • link • report
by Stan on Feb 19, 2010 8:01 pm • link • report