Chinese Train Collision

On Saturday, 23 July, a high-speed train lost power and either slowed down or stalled, and a second train rear-ended it, in or near the city of Wenzhou, in Zhejiang province, the Independent newspaper reports.

The lost power was said to be due to a lightning strike.

The collision took place on a viaduct, and four cars of the moving train fell from it, a drop of some 20-30 meters. Some 30-40 people are reported to have died.

It is important to keep things straight. Electric railways have been affected by lightning before, and a train losing power is a foreseen event which the signalling is required to cope with. The view of experienced rail safety people is accordingly rather different from the press reports. Here is David Tombs, one of the safety engineers of Queensland Rail, in a message to the York safety-critical systems mailing list:


News sites are emphasising the loss of power on the first train, but that by itself should not lead to a collision. To allow a second train onto the same piece of track, there has been a clear and tragic breach of safeworking.

Exactly.

“Safeworking” is based on the block principle. The track is divided into logical blocks, to which access is controlled (by some form of signalling, or by remote control). At most one train is to be in any one block at any given time, unless all trains in the block are operating under “stop-on-sight” rules, that is, at a speed from which the driver can stop short of any obstruction he can see. This safeworking principle (rather: set of principles) has evolved over well over a century and is enshrined in the operation of every multiple-train railway line on earth. High-speed lines usually use some form of continuous sensing of train position together with in-cab signalling: the train is signalled, and may even be controlled remotely, by a controller who knows exactly where the train is and at what speed it is travelling.

Trains travelling at high speed need kilometers to slow down and stop, and blocks are correspondingly long. That means that dispatch intervals between successive trains on the same line are correspondingly long, which limits the capacity of the track. People have thus been attracted to the idea of “moving blocks”, whereby the exclusion area moves with the train and is no longer geographically fixed. But this is an idea, and is by no means technically mature. Rail people are understandably reluctant to give up the fixed-block system, which has proved its worth over more than a century. Further explanation of moving-block technology can be found at http://www.railway-technical.com/sigtxt3.shtml.
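The block principle and the capacity trade-off described in the two paragraphs above, carried through as an added illustration in Python. This is not code from the original post and does not model any real signalling product or the system involved in the accident; it is a toy fixed-block line with trackside occupancy detection. The 300 km/h line speed, the 0.5 m/s² service braking rate, the 200 m train length, the 500 m moving-block safety margin, and the train and block identifiers are all assumed figures chosen for the illustration.

```python
import math
from dataclasses import dataclass, field

# Constructed figures for the illustration (assumptions, not data from the post).
LINE_SPEED_KMH = 300.0
SERVICE_BRAKING_MS2 = 0.5      # assumed service braking deceleration
TRAIN_LENGTH_M = 200.0
MOVING_BLOCK_MARGIN_M = 500.0  # assumed safety margin behind the leader's tail


def braking_distance_m(speed_kmh, decel_ms2):
    """Stopping distance from speed_kmh at constant deceleration decel_ms2, in metres."""
    v = speed_kmh / 3.6
    return v * v / (2.0 * decel_ms2)


# A fixed block must be at least a braking distance long so that a train passing
# a CAUTION aspect at line speed can stop at the next signal; round up to 100 m.
BLOCK_LENGTH_M = math.ceil(braking_distance_m(LINE_SPEED_KMH, SERVICE_BRAKING_MS2) / 100.0) * 100.0


@dataclass
class FixedBlockLine:
    """Toy fixed-block line: blocks 0..n_blocks-1 in the direction of travel.

    Occupancy comes from trackside detection (track circuit / axle counter style),
    so a train that has lost power still holds its block.
    """
    n_blocks: int
    block_length_m: float
    occupied: dict = field(default_factory=dict)   # block index -> train id

    def enter(self, train, block):
        self.occupied[block] = train

    def leave(self, train, block):
        if self.occupied.get(block) == train:
            del self.occupied[block]

    def authority(self, train, at_block, stop_on_sight=False):
        """Aspect shown to `train` standing in `at_block` (three-aspect signalling).

        STOP       next block occupied by another train (or end of line)
        RESTRICTED same, but stop-on-sight working is in force for that block
        CAUTION    next block free, the one after it occupied: be ready to stop
        CLEAR      the two blocks ahead are free
        """
        nxt, after = at_block + 1, at_block + 2
        if nxt >= self.n_blocks:
            return "STOP"
        if self.occupied.get(nxt) not in (None, train):
            return "RESTRICTED" if stop_on_sight else "STOP"
        if after < self.n_blocks and self.occupied.get(after) not in (None, train):
            return "CAUTION"
        return "CLEAR"


def stalled_leader_scenario():
    """Leader 'A' loses power in block 5; detection still reports it there.
    Returns the aspect follower 'B' sees from blocks 2, 3 and 4 (constructed case)."""
    line = FixedBlockLine(n_blocks=10, block_length_m=BLOCK_LENGTH_M)
    line.enter("A", 5)
    return {b: line.authority("B", b) for b in (2, 3, 4)}


def fixed_block_headway_s(speed_kmh, block_length_m, train_length_m):
    """Minimum headway under fixed blocks: the follower only sees CLEAR while the
    two blocks ahead are free, so the leader's tail must be about two blocks ahead."""
    v = speed_kmh / 3.6
    return (2.0 * block_length_m + train_length_m) / v


def moving_block_headway_s(speed_kmh, decel_ms2, margin_m, train_length_m):
    """Minimum headway under moving block: separation is braking distance plus margin."""
    v = speed_kmh / 3.6
    return (braking_distance_m(speed_kmh, decel_ms2) + margin_m + train_length_m) / v


if __name__ == "__main__":
    print("block length (m):", BLOCK_LENGTH_M)
    print("aspects seen by follower:", stalled_leader_scenario())
    print("fixed-block headway (s):  %.0f" % fixed_block_headway_s(
        LINE_SPEED_KMH, BLOCK_LENGTH_M, TRAIN_LENGTH_M))
    print("moving-block headway (s): %.0f" % moving_block_headway_s(
        LINE_SPEED_KMH, SERVICE_BRAKING_MS2, MOVING_BLOCK_MARGIN_M, TRAIN_LENGTH_M))
```

The point of the scenario is that the leader's loss of power plays no part in the authority given to the follower: the block stays occupied because occupancy is detected by the track, not reported by the train, and the follower is held at STOP one block back and at CAUTION two blocks back. The headway figures show why the fixed-block length, tied to braking distance, costs capacity (around 170 s between trains here against around 90 s under the moving-block assumptions), which is the attraction of moving block the paragraph describes.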

James Schapel has identified the signalling-system provider, HollySys, in another message to the York list.


HollySys claim to be one of only five automation control systems and products providers approved by China’s Ministry of Railways in the 200km to 250km high-speed rail segment, and one of only two automation control systems and products providers approved in the 300km to 350km high-speed rail segment:

http://www.hollysys.com.sg/home/index.php/about-us

HollySys also claim that their Automatic Train Protection (ATP) has been certified to Safety Integrity Level (SIL) 4 according to the European Committee for Electrotechnical Standardization (CENELEC) standards:

http://www.hollysys.com.sg/home/index.php/investor-relations/press-releases/522-october-27-2009-hollysys-automation-announces-its-proprietary-high-speed-rail-atp-product-certified-by-european-safety-standard

This claim, that such-and-such a system has been “certified to SIL X” according to some standard which uses Safety Integrity Levels (SILs), is becoming more prevalent amongst suppliers of safety-critical technologies. It is well to inquire what it is supposed to mean.

The Safety Integrity Levels of the applicable CENELEC rail standards (EN 50126, EN 50128 and EN 50129, which follow IEC 61508) are defined by a permissible average rate of dangerous failures of the safety function. A SIL 4 system in continuous operation is allowed a dangerous failure rate of less than 10^-8 per hour (the SIL 4 band runs from 10^-9 to 10^-8 per hour), that is, it may fail dangerously on average only once every hundred million to billion operating hours.

Taken literally, the claim of “certification to SIL 4” can only mean that some overseer organisation (an independent safety assessor) has checked the arguments that the system fails dangerously on average at most once every hundred million to billion operating hours, and has said it thinks those arguments are good.

One should be extremely suspicious of any such assertion. Most arguments I and others have seen for such extreme levels of safety-function reliability are inadequate. A rate of one dangerous failure in a hundred million hours cannot be demonstrated by testing or operating experience (10^8 hours is more than eleven thousand years of a single system's operation), so the figure rests entirely on the quality of the argument.

In particular, if the collision was indeed the result of a dangerous failure of the signalling, as the reports indicate, then the accident, which has occurred well within a few million hours of operation (recall that there are only about 8,760 hours in a year), is empirical evidence that the system very likely has a dangerous failure rate much higher than that. Under the SIL 4 claim, at least one dangerous failure within a few million hours would be an event with a probability of at most a few per cent.
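The argument of the preceding paragraphs, carried through numerically as an added example in Python that is not part of the original post. It models dangerous failures as a Poisson process, asks how probable one or more failures in the exposure would be if the SIL 4 claim were true, and computes the one-sided lower confidence bound on the failure rate that a single observed failure supports. The exposure of three million operating hours is an assumed figure standing in for “a few million hours”; it should be read as the accumulated hours of all installations of the system, which the post does not give. The example also takes the post's premise that the collision involved exactly one dangerous failure of the signalling system.

```python
import math

# Continuous / high-demand mode SIL bands, dangerous failures per hour, as
# [lower, upper) for each level (IEC 61508 and the CENELEC rail standards).
SIL_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_for_rate(rate_per_hour):
    """Highest SIL whose rate ceiling the given rate meets; 0 if worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if rate_per_hour < SIL_BANDS[sil][1]:
            return sil
    return 0


def p_at_least_one(rate_per_hour, exposure_hours):
    """P(at least one dangerous failure) over the exposure, modelling dangerous
    failures as a Poisson process with constant rate.  `exposure_hours` is the
    accumulated operating time of all installations, not calendar time."""
    return 1.0 - math.exp(-rate_per_hour * exposure_hours)


def lower_bound_rate_one_failure(exposure_hours, confidence=0.95):
    """One-sided lower confidence bound on the rate after exactly one observed
    failure: the smallest rate under which seeing >= 1 failure is not a
    (1 - confidence) tail event.  For k = 1 the Poisson bound has the closed
    form -ln(confidence) / T (the same as chi-square_{1-confidence, 2 d.f.} / 2T)."""
    return -math.log(confidence) / exposure_hours


def even_odds_rate(exposure_hours):
    """Rate at which >= 1 failure in the exposure is a coin flip: ln 2 / T."""
    return math.log(2.0) / exposure_hours


def assess_sil_claim(claimed_sil, exposure_hours, confidence=0.95):
    """Confront a SIL claim with one observed dangerous failure in the exposure."""
    lo, hi = SIL_BANDS[claimed_sil]
    lb = lower_bound_rate_one_failure(exposure_hours, confidence)
    return {
        "p_observation_if_claim_true_best": p_at_least_one(lo, exposure_hours),
        "p_observation_if_claim_true_worst": p_at_least_one(hi, exposure_hours),
        "rate_lower_bound": lb,
        "sil_of_lower_bound": sil_for_rate(lb),
        "sil_of_even_odds_rate": sil_for_rate(even_odds_rate(exposure_hours)),
        # The claim survives at this confidence only if the lower bound on the
        # rate still lies below the ceiling of the claimed band.
        "claim_survives_at_confidence": lb < hi,
    }


if __name__ == "__main__":
    EXPOSURE_HOURS = 3e6   # assumed: "a few million hours" of accumulated operation
    for conf in (0.90, 0.95, 0.99):
        r = assess_sil_claim(4, EXPOSURE_HOURS, conf)
        print("confidence %.2f: rate lower bound %.2e /h (SIL %d), claim survives: %s"
              % (conf, r["rate_lower_bound"], r["sil_of_lower_bound"],
                 r["claim_survives_at_confidence"]))
    r = assess_sil_claim(4, EXPOSURE_HOURS)
    print("P(>=1 dangerous failure in %.0e h | SIL 4 claim true): %.3f to %.3f"
          % (EXPOSURE_HOURS, r["p_observation_if_claim_true_best"],
             r["p_observation_if_claim_true_worst"]))
```

With the assumed exposure, the observation would have had a probability of between 0.3 and 3 per cent if the SIL 4 claim were true; the 95 per cent lower bound on the rate (about 1.7 x 10^-8 per hour) already lies in the SIL 3 band, and the rate at which the observation is a coin flip (about 2.3 x 10^-7 per hour) lies in the SIL 2 band. The claim survives only at the 99 per cent level, which is the sense in which a single accident is strong but not conclusive evidence: a practitioner should plug in the real fleet exposure and the real count of dangerous failures before drawing a firmer conclusion.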
