Wednesday, June 24, 2009

A Look At Metro's Safety Systems

Crossposted at Greater Greater Washington

Yesterday’s Red Line crash is a horrible reminder that sometimes things go badly wrong. By all accounts, this accident should not have happened. Not only are safety features present, but the train operator should have been able to hit the emergency stop in case the system failed.

It’s far too early to speculate on the cause of the collision at this time. However, those familiar with the system already suspect that something went wrong in Metro’s signaling system that allowed these trains to approach and collide.

With that in mind, let’s take a look at how Metro’s safety systems are supposed to work.

Automatic Train Control
Metro trains operate within the confines of a system known as ATC – Automatic Train Control. The ATC system was designed to allow for minimal involvement from train operators. In the design phase of Metro this was intended to provide the safest, most efficient, and most comfortable operations possible – something it has largely achieved. Trains running in the Metro system can be operated automatically or manually by operators. Either way, they are subject to aspects of the ATC system.

In order to make ATC work, three subsystems are required.

Automatic Train Protection (ATP) is the most important. In a nutshell, this system prevents two trains from occupying the same space at the same time. In addition to controlling interlockings (crossovers or switches), the ATP system maintains safe distances between trains and allows for safe stopping distances through speed regulation (including 0 speed, e.g. “stop”). Additionally, the ATP system prevents trains from exceeding the design speed of any given stretch of track. This speed is known as the Limiting Speed. Another feature of ATP keeps train doors from opening unless the train is properly berthed on the platform.

ATP operates whether the train is in manual or automatic mode. If a train exceeds the Limiting Speed for more than two seconds, an automatic brake application is made until the train is brought below the Regulated Speed.

Automatic Train Supervision (ATS) keeps trains running on schedule and within certain performance parameters. This system is how the Operations Control Center modifies allowed train speeds and rates of acceleration. It also takes into account scheduled train departure and arrival times, and based on set parameters, increases or decreases train speeds and station dwell times automatically. This system sets the Regulated Speed, which can be modified by the Operations Control Center.

ATS only operates when the train is in automatic mode; however, the Regulated Speed set by ATS for each track segment applies as the maximum speed in both manual and automatic operation.

Automatic Train Operation (ATO) unifies some of the above aspects of the ATC system, to allow the train to automatically adjust certain parameters. This subsystem can be turned off by WMATA and is not used in manual operation.

Train Speeds
Metro tracks don’t have signals in the same way that older subways like New York’s do. Visible wayside signals only exist at switches. They are capable of displaying three things to the operator: Stop, Clear, and Clear Diverging (take the switch). A “stop” indication is shown with two red lights, one over the other. This is displayed if the switches are not set, for tracks with trains approaching from the other direction, and when a train moving the same direction is still in the block controlled by the signal. A “clear” aspect is a solid lunar white light. This indicates that the operator may proceed straight through the switch. The “clear diverging” signal is indicated by a flashing lunar white light. This means that the switch is set for the “turning” route, and the train is clear to proceed.

In other sections of track, equipment along the trackway transmits the appropriate information from the ATC system to passing trains. In addition to the design or limiting speed on a given stretch of track, wayside equipment can reduce speeds for curves and to maintain train spacing.

In order to maintain train spacing, each segment of track is divided into fixed blocks. Whenever a train is in a block, its axles complete the circuit in the track. So long as that circuit is complete, the ATP system prevents other trains from entering. The ATC system is designed to keep a safe distance between trains. It communicates with the wayside devices and track circuits and transmits Regulated Speed commands to trains. The ATC system brings down the Regulated Speed as a following train approaches a preceding train until, at the point where the minimum safe stopping distance is reached, the speed is zero. As the preceding train moves further away, the following train’s Regulated Speed would come up.

As noted above, the Regulated Speed is binding on automatic and manual operations. When operating properly, the system automatically applies the brakes if that speed is exceeded for more than two seconds. However, the system can be overridden so that trains can approach each other or in case of an ATC failure. For instance, when a train is stranded and must be pushed to the next station, the following train must be able to enter the same block. Under these circumstances, trains are operated manually in a different “mode” which limits their speed to fifteen miles per hour. Trains must be stopped with a full brake application to change modes.

Ultimately, however, the train operator is the final failsafe. If the ATC system appears unable to stop a train in time, the operator can push the Emergency Stop, called the “Mushroom” because of its shape.

The Washington Post is now reporting that the striking train was two months overdue for scheduled brake maintenance. A degradation of brake performance could have played a role in yesterday’s accident. In 1996, in Metro’s first train collision, snow and ice, compounded by a reset of the Regulated Speed, resulted in a collision that killed the operator of a train at Shady Grove.

The design of the ATC system, it was discovered, did not account for inclement weather. Because the train was allowed to achieve the Limiting Speed (in this case 75 miles per hour) on the stretch of track between Rockville and Shady Grove, when the train reached the outer station marker 2,700 feet from the center of the Shady Grove platform, even a full application of the brakes by ATC would not have stopped the train in time. This is because the ice reduced the coefficient of friction far below what the designers had considered. ATC blocks had been designed with a minimum braking deceleration of 1.65 mph/second in mind.

In the National Transportation Safety Board (NTSB) report investigating the Shady Grove Incident, investigators noted that:
This accident occurred at a terminal station, but a similar accident could occur anywhere on the Metrorail system where conditions make a train deceleration rate of at least 1.65 mph/sec unachievable. If a train, because of an equipment malfunction or other reasons, were to come to a stop on the mainline, the ATC system would give any train following behind appropriate speed commands (including zero speed commands) to allow the train to stop in time to avoid a collision. But, as shown by this accident, on outdoor track under extreme weather conditions, the distance required to stop the following train may be significantly longer than the available track. During rush hour, with crowded trains, scores of people could be killed or seriously injured. (page 61)
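
The margin implied by the figures above (75 mph, 2,700 feet, 1.65 mph/second), as an added example that is not part of the original post or the NTSB report. It assumes constant deceleration on level track with no brake build-up delay, and the 1.5 and 1.0 mph/second rates are constructed values, not measurements from the accident.

```python
"""Added example: stopping-distance margin for a speed command sized to a design braking rate."""
import math

MPH_TO_FPS = 5280 / 3600      # 1 mph in feet per second

DESIGN_DECEL_MPHPS = 1.65     # minimum braking rate the ATC blocks were designed around (from the post)
LIMITING_SPEED_MPH = 75       # Rockville to Shady Grove limiting speed (from the post)
MARKER_DISTANCE_FT = 2700     # outer station marker to platform center (from the post)


def stopping_distance_ft(speed_mph, decel_mphps):
    """Distance needed to stop from speed_mph at a constant deceleration: v^2 / (2a)."""
    if decel_mphps <= 0:
        raise ValueError("deceleration must be positive")
    v = speed_mph * MPH_TO_FPS
    a = decel_mphps * MPH_TO_FPS
    return v * v / (2 * a)


def min_decel_mphps(speed_mph, distance_ft):
    """Smallest constant deceleration that still stops the train within distance_ft."""
    v = speed_mph * MPH_TO_FPS
    return v * v / (2 * distance_ft) / MPH_TO_FPS


def max_safe_speed_mph(distance_ft, decel_mphps):
    """Highest entry speed from which a train can stop within distance_ft."""
    a = decel_mphps * MPH_TO_FPS
    return math.sqrt(2 * a * distance_ft) / MPH_TO_FPS


def margin_report(speed_mph, distance_ft, decel_rates):
    """Rows of (rate, stopping distance, overrun) in feet; overrun > 0 means no stop in time."""
    rows = []
    for rate in decel_rates:
        needed = stopping_distance_ft(speed_mph, rate)
        rows.append((rate, round(needed), round(needed - distance_ft)))
    return rows


if __name__ == "__main__":
    # 1.65 is the design rate; 1.5 and 1.0 are constructed degraded-adhesion rates.
    for rate, needed, overrun in margin_report(
            LIMITING_SPEED_MPH, MARKER_DISTANCE_FT, [DESIGN_DECEL_MPHPS, 1.5, 1.0]):
        verdict = "stops short" if overrun <= 0 else "overruns"
        print(f"{rate:.2f} mph/s: needs {needed} ft, {verdict} by {abs(overrun)} ft")
    print(f"minimum rate needed: {min_decel_mphps(75, 2700):.3f} mph/s")
```

Under these assumptions the design rate stops the train in 2,500 feet, only 200 feet inside the marker distance, so any achieved rate below about 1.53 mph/second produces an overrun.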

However, the Red Line accident yesterday evening took place under clear skies on a warm evening. It’s far too early to suggest brake failure as the cause, but it is certainly a possibility. Another possibility is that the ATC system itself failed. This morning’s Post referred to a June 2005 incident where three trains came close to colliding in the tunnel near Rosslyn. In this case, an emergency brake application by two operators prevented a crash. The Post reported that it was unclear if an investigation launched by Metro ever determined a cause.

It will likely be twelve to eighteen months before the NTSB report on yesterday’s collision is released. Some preliminary findings will probably be available in a few weeks. We may never know the exact cause, or we may discover that the accident was the result of a convergence of factors. The NTSB usually finds that accidents are preventable, and will make recommendations to keep an accident like this one from happening again. Their recommendations are just recommendations, however.

In the past, WMATA has followed some NTSB recommendations and not followed others. Two recommendations which they did not successfully complete include the installation of data recorders on all railcars and full retirement or reinforcement of the 1000 Series Railcars. They are currently taking a lot of heat for this, but in reality, they have had little choice in the matter.

The 1000 Series makes up about one-third of the Metro Fleet. Removing them from the tracks would mean major cutbacks in rail service. They’re already scheduled for retirement when replaced by the new 7000 Series in a few years. And while data recorders would have made the NTSB investigation easier, they would probably not have prevented this crash. Perhaps this tragedy will serve as a wakeup call to everyone in the process. Metro is underfunded, and has been for years. Deferred maintenance is taking its toll, and is keeping railcars in service longer than they should be. Everyone, from the local jurisdictions to the federal government, should be willing to fund upgrades, especially considering that lives are at stake.

The information in this post was gathered from:
Data from: Final Environmental Impact Statement (1975), Page 18o (document)/76 (pdf)
available at:


NTSB Report on the Collision of WMATA Trains at Shady Grove, January 6, 1996
available at:
