Fail-Safe Design

A quick lunch-hour observation…

Quincy Adams at The RBC is absolutely right that the control system for Metro trains, as described in the Washington Post, contains a fundamental design flaw.  I’d argue, however, that an effective solution can be designed that is far simpler than Quincy’s suggestion.  In fact, the system could have been designed far more safely, without requiring technologies that weren’t available when the system was built (such as GPS or most other positive-location technologies).  All that was necessary was that the system be designed according to a fail-safe philosophy.

Quite simply, a fail-safe design requires that the default action of the system be the one that results in least harm.  An example can be found on high-speed trains in Europe: if the operator removes his foot from a sensor on the floor for more than a specified amount of time, an alarm is sounded and he’s given a few seconds to tell the system that he’s still alive by pressing a button.  If he doesn’t, the train stops itself.  In fact, almost all trains already have fail-safe systems in parts of their design, such as their pneumatic brakes, which are forced off by the application of air pressure (which compresses springs that apply constant force towards the brake rotor) and are applied when pressure is removed, so that in the event of a pneumatic failure, the train automatically comes to a stop.

The specific idea underlying both of the previous examples is pretty clear: the safest default action for a train (as opposed to, say, an airplane) is usually “stop immediately”, not “full speed ahead”.  In the case of the Metro train system, sensors should be designed to send a positive signal when a train is not present.  Under such a design, two desirable outcomes occur: a sensor failure cannot result in a collision (it instead results in train stoppages requiring manual operation to bypass), and the failure is immediately brought to system operators’ attention.
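To make the two sensor conventions concrete, here is an added example that is not from the original post and does not model any real Metro or European train equipment: a small Python model of the block-occupancy policy from the paragraph above (silence-means-clear versus a positively asserted “clear”), together with the two-stage dead-man’s switch described earlier. The sensor states, the timer values (a 5 s warning and a 3 s grace period) and the outcome strings are all constructed for illustration.

```python
"""Fail-safe vs. fail-deadly interlocking logic (constructed illustration)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Sensor(Enum):
    """What the interlocking actually receives from one block sensor."""
    ASSERT_CLEAR = "clear"        # sensor actively reports "no train here"
    ASSERT_OCCUPIED = "occupied"  # sensor actively reports "train here"
    NO_SIGNAL = "silent"          # dead sensor, cut wire, lost power


class Command(Enum):
    PROCEED = "proceed"
    STOP = "stop"


@dataclass(frozen=True)
class Decision:
    command: Command
    alert: Optional[str]  # None when nothing needs the operators' attention


def fail_deadly_policy(reading: Sensor) -> Decision:
    """Only an asserted 'occupied' stops a train; a silent sensor looks like clear track."""
    if reading is Sensor.ASSERT_OCCUPIED:
        return Decision(Command.STOP, None)
    return Decision(Command.PROCEED, None)


def fail_safe_policy(reading: Sensor) -> Decision:
    """Only a positively asserted 'clear' permits movement.  Anything else stops
    the train, and a missing signal also raises an alert, so the failure is noisy."""
    if reading is Sensor.ASSERT_CLEAR:
        return Decision(Command.PROCEED, None)
    if reading is Sensor.ASSERT_OCCUPIED:
        return Decision(Command.STOP, None)
    return Decision(Command.STOP, "block sensor gave no signal; manual bypass required")


def simulate(policy: Callable[[Sensor], Decision],
             actual_occupied: bool, sensor_failed: bool) -> str:
    """Physical outcome of following `policy` for one block, given the true state."""
    if sensor_failed:
        reading = Sensor.NO_SIGNAL
    else:
        reading = Sensor.ASSERT_OCCUPIED if actual_occupied else Sensor.ASSERT_CLEAR
    decision = policy(reading)
    if decision.command is Command.PROCEED and actual_occupied:
        return "collision"
    if decision.command is Command.PROCEED:
        return "normal running"
    return "stopped" + (" (alert raised)" if decision.alert else "")


class VigilanceDevice:
    """Two-stage dead-man's switch: foot off the pedal for more than `warn_after`
    seconds sounds an alarm; if the button is not pressed within `grace` seconds
    after that, the train stops itself and stays stopped."""

    def __init__(self, warn_after: float, grace: float) -> None:
        self.warn_after = warn_after
        self.grace = grace
        self.foot_off_since: Optional[float] = None
        self.alarm_since: Optional[float] = None
        self.stopped = False

    def tick(self, now: float, foot_on_pedal: bool, button_pressed: bool) -> str:
        """Advance the device to time `now`; returns 'running', 'alarm' or 'stopped'."""
        if self.stopped:
            return "stopped"
        if foot_on_pedal or button_pressed:
            # Any sign of life resets both timers.
            self.foot_off_since = None
            self.alarm_since = None
            return "running"
        if self.foot_off_since is None:
            self.foot_off_since = now
        if self.alarm_since is None and now - self.foot_off_since > self.warn_after:
            self.alarm_since = now
        if self.alarm_since is not None:
            if now - self.alarm_since > self.grace:
                self.stopped = True
                return "stopped"
            return "alarm"
        return "running"


if __name__ == "__main__":
    # A stopped train sits in the block and the block's sensor has just died.
    for name, policy in (("fail-deadly", fail_deadly_policy), ("fail-safe", fail_safe_policy)):
        print(f"{name:12s} occupied block, dead sensor -> "
              f"{simulate(policy, actual_occupied=True, sensor_failed=True)}")
    device = VigilanceDevice(warn_after=5.0, grace=3.0)
    for t, foot, button in ((0.0, True, False), (1.0, False, False), (7.0, False, False),
                            (11.0, False, False)):
        print(f"t={t:5.1f}s foot_on={foot!s:5s} button={button!s:5s} -> {device.tick(t, foot, button)}")
```

The point of `simulate` is the single row where the block is occupied and the sensor is silent: the fail-deadly policy reports “collision” while the fail-safe policy reports “stopped (alert raised)”. The same fail-safe policy also stops a train on an empty block whose sensor has died, which is the inconvenience the next paragraph accepts as the price of never failing silently.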

While such a system can be inconvenient if sensor failures are common, noisy failures generating inconvenience are almost always superior to silent failures generating death.  Also, of course, if the system wasn’t designed to be fail-safe because such failures are common, then it should never have been put into operation.  There may be something I’m missing, but from what information is available, this seems to be an inexcusable failure in design.

Disclaimer: Like Quincy, I am also not a transit engineer, and am also relying on the information from the Post.

A final note: the above is exactly why I’ve disabled cruise control in my car.  If I were to fall asleep or be otherwise incapacitated behind the wheel, I’d rather my foot lift off the accelerator and the car slow down than have it continue to hurtle along, à la Beck: stock car flaming with the loser in the cruise control.
