giner wrote: You just have to wonder when one of these "software failures" results in a catastrophe claiming human lives. It HAS to be a case of not 'if', but 'when'.
I know very little about the inner workings of software, but I do know that it can't just 'fail' unless the program has been badly written in the first place; but this should have been discovered during the testing period - assuming there is one and the software is not just installed on a "let's try it and see" basis.
It tends to be the hardware that fails, and if there is no backup system which can be instantly switched in then some very senior heads ought to be rolling.
I notice that the idea of cable theft has been denied. Sorry for being so ignorant, but am I to believe that in the 21st century on high speed main lines in this country, the signalling continues to use copper wire? What happened to fibre optic cable, or wi-fi communication?
Like yourself, Strang Steel, I have little knowledge of the ins and outs of software. I was just quoting the spokesman in the BBC article that was linked: "A Network Rail spokesman said the problem was with its signalling software and officials had no idea how long it would take to fix."
What I do know is that there are many products released with known software 'bugs' and the buying public are used as guinea pigs. When, and if, the manufacturers receive enough complaints then OS updates are usually released to placate Joe Consumer who is rightly indignant at having shelled out his hard-earned cash on an incomplete product. I'm not suggesting that signalling software has been released with 'known issues,' but poop happens, even in cases where potential consequences can be tragic. More vigilance, tighter quality control, etc. must be the order of the day.
giner wrote: " .... What I do know is that there are many products released with known software 'bugs' and the buying public are used as guinea pigs. When, and if, the manufacturers receive enough complaints then OS updates are usually released to placate Joe Consumer who is rightly indignant at having shelled out his hard-earned cash on an incomplete product. I'm not suggesting that signalling software has been released with 'known issues,' but poop happens, even in cases where potential consequences can be tragic. More vigilance, tighter quality control, etc. must be the order of the day."
Without suggesting that the degree of disruption that happened with this failure was unavoidable, - York IECC came into use around late summer/autumn 1989 IIRC ("That long ago?"), and I would think its taking over York-Northallerton wouldn't have been too long after.
[ South from Darlington comes under Tyneside IECC (at Gateshead : Came in not too many years later, I think), with the boundary around Danby Wiske.].
Just possibly some circumstance or combination of more than one, occurred for the first time in about 20 years. Not a wonderful excuse though.
TRESTROL wrote: The link between the interlockings and the panel failed causing the delay. There are two links A and B. A failed so they switched to the B link which caused a power spike and the interface system went bang.
Wasn't there a similar failure in South Wales about a week or so back?
Is there a common link?
TRESTROL wrote: The link between the interlockings and the panel failed causing the delay. There are two links A and B. A failed so they switched to the B link which caused a power spike and the interface system went bang.
I have now heard that at some time during the initial problems [possibly the operators were getting concerned at seeing strange or unsatisfactory indications, during attempts to get things running again, and the switching between A & B, and so perhaps from worries (whether correct from hindsight or not) about the signalling's train safety integrity], an 'Emergency All Signals 'On' ' control was used.
During my time at Liv.St. IECC in its first years we learned this was always very much a last resort thing to do at an IECC control centre, as it achieved its intended effect by briefly depriving the SSI interlocking of its power supply, thus causing the interlocking to crash (causing all its controlled signalling equipment to go into its default fail-safe mode), and then self-restart (thus, in the process temporarily losing the signaller all his points and signals indications, and showing all track circuits as occupied, - the latter causing all train headcode positions to shoot forward to incorrect on-screen locations or be lost completely - also putting all signals to red and leaving them in that state on recovery).
And invoking this facility carried the real possibility of resulting in 'blowing' something in the interlocking PPMs (which was far from a quick job to repair), but I thought a fix to prevent that particular undesirable result had been developed years ago.
[ Edited at 08:15-08:19, 30/03/11 to clarify a very few details.]
Last edited by StevieG on Wed Mar 30, 2011 8:18 am, edited 4 times in total.
Am I the only one to regard the whole situation as a bit of a paradox? The Railway Inspectorate were adamant that Marylebone needed two work stations (or whatever they're called now they're not lever frames) when the computerised signalling system was introduced there to provide the necessary "redundancy". As only one was actually needed to control things the other was just used one day a week to prove that it still worked.
Problems posed by software glitches didn't seem to have interested the Inspectorate, but as the Milton Keynes problem, which formed part of the discussion here earlier, showed they can present a real risk. There it seems two adjoining sections had their software written by different contractors who simply didn't talk to each other. Consequently the two sections couldn't talk to each other properly either! At a very basic level they understood each other, but some of the fancier code being transmitted by one couldn't be understood properly by the other one.
I remember watching an OU programme some years ago which looked at computerised signalling control, and I couldn't stop laughing. It was obvious that the computer dweebs who were pretending to design the system had no clear grasp of concepts like interlocking or overlap and in one case were proposing to program things so that the line to a particular point within a station was regarded as clear provided only one end of a crossover involved was set correctly for a required movement! Errm .. a derailment in waiting.
Going a bit OT, the Marylebone set up was, and probably still is, a bit of a hoot with that huge gap in its control area starting/ending at Mantles Wood where LU took over the signalling to/from outer London. The Marylebone software had been feebly programmed to try and predict when an Up train which had left its "known universe" at Mantles Wood would reappear on the Marylebone screens again as it approached London. Its reliability was quite awful.
Big levers, block bells and handwritten train registers might not be fashionable these days, but they're probably a good deal safer than letting software writers run amok in a safety critical area they clearly don't understand.
StevieG wrote: Just possibly some circumstance or combination of more than one, occurred for the first time in about 20 years. Not a wonderful excuse though.
Hull Paragon revisited? An amazing accident where two signalmen managed to beat the interlocking by pure chance and cause a head on collision.
After re-reading my post here of last night, I have re-worded a few bits to clarify intended meaning and to hopefully allay one or two possible safety fears which could have been read into it.
Regarding Marylebone, I think a 'standby' workstation is in practice a bit of a luxury, regrettably not replicated elsewhere in the VDU control centres I'm aware of, except that there may be some similarity when possibly things are arranged that where there are two operators, one each on two workstations, at busier (typically day/evening) times, can be reduced to one at quiet periods (nights?), and for this, either of the two workstations can operate the combined area of both. There is at least one case of this workstations arrangement, which chiefly arose by a historical quirk of a decision to change the boundary of their signalmen's control areas at an early stage after commissioning (Liverpool Street/Bethnal Green).
The West Coast Route Modernisation's intended but never-commissioned Network Management Centre at Saltley (the building which is now the West Midlands Control Centre), to have been equipped by Union Switch & Signal Co. of USA, was to have included flexibility in switching control of areas/part areas between workstations, particularly for individual operators to be relieved of supervising some of their normal area when needing to concentrate on handling a significant incident in part of it.
Micky wrote: By the way there was 3-signalmen on duty in the s/box at that time and not 2-signalmen if you don't mind me pointing out as I seem to recall from the book on this accident.
Quite correct Micky. The box in question was indeed a three man one, but the accident was caused by only two of them [one pulled 95 instead of 96 at the same time as the other was restoring 171 and the interlocking couldn't cope].
Result: 8 passengers killed in the accident, 4 died later in hospital, 24 passengers seriously injured, 22 slightly injured and both footplate crews injured. An expensive interlocking error by any standards.
Micky wrote: What I remember from reading about the Hull Paragon accident in February 1927 was that on the day of the accident the junior signalman out of the 3 was the team-leader (a modern day term) and that the senior signalman in terms of railway service had already clocked up over 40 years service as a signalman and that he had 'personal misgivings' about the power-signalling from the miniature lever frame which according to the author that I read only probably confirmed his misgivings? This accident isn't one that you hear much about on the L.N.E.R.
I guess I'm talking about myself here just like the signalman at Hull Paragon it will be 40 years next year for me as well and like I already said I prefer mechanical signalling over power boxes especially IECC work stations.
According to Colonel Pringle's report into the accident, staff at Park Street box, Hull Paragon took it in turns to be chargeman for periods of three weeks at a time. On the day of the accident Alfred Campling was chargeman. He had 16 years signalling experience, all of it with electro-pneumatic [EP] equipment.
With him were John Clark [46 years service] and Edwin Gibson [approaching 47 years service]. Gibson told Pringle that all of the staff on duty that day possessed the necessary competence to act as chargeman in his opinion and he did not doubt Campling's ability to do the job. Gibson had worked EP equipment since 1905, so couldn't be described as inexperienced himself.
Clark had been a special grade relief signalman since 1910 and had worked at Park Street previously for periods ranging from one day to 11 months, so again wasn't lacking in experience. Pringle blamed Clark for directly causing the accident when he mistakenly pulled lever 95 instead of 96 during the brief "window of opportunity" created when Gibson put lever 171 back prematurely before all of a departing train had passed the signal it controlled.
In his report Pringle records that Clark "Thought the electro-pneumatic system of operating points and signals was not so reliable as he would wish". Clark was, of course, directly responsible for causing the accident so I'm reminded of Mandy Rice-Davies' famous comment about Lord Astor during the Profumo scandal in the 1960s: "Well, he would say that wouldn't he?"
Last edited by Mr Bunt on Thu Mar 31, 2011 12:13 am, edited 1 time in total.
From what I recall reading about the Paragon affair, it was not so much about power working but as much about signalman error as can happen in mechanical signal boxes without full track circuiting and comprehensive electric locking : (Remembering that the signalling was a long way from power signalling as we may think of it over the last sixty or so years) I believe it was not really an error in the interlocking, more of the wrong lever being pulled at the unfortunately wrong time : I think I recall that there was little or no track circuiting, and security against pulling facing points under, or just in front of, a moving train was down to inter-lever interlocking, signalman observation, and traditional fouling bars linked with facing point locks - but power worked.
So I think I read that the problem was caused in the few seconds between the train's signal lever being put back to Normal, releasing the interlocking of the points, and the train's leading wheels reaching the fouling bar that would have held the points locked in the correct position : During those few seconds (the Inquiry calculated the time involved - was it about 3.7?) the lever for those points got pulled in mistake for the lever next to it, and they reversed position just in time to divert the train onto a wrong line, and into head-on collision with one approaching the other way (approaching signal(s) which I suppose would have been at Danger otherwise the offending points would presumably have been locked by it(them)).
Last edited by StevieG on Wed Mar 30, 2011 9:56 pm, edited 1 time in total.