NTSB Calls Metro's Crash-Prevention System Inadequate, Urges Real-Time Backup
Tuesday, July 14, 2009
The federal safety board investigating last month's deadly Metro accident said yesterday that the electrical system designed to prevent crashes is inadequate and urged the transit agency to add a real-time, continuous backup that would alert train operators to potential problems and stop trains when necessary.
The National Transportation Safety Board also recommended that the Federal Transit Administration advise other transit agencies that use similar automated systems that they need adequate safety redundancy as well and verify that those agencies take the necessary steps to ensure that the backup systems are in place. That move underscores concern about potential failures at other major subways and raises questions about systems that are supposed to be fail-safe.
"While the NTSB is still in the very early stages of its investigation into this tragic accident here in our nation's capital, we have concerns about the failure of [Metro's] train control system to prevent this collision," Acting Chairman Mark V. Rosenker said in a statement.
The board's urgent safety recommendation to Metro yesterday asked for a response within 30 days. Metro, in a statement, said it "will devote all of our resources" to developing additional protections. It is unclear how long such a process would take, but the costs are certain to add to the cash-strapped agency's financial burdens.
By calling on Metro to take swift action and urging the FTA to alert other transit agencies, "we hope to prevent something similar from happening again," Rosenker said.
Federal investigators have not determined the cause of the Metro crash. The safety board has no regulatory authority, but in rare instances the board issues urgent recommendations before an investigation is completed to address immediate safety hazards. Besides the two issued yesterday, seven other urgent recommendations have been issued in the past two years.
The June 22 crash on the Red Line between the Fort Totten and Takoma stations showed that Metro's train control system is susceptible to a single-point failure because it did not prevent one train from slamming into the stopped train ahead of it, the board said. Nine people died and 80 were injured.
Metro's automatic train control system relies on track circuits to maintain a safe distance between trains. The circuit detects the presence of trains by using audio frequencies transmitted between the train and the steel rails. The system is supposed to automatically transmit signals to the next train down the line. If the following train gets too close, the system sends a "zero" speed signal that forces it to stop.
Federal investigators and Metro officials said the track circuit where the crash occurred intermittently lost its ability to detect a train after a key component was replaced five days before the crash. Shortly after that repair work, the circuit fluttered and flickered, reporting the presence of a train one moment but not the next, transit officials said.
"It appears that the train control system did not detect [the idling] train's location after it stopped, and thus the following train did not receive a command to slow or stop in order to maintain train separation," the safety board said. Instead, it appears onboard computers would have set the train to 59 mph, the speed limit on that stretch.
The investigation found that Metro had "no automatic monitoring" that would identify and immediately report that a train was no longer being detected.
There also was no communication between the train operators and downtown controllers in Metro's operations control center before the crash, investigators said. The controllers monitor real-time movement of trains on an illuminated graphic depiction of the 106-mile railroad.
Metro officials said that every component of the malfunctioning circuit has been replaced, but the problems persist.
Metro Board Chairman Jim Graham, who represents the District, said the agency would do its best to "go out and invent something" but urged the NTSB to address the key mystery of why the circuit keeps failing. The trains are being run manually until the issue is resolved.
Metro officials have said they detected the track circuit failure only after the accident. The safety board said there was no evidence to suggest that Metro was aware of the track circuit problem before the accident.
After the crash, Metro officials began to check recorded data daily instead of monthly to look for similar track circuit problems. But yesterday, the safety board said that a daily review "is not sufficient to address this safety issue." The board said additional software or circuitry could be developed to look for problems in real-time and alert workers when such problems are detected. The alerts should prompt actions to immediately slow or stop trains, the board said.
San Francisco's BART system is considered a sister to Metro because it was built about the same time using similar designs, technology and suppliers. Officials there installed a separate backup tool in the mid-1970s as a protection against this type of track circuit failure. BART installed the backup after initial tests of its train protection system failed to detect the presence of a train in a few instances.
In a statement yesterday, Metro said there are currently no systems available commercially that could provide the transit agency with the kind of alerts the safety board has recommended. "Such a system must be invented," the statement said.
Metro said the BART system would not meet Metro's needs. "We will be developing a new system that will be specifically tailored to Metro," the statement said. The agency is contacting vendors and getting cost estimates.
After Metro's crash, officials at several other major subway systems have reinspected their train control protections.
In Boston, officials have hired an outside engineering firm to perform a "top-to-bottom" inspection of its Orange Line after the signaling system there failed to detect the presence of trains in May. Engineers were able to catch the problem in time.
Staff writer James Hohmann contributed to this report.