Train Derailment 3

[dik]

In Washington state, derailment killed 3 people and some still seriously injured. Part of the problem it seems is the design of the rail. From the BBC.

"A US passenger train that derailed, killing three people, was travelling at 80mph (130km/h) on a curve with a speed limit of 30mph, data from the train's rear engine indicates."

The rail was supposed to be a high speed rail and it seems really silly to have a 30mph curve on it.

link:

http://www.bbc.com/news/world-us-canada-42408624

Dik

 

[davidbeach]

Gillian Glider - last I’d heard it had never been successful repeated in a simulator.

 

[3DDave]

The Toyota had push-button start. When the car is in motion it requires holding the button for several seconds to shut the engine off, obviously to prevent the result of a kid playing with the buttons while driving. There is no key in the dash. It was a loaner replacement, so the driver had never used the car before.

(edit to clarify)

 

[waross]

Thanks for the explanation Dave.

Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[BrianPetersen]

IMO the way cars have adopted keyless engine start should not have been allowed. Keyless - No problem. But it should have been done using a rotary selector switch with the same positions as a normal key switch and located in the same place in the vehicle. Or, done the way motorcycles and race cars do it - a pushbutton for starting, but also in conjunction with the big red button for shutting it down in a hurry. But, we digress ...

 

[3DDave]

I think the biggest problem for Toyota, aside from a heart-wrenching 911 call recording playing over and over and the photographed aftermath of an incinerated and pulverized family with no instant explanation, was Toyota had been 'quietly' dealing with a couple of driveability issues related to the throttle.

One problem was the formation of tin whiskers in one pedal sensor which caused the throttle response to be non-linear - from the idle position to part throttle the ECU didn't see a resistance change and when the whisker lost contact it looked to the ECU like a sudden throttle input; not WOT, just dead-band and then a bit of voom, which startled drivers. Depending on how the whisker was positioned the symptoms would be irregular and testing with a typical ohm-meter could be enough to damage the whisker such that the pedal tests OK only for the symptoms to return.

There was also a pedal design issue. In an 'old-fashioned' car there is some sticktion due to the throttle linkage and cable so that a driver's foot could vary pressure slightly without moving the pedal. In drive-by-wire, there is just a pedal return spring and slight variations in pressure result in variations in throttle which results in slight surge/sag of power. So they added a friction source to produce sticktion and, in some cases, this meant that the return spring didn't have enough force to ensure the pedal returned all the way to idle when released.

When the accident happened it resulted in every leaf being turned over to explain why the family was incinerated so it came to light that some of this had not been divulged.

The 'trapped' pedal concept was advanced by Toyota both because that's what really caused the crash, the wrong floor mat was identified early on as a most-probable cause and, I think, to provide a simple to implement fix. It was also a dodge as there would have been hundreds of videos of pedals trapped by floor mats on YouTube. As far as I can tell, there was only one video, where a guy wadded a floor mat and shoved it between the foot well wall and the pedal.

The other source of trouble for Toyota was the lack of an obvious fault in the ECU that would explain the non-existent ECU related problems, leading to investigations into the software development practices at Toyota. These investigations lacked any demonstrations of realistic failure modes. I suspect it's true the ECU software wasn't made with significant fault tolerance in mind, but no one demonstrated any actual faults to be tolerant of. This led to the grand-standing of an expert and further unsubstantiated guesses increasing the speculation that there was something to hide. And let's not forget the driver who falsely claimed an out-of-control condition that seemed to be an extortion attempt that also implicated every Toyota, even those with entirely different ECUs.

In contrast is the VW ECU/Diesel lie, where independent software and hardware investigators were able to identify the place in the software and verify by bench test and testing in the vehicle that they had been programmed to cheat the federal emissions testing. Anyone could duplicate the observations/reproduce the results - they could look at the inputs and the state of the outputs.

In spite of the obvious value in confirming such a flaw in the Toyota ECUs I don't recall seeing anyone demonstrate a clear runaway causing condition.

Out of it all, one feature that eventually did make it into the software was a check to give priority to the brake input such that some amount of brake application would cause the ECU to ignore the throttle input and set the engine back to idle. This is a handy change to make, but I doubt that it makes much difference except in the case that the pedal is physically restrained, which doesn't seem to happen often, and maybe only ever happened on the one car. (Though articles claim there was a prior problem with all-weather mats, it seems so unlikely to be true; all the cell phones and no one put up a video showing their runaway death-traps)

The majority cause of unexpected acceleration is the same as always - pressing on the accelerator when intending to press the brake and then being startled by the sudden motion and pressing harder on the 'brake,' which just makes the control loop worse. Some (most?) of this has been dealt with by interlocking the shift out of Park with application of the brake, so that the car can't move from Park without the driver pressing the brake.

One thing that seems ignored is that the pedal problem is a side effect of cost reduction. Originally most accelerator pedals were hinged at the floor, which was advantageous to the placement of the pull-cable housing mount in the firewall. With the hinge at the bottom the worst a floor mat could do is run up the pedal and provide slight pressure with little moment arm. It required some time to install the pedal in that location.

The 'electronic' pedal meant that it could be integrated into the dash assembly and fit before installing the dash into the car as one unit. This exposes the end of the pedal to bypass the edge of the floor mat. If the user is able to push the pedal into the carpeting, an oversized mat edge can ride up and prevent its return, applying its load at the point of maximum leverage. An all-weather mat makes this worse by being significantly stiffer than the carpet mat and might as well be a wedge.

I expect one reason few people noticed this, aside from not having the wrong mats, is that it requires a very high level of pedal force. In the accident vehicle there was a report that the car seemed to have trouble keeping speed and then suddenly shot forward in traffic. If the mat was blocking the pedal travel, preventing ordinary application, and the driver got frustrated and stamped as hard as he could to overcome the obstruction, it would fit the observation. Why the driver just didn't put the transmission in neutral is a question - maybe he did and the sound frightened him, believing the engine would explode. (Hint everyone - Let the engine manage itself, especially if it's a loaner.)

 

[berkshire]

3D dave,
Whilst this is off the subject of the train de-railment I would point out that the guy killed in Santee was not "Just a cop", he was a California Highway patrol officer , these guys/gals get extensive car handling training including skidpan work. I also used to commute to work on that road. At the time of the accident , the road was unfinished with a Tee junction at the end of a high speed downgrade into a road work area The area across the other side of the tee was a river valley with large boulders in it. I am sure given his training, if there was a way of stopping the car that he knew about ,he would have done so. Anyway this is off the subject of train de-railments.
B.E.

You are judged not by what you know, but by what you can do.

 

[Spartan5]

Two things before we get back on the rails.

I believe that particular model of Toyota would not go into neutral above a certain RPM threshold.

And regarding the testing that showed that brakes could overcome an engine, it was only if they were firmly and constantly applied without releasing them. In the case of sudden acceleration on the highway, cockpit resource management becomes a lot more challenging. Your first instinct is not to stand on the brakes. It’s to try to get the car below 80 MPH while you troubleshoot. So you ride the brake a bit maybe. Try not to hit the cars in front of you. Release the brake to clear the accelerator with your foot. Reapply. Ride it some more. Try to turn it off. Etc.

At that point the brakes have soaked up so much heat it’s game over. Especially in “family cars” pushing 300 HP but without the brakes to match (have to keep that weight down for MPG). That was what happened to that patrol officer. No doubt.

 

[3DDave]

Spartan5 - if that was true it would have been documented. The exact same car was brought to a stop a few days earlier due to the same problem by a driver who shifted it into neutral and pulled over. He dislodged the floor mat and reported it to the dealership when he dropped the car off. I'm not sure there's an advantage to forcing the transmission to remain engaged; the ECU can look after the motor to keep it from detonating while unloaded. There's at least one comment that the US DOT requires that vehicles always be able to shift to neutral, though the I didn't find a rule to that effect.

The fact that the Officer Saylor did't succeed using that let the start that some huge programming problem prevented it from happening and therefore starting rumors that there had to be a coverup.

Bershire - A different driver of the exact same car had the exact same problem and brought the car to safe halt. Training cannot make up for panic and I doubt that any skidpad training included WOT latching on. I expect the additional burden of having his immediate family in the car also added to the cognitive load, causing him to exclude more survivable alternatives to heading off an embankment, such as grinding along a guard rail or sliding into a ditch.

The question for the train derailment is that certain systems can offset operator error and without looking at how operators get into good or terrible situations, allows for future problems. This train was run with a single engineer so any mistake made had no co-pilot to alert him or take action. This driver wasn't able to observe what made previous runs on the refreshed line successful, such as noting the positions and indications on speed control signs.

Had the conductor been given a device that plotted the location, speed limit, and current speed and sounded an alarm for over-speed, the conductor could have accessed the emergency brake or radioed the engineer and stopped the train on the way to the curve.

Frankly, I'm a bit surprised that the railroad enthusiasts weren't aware of the impending situation; it's a new route and they would certainly be interested as to exactly where they were and could know what the track speeds should be. Perhaps they had too much confidence in the system to recognize the danger.

I expect the immediate cause is the engineer was explaining something to the conductor-trainee and they just failed to notice what was happening outside the cab due to the distraction. I would not be surprised if it was the engineer's first run on the route.

 

[zeusfaber]

Sometimes the problem is just that driving a train is so boring that people lose track of where they are. There's a tendency to shout at drivers after they've had accidents like this in the hope of encouraging their colleagues to be more careful in future, but it never really works very well. Human beings are vulnerable to lapses of concentration under conditions of low arousal - engineering in an independent layer of protection may feel like an expensive way of solving the problem but it really is "low hanging fruit" compared to the futility of trying to bully a driver (who is already quite motivated to not kill him/herself and a trainload of passengers) into hours of unbroken concentration.

Some interesting parallels with a recent tram crash in the UK.

A.

 

[JohnRBaker]

Do locomotives still have so-called 'dead-man switches' to assure that the engineer is actually 'driving' the train at all times? I would think that something like that would be mandatory with a single-man cab.

John R. Baker, P.E. (ret)
EX-Product 'Evangelist'
Irvine, CA
Siemens PLM:
UG/NX Museum:

The secret of life is not finding someone to live with
It's finding someone you can't live without

 

[Spartan5]

3DDave - Not sure where I saw that, but it must have seemed reputable or I might not have logged it. Perhaps it's wrong. More than likely, as I said, it boiled down to cockpit resource management (CRM) in an unfamiliar vehicle.

Take a look at this shift gate and tell me where neutral is. Now imagine trying to figure that out at 110 MPH in traffic with everyone in the car freaking out.

Another thing to consider with regards to braking, is that at wide open throttle you only get a few pumps on the pedal before the boost is gone and you're left with manual braking. Though it was clearly documented in this lexus that the brakes were thoroughly cooked. Sad story all around. Especially considering that the officer was made out by some to be at fault due to his perceived incompetence.

I guess the moral of the story, perhaps as we may even find in this train wreck, is that all of this complexity we are building into things (push button start, trick automatic transmissions, POWER!) is causing CRM issues.

 

[racookpe1978]

The problem with the car "OFF" "rotary" switch as implemented in the US was exaggerated by the design of the OFF rotary switch was right between three OTHER rotary control switches, all of sear-identical size, height, diameter, and "feel". The AC fan Off-speed selection rotary knob, the radio On-Volume control rotary knob, the transmission Reverse-Neutral-Drive-Low selection control rotary knob, and the engine Start-Off rotary selection knob.

But.

If you "turn off" the wrong knob, the engine does NOT turn off but the transmission IS locked into its last (drive or reverse) position. If you turn "off" the transmission selection, it changed to the Reverse position, and - again - the engine does NOT turn off. The Key fob is a remote control sensor - The Key does NOT have to be pulled from the key slot at any time. So, getting out of the car seat (with the key now in your pocket) means nothing: The engine is still running, and the transmissio is still in "Drive". The radio is Off though.

 

[BrianPetersen]

^ I'm missing some context. Which specific vehicle are you talking about here?

Very few vehicles use a rotary switch for a keyless-ignition system and the few that I know of that do, have that switch in the same place as where a normal rotary key switch would be (which IMO is the right way to do it). Very few vehicles also use a rotary switch for transmission selection (certain late model Chryslers and Jaguars are the only ones I can think of) and the ones that do, don't also use a rotary switch for keyless-ignition, nevermind having such a switch similarly arranged as the ignition switch ... and they're not shaped similarly to the HVAC controls. So, you must be referring to a specific make, model, year that I haven't seen. What is it?

 

[bacon4life]

The locomotive I road in a few years back still had a so-called 'dead-man switch' alertness monitor. It monitored control inputs, then started a flashing light and a buzzer if too much time elapsed without operator input. At 80 MPH, a train can travel quite a distance before a monitor would take any action. I don't recall the exact timing, but it seemed more like minutes than seconds.

 

[IRstuff]

The problem with such a switch is precisely how much input is really required? A 10-mile stretch of straight track should require no inputs for 7 minutes. Such as system cannot adequately capture the variation of track length and turns. The positive train control that was supposed to have been completed in 2015 would be far superior to any sort of dead man switch.

Even an Arduino coupled with a GPS and a detailed track program could have prevented such an accident by warning the operator that the speed was excessive for that portion of the track, as well as the previous portion, since the operator probably needed to have slowed down well in advance of the slow section.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!

https://www.youtube.com/watch?v=BKorP55Aqvg

faq731-376 forum1529 Entire Forum list

http://www.eng-tips.com/forumlist.cfm

 

[waross]

I can't help thinking that a tech school class could probably design a good reliable safety system for a couple of thousand dollars in hardware.
Is this reasonable or an I blowing smoke?


Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[BrianPetersen]

Given that your normal average GPS knows what speed limits are, it really shouldn't be all that hard.

GPS is not infallible, but it knows when it's not getting a signal, and a good many places where it won't have a signal (e.g. tunnels) are predictable in advance, which means you can do something about it.

Even without a GPS signal, the path of a train is governed by the tracks that it's running on, which is known, and the distance that it has covered along those tracks can be established by wheel sensors on non-driving wheels to eliminate the possibility of wheelspin. That ought to provide enough coverage for the periods where it doesn't have a GPS signal or where the signal is ambiguous.

For that matter, the distance-since-trip-start (or since a known "reset" location - a station, a track switch) could be the primary control with GPS only used to refine the position accuracy. "31.7 km into this trip, reset maximum speed to 70 km/h, then 33.2 km into this trip, reset maximum speed to 120 km/h, then 55.4 km into this trip, download next instruction set depending on which position the track switch sends the train down", that sort of thing.

I'm sure someone can toss enough FMEA darts at this to find theoretical holes that this strategy doesn't cover, but compare it to what the current system provides ... nothing.

 

[MacGyverS2000]

Flight-sim pilots were often able to successfully pilot a plane under the circumstances that brought a DC-10 down in Chicago, but only after they were fully informed as to the exact defect and given a chance to plan a response, time and information the original crew did not have.

For those who haven't seen Sully yet... same situation. The board swore up and down multiple sims showed he could have landed at one of several airports. Once they reset the time limit to more appropriately reflect what would likely happen in the cockpit, none of the sim pilots could make it.

Dan - Owner

http://www.Hi-TecDesigns.com

 

[SnTMan]

To continue the digression just a bit, I had not heard of the Gimli Glider incident (accident?).

What an amazing feat of piloting. Other than running out of fuel in the first place

The problem with sloppy work is that the supply FAR EXCEEDS the demand

 

[IRstuff]

OK, so a GPS/INS + Arduino could be had for around $150 from Sparkfun, and triple redundancy would be slightly more than triple to account for the voting hardware. I would think that the existing train routing software already has the speed limits database, and the programmed route information could easily include the limits along with the GPS coordinates of the track segments.

Existing route planners from other industries can already autonomously program flight paths and speeds for UAVs well enough to avoid enemy radars; adapting them to plan a train route shouldn't be that complicated.

The biggest issue, of course, is a fundamental lack of desire. The rail companies neither want to spend the money or even to do the job in the first place. That's the only rational explanation for an already 3-yr slip in implementation of positive train control. Any time safety equipment is demanded by the public or the government, companies resist, until they're back up against a wall. Then, the implementation is PDQ, and the companies laud all their safety features, after the fact.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!

https://www.youtube.com/watch?v=BKorP55Aqvg

faq731-376 forum1529 Entire Forum list

http://www.eng-tips.com/forumlist.cfm