Train doors require GPS signal to open despite stations being underground (2014) (ciras.org.uk)
83 points by ColinWright on March 14, 2015 | hide | past | favorite | 77 comments



> However, we are aware that there are still occasional problems, which results in the Driver having to either manually tell the train where it is via the "location not found" option in the TMS, or in the event of that not working, using the emergency door release option in the train management system.

So... we added GPS to the trains so that doors could only be opened at stations. Then, we realised that this was a terrible idea and probably against safety regulations, so we added a function to do this anyways but buried it in menus so it couldn't be accessed in a real emergency.

Sounds like a manglement-directed idea if I ever heard one.

Edit: To clarify, I meant that if there is a manual release for the doors... what's the point of the GPS system?


In most industrial setups, you have a normal stop procedure and an emergency stop procedure. The emergency stop procedure is a big red button that you are not supposed to use unless it's an emergency. They fire you if you use the emergency button in an everyday situation.

I guess that in an emergency you can open all the doors with a big red open button in the train driver cabin, and that in each wagon there is another red button (protected by a breakable glass, to prevent pranks).


Indeed, the proximity between "emergency door release" and "train management system" is a bit disturbing in that sentence (that is, if we assume 'system' to be 'computer system', which needn't necessarily be the case of course).


I don't think they made the train. They bought an 'off the shelf' train that had that feature. A small number of Thameslink stations are underground (about 4 out of 30 or so) and so they installed GPS boosters there. It's not that crazy really. Interesting though.


OK, so we bought a poorly-designed train with features that we don't need, and so we're going to spend lots of money making the feature work with our incompatible stations. Maybe a little better, but still not very good.


I very much doubt this is related to emergencies. Don't you feel it's a bit dishonest to use words such as "we" when it seems you haven't a clue how this actually works?


"There are concerns that this could delay an emergency exit if an incident were to occur, leaving passengers at risk."


> Operation of Class 377 train doors require a (GPS) signal to identify that the train is in a station to allow the Driver to open the doors. Effectively this prevents the doors being operated in error when the train is not at a station and as such is a safety feature of the trains.

Was there some epidemic of doors being opened outside stations that I missed? This smacks of a solution looking for a problem.


http://en.wikipedia.org/wiki/Selective_door_operation

The real, less trivial problem is only opening the doors of train cars that actually fit on the platform.

GPS was just a poor choice of positioning system. There are already widely deployed systems where what is essentially an RFID tag sits at a fixed point on the track between the rails and, when scanned, tells the train exactly where it is.


Guess they want to make sure that cattle won't ever escape again as they did here: http://www.bbc.co.uk/news/uk-england-cambridgeshire-11658110


There is no mention of cattle or cows in that story?


British slang for passengers - "The train operating companies treat us like cattle".

Actually, cattle may get treated better...


You'd risk being arrested if you treated cattle the way passengers are treated on some British commuter routes.


It's the passengers who are regarded as cattle.


It's more common that the driver opens the doors on the wrong side, or at a short platform opens all the doors instead of, say, the first 8.


Oh god, opening doors on the wrong side would be absolutely terrible in rush hour - people back away from the door they think will open, and squeeze a few people out the other side onto the live wire, or perhaps into the path of a train arriving from the other direction.


Why would it be an issue if you opened more doors than necessary?

I'm assuming that the edge of the platform will always match the edge of a car, and that it is not possible to board off-platform cars (otherwise they wouldn't be off-platform), and that there will be no people in the "off-platform" cars. Otherwise, how would they get off? It seems extremely inefficient to start the train just to move it half its length, then stop it again.


Some trains will have 8 cars but stop at some stations with only 4 cars' worth of platform. The passengers heading to those stations usually know to board the first four cars.

The difficulty arises when doors are accidentally opened for all cars at 4-car platforms.

No, the train does not move forwards by 4 cars; it simply stops, passengers board and alight from the front four (including a rush of passengers from the back four cars who forgot that their station is a four-car stop), then the train leaves.


Of course not. This was some government contractor taking the taxpayers for a ride. They could charge $x more per train this way and just throw in a shitty GPS device. Things like this aren't accidents.


Surely you mean £x more. And you're wrong anyway, this is a standard feature to allow long trains to enter short stations.


Surely there are restrictions on opening while moving, but while stopped it seems a bit odd. Aren't they paying the driver to think, to know when to open or not open doors?


Reducing the amount the driver has to think reduces the potential for human error.


The potential, yes, but the risk of human error? Once you have reduced the amount of thinking the driver has to do, you start hiring drivers who aren't that good at thinking, and the ones that are good at it stop practicing it.

I don't have data showing it, but I think making the driver's work duller can make things less safe for his passengers.


Thinking about this some more, I still don't understand. If the goal was door safety, why not use the same release systems automatic trains (eg underground) have?


Yeah. It's a completely ridiculous idea. Almost as if the project manager had an idea and pushed it through without thinking about the repercussions.

If it's really a problem why not use the speedometer to figure out if the train is moving? Or why not use something like the MTA's wheel rotation sensors? The guy who wrote the signal code for MTA said that they use wheel rotations to calculate when to play audio messages in-train and in-station... those "There is a queens-bound train N stations away". It's a simple idea.


The article wouldn't load for me, but did it say anything about why they don't just require the train to be stopped for the doors to open?


Trains might stop in places that aren't stations. Also, different stations need the doors on different sides to open. Therefore it's useful to know the exact location of the train.


GPS could still be used for that, but what is wrong with opening the doors in the tunnel, not at a station? I would think that would be helpful in the case of emergencies where people need to get off the train between stations. If a driver accidentally pressed the wrong button they might want to check to make sure no one is outside the train when they drive off, but I would think that wouldn't happen too much.


I can't believe HN is reacting to this as if checking location is a bad idea. It does have an emergency override.

On the underground, particularly during rush hour, doors opening on the wrong side, or in the wrong place, could cause people to fall out of the train onto the tracks, in the dark, and risk serious injury or even death (especially with electrified rails).

And using GPS and repeaters in the few spots where the signal's poor sounds like a practical and cost-effective approach. Given the issues, perhaps they should've implemented it some other way, but it's hardly the ridiculous solution you're all making it out to be.

As superuser2 mentions below, there's even a non-safety reason for this feature: long trains in short stations. https://news.ycombinator.com/item?id=9203351


Using an unauthenticated, jammable signal for a safety critical function is wrong, not something dictated by the practicality or expediency of the solution. It is absolutely wrong and stupid. Like Therac stupid.

And as someone mentioned below, there is already a solution for this exact problem; https://en.wikipedia.org/wiki/Balise


Couldn't one "jam" the balise by throwing a large rock at it?


It's kind of hilarious that you kicked your post off with a glib denouncement of "HN" and then edited it to refer to information someone had posted prior to you making the comment.

It's also the case that most of the raspberries are aimed at the idea that it doesn't work very well, which is a failure regardless of the apparent reasonableness of the implementation.


Adding a complex and unreliable dependency that has to be reimplemented underground and isn't really needed (because you don't need the GPS coordinates, just a little bit of local metadata)? Not ridiculous at all.


Use of broadcast signals like GPS for safety-critical purposes makes them a target for adverse interference - like a jammer hoping to mess with / trap people on the train.


I actually experienced this in St Pancras International last week!

The train stopped in the station, but the doors didn't open for a good 5 minutes. The driver issued a statement stating that there'd be a slight delay before the doors opened.

I recall thinking: what possible reason could there be for not opening the doors? Congestion? Electric failure?

Well, turns out it's the most ludicrous one.


The only advantage GPS would have is that you don't have to install something (eg, a powered RFID tag) in each station. And yet, they've had to install "GPS repeater beacons" to work around this problem. Sounds like a typical case of bad design.


Somebody decided that GPS was a good idea here, and didn't think about problems underground. Silly, but understandable.

Somebody else decided that having doors controlled by location was a good idea here, and didn't think somebody would specify a system that doesn't work at some stations.

At some point during procurement and installation of the equipment you'd think somebody would have raised a red flag. Unless, of course, they were simply told to install GPS equipment, and not why. Or they were told why but nobody listened to them when they explained why it wouldn't work right.

Sounds to me more like bad organization than bad design, although of course it's hard to tell from this distance.


The GPS solution should have been shot down on sight - regardless of where in the process it was made up.

The only sensible reason for this is that someone responsible had a friend that sold GPS-beacons.


I don't think the choice of GPS for a train system is understandable at all.


The buses where I'm from started using the odometer to show the next station on a digital sign some time in the 90's. This ought to work even more accurately on a train.


Only on underground stations. Possibly most of the stations this class of train stops at are above ground, and it made sense there to avoid big station upgrade works. Just one little GPS receiver on the train instead. You can see how it could happen.


RFID tags don't necessarily need power.

And they can be quite cheap.


Sigh.

Someone tell Bruce Schneier his new movie plot terror threat[1] is here: someone homebrews a GPS signal transmitter to open all the train doors at rush hour ... preferably on the wrong side.

[1] https://www.schneier.com/essays/archives/2005/09/terrorists_...


Why wouldn't this use something like radio waves in each station from a few sources? Wouldn't it be super easy to tell your position fairly accurately with just a few radio sources? I did some googling and indoor localization systems can determine your location down to 3cm; I think that would be way more accurate than the 50m or so I have observed of GPS units while they move around.

And obviously they would be 10000x louder than the GPS signal, so you couldn't lose it unless someone was purposefully interfering with the signal.



This seems like the actual solved answer to the problem, thanks!


I agree. The entire thing sounds a bit like running a web-based Javascript solution on an embedded system because that's the only technology you're familiar with.


Or an odometer (wheel revolutions), which is what buses often use; the technology is over 2000 years old[0] and quite cheap and reliable.

[0] http://en.wikipedia.org/wiki/Odometer#Classical_Era
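Several comments in this thread (wheel-rotation sensors, the bus odometer, and the balise tags that re-anchor a train to a known track position) describe the same positioning approach: dead reckoning from wheel revolutions, with the accumulated error reset whenever a fixed trackside marker is passed. The following Python is an added illustration written for this page, not code from CIRAS, Thameslink or any train builder; the wheel circumference, drift rate, platform zones and balise positions are constructed values. The useful property it shows is that a platform is only reported when the whole uncertainty interval lies inside one platform zone; otherwise it returns `None`, which corresponds to the "location not found" case in the quoted report, where the driver has to confirm the position manually.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed wheel circumference in metres (constructed value for this example).
WHEEL_CIRCUMFERENCE_M = 2.90

# Constructed track layout: platform zone as (start_m, end_m) along the route.
PLATFORM_ZONES = {
    "Station A": (1000.0, 1240.0),
    "Station B": (4200.0, 4440.0),
}


@dataclass(frozen=True)
class Balise:
    """A fixed trackside tag whose surveyed position is known to the train."""
    tag_id: str
    position_m: float


class OdometerTracker:
    """Dead-reckoning position from wheel revolutions, re-anchored at balises."""

    def __init__(self, drift_per_m: float = 0.05):
        self.position_m = 0.0
        self.uncertainty_m = 0.0
        # Assumed error growth per metre travelled (wheel wear, slip, slide).
        self.drift_per_m = drift_per_m

    def on_wheel_revolutions(self, revolutions: int) -> None:
        travelled = revolutions * WHEEL_CIRCUMFERENCE_M
        self.position_m += travelled
        self.uncertainty_m += travelled * self.drift_per_m

    def on_balise(self, balise: Balise) -> float:
        """Snap to the tag's known position and reset the error; returns the correction applied."""
        correction = balise.position_m - self.position_m
        self.position_m = balise.position_m
        self.uncertainty_m = 0.0
        return correction

    def station(self) -> Optional[str]:
        """Platform name only if the whole error interval fits inside one platform zone."""
        lo = self.position_m - self.uncertainty_m
        hi = self.position_m + self.uncertainty_m
        for name, (start, end) in PLATFORM_ZONES.items():
            if start <= lo and hi <= end:
                return name
        return None  # "location not found": driver must confirm manually


def run_scenario() -> Tuple[Optional[str], Optional[str], float, Optional[str]]:
    """Constructed journey: fix at A, drift makes B ambiguous, a balise restores the fix."""
    tracker = OdometerTracker()
    tracker.on_wheel_revolutions(380)        # ~1102 m, error ~55 m: still inside Station A
    at_a = tracker.station()
    tracker.on_wheel_revolutions(1100)       # ~4292 m, error ~215 m: interval spills out of B
    at_b_uncertain = tracker.station()
    correction = tracker.on_balise(Balise("B-entry", 4300.0))  # constructed tag at B
    at_b_fixed = tracker.station()
    return at_a, at_b_uncertain, correction, at_b_fixed


if __name__ == "__main__":
    print(run_scenario())
```

The reset-on-balise step is what keeps a cheap odometer usable over a long route: the error is bounded by the spacing between markers rather than by the whole journey, and the train never needs an external broadcast signal to know it has reached a platform.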


Just a reminder that stories like these are regularly accumulated and curated by the ACM's Committee on Computers and Public Policy, known as the RISKS Digest. In the pre-web days you might have remembered this as Usenet's comp.risks.

Peter G. Neumann has been moderating this publication online for almost 30 years now. Always interesting reading.

RISKS Digest: http://en.wikipedia.org/wiki/RISKS_Digest

Current Issue and Archives: http://catless.ncl.ac.uk/Risks/

1994 Book: http://www.amazon.com/Computer-Related-Risks-Peter-G-Neumann...


"...and the trains have needed to be rebooted."

Nope. No thanks. Do not need my trains to be so "smart" that the only way to get them working properly is CTRL-ALT-DELETE.

Seriously.


I once had the opportunity to ride along in a locomotive here in Switzerland. En route, the computer detected an issue in the engine, restarted the whole machine and came back up fine.

This happened while driving at 160 km/h and if we had not seen the messages on the screen, nobody would have known.

That was seriously impressive and I wish I could do something like this. Not only did it properly detect the failure, it also rebooted and then came up correctly and still was aware of all the state needed to drive on.

If software works like that, I can live with it being used more and more.


I'm not sure if that's impressive, or if I should be scared that trains randomly reboot their engines whilst in motion and nobody seems to care or investigate?! What kind of issue can be resolved by rebooting an engine, exactly?


Gives a new meaning to the term, "crash-only software".


I find it difficult to believe this was all deployed without manual overrides. What about in the case of an emergency?

Also, isn't the first objection to GPS anything usually "it doesn't work well in buildings or around buildings"?


I catch these trains every day. People are confused by the warning about a "slight delay" from the driver as we approach the stations. I occasionally say "GPS doors" and everyone who was previously confused instantly adopts a "seriously?!" face. I have NO idea how such a knuckle-headed design flaw can make it all the way through design and build with even minimally aware designers and engineers in charge.


Reinforces every stereotype I have about British Engineering(tm), precision watch gears cut with a hacksaw. 400 Hp steam powered lawn mowers. Jaguars.



Thank you.


Site seems to be down, here is a text-only cache: http://webcache.googleusercontent.com/search?q=cache:Z4ZDqEM...


So what happens in a power failure?

I can see the need and advantage of a system to make sure that only the appropriate doors open at certain stations, but surely this could have been done with information at the local level. Barcodes, NFC, RFID ... to go with sats hundreds of miles in the sky augmented by repeaters is overly complex.

Passengers are not cattle. I don't see why they cannot have local door control when the train is stopped for more than 5/10/15 minutes. The risk of death by an idiot opening the wrong door surely is less than the risk of death by fire/poison gas/axe murderer, all of which have happened on trains.


Your claim needs evidence. A hypothetical murderer could open a door and push people out, no weapon necessary. In a fire, passengers could fall out of a door onto the third rail.


But are those risks less than the risk that in an emergency the doors can't be opened at all and the entire carriage of passengers is affected, e.g. burnt alive?

The old system of windows that slide down with a handle on the outside of the carriage seemed to work pretty well - hypothetically you could open the door and push people out or fall on the track. Wonder how many times that happened?


FFS. A line in the station that the operator pulls up to, and two handles in the cab that have to be operated in sequence and simultaneously. And now the operator can open the doors whenever and wherever necessary, even while the train is rebooting.

Or were masses of people trapped in cars in the decades of operation prior to this, because the operator couldn't figure out where he was and wouldn't/couldn't open the doors?


Somebody probably opened the wrong side once and a passenger fell out and sued...

We'll see more positive train control as the technology gets cheaper:

http://en.wikipedia.org/wiki/Positive_train_control

It doesn't replace operators, but instead enforces speed limits and stops. It hasn't been implemented in more trains mostly because it's expensive.


This was the reason I was given at London Victoria Station for the doors taking a long time to open. Oh for the days when the doors weren't controlled by a computer, and passengers could open the windows -- always a joy when the air conditioning fails.



Or the PDF published version of the report https://drive.google.com/file/d/0B-ojoEvI-qk7UW03XzhuRVNzOG8...



What's wrong with an open/close button that can only be activated when the train is stationary and the brakes are applied?


In one of the threads here someone points out that different doors should be opened at different stations (sometimes different sides of the train, I think sometimes not all of the doors on one side).

That explains why they want it to be location-dependent, but it doesn't excuse the poor implementation.


There are a few issues here.

SDO, CSDE: Firstly, some platforms are too short to fit all of the doors on, especially with the lengths of trains being extended. Thus at some platforms it is necessary to ensure that the first or last doors of the train, or both, are not unlocked.

The London Underground has its own system to do this (https://en.wikipedia.org/wiki/Selective_Door_Operation ). Here it appears they decided to use GPS, but the LU almost certainly uses a much simpler (and more reliable) system.

Of course, if a GPS fix isn't obtained, you don't know whether you're at a short platform or not, so you can't assume anything.

A related safety issue is whether drivers open the doors on the right side of the train (!). Yes, believe it or not, they sometimes get this wrong. When the London Underground moved to one-man train operation (meaning that the doors were controlled by the driver, rather than by a separate guard), they had some issues with this happening. They responded by introducing a simple, low-level system called "Correct Side Door Enable", which uses an electrical loop by the side of the track in platforms, which is detected by the train and allows the train to determine that a) it is in a station and b) which side the platform is on. This prevents the driver from opening the doors in error.

You can find some information on CSDE here: http://www.trainweb.org/districtdave/html/correct_side_door_...

I would guess that the LU's SDO system uses some similar or even interrelated mechanism.

Metro vs. Rail: Note that on metro trains (e.g. the majority of London Underground trains) the doors usually open automatically, whereas on other trains you have to press a button to open the doors once it illuminates. This makes the potential consequences of accidentally opening the doors on the wrong side worse on tube trains, especially when you consider how packed they can get. Whereas with a train like the Class 377, a driver would have to unlock the door on the wrong side and then the passenger would have to accidentally open the door on the wrong side. So the consequences of accidentally unlocking the doors on the wrong side are not -that- severe, which makes the apparent difficulty and obscurity of the overrides available to the driver (plus the implication that the drivers aren't properly trained on their operation) all the more ridiculous.

(A particularly curious variant is found on some trains of the Paris metro; the doors try and open as soon as the driver tells them to, but a mechanical latch on the doors prevents it. A passenger has to move up the latch before the doors can open. The latches were probably retrofitted, perhaps to mitigate unnecessary heat loss, but it also serves as a safety measure. This system has the advantage over a button-based system that a malfunctioning microcontroller cannot randomly open a door at inopportune times, though this is a rather academic advantage given that I am unaware of such cases.)

I have myself ridden the 377, and on one occasion I did notice an unusual delay before the doors unlocked, of about a minute, which involved the "door out of order" lamp momentarily flashing on and off a few times, perhaps suggesting some sort of train reboot.

I find the term 'GPS repeater' strange. The nature of GPS would lead me to believe that 'repeating' GPS would be rather difficult, though I could be mistaken. It seems more likely that by 'GPS repeater' what they actually mean is some sort of overriding 'you are at station #27' signal, perhaps implemented much like the LU's CSDE system. The Wikipedia page for SDO seems to confirm this (https://en.wikipedia.org/wiki/Selective_door_operation - note that 'Thameslink' and 'First Capital Connect' are effectively synonymous).

The idea that not being able to quickly open the doors is a safety issue seems quite peculiar to me. On the 377 and all non-metro trains, all doors are fitted with passenger-operable emergency releases. There are also somewhat anonymous emergency releases which could be operated from outside the train by platform staff. Both such releases are mandated and governed by railway standard GM/RT2473 (which can be found here, along with some rail accident reports referencing it: https://www.google.co.uk/search?q=gm/rt2473 )

That said, there is one way in which the Class 377's doors are implemented in an obviously deficient way: if you hold down the open button before the doors are unlocked, the doors will not open when they are. You then have to release and re-depress the button. In other words, whoever programmed the door erroneously chose an edge-triggered behaviour rather than a level-triggered one. This is in contrast to the buttons on the Class 319 (which the Class 377 is replacing), which behave correctly. I previously ranted about this here: http://www.devever.net/~hl/train377
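The comment above lays out the inputs a door-release interlock actually needs: the train must be stationary with brakes applied, a trackside loop (CSDE) tells the train that it is at a platform and on which side, and the platform length (SDO) decides how many of the front cars may be unlocked. It also makes the fail-safe point that without a location fix you cannot assume a full-length platform, which is why the quoted report mentions a "location not found" option for the driver. The Python below is an added example written for this page, not code from any train, CIRAS or London Underground; the `TrainState` fields, the 8-car default and the front-cars-first rule (taken from the 4-car-platform comments earlier in the thread) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Side(Enum):
    LEFT = "left"
    RIGHT = "right"


@dataclass(frozen=True)
class TrainState:
    """Inputs the interlock sees; all names are assumed for this example."""
    speed_kph: float
    brakes_applied: bool
    csde_loop: Optional[Side]              # side reported by the trackside loop, None if no loop seen
    platform_length_cars: Optional[int]    # from the location system; None = location not found
    cars: int = 8                          # assumed 8-car train
    manual_platform_length_cars: Optional[int] = None  # driver's "location not found" confirmation


def doors_to_unlock(state: TrainState) -> FrozenSet[Tuple[int, Side]]:
    """Return the set of (car, side) doors that may be unlocked; empty set means none."""
    # Hard interlocks: never unlock while moving or unbraked.
    if state.speed_kph > 0.0 or not state.brakes_applied:
        return frozenset()
    # No platform loop detected: not at a platform as far as the train can tell.
    if state.csde_loop is None:
        return frozenset()
    # Platform length: automatic location first, else the driver's explicit confirmation.
    length = state.platform_length_cars
    if length is None:
        length = state.manual_platform_length_cars
    if length is None:
        return frozenset()  # cannot assume a full-length platform; unlock nothing
    n = min(length, state.cars)
    # Front n cars only, on the side the loop reported (short-platform convention in the thread).
    return frozenset((car, state.csde_loop) for car in range(1, n + 1))


def describe(state: TrainState) -> str:
    """Human-readable summary for a cab display or a log line."""
    doors = doors_to_unlock(state)
    if not doors:
        return "doors locked"
    side = next(iter(doors))[1].value
    return f"unlock cars 1-{len(doors)} on the {side}"


if __name__ == "__main__":
    # Constructed states: short platform, moving train, location not found, driver confirmation.
    print(describe(TrainState(0.0, True, Side.LEFT, 4)))
    print(describe(TrainState(5.0, False, Side.LEFT, 8)))
    print(describe(TrainState(0.0, True, Side.RIGHT, None)))
    print(describe(TrainState(0.0, True, Side.RIGHT, None, manual_platform_length_cars=8)))
```

The ordering matters: speed and brake checks come before any location input, so a bad or missing position can only keep doors locked, never unlock them while moving, and the driver's manual confirmation is a separate input rather than a way to skip the loop check.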


Edge-triggered sounds safer to me. It protects against stuck switches (due to failure or leaning).
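The two comments above disagree about how a passenger "open" button should treat a press that began before the doors were unlocked: level-triggered (act on the button state once unlocked) is what the first commenter wants, while the reply prefers edge-triggered (act only on a new press) because it tolerates a stuck or leaned-on switch. The following Python is an added example written for this page, not the Class 377's or Class 319's door software; it models both behaviours as a small event-driven state machine and adds a hold-time limit to the level-triggered variant, so that a press held since long before the unlock is treated as a fault rather than as intent. The `max_hold_s` value and the event names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DoorButtonLogic:
    """Passenger 'open' button in edge- or level-triggered mode (assumed model)."""
    mode: str                        # "edge" or "level"
    max_hold_s: float = 5.0          # level mode: a press older than this is treated as a stuck switch
    unlocked: bool = False
    pressed: bool = False
    pressed_at: Optional[float] = None
    press_consumed: bool = False     # each physical press may open the door at most once
    open_times: List[float] = field(default_factory=list)

    def _evaluate(self, now: float, press_edge: bool) -> None:
        """Decide whether the current state should open the door."""
        if not (self.unlocked and self.pressed) or self.press_consumed:
            return
        if self.mode == "edge" and not press_edge:
            return  # press began before unlock: ignored (the behaviour the comment complains about)
        if self.mode == "level" and now - self.pressed_at > self.max_hold_s:
            return  # held too long before unlock: assume a stuck or leaned-on switch
        self.open_times.append(now)
        self.press_consumed = True

    def press(self, now: float) -> None:
        if self.pressed:
            return  # already down; not a new edge
        self.pressed = True
        self.pressed_at = now
        self.press_consumed = False
        self._evaluate(now, press_edge=True)

    def release(self, now: float) -> None:
        self.pressed = False
        self.pressed_at = None
        self.press_consumed = False

    def unlock(self, now: float) -> None:
        self.unlocked = True
        self._evaluate(now, press_edge=False)

    def lock(self, now: float) -> None:
        self.unlocked = False


def simulate(mode: str, events: List[Tuple[float, str]]) -> List[float]:
    """Replay (time, event) pairs and return the times at which the door opened."""
    logic = DoorButtonLogic(mode=mode)
    for when, name in events:
        getattr(logic, name)(when)
    return logic.open_times


if __name__ == "__main__":
    # Constructed scenario: passenger presses at t=0, doors unlock at t=2.
    early_press = [(0.0, "press"), (2.0, "unlock")]
    print("edge :", simulate("edge", early_press))    # [] : must release and press again
    print("level:", simulate("level", early_press))   # [2.0] : opens as soon as unlocked
    # Constructed stuck-switch scenario: "press" at t=0 never released, unlock at t=10.
    stuck = [(0.0, "press"), (10.0, "unlock")]
    print("level, stuck:", simulate("level", stuck))  # [] : hold exceeds max_hold_s
```

The hold-time limit is one way to keep the convenience of level triggering without the stuck-switch exposure the reply raises: a press is honoured if it started within a bounded window before the unlock, and anything older has to be released and repeated, exactly as in edge mode.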


> ... and trains have needed to be rebooted.

Since when is the default solution to any problem of any device embedded with a CPU to reboot?

Welcome to the digital age!


Oh, probably you can avoid the reboot by changing the access level to "Service" (username: service, password: service123), choose "Disable all Safety Systems", click "OK" on the dialog popping up telling you that this is forbidden when operating on public rails and having passengers, and just continue driving.

[yes, completely made up, but corresponds to what's happening daily in other, probably slightly less safety critical, industrial automation systems]


Since the digital age started, aka when the CPU was invented. Rebooting and erasing all rewritable memory gets the system into a known good state.


Lots of embedded systems reboot themselves when they get into some unknown state. It's the safest thing to do. Microcontrollers are designed to do it automatically in some cases.

People generally don't notice because the system doesn't beep or display a boot message (if it even has a display).


Someone in that procurement department should be fired for ordering a door system built on faulty, expensive and flawed logic. Yesterday.



