Background
The signalling system contractor Alstom-Thales DUAT Joint Venture (ATDJV) has been carrying out tests of the new signalling system during non-traffic hours at different sections of the Tsuen Wan Line in phases since late 2016. The ATDJV commenced full-line train tests in early 2018 and completed the on-site tests, which lasted for more than two years, in Feb 2019.
On 16 Feb 2019, the MTRCL commenced a series of drills and exercises before putting the new signalling system into revenue service.
Analysis
According to our investigation findings, the cause of the incident was a programming error introduced during software rectification of the new signalling system at the design and development stage. This programming error caused a failure to re-create the data of the crossover track at the Central Station after switch-over from the primary zone controller (ZC) to the warm-standby tertiary ZC. Hence the Automatic Train Protection (ATP) system could not function as required to prevent two trains from entering the crossover track at Central Station at the same time, and led to the train collision.
From Prof Roderick Smith:
6.2.2 doubts had been expressed... lack of belief that the system fully complied with international standards and "latent anomalies"...result in an unacceptably high risk of an unsafe incident.
6.2.3 Software has become increasingly complex and is being used in a huge variety of situations. It is difficult, perhaps impossible, to test complex software off-line for all eventualities.
(a) programming error, which was introduced in July 2017, as a result of poorly specified design requirements and inadequate design, verification and validation processes of the software.
(b) potential risk arising from the introduction of warm-standby tertiary ZC was not comprehensively included in the risk assessment by the system contractor
(c) simulation tests were not conducted to the maximum extent
From Prof Felix Schmid:
6.3.2 Individually, both the implementation of a CBTC system on an existing operating railway, AND the introduction of a tertiary ZC-C would be deemed major changes. The criticality of combining the two changes was not recognized by the stakeholders.
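To make the failure mode concrete, here is a small Python model of a zone-controller switch-over and the ATP entry decision. It is an added illustration written for this post, not code from the EMSD or MTR reports or from ATDJV; the track names, the ZoneController class, the rebuild functions and the decision rules are all assumptions. The only points taken from the report are that the crossover data at Central was not re-created after switch-over to the warm-standby tertiary ZC, and that ATP then could not keep two trains out of the crossover at the same time. The model puts the incomplete rebuild beside a complete one, and a "no data means not supervised" decision rule beside a fail-safe "no data means no authority" rule, then checks every section exhaustively.

```python
"""Toy model of a zone-controller (ZC) switch-over and the ATP entry check.

Added illustration, not code from the EMSD or MTR reports or from ATDJV.
The track names, the ZoneController class and the rebuild and decision
functions are assumptions made for the example. The only points taken
from the report are that the crossover track data at Central was not
re-created after switch-over from the primary ZC to the warm-standby
tertiary ZC, and that ATP then could not stop two trains entering the
crossover at the same time.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed layout: two plain sections plus the crossover at Central.
SECTIONS = ("CEN_UP", "CEN_DN", "CEN_CROSSOVER")

# Per-section data: id of the train holding the authority, or None if free.
SectionData = Dict[str, Optional[str]]


@dataclass
class ZoneController:
    name: str
    data: SectionData = field(default_factory=dict)  # absent key = no data


def decide_unsupervised_when_missing(zc: ZoneController, train: str, section: str) -> bool:
    """Failure mode as modelled here: a section the ZC holds no data for is
    simply not supervised, so the request is not blocked and nothing is
    recorded. Two trains can therefore both be let in."""
    if section not in zc.data:
        return True
    holder = zc.data[section]
    if holder is None or holder == train:
        zc.data[section] = train
        return True
    return False


def decide_fail_safe(zc: ZoneController, train: str, section: str) -> bool:
    """Restrictive default: no data means no authority. Service degrades,
    but two trains can never be granted the same section."""
    if section not in zc.data:
        return False
    holder = zc.data[section]
    if holder is None or holder == train:
        zc.data[section] = train
        return True
    return False


def rebuild_partial(standby: ZoneController, snapshot: SectionData) -> None:
    """Re-creates data for plain sections only; the crossover is skipped
    (stands in for the programming error described in the report)."""
    for section, holder in snapshot.items():
        if "CROSSOVER" not in section:
            standby.data[section] = holder


def rebuild_complete(standby: ZoneController, snapshot: SectionData) -> None:
    """Re-creates data for every section in the layout, whether or not the
    snapshot mentions it, so no section is left without data."""
    for section in SECTIONS:
        standby.data[section] = snapshot.get(section)


def missing_sections(zc: ZoneController) -> List[str]:
    """Post-switch-over check: which layout sections have no data at all?"""
    return [s for s in SECTIONS if s not in zc.data]


Decide = Callable[[ZoneController, str, str], bool]
Rebuild = Callable[[ZoneController, SectionData], None]


def collisions_possible(rebuild: Rebuild, decide: Decide) -> List[str]:
    """Exhaustively try every section after a switch-over to a warm standby
    and report those where two trains both received authority."""
    unsafe = []
    for section in SECTIONS:
        primary = ZoneController("ZC-primary", {s: None for s in SECTIONS})
        tertiary = ZoneController("ZC-tertiary")  # warm standby: no live data
        rebuild(tertiary, dict(primary.data))
        first = decide(tertiary, "T1", section)
        second = decide(tertiary, "T2", section)
        if first and second:
            unsafe.append(section)
    return unsafe


if __name__ == "__main__":
    for rebuild in (rebuild_partial, rebuild_complete):
        for decide in (decide_unsupervised_when_missing, decide_fail_safe):
            print(f"{rebuild.__name__:17} + {decide.__name__:32} -> "
                  f"{collisions_possible(rebuild, decide)}")
```

Only the combination of the incomplete rebuild and the permissive decision rule lets two trains into the crossover; either defence on its own is enough in this model. That is the point of the restrictive default that safety standards such as BS EN 50128 push for, and of treating `missing_sections` as a post-condition of every switch-over rather than trusting the rebuild code. The exhaustive loop is cheap here only because the model is tiny, which is exactly the difficulty Prof Smith raises in 6.2.3 for the real system.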
note:
The EMSD report gives a clearer background and investigation of this crash incident.
The conclusions and comments from the experts are included to give insight into such a complex incident.
This EMSD report, though the facts are very similar, is of much higher quality than the MTR report.
Is MTR lacking the expertise and critical awareness needed to formulate such complex system requirements in the first place? Would it be safer to carry it out in a two-phase approach?
BS EN 50128 guide
EMSD website