Paddington Mainline Station, with or without statues of that bear. Lots of platforms, lots of railway tracks, lots of points on the tracks, lots of signals, lots of trains. Several railway companies that contributed to tragedy, but certainly not the most complex or the busiest station.
With my egghead business partner at the time, I was sitting with the station manager in his office overlooking the station. We were discussing the operation of the station, not in terms of staffing problems, but as an engineering artefact. My partner, Howard, asked if there was ever a condition where this train couldn’t move because the signals were set for another train, which in turn was blocked by another so that everyone was stuck.
“Yes, that happens two or three times a year. How did you guess?”
“I didn’t guess; it is a standard condition called livelock.”
At the risk of you never wanting to travel by train again, the points are controlled by electronic devices called solid state interlock devices. From memory each device has 2 to the power 8 states and controls a small set of related track points and signals. The specification for the rail research labs that developed them was that they were for railway engineers and therefore the use of a computer programming language was inappropriate. It took an engineer about a year to set up a single device and test it.
You need to understand that the last paragraph is a bit tongue in cheek. I think there are ten devices to control Paddington Station and something like 10 to the power of 64 states, more than could be tested in the life of the universe. And the command that thou shalt not use computer programming excludes all the insights that global computer research might contribute, such as what livelock is and what to do about it. All very King Canute. All very dangerous to the public as subsequent crashes proved.
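The mutual blocking that Howard described (each train held up by a signal set for another train, which is held up in turn, until the loop closes) and the "what to do about it" that computer research contributes can be shown on a toy model. This is an added example, not code from the post, from the rail research labs or from any real interlocking; it assumes a simplified interlocking in which each train occupies one track section and has a request for the next section of its route. The train names, section names and the wait-for-graph check are constructed for the illustration.

```python
# Toy route-setting model: detect a circular wait between trains and refuse
# the route reservation that would close the loop.
# Constructed sample, not real Paddington data: three trains on a small
# junction, each holding one section and wanting the section held by another.
SAMPLE_OCCUPANCY = {"T1": "S1", "T2": "S2", "T3": "S3"}  # train -> section held
SAMPLE_REQUESTS = {"T1": "S2", "T2": "S3", "T3": "S1"}   # train -> section wanted


def wait_for_graph(occupancy, requests):
    """Build the wait-for graph: train A -> train B means A is waiting for a
    section that B currently holds. A free section produces no edge."""
    holder = {section: train for train, section in occupancy.items()}
    graph = {train: set() for train in occupancy}
    for train, wanted in requests.items():
        blocker = holder.get(wanted)
        if blocker is not None and blocker != train:
            graph.setdefault(train, set()).add(blocker)
    return graph


def find_cycle(graph):
    """Return the list of trains forming a circular wait, or [] if none.
    Depth-first search with white/grey/black colouring: meeting a grey
    (still on the stack) node means we have walked round a loop."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    stack = []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for nxt in graph.get(node, ()):
            if colour.get(nxt, WHITE) == GREY:
                return stack[stack.index(nxt):]  # the loop, in order
            if colour.get(nxt, WHITE) == WHITE:
                found = visit(nxt)
                if found:
                    return found
        stack.pop()
        colour[node] = BLACK
        return []

    for node in list(graph):
        if colour[node] == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return []


def safe_to_grant(occupancy, requests, train, wanted):
    """The interlock's check before accepting a new route request: would adding
    this request to the pending ones create a circular wait? If so the route is
    held (signal stays at danger) rather than reserved."""
    trial = dict(requests)
    trial[train] = wanted
    return not find_cycle(wait_for_graph(occupancy, trial))


if __name__ == "__main__":
    loop = find_cycle(wait_for_graph(SAMPLE_OCCUPANCY, SAMPLE_REQUESTS))
    print("circular wait among:", " -> ".join(loop) if loop else "none")
    pending = {"T1": "S2", "T2": "S3"}  # T3 has not yet been given a route
    print("grant T3 -> S1?", safe_to_grant(SAMPLE_OCCUPANCY, pending, "T3", "S1"))
    print("grant T3 -> S4?", safe_to_grant(SAMPLE_OCCUPANCY, pending, "T3", "S4"))
```

In the constructed sample, T3's request for S1 is the one that closes the loop, so `safe_to_grant` refuses it and the signaller either holds T3 or routes it into the free section S4. A real interlocking reserves whole routes (several sections, the points within them and the protecting signal aspect) rather than single sections, so the same check would run over route reservations, and the graph is small enough to search exhaustively on every request, which is the point: you do not need to enumerate all the device states to rule out this one condition.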
What Howard and I were doing was decompiling the programmes in the devices that were only pretending not to be computers and mapping the logic onto an interactive graphic on a screen, so that a railway engineer could play with the points and the signals to see if they behaved the way he expected. Unfortunately the research labs took the view that we had violated their design patents by showing what a device actually did.
I was simply struck recently by the sheer gleaming engineering of all those tracks and points that so obviously control the safety of lots of people. And yet the abstractions that support the engineering are all too human and fragile. A legal fiction here. An ego in a huff there. A mind that cannot comprehend the literal complexity here. And a sort of “well it works most of the time”. Everyone doing their best.
Separate the train companies from the track company. Apply incentives to the train companies to run their trains on time. Pretend that the engineering systems are safe unconditionally.
Does this remind you of anywhere you have worked?
Part of the spate of accidents was outsourcing the maintenance, so that the teams who had worked on particular stretches of track all their lives were replaced with new crews. When the west coast line was upgraded there were two schools of thought: straighten the worst curves on the track, or use tilting trains. As I understand it, since the argument would not resolve, they did both.
Just follow the procedures.
Or do some Thinking. Try some better design. We offer to economise risk. Smooth the flow of your passengers. End the livelocks!