comp.lang.ada
* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
@ 2001-04-27 13:04 ` Philip Anderson
  2001-04-27 13:27 ` Marin David Condic
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Philip Anderson @ 2001-04-27 13:04 UTC (permalink / raw)
  To: Colin_Paul_Gloster

Colin Paul Gloster wrote:
> 
> Something which occurred to me only yesterday (unless I cleanly
> forgot before) is that Ada and formal methods are used for
> European train systems and so these may be involved in some
> of the spate of fatal crashes over the last circa two years
> in the U.K.; Norway; and elsewhere in the E.U.. At least one
> in the U.K. had to do with a light signalling error if
> memory serves correctly but I do not recall if this had
> anything to do with software. It may be worthwhile to investigate this --
> would any of ye happen to remember if computers were involved in these
> locomotive incidents?

From memory, the causes of the UK accidents have been identified as
faulty track, badly-maintained signals or drivers going through red
lights.  I don't think software has been brought into any of these
cases.

The Norwegian train crash has been discussed on the comp.risks newsgroup
(which is a good place to look for problems attributable to software).
Some suggestions involved software, but that wasn't the official
finding.


-- 
hwyl/cheers,
Philip Anderson
Alenia Marconi Systems
Cwmbrân, Cymru/Wales



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
  2001-04-27 13:04 ` Philip Anderson
@ 2001-04-27 13:27 ` Marin David Condic
  2001-04-28  0:00   ` "Paul E. Bennett"
  2001-04-27 14:09 ` Jean-Pierre Rosen
                   ` (5 subsequent siblings)
  7 siblings, 1 reply; 11+ messages in thread
From: Marin David Condic @ 2001-04-27 13:27 UTC (permalink / raw)


The problem is that there is so much more that goes into a major system
failure than just the software. Possibly you can only conclude in some cases
that the software may have been the initiating cause of a failure, but it's
almost never possible to establish that the software may have been the
critical factor in the prevention of a failure. If there are more/less accidents on
EU trains, can Ada take blame/credit for it? That's really difficult to
establish.

A more productive (yet still arguable) effort is to try to establish that
Ada (and methods) reduce errors in delivered systems. This you stand a
chance of demonstrating in a quantifiable way. From there you have a case
that Ada contributes to safer systems. Looking at train wrecks and noting
that Ada was involved really doesn't tell you much.

MDC
--
Marin David Condic
Senior Software Engineer
Pace Micro Technology Americas    www.pacemicro.com
Enabling the digital revolution
e-Mail:    marin.condic@pacemicro.com
Web:      http://www.mcondic.com/


"Colin Paul Gloster" <Colin_Paul_Gloster@ACM.org> wrote in message
news:slrn9eiqb9.58t8.Colin_Paul_Gloster@tolka.dcu.ie...
> Something which occurred to me only yesterday (unless I cleanly
> forgot before) is that Ada and formal methods are used for
> European train systems and so these may be involved in some
> of the spate of fatal crashes over the last circa two years
> in the U.K.; Norway; and elsewhere in the E.U.. At least one
> in the U.K. had to do with a light signalling error if
> memory serves correctly but I do not recall if this had
> anything to do with software. It may be worthwhile to investigate this --
> would any of ye happen to remember if computers were involved in these
> locomotive incidents?
>
> Thank you,
> Colin Paul Gloster
>
> P.S. I apologise in advance for not promptly replying to any forthcoming
> responses. I will be out of touch for much of the coming month.






* European train deaths
@ 2001-04-27 13:45 Colin Paul Gloster
  2001-04-27 13:04 ` Philip Anderson
                   ` (7 more replies)
  0 siblings, 8 replies; 11+ messages in thread
From: Colin Paul Gloster @ 2001-04-27 13:45 UTC (permalink / raw)


Something which occurred to me only yesterday (unless I cleanly
forgot before) is that Ada and formal methods are used for
European train systems and so these may be involved in some
of the spate of fatal crashes over the last circa two years
in the U.K.; Norway; and elsewhere in the E.U.. At least one
in the U.K. had to do with a light signalling error if
memory serves correctly but I do not recall if this had
anything to do with software. It may be worthwhile to investigate this --
would any of ye happen to remember if computers were involved in these
locomotive incidents?

Thank you,
Colin Paul Gloster

P.S. I apologise in advance for not promptly replying to any forthcoming
responses. I will be out of touch for much of the coming month.




* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
  2001-04-27 13:04 ` Philip Anderson
  2001-04-27 13:27 ` Marin David Condic
@ 2001-04-27 14:09 ` Jean-Pierre Rosen
  2001-04-27 14:42 ` "Paul E. Bennett"
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Jean-Pierre Rosen @ 2001-04-27 14:09 UTC (permalink / raw)




"Colin Paul Gloster" <Colin_Paul_Gloster@ACM.org> wrote in message news: slrn9eiqb9.58t8.Colin_Paul_Gloster@tolka.dcu.ie...
> Something which occurred to me only yesterday (unless I cleanly
> forgot before) is that Ada and formal methods are used for
> European train systems and so these may be involved in some
> of the spate of fatal crashes over the last circa two years
> in the U.K.; Norway; and elsewhere in the E.U.. At least one
> in the U.K. had to do with a light signalling error if
> memory serves correctly but I do not recall if this had
> anything to do with software. It may be worthwhile to investigate this --
> would any of ye happen to remember if computers were involved in these
> locomotive incidents?
>
I can confirm that neither Ada nor formal methods were involved in the UK crashes (don't know for Norway, but it is highly unlikely).
AFAIK, the first attempt to use formal methods and Ada was for Meteor, the new automated subway line of the Parisian subway. Safety
critical software was coded and proven in B, then automatically translated to Ada. Less critical parts were directly coded in Ada.
And I heard from trustable sources that software integration went remarkably well.

--
---------------------------------------------------------
           J-P. Rosen (rosen@adalog.fr)
Visit Adalog's web site at http://www.adalog.fr






* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
                   ` (2 preceding siblings ...)
  2001-04-27 14:09 ` Jean-Pierre Rosen
@ 2001-04-27 14:42 ` "Paul E. Bennett"
  2001-04-27 15:52 ` Florian Weimer
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: "Paul E. Bennett" @ 2001-04-27 14:42 UTC (permalink / raw)


In article <slrn9eiqb9.58t8.Colin_Paul_Gloster@tolka.dcu.ie>
           Colin_Paul_Gloster@ACM.org "Colin Paul Gloster" writes:

> Something which occurred to me only yesterday (unless I cleanly
> forgot before) is that Ada and formal methods are used for
> European train systems and so these may be involved in some
> of the spate of fatal crashes over the last circa two years
> in the U.K.; Norway; and elsewhere in the E.U.. At least one
> in the U.K. had to do with a light signalling error if
> memory serves correctly but I do not recall if this had
> anything to do with software. It may be worthwhile to investigate this --
> would any of ye happen to remember if computers were involved in these
> locomotive incidents?

Despite the existence of SSI and MBP systems (where Ada and Formal 
Methods were used in the specification) the penetration of such in
the UK is not that great at present (long time getting round to the 
investment that should have been committed over the past 30 or 40 
years). 

I believe that the two Paddington crashes happened on sections that 
have SSI implemented. In the case of the Great Western driver, he was 
(with AWS turned off) packing his bag on the run in to Paddington 
and collided with the goods train. In the case of the Thames Trains 
driver, he didn't see a red signal on his early morning exit from 
Paddington and thus passed it, leading to the crash at Ladbroke Grove. 
The view of the signal was considered to be very poor and thus the
layout was brought into question. I believe we are still awaiting the 
final report from the Paddington (Ladbroke Grove) incident.

In both cases, if a philosophy of "Permit to Move" was built into the
signalling and control system both situations could probably have been 
avoided. I have made such comments before, with HMRI and DETR personnel
but little notice seems to have been taken.

-- 
********************************************************************
Paul E. Bennett ....................<email://peb@amleth.demon.co.uk>
Forth based HIDECS Consultancy .....<http://www.amleth.demon.co.uk/>
Mob: +44 (0)7811-639972 .........NOW AVAILABLE:- HIDECS COURSE......
Tel: +44 (0)1235-814586 .... see http://www.feabhas.com for details.
Going Forth Safely ..... EBA. www.electric-boat-association.org.uk..
********************************************************************





* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
                   ` (3 preceding siblings ...)
  2001-04-27 14:42 ` "Paul E. Bennett"
@ 2001-04-27 15:52 ` Florian Weimer
  2001-04-27 18:32 ` Tarjei Tjøstheim Jensen
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Florian Weimer @ 2001-04-27 15:52 UTC (permalink / raw)


Colin_Paul_Gloster@ACM.org (Colin Paul Gloster) writes:

> Something which occurred to me only yesterday (unless I cleanly
> forgot before) is that Ada and formal methods are used for
> European train systems and so these may be involved in some
> of the spate of fatal crashes over the last circa two years
> in the U.K.; Norway; and elsewhere in the E.U..

There were major accidents in Germany as well, but they were caused by
lack of careful maintenance or errors of the driver.

I think there were some non-fatal accidents in Southern Germany due to
software failures (or specification errors or whatever), but these
involved streetcars.




* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
                   ` (4 preceding siblings ...)
  2001-04-27 15:52 ` Florian Weimer
@ 2001-04-27 18:32 ` Tarjei Tjøstheim Jensen
  2001-04-27 20:51 ` Stefan Skoglund
  2001-04-28  0:38 ` Matthias Andree
  7 siblings, 0 replies; 11+ messages in thread
From: Tarjei Tjøstheim Jensen @ 2001-04-27 18:32 UTC (permalink / raw)


Colin Paul Gloster wrote:
> 
> Something which occurred to me only yesterday (unless I cleanly
> forgot before) is that Ada and formal methods are used for
> European train systems and so these may be involved in some
> of the spate of fatal crashes over the last circa two years
> in the U.K.; Norway; and elsewhere in the E.U.. At least one
> in the U.K. had to do with a light signalling error if
> memory serves correctly but I do not recall if this had
> anything to do with software. It may be worthwhile to investigate this --
> would any of ye happen to remember if computers were involved in these
> locomotive incidents?

The Norwegian accident seems to have been caused by an aggregation of
circumstances. The rail controllers failed to notice that the trains
could collide due to a mind-numbing design flaw in the software which
they use to keep track of the trains. In addition they could not
communicate with one or more of the trains because 1) they had the wrong
mobile phone number, 2) there was no coverage at the site, 3) they had no
rail phone system. The money they had gotten for automatic train stop
had been spent on something else (I'm not sure about this). The railway
had changed procedures for allowing a train to leave a station. It used
to be that you needed two people to agree to leave the station, but
suddenly only the driver should do this. These days the conductor must
OK leaving a station.


The railway has shown other signs of gross ineptitude. They have to
cancel trains because there are not enough train drivers around.

In short: nobody trusts them much these days.


Greetings,




* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
                   ` (5 preceding siblings ...)
  2001-04-27 18:32 ` Tarjei Tjøstheim Jensen
@ 2001-04-27 20:51 ` Stefan Skoglund
  2001-04-28  0:38 ` Matthias Andree
  7 siblings, 0 replies; 11+ messages in thread
From: Stefan Skoglund @ 2001-04-27 20:51 UTC (permalink / raw)


Colin Paul Gloster wrote:
> in the U.K. had to do with a light signalling error if
> memory serves correctly but I do not recall if this had
> anything to do with software. It may be worthwhile to investigate this --
> would any of ye happen to remember if computers were involved in these
> locomotive incidents?

At least in the case of the crash in Norway bad programming
can't be blamed. That particular piece of track doesn't have ATC,
i.e. it is run the same way as the old Preston-Manchester Railway
from 1830.






* Re: European train deaths
  2001-04-27 13:27 ` Marin David Condic
@ 2001-04-28  0:00   ` "Paul E. Bennett"
  0 siblings, 0 replies; 11+ messages in thread
From: "Paul E. Bennett" @ 2001-04-28  0:00 UTC (permalink / raw)


In article <9cbs3b$obf$1@nh.pace.co.uk>
           marin.condic.auntie.spam@pacemicro.com "Marin David Condic" writes:

> The problem is that there is so much more that goes into a major system
> failure than just the software. Possibly you can only conclude in some cases
> that the software may have been the initiating cause of a failure, but it's
> almost never possible to establish that the software may have been the
> critical factor in the prevention of a failure. If there are more/less accidents on
> EU trains, can Ada take blame/credit for it? That's really difficult to
> establish.
> 
> A more productive (yet still arguable) effort is to try to establish that
> Ada (and methods) reduce errors in delivered systems. This you stand a
> chance of demonstrating in a quantifiable way. From there you have a case
> that Ada contributes to safer systems. Looking at train wrecks and noting
> that Ada was involved really doesn't tell you much.

No matter how much crowing anyone is inclined to do about their 
software development language or methods it won't make the system any
better. Systems involve a mixture of physics, mechanics, hardware and
software coming together in unison to achieve a specific functional
goal within a defined range of environments and non-functional 
circumstances.

I am sure that, with the appropriate level of care and attention to 
detail at all levels, it is perfectly possible to produce a superbly
safe system. It will take a long time, will require enormous amounts
of witnessed testing and cost an absolute bundle of money.

The real trick is knowing how to implement seemingly complex systems 
in simple enough ways that we can remain certain of the outcomes, 
even when taking account of the personal aberrations of the human 
operator (like the IQ-zeros that are all the other car drivers on
the road with the exception of yourself - please note that I choose 
not to drive anymore so I am not one of them).

The system developer needs a wide range of tools and techniques at
his disposal. Tools that he knows he can trust and that are easy
for him to use regularly. Having looked at the formal methods 
through a series of introductory seminars and from the viewpoint of
using formal methods based tools (I-logix et al) I am certain that
some very complex views of multiple process-threads running on high
end processors can be modelled quite cleverly but it is very hard 
to see and be confident in the proof.

For myself, I find that limiting complexity, using many more 
processors in a structure that follows the process hierarchy well
and that can be tested thoroughly, is the best way of proceeding.
The testing is then layered. Once you prove out fully the behaviour 
of a module under normal and adverse conditions, proving full logic
path coverage in the process, you are very well placed to use it
as a component for the next level to build on.

-- 
********************************************************************
Paul E. Bennett ....................<email://peb@amleth.demon.co.uk>
Forth based HIDECS Consultancy .....<http://www.amleth.demon.co.uk/>
Mob: +44 (0)7811-639972 .........NOW AVAILABLE:- HIDECS COURSE......
Tel: +44 (0)1235-814586 .... see http://www.feabhas.com for details.
Going Forth Safely ..... EBA. www.electric-boat-association.org.uk..
********************************************************************





* Re: European train deaths
  2001-04-27 13:45 European train deaths Colin Paul Gloster
                   ` (6 preceding siblings ...)
  2001-04-27 20:51 ` Stefan Skoglund
@ 2001-04-28  0:38 ` Matthias Andree
  2001-04-28 20:58   ` Karel Thönissen
  7 siblings, 1 reply; 11+ messages in thread
From: Matthias Andree @ 2001-04-28  0:38 UTC (permalink / raw)


Colin_Paul_Gloster@ACM.org (Colin Paul Gloster) writes:

> Something which occurred to me only yesterday (unless I cleanly
> forgot before) is that Ada and formal methods are used for
> European train systems and so these may be involved in some
> of the spate of fatal crashes over the last circa two years
> in the U.K.;

Nope, as far as I have information about UK train accidents, at least one (near
London in 1996 or when that was) was caused by a driver's fault. 

In Germany, the Deutsche Bundesbahn has - among other systems "InduSi"
and "SiFa", systems that prevent a train from entering a "block" (track
segment between two signals) which is red. This system was not in place
or working properly in at least one of the accidents in the UK.

If the driver fails to stop the train, the train will stop anyway
(several signals transmitted inductively); this cannot be overridden by
the driver. Should the driver fall asleep, die, leave his seat, the
train will trigger an emergency stop procedure c. 30 s after the
incident. I don't know if speed limits can be enforced in a similar
manner, I think they can, see below.

As to some of the major German train accidents, on the big ICE disaster
in Eschede, there was a mechanical defect. In another recent major train
accident in Western Germany (was it Emmerich? Not sure) the driver went
much too fast through a detour (which went around track constructions or
maintenance), with 120 km/h with 40 km/h allowed. In Wuppertal, where
the Schwebebahn dropped off its tracks and fell into the Wupper river,
workers had forgotten to remove a track clamp which is used to prevent a
train from proceeding through a track construction.

In Belgium (which has three official languages), there was a
communication problem since the driver did not properly understand the
warning issued to him.

I believe there's nothing Ada could do about these incidents. I cannot
tell about the Eschede disaster since I believe the last words aren't
yet spoken on that case.

-- 
Matthias Andree
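Two posts in this thread describe the same design idea from different angles: Paul E. Bennett's remark that a "Permit to Move" philosophy built into the signalling and control system could have avoided both Paddington situations, and Matthias Andree's description above of protection that stops the train when it passes a signal at danger and triggers an emergency stop if the driver stops responding, neither of which the driver can override. The following is an added example, not code from the thread or from any railway product, written in Ada because this is comp.lang.ada. It models that positive-permission rule as a small interlock: every input defaults to its most restrictive value, the only path to "move" requires all permissive conditions to hold, and the driver's override request has no path into the decision at all. The record fields, the decision set, the 30 s vigilance timeout and the scenarios are all assumptions for illustration and do not describe SSI, InduSi, SiFa or any real system.

```ada
--  Added example (not from the thread): a toy "permit to move" interlock.
--  Field names, the decision set and the 30 s timeout are assumptions for
--  illustration, not a description of SSI, InduSi, SiFa or any real product.
with Ada.Text_IO; use Ada.Text_IO;

procedure Permit_To_Move is

   type Signal_Aspect is (Stop, Caution, Proceed);
   type Decision      is (Move_Permitted, Service_Brake, Emergency_Brake);

   --  Assumed vigilance timeout, following the "c. 30 s" mentioned above.
   Vigilance_Timeout : constant Natural := 30;

   --  Every field defaults to its most restrictive value, so an input the
   --  interlock never received reads as "no permission", never as "go".
   type Train_State is record
      Next_Signal     : Signal_Aspect := Stop;
      Authority_Valid : Boolean       := False;  --  explicit movement authority held?
      Speed_Kmh       : Natural       := 0;
      Speed_Limit_Kmh : Natural       := 0;      --  unknown limit reads as 0 km/h
      Vigilance_Secs  : Natural       := 0;      --  seconds since driver last acknowledged
      Driver_Override : Boolean       := False;  --  driver asks to ignore protection
   end record;

   --  The only path to Move_Permitted requires every positive condition to
   --  hold.  Driver_Override is deliberately never read: the protection
   --  cannot be switched off from the cab, which is the point of the design.
   function Evaluate (S : Train_State) return Decision is
   begin
      --  Dead-man / vigilance: no acknowledgement for too long.
      if S.Vigilance_Secs >= Vigilance_Timeout then
         return Emergency_Brake;
      end if;

      --  Moving towards or past a Stop aspect: forced stop.
      if S.Next_Signal = Stop and then S.Speed_Kmh > 0 then
         return Emergency_Brake;
      end if;

      --  Overspeed against the limit currently in force.
      if S.Speed_Kmh > S.Speed_Limit_Kmh then
         return Service_Brake;
      end if;

      --  Positive permission: explicit authority and a permissive aspect.
      if S.Authority_Valid and then S.Next_Signal /= Stop then
         return Move_Permitted;
      end if;

      --  Nothing above granted permission, so the default is to hold.
      return Service_Brake;
   end Evaluate;

   procedure Report (Name : String; S : Train_State) is
   begin
      Put_Line (Name & " => " & Decision'Image (Evaluate (S)));
   end Report;

   --  Constructed scenarios for the example; none is taken from an
   --  accident report.
   Normal_Run : constant Train_State :=
     (Next_Signal => Proceed, Authority_Valid => True, Speed_Kmh => 80,
      Speed_Limit_Kmh => 100, Vigilance_Secs => 5, Driver_Override => False);
   Passed_Red : constant Train_State :=
     (Next_Signal => Stop, Authority_Valid => True, Speed_Kmh => 60,
      Speed_Limit_Kmh => 100, Vigilance_Secs => 5, Driver_Override => False);
   Override_Attempt : constant Train_State :=
     (Next_Signal => Stop, Authority_Valid => True, Speed_Kmh => 60,
      Speed_Limit_Kmh => 100, Vigilance_Secs => 5, Driver_Override => True);
   Overspeed : constant Train_State :=
     (Next_Signal => Proceed, Authority_Valid => True, Speed_Kmh => 120,
      Speed_Limit_Kmh => 40, Vigilance_Secs => 5, Driver_Override => False);
   Inattentive : constant Train_State :=
     (Next_Signal => Proceed, Authority_Valid => True, Speed_Kmh => 80,
      Speed_Limit_Kmh => 100, Vigilance_Secs => 30, Driver_Override => False);
   No_Inputs : Train_State;  --  all defaults: the interlock has heard nothing

begin
   Report ("normal run       ", Normal_Run);
   Report ("passed red       ", Passed_Red);
   Report ("override attempt ", Override_Attempt);
   Report ("overspeed        ", Overspeed);
   Report ("inattentive      ", Inattentive);
   Report ("no inputs        ", No_Inputs);
end Permit_To_Move;
```

Build with `gnatmake permit_to_move.adb` and run it. Only the normal run reaches Move_Permitted; the override attempt ends exactly as the plain passed-red case does, because the flag has no path into the decision, and the all-defaults record holds the train rather than releasing it. The ordering of the checks is the design point: the two conditions that end in an emergency stop are tested before anything permissive is considered, so no later branch can talk the interlock out of them.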




* Re: European train deaths
  2001-04-28  0:38 ` Matthias Andree
@ 2001-04-28 20:58   ` Karel Thönissen
  0 siblings, 0 replies; 11+ messages in thread
From: Karel Thönissen @ 2001-04-28 20:58 UTC (permalink / raw)


Matthias Andree wrote:
 
> As to some of the major German train accidents, on the big ICE disaster
> in Eschede, there was a mechanical defect. In another recent major train
> accident in Western Germany (was it Emmerich? Not sure) the driver went
> much too fast through a detour (which went around track constructions or
> maintenance), with 120 km/h with 40 km/h allowed. 

Wasn't it in Brühl between Köln and Bonn? No accidents happened in
Emmerich.

-- 

Greetings, Karel Thönissen

Hello Technologies develops high-integrity software for complex systems



