
Train doors require GPS signal to open despite stations being underground (2014) - ColinWright
http://www.ciras.org.uk/report-library/train-operations/52131-issue-with-opening-class-377-doors-on-the-thameslink-route/
======
Hello71
> However, we are aware that there are still occasional problems, which
> results in the Driver having to either manually tell the train where it is
> via the "location not found" option in the TMS, or in the event of that not
> working, using the emergency door release option in the train management
> system.

So... we added GPS to the trains so that doors could only be opened at
stations. Then, we realised that this was a terrible idea and probably against
safety regulations, so we added a function to do this anyways but buried it in
menus so it couldn't be accessed in a real emergency.

Sounds like a manglement-directed idea if I ever heard one.

Edit: To clarify, I meant that if there is a manual release for the doors...
what's the point of the GPS system?

~~~
codeulike
I don't think they made the train. They bought an 'off the shelf' train that
had that feature. A small number of Thameslink stations are underground (about
4 out of 30 or so) and so they installed GPS boosters there. It's not that
crazy really. Interesting though.

~~~
Hello71
OK, so we bought a poorly-designed train with features that we don't need, and
so we're going to spend lots of money making the feature work with our
incompatible stations. Maybe a little better, but still not very good.

------
bonaldi
> Operation of Class 377 train doors require a (GPS) signal to identify that
> the train is in a station to allow the Driver to open the doors. Effectively
> this prevents the doors being operated in error when the train is not at a
> station and as such is a safety feature of the trains.

Was there some epidemic of doors being opened outside stations that I missed?
This smacks of a solution looking for a problem.

~~~
blibble
It's more common that the driver opens the doors on the wrong side, or at a
short platform opens all the doors instead of, say, the first 8.

~~~
Hello71
Why would it be an issue if you opened more doors than necessary?

I'm assuming that the edge of the platform will always match the edge of a
car, and that it is not possible to board off-platform cars (otherwise they
wouldn't be off-platform), and that there will be no people in the "off-
platform" cars. Otherwise, how would they get off? It seems extremely
inefficient to start the train just to move it half its length, then stop it
again.

~~~
manicdee
Some trains will have 8 cars but stop at some stations with only 4 cars' worth
of platform. The passengers heading to those stations usually know to board the
first four cars.

The difficulty arises when doors are accidentally opened for all cars at 4-car
platforms.

No, the train does not move forwards by 4 cars, it simply stops, passengers
board and alight from the front four (including a rush of passengers from the
back four cars who forgot that their station is a four-car stop), then the
train leaves.

------
TazeTSchnitzel
I can't believe HN is reacting to this as if checking location is a bad idea.
It does have an emergency override.

On the underground, particularly during rush hour, doors opening on the wrong
side, or in the wrong place, could cause people to fall out of the train onto
the tracks, in the dark, and risk serious injury or even death (especially
with electrified rails).

And using GPS and repeaters in the few spots where the signal's poor sounds
like a practical and cost-effective approach. Given the issues, perhaps they
should've implemented it some other way, but it's hardly the ridiculous
solution you're all making it out to be.

As superuser2 mentions below, there's even a non-safety reason for this
feature: long trains in short stations.
[https://news.ycombinator.com/item?id=9203351](https://news.ycombinator.com/item?id=9203351)

~~~
sitkack
Using an unauthenticated, jammable signal for a safety critical function is
__wrong__, not something dictated by the practicality or expediency of the
solution. It is absolutely wrong and stupid. Like Therac stupid.

And as someone mentioned below, there is already a solution for this exact
problem:
[https://en.wikipedia.org/wiki/Balise](https://en.wikipedia.org/wiki/Balise)

~~~
icebraining
Couldn't one "jam" the balise by throwing a large rock at it?

------
ceeK
I actually experienced this in St Pancras International last week!

The train stopped in the station, but the doors didn't open for a good 5
minutes. The driver issued a statement stating that there'd be a slight delay
before the doors opened.

I recall thinking: what possible reason could there be for not opening the
doors? Congestion? Electric failure?

Well, turns out it's the most ludicrous one.

------
TillE
The only advantage GPS would have is that you don't have to install something
(e.g., a powered RFID tag) in each station. And yet, they've had to install "GPS
repeater beacons" to work around this problem. Sounds like a typical case of
bad design.

~~~
mikeash
Somebody decided that GPS was a good idea here, and didn't think about
problems underground. Silly, but understandable.

Somebody else decided that having doors controlled by location was a good idea
here, and didn't think somebody would specify a system that doesn't work at
some stations.

At some point during procurement and installation of the equipment you'd think
somebody would have raised a red flag. Unless, of course, they were simply
told to install GPS equipment, and not why. Or they were told why but nobody
listened to them when they explained why it wouldn't work right.

Sounds to me more like bad organization than bad design, although of course
it's hard to tell from this distance.

~~~
tjoff
The GPS solution should have been shot down on sight - regardless of where in
the process it was made up.

The only sensible reason for this is that someone responsible had a friend
that sold GPS-beacons.

------
cstross
Sigh.

Someone tell Bruce Schneier his new movie plot terror threat[1] is here:
someone homebrews a GPS signal transmitter to open all the train doors at rush
hour ... preferably on the wrong side.

[1]
[https://www.schneier.com/essays/archives/2005/09/terrorists_...](https://www.schneier.com/essays/archives/2005/09/terrorists_dont_do_m.html)

------
hobs
Why wouldn't this use something like radio waves in each station from a few
sources? Wouldn't it be super easy to tell your position fairly accurately with
just a few radio sources? I did some googling and indoor localization systems
can determine your location down to 3cm, I think that would be way more
accurate than the 50m or so I have observed of GPS units while they move
around.

And obviously they would be 10000x louder than the GPS signal, so you couldn't
lose it unless someone was purposefully interfering with the signal.

~~~
cesarb
Or with a balise
([https://en.wikipedia.org/wiki/Balise](https://en.wikipedia.org/wiki/Balise)).

~~~
hobs
This seems like the actual solved answer to the problem, thanks!

------
joezydeco
Just a reminder that stories like these are regularly accumulated and curated
by the ACM's Committee on Computers and Public Policy, known as the RISKS
Digest. In the pre-web days you might have remembered this as Usenet's
comp.risks.

Peter G. Neumann has been moderating this publication online for almost 30
years now. Always interesting reading.

RISKS Digest:
[http://en.wikipedia.org/wiki/RISKS_Digest](http://en.wikipedia.org/wiki/RISKS_Digest)

Current Issue and Archives:
[http://catless.ncl.ac.uk/Risks/](http://catless.ncl.ac.uk/Risks/)

1994 Book: [http://www.amazon.com/Computer-Related-Risks-Peter-G-Neumann...](http://www.amazon.com/Computer-Related-Risks-Peter-G-Neumann/dp/020155805X)

------
themartorana
"...and the trains have needed to be rebooted."

Nope. No thanks. Do not need my trains to be so "smart" that the only way to
get them working properly is CTL-ALT-DELETE.

Seriously.

~~~
pilif
I once had the opportunity to ride along in a locomotive here in Switzerland.
En route, the computer detected an issue in the engine, restarted the
whole machine and came back up fine.

This happened while driving at 160 km/h and if we had not seen the messages on
the screen, nobody would have known.

That was seriously impressive and I wish I could do something like this. Not
only did it properly detect the failure, it also rebooted and then came up
correctly and still was aware of all the state needed to drive on.

If software works like that, I can live with it being used more and more.

~~~
mike_hearn
I'm not sure if that's impressive, or if I should be scared that trains
randomly reboot their engines whilst in motion and nobody seems to care or
investigate?! What kind of issue can be resolved by rebooting an engine,
exactly?

------
jimktrains2
I find it difficult to believe this was all deployed without manual overrides.
What about in the case of an emergency?

Also, isn't the first objection to GPS anything usually "it doesn't work well
in buildings or around buildings"?

------
verytrivial
I catch these trains every day. People are confused by the warning about a
"slight delay" from the driver as we approach the stations. I occasionally say
"GPS doors" and everyone who was previously confused instantly adopts a
"seriously?!" face. I have NO idea how such a knuckle-headed design flaw can
make it all the way through design and build with even minimally aware
designers and engineers in charge.

~~~
sitkack
Reinforces every stereotype I have about British Engineering(tm), precision
watch gears cut with a hacksaw. 400 Hp steam powered lawn mowers. Jaguars.

~~~
archagon
[https://www.youtube.com/watch?v=1EBfxjSFAxQ&t=57](https://www.youtube.com/watch?v=1EBfxjSFAxQ&t=57)

~~~
sitkack
thank you.

------
lyso
Site seems to be down, here is a text-only cache:
[http://webcache.googleusercontent.com/search?q=cache:Z4ZDqEM...](http://webcache.googleusercontent.com/search?q=cache:Z4ZDqEMjgu0J:www.ciras.org.uk/report-library/train-operations/52131-issue-with-opening-class-377-doors-on-the-thameslink-route/&hl=en&gl=uk&strip=1)

------
sandworm
So what happens in a power failure?

I can see the need and advantage of a system to make sure that only the
appropriate doors open at certain stations, but surely this could have been
done with information at the local level. Barcodes, NFC, RFID ... to go with
sats hundreds of miles in the sky augmented by repeaters is overly complex.

Passengers are not cattle. I don't see why they cannot have local door control
when the train is stopped for more than 5/10/15 minutes. The risk of death by
idiot opening the wrong door surely is less than the risk of death by fire/poison
gas/axe murderer, all of which have happened on trains.

~~~
sukilot
Your claim needs evidence. A hypothetical murderer could open a door and push
people out, no weapon necessary. In a fire, passengers could fall out a door
onto third rail.

~~~
pbhjpbhj
But are those risks less than the risk that in an emergency the doors can't be
opened at all and the entire carriage of passengers is affected, e.g. burnt
alive?

The old system of windows that slide down with a handle on the outside of the
carriage seemed to work pretty well - hypothetically you could open the door
and push people out or fall on the track. Wonder how many times that happened?

------
a3n
FFS. A line in the station that the operator pulls up to, and two handles in
the cab that have to be operated in sequence and simultaneously. And now the
operator can open the doors whenever and wherever necessary, even while the
train is rebooting.

Or were masses of people trapped in cars in the _decades_ of operation prior
to this, because the operator couldn't figure out where he was and
wouldn't/couldn't open the doors?

------
TYPE_FASTER
Somebody probably opened the wrong side once and a passenger fell out and
sued...

We'll see more positive train control as the technology gets cheaper:

[http://en.wikipedia.org/wiki/Positive_train_control](http://en.wikipedia.org/wiki/Positive_train_control)

It doesn't replace operators, but instead enforces speed limits and stops. It
hasn't been implemented in more trains mostly because it's expensive.

------
davidmturner
This was the reason I was given at London Victoria Station for the doors
taking a long time to open. Oh for the days when the doors weren't controlled
by a computer, and passengers could open the windows -- always a joy when the
air conditioning fails.

------
webmonkeyuk
Pastebin of the text
[http://pastebin.com/raw.php?i=u4VrqmNe](http://pastebin.com/raw.php?i=u4VrqmNe)

~~~
webmonkeyuk
Or the PDF published version of the report
[https://drive.google.com/file/d/0B-ojoEvI-qk7UW03XzhuRVNzOG8...](https://drive.google.com/file/d/0B-ojoEvI-qk7UW03XzhuRVNzOG8/view?usp=sharing)

------
rasz_pl
Sounds pretty secure

[http://www.labsat.co.uk/index.php/en/](http://www.labsat.co.uk/index.php/en/)

lol

------
Jamie452
What's wrong with an open/close button that can only be activated when the
train is stationary and brakes are applied?

~~~
maxerickson
In one of the threads here someone points out that different doors should be
opened at different stations (sometimes different sides of the train, I think
sometimes not all of the doors on one side).

Which explains why they want it to be location dependent; it doesn't excuse
the poor implementation.

------
hlandau
There are a few issues here.

SDO, CSDE: Firstly, some platforms are too short to fit all of the doors on,
especially with the lengths of trains being extended. Thus at some platforms
it is necessary to ensure that the first or last doors of the train, or both,
are not unlocked.

The London Underground has its own system to do this
([https://en.wikipedia.org/wiki/Selective_Door_Operation](https://en.wikipedia.org/wiki/Selective_Door_Operation)).
Here it appears they decided to use GPS, but the LU almost certainly uses a
much simpler (and more reliable) system.

Of course, if a GPS fix isn't obtained, you don't know whether you're at a
short platform or not, so you can't assume anything.

A related safety issue is whether drivers open the doors on the right side of
the train (!). Yes, believe it or not, they sometimes get this wrong. When the
London Underground moved to one-man train operation (meaning that the doors
were controlled by the driver, rather than by a separate guard), they had some
issues with this happening. They responded by introducing a simple, low-level
system called "Correct Side Door Enable", which uses an electrical loop by the
side of the track in platforms, which is detected by the train and allows the
train to determine that a) it is in a station and b) which side the platform
is on. This prevents the driver from opening the doors in error.

You can find some information on CSDE here:
[http://www.trainweb.org/districtdave/html/correct_side_door_...](http://www.trainweb.org/districtdave/html/correct_side_door_enable.html)

I would guess that the LU's SDO system uses some similar or even interrelated
mechanism.

Metro vs. Rail: Note that on metro trains (e.g. the majority of London
Underground trains) the doors usually open automatically, whereas on other
trains you have to press a button to open the doors once it illuminates. This
makes the potential consequences of accidentally opening the doors on the
wrong side worse on tube trains, especially when you consider how packed they
can get. Whereas with a train like the Class 377, a driver would have to
unlock the door on the wrong side and then the passenger would have to
accidentally open the door on the wrong side. So the consequences of
accidentally unlocking the doors on the wrong side are not -that- severe, which
makes the apparent difficulty and obscurity of the overrides available to the
driver (plus the implication that the drivers aren't properly trained on their
operation) all the more ridiculous.

(A particularly curious variant is found on some trains of the Paris metro;
the doors try and open as soon as the driver tells them to, but a mechanical
latch on the doors prevents it. A passenger has to move up the latch before
the doors can open. The latches were probably retrofitted, perhaps to mitigate
unnecessary heat loss, but it also serves as a safety measure. This system has
the advantage over a button-based system that a malfunctioning microcontroller
cannot randomly open a door at inopportune times, though this is a rather
academic advantage given that I am unaware of such cases.)

I have myself ridden the 377, and on one occasion I did notice an unusual
delay before the doors unlocked, of about a minute, which involved the "door
out of order" lamp momentarily flashing on and off a few times, perhaps
suggesting some sort of train reboot.

I find the term 'GPS repeater' strange. The nature of GPS would lead me to
believe that 'repeating' GPS would be rather difficult, though I could be
mistaken. It seems more likely that by 'GPS repeater' what they actually mean
is some sort of overriding 'you are at station #27' signal, perhaps
implemented much like the LU's CSDE system. The Wikipedia page for SDO seems
to confirm this
([https://en.wikipedia.org/wiki/Selective_door_operation](https://en.wikipedia.org/wiki/Selective_door_operation)
- note that 'Thameslink' and 'First Capital Connect' are effectively
synonymous).

The idea that not being able to quickly open the doors is a safety issue seems
quite peculiar to me. On the 377 and all non-metro trains, all doors are
fitted with passenger-operable emergency releases. There are also somewhat
anonymous emergency releases which could be operated from outside the train by
platform staff. Both such releases are mandated and governed by railway
standard GM/RT2473 (which can be found here, along with some rail accident
reports referencing it:
[https://www.google.co.uk/search?q=gm/rt2473](https://www.google.co.uk/search?q=gm/rt2473)
)

That said, there is one way in which the Class 377's doors are implemented in
an obviously deficient way: if you hold down the open button before the doors
are unlocked, the doors will not open when they are. You then have to release
and re-depress the button. In other words, whoever programmed the door
erroneously chose an edge-triggered behaviour rather than a level-triggered
one. This is in contrast to the buttons on the Class 319 (which the Class 377
is replacing), which behave correctly. I previously ranted about this here:
[http://www.devever.net/~hl/train377](http://www.devever.net/~hl/train377)

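The edge-triggered versus level-triggered door-button behaviour described above, as an added simulation that is not part of the original thread and not the Class 377's actual control software. The tick-based controller, its `max_hold` stuck-switch guard (an assumed mitigation for the level-triggered variant) and the press/unlock traces are all constructed here for illustration:

```python
from dataclasses import dataclass
from typing import List, Tuple

# One entry per pass of a hypothetical door-control loop (constructed model):
# (door_unlocked_by_driver, passenger_button_pressed)
Trace = List[Tuple[bool, bool]]


@dataclass
class DoorButtonController:
    mode: str           # "edge": only a press that begins after unlock counts;
                        # "level": a press already held at unlock also counts
    max_hold: int = 5   # level mode only: ignore a press held longer than this
                        # many ticks, treating it as a stuck switch (assumed value)
    opened: bool = False
    prev_pressed: bool = False
    held_for: int = 0

    def step(self, unlocked: bool, pressed: bool) -> bool:
        """Advance one tick; return whether the door is open afterwards."""
        if not unlocked:
            self.opened = False            # relocking closes the door in this model
        self.held_for = self.held_for + 1 if pressed else 0
        if unlocked and not self.opened:
            if self.mode == "edge":
                # Rising edge required: a button held since before the unlock
                # never opens the door; the passenger must release and re-press.
                if pressed and not self.prev_pressed:
                    self.opened = True
            else:
                # Level sensitive: an already-held button opens the door as soon
                # as it is unlocked, unless the press is old enough to look stuck.
                if pressed and self.held_for <= self.max_hold:
                    self.opened = True
        self.prev_pressed = pressed
        return self.opened


def run(mode: str, trace: Trace) -> List[bool]:
    """Return the door-open state after every tick of the trace."""
    ctrl = DoorButtonController(mode)
    return [ctrl.step(unlocked, pressed) for unlocked, pressed in trace]


def make_trace(pressed: str, unlocked: str) -> Trace:
    """Constructed sample input: one character per tick, '1' = asserted."""
    return [(u == "1", p == "1") for u, p in zip(unlocked, pressed)]


# Passenger presses at the first tick and keeps holding; unlock arrives at tick 3.
HELD_BEFORE_UNLOCK = make_trace(pressed="11111", unlocked="00011")
# Same start, but the passenger releases and re-presses after the unlock.
RELEASE_REPRESS = make_trace(pressed="11101", unlocked="00111")
# Switch stuck closed for a long time before the doors are ever unlocked.
STUCK_BUTTON = make_trace(pressed="1" * 12, unlocked="0" * 10 + "11")

if __name__ == "__main__":
    for name, t in [("held", HELD_BEFORE_UNLOCK), ("re-press", RELEASE_REPRESS), ("stuck", STUCK_BUTTON)]:
        print(f"{name}: edge={run('edge', t)[-1]} level={run('level', t)[-1]}")
```

In the edge-triggered mode the held button never opens the door, reproducing the behaviour the comment describes; the level-triggered mode opens it at the unlock tick while the hold-time guard still rejects a switch that has been closed since long before the stop.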
~~~
lttlrck
Edge triggered sounds safer to me. It protects against stuck switches (due to
failure or leaning).

------
crazychrome
> ... and trains have needed to be rebooted.

Since when is the default solution to any problem of any device embedded with a
CPU to _reboot_?

Welcome to the digital age!

~~~
sukilot
Since the digital age started, a.k.a. when the CPU was invented. Rebooting and
erasing all rewritable memory gets the system into a known good state.

~~~
jpindar
Lots of embedded systems reboot themselves when they get into some unknown
state. It's the safest thing to do. Microcontrollers are designed to do it
automatically in some cases.

People generally don't notice because the system doesn't beep or display a
boot message (if it even has a display).

------
chinathrow
Someone in that procurement department should be fired for ordering a door
system built on faulty, expensive and flawed logic. Yesterday.

