P415 rd/1

§P415 Readings

Do not make copies of this material except for individual personal use. The link to this material is provided for the use of P415 students and should not be used in other web pages.

Clayton Tunnel Disaster

This is an exerpt from the book Design and Validation of Computer Protocols, by Gerard J. Holzmann (Prentice Hall Software Series and AT&T Bell Telephone Laboratories, 1991). It has been transcribed with permission of the author. The full text is available from www.amazon.com.

TRAIN CRASHES

The cause of a railway accident is usually investigated and documented in minute detail, so there is no shortage of material on the early protocol design problems. A single example may suffice to illustrate how major accidents could result merely from an unexpected combination of events. To be sure, the accident to be described could have been prevented if an adequate protocol had been used for the communication between the signalmen.

Figure 1.5 -- Clayton Tunnel

The accident occurred in the Clayton tunnel, which must have been one of the best protected railway sections in England. On each end of the 1.5 mile long tunnel, 24 hours per day, signalmen were on duty. Furthermore, in 1841, the tunnel was equipped with a new space-interval block-signaling system. There were semaphore signals on each end of the tunnel, and the block-interval system guaranteed that any train passing a green signal automatically set that signal to red. It was up to the signalmen to reset the signals to green, but before doing so they were required to make certain that trains that had entered the tunnel on one side had indeed emerged again at the other end.

There were two tracks through the tunnel: one for each direction. At all times, only one train was allowed per track in the tunnel. As a further safety measure the tunnel had been equipped with a single-needle telegraph. This system was set up for the exchange of a small number of predefined messages between the signalmen on both ends of the tunnel.

Typically, after allowing a train to enter one side of the tunnel, the signalman at that side transmitted the code train-in-tunnel to his colleague. When (and if) the train emerged from the tunnel at the other end, his colleague responded with the code tunnel-is-clear. Upon the receipt of that message, the first signalman could reset the entrance signal to allow the next train to enter.

To make the system foolproof, yet a third message code had been added with which a signalman could ask his colleague: has-the-train-left-the-tunnel? The presence of the two signalmen guaranteed that the tunnel could be used safely even if, for any reason, the semaphore signal on either side of the tunnel malfunctioned. If a semaphore failed to show red after a train had passed, the signalman was warned by a bell. He could then use red and white flags to signal trains and keep the traffic going.

Still, the protocol turned out to be incompletely specified. Here is what happened in August 1861.

A first train passes semaphore A and fails to set the signal to red. As expected, the bell warns the signalman at A (call him signalman A). He dutifully first transmits the code train in tunnel to his colleague, and then fetches the red flag to warn the next train.
A second train, however, is too fast, and has already passed the green signal. Fortunately, its driver catches a glimpse of the red flag just in time as he enters the tunnel. A third train is warned in time and comes to a full stop before the tunnel entrance.
Signalman A returns to his box and again signals train-in-tunnel to indicate that there are now two trains in the tunnel. The protocol did not account for this event so the meaning of two subsequent train in tunnel messages had not been specified. However, since it was unlikely that the second train could overtake the first one, no real problem existed. The only problem for signalman A was to find out from his colleague when both trains had left the tunnel, so that the third one could enter.
To alert his colleague to the problem, signalman A transmits the only other appropriate message he has: has-the-train-left-the-tunnel? At this point there is no hope of recovery. Even if the signalman at B could understand precisely what the problem was, he had no way of communicating this. After seeing the first train emerge from the tunnel he responds, in full agreement with his instructions, tunnel-is-clear.
Signalman A cannot know if he should wait for two subsequent tunnel-is-clear. messages or whether the message can be taken literally. He decides that both trains must have left the tunnel and allows the third train to enter by waving a white flag. The driver of the second train, though, had seen the red flag while entering the tunnel and has come to a full stop in the middle of the tunnel. After some deliberation the driver decides to play it safe and back out of the tunnel.
In the collision that followed 21 people died and 176 were injured.

It is hard to assess who would be to blame for this accident. Once, by a freak combination of events, it had become possible for the second train to enter the tunnel before the first one had left it, there was no way to recover. The common sense of both the signalmen and the driver of the second train could not prevent the accident. The set of instructions given to the signalmen was incomplete. At the time, though, some were more eager to blame the relatively new block signaling method or the telegraph instruments than the men who had drafted the operating procedures for the signalmen's interactions.

In the early days of the railways, many accidents and near accidents were the result of an outright lack of means for communication. Later, when the right tools were available, it was discovered how surprisingly difficult it can be to establish unambiguous rules for communication. A historian of railway disasters (Nock [1967]) described the problem as follows,

``One can almost hear the same comment being made time after time. `I could not imagine that could ever happen.' Yet bitter experience showed that it could, and gradually the regulations and railway engineering practice were elaborated.''

The problem was to design a practical, common sense set of rules that was efficient to use under normal circumstances and that allowed for a safe recovery from unexpected events.