Fun fact: you know token ring networks? It's based on a system of reliable mutual exclusion used by early railways.
It worked like this: you have a long stretch of single-track line. Trains run in both directions on the line. Obviously you want to prevent collisions. But you don't have communications from one end to the other. How?
At each end of the line, by the signal which lets trains onto the line, there's a hook. There is exactly one token, which is a physical object which hangs on the hook. A train is only allowed onto the single-track line if the token is physically in the possession of the driver. On emerging from the other end of the line the driver hangs the token back on the hook.
More of an operational constraint. You can design the various carriages and locomotives any way you want as long as you don't compose them in that way.
They're putting an awful lot of faith in that counter though; if they allow 255 and 257, that means that they expect to never miscount an axle.
Axle counters are "positive only" systems e.g. if the numbers don't match or the counter resets, it will report an error and the next train needs a special safety order to enter the track section. So if you manage to combine a 256 axle train, it will just slow down everything on its way and cause chaos, but no accidents.
In the old times there was a manned caboose car at the end whose job was to ensure the completeness of the train (and that switches are cleared).
Still, given that the warning was issued quite explicitly it would seem that the designers of the operations guide definitely thought it was possible to have a train that long. Otherwise, why bother with the warning?
Well, maybe. I've seen a lot of "Hyperloop" fans who don't know basics about transportation systems (planning, technology, financing). So maybe I'm overly aggressive here. Sorry.
I've re-written a bunch of fuel quantity calculation software for a small airline, the degree of planning and verification that went into that totally blew my mind, it completely changed my way of thinking about writing any piece of software and even now I have to catch myself not to 'overthink' the solution to some problem.
As soon as there are lives on the line the amount of thinking about undefined situations skyrockets. Even so, given that the system fails 'positive' (as in: it can't register 'no train' when there is a train, it can only register 'train' when there is none) I'm quite impressed with the foresight to even think about that exact possibility occurring.
Another field where you see this kind of planning is in medical electronics and software systems.
Hm. Interesting. I've had - unfortunately - a lot of close up time with a bunch of high tech around one of my children and without exception that stuff was very well designed and did not hiccup even once over a whole pile of weeks. (Neonatal ICU.)
I've also bought some medical electronics surplus for parts in the past and it was absolutely bullet-proof. Top quality.
Try the radiology department. Brand new hardware and software from Siemens, GE or Philips. Particularly GE and particularly MRI interfaces. Broken code, and just plain terrible design choices like typing "1" for on and "0" for off. Type in "3" and it crashes, except when it's occasionally allowed on non bools.
Ultrasound interfaces are so unbelievably horrid that they should win any competition fairly easily. On one current model machine - touch screen, track ball, hardware sliders, physical buttons, software buttons and a track pad. Connecting that to the network was unpleasant.
Edit: I'm just taking an infusion pump to be serviced. This model is well liked. However when you want to deliver a drug bolus at a very specific time point during an MR scan the pump may deliver it, or it may give an error as it's timed out. There is no way to tell prior to pressing "bolus". Not ideal.
Ya, I remember those. My friends and I would always wave to the cabooseman (I doubt that's the right word, but I really like it) as it went by, and he would usually wave back at us.
In the U.S. that would be the train's rear conductor or a brakeman, basically the conductor's assistants. In the days before vacuum brakes the rear conductor would have the job of reading lantern messages from the front conductor (in the locomotive) and then dispatching brakemen to walk along the train car roofs and individually set the brakes on each car.
tldw: crew were expected to enter the confined area of the engine room in the middle of a fire and turn at least two valves (that have complex interactions with each other) filling the same confined area with CO2.
I realize you weren't being serious, but this van is an abbreviation of caravan, which ultimately has its origins in Persian: In 16th cent. carouan, < Persian kārwān, in same sense. Found in medieval Latin carvana (Hoveden), caravanna, caravenna (Matt. Paris), and French carvane, from Crusading times, but apparently not in English before 16th cent. The form caravan was perhaps caravane from French.[1]
A single wagon probably has an even number of axles, so 255 and 257 is probably impossible. But yes, those axle counters are extremely reliable, a miscount produces quite a bit of work because then a human has to confirm that the train left the track protected by the counters.
> you can't build a long enough train to exceed the limit.
You can definitely build long enough trains to blow past the limit several times, coal and ore trains are routinely 100+ cars long (with each car having at least 4 axles), the record is a BHP Billiton Iron Ore train of 682 cars and 8 locomotives.
In Switzerland the freight trains are not this long, perhaps at most 40 cars. They need three engines [0] to climb the gradient of 28‰ of the Gotthard mountain line (now being replaced by the Gotthard base tunnel).
Yes and no. The limit until 2010 was 670m in nearly all parts of Western Europe. Block signals, crossroads, stations… need to be made sufficiently long.
With ETCS [1] there are no "fixed" physical block segments anymore. They are simulated in software and allow a much higher density of trains and also longer trains.
While SBB is highly motivated to roll out and migrate their legacy signalling systems, it's still a long way. The new Gotthard Base Tunnel is already built ETCS-only.
The standard locomotive arrangement in the US is 2 bogies of 3 axles each; 4-6-0 and 0-6-0 wheel arrangements (5 and 3 axles, resp.) on steam locomotives were also common. While the modern locomotives do have an even number of axles, it's not a multiple of 4 (like standard wagons usually are), so it's not possible to have 256 axles exactly if you have an odd number of locomotives (e.g., 2 forward/1 reverse arrangement).
Although it is mentioned in the comments to the linked article that it is probably an electro-mechanical counter, so I am imagining a four wheel encoder with each wheel having 4 positions (although could be 8 wheels with 2 positions per wheel), electrically readable, and reset-able.
Yeah, but my point was that a mechanical counter of this nature would overflow counting 0-255 then wrapping around. So it would never get to 257. And the wheels I was referring to would be in the counting mechanism, I didn't say anything to suggest type of cars / axles etc.
No, that it won't get to 257 is the whole point here. So 257 axles with a single axle missed would end up as 256, resetting the counter -> no train present.
I don't think that the article was about miscounts, otherwise it would equally be a problem for a 258 axle train that missed 2 axles. Since the article is describing a problem that occurs for multiples of 256 it is almost certainly a counter overflow issue, so a 256 axle train resets to zero and a 257 axle train would appear to the counter as 1, which is still sufficient to mark the block of track as occupied.
A train having less than 256 axles in Switzerland doesn't exactly sound limiting, ridiculously long trains are coal and ore lines (e.g. BHP Billiton) or huge general freight in large countries (Canada, US). Switzerland is a fairly small country with steep gradients, a 256 axles limit would give a limit of ~60 cars.
Also Germany has a limit of 252, IIRC, and I expect the majority of long freight trains passing through Switzerland to be international services. There are plenty of old axle counters in operation around Europe because ultimately it's a limitation more in theory than in practice.
Along with the steep gradients, you have to remember there's far more passenger services on the lines, so pathing constraints force freight services to be shorter (you can't have them accelerating that much slower than passenger services, or they start taking up a disproportionate amount of capacity on the line).
Yes. Plenty of European countries have similar limits, around 250. There's plenty of old 8-bit microcontroller based axle counter systems still in use which are unlikely to get replaced until they are life expired simply because the 256 limit incredibly rarely affects anything; for reference, the most axles per train in the UK I'm aware of is 192 axles.
Switzerland runs small freight trains by US standards. Freight cars are usually 2-axle.
Here's Union Pacific's longest container train. 295 freight cars, 9 locomotives. Four axles per car. So that's over 1180 axles. A more typical US train is 100 cars and a few locomotives; over 400 axles isn't uncommon. 256 would be an inadequate axle limit in the US.
(There are longer trains in Australia, but they're usually coal or mineral hauls on dedicated track in flat country. This was a run from Los Angeles to Texas on mainline track.)
Oh, certainly, I'm not trying to claim these are the longest in any worldwide sense, but it's a common sort of maximum length around Europe.
FWIW, a lot of freight wagons around Europe are on bogies (with two axles per bogie) where they would be two-axle wagons in the US; I presume a lot of this is down to comparatively higher speeds of freight in Europe as a result of pathing around passenger services. Plenty of freight around Europe runs at up to 160km/h (~100mph), and that sort of speed is fast for a passenger service in the US. Obviously, this doubles the number of axles per wagon (though decreasing axle weight and hence track loading), further shortening the length of a 256 axle train.
I'm only aware of one single movement of a 1500m test train, consisting of 76 container wagons and three SBB Re 620 locomotives, which would make 322 axles if I'm not mistaken, for the curious.
At the same time, that was a run through the Gotthard Base Tunnel, and running onto similarly modernised infrastructure, and hence less likely to have 40 year old axle counters in use.
It's not, but considering the context going above would mean going through the limit which would be dangerous, during exit the counter would mark a railroad section as unoccupied before underflowing back to occupied. It might also have interesting failure modes during entry.
Considering the context is track vacancy detection, I'd think even going through the counter would be dangerous (as it could temporarily mark a rail section as unoccupied during its occupation before underflowing, a good old race condition) and would thus be operationally avoided as a recipe for disasters.
It is much safer to lock the segment on overflow or underflow (and require manual rearming), a timer can be defeated and dumb luck means it will eventually be.
Why would you jump to the conclusion that this is a software implementation? I believe, based on the comments in the linked article, that it is probably an electro-mechanical counter.
It follows that the axle count had better not be greater than 256 either, otherwise if the train splits then the front portion could decrement the axle count for the section down to zero, while leaving the rear portion in the section for the next train to collide with.
Also very few non-railroad people understand pneumatic safety brakes, and suddenly breaking a brake hose locks the brakes on both halves of the train until the tanks drain completely down. Pneumatic brakes operate like a mechanical differentiation analog computer and the strength of the brake application is the rate or slope at which the brake hose pressure is dropping.
An axle counter is like the stupidest defect detector imaginable. Modern defect detectors are like robot Q+A inspectors, every 20 miles or so they detect hot bearings, any load hanging out or down or too high, fancy ones can do on the fly weighing (hmm that tank car full of oil is losing 50 pounds per mile, someone has a leak...) for decades there's been work done with various barcode and RFID schemes to track and log individual cars, pretty interesting stuff. I would guess there exist dumb defect detectors that can not detect overheated bearings at exact integer multiples of 1024 degrees F or something. There's a nice one near a park a few miles from my house and using a scanner tuned to railroad frequencies you could hear a synthesized voice identify itself and say something like "no defects found" I never heard it say anything else.
There is nothing wrong with defense in depth. It was paid for in blood, after all. The biggest problem with defense in depth is it leads to laziness, well, we don't have to care about 256 axle trains because there's at least three other safety systems, etc etc. Then you end up with every one of them in a corner case and someone gets killed resulting in more regulation.
Depending on the RR, the hot box detector will read out over the radio whether it has found a defect, what axle number it counted it to be on, and the total number of axles counted. It uses a pyrometer to "measure" the temperature of the bearings as they go by, although they aren't particularly accurate and are subject to variances due to environmental conditions. If the detector indicates that it has found a hot bearing, the engineer will stop the train, walk and count back to that axle, hold a special wax crayon on the suspect bearing, and if the wax melts, they have to set out the car. Usually the hot box detector will be associated with a dragger detector as well, and in some places will have other hazard detectors.
As mentioned in other comments, the maximum train length was limited in Europe to around 670m (therefore the possible axle count is rather limited) which will be increased on some networks and tracks. There are several different implementations of axle counters (for example http://www.scheidt-bachmann.de/en/signalling-systems/interlo...), also train splits in Europe will trigger an emergency brake due to air pressure drop in the braking system. https://en.wikipedia.org/wiki/Railway_air_brake
The note is just a sign of the huge safety margin that modern European railway systems implement in regular usage.
Could it be that this runs on little endian? And some code is accessing a 16 or 32 bit integer as though it were just a byte, so it gets only the low 8 bits?
This is the one disadvantage of little endian: an aliasing bug between different integer widths is hidden if the code isn't tested with sufficiently large values. On big endian, it's likely an instant show-stopper, since small values near zero map to zero.
Note how the issue is that the value can't be a multiple of 256: i.e. have the eight least significant bits clear. That's troubling still, because although an axle count of 257 mitigates the signaling problem, the strong suspicion remains that this 257 might be treated as an axle count of 1; and doesn't that have ramifications? I.e. it might be used as an 8 bit value for more than just a "do we have axles or not" test.
The systems with these limitations are mostly 1970s systems based on 8-bit microcontrollers, so I strongly suspect that they're using 8-bit integers.
And yes, there are concerns about modulo behaviour, but this ultimately is an engineering trade-off: what is the probability of losing exactly 2^8 axles from a consist?
I imagine the Olsen Gang/Olsen banden/Jönssonligan whisking away a train while keeping their theft hidden from the system through the power of 256 axles.
Oftentimes lawmakers choose rules that are extremely difficult to build systems around, when slight changes could have made it fairly easy to implement and reason about such a system.
So I suppose it is nice to see that things can actually go the other way around.
So yes, this seems to be a real problem, as it is possible to arrange a train with 256 axles with this type of car that does not violate the maximum length restriction.
> I was wondering if this could be an actual problem.
In Switzerland? Probably not. In other places definitely, large-countries (USA, Canada, Australia) freight and coal/ore trains are hundreds of cars long (and each car has at least 2 bogies of 2 axles), the record is 682 cars and 8 locomotives.
Although not all rail systems in all countries use axle counters for presence detection. In the US freight industry we use track circuits - https://en.wikipedia.org/wiki/Track_circuit
That's not a replacement, that's the older technology.
Axle counting guarantees that there isn't a detached, derailed wagon fouling the line, or a wagon with dirty wheels which aren't completing the track circuit.
Those 8 locomotives can be controlled by a single team of people. Additionally it allows greater freight throughput because you need to maintain minimum distances between trains. It's actually extremely uncommon where I live to see a train with a single locomotive.
Well technically that specific train was a stunt (at the time BHP Billiton's regular run used 336 cars and 6~8 locomotives, now 264 cars and 4 locomotives), other commenters have answered as to why you'd want to run longer trains (and AFAIK modern trains rarely run a single locomotive these days, a pair is just more efficient and convenient even on passenger trains)
WARNING - Did not RTFA, but I think I get the gist.
If they use an 8 bit counter, then the detection is basically the axle count % 256. Axle #256 crossing would reset the counter to zero, indicating a safe track, when it wasn't.
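The wrap-around discussed in this thread, and the suggestion above to lock the segment on overflow or underflow, can be put side by side in a short simulation. This is an added example, not part of any comment and not code from a real axle counter; the `block_t` model, the function names and the assumption that the block is long enough to hold the whole train are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one track block; not taken from any real axle counter. */
typedef struct {
    uint8_t count;   /* 8-bit axle count, wraps modulo 256 */
    bool    latch;   /* true: lock the block on overflow/underflow */
    bool    locked;  /* set once a wrap was attempted; needs manual rearm */
} block_t;

static void axle_in(block_t *b)
{
    if (b->latch && b->count == UINT8_MAX) { b->locked = true; return; }
    b->count++;                      /* naive mode: 255 + 1 wraps to 0 */
}

static void axle_out(block_t *b)
{
    if (b->latch && b->count == 0) { b->locked = true; return; }
    b->count--;                      /* naive mode: 0 - 1 wraps to 255 */
}

static bool reports_vacant(const block_t *b)
{
    return !b->locked && b->count == 0;
}

/* Run a train of `axles` axles fully into the block, then fully out
 * (assumption: the block can hold the whole train).
 * Returns how many times the block reported "vacant" while axles were
 * physically inside. If end_state is non-NULL it receives the final block. */
unsigned false_clears(unsigned axles, bool latch, block_t *end_state)
{
    block_t b = { 0, latch, false };
    unsigned inside = 0, unsafe = 0;

    for (unsigned i = 0; i < axles; i++) {
        axle_in(&b); inside++;
        if (reports_vacant(&b)) unsafe++;
    }
    for (unsigned i = 0; i < axles; i++) {
        axle_out(&b); inside--;
        if (inside > 0 && reports_vacant(&b)) unsafe++;
    }
    if (end_state) *end_state = b;
    return unsafe;
}

int main(void)
{
    const unsigned trains[] = { 255, 256, 257 };
    for (size_t i = 0; i < sizeof trains / sizeof trains[0]; i++) {
        block_t latched;
        unsigned naive = false_clears(trains[i], false, NULL);
        unsigned safe  = false_clears(trains[i], true, &latched);
        printf("%u axles: naive false clears=%u, latched false clears=%u, locked=%d\n",
               trains[i], naive, safe, latched.locked);
    }
    return 0;
}
```

In the naive mode a 257-axle train still produces two transient "vacant" readings (one on entry, one on exit), which is the race condition raised earlier in the thread; the latched mode trades that for a block that stays occupied until someone rearms it.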
One of the rare benefits of the antiquated signalling system in the UK, using good old-fashioned analogue tech, lots of wires and relays. I was once shown a bug in the system, that was literally a bug, squashed between two relay contacts.
Very rare. It seems like 90% of delays are due to "signalling problems" (which is probably also code for "we have no idea what is going on", but still...)
The signals are designed to fail safe, due to gravity. But because they are electromechanical they fail a lot more often than solid state digital tech.
Gravity doesn't play into it much any more; semaphore signals are increasingly rare by this point, certainly on any main line. Modern electric signals simply default to danger in the absence of contact to the signal box, and fail-safe behaviour is maintained by the rule book stating that a signal displaying no aspect is equivalent to a signal displaying danger.
Gravity is still very important. The way that electric signals fail safe is that the relay is mounted in such a way that if something fails then gravity pulls the contacts to the danger position.
Aren't relays usually lightly spring-loaded/tend towards the NC position irrespective of which way you mount them? Maybe railway signalling relays are different, but none of the relays I've ever seen leave that behaviour to gravity.
Notably, the UK still largely relies upon track circuits for train detection, though the GWML (from London Paddington to Bristol) is moving to axle counters along with its move to ETCS Level 2. It's likely the rest of the UK will slowly move over to axle counters as signalling equipment becomes life-expired.
The goal is to answer the question of "is the entire train that passed into this block now out of the block?", alternatively phrased as, "has the train lost any wagons in this block?". If anything has got left behind, you can't let anything go into the block.
If I had to guess they count the number of axles entering a section of track and then count down the same number of axles at the end of a section to know when it has cleared the section completely.
The source http://imgur.com/DrEinPB states the problem using "256" not "2^8". I'm not sure if the tweeter is trying to be clever, but he isn't saving any characters by using the exponential notation.
If you're trying to save characters in a tweet, you don't have any savings in using exponential over decimal for base two until 2^14.
Similarly, in the UK train axles must not be more than a set distance apart, otherwise the train could disappear (from the signalling system). This is one of the reasons we can't have double decker trains, as the carriages aren't long enough.
For the curious: double-decker carriages do not have to be shorter or have shorter axle distance, per se, but in the UK, they have to because their rail network is older, and can't handle the load that a double-decker train of 'normal' length exerts on the rails. https://en.m.wikipedia.org/wiki/Bilevel_rail_car:
"Bilevel cars may not be usable in countries or older railway systems with low loading gauges. This includes much of the rail network in the northeast of the USA and almost the entire British rail network. In some countries such as the UK new lines are built to a higher than the existing structure gauge to allow the use of double-deck trains in future."
It's not the load: the loading gauge refers to the maximum dimensions of a train. In the UK, the vast majority of lines bridges and tunnels are simply far too low to allow for double-decker coaches; the only ones ever used had pretty weird offset compartments: see <http://dart75.tripod.com/cutaway.gif> for a cutaway diagram.
Yes, it's fascinating. For a look at how a complex system like this can be handled without computers, do some reading on how signaling and train movements were handled in the 19th Century. Pretty amazing how they were able to control continent-wide rail systems with hundreds of trains in motion at any given time, using just a telegraph wire, manual signal lanterns, slips of paper, etc... without (usually) causing any collisions.
Dunno much about trains but how far away from the traffic light would the button be? Certainly not more than 256 x wagon.length. I.e. in the unlikely case of a train with 256 wagons the light will signal green (unfortunate) but while it does so there will be a train passing by the crossroad. So in that case only (257 wagons won't do it - they'll merely cause a green blip) you'd need to have a really pedantic driver at the wheel to try to pass because light went green.
Simple and foolproof (if not terribly efficient).
https://en.wikipedia.org/wiki/Token_(railway_signalling)