The collision occurred during a test on TWL when one train entered Central Station via a crossover and collided with another train that was departing the station using the same crossover. MTR suspended all further CBTC testing until May 29 following the incident.

Thales and Alstom are installing Thales’ Seltrac CBTC system across seven metro lines in Hong Kong under a €330m contract awarded in 2015. The suppliers are replacing existing Automatic Train Supervision (ATS), interlocking and Automatic Train Control technology in the control centre, onboard trains and at stations.

The contractor have been conducting tests on the line since December 2016, which have been progressively expanded from a single train to multiple trains, and to cover all aspects of the control system.

The signalling system is divided into two control zones with each zone comprising three signalling zone controller computers: Primary (A); Hot stand-by (B); and Warm stand-by (C), an arrangement the panel notes as novel in the contractor’s signalling system application for reducing recovery time during signalling failure incidents. The drill on March 18 was for operations staff to familiarise themselves with the operational procedures when computers A and B fail and the switch to computer C to control the signalling system takes place.

While the contractor needs to make software changes for the new signalling system during the development process, the panel found that the contractor made three software implementation errors when performing a software change in 2017 to achieve the design intention of avoiding common mode failure in Computer C, should there be a problem in Computers A and B. Critically, conflict zone protection information was not properly configured in Computer C, which ultimately led to the collision.

Conclusions

The investigation panel was co-chaired by Mr Adi Lau, MTR operations director, and Dr Peter Ewen, MTR engineering director, and concluded that the errors reflect the contractor’s inadequacies in upholding software quality assurance, risk assessment, and the extent of simulation on this software change.

Following the incident, the contractor has replaced the software design and development team responsible for the software implementation errors. The panel also recommends the contractor adopt the following improvement measures:

  • fix the software issue and confirm with substantiation that there are no wider implications in software development quality
  • enhance the software coding and testing practices to avoid future programming errors, and introduce effective and traceable measures for detection of any programming errors
  • employ an external independent software assessor to enhance the software development process for the signalling zone controller computers, and
  • review, re-check and demonstrate robustness on its approach with traceable evidence in applying a fail-safe principle.

In addition, the panel says MTR should assist the contractor with the above improvements by adopting the following measures:

  • expand the scope of the ISA from safety assurance for passenger service to the inclusion of on-site train related testing certification
  • upgrade the training simulator in Hong Kong to act as a testing simulation tool to perform more scenario simulation tests as far as practicable
  • establish a joint Safety Test & Commissioning Panel (the Corporation/contractor together with input from the ISA) to manage on-site testing, and
  • explore together with the panel’s experts the merits, if any, for staging the development of the Warm-standby computer, or any other technically appropriate alternatives proposed by the contractor.

“For a corporation that always puts safety as our top priority, we take every incident which has an impact on the safety of people inside MTR premises very seriously and would spare no effort in identifying the cause and looking at ways to prevent any recurrence. The 18 March incident is no exception,” says Dr Jacob Kam, MTR CEO. “We will make sure all necessary improvements are made by vigilantly monitoring the contractor to implement necessary follow up work and enhancing our own monitoring system.”

Response

The error is within Thales' scope of the contract, and responding to the panel’s findings, Thales said in a statement that it fully collaborated with the government and MTR’s investigation panel. The company added that it is committed to working with MTR and the relevant stakeholders to implement all the recommendations in the MTR investigation panel report.

“Thales has over 30 years’ experience in safely transporting more than 3 billion passengers per year and the Thales CBTC system is the world’s most widely adopted and trusted CBTC system,” the company says. “We are confident that the CBTC system is a secure and reliable system for Hong Kong DUAT lines operation. We are fully committed to delivering the solution in a safe manner.”