Investigation into Joo Koon MRT Train Accident
Ministry of Transport
Summary
This question concerns the 2017 Joo Koon MRT collision, where Mr Dennis Tan Lip Fong and Ms Denise Phua Lay Peng inquired about driver braking controls and awareness of signalling malfunctions. Minister for Transport Mr Khaw Boon Wan explained that an unanticipated software logic issue caused a train’s protective bubble to deactivate, leaving the driver insufficient time to prevent the crash. He stated that Thales has since rectified the flaw and is building a local simulation facility to improve testing for Singapore’s rail network. He also highlighted the temporary separation of the Tuas West Extension and the acceleration of the re-signalling project as precautionary safety measures. Finally, he noted he would verify whether drivers must switch to manual mode to apply emergency brakes while in automatic operation.
Transcript
1 Mr Dennis Tan Lip Fong asked the Minister for Transport (a) in respect of the collision at Joo Koon station on 15 November 2017, what were the control options available to the driver of the second train to stop the train before it collided into the rear of the first train; and (b) what are the usual control options available to drivers of trains on North-South and East-West Lines for manual or emergency braking.
2 Ms Denise Phua Lay Peng asked the Minister for Transport (a) before the collision at Joo Koon station on 15 November 2017, whether the operations control centre and the driver of the second train were aware that the protective bubbles of the first train had malfunctioned; (b) if so, whether there were other options that could have been taken to ensure that the second train remained stationary; and (c) whether there was any previous occasion when a train had continued to operate when its protective bubbles had malfunctioned.
The Minister for Transport (Mr Khaw Boon Wan): Sir, may I take Question Nos 1 and 2 together, please.
Mr Deputy Speaker: Yes, please.
Mr Khaw Boon Wan: The cause of the collision was a software logic issue with the new signalling system. As a result, the first train at Joo Koon station was operating without a protective bubble that ensures safe distances between trains.
Subsequent tests and re-enactments confirmed that the failure conditions must occur in a specific sequence for the protective bubble to be deactivated. Thales, the supplier of the system, had not anticipated such a scenario. This was an isolated case with no precedent, even for Thales. The Operations Control Centre (OCC) staff and the train captains did not know that the protective bubble could be deactivated. Had they been aware of this, the train captain on the second train could have switched from Automatic to Restricted Manual Mode to drive the train manually or, as a last resort, engaged the emergency stop button to keep the train from moving.
All North-South and East-West Line trains, including those involved in the collision at Joo Koon station, are equipped with an emergency stop button for the train captain to apply the brakes manually. Based on train logs, the train captain in the second train was unable to engage these emergency brakes in time to avert a collision.
Thales has since rectified the system to address the failure condition which led to the collision. In addition, Thales is setting up a simulation facility, a simulator, in Singapore to strengthen the testing process. The facility will enable the Land Transport Authority (LTA) and SMRT Corp to perform additional simulation tests in a controlled setting which is tailored to our local environment and the infrastructural conditions of our rail network before deploying on our train services.
As an added precautionary measure, we decided to separate the operations on the Tuas West Extension from the rest of the East-West Line. The separation will continue until the rest of the East-West Line has fully transitioned to the new signalling system. Meanwhile, we are speeding up the re-signalling project, and the extended engineering hours on the Mass Rapid Transit (MRT) early closures and late openings will enable us to complete this transition by the middle of this year.
Mr Dennis Tan Lip Fong (Non-Constituency Member): I thank the Minister for his reply. I have two supplementary questions.
One, I understand from media reports and correct me if I am wrong here, that because of the failure conditions, the bubbles did not take place. I think there was a fixed distance of about 36 metres between the first and second trains. I just heard from the Minister that the driver apparently applied the emergency brakes, or did he apply the brakes and they did not work? Is my understanding correct? So, can I just clarify with the Minister on this point, whether or not the driver applied the emergency brakes or the automatic brakes to be used in emergency circumstances like what is available on the East-West and North-South Lines? If that is the case, subject to the Minister's answer, will LTA look into the condition of why the brakes did not come into effect, despite there being a braking distance of 36 metres?
My second question is, in light of what has just happened, which I agree could be quite unique, but nevertheless, for safety purposes, will SMRT be required to review its standard operating procedures (SOPs) in contingency situations like what we saw at Joo Koon, so that the OCC or the driver will be alerted to and will be required to apply the brakes when trains start to move in unforeseeable circumstances in order to prevent collisions from happening?
Mr Khaw Boon Wan: I thank the Member. As I had explained, this situation was never anticipated by Thales themselves.
I did engineering but that was many years ago. One of my favourite subjects was computer programming. I enjoy writing software. Of course, many things have happened during the last 40-odd years. Computer languages have improved and there are many more new languages and more efficiency tools. But the basic principle of writing a computer programme, I think, has not changed. Which is, you start off by anticipating "what ifs". All kinds of possible scenarios and therefore, you compose logic, diagrams and decision trees, before you start coding and converting each of the steps into a program, so that the computer knows what to do. A good computer programmer is one who has robustly and comprehensively thought of all possibilities so that computers or the robot would know how to react.
Unfortunately, in this instance, Thales had not anticipated such a possibility and, therefore, the assumption, both by Thales and the operator – the operators were trained by Thales – was that the deactivating of the bubble could not have happened. Had we known, as I had explained in my answer, the driver would have converted it into manual mode, instead of leaving the train to be run by the computer. If it was in manual mode, there would have been an adequate reaction time.
In hindsight, one can blame the captain, but I do not. Because he was mentally not prepared and never trained to react under that kind of scenario. Whatever it is, the flaw, Thales has accepted full responsibility and has apologised, and the flaw has been rectified. But as an added precaution, I took a decision: let us not complicate our lives both for the software programmer as well as the operator; just separate the two systems.
If I may just describe a little, though highly simplified, what kind of complications we have introduced prior to this incident. East-West Line is a complete line but we were doing the most complicated by requiring the signalling system to run on most parts of the Line, on the old system, and then at some point, switch to a new system. Therefore, the trains were being operated by two signalling systems – the old system and the new system. They were required to know when to do what.
So, based on the location at the track, the new signalling system could be on "passive" mode or "active" mode. For the stretch of the East-West Line which is still on the old signalling system, the system is on passive mode. It is collecting and reporting information but not acting. But after clearing a particular station, when it enters the Tuas West Extension, it switches into active mode. These are the complications we introduced.
For the deactivation of the bubble to take place, several things must happen. Unfortunately, on that day, all three things happened. First, the train must have developed some problem. Trains carry a lot of computers and the computers' signalling equipment has to communicate with the track-side equipment of the new system. For that particular train that day, it was not able to communicate. When it is not able to communicate, the system, as a safety procedure, activates this bubble so that the trains would comply with the safety distances between trains. That was the first step and in this case, it happened.
Secondly, this train must pass a stretch of track which is still on the old signalling system and the track-side equipment had not yet been configured to the new train system. Unfortunately, this was the sort of scenario that the programmer had not anticipated. When it occurred, the bubble got deactivated. When it was deactivated, well, the rest is history.
Now, the flaw has been rectified and corrected. In fact, we could have run this complicated, double system on the East-West Line, plus the Tuas West Extension, but I decided "no". Let us separate the two stretches; we run shuttle buses and the service is not too highly compromised and this way, we ensure maximum safety for our commuters.
Mr Dennis Tan Lip Fong: I thank the Minister. I understand the explanation about the problem which is created by the software logic issue. But my two questions today focused on the driver's access to the braking system of the train. This is important because whether it is a software logic issue that creates any situation or any other kind of glitch, software or otherwise, I would like to ask the Minister, whether in that accident or in ordinary circumstances, whether the train is operating on automatic mode or controlled manual mode, what is the access the driver or the OCC has to apply emergency braking, and what would be that expected reaction time?
Mr Khaw Boon Wan: I would not know enough to know what sort of reaction time is reasonable. But based on the logs and review by the experts, they felt that the train operator was just not able to react in time. Because the driver might have to switch from the automatic to manual mode, and from the manual mode, he could have activated the emergency button.
On hindsight, it is easy to say, "Why did you not do this?" and "Why did you not do that?"
A few months ago, I had a friend, a corporate lawyer, who called me frantically. He is a very safe, responsible driver. He was driving in Singapore. As he approached a pedestrian crossing, he was quite clear that there was nobody. He slowed down but he did not stop. We do not normally stop in front of the pedestrian crossing unless we know that there is a pedestrian. But the next second, he saw somebody on an e-scooter flung onto his windscreen. The rider must have been speeding right through. But that was when my friend stopped, came down, assisted and called the ambulance. The rider was admitted to the hospital.
A few days later, he was informed by the hospital that the victim died. My friend was totally traumatised. He knew he would be charged, he expected to be punished but he was very worried that he would be jailed. Being a lawyer, he checked up the law and asked me for advice. I am not a lawyer; I cannot advise him much. But as a layman, I wonder: when you do not have sufficient reaction time, are you responsible? To what extent are you responsible?
I asked him to get a lawyer and a proper forensic to see whether it could ascertain the speed of the e-scooter.
I think the Joo Koon situation is something like this, too. At that moment, was the train driver able to respond in time? Thirty-six metres, yes, it is not a short distance, but the speed was 18 kilometres per hour.
Mr Deputy Speaker: I think we move on to the next Parliamentary Question.
Mr Dennis Tan Lip Fong: I have just one more clarification.
Mr Deputy Speaker: Alright, I will just allow the last question.
Mr Dennis Tan Lip Fong: Thank you, Deputy Speaker. I appreciate that.
I thank the Minister for his answer. Just one clarification on what he just said. Perhaps the Minister could clarify to the public: when a train is on automatic mode, is each driver required to switch to control manual mode, before he can apply the brakes, or he has access to emergency brakes, even in automatic mode?
Mr Khaw Boon Wan: I think it would depend on the design. I am not perfectly sure of the answer, but I will check. Let me check.