Why it's safe to take the train
A railway-safety feature walkthrough
Introduction: Safe by design
Unlike other transportation systems (such as MIT = motorised individual transportation, i.e. cars and roads), the railway system is inherently stable. It is indeed designed for safety and, unless many things go terribly wrong all at once, safe by design.
"Inherently stable" means that the system will, in any case of incident or accident, fall back to a safe state. With an unstable system such as a populated motorway, an accident will usually lead to a cascade of further accidents; with a stable system such as a railway mainline, an accident will cause delays and inconvenience at worst, but no further accidents.
OK. Now let's consider a train that wants to go from A to B.*
Signals, points and interlocking
The basic rule of all railway traffic is that a train can only proceed on a route that is both locked and free.+ Locked means exactly that: physically locked down. When points are switched, they are more or less clamped down in the end position and the point machine reports back that it has successfully cycled.
Now, a route consists of an entire sequence of points, and different routes exclude each other. They interlock: when one is set and locked (i.e. the signal box has been informed that all the points have cycled and locked in the correct position), other routes are forbidden. This is partly because points that are part of several possible routes cannot be in both positions at once (logical, isn't it?), partly because of safety considerations such as flank protection: when a route is locked, all points that could lead trains into the route must be set so as not to. Sometimes, derailers are also used -- you see the pattern: it's better for a train to derail than to crash into the side of another one.
Only when a route has been set and locked is the corresponding proceed signal allowed to turn green -- provided the block section is free (see below).
All these interlocks and dependencies are noted in a large table of all possible routes and the exact turnout settings they demand. This implies mutual exclusions, which used to be realised in the signal box by physical levers and sliding rods. Later, electric all-relay signal boxes came into fashion; they use special safety relays which are protected against welded contacts and the like. Today, high-redundancy computer systems are used, running software that has been mathematically proven to be correct (a long and costly process). Of course, all central signal box equipment is protected from blackouts by batteries (see UPS) and diesel generators.
However, now that the route is locked, for our train to go anywhere it has to be free, too. That means that a train can only proceed at a main signal if there is no train between this signal and the next. A railway signal is no mere traffic light -- to make sure the driver will not misread it, signals consist of several lights so they cannot be mistaken for another signal even if one light has burned out; furthermore, the lightbulbs used usually have two incandescent wires and a way of alerting the maintenance personnel if one or both of them break.
To make sure the mentioned section of line (block section) is free, an observer or (today, nearly always) a technical device checks that any train that has entered the section has come out again. This check is done not directly at the signal, but 1000 m beyond it, because it could happen that a train, having missed the advance signal that advises it to stop, starts braking only at the main signal, which means it will come to a standstill some distance beyond it.
The abovementioned technical device can be either a track circuit~ that checks for wheelsets electrically connecting both rails (if there are, the section is not free) or (at least) a pair of axle counters: one counts the number of axles going into the block section, one the number exiting it, and if the same number comes out again, the block must be free. (If it's less than the number having gone in, Bad Things have happened, a coupling has given and part of the train is standing inside the block, waiting for recovery.)
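The route table, mutual exclusion, flank protection and the axle-counter block check described above, as an added toy model (not signal box software): the junction layout, the route and flank demands and the axle counts are all constructed for the illustration.

```python
# Constructed junction: three points, three routes. ROUTES lists the
# position every point on a route must hold; FLANK lists extra points that
# must be set away from the route (flank protection) while it is locked.
ROUTES = {
    "R1": {"P1": "normal", "P2": "normal"},
    "R2": {"P1": "reverse"},
    "R3": {"P3": "reverse"},
}
FLANK = {"R1": {}, "R2": {"P2": "normal"}, "R3": {"P1": "normal"}}


class Interlocking:
    def __init__(self):
        self.commanded = {"P1": "normal", "P2": "normal", "P3": "normal"}
        self.detected = dict(self.commanded)   # what the point machines report back
        self.locked = set()
        self.axles_in = 0      # axle counter at the block entrance
        self.axles_out = 0     # axle counter at the block exit

    def demands(self, route):
        return {**ROUTES[route], **FLANK[route]}

    def conflicts(self, route):
        """Locked routes that need a shared point in a different position."""
        want = self.demands(route)
        return [r for r in self.locked
                if any(want[p] != pos for p, pos in self.demands(r).items() if p in want)]

    def set_route(self, route):
        """Lock a route; refused while any conflicting route is locked."""
        if self.conflicts(route):
            return False
        for p, pos in self.demands(route).items():
            self.commanded[p] = pos
            self.detected[p] = pos          # point machine reports a successful cycle
        self.locked.add(route)
        return True

    def block_free(self):
        # Axle counters: every axle that went in must have come out again.
        return self.axles_in == self.axles_out

    def signal_aspect(self, route):
        """Proceed only if locked, all points detected as demanded, and block free."""
        if route not in self.locked:
            return "stop"
        if any(self.detected[p] != pos for p, pos in self.demands(route).items()):
            return "stop"
        return "proceed" if self.block_free() else "stop"
```

Every failure (conflicting route, lost point detection, axles missing from the block) leaves the signal at stop; the model only ever has to prove the positive case to clear it.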
Brakes
OK. So, what makes sure the mentioned 1000-metre threshold is enough? I.e. what ensures that any train will have a braking distance less than 1000 m?
Of course: it's the brakes. A compressed air line fed by a locomotive-side compressor runs from one end of the train to the other, connecting brake controllers, each with its own air tank which it fills from the main line. (To ensure interoperability, only UIC-approved standardised designs are allowed for brake controllers.) Lowering the pressure on the brake line causes the brakes to be applied by pressure from these air tanks; this means that, when a train and, with it, the brake line, is torn apart, both parts will emergency-stop. (This is the same thing that will happen when you pull the emergency brake because someone has thrown your Mum out of the train (usually -- see below). Application of the brakes will in this case propagate down the train faster than the speed of sound, due to special accelerator devices in the brake controllers that respond to the shockwave going down the brake line rather than the absolute pressure, boosting the wave on its way.) Modern brakes are designed so that the train's supply of compressed air cannot be exhausted; they make sure that the brake controller's air tank will fully replenish when an applied brake is released.
When a train is assembled, a table of all vehicles in the train with their masses and the performance of their brakes is drawn up and signed; whenever the composition of a train changes, this table has to be updated. Creation and updating of this table go along with a brake test, where it is checked that the locomotive (if it's not a MU) delivers sufficient compressed air, that all brake hoses are correctly coupled and that the brakes will apply correctly upon opening of the driver's brake valve.
All vehicles are equipped with adequate brakes to allow stopping inside of 1000 metres at a speed of 160 km/h, which is the regular speed limit. The brake test makes sure everything works and is in the proper setting.
At certain speeds, official regulation demands a certain number of fully independent braking systems. Along with the usual shoe brakes and disc brakes, magnetic rail brakes are used to guarantee the maximum braking distance; they consist of large shoes that, when braking, lower themselves onto the rails and cling to them electromagnetically, rapidly decelerating the train. Eddy current brakes are used on the ICE 3; they also have magnets, yet not touching the rails: braking is done by inducing eddy currents in the rails. Electric locos, EMUs and diesel-electric vehicles have dynamic braking or even regenerative braking, where motors act as generators; diesel-hydraulic locos and MUs feature retarders (hydraulic brakes).
To ensure trains do not go faster than the 160-km/h speed limit, warning devices prevent the driver from exceeding that speed (or the maximum speed of their train or MU consist, if lower).
On modern trains, regular brake operation is electronic (via the UIC-standard data bus); this kind of brake is called electro-pneumatic brake. Note that this is just a comfortable, nearly delay-free way of controlling the standard pneumatic braking system; no safety is lost when it does not work. However, electro-pneumatic braking is a must for another safety feature: Emergency Brake Override (NBÜ).
This sounds scary, and effectively it is what it sounds like: on a train with this active, pulling the emergency brake will not emergency-stop it at once, but inform the driver that there has been an emergency. The driver will then electronically override the valve and ask the train crew to look for the emergency over the P.A. system (using a code phrase that does not instill panic in the public). The crew will then manually reset the emergency brake valve if, as is usually the case, it has been pulled by accident. Otherwise, the driver will release the override as soon as it is safe for the train to stop, the objective of the whole exercise being to avoid a burning train stopping in a tunnel (not heavy rail, but a gruesome example was the Kaprun train disaster).
Train control
OK. So our train has working brakes to assure it will be able to stop inside of 1000 m, and it is going down a locked route in a free block section. What happens if the driver falls asleep or dies?
You guessed it: there's a safety device (Sifa) somewhat like a sophisticated dead man's switch. The driver has to press a button every 30 seconds, give or take five. (Of course, he has to release that button again, so weighing it down with a briefcase will not work!) To give the driver some freedom of movement, there are several Sifa buttons in the cab: usually one in the middle of the control desk, one at each side window and a pedal on the floor which the driver can use while writing, knitting or having breakfast.
Should the driver fail to push that button, optical and acoustic alerts remind him. If there is still no reaction, the train will emergency-stop.
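The Sifa behaviour just described, as an added model that is not the real device's logic: it shows why only a full press-and-release cycle counts (a briefcase on the button never produces the release edge) and how the warning phase precedes the emergency stop. The 30 s interval is the page's figure; the 5 s warning window and the event timings are constructed.

```python
INTERVAL_S = 30.0   # acknowledgement expected every 30 s (the page's figure)
GRACE_S = 5.0       # warning window before the emergency stop; constructed value


class Sifa:
    """Dead-man's device: only a full press-and-release cycle counts."""

    def __init__(self, t0=0.0):
        self.last_ack = t0
        self.pressed = False
        self.tripped = False

    def press(self, t):
        self.pressed = True          # holding the button down changes nothing by itself

    def release(self, t):
        # A briefcase weighing the button down never produces this edge.
        if self.pressed and not self.tripped:
            self.last_ack = t
        self.pressed = False

    def state(self, t):
        """'ok', 'warning' (optical/acoustic alert) or 'emergency' (brakes applied)."""
        if self.tripped:
            return "emergency"       # latched: a later press cannot clear it
        elapsed = t - self.last_ack
        if elapsed <= INTERVAL_S:
            return "ok"
        if elapsed <= INTERVAL_S + GRACE_S:
            return "warning"
        self.tripped = True
        return "emergency"


def run(events):
    """Replay constructed (time, action) events; return the state seen at each 'check'."""
    sifa, seen = Sifa(), []
    for t, action in events:
        if action == "press":
            sifa.press(t)
        elif action == "release":
            sifa.release(t)
        else:
            seen.append(sifa.state(t))
    return seen
```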
A more sophisticated system makes sure the driver will not miss a stop signal. An active resonator on the train, close to the rails, will detect passive trackside resonators connected to signals and tuned to certain frequencies. This has several purposes: the driver is reminded that he's to stop when passing the advance signal; the train's speed is then compared to a standard braking curve to make sure the driver really noticed; and if she is too fast at a pre-signal checkpoint or if she completely missed the signal, the train is --you guessed it-- emergency-stopped. (The system is called punctual train control (PZB) and is about 80 years old.)#
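The braking-curve check described above, as an added simplified model (not the real PZB supervision logic): it derives the deceleration needed to stop from the page's 160 km/h within its 1000 m advance-to-main spacing, turns that into the highest permissible speed at any distance before the main signal, and trips if the driver has not acknowledged the advance signal, is above the curve at a checkpoint, or passes the main signal. The 0.9 warning margin and the checkpoint samples are constructed values.

```python
import math

MS_PER_KMH = 1 / 3.6
SIGNAL_SPACING_M = 1000.0   # advance signal to main signal, as on the page
LINE_SPEED_KMH = 160.0      # regular speed limit, as on the page


def required_deceleration(v_kmh=LINE_SPEED_KMH, distance_m=SIGNAL_SPACING_M):
    """Constant deceleration (m/s^2) that stops v_kmh within distance_m: v^2 / 2s."""
    v = v_kmh * MS_PER_KMH
    return v * v / (2 * distance_m)


def permitted_speed_kmh(dist_to_main_m, decel):
    """Highest speed at which the train can still stop at the main signal."""
    return math.sqrt(2 * decel * max(dist_to_main_m, 0.0)) / MS_PER_KMH


def supervise(speed_kmh, dist_to_main_m, decel, acknowledged, warn_margin=0.9):
    """Verdict at one checkpoint: 'ok', 'warn' or 'emergency'.
    acknowledged: the driver confirmed the advance signal (the reminder on the page).
    warn_margin is a constructed value, not the real PZB threshold."""
    if not acknowledged:
        return "emergency"            # advance signal ignored: the driver did not notice
    if dist_to_main_m <= 0:
        return "emergency"            # main signal at stop passed
    limit = permitted_speed_kmh(dist_to_main_m, decel)
    if speed_kmh > limit:
        return "emergency"            # above the braking curve: cannot stop in time
    if speed_kmh > warn_margin * limit:
        return "warn"
    return "ok"


def run_checkpoints(samples, decel, acknowledged=True):
    """Evaluate constructed (distance_m, speed_kmh) samples; stop at the first emergency."""
    verdicts = []
    for dist, speed in samples:
        verdict = supervise(speed, dist, decel, acknowledged)
        verdicts.append(verdict)
        if verdict == "emergency":
            break
    return verdicts
```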
High-speed traffic
For high speed trains which go faster than 160 km/h, the conventional system of advance signals and main signals does not work well, as the distance between advance and main signal would have to be increased considerably. The alternative is "continuous/linear train control" (LZB), which was first used in 1965. It uses a trackside waveguide and basically puts trains inside of a "loop" transmitting information from a central control station to the train and back.
This allows for advanced cab signalisation where the train is continuously instructed by the control station about its current scheduled speed, speed changes and stops. This takes the form of a simple indicator giving the next speed to change to and a "thermometer display" showing the distance remaining to the scheduled speed change. Usually, the "automatic drive and brake control" (AFB) executes these orders without human intervention. The train driver is relegated to an observation role.
Other safety features
- Standardisation authorities reign supreme: all material for track construction as well as all vital parts of all rolling stock has to be compliant with UIC or national standards.
- High-wear parts such as points are exchanged in regular intervals (I think it's 20 years for points).
- On bridges and in tunnels, protective rails inside the real rails will keep a derailing train on the track. Better an utterly maimed track than a train hitting concrete walls or steel struts or dropping into an abyss.
- Track recording vehicles regularly check whether the parameters of the tracks are still inside the specification; they do this with millimeter precision, using gyroscopes, GPS and lasers; they also check the rails for cracks, using ultrasound and eddy currents.
- Same goes for wheel tires and monobloc wheels: they are regularly checked (with ultrasound etc.) and resurfaced, if necessary.
- With electric locomotives, the pantograph's slider is not simply a piece of coal, but there is a tiny pressurised copper tube inside, connected to a loco-side sensor. If the slider is damaged, it breaks the tube, the air inside escapes, the sensor notices and the locomotive will instantly take the pantograph down to avoid further damage such as tearing down the catenary.
- To detect hot boxes, that is, insufficiently lubricated bearings, trackside infrared detectors are used.
- A lot of care is taken to prevent passengers from getting hurt in train doors or leaving the train in dangerous places. Technical devices or observation by the driver or the rest of the train crew ensure that the train will not leave before all doors have been properly closed. Either right then or at a minimum speed (5 km/h), the doors are then blocked till their release by the driver, so passengers will not accidentally get out, e.g. if the train stops at a signal shortly before a station. Some sophisticated logic assures doors will always open at the proper side of the train.
* This is how it works in Europe, more specifically in Germany (see also Deutsche Bahn). U.S. railways have a different safety philosophy which relies on having a rather low default speed limit (about 127 km/h) and extremely heavy-built rolling stock. This has some benefits in the strange world of U.S. railways, where slow bulk freight is king and passenger services (see also Amtrak) are pretty much only the icing on the cake, but has the obvious disadvantage of making fast services of any kind nearly impossible.
+ There are exceptions to this rule. On written command (can be dictated via radio, but must always be written down and reread), trains can ignore signals and drive on sight, but only at slow speeds.
~ See also Manual Operation of Train Signals (or "Making ding-ding with no choo-choo")
# Before Sifa and PZB existed, trains (be they steam or not) always had two men in the cab for obvious safety reasons.