The Washington Metropolitan Area Transit Authority (WMATA) has some explaining to do. Yet another damning report on MetroRail appeared in The Washington Post yesterday, and the apparently failure-prone ‘fail safe’ Automatic Train Protection (ATP) system is again at the center of it.

Metro has a two-layer system designed to prevent trains from slamming into one another. First, Automatic Train Control (ATC) usually runs the trains automatically and makes sure that trains don’t enter a ‘block’ (circuit) occupied by another train. If ATC is off and the trains are running manually, or if ATC fails, the secondary ATP system [supposedly] kicks in and cuts power to a train entering an occupied block.

The problem is that both systems rely on a single, non-redundant network of track circuits. If a track circuit fails, both ‘layers’ of the protection system evaporate into nothingness. This is how the collision happened in June; both layers of the ‘fail-safe’ system got bad data from one bad track circuit and, because there was no independent backup, people died.

Now we learn that there are other single points of failure besides the non-redundant track circuits. On March 2 of this year, almost three months before the deadly collision, a train was entering an underground station and the train operator, noticing that the train wasn’t slowing down fast enough, hit the emergency brake (colloquially called the ‘mushroom’ because of the button’s shape). The train still overran the platform (which, horrifyingly, is a ‘fairly common occurrence’ according to the article), but nobody was hurt.

The train was taken out of service, and life went on.

A full week later, when officials reviewed the train logs, Metro learned that the train had stopped less than 500 feet behind another train stopped in the tunnel. In all likelihood, if this had happened in a tunnel between stations, or if the driver had been less attentive, another terrible, deadly collision would have occurred . . . especially considering that the following train was another old, outdated, unsafe ‘1000 series’ car that the National Transportation Safety Board (NTSB) had asked Metro to remove from service many years ago.

So what happened? In this case, a single failed relay on the train resulted in the train not properly receiving signals from the ATC and ATP systems. Once again, the ‘fail-safe’ system simply ain’t fail-safe. There is no redundancy. In the absence of a signal from ATC and ATP—whether because of a failed circuit on the track or a failed relay in the train—trains simply hit the accelerator and plow merrily along until somebody intervenes manually.

Engineers should know better when they are playing with people’s lives.

On tractor trailers—you know, the big 18-wheelers—the trailer has air brakes. We’ve all seen action movies where somebody crawling around on the outside of a truck cuts or breaks the pneumatic line to these brakes, leaving the truck unable to stop. This makes for some great action scenes, no doubt, but it’s not realistic. You see, the air brakes on a truck trailer work in the inverse. Air pressure holds the brake open. If you cut the line, eliminating the pneumatic pressure, the brakes are applied at full force and the truck comes to a stop. I’m sorry to have to ruin those action movies for you.

This is how you engineer a safe system. In the event of a failure of any kind, the moving vehicle should stop until the failure can be remedied. The vehicle should never be engineered to assume everything is a-okay in the absence of data; it should assume things are horribly wrong and stop immediately until safety can be assured (except, of course, in aircraft where an immediate system shutdown would cause far worse safety problems . . . this is an exception, not the rule).
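The two failure modes above (a bad track circuit in June, a bad onboard relay on March 2) and the air-brake principle come down to one design choice: what a controller does when its input is absent. The following is an added, constructed model, not anything from the article or from WMATA; component names, scenarios and the "stop"/"proceed" commands are illustrative assumptions. It shows why two layers reading one shared input add no protection, and how a restrictive default closes the gap without stopping trains that are genuinely clear to run.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of the two-layer protection scheme described in the post.
# Nothing here is WMATA equipment or logic; it is an illustration of defaults.

@dataclass
class Scenario:
    train_ahead: bool   # ground truth: is the next block actually occupied?
    circuit_ok: bool    # is the track circuit healthy?
    relay_ok: bool      # is the onboard relay healthy?

def received_occupancy(s: Scenario) -> Optional[bool]:
    """What the onboard equipment sees. Both ATC and ATP read this same path,
    so a failure anywhere along it blinds both layers at once."""
    if not (s.circuit_ok and s.relay_ok):
        return None     # no valid data at all, only an absence of signal
    return s.train_ahead

def permissive_default(s: Scenario) -> str:
    """As described in the post: anything but an explicit 'occupied' means proceed."""
    return "stop" if received_occupancy(s) is True else "proceed"

def restrictive_default(s: Scenario) -> str:
    """Fail-safe default: only an explicit 'clear' releases the brakes, the way
    a trailer needs air pressure present to hold its brakes off."""
    return "proceed" if received_occupancy(s) is False else "stop"

def two_layer(policy: Callable[[Scenario], str], s: Scenario) -> str:
    """ATC plus ATP: two layers, but one shared, non-redundant input path,
    so the second layer can never disagree with the first."""
    atc, atp = policy(s), policy(s)
    return "stop" if "stop" in (atc, atp) else "proceed"

SCENARIOS = [
    Scenario(train_ahead=False, circuit_ok=True,  relay_ok=True),   # normal running
    Scenario(train_ahead=True,  circuit_ok=True,  relay_ok=True),   # normal stop
    Scenario(train_ahead=True,  circuit_ok=False, relay_ok=True),   # bad track circuit
    Scenario(train_ahead=True,  circuit_ok=True,  relay_ok=False),  # bad onboard relay
]

def unsafe_outcomes(policy: Callable[[Scenario], str]) -> List[Scenario]:
    """Scenarios where a train is ahead yet the combined command is 'proceed'."""
    return [s for s in SCENARIOS if s.train_ahead and two_layer(policy, s) == "proceed"]

if __name__ == "__main__":
    print("permissive default:", len(unsafe_outcomes(permissive_default)), "unsafe scenarios")
    print("restrictive default:", len(unsafe_outcomes(restrictive_default)), "unsafe scenarios")
```

With the permissive default, both single-component failures produce a "proceed" into an occupied block; with the restrictive default none do, while the healthy, clear-block scenario still runs.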

The fact that Metro’s safety systems have any single point of failure is appalling. That they have multiple single points of failure is reprehensible. There is not a word strong enough to condemn the reality here though: there are multiple single points of failure, in the event of a failure trains just keep going at full throttle, Metro has known about these problems and has done nothing, Metro has ignored NTSB recommendations about its ‘fail-safe’ systems and the safety of its older cars in collisions, and Metro has done everything it can to keep all of this under wraps for years (possibly decades).

This has gone too far for too long. Every single member of the Metro board, every single leader of the agency, every last decision maker who has been involved in this debacle must be removed from their positions. As to their replacements, I’m sure any cadre of first-year engineering students at any major university would be up to the task and would do a far better job.