One interesting thing I've noticed is that subway systems, long home of one of the more iconic failsafes, the big red lever behind glass connected directly to hydraulic brakes, are moving away from that. An old-style subway (like NYC) has emergency-stop-in-place levers that cause the train to screech to a halt immediately. But automatic train systems, like the Copenhagen Metro, have a similar looking lever that is just a computer signal that signals an emergency condition. The default response (according to the fine-print under it that I recently read) is that the train will continue on to the next station, open its doors, and then hold until further instructions.
That part I assume is on purpose, because even a computerized system could have "stop immediately" as the default policy when the emergency lever is pulled. Would be interesting to read the analysis that led to the decision. My guess is that it's because on-train issues are statistically the most likely emergency situation a passenger would signal (heart attacks, fights, etc.), in which case continuing to the next station (typically 30-90 seconds) where emergency staff can meet the train and access it, rather than stopping in the middle of a subway tunnel or elevated rail segment, is the most sensible policy.
NYC subways have additional safety features - if the track signals indicate stop (due to imminent collision with another train, for example), there are tripcocks. These raise from the tracks, and catch on the bottom of the train, causing it to hard brake immediately.
Failsafes don't always fail safely. Take the unmanned Chicago subway train that cruised through the failsafes and crashed into another train, two weeks ago. Another article quotes a CTA official as not knowing how it could have escaped the yard without the brakes tripping.
Many of the newer NYC trains, I am told, are more complicated - an emergency lever pull (someone caught in the doors) should hard-brake the train. If it's travelled more than 1000 feet, it is assumed the train is already in the tunnel, and the lever just signals the conductor, who presumably will radio for help and tell the operator to hold at the next station. I guess this implies that there's a computer inline.
The tripcocks, I hope, are still connected directly to the brakes.
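To make the two kinds of emergency path discussed in this thread concrete, here is an added model (my own illustration, not code from any transit system or commenter): a mechanical path that brakes without consulting any controller, and a computer-interpreted lever path whose response is a policy. The 1000-foot threshold comes from the thread; the heartbeat check, the policy names and the fallback-to-brake rule are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NORMAL = "no intervention"
    HARD_BRAKE = "apply brakes immediately"
    SIGNAL_CONDUCTOR = "alert conductor; hold at next station on instruction"
    HOLD_AT_NEXT_STATION = "continue to next station, open doors, hold"


# Threshold quoted in the thread for the newer NYC trains.
LEVER_BRAKE_DISTANCE_FT = 1000


@dataclass
class TrainState:
    feet_since_departure: float
    controller_alive: bool   # recent heartbeat from the on-board controller (assumed signal)
    tripcock_tripped: bool   # mechanical trip arm caught the train (stop signal passed)
    lever_pulled: bool       # passenger emergency lever


def decide(state: TrainState, policy: str) -> Action:
    """policy is 'nyc' (distance rule) or 'copenhagen' (hold at next station)."""
    # Mechanical path first: a tripped tripcock brakes regardless of whether
    # any computer is alive, mirroring a lever wired straight to the brakes.
    if state.tripcock_tripped:
        return Action.HARD_BRAKE
    if not state.lever_pulled:
        return Action.NORMAL
    # Fail-safe default for the computerised path: if the controller that
    # would interpret the lever is not alive, degrade to braking rather than
    # silently doing nothing (assumed design choice, not from the thread).
    if not state.controller_alive:
        return Action.HARD_BRAKE
    if policy == "nyc":
        # Within 1000 ft the train is assumed still at the platform (doors
        # incident), so brake; beyond that it is assumed to be in the tunnel.
        if state.feet_since_departure <= LEVER_BRAKE_DISTANCE_FT:
            return Action.HARD_BRAKE
        return Action.SIGNAL_CONDUCTOR
    if policy == "copenhagen":
        return Action.HOLD_AT_NEXT_STATION
    raise ValueError(f"unknown policy: {policy}")
```

The ordering matters: the mechanical check and the dead-controller fallback sit above the policy logic, so a controller failure can only make the system more conservative, never less.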