Wednesday, June 24, 2009

Metro Train Crash Update: Design Defects?

Washington DC. The Associated Press reports that the NTSB found anomalies in track sensors which, in simulations, prevented transmission of information vital to controlling the speed and movement of the train, and that the transit workers' union has demanded that operators be allowed to choose whether or not to operate in automatic mode. Investigators found the control in the operator's cab in the automatic operation position. Are the operators not authorized and trained to take the train out of automatic operation in a braking emergency?

Logically, the trains should be designed to disengage automatic operation on their own the moment the emergency brake is applied. It may be asking too much to expect an operator to remember, or to have time in an emergency, to disengage the automatic control, which is continuously applying power to move the train forward, before applying the brake. Yet failure to do so would pit the manual brake against the computer-controlled propulsion system ("engine"), likely rendering the braking action ineffective. That is consistent with the NTSB's initial findings that the brake rotors were fused from apparent emergency braking over several hundred feet, while passengers reported that the train never slowed before impact.

Inadequacies are therefore apparent in train design (no throttle or "autopilot" that disengages automatically when the brakes are applied?), in training (operators not trained and frequently drilled to disengage computer control before braking, if there is no automatic disengagement?), or in operator error (failure to follow such a procedure, if so trained). But if automatic disengagement of computer control on emergency braking is not part of the design, it would be hard to assign much blame to the operator in the face of such a blatant apparent design defect.
And with respect to the track sensors in question, is there no redundancy in the design? The recent Air France plane crash seems to have involved inconsistent readings from three different pitot tubes, there being three so that, if one or two failed, at least one would hopefully still work. Similarly, if there were multiple independent track sensors, connected through independent wiring to independent computers, the failure of one need not lead to catastrophic consequences, and the system could presumably be programmed to abort computer control or automatic operation of the train in the event of conflicting data or instructions.

One means of achieving effective redundancy near stations would be to make the track circuit blocks shorter than the length of the trains, so that every train would always occupy at least two track circuits. Then, if one detection circuit failed, as appears to have happened in this case, at least one properly functioning circuit would likely remain available to transmit the information needed to prevent a collision by the following train. Any failure to incorporate both redundancy and disengagement of automatic train control when the manual brake is applied would appear to constitute a critical design defect.
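To make the two design arguments above concrete (the brake-overrides-propulsion interlock, and blocks shorter than the train so a single failed circuit cannot hide it), here is an added toy model written for this post; it is not Metro's control logic, and the block lengths, train length and the "stuck at clear" fault are constructed values for illustration.

```python
from math import floor

def blocks_under(rear, length, block_len):
    """Indices of the track circuit blocks touched by a train whose rear is
    at `rear` metres and which extends `length` metres ahead of that point."""
    first = floor(rear / block_len)
    last = floor((rear + length) / block_len)
    if (rear + length) % block_len == 0:
        last -= 1          # a train ending exactly on a boundary stays out of the next block
    return set(range(first, last + 1))

def detected(rear, length, block_len, failed):
    """True if at least one healthy circuit still reports the train present.
    `failed` is the set of circuit indices stuck at 'clear' (the kind of fault
    suspected above); a failed circuit contributes nothing to detection."""
    return bool(blocks_under(rear, length, block_len) - set(failed))

def always_detected_with_one_fault(length, block_len, step=1.0, span=1000.0):
    """Walk the train along `span` metres of track in `step` increments and, at
    each position, fail every circuit it touches one at a time. Returns True
    only if some healthy circuit sees the train in every case, which holds
    exactly when the train is always spread over two or more blocks."""
    rear = 0.0
    while rear < span:
        for b in blocks_under(rear, length, block_len):
            if not detected(rear, length, block_len, {b}):
                return False
        rear += step
    return True

def ato_command(emergency_brake, occupancy_readings):
    """Automatic train operation decision: (mode, traction percent).
    `occupancy_readings` are 'block ahead occupied?' votes from independent
    sensor channels (hypothetical redundant channels, as argued above)."""
    if emergency_brake:
        return "manual", 0     # the brake disengages ATO; it never fights propulsion
    if len(set(occupancy_readings)) != 1:
        return "manual", 0     # channels disagree: abort automatic control, fail safe
    if occupancy_readings[0]:
        return "auto", 0       # block ahead occupied: hold
    return "auto", 100
```

Running `always_detected_with_one_fault(150, 100)` versus `always_detected_with_one_fault(150, 200)` shows the argument directly: with 100 m blocks a 150 m train survives any single circuit failure, with 200 m blocks it can vanish entirely.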
