2004 Q1 Fail safe
#1
An attempt for comments please.
Done with no time limit (and intermittently over several days) and open books, so not representative of exam conditions.


Attached Files: 2004Module1Exam.pdf, IRSE-Mod1-2004-Q1-DAP.pdf
#2
(03-02-2016, 10:05 AM) dorothy.pipet Wrote: An attempt for comments please.
Done with no time limit (and intermittently over several days) and open books, so not representative of exam conditions.

Good initial definition.

Relay: good example, but whereas the old shelf relays use gravity, a 930 series relay does not; there are in general multiple springs which carry the contacts, all acting on the armature, and on some types an additional spring.

ATP balise: broadly ok.
Systems are generally designed such that the failure to read any one balise will not bring the train to a halt. You appear to be describing broadly an ETCS Level 1 system, and therefore the train will have been given a Movement Authority for a length of line, so it is more a question of that distance/speed profile not being updated should a later balise be missed; but eventually, yes, the train will come to a stand prior to the Limit of Movement Authority that it holds. For an ETCS Level 2 system the vast majority of the balises are really only position references to reset any odometry errors, the Movement Authority being received via the GSM-R. In this case failure to read a balise will result in the train's knowledge of its position becoming less certain; it is the behaviour of the on-board system in how it determines the worst cases (Max Safe Front End and Min Safe Rear End) for where the train might be which makes the overall system safe.
I guess, because I know you and your experience (though the examiners almost certainly would not have guessed this), that you are thinking of GWML ATP. In this somewhat antiquated system then I think you are right that if the train finds that it has gone beyond the place it expected to find a balise, then it will drop out of Full Supervision and, unless the driver acknowledges, it will brake. It then takes the train to pass over two further balises before it can transition from Limited Supervision to Full Supervision again. If we assume that the signal for which the balise was missed was the last Green before a restrictive sequence, then the balise for the signal at Double Yellow is only used to inform the onboard of distance and direction, and it would be on passing the Single Yellow that ATP will know that the train is now approaching a Red and would emergency brake, but with insufficient braking distance left. On 3-aspect signalling it would be worse, since it would only be on passing the Red that ATP would become aware (not sure if it would take any cognisance of any infill loop preceding the Red if not yet back in FS). So yes, there could be an accident if the driver acknowledged that protection had been lost and then disregarded the next aspects, but actually the risk would appear to be extremely low: as well as the missing balise, an accident sequence would require this to occur just prior to the presence of a restrictive sequence and a driver inexplicably failing to respond, in close juxtaposition to each other.

I wonder whether this was the best choice for a 2nd example- I really can't decide. 
On the plus side it is very different and could form a good contrast; on the minus side I tend to think that "Failsafe" is a rather traditional concept of quite basic mechanistic, deterministic systems, whereas once computers and software are involved then you are in the realm of statistical probability, safety by combinations such as 2oo3 etc. The high level objective is certainly still failsafe, and this example does fit within your definition at the system level, but it certainly doesn't apply all the way down the hierarchy in the same way as the signal aspect / track relay / track circuit example. Perhaps the best thing to have done was to have kept it as your 2nd example but made the difference between them explicitly clear.

I think in your discussion re relay failure modes that are not failsafe (1) you should have mentioned silver migration on the plugboard and made it clearer that the relay coil could receive a voltage through some false path which perhaps involved a failure of insulation between wires or indirectly via an earth fault.

Example of balise (1) didn't convince me that it fitted "impossible to guarantee that component will always result in the known state".  I didn't disagree with what you wrote per se, but didn't seem to align.  In fact it would seem to fit (2) rather better- additional degraded working increasing overall system risk.

Example of relay (2). Think you'd have done better to have started by pointing out that tracks occupied are sometimes used to give releases, and so the defined "safe" state can sometimes lead to a Wrong Side Failure. Then explain how Raynes Park control allows the WSF effect of a false Approach Release to be largely protected against, before explaining that there are situations where the safe state is less obvious.

Example of balise (2)
Not quite sure why you say the stopping of the train will create uncertainty as to its position.
Don't disagree factually with the remainder of what you wrote, and can see your argument that if the result of a missing balise is to lose protection then this may not be a design for the lowest risk solution; however, it didn't seem to me to be expressed very clearly.

Your choice of the balise as the 2nd example is now looking poor; I did like your last para in section 1b though.

Q1c

Generally ok- however by treating these as "alternative techniques" here then that reinforces the feeling that you should not have used the balise example earlier.

Perhaps when discussing 2oo3 and 2oo2 you should have mentioned "negation time", the time window which exists before any disagreeing sub-system is shut down. Similarly applies to the reading back of the actual state of electronic outputs to ensure they match intention.

Fault tolerance is really about the ability of a system to keep going, perhaps in a degraded mode, in the presence of faults. What you have described I think is something rather different, almost the opposite (and is arguably more important): a sub-system undertaking consistency checks between combinations of its inputs so that it does not respond to undertake an action that might potentially be unsafe just because of a single trigger that might be false. For example there can be "anti-valence" proving of inputs (e.g. input for track clear cross-proved against input for track occupied) or cyclic proving (e.g. not only prove a TPWS VCR is present when the signal is at red but also prove it is lost once the signal is cleared to a proceed aspect) to give confidence of cause and effect as expected.

Overall I thought this answer was pretty good, but that you really needed a better second example chosen of "pure fail-safety" in order to have been able to answer the middle portion better and keep distinct from the last portion.

It might have been better to have restricted your first example to be a relay (or perhaps the methodology of implementing route locking within a relay interlocking) and used the way a dc track circuit is used to control the aspect of signals as the second example. Alternatively you could have used the example of a mechanically operated semaphore signal, or the operation of an Automatic Half Barrier Crossing.
PJW
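The following is an added worked example, not part of the original thread, the exam paper or the candidate's answer. It simulates two of the points made in the review above: a 2oo3 voter with a "negation time" window before a disagreeing lane is shut down (degrading to 2oo2, and then to the restrictive state once a quorum can no longer be formed), and input proving, both anti-valence cross-proving of a track clear / track occupied pair and cyclic proving of the TPWS VCR against the signal aspect. The class and function names, the window lengths and the sample scan cycles are all assumptions made for illustration.

```python
"""
Added example (not from the original thread, the exam paper or the candidate's
answer): a small simulation of two ideas from the review above.

1. A 2oo3 voter with a "negation time": a lane that keeps disagreeing with the
   voted output is tolerated for a bounded number of cycles, then shut down.
   Once fewer than two healthy lanes remain, the output is held restrictive.
   With two lanes left the same rule degrades to 2oo2 (both must agree on
   permissive).
2. Input proving: anti-valence cross-proving of a complementary pair
   (track clear / track occupied) and cyclic proving of cause and effect
   (the TPWS VCR input must be present while the signal is at red and must
   have been lost once the signal is cleared).

The names, the negation window of 3 cycles, the settle window of 2 cycles and
the sample cycles are all assumptions made for illustration.
"""
from dataclasses import dataclass, field

RESTRICTIVE = False  # the designed "safe" state (signal at danger, track occupied)
PERMISSIVE = True


@dataclass
class Voter2oo3:
    negation_cycles: int = 3  # assumed tolerated disagreement window
    healthy: list = field(default_factory=lambda: [True, True, True])
    _disagree: list = field(default_factory=lambda: [0, 0, 0])

    def vote(self, lanes):
        """lanes: three booleans, True meaning the lane asks for PERMISSIVE."""
        active = [i for i in range(3) if self.healthy[i]]
        if len(active) < 2:
            return RESTRICTIVE  # no quorum possible: fail safe
        permissive_votes = sum(1 for i in active if lanes[i])
        output = PERMISSIVE if permissive_votes >= 2 else RESTRICTIVE
        # Negation time: count consecutive disagreements per lane; a lane that
        # stays in disagreement beyond the window is removed from the vote.
        for i in active:
            if lanes[i] != output:
                self._disagree[i] += 1
                if self._disagree[i] > self.negation_cycles:
                    self.healthy[i] = False
            else:
                self._disagree[i] = 0
        return output


def run_cycles(voter, cycles):
    """Feed a list of (lane0, lane1, lane2) tuples through the voter."""
    return [voter.vote(lanes) for lanes in cycles]


def prove_antivalent(track_clear, track_occupied):
    """Cross-prove a complementary input pair. Returns (state, fault).

    Only one combination (clear asserted, occupied not asserted) yields
    PERMISSIVE. Both asserted or both absent cannot happen with healthy
    wiring, so it is flagged as an input fault and treated as occupied.
    """
    fault = track_clear == track_occupied
    state = PERMISSIVE if (track_clear and not track_occupied) else RESTRICTIVE
    return state, fault


@dataclass
class CyclicProver:
    settle_cycles: int = 2  # assumed time allowed for the effect to follow the cause
    fault: bool = False
    _mismatch: int = 0

    def check(self, signal_at_red, vcr_present):
        """Prove cause and effect both ways on each scan: the VCR must be
        present while the signal is at red and absent once it is cleared.
        A mismatch that outlasts the settle window latches a fault."""
        if vcr_present == signal_at_red:
            self._mismatch = 0
        else:
            self._mismatch += 1
            if self._mismatch > self.settle_cycles:
                self.fault = True
        return not self.fault


def demo():
    """Constructed scenario: lane 2 fails to restrictive, later lane 1 too."""
    voter = Voter2oo3()
    cycles = [(True, True, True)] * 2 + [(True, True, False)] * 5 \
        + [(True, False, False)] * 5
    outputs = run_cycles(voter, cycles)
    return outputs, voter.healthy


if __name__ == "__main__":
    outputs, healthy = demo()
    print("voter outputs:", ["P" if o else "R" for o in outputs])
    print("healthy lanes:", healthy)
    print("antivalence, both inputs asserted:", prove_antivalent(True, True))
```

In the constructed scenario the output stays permissive while lane 2 is outvoted during its negation window and after it is shut down (2oo2 on the remaining lanes), then falls restrictive as soon as the two surviving lanes disagree, and stays there once a second lane is removed and no quorum remains. The anti-valence check shows why "both inputs say occupied" and "both inputs say clear" must be treated identically: either is evidence of a false feed or broken wire, not of a clear track.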
#3
Thanks for this. The examples I was initially thinking of were a bit similar, hence putting a Track relay against a balise instead of AWS electromagnet. Evidently my knowledge of GWML ATP (and ETCS) is rather more sketchy than I thought!