2008 Q1 SAFETY CRITICAL / RELATED
#1
Quote: Our study group in Brisbane looked at the 2008 paper Questions 1 - 4 last Tuesday and would appreciate some feedback.

We would also like to ask whether the answer reflects the time available to answer three questions.

Thanks,
Hitesh, Laura & Johnson.

I went to town a bit on this one; see attached document with "Track Changes" and also inserted comments.

I have done this because there was very little actually wrong with what you wrote; it was very much along the right lines with definitely some valuable stuff, yet I fear that you would not have done as well as you should.
For me merely to say that it was sketchy and that you needed to give more explanation and examples may not be too helpful, so I decided to spend the time to build on your bare bones to give a more comprehensive answer. I did rearrange the order of your text in the last portion with track changes turned off to avoid too much confusion; I felt that it had descended into a bullet point list of a brainstorm of good ideas by this time and was a bit lacking focus and direction.

I think that for the first two sections the additions I have made to your answer would be representative of what a good answer should present in the exam. For the last section I have put in more than actually you could hope to do in the exam; I did this for two reasons.
1. This was the weakness in your answer; for 50% of the question you had not written enough and I wanted to demonstrate that there was lots to say. I suspect that now I have done so you may well realise that you could actually have come up with much of the content yourselves.
2. I admit that I am a little perplexed what the question was really after here. It seems to be worded to require a discussion of the various detailed design techniques, but to me that would be what I'd be expecting more in a mod 7 or even mod 5 question. So I'd definitely feel that the answer should go deeper into the "7 stage process" than your glib reference to risk assessment because:
i) it is a mod 1 question,
ii) taking the question as a whole it is about the system level hazards etc
Hence here I wrote what I felt I needed to in order to give a good answer overall; in the exam I'd have had to be more selective. I would have still looked at the design concept and the design detail but would have needed to approximately halve both sections.

Note that I decided to show I was addressing both part a and part b by means of the tick applicability presentation; I agree with you that they tend to be closely related but your answer only sometimes made clear to which (or both) of the two elements it was relevant. In the exam it is best to show that you are fully answering everything asked.

===================================================================
Specific comment on TPWS as safety critical.
My problem with this example of Safety Criticality is that it arguably isn't (in the UK at least) engineered like that. Failures do not place the system into what would traditionally have been thought a safe state; it is not "failsafe" by usual definition.
To be honest though, neither truly is AWS, although the chances of a permanent magnet losing its magnetism or being stolen are rather less than the on-track loop failing to radiate its signal (loss of power supply, transmitter fault, cable damage). This is compensated for in some degree by being monitored, with the health being reported to the signaller and the signal in rear being held at red when the TPWS should be active but is not proved as such. However it is certainly not unknown for track workers removing the loops and cables to access sleeper and ballast and reinstating them so that the two cables at a TSS end up on the incorrect one of the pair of loop positions... The result is that although the proving circuit is happy the TSS is ineffective; if the line is reversible this tends to get discovered by the first train in the other direction getting an unwarranted intervention, but most lines are not and the error can remain undetected for a long time (depends on maintenance schedules and how alert the person undertaking them actually is...).

Things like seat belts and anti-lock brakes in cars, lifeboats in ships etc. are all things that in the normal course of events should never be called upon to fulfil their role; however we really would like them to work when the need arises. They are themselves a mitigation to a hazard; they tend to be there to reduce the consequences of an accident, although ABS should reduce the chances as well. TPWS is similar; the TSS only acts once there has been a SPAD (i.e. the hazard has occurred). It may prevent a collision (dependent on the length of the overlap and whether it is a SASPAD or running SPAD) but is almost certain to reduce consequences. The OSS is actually quite likely to prevent the SPAD occurring, even though this is not its prime role. Hence it is all very complicated even to describe in relation to risks and hazards, and it is also not clear whether it is "safety critical" or "safety related". It would warrant a question all to itself and hence I'd avoided being dragged into it in this more wide-ranging question; better to choose an example that is a bit more "cut and dried."
For safety related I would have gone for a VDU route setting / display system for the signaller. The interlocking (safety critical) separates anything it does from the external railway; however, in times of signalling failure in particular, the signaller is almost wholly dependent upon the integrity of its indications when authorising a train to pass a signal at danger, although of course the risk is mitigated by the driver proceeding at very slow speed ready to stop short of any obstruction. It is possibly a bit simplistic, but I tend to regard any function that is only called into use when the primary system has failed as only "safety related"; the risks ought to be low purely because the main system ought to be sufficiently reliable that the "back up" is only used rarely. Of course you need to demonstrate that numerically, but if the assessed risk is low enough then a SIL 2 implementation is good enough, which is where I think the question was being aimed.

Conversely, the train stops as implemented on London Underground I feel are a much better example of "safety criticality"; in many ways these are actually regarded as more important than the red/green lights shown to the driver. Whereas traditionally on UK mainline the overlap has been a somewhat nominal allowance for braking misjudgement and rail conditions on approach to a signal, and hence a vague allowance to accommodate a slight overrun, the role of the overlap on LU has always been that distance in which a train can be expected to be brought to a stand from an intervention at the train stop. This puts a whole different complexion upon things and in this context I am sure there would be no debate re Safety Criticality; traditional implementation is certainly to "failsafe" principles. NR for New Works has now moved towards the same situation by calculating TPWS provision according to approach speed and Safe Overrun Distance available, somewhat different from the blanket retrofit criteria. The role of ATP on NR has always been somewhat ambiguous in my opinion; initially they were only "trial" systems, so although engineered as safety critical they were not at time of commissioning really regarded as essential (although the Southall accident has rather changed that now!). ETCS is certainly "safety critical"; hence I am not actually disagreeing with your contention that TPWS should be, only that with so much to choose from, you chose something that wasn't the best to show a clear distinction as it is in that "grey area". Similarly, if asked to define the difference between a fruit and a vegetable and give some examples, a tomato really isn't a wise choice as it stirs up too much debate over the precise definitions!

======================================================================

So I hope that you find my feedback useful; please don't get demoralised by the amount I have added / changed. Take comfort from the fact that it was a reasonable attempt and well worth building upon.


Attached Files
.docx   2008 Module 1 Q1 Safety Critical.docx (Size: 36.76 KB / Downloads: 129)
#2
Question paper FYI


Attached Files
.pdf   2008Module1Exam.pdf (Size: 18.19 KB / Downloads: 28)