2006 Q2 Wrong Side failures
#1
An untimed attempt for comments please.
I'm not sure I chose the best examples for this, but might it have passed anyway?
Reply
#2
Dorothy,

A thorough answer to a seemingly easy, but quite difficult, question. Seems a little long for 30 minutes but your exam technique may be to do so. There probably is a pass in there but the question hasn't been fully answered even though there are some important and relevant points in there.

First point is a suggestion; answer each question fully rather than split. Technique tends to mean the subject is repeated anyhow so context won't be lost. Not sure there are eight marks of consequences.

Good for picking up that TPWS is not for stopping trains at red aspects. However, later on you discuss overspeed mitigation and this should be mentioned at the same time. So, by definition, TPWS is not for SPAD mitigation. It is to remind an operator that a speed or movement authority is/is to be exceeded. Because of this and arguably, TPWS not energising is not a WSF per se, I agree, this was a bad example to use. TPWS would only activate the on-board equipment if a failure (operator error, signal reversion etc.) has taken/is taking place. I would be interested to see others' views on this.

WSF2 - the failure described is generic. The WSF failure is a miscount out (so out==in when physically out!=in) so the section believes it is clear when it is occupied, i.e. more permissive. A miscount where the section shows occupied is a RSF. The early part of the answer discussed RSF whereas it shouldn't but improves further on. The "This is particularly..." paragraph isn't correct for a WSF question.

Suggestion for a WSF would be a relay sticking, incorrect indications etc. A more permissive indication to the train/operator than should be provided is the acid test.
Le coureur
Reply
#3
(13-04-2016, 03:03 PM)Jerry1237 Wrote: Dorothy,

People are very sensitive nowadays when calling things Wrong Side Failures. A bit similar to the fact that many regard Test Logs as bad and therefore use them as a metric to assess the status of a project pre-commissioning or as a surrogate to measure design quality; there is of course some correlation but it is indirect, certainly not a proportional relationship.
I am old school and therefore if a fault results in a reduction in the level of protection then I call it wrong-side. I am perfectly comfortable therefore in saying that a couple of blown bulbs or a wire coming disconnected within a panel gives "a wrong-side indication failure"; the track shows to the signaller as clear even when the track itself is occupied and the interlocking is treating it as such. In other circumstances when perhaps there is a failure of the TDM bit and therefore a clear track actually displays as being occupied, the signaller could observe a signal at green reading over that section and must assume that they have witnessed a Wrong-side failure, although once the problem is understood it would be re-categorised as a Right-side indication failure.

Therefore my view is that a TPWS that is not active when it should be does constitute a WSF; it is not relevant that TPWS was never designed as a vital system. In fact WSF/RSF is too simplistic a distinction nowadays; taking a holistic view of the railway system, just putting signals back to danger is not the end of it, with the signal engineer able to pat themselves on the back and think they have left the system in a safe state. Somehow that train will have to be authorised to pass that signal and there are risks associated with that, in addition to the risks associated with fixing the fault.
PJW
Reply
#4
I did deliberately choose TPWS as an example of a WSF which does not have a consequence unless something else also fails.
That makes it a WSF at sub-system level, but not necessarily at whole Railway System level. I'll take note of that as something worth making explicit.
Reply
#5
(13-04-2016, 10:11 PM)dorothy.pipet Wrote: I did deliberately choose TPWS as an example of a WSF which does not have a consequence unless something else also fails.

I think it was a perfectly good choice; the fact that it by itself does not lead to an immediately dangerous situation does give a good contrast (though I think that I'd actually have made it my second example). I was actually more responding to Jerry than your original submission.

Given that the question was potentially also about telecoms WSF, this itself reinforces the point that a WSF can be in a system of low (or nil) SIL. I certainly cannot think of a telecom fault that gives an immediate threat to safety, but all are actually going to need something else to be wrong:
a) wrong call connected by telephone concentrator (correct use procedure by signaller and driver should be defence)
b) inability to send GSM-R Emergency Stop message (some incident must have arisen to require its use as a form of mitigation)
c) misrouted transmission which results in the wrong SSI interlocking's datalink information being presented at a trackside node (LDT coding, the TFMs' non-volatile memory of their initial connection should prevent it being acted upon).

So I think it was a good example and would definitely say that "TPWS not energising" is a WSF, albeit a relatively low risk one which indeed is what justifies the low SIL in the first place.  
  • The fact that there is a high probability that the failure will result in the loss of proving and thus dropping of the VCR and that this causes the signal in rear to be replaced to red (except when Approach Release Relief applied) makes it a protected WSF with only a small "time window" of risk exposure.  
To me it seems a great one to talk about as plenty of material and quite a contrast with the axle counter.  Perhaps you should have made your point re it being a WSF at the sub-system level but manifesting itself more as a RSF at the system level more explicitly and also talked about the risk entailed in any form of degraded mode working because of human error which itself is mitigated by provision of ARR, but as an example I think it was a good choice (though I would have discussed the axle counter one first as being the one with the immediate and greater consequences).
PJW
Reply
#6
I think this is where the discussion becomes more interesting. NwR Safety Central infers that PJW's definition could be seen as not correct on the basis of the "unsafe" statement:

Quote:Wrong Side Failure WSF
(i) Wrong Side Failure: something which fails in an unsafe condition (ii) Wrong Side Signalling Failure. A wrong side failure occurs when equipment or a system does not fail safe. In other words, a failure occurs which could lead to an accident.
https://www.safety.networkrail.co.uk/Ser...ailure-WSF

However, everything PJW states is fundamentally correct! So could we deduce that choosing a more black and white example could provide a more robust, less subtle, answer? Possibly, but would stating our assumptions and definitions of what we deem a WSF to be before answering the question avoid the examiner interpreting the justification in a way we didn't intend and be a useful exam technique? Yes to the second question, perhaps to the first!

More opinions most welcome on this subject though.
Le coureur
Reply
#7
(14-04-2016, 12:49 PM)Jerry1237 Wrote: I think this is where the discussion becomes more interesting. NwR Safety Central infers that PJW's definition could be seen as not correct on the basis of the "unsafe" statement:

I did say that I was old school and not ready to accept the redefinition of terms in order to satisfy those who are more worried about being "politically correct" in the new environment..........

Read "Drift into Failure" and "Thinking Fast and Slow"
PJW
Reply
#8
Going back to Jerry's previous suggestions - what could be said about WSF= a relay sticking?
Would you pick one particular example to discuss the consequences in detail or sketch out a few?

"Describe procedures or equipment that could be adopted to minimise future occurrences or the
consequences of each of the WSFs"
Can you tell me anything about this bit - I'm not a relay/circuits expert as you can tell.
Reply
#9
Dorothy,

A detailed technical understanding of relays/circuits should not be required for M1. In your paper attempt, you have discussed many of the relevant points already.

Assume an aspect relay stuck up, it could permit a higher aspect than is permitted to be displayed. With a track, you can have a relay stick up showing clear when it is occupied, sticking down [showing occupied] is a RSF.

Re effects, design can mitigate, or magnify, the effects of failure. Poor component selection can do similar. Having a system running close to its limits [contact current, relay load] can also cause problems.

Mitigations could be sequential track occupation [showing tracks have picked and dropped in order], high reliability -proven- relays with non-stick contacts [this is a misnomer, less likely to stick is more apt], double cut circuits [mitigates against just one contact being 'stuck' but doesn't cure all being stuck], how about health checking the system [change in current loads etc], periodic replacement of at-risk relays... The paper asks for things that could be used - the answer could be a little out there or not very practical but as long as it isn't pie-in-the-sky!

Happy to discuss more fully at Signet in July if you're coming?
Le coureur
Reply
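The "acid test" Jerry gives in #2 (a more permissive indication than the truth is a WSF, a more restrictive one is a RSF), the axle counter miscount in #2 and the stuck relay contact and double-cut circuit in #9 can all be put into one small model. The script below is an added example written for this page; it is not from the thread, the exam paper or any real interlocking. The relay, contact and axle counter classes are assumed simplifications (a contact is either healthy, stuck closed or stuck open; a section shows clear purely when counts in equal counts out), and the scenario names are made up for illustration.

```python
"""Toy model of the WSF/RSF 'acid test' discussed in the thread.
Added example, not thread content; the circuit and axle counter models
are assumed simplifications, not any real product's behaviour."""

from dataclasses import dataclass
from enum import Enum


class Failure(Enum):
    NONE = "no failure"
    RIGHT_SIDE = "RSF: indication more restrictive than the truth"
    WRONG_SIDE = "WSF: indication more permissive than the truth"


def classify(truly_clear: bool, shown_clear: bool) -> Failure:
    """The acid test: compare what is shown with what is physically true."""
    if truly_clear == shown_clear:
        return Failure.NONE
    return Failure.WRONG_SIDE if shown_clear else Failure.RIGHT_SIDE


@dataclass
class Contact:
    """A relay front contact: closed when the relay is energised, unless stuck."""
    stuck_closed: bool = False
    stuck_open: bool = False

    def closed(self, relay_energised: bool) -> bool:
        if self.stuck_closed:
            return True
        if self.stuck_open:
            return False
        return relay_energised


def single_cut(track_relay_up: bool, contact: Contact) -> bool:
    """Aspect relay fed through one track-relay contact; True = clear shown."""
    return contact.closed(track_relay_up)


def double_cut(track_relay_up: bool, positive: Contact, negative: Contact) -> bool:
    """Positive and negative legs each cut by their own contact, so a single
    stuck contact cannot energise the aspect relay on its own."""
    return positive.closed(track_relay_up) and negative.closed(track_relay_up)


def track_relay_scenarios() -> dict:
    """An occupied track (relay should be down) with assorted contact faults."""
    truly_clear = False
    relay_up = truly_clear  # a healthy track relay is up only when the track is clear
    stuck = Contact(stuck_closed=True)
    return {
        "single_cut_healthy": classify(truly_clear, single_cut(relay_up, Contact())),
        "single_cut_stuck": classify(truly_clear, single_cut(relay_up, stuck)),
        "double_cut_one_stuck": classify(truly_clear, double_cut(relay_up, stuck, Contact())),
        "double_cut_both_stuck": classify(truly_clear, double_cut(relay_up, stuck, stuck)),
        # contact stuck open on a clear track: signal held at red, more restrictive
        "stuck_open_on_clear_track": classify(True, single_cut(True, Contact(stuck_open=True))),
    }


@dataclass
class AxleCounterSection:
    """Section is shown clear when counted in == counted out (assumed model)."""
    counted_in: int = 0
    counted_out: int = 0
    physically_present: int = 0

    def enter(self, axles: int, miscount: int = 0) -> None:
        self.physically_present += axles
        self.counted_in += axles + miscount

    def leave(self, axles: int, miscount: int = 0) -> None:
        self.physically_present -= axles
        self.counted_out += axles + miscount

    def status(self) -> Failure:
        shown_clear = self.counted_in == self.counted_out
        return classify(self.physically_present == 0, shown_clear)


def axle_counter_scenarios() -> dict:
    healthy = AxleCounterSection()
    healthy.enter(4)
    healthy.leave(4)
    # out == in although physically out != in: one axle still inside, shown clear
    miscount_out = AxleCounterSection()
    miscount_out.enter(4)
    miscount_out.leave(3, miscount=1)
    # an extra count on entry: train has gone but the section stays shown occupied
    miscount_in = AxleCounterSection()
    miscount_in.enter(4, miscount=1)
    miscount_in.leave(4)
    return {"healthy": healthy.status(),
            "miscount_out": miscount_out.status(),
            "miscount_in": miscount_in.status()}


if __name__ == "__main__":
    for name, result in {**track_relay_scenarios(), **axle_counter_scenarios()}.items():
        print(f"{name:28s} {result.value}")
```

Running it shows the contrast the thread draws: a single stuck contact gives a WSF in a single-cut circuit but no failure at all in a double-cut one (both contacts have to stick), a contact stuck open only ever gives a RSF, and for the axle counter only the miscount that makes counts balance while an axle is still inside the section comes out wrong-side.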

