2005 Q4 DEGRADED OPERATION
#1
I have typed up my attempt at this question that we went through in the study group on 20th May.

I hope somebody finds it useful.

Simon
Reply
#2
(29-05-2009, 05:00 PM)seastmond Wrote: I have typed up my attempt at this question that we went through in the study group on 20th May.

I hope somebody finds it useful.

Simon

It is good to see someone prepared to share; too many leave it to the tutors / someone else to make accessible to others who could not attend the session. I hope that it is the first of many and that others will follow suit.

Overall seems a very good answer to me.
Part 1.
You were asked for three examples and you gave three examples but recognised that you needed to do a little more than this for the marks. Your approach of giving several lower level faults which could lead to the same higher level failure is good (though I think emphasising event / defect / fault / failure distinctions would have added something worthwhile). To demonstrate a greater range it might have been worth including in your examples something a little more different (all seem to be technical failures of equipment)- what about the need to caution a train through an axle counter section after it has been reset following disturbance by a P'Way shovel being used too close to a count head for example?

Part 2.
It was good that you interpreted the question both to mean "worth providing at all" and "what would be appropriate to provide"; always be on the look-out for doing this by "reading between the lines" to spot the hidden ambiguity so that you can expand the question. May have been worth making a little more of this latter interpretation by bringing in some discussion re
a) the nature of the degraded mode (i.e. is it a lower capacity signalling system of the same integrity- e.g. ETCS L1 back up but with limited number of block sections to an ETCS L2 system- or is it a lower integrity system to keep trains moving at much reduced speed with driver proceeding on sight but with the assurance that the route is set, locked and detected)
b) the nature of the transmission system used for the in-cab display (e.g. is it via a code superimposed upon the track circuit, via separate inductive loops for intermittent / quasi-continuous transmission or by radio); this could be relevant in assessing whether a common mode failure might affect any back-up signalling system and / or whatever signaller-driver communication is provided. For example, if there are no SPTs and both the cab-signalling and cab-radio are implemented via some common radio equipment then a physical signal trackside that does not use the same comms system may be more appropriate than when the in-cab signalling uses the track circuits for the transmission medium.

Part 3.
To me this seems the hardest part to answer, particularly as I'd have put much of what you'd written here in part 2 (yes in the exam you should always read the full question before starting the answer..... but examiners would award you the marks if you had gone deeper than they had intended in an earlier section and thus had already answered by the time you got to the section where they were expecting that information). To me much of what you wrote does fit more comfortably in part 2 rather than 3; however I am struggling to do much better.

Certainly right to emphasise independence from common-mode failures; I am not so convinced that the back-up does need to be highly reliable though, provided that any fault it suffers is self-detecting and receives prompt attention. A back-up for a signalling system is not in the same league as a parachute for abandoning an aircraft or air-bag in a car so I disagree with a little of what you wrote; it is not the sole mitigation that could prevent a death, it is merely trying to overcome operating delay or the potentially slightly risky procedural operation of the railway. So provision of a reasonably reliable system of low SIL may be perfectly reasonable for the usage it is going to get; far better that than nothing at all due to the wonderful system being unaffordable. You might also have mentioned the possibility of a reasonably localised control (to overcome transmission problems from the main control centre) provided that the railway is such that this back-up could quickly be implemented by staff close to site, or start working automatically in the event of failure of the main system being detected.
So I think that for 3 of the 5 marks in this section I like your 2nd and 3rd bullets as they are and your 4th bullet with modifications. I think discussion of where to exercise control, how to "switch-in" and "switch-out" would be the 4th but can't really find a 5th, so in the exam I'd talk about trying to design it as a basic system with generic functionality as far as possible free from any specific frills so that it can quickly be customised from the generic solution to the particular site (did I say "modular signalling".....). Anyone else got a better idea for that 5th mark?

Part 4.
There are probably more items here than you need / would have time for in the exam. Clearly for this exercise well worth including them all, but be careful not to get carried away in the exam; sometimes there is a rich seam and it is very tempting to go on mining, but remember that "enough is enough"- when you have the luxury of choosing a selection from what you know and is relevant, then do ensure that you show the total breadth and thus include some performance risks, some safety risks (did you really identify which were in which category? and could you have split safety into personnel safety / system safety and performance re getting into the fall-back mode and whilst working in fall-back mode?), some technical and some operational.

Part 5.
Again I thought what you put was good. I'd be looking for bullet points about "first cost", "whole life cost", "safety benefit", "direct performance benefit", "reputational insurance benefit" and you covered all these but perhaps the safety benefit was not considered well enough. It almost looked like something that might get called upon to help justify the cost if the other claimed benefits weren't giving a strong enough business case! You should have considered whether providing the cab-signalling without any back-up would be good enough to be demonstrably ALARP and thus some form of degraded mode signalling would have to be provided unless costs proved grossly disproportionate. Always bear in mind which module you are answering the question within; the examiners will be looking for a "module 1 spin" as it was asked in module 1 whereas a slightly different spin if the identical question had been placed in a module 5 paper.

So all in all I think a very good answer. It is particularly interesting given I have just come back from Spain looking at a line that will (eventually ...may be even this year let's hope) be operated under ETCS level2 but currently with ETCS level1 that will be kept as a back-up as well as the legacy ATP system as a back-up to the back-up; all this on a line with trains no more often than 15 minutes in each direction. I believe that it was mainly funded by EU money which may well have influenced the decision and of course the L2 isn't working yet and they needed the High Speed Line to be open so there were other considerations as well. Furthermore if a train is more than 10 minutes late in Spain then all passengers automatically get their entire fare for the journey refunded; compare this to the UK where a train up to 10 minutes late is generally regarded as being "on time" and only if you get horrendously delayed do you have a chance of getting some small amount of refund or ex-gratia gift as some grudging compensation; different environment!
PJW
Reply
#3
One of two questions set at the York Study Group May session. Any comments would be gratefully received and used at the June session.

A railway is introducing a new cab signalling system. Under normal operation there is no requirement for lineside infrastructure for the purposes of signalling the train or advising the driver of any restrictions or limits (any relevant information will be available in the cab). The railway has very demanding operating requirements and the provision of signalling equipment for degraded operation is being considered.

Give three examples of events that could lead to degraded operation. [3 marks]

What factors may influence the provision of equipment to support degraded operation? [5 marks]

How could the equipment for degraded operation be designed and controlled? [5 marks]

How can technical and operational performance and safety risks associated with infrequent use of the degraded mode equipment be managed? [7 marks]

How can the cost effectiveness of the degraded mode provision be assessed? [5 marks]
Reply
#4
(17-06-2010, 08:34 AM)cgallafant Wrote: One of two questions set at the York Study Group May session. Any comments would be gratefully received and used at the June session.

A railway is introducing a new cab signalling system. Under normal operation there is no requirement for lineside infrastructure for the purposes of signalling the train or advising the driver of any restrictions or limits (any relevant information will be available in the cab). The railway has very demanding operating requirements and the provision of signalling equipment for degraded operation is being considered.

Give three examples of events that could lead to degraded operation. [3 marks]

What factors may influence the provision of equipment to support degraded operation? [5 marks]

How could the equipment for degraded operation be designed and controlled? [5 marks]

How can technical and operational performance and safety risks associated with infrequent use of the degraded mode equipment be managed? [7 marks]

How can the cost effectiveness of the degraded mode provision be assessed? [5 marks]

I am not going to be able to respond in this degree of detail regularly but in this case I felt it was worth it. Well done to this Study Group for having students that come up with the goods- we have 4 reasonable answers to the same interesting question so I think it is informative to do a compare and contrast. In the attachment I have gone through the question by section with a column for each answer, made an assessment of what I would score it and tried to explain the thinking that led me to that. Where I felt that no answer had adequately addressed an issue I also added a few thoughts of my own in that section heading.

Note that I am not an examiner and have no inside info re how they mark; just a view of how I would approach it. I think that I am probably not far off. It is all a bit subjective, but they say that too- it sounds wrong but it is the only way it can be and I hope that by sharing the thoughts I had when marking these, you can begin to see how an examiner approaches, balancing what is written against the question (rather than any pre-conceived notion of what "THE ANSWER" is- the whole point is that there is NOT one answer, so no tick list can be made to work). Also the examiner always has to be assuming what the candidate meant by any words and has to use all information holistically to get a view of the person's level of comprehension rather than purely going on marks- I have endeavoured to explain my thought process on this and the judgements that are needed.

It is commonly said that the earliest marks in the question are the easiest and a bit of a "warm up"; it is your chance to define the context for how you are going to answer the remainder; I don
PJW
Reply
#5
Hitesh had difficulty posting for some reason and so emailed me

Quote: We decided at the Brisbane Study Group to make an individual attempt at the 2005 paper under exam conditions.

I gave myself 10 minutes of reading time and then attempted to answer the paper in 1 hour. (20 minutes per question)
I did questions 3, 4 and 6.

Thanks for your help.
Hitesh P


PJW
Reply
#6
PJW Wrote:
Quote: We decided at the Brisbane Study Group to make an individual attempt at the 2005 paper under exam conditions.

I gave myself 10 minutes of reading time and then attempted to answer the paper in 1 hour. (20 minutes per question)
I did questions 3, 4 and 6.

Thanks for your help.
Hitesh P

I thought initially that this was the best of your three 20 minute answers; you have given me comfortably two pages of A4 so that looks like as much as is likely to be possible. Although I am struggling to read some words I think this is more of a consequence of the pdf fuzziness than the original.

Given the accelerated timescales then part 1 is adequate, although a description that showed a little more understanding than "system failure" would have been better. Say 2/3

Part 2. Really only gave me 3 items so perhaps 3/5

Part 3. Ok as far as it went but a little brief; didn't really say anything about how it should be controlled and that was specifically asked. No mention in this or previous section of the cost to set against the benefit but I'll assume that is intentional as you have read ahead and are reserving that until the end. 2.5/5 I think

Part 4. There were 7 marks available but in a way you gave me less than for part 3; that which was there was good although brief. Gut feel is 3.5/7

Part 5. It was a good point to include re the social impact of the delays, but should have related this more directly to cost- do you mean the policing of the crowds that are stranded on the platforms, the loss of productive working time to the local economy, the loss of future business to the rail operator due to perceptions that it is not a good way to travel in future?
Should probably have said a bit more of the costs of not having a degraded mode and that would need to entail both the main system's reliability re service affecting failure and the Mean Time To Repair- a cross reference back to part 2 would have helped. I think something like 3/5 again.

Hence I feel that this is the sort of attempt that you should be making at all your chosen questions and if you achieve this then you'll be a solid Pass I think. I don't think anyone has much idea of what is realistically achievable in 20 minutes, but I think that this is the sort of answer that the examiners will be hoping for and I think if you produced another 2 like this then a Pass is assured and just the possibility of a Credit. This seems a good standard to set yourself; a measure of contingency if things don't go as well as they might on the day then you'll still get through...... and on Module 1 recently that is something to be proud of.





PJW
Reply
#7
Another attempt for comments please
Done open book, untimed.
Reply
#8
(02-03-2016, 04:38 PM)dorothy.pipet Wrote: Another attempt for comments please
Done open book, untimed.



Part a)

Item 1- worth specifying the extent of the affected area (i.e. in the case of ETCS L3 solution: one base station affecting say 1km radius or a loss of comms between interlocking and RBC or between the RBC and many base stations which would each affect a much wider area).

Item 2- ok but it might have been better for giving a more wide-ranging context later to have been more fundamental since if it is only the loss of the cab display the train would still be reporting its position etc to the interlocking).

Item 3 - ok, but not an obvious one for the scope of the question. However I thought that it was going to turn out to be very clever and that you'd have drawn upon this scenario further on in your answer and identified that a fall-back system would also have depended upon this same input and therefore this was a common mode type failure for the primary and fallback. However you didn't seize this opportunity and therefore it just looks like you couldn't think of a third that was more closely related to the cab signalling system.

As the examiners say, always think of the question as a whole as well as each separate part.

I certainly think that you could have constructed a good answer with this as one of the failure events; otherwise I'd have presented the failures as:
a) non-communicating train,
b) loss of comms affecting a small area,
c) loss of the office end of the system affecting a very large area.



Part b)

2nd bullet; probably ought to have broken this down a bit more at least into the on-board and the line side subsystem.  This relates also to bullet 3 because the key thing about recovery from such a failure is not the repair of the fault but rather the time taken to get the defective train to a place where the passengers can be disembarked and clear of the line to enable the remainder of the service to resume; quite how long the casualty languishes there before being recovered to a depot where fault rectification can be undertaken is not the immediate issue. Worthwhile distinguishing this from the scenario in which there is a line side fault which affects all trains and for which the MTTR is directly relevant.
 
The thing, given that this is Module 1 after all, that you really should have mentioned was SAFETY. A bit of a black mark that despite your sizeable list you didn’t appear to factor this in your assessment at all- tut tut!
Don’t forget that the question was very specific in emphasising that there is no requirement for line side infrastructure in normal operation. Hence in many failure scenarios the signaller has no idea where all the trains are (and possibly not even how many there are in the area which is no longer under control). Hence the signaller is faced with a difficult situation to manage which clearly has safety implications.
 
Otherwise I think you had enough in this section but something that I would have included is the additional complexity in system architecture and indeed potential hazards introduced when changing over from one mode of operation to another.  Of course these must be offset against the risks of the purely procedural degraded working that would have to be adopted in the event of a failure of the system if there were no equipment provided for a fall-back mode of operation.
 
Part c)

I think I would interpret “HOW” as meaning:
  • "to what safety integrity level",
  • "to what level of functionality should be incorporated?”,
  • “is it just for the junction areas or a substitute signalling system for the entire line”?,
  • “how free-standing from the new signalling system? (i.e.of your items in part a does it attempt to give a degraded solution for 1,2 and 3 or only some of these?) and if there is some dependency between them is it the bedrock on which the in-cab system is overlaid or alternatively does it rely on any elements of the main signalling system (the conventional point detection, object controller and central interlocking perhaps)?
 
The last part of your answer did touch on one such consideration, but as you identified yourself I don’t think you “hit the nail on the head” for this portion.  One might argue that established procedures and standards are of some value for the detail of presentation but in terms of what is the content of the required design are basically pretty standard although you could have referred to the NR POSA (of which there are only a few real examples).  You did mention Human Factors which would be one component, but I think you should have presented your answer in terms of:
  1. Defining the high level objectives (as my bullets above seek to scope)
  2. Obtaining a more precise set of requirements.
  3. Validating these from the many perspectives (which would include HF but far wider), Concept of Operations, “Day in the Life of...”HAZOP, HAZID, FTA, FMECA etc. to satisfy that the fall-back system to be provided is addressing the right problem.
  4. Further that the associated hazards have been assessed and influence the design solution; follow CSM-RA and manage the Hazard Record.
  5. Estimate the benefits of the proposed solution both in terms of risk reduction and its costs.  It may be found necessary to provide the fall-back just on ALARP grounds, but it is more likely that most of the financial justification will depend upon the items you listed in part b, particularly the first.  
 
Part d)

In practice it is going to be difficult to use the back-up system regularly;
  • firstly it isn’t going to be palatable to cause significant disruption and indeed safety risk in a premeditated manner often enough to maintain enough familiarity amongst the significant number of drivers and signallers involved just to reduce risk for the pretty rare occasion when it would be needed in anger. The effect might be a small reduction of risk and disruption involved should a real random fault occur but at too high a price. Just how often would you need knowingly to place the system in an unsatisfactory state to get the required coverage of staff and refresh that knowledge sufficiently? I suggest it is not practicable and arguably not morally acceptable; it would be like choosing to push a few passengers down stairs at stations occasionally in order to check how efficiently the station staff could render first aid, deal with the disruptions and ensure that the emergency services and hospital doctors could attend to their injuries effectively! It is not like operating a lineside signalled railway in override through routes that actually, if timed when no unsupported moves are to be made, causes little disruption if the office end of the system affecting a very large area.
  • Secondly some of the failure modes may not be easy to create operationally; don’t really want drivers deliberately creating faults on their trains for example. 
 
Suggest instead that simulation of the degraded mode fallback system should be included within both the signallers’ and drivers’ simulators both prior to implementation and to maintain competence throughout the lifecycle. Otherwise all your suggestions are sensible provisions, but I think you should have explicitly referred to condition monitoring and fault reporting rather than just saying “close monitoring”, which is a little vague.
 

Part e)

Study of the failure modes of the primary signalling system does need to be based initially on the system as it would be without any fall-back and then secondly revisited to see whether the provision of a fall-back signalling system is likely to introduce any other failure modes of the primary system. 

Also explicitly consider any possible “common cause failure” that might affect both the primary and the fall-back, since the two failure rates may not be completely independent.

Do separate out-
  1. the justification for spending money to reduce the risk to be ALARP,
  2. the choice to invest money in order to reduce the other financial / reputational risks.
Whereas the question asked for cost-effectiveness, I think that in this module in particular you should show that you recognise that there are safety obligations which may go beyond pure cost-benefit analysis.
 
Overall though I thought that this was a pretty good answer and I think that it would have achieved a Credit.
 

 
PJW
Reply
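The cost-effectiveness reasoning in parts (b) and (e) above, and the earlier remark that the cost of not having a degraded mode depends on the main system's service-affecting failure rate and its Mean Time To Repair, can be put into a small model. This is an added illustration, not part of any post in the thread; all failure rates, repair times, delay-cost figures and the beta-factor common-cause fraction are constructed assumptions.

```python
"""Constructed model (not from the thread): expected annual delay cost of a
cab-signalled line with and without a fall-back signalling system, with a
beta-factor allowance for common-cause failures that disable both at once."""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    """Service-affecting failure rate (per hour) and mean time to restore (hours)."""
    failure_rate: float
    mttr: float

    def failures_per_year(self) -> float:
        return self.failure_rate * HOURS_PER_YEAR

    def unavailability(self) -> float:
        # Steady-state fraction of time the subsystem is down: lambda*MTTR / (1 + lambda*MTTR).
        x = self.failure_rate * self.mttr
        return x / (1.0 + x)


def fallback_unusable_given_primary_failed(fallback: Subsystem, beta: float) -> float:
    """Probability the fall-back is also unusable at the moment the primary fails.
    beta (assumed parameter) is the beta-factor common-cause fraction: the share of
    primary failures whose cause, e.g. a shared radio bearer, also takes out the fall-back.
    The remaining failures find the fall-back down only through its own unavailability."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie between 0 and 1")
    return beta + (1.0 - beta) * fallback.unavailability()


def annual_delay_cost(primary: Subsystem, fallback: Optional[Subsystem], beta: float,
                      cost_procedural: float, cost_degraded: float) -> float:
    """Expected annual delay cost. Each primary outage lasts primary.mttr hours and runs
    either under the fall-back (cost_degraded per hour) or, if there is no fall-back or it
    is unusable, under purely procedural working (cost_procedural per hour)."""
    outage_hours = primary.failures_per_year() * primary.mttr
    if fallback is None:
        return outage_hours * cost_procedural
    q = fallback_unusable_given_primary_failed(fallback, beta)
    return outage_hours * ((1.0 - q) * cost_degraded + q * cost_procedural)


def annual_benefit(primary: Subsystem, fallback: Subsystem, beta: float,
                   cost_procedural: float, cost_degraded: float) -> float:
    """Delay-cost saving attributable to the fall-back, to set against its annualised first
    and whole-life cost. The ALARP safety case is a separate question, as the thread notes."""
    without = annual_delay_cost(primary, None, 0.0, cost_procedural, cost_degraded)
    with_fb = annual_delay_cost(primary, fallback, beta, cost_procedural, cost_degraded)
    return without - with_fb


if __name__ == "__main__":
    # Constructed figures for illustration only.
    primary = Subsystem(failure_rate=1 / 2000, mttr=2.0)   # one service-affecting failure per 2000 h
    fallback = Subsystem(failure_rate=1 / 5000, mttr=8.0)  # low-SIL, self-detecting, slower to repair
    for beta in (0.0, 0.1, 0.5):
        saving = annual_benefit(primary, fallback, beta, 50_000.0, 10_000.0)
        print(f"beta={beta:.1f}: delay-cost saving {saving:,.0f} per year")
```

Raising beta shows how a common radio or interlocking dependency between primary and fall-back eats into the benefit, which is the independence point made in parts (b) and (e).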