2010 Q8 - Design Error Management in Commissioning Phase

[dorothy.pipet]

Another attempt for comments

- not timed, and admitedly an area I am not totally familiar with.

[PJW]

Another attempt for comments

- not timed, and admitedly an area I am not totally familiar with.

2010 mod1 q8 DAP

Similar comments as Q3 apply re length applicable to 20 minutes but too short if for 30 minutes.

Possibly needed to have a bit of an intro before plunging into options; you implicitly seemed to assume that the design error would mean that the railway would not be in a safe state unless it was addressed or mitigated; there can of course be many types of design error and some might well mean that a function does not operate at all or doesn’t work properly but not actually directly unsafe or without consequential operational impact at all (it could however impact long term reliability or maintainability etc.).  It would therefore have been worth stating some assumptions in this regard as the implicit (but not unreasonable given the thrust of the question) assumption meant that certain other options were not discussed as being inapplicable to the scenario that I imagine you were envisaging.

Options 1 and 2 were well covered.

Option 3 should have given some examples of what they might be specially requested to do (key points, not permit a movement on a parallel line, not set a route until the previous train had gone beyond a particular post ion, not utilise ARS, not use Auto Raise on a level crossing).  Often initially just briefed verbally and then followed up by an A4 sheet of notes appended to box instructions and signaller briefs their relief.

Option 4- reasonable.  However even if CBI data can be reverted relatively easily, then it may be incompatible with trackside changes that would also need to be reversed; TFM plug coupler changes are not to be undertaken lightly or speedily and of course there can be more drastic trackside changes.  
At a box rewire job, the DO hadn’t thought about ohms law when recalling and whereas the free light for a level crossing wicket gate still operated, pushing the plunger to operate the associated electric lock just caused the lamp to grow very dim and the lock resolutely did not pick.  As TiC I received the mod sheet to correct which was just to “ungreen” the previous cable.  By then it was in approximately 100 separate 5m lengths in a skip!

However it is actually not just the trackside physical which is practically irreversible; the CBI will be interfacing with the Control System which will be passing data to SMART on which all the various operational systems such as TRUST, Customer information, network overview (yes even “Open Train Times” etc. depend.  On any one weekend there is almost certainly other unrelated work happening elsewhere, so these systems couldn’t be reverted to a previous state to reflect one particular job that didn’t happen, because they would then be wrong for all the other changes which actually did go ahead as planned.  So it was worth including as an option that might, for a small local tweak intended  to resolve a particular issue but was proved to make things worse, be appropriate but there should have been far more of a caveat that it is rarely going to be practicable.  It isn’t just the technical systems either; what other consequences may there be for things such as timetable, staff rosters, vehicle deployment and rules and regulations etc.  Given that this is a module 1 question there should have been more consideration of such elements and this would have been a good part of the question to illustrate such considerations were in your mind.

I think the question invited some consideration of what would be “acceptably safe”, the nature and magnitude of the residual risk after any proposed mitigation as well as the risks introduced from pursuing the proposed options (e.g. designing mods in a hurry can result in the original problem being cured only to introduce another one that might be more serious; testers are also going to be against time and will be trying to limit the testing to what is actually needed so could perhaps not go back and re-test something that used to be ok but which this latest modification had introduced a serious deficiency; similarly any operational mitigation puts the signaller's etc. under more workload pressure, needing to remember to do something special to cover for the interlocking deficiency and whereas they’d usually do so ok, being human they might not always do what they should, or because they are concentrating attention on the need to do so, make an error or oversight elsewhere).  
I think your answer would have benefitted from you having the various topics of the mod1 syllabus firmly in mind so that you could have woven your material into something more explicitly based on the framework of the module; just a few well chosen key words would have given it more of a “module 1 shape” that may have been well rewarded by the examiner when marking.

Overall though, if this were a 20 minute answer I think that it was reasonably good and would have certainly been a comfortable pass and possibly a credit; a more holistic perspective would have made that certain.