Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Risks associated with signal lamp failure
#1
Hi,

During a discussion about Lamp checking relay, I was informed that in certain Railways in Europe, if a lamp fails , the signal will go blank. But I am unable to get any further information regarding which part of European Railway or how the associated risk is mitigated. Kindly share any information regarding this.

Thanks,
savitha
Reply
#2
I think it is true to say that in very many instances if a lamp fails then a signal will become blank. Indeed mitigation of this risk is the reason for provision of the lamp checking relay, so the situation can be detected and then acted upon to give the mitigation.

It is probably best that I start off giving you some background before launching into the answer to the question you actually asked, as I suspect that the cause of your doubt lie deeper than the question on the surface.

Until relatively recently (varies between countries but broadly 10 years ago), signals illuminated by incandescent lamps containing filaments which will eventually burnout and hence suddenly fail. Not possible to predict lifespan of any particular example with any certainty (manufacturing tolerances etc all give a significant randomness, but so to does the installed environment as does the particular operation of the signal relating to how long it displays any particular aspect at a time and how often it is switched on and off according to train movements); however but the range of average lifespans is statistically well known.

One means of reducing the likelihood of any lamp failing would be to adopt a maintenance regime that replaces lamps well before the probability of failure becomes significant. However this would be hugely expensive as the vast majority of lamps would be renewed when they actually have most of their useful life remaining. Not a "green" solution and very labour intensive and a nightmare to administer to ensure none were missed; furthermore there would still be those lamps as "out-liers" of the failure distribution "rogue units" that would fail before routine replacement. In addition there are other causes of blank signals- perhaps vandals destroy a lamp by projecting a missile, or cut the cable to the signal (and the "vandals" in this latter case may actually be careless track workers or mechanised on track machinery etc).

Nowadays many railways are increasingly using LED signals so in fact these "other" causes of blank aspects are much more significant than an actual "lamp" failure. LED modules tend to last a very long time- probably over 10 years- and thus the routine renewal before their likely failure is now a practical proposition. Further they are designed such that the fail "gracefully"- the failure of any one LED may knock out a whole row, but does not result in a blank aspect and is observable by a maintenance technician when passing so can be reported and arrangements made to make a special renewal before the aspect given to the driver is significantly worsened. The other failure mode is that light output does gradually diminish or even change its colour balance over time, but this is a very slow process and can be monitored on an occasional basis as a "health check". So whereas LED signals do suffer failures they are both much rarer and also less dramatic sudden failures from which real lamps suffer.

That is the background, so now to come to your question:

Network Rail tend(ed) to use the SL35 lamp which has two filaments, the main filament at the focal point of the lens system and the auxiliary filament behind it. In normal use the main filament is lit and the auxiliary one is not. Over and above the signal lamp proving (whose relay is generally in the adjacent lineside equipment case or relay room), there is a "had changeover relay" in the actual signal head close to the lamp. This is kept energised by the current flowing through the main filament but should this "blow" no more current will flow so the relay drops and by making its back contacts switches in the auxiliary filament instead- hence often called the "standby" filament. [Note that in India a variant of the SL35 is used but has both filaments horizontal rather than main horizontal and the auxiliary vertical].

Provided that the reason for failure of the first filament was just that the thin wire itself had burnt out through old age and use, then the auxiliary filament should itself last for a broadly similar lifetime (although it has been suffering the environment for an equal time and subject to the thermal stress of the main filament being switched on and off, so itself is actually far from new so probably won't last as long as the first one did). Another contact of the head relay is used in a circuit which tends to call around all the signals in a certain geographical area which gives an alarm to the signaller to inform the technician- this basically means: "help, come and find me, I am on my last legs, replace me before I fail completely".

Meanwhile the actual lamp proving relay has remained energised (note this is slightly "slow release" so remains up when signal is swapping from main to auxiliary or indeed from yellow to green etc. The result is that the signalling system as far as the operator (signaller and driver) are concerned is still operating normally (in truth the aspect given to the driver is not so good in terms of range and beam distribution but in most cases this is only really evident to a skilled observer trackside), yet there has been a failure which the technician needs to attend to reasonably promptly before another failure results in loss of function (also to find which lamp of which of a group of signals has a defective filament is quite easy when there is only one fault; becomes very much more difficult to determine if technician leaves it so long that there are several signals all with defective filaments on the same combined fault circuit!).
[This is a form of graceful degradation; it may be worth you studying the definitions of RELIABILITY and AVAILABILITY to be able to better understand this scenario from a RAMS perspective.]

However note that the auxiliary is of no use if the cause of the first burning out was the loss of vacuum within the glass bulb so that the filaments are burning in air; the auxiliary will still be switched into circuit but will almost immediately burn out itself as it will suffer the same fate. [From a RAMS perspective there is a "Common Cause Failure" and so two things cannot be treated as independent and thus don't get the benefit that would otherwise have been expected.]

Similarly if the signal has been vandalised, the supply fuse blown following a lightening strike, a wire fallen off a terminal, the cable severed, a relay contact become high resistance etc etc the auxiliary filament does not help; there are a whole range of reasons why a signal whether incandescent lamp, quartz halogen, LED or whatever may be "out" and the signal giving a blank aspect- it is just that the likelihood is greater when incandescent signals are involved.

So this is the role of the lamp proving relay- to discover that the lamp is out so that mitigations can be put in place to reduce the consequence and therefore the overall risk of the occurrence.
Bear in mind that what this relay does is effectively measure the current exceeds a certain threshold and thus it is inferred that there i light output. An open circuit cable will certainly be detected. A short circuited cable will cause the relay and / or the fuse to burn out and thus be detected. The relay energised does not actually "prove" the signal alight, but it is a pretty good inference. be aware though that there can be faults in signal head transformers that cause a misleading current to be drawn yet light output low, an LED module is detected via the presence of its internal "ballast resistor" which is not related to light output and even if the signal lamp is producing light then it is not unknown for a bird to build a nest in the nice warm space between the lamp and the internal lens so obstructing most of the light from leaving the signal head towards the driver's eye.

However let us concentrate on the main hazard and assume that in vast majority of cases the relay energised does actually prove that useful light is being produced. If the relay drops we can then take action by replacing the aspect of the signal in rear (i.e. the one on the approach which authorises the driver to proceed up to the signal which is blank). Therefore (assuming for the moment that no train is in the immediate vicinity at the instant of failure), the driver will experience a normal aspect sequence, stop at the red aspect and contact the signaller by phone or radio. By procedure the signaller will verbally authorise the driver of the situation, to pass this signal at danger, proceed cautiously as far as the next signal warning them that it may not be alight and then contact again from there. Later when the driver gets to the failed signal the procedure would be repeated.
[Be aware that in India I believe that it is regarded as necessary that the driver has to wait until there is a handsignaller stationed at all the affected signals and there is always written authorisation physically handed to drivers to pass signals; in the UK we do similar if the failure is to be prolonged / extensive but are prepared to operate the railway as I have described; all to do with assessment of risk, how much can rely on training of staff and procedures to reduce risk of human error, the complexities of the site, the number of affected trains in the area, the anticipated duration of the fault etc. Nowadays at some sites where there are junctions, a POSA aspect is provided that can be used to inform the driver to "Proceed On Sight" past a signal at danger or unlit- this is a more secure way on transferring the message generally iven verbally leading to less delay and higher safety when operating the railway in degraded mode; the POSA proves points in line of route set, but not the train detection nor the signal ahead lit]

Therefore the risks of a SPAD at unlit signal are minimised; the likelihood much reduced as the driver has been pre-warned and the consequences of any SPAD which does occur (perhaps fails to see the signal post in the dark of night in a remote area) also minimised due to the low speed- driver will probably see last minute and even if unable to stop won't go very far past it so will almost certainly stop in overlap. If they fail to see at all then the slow speed would reduce the energy involved in any subsequent collision thus reducing the probable consequence / fatalities.

Actually if the fault on the signal only affected one aspect (as it is likely to do if it is a "real" lamp failure rather than a severed cable etc) then the signaller can often "manipulate aspects". Say that it was the yellow aspect of a 3 aspect that had completely failed; the signaller might hold the affected signal at red until the signal in advance (i.e. the next one beyond) could be cleared to yellow and there for faulty signal could step straight from red to green and never ask for the non-existent yellow and therefore the failure could be "hidden". Gives signaller extra workload, affects capacity, may slow trains unnecessarily but drivers will not see anything particularly unusual and safety is not affected with delays also minimised.

It is only if the failure happens "at the worst possible time" when a train is approaching that the driver will suffer an aspect reversion. Say they have passed signal 1 showing green and the signals ahead are signal 3 at green and then signal 5 at green. Then signal 5 goes to blank. Signal 3 will go to red but the train has already passed signal 1 so driver does not yet know. They first find out when get see signal 3 and think; "@*$&! that's at red". Emergency brake. Knows that going to pass signal at red. Very worried. Makes Public address announcement and then tries to leave cab and enter passenger compartment of train so better chance of not being so badly injured- remember driver has no idea why signaller has put signal to danger, so perhaps there has been an embankment slip, a road vehicle fallen onto track from overbridge and river having swept away an underbridge........

Actually however it is nothing like that- the train is entirely safe as there has been no disaster, the route remains set and locked and actually also signals are safe to pass. The risk is that there could be a few (probably minor) injuries on the train- perhaps the onset of emergency braking caused luggage to fall from an overhead rack onto someone in a seat, perhaps someone else carrying a tray of coffees also spills scalding liquid over fellow passengers etc.

Actually a previous practice was "lamp or controls"- if the signal was not proved alight but the aspect relays were up and thus the signal safe to pass then there would be no aspect reversion; it is interesting to speculate the reason why this practice was abandoned. I think it was the desire to make drivers recognised that any signal "improperly displayed" should be treated as a signal at danger- whereas the practice would avoid risk in this particular situation, overall on the railway it could increase risk of a serious fault not being reported when first observed and thus the opportunity to prevent a serious accident lost.

One thing that can be done (hardly is at all in the UK - generally only when using imported signalling systems - but is I believe quite a common European practice) is "aspect degradation". Actually I think this is probably the very thing that you had heard of and caused you to pose your question- but you hadn't quite understood things correctly so you worded incorrectly.

This is where as signal that has been asked to display a certain aspect finds that when it tries that it is unable to do so because the lamp has failed. Hence signal 5 in our example is trying to show green and starts off doing so but then suddenly the lamp expires. The signal circuitry detects this and instead of just sitting there stupidly still trying to feed green, reporting the problem to signal 3 which can then only revert to red, instead signal 5 says "if I can't show green then I'll try yellow, because that is more restrictive but not as bad as being blank". If it tries and find that there is lamp proving, then it never has to report to signal 3 to change aspect; if however it tries and finds that the yellow doesn't work either, then it tries red. If that works then it does need to report to signal 3, but this only has to revert to yellow. If however it finds that it can't light the red (because the most likely thing is that the common fuse has blown etc) then we are into the original situation without aspect degradation.

You can see the advantages of the methodology for keeping trans moving safely and with only minimal delays where the problem is individual lamp failures. it does however give a range of complexity (remembering which lamps are failed, knowing when to "re-try" a previous detected failure- does it do so periodically or does the technician have to reset a fault memory when changing lamps etc.) It definitely made sense if using incandescent lamps that only had the one filament; however the advantages are less obvious when there are auxiliary filaments and the maintenance regime is such that the lamps are swiftly renewed once working on their standby. With LED signals the likelihood of a "lamp" failure is very low and if one is affected then almost certainly all aspects are affected, so therefore it is a lot of complexity for practically no real benefit.

However do recognise that for there to be a risk there has to be a potential accident. If the signal is actually blank for a proceed aspect, then there is no (direct- there are secondary risks, see earlier re emergency braking, operation of the railway procedurally in degraded mode etc) safety risks as indeed the line is still being proved safe, it is just that the message is not reaching the driver. The hazard therefore is the signal being passed when it is supposed to be displaying red and that aspect is supposed to be protecting a conflicting movement [risk = death / injury/ damage / disruption etc from a possible junction collision], a level crossing [risk = similar but more likely to be suffered by road user than train passengers], a preceding train [risk = similar but probably less severe following a rear-end collision] or track workers [risk = death / injury of these workers being the most likely consequences]. Obviously if there is a train protection system this might not prevent the SPAD itself but ought to stop the train safely within the overlap and thus be a good mitigation of immediate safety risk (but still leading to delay and disruption). Even an AWS system will alert the driver to the fact that approaching a signal which is not at green and therefore makes it much more likely that the driver will completely miss observing an unlit signal.

What a good question; a short one but opening up a whole range of elements. Are you looking to be appointed to an IRSE examiner's job?
Not sure if best to answer it from a "module 5" or a "module 3" or a "module 1" or a "module 7" context. Obviously since posed in this section of the website decided to concentrate on the safety / risk elements applicable to module 1, but obviously needed also to explain the principles and application as these are clearly from where your question originated. Therefore hope I have done a reasonable job of tackling from several angles, which is normally a good approach for module 1.

Imagine you got more than you bargained for, but hopefully you can find the answer you wanted amongst the text and perhaps can use as a wider learning opportunity as well.


(19-10-2012, 05:08 AM)savitha kandasamy Wrote: Hi,

During a discussion about Lamp checking relay, I was informed that in certain Railways in Europe, if a lamp fails , the signal will go blank. But I am unable to get any further information regarding which part of European Railway or how the associated risk is mitigated. Kindly share any information regarding this.

Thanks,
savitha
PJW
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)