(13-04-2016, 10:11 PM)dorothy.pipet Wrote: I did deliberately choose TPWS as an example of a WSF which does not have a consequence unless something else also fails.
That makes it a WSF at sub-system level, but not necessarily at whole Railway System level. I'll take note of that as something worth making explicit.
I think it was a perfectly good choice; the fact that it by itself does not lead to an immediately dangerous situation does give a good contrast (though I think that I'd actually have made it my second example). I was actually more responding to Jerry than to your original submission.
Given that the question was potentially also about telecoms WSFs, this itself reinforces the point that a WSF can be in a system of low (or nil) SIL. I certainly cannot think of a telecom fault that gives an immediate threat to safety; they are all actually going to need something else to be wrong:
a) wrong call connected by telephone concentrator (correct use procedure by signaller and driver should be defence)
b) inability to send GSM-R Emergency Stop message (some incident must have arisen to require its use as a form of mitigation)
c) misrouted transmission which results in the wrong SSI interlocking's datalink information being presented at a trackside node (LDT coding and the TFMs' non-volatile memory of their initial connection should prevent it being acted upon).
So I think it was a good example and would definitely say that "TPWS not energising" is a WSF, albeit a relatively low risk one which indeed is what justifies the low SIL in the first place.
- The fact that there is a high probability that the failure will result in the loss of proving and thus dropping of the VCR and that this causes the signal in rear to be replaced to red (except when Approach Release Relief applied) makes it a protected WSF with only a small "time window" of risk exposure.
PJW

