(29-05-2009, 05:00 PM)seastmond Wrote: I have typed up my attempt at this question that we went through in the study group on 20th May.
I hope somebody finds it useful.
Simon
It is good to see someone prepared to share; too many leave it to the tutors / someone else to make accessible to others who could not attend the session. I hope that it is the first of many and that others will follow suit.
Overall seems a very good answer to me.
Part 1.
You were asked for three examples and you gave three examples but recognised that you needed to do a little more than this for the marks. Your approach of giving several lower level faults which could lead to the same higher level failure is good (though I think emphasising event / defect / fault / failure distinctions would have added something worthwhile). To demonstrate a greater range it might have been worth including in your examples something a little more different (all seem to be technical failures of equipment)- what about the need to caution a train through an axle counter section after it has been reset following disturbance by a P'Way shovel being used too close to a count head for example?
Part 2.
It was good that you interpreted the question both to mean "worth providing at all" and "what would be appropriate to provide"; always be on the look-out for doing this by "reading between the lines" to spot the hidden ambiguity so that you can expand the question. May have been worth making a little more of this latter interpretation by bringing in some discussion re
a) the nature of the degraded mode (i.e. is it a lower capacity signalling system of the same integrity- e.g. ETCS L1 back up but with limited number of block sections to an ETCS L2 system- or is it a lower integrity system to keep trains moving at much reduced speed with driver proceeding on sight but with the assurance that the route is set, locked and detected)
b) the nature of the transmission system used for the in-cab display (e.g. is it via a code superimposed upon the track circuit, via separate inductive loops for intermittent / quasi-continuous transmission or by radio); this could be relevant in assessing whether a common mode failure might affect any back-up signalling system and / or whatever signaller-driver communication is provided. For example if there are no SPTs and both the cab-signalling and cab-radio are implemented via some common radio equipment then a physical signal trackside that does not use the same comms system may be more appropriate than when the in-cab signalling uses the track circuits for the transmission medium.
Part 3.
To me this seems the hardest part to answer, particularly as I'd have put much of what you'd written here in part 2 (yes in the exam you should always read the full question before starting the answer..... but examiners would award you the marks if you had gone deeper than they had intended in an earlier section and thus had already answered by the time you got to the section where they were expecting that information). To me much of what you wrote does fit more comfortably in part 2 rather than 3; however I am struggling to do much better.
Certainly right to emphasise independence from common-mode failures; I am not so convinced that the back-up does need to be highly reliable though, provided that any fault it suffers is self-detecting and receives prompt attention. A back-up for a signalling system is not in the same league as a parachute for abandoning an aircraft or air-bag in a car so I disagree with a little of what you wrote; it is not the sole mitigation that could prevent a death, it is merely trying to overcome operating delay or the potentially slightly risky procedural operation of the railway. So provision of a reasonably reliable system of low SIL may be perfectly reasonable for the usage it is going to get; far better that than nothing at all due to the wonderful system being unaffordable. You might also have mentioned the possibility of a reasonably localised control (to overcome transmission problems from the main control centre) provided that the railway is such that this back-up could quickly be implemented by staff close to site or start working automatically in the event of failure of the main system being detected.
So I think that for the 3 of the 5 marks in this section I like your 2nd and 3rd bullets as they are and your 4th bullet with modifications. I think discussion of where to exercise control, how to "switch-in" and "switch-out" would be the 4th but can't really find a 5th, so in the exam I'd talk about trying to design it as a basic system with generic functionality as far as possible free from any specific frills so that it can quickly be customised from the generic solution to the particular site (did I say "modular signalling".....). Anyone else got a better idea for that 5th mark?
Part 4.
There are probably more items here than you need / would have time for in the exam. Clearly for this exercise well worth including them all, but be careful not to get carried away in the exam; sometimes there is a rich seam and it is very tempting to go on mining, but remember that "enough is enough"- when you have the luxury of choosing a selection from what you know and is relevant, then do ensure that you show the total breadth and thus include some performance risks, some safety risks (did you really identify which were in which category? and could you have split safety into personnel safety / system safety and performance re getting into the fall-back mode and whilst working in fall-back mode?), some technical and some operational.
Part 5.
Again I thought what you put was good. I'd be looking for bullet points about "first cost", "whole life cost", "safety benefit", "direct performance benefit", "reputational insurance benefit" and you covered all these but perhaps the safety benefit was not considered well enough. It almost looked like something that might get called upon to help justify the cost if the other claimed benefits weren't giving a strong enough business case! You should have considered whether providing the cab-signalling without any back-up would be good enough to be demonstrably ALARP and thus some form of degraded mode signalling would have to be provided unless costs proved grossly disproportionate. Always bear in mind which module you are answering the question within; the examiners will be looking for a "module 1 spin" as it was asked in module 1 whereas a slightly different spin if the identical question had been placed in a module 5 paper.
So all in all I think a very good answer. It is particularly interesting given I have just come back from Spain looking at a line that will (eventually ...maybe even this year let's hope) be operated under ETCS level 2 but currently with ETCS level 1 that will be kept as a back-up as well as the legacy ATP system as a back-up to the back-up; all this on a line with trains no more often than 15 minutes in each direction. I believe that it was mainly funded by EU money which may well have influenced the decision and of course the L2 isn't working yet and they needed the High Speed Line to be open so there were other considerations as well. Furthermore if a train is more than 10 minutes late in Spain then all passengers automatically get their entire fare for the journey refunded; compare this to the UK where a train up to 10 minutes late is generally regarded as being "on time" and only if you get horrendously delayed do you have a chance of getting some small amount of refund or ex-gratia gift as some grudging compensation; different environment!
PJW

