A new fail-safe principle for railway signaling


A new fail-safe principle for railway signaling Yinghua Min Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China

Outline Introduction Old fail-safe principle Difficulty in implementing the old fail-safe principle A new fail-safe principle Conclusions

Signaling. When trains run on railway tracks they follow operating rules in which safety plays a very important role. The most important safety rule is that two trains must never occupy the same position on the track at the same time. To enforce this rule, train operation uses signaling to control the movement of trains and divides the track into sections, each of which is protected by a signal.

Importance. Transportation efficiency vs. safety: when both cannot be achieved simultaneously we prefer to lose efficiency but guarantee safety. The need to ensure safety is always the topmost consideration, and under no circumstances may the signaling arrangement compromise this primary requirement. The fail-safe principle is therefore critical for railway signaling systems, and railway accidents teach us the importance of signaling safety.

Old fail-safe principle. The principle dates from decades ago, when relays were widely used in railway signaling systems. It said that railway signaling had to guarantee safety when any element in the system was faulty, including degraded running of signals.

Relay interlocking. In some forms of partial-route relay interlocking, electrical switches are provided that allow electrical feeds to signals of the appropriate colors and to points as desired. Through the use of suitable relay logic the safety of the system for train running is ensured. In such systems electrical detection of points is used, and track circuits are used for proving that train running is safe. When the relays are unoperated, no unsafe condition of train running can occur.

Reliability of relays. A relay is drawn with coil input L and contact output C. Ideal relay: C = L in every case. Unreliable relay: when L = 0, P{C=0} = p and P{C=1} = q; when L = 1, P{C=0} = q and P{C=1} = p, where q = 1 - p and p >> q. Both failure directions are possible, so an unreliable contact can falsely report an energised coil.

Safety relays. For a safety relay it is impossible for C to be stuck at 1: when L = 0, P{C=0} = 1 and P{C=1} = 0; when L = 1, P{C=0} = q and P{C=1} = p. The relay can only fail towards the de-energised (restrictive) state. Example: gravity-type relays, whose contacts are returned by gravity, which is always present whatever else fails; a single-lamp signal mechanism of gravity type guarantees a red light when it fails.

Metal-to-metal contact relays. It is possible to use metal-to-metal contact relays to realise the logic circuits, but such circuits have to be designed with care to ensure that train operation is safe even under failure conditions. This is achieved by designing the circuits so that, for every clearance of a signal, each relay that picks up to clear the signal is also proved via its back contact.

Track circuits. Whether a track section is occupied or clear is indicated by a track relay, which is a safety relay. On train occupancy, and equally in any fault case, the relay drops with probability 1: any disconnection, loss of power or broken wire de-energises it. A broken bulb gives no display, and no display is treated as a red light.

The system therefore commands a red signal whenever the track circuit is faulty, whether or not a train is actually running in the section ahead. This is how the old fail-safe principle was implemented.
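The relay fault model of the two preceding slides and the track-circuit rule above can be exercised in code. The following Python is an added example, not part of the presentation: it models a relay with coil L and contact C, the two stuck-at fault modes, and the asymmetry that a safety relay cannot stick closed, then derives a signal aspect from a constructed track circuit (occupancy, rail continuity, feed, lamp) and enumerates every single fault with a train present to see whether a wrong-side failure (green while occupied) is possible. The fault-mode names, the relay/track-circuit functions and the Monte Carlo estimate are assumptions made for the example, not the author's notation.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple

# Fault modes for a relay contact (names are this example's own).
# NONE: contact follows the coil.  STUCK_OPEN: contact reads 0 whatever the
# coil does.  STUCK_CLOSED: contact reads 1 whatever the coil does.
NONE, STUCK_OPEN, STUCK_CLOSED = "none", "stuck_open", "stuck_closed"


@dataclass
class Relay:
    """Relay with coil input L and contact output C, as on the slides.

    A plain relay can fail either way (the 'unreliable' case, p >> q).
    A safety (gravity-type) relay cannot hold its contact closed without
    coil current, so STUCK_CLOSED is excluded: P{C=1 | L=0} = 0.
    """
    safety: bool
    fault: str = NONE

    def contact(self, coil: int) -> int:
        if self.fault == STUCK_OPEN:
            return 0
        if self.fault == STUCK_CLOSED:
            if self.safety:
                raise ValueError("a safety relay cannot stick closed")
            return 1
        return coil


def track_relay_coil(occupied: bool, continuity_ok: bool, feed_on: bool) -> int:
    """Constructed track circuit: the relay coil is energised only when the
    section is clear AND rails/bonds are intact AND the feed is live.  A
    train's axles short the rails and drop the relay; so does any break."""
    return int((not occupied) and continuity_ok and feed_on)


def signal_aspect(track_relay: Relay, occupied: bool, continuity_ok: bool,
                  feed_on: bool, lamp_ok: bool = True) -> str:
    """Proceed ('green') only on a proving front contact; 'red' otherwise.
    A dark signal (broken lamp) counts as red by rule."""
    if not lamp_ok:
        return "red"
    c = track_relay.contact(track_relay_coil(occupied, continuity_ok, feed_on))
    return "green" if c == 1 else "red"


def wrong_side_failures(safety: bool) -> List[Tuple[str, bool, bool]]:
    """Enumerate every single fault (relay or track circuit) with a train
    present and return the cases where the signal still shows green."""
    bad = []
    faults = [NONE, STUCK_OPEN] + ([] if safety else [STUCK_CLOSED])
    for fault in faults:
        for continuity_ok in (True, False):
            for feed_on in (True, False):
                relay = Relay(safety=safety, fault=fault)
                if signal_aspect(relay, True, continuity_ok, feed_on) == "green":
                    bad.append((fault, continuity_ok, feed_on))
    return bad


def monte_carlo_wrong_side(safety: bool, q: float, trials: int, seed: int = 1) -> float:
    """Estimate P{green | occupied} when the relay fails with probability q
    per trial (q = 1 - p in the slides' notation), the failure being split
    evenly between the fault modes available to that relay type."""
    rng = random.Random(seed)
    modes = [STUCK_OPEN] if safety else [STUCK_OPEN, STUCK_CLOSED]
    wrong = 0
    for _ in range(trials):
        fault = rng.choice(modes) if rng.random() < q else NONE
        if signal_aspect(Relay(safety, fault), True, True, True) == "green":
            wrong += 1
    return wrong / trials


if __name__ == "__main__":
    print("plain relay, wrong-side cases:", wrong_side_failures(safety=False))
    print("safety relay, wrong-side cases:", wrong_side_failures(safety=True))
    print("P{green|occupied}, plain :", monte_carlo_wrong_side(False, 0.1, 20000))
    print("P{green|occupied}, safety:", monte_carlo_wrong_side(True, 0.1, 20000))
```

The enumeration shows the point of the gravity-type relay directly: every fault the track circuit can suffer, and a relay that sticks open, all drive the aspect to red, so only the excluded stuck-closed mode could ever produce a green over an occupied section.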

Automatic block system (ABS). ABS lets trains running in the same direction follow each other safely without risk of rear-end collision. The automation comes from the ability to detect whether blocks are occupied or otherwise obstructed and to convey that information to approaching trains. "Automatic" means the system operates without any outside intervention: it rejects external control when establishing a flow of traffic, which is inconsistent with the idea of CTC.

ABS. Movement of a train between two stations is controlled by a pair of pieces of equipment that railways call "block instruments". The automatic block signal (ABS) is the vital interlocking hardware located at the remote site.

Centralized Traffic Control. CTC is highly centralized: it controls not only traffic scheduling but also all signal facilities, and it commands train operations and management. Highly centralized systems have the advantage of high efficiency, but the disadvantage of degraded reliability and safety.

Interface Controls. Interface controls should be arranged on fail-safe principles: an absence of circuit continuity indicates a train approach.

Warning Light Controls. Warning lights shall be designed to operate in a fail-safe mode, so that an absence of indication is treated as a warning. Separate warning lights shall be used for separate tracks unless specifically approved otherwise. The warning given by the system shall be initiated by the detected approach of any rail traffic movement routed towards the protected area, and shall be maintained until all those movements are detected as being clear of the protected area. Operation of the warning lights shall be automatic and shall not require any action by the signaler. Fail-safe means of train detection shall be used, and failure of the train detection equipment shall leave the system in the "warning" state.

Fail-safe principle. All signaling must be designed in accordance with accepted railway fail-safe principles for both mechanical and electrical equipment: the failure of any component must not present an unsafe condition. Equipment must be reliable but fail-safe, such that any predictable type of failure of an item of signaling equipment leads to a more rather than a less restrictive operating condition.

Microprocessor interlocking. A microprocessor interlocking system, built from microprocessors or full-fledged computers, carries out the logical operations under software control. The drives to external functions such as signal lights and point machines are typically given through suitable serial ports and decoder/controller drivers at the site. The system is designed with the safety requirements in view.

Fail-safe with software. The safety requirement is a logical analysis of the state of the points, track circuits and signals, producing the commands that operate points and signals as required. Since this logic can be implemented with relays or even mechanically, it should be a simple job for a modern computer. But if a fault occurs somewhere along a long processing path, the actuator may not act as desired. In a Solid State Interlocking, safety is attained mainly through redundancy.

Redundancy. Redundancy alone cannot ensure the reliability or safety of a system in operation. Correct management of the redundancy is essential to make a redundant system fault-tolerant and fail-safe.
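The difference between redundancy and managed redundancy can be shown with two computing channels. The following Python is an added example, not from the presentation: two identical channels each decide a signal aspect from a constructed section state, a single stuck-output fault is injected into one channel at a time, and the same faults are run through an unmanaged combiner (proceed if either channel says so) and a two-out-of-two comparison that treats any disagreement as a detected fault and forces red. The channel model, fault names and voter functions are assumptions of the example, not the author's design.

```python
from itertools import product
from typing import Callable, List, Optional, Tuple

FAULTS = [None, "stuck_green", "stuck_red"]  # single-channel fault modes (assumed)


def channel_aspect(section_clear: bool, fault: Optional[str]) -> str:
    """One computing channel deciding the aspect for a section.  A faulty
    channel emits a fixed wrong value regardless of its input."""
    if fault == "stuck_green":
        return "green"
    if fault == "stuck_red":
        return "red"
    return "green" if section_clear else "red"


def vote_any_proceed(a: str, b: str) -> Tuple[str, bool]:
    """Unmanaged redundancy: proceed if either channel says so.  Improves
    availability, but a single stuck_green fault clears the signal and
    nothing is ever flagged.  Returns (aspect, fault_detected)."""
    return ("green" if "green" in (a, b) else "red"), False


def vote_2oo2(a: str, b: str) -> Tuple[str, bool]:
    """Managed redundancy: both channels must agree; any disagreement is a
    detected fault and forces the restrictive aspect."""
    if a == b:
        return a, False
    return "red", True


def single_fault_analysis(voter: Callable[[str, str], Tuple[str, bool]]
                          ) -> Tuple[List[Tuple[bool, Optional[str], Optional[str]]], int]:
    """Inject every single-channel fault against every section state.
    Returns the wrong-side outcomes (green while occupied) and the number
    of fault cases the voter detected."""
    wrong_side, detected = [], 0
    for clear, fa, fb in product((True, False), FAULTS, FAULTS):
        if fa and fb:
            continue  # double fault: outside the single-fault assumption
        aspect, flagged = voter(channel_aspect(clear, fa), channel_aspect(clear, fb))
        detected += int(flagged)
        if aspect == "green" and not clear:
            wrong_side.append((clear, fa, fb))
    return wrong_side, detected


if __name__ == "__main__":
    for name, voter in (("any-proceed", vote_any_proceed), ("2oo2", vote_2oo2)):
        wrong, seen = single_fault_analysis(voter)
        print(f"{name}: wrong-side cases={wrong} detected faults={seen}")
```

The 2oo2 comparison masks every single stuck fault at the cost of availability (a stuck-red channel also forces red) and, because it raises a flag, lets the fault be repaired before a second one accumulates; the unmanaged combiner has the same two channels but no safety benefit from them.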

Difficulty in implementing the old fail-safe principle. With the advance of electronic control systems the principle is no longer practical, because an electronic system is too complex for all possible element faults to be considered exhaustively: there are no contact elements, there is no unified fault model, far too many elements are used, and their faulty behaviour varies. The old fail-safe principle needs updating.

A new fail-safe principle. Given a system and its state transition diagram, define the critical states (those that are life-threatening or threaten major property loss; which states are critical depends on the system's functions) and the safe states (which also depend on the system). A system is fail-safe if every critical state transits to a safe state when any single fault occurs, the fault being detected in time.

(Figure: state transition diagram showing a critical state, a safe state, and the shortest path from the critical state to the safe state.)

The shortest path. The shortest-signal-path principle for fail-safe is to guarantee the highest reliability in critical situations, when critical faults occur in the system: faults in any other nodes are ignored, and no matter how many paths could be activated, only the shortest path is activated.

(Figure: shortest-path control. The field sensors (track circuits, etc.) and the actuators (signal lamp, automatic stopping) are joined by a direct path; a longer path runs from the field sensor through the channel, database, analysis, dispatcher monitor and command before reaching the actuator.)
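The new principle can be checked mechanically once the state transition diagram is written down. The following Python is an added example, not from the presentation: it encodes a small, hypothetical diagram for one block signal (the state, event and fault names are constructed for the example), marks the critical and safe states, injects every single fault that can occur in a critical state, and finds by breadth-first search the shortest path of designed responses back to a safe state, listing the faults for which no such path exists. It also enumerates all response paths from a post-fault state so that the shortest one, the only one the principle activates, can be compared with the longer dispatcher route.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Path = List[Tuple[str, str]]  # sequence of (event, state reached)

# Hypothetical state transition diagram (constructed for this example).
# Events prefixed "fault:" are single-fault injections; all other events
# are designed responses, which are the only moves the system may choose.
TRANSITIONS: Dict[str, List[Tuple[str, str]]] = {
    "proceed_shown": [
        ("train_enters_section", "stop_shown"),
        ("fault:track_feed_lost", "stop_shown"),      # track relay drops: right-side failure
        ("fault:lamp_filament_broken", "dark"),
        ("fault:processing_channel_crash", "channel_lost"),
        ("fault:lamp_driver_stuck_on", "lamp_stuck_green"),
    ],
    "stop_shown": [("section_proved_clear", "proceed_shown")],
    "dark": [("rule_dark_means_stop", "stop_shown")],
    "channel_lost": [
        ("watchdog_drops_outputs", "stop_shown"),     # the short path
        ("alarm_to_dispatcher", "dispatcher_informed"),  # start of the long path
    ],
    "dispatcher_informed": [("dispatcher_commands_stop", "stop_shown")],
    "lamp_stuck_green": [],  # no designed response: an undetected wrong-side failure
}
CRITICAL: Set[str] = {"proceed_shown"}   # a movement authority is being displayed
SAFE: Set[str] = {"stop_shown"}          # the restrictive aspect is displayed


def designed(transitions: Dict[str, List[Tuple[str, str]]], state: str) -> List[Tuple[str, str]]:
    """Outgoing designed responses of a state (fault edges excluded)."""
    return [(ev, nxt) for ev, nxt in transitions.get(state, []) if not ev.startswith("fault:")]


def shortest_safe_path(start: str, transitions=TRANSITIONS, safe=SAFE) -> Optional[Path]:
    """BFS over designed responses from `start` to the nearest safe state.
    Returns the path, [] if `start` is already safe, or None if unreachable."""
    prev: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s in safe:
            path: Path = []
            while prev[s] is not None:
                ev, p = prev[s]
                path.append((ev, s))
                s = p
            return path[::-1]
        for ev, nxt in designed(transitions, s):
            if nxt not in prev:
                prev[nxt] = (ev, s)
                queue.append(nxt)
    return None


def check_fail_safe(transitions=TRANSITIONS, critical=CRITICAL, safe=SAFE) -> Dict[Tuple[str, str], Optional[Path]]:
    """For every critical state and every single fault that can occur there,
    the state the fault leads to must reach a safe state by designed
    responses.  Maps (critical_state, fault) -> shortest path, or None."""
    result = {}
    for c in sorted(critical):
        for ev, after in transitions.get(c, []):
            if ev.startswith("fault:"):
                result[(c, ev)] = shortest_safe_path(after, transitions, safe)
    return result


def violations(transitions=TRANSITIONS, critical=CRITICAL, safe=SAFE) -> List[Tuple[str, str]]:
    """(critical_state, fault) pairs for which the system is not fail-safe."""
    return [k for k, path in check_fail_safe(transitions, critical, safe).items() if path is None]


def all_safe_paths(start: str, transitions=TRANSITIONS, safe=SAFE) -> List[Path]:
    """Every simple path of designed responses from `start` to a safe state,
    shortest first; the principle activates only the first of them."""
    out: List[Path] = []

    def dfs(s: str, path: Path, seen: Set[str]) -> None:
        if s in safe and path:
            out.append(list(path))
            return
        for ev, nxt in designed(transitions, s):
            if nxt not in seen:
                dfs(nxt, path + [(ev, nxt)], seen | {nxt})

    dfs(start, [], {start})
    return sorted(out, key=len)


if __name__ == "__main__":
    for key, path in check_fail_safe().items():
        print(key, "->", "VIOLATION" if path is None else path)
    print("paths after channel crash:", all_safe_paths("channel_lost"))
```

Running the check reports the stuck-on lamp driver as the one fault for which no designed path back to a safe state exists: exactly the kind of wrong-side failure the principle requires the designer to detect in time, for instance by proving the lamp current back to the controller.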

What faults can be made safe? Any fault in the electronic system: hardware faults, software faults, and a dispatcher's operating error. Care must be taken with severe weather: lightning strokes (protect the sensor and actuator against a direct lightning flash) and track circuits (short-circuit sensitivity degrades with moisture).

Conclusions. The fail-safe principle is to identify a critical fault and mask its effect until recovery is taken. A system is fail-safe if any critical state transits to a safe state when any single critical fault occurs and is detected in time. The fail-safe requirement is that the probability of keeping train operation safe be larger than 1 - 10^-10; the MTBF is typically 100 years. The shortest-signal-path principle for fail-safe is to guarantee safety with the highest reliability in critical situations, when a fault occurs in the system.

Thank you for your attention! Comments & questions?