Embed Size (px)
DESCRIPTION
This training PPT was prepared to support students for understanding of Basic railway principles
Citation preview
Safety Concept & Practices in Signalling
Presented by
Shiv Mohan ATC&S Manager
Serco Dubai Metro
Signalling and Safety Systems
Pointmachine
Point machine
Axle counting
Intermittenttrain controlsystem
Intermittentautomatic train controlsystem EUROBALISE
Continuousautomatic traincontrol system
Computer room
Control room
Axle counting
Continuousautomatic traincontrol system
Interlocking
S- bond
Signalling Overview
A T O
A T P I S
A T S
Safety Layer
Automatic TrainSupervision
Interlocking
Automatic TrainOperation
Automatic TrainProtection
What is Fail Safety?
Failures- whether Equipment or Human - can be minimized -but can not be eliminated Therefore, steps are required to be taken to ensure that there
is no unsafe effect of failure Signalling Systems are designed in such a way that every
Failure has a safe Reaction
This is called Fail – Safe Principle
Fail – Safe Principle
Fundamental principle of design of Signalling system is:
--- safe state corresponds to the lowest energy level --- to keep the system in a permissive state, constant
energy/effort should be applied
This ensures that due to any inadvertent situation or failure,the system comes back to the state of lowest energy—ie. Safe Sate
Equipment Failure Equipment
Failure
Safe reaction
Unsafe reaction
Normal system design
Safe reaction
Unsafe reaction
Fail safe Signalling System design
Fail - safety
Fail – safe Principle is adopted in the design of all signalling systems- mechanical, relay based as well as software based systems
Example- Semaphore Signal -Mechaniical design is such that”stop” aspect is the stable state -Constant Force required to keep required to keep the signaling “
proceed” aspect. Signal returns to “stop” aspect in case of breakage of transmission wire
or any other failure.
Fail – Safety-Examples
Signalling Relays: -Stable state- Dropped (Maintained by gravity/spring
action)- safe state - Red signal aspect controlled by Relay-” dropped”- which
is lowest energy state. - permissive aspect controlled by Relay –”picked up” - Constant current required to maintain the relay in “picked
Up”
Software Based Systems
Software based Signalling systems require repeated positive action to be taken to be taken by- both,software as well as hardware to keep it in permissive state.
Disruption of this positive action due to any failure results into reversion of the system to safe state.
Microprocessor and other component
Disadvantage Are not fail safe Don’t have well
defined failure modes Are not reliable enough
to meet 10-9 unsafe failures/our. They are approx. 10-5 to 10-6
Advantage Speed ability to perform
complex task Miniature size Low price
Then How is Safety Achieved?
Employ more resources than required (redundancy)(both hardware & software)
Self check procedures to detect a fault within given time period dt such that prb. Of occurance of a fault within dt is <10-9
watchdog timers
What is Redundancy?
Redundancy: Is the use of additional resources(whether hardware or
software) than required for the normal functioning of the system
The additional resources should be configured judiciously to obtain max. advantage in terms of safety and reliability
The amount and type of additional resources and its configuration will depend on the safety and reliability requirements.
OR
UNIT 1
UNIT 2
PF =P2 , PWSF =2P
AND
UNIT 1
UNIT 2
PF = 2P , PWSF =P2
PF =Probability of failure
PWSF =Prob.of wrong
side failure
Safety Availability
This Will not increase safety
Types of redundancy
Dual hardware redundancy Dual hardware redundancy with 100%
standby Triple modular redundancy(TMR) Software redundancy-single hardware
Dual hardware Redundancy (2 oo2)
comparator
Unit 1
Unit 2
Assumption : both units of hardware will not fail simultaneously
PF = 2P, PWSF = P2
Dual HW red+100% standby (2-2oo2)
Subsystem1
Subsystem 2
OR
Unit1/A
Unit 2/A
Unit 1/B
Unit 2/B
Comparator A
Comparator B
PF =4P2 PWSF = 2P
2
Triple Modular Red.(TMR) (2oo3)
Unit 1
Unit 2
Unit 3
Majority voter
Asmpn: 2 units will not fail simultaneously
PF = 3P2
PWSF =3P2
Software redundancy- single hardware
Software A
Software Bcomparator
Single hardware
Assmpn: independent Softwares will react differently for a HW fault
Self Check & Watchdog timers
Periodical check of microprocessor, buses,memory, peripheral especially input circuits
Watchdog timers-within specified time window if command is not received then system goes to safe state.
Essentials of Interlocking(as per indian railway SEM)
It shall not be possible to take ‘OFF’ a running signal, unless all points including isolation are correctly set, all facing points are locked and all interlocked level crossing are closed and locked against public road for the line on which the train will travel including overlap.
After the signal has been taken ‘OFF’ it shall not be possible to move any points or lock on the route, including overlap and isolation, nor to release any interlocked gates until the signal is replaced the ‘ON’ position.
It shall not be Possible to take ‘OFF’ at the same time, any two fixed signals which can lead to any conflicting movements.
Where feasible, points shall be so interlocked as to avoid any conflicting movement.
