- Email: [email protected]
An Evaluation of Redundancy Concepts for Fault Tolerant Railway Track Switching*
8th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (SAFEPROCESS) August 29-31, 2012. Mexico City, Mexico
An Evaluation of Redundancy Concepts for Fault Tolerant Railway Track Switching ? Samuel Bemment, Roger Dixon, Roger Goodall School of Electronic, Electrical and Systems Engineering, Loughborough University, Loughborough, LE11 3TU, United Kingdom (e-mail: [email protected]). Abstract: Railway track switching provides necessary flexibility to a rail network, but also introduces many single points of failure. Other industries have resorted to redundancy to provide the fault tolerance necessary to achieve specified safety and operational goals in similar critical systems, yet this approach has not yet been applied to track switching. This paper explores several system concepts for redundancy in track switching, and attempts a rudimentary cost/benefit analysis of each. Mechanical design is not considered, the paper being a feasibility study only. Finally, concept performance is evaluated in a case study at Derby Midland station (UK). The results show that providing redundancy which utilises only existing technology demonstrates some gains in operational availability. However, it is unlikely to be cost effective, and for redundancy in track switching to be a realistic prospect, novel designs and technologies may be necessary. Keywords: Fault Tolerance, Rail Traffic, Railways, Redundancy, Reliability evaluation, Train control 1. INTRODUCTION Rail networks offering more than a single vehicle upon a single line are dependent upon the ability to provide multiple routes for traffic. Switches (UK: Points) serve this purpose, allowing the permanent way to merge and diverge, providing different routes. The standard design, in use throughout the world, consists of two ‘switch blades’ upon a suitable supporting structure, which are able to slide laterally between two ‘stock rails’ (Cope and Ellis, 2002). Over time, many aspects of the rail infrastructure have evolved with new developments - new rail cross sections, signalling methods and civils works are obvious examples. However, whilst switch actuation has changed (from mechanical rods and levers to more modern electrical or electro-hydraulic designs) the basic mechanical design of switches has remained identical since the first railways were envisioned. For all the operational flexibility switches provide, they are also a single-point-of-failure. Switch failures can rapidly cripple operations. In some jurisdictions, due to control rules around the location and locking of adjacent switches, single switch failures can sometimes prevent use of an entire junction or station throat (Marshall, 1961). ? The authors wish to acknowledge the financial support provided by the United Kingdom Engineering and Physical Sciences Research Council in grant number EP/I010823/1 and the RSSB for the project titled ‘REPOINT: Redundantly engineered points for enhanced reliability and capacity of railway track switching’. The authors also wish to thank Network Rail Infrastructure Ltd for providing access to network performance data, and Tracsis PLC for continued industrial support and advice.
978-3-902823-09-0/12/$20.00 © 2012 IFAC
763
Infrastructure operators have long recognised this fact, and switches are subject to careful inspection and maintenance regimes to reduce failures. There is a current trend in the rail industry towards condition monitoring and condition based maintenance, which promises to reduce failures.(Garc´ıa et al., 2003; Marquez and Pedregal, 2006; Silmon and Roberts, 2010) However, these strategies can only reduce, not eradicate, failures, and at certain key locations in any network, this may not be enough. Other industries with safety-critical systems have long utilised redundancy as a method of achieving fault-tolerant operation (Isermann, 2006). Redundant systems have seen minimal use in the rail infrastructure sphere, a successful and widely-adopted exception being the architecture of Solid State Interlocking (Cribbens, 1987). This paper seeks to introduce, discuss and evaluate the concept of redundancy in track switching, in order to provide the fault tolerance necessary for uninterrupted operations at these critical locations. It does not seek to provide new mechanical design for switching solutions. Additionally, a case study is then presented to demonstrate the increase in asset availability resultant from deployment of some of the design concepts. 2. EXISTING INSTALLATIONS 2.1 Description A single turnout consists of two stock rails, two switch rails and a common crossing, fastened by clips, bolts and/or chairs to supporting bearers of wood or concrete, themselves supported upon a bed of ballast. Some installations are of slab track, that is, the rails are directly supported by a concrete raft with no ballast. The stock rails are securely 10.3182/20120829-3-MX-2028.00295
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
fixed, whilst the free ends of the switch rails are free to slide upon supporting cast iron chairs, their movement restricted by the attached stretcher bars and the lock and drive provided by the points operating equipment (POE). There are several different designs of POE which are located variously in between the running rails, at the line side, or a combination of both. Higher line speeds require shallower divergence angles, which in turn require longer switches. This leads to a difference between a typical station throat installation, and mainline installation - short, small clearances with many overlapping features in the former, and long, spaced out designs in the latter. Longer designs require multiple actuation points upon the switch blades. This is provided either by a power take-off from the main actuator, or additional actuators along the length. (Cope and Ellis, 2002) 2.2 Unit Cost Estimation In order to provide a basic cost/benefit analysis of the concepts, knowledge of individual component cost is necessary. Using data provided by the UK Infrastructure Operator (Network Rail (NDS), 2011), unit costs of a typical Switch installation in the UK can be approximated. Switches come in many designs tailored to handle handle different traffic speeds and to suit available track side space. For this example, an ‘E’ length (17.25 crossing), shallow depth vertical switch upon concrete bearers with IAD Rail Systems ‘HPSA’ actuation/detection subsystem has been selected, as an example of a typical current UK installation. Costs are raw equipment cost only and no attempt is made to estimate installation or asset life cycle costs. Table 1. Switch subsystem cost estimation Symbol Cp
Ca Cd Cm
Description Permanent way components providing a single turnout location - Bearers, switch blades, common crossing etc Individual actuation subsystem for single switch. Individual detection subsystem for single switch. Additional control components necessary to interface multiple subsystems to current interlocking
Cost [GBP(2011)] 95000
For the sake of this evaluation, ‘use’ will be defined as the average number of actuations per hour (A), which will in turn be derived from the number of scheduled passenger trains per week, under the assumption that the switch position is changed once for each passing train. 2.4 Failure Modes and Rates Whole-system failure events will be grouped into 3 broad categories. It is recognised that in some commercial designs of points operating equipment, there is some overlap between component functions. It is a matter of engineering judgement to attribute these failures to a particular category: (1) Those caused by failure within the actuation subsystem. The actuation subsystem is defined as being responsible for the actuation of the switch rails, linkages providing transmission of drive to the switch rails, and the locking system. (2) Those caused by failure within the p-way 1 subsystem. The p-way subsystem is defined as the switch rails, stock rails, associated slide chairs and sleepers/bearers. (3) Those caused by failure within the detection subsystem. The detection subsystem is defined as being those components which detect the position of the switch rails and facing points lock. Note that the majority of failures in any of (1) or (2) will manifest themselves as a ‘loss of detection’, which is not the same as (3). This does not mean that the detection system has failed, instead it means that the detection system has performed its role in recognising the switch is potentially unsafe (Hadaway, 1950). Further, a loss of detection does not necessarily indicate a failure within another subsystem, but may represent an issue with any of the 3 subsystems. Only maintenance intervention can discern. Failures within the controlling signalling system, typically from the local apparatus case back to the interlocking and further, are beyond the scope of this evaluation.
35000 10000
It is also important to note that the detection subsystem operates continuously, whereas the actuation and p-way subsystems are only required when changing the set route. Failure rates of the subsystems can therefore be related using actuations per hour, A.
3000
It follows that for a typical switch as currently on the network, the total equipment cost Ctotal [GBP(2011)] is the sum of existing components: Ctotal = Ca + Cd + Cp = 140000
of trains’ due to flanking protection, maintenance intervention, ordering of traffic, perturbed running procedures etc.
(1)
3. THEORETICAL FAULT-TOLERANT CONCEPTS 3.1 Proposed Redundant Concepts Potential redundancy in track switching is proposed to take one of three forms:
2.3 Switch Use On the UK network it is difficult to get an accurate estimate of the ‘use’ of each switch as no records are kept. The definition of ‘use’ can also vary - tonnage of traffic, number of passing vehicles, or number of actuations. Further, ‘number of actuations’ can vary greatly from ‘number 764
(1) Redundancy in Actuation or Detection: A lower cost option which could potentially be retrofitted to existing installations. No change in the track layout is 1
A railway industry abbreviation for Permanent Way, meaning permanent track components - rails, sleepers, chairs etc.
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
necessary, however, this retains the single point of failure issue for permanent way related failures. Multiple actuators and detection systems would be fitted to a single switch, with associated control equipment. Operational switches would require one OR other system to be functioning for traffic to pass. (2) Redundancy in Permanent Way (multiple routes ‘Network Redundancy’): A higher cost option as it requires additional permanent way to provide bypass routes, but could lead to a step change in network availability. Traffic would be able to take one OR another route through a single turnout node, dictated safe by the interlocking, to reach a prescribed destination. (3) Combinations of the above: Potentially, both options could be combined, to provide the most robust, but highest cost, system. Multiple routes could be achieved by multiple actuators featuring multiple detection systems. Subsystem interaction would need to occur on multiple levels for optimum benefit (e.g. the loss of the actuation subsystem of flanking points is not an issue for passing traffic, whereas loss of detection potentially is). Additional control would be needed locally and within the interlocking. An infinite number of combinations is possible theoretically, but the practicalities of combining components in a real-world design places the upper limit on the instance of each subsystem to between 2 and 4. As part of the work, upwards of 25 unique combinations have been studied. The 5 concepts labelled A-E below represent a small selection of those, due to the berevity of this paper.
3.2 Control and Decision Making - The ‘OR’ Requirement The prospect of adding redundancy into the signalling system raises an interesting issue. Both detection and network redundancy require some use of OR logic. The whole system of route-based signalling is currently built solely upon ‘IF... THEN’, ‘AND’ and ‘NOT’ logic, with no provision for the use of ‘OR’. For example, IF the points are detected correctly AND the line ahead is NOT occupied, THEN the signal can be cleared (Such, 1956). Detection logic could be as simple as a local decision on what state to communicate back to the interlocking. Automated network redundancy would be more complex, requiring OR to become a feature of the interlocking system, with the interlocking trying to set any of a number of routes through a junction. Combinational designs could reach almost any level of complexity, with routes potentially declared safe and set even with known subsystem faults in adjacent switches that, under current rules, would render the use of the route impossible. Some level of change to local design rules and legislation is therefore inevitable. This decision making process could fill more than a single paper in its own right, therefore the particular complexities of implementation and control are ignored here. The remainder of this paper will concentrate upon potential operational reliability benefits assuming these control difficulties can be overcome. 765
3.3 Concept A: Multiple Actuation of a single switch Redundancy is provided passively in the actuation function only, on a single switch with a single detection element. The turnout would be able to change position if any one of the NA actuators, was in a functioning state. This schema would be akin to those used to actuate flight control surfaces on passenger aircraft. Common mode failures involving the switch blades (e.g. stuck ballast) would still have the same effects. Some local control logic would be necessary to operate multiple actuators, the assumption is made that this is perfect. 3.4 Concept B: Multiple Detection of a single switch Redundancy is provided in the detection function only, on a single switch with a single actuation element. Duplication of detection is not as straight-forward as duplication of actuation. Detection is a safety function which exists to ensure that the turnout is in a safe state for the passage of traffic. Having duplicate detectors, and allowing the system to utilise the result which allows most vehicle movements could conversely be seen as ignoring a warning of a system in a failed state. For this reason, a scenario featuring 2-out-of-3 voting will instead be explored. 3.5 Concept C: 3 Switches Combined offering a single ‘bypass’ route Here, redundancy is provided by allowing two possible paths through the turnout, as in fig. 1. The turnout would therefore consist of 3 separate switches, each with a single actuator. In normal use, switches A and C would be set normal. Switch B would be actuated to change the route. Simple local control logic would be employed such that if switch B failed, switch C could be set reverse, and switch A then utilised as necessary to change the route. In this way, the availability of the reverse 2 route through the switch is increased considerably. The normal route through the combined turnout would still be available for use, providing the failure in Switch B was one of actuation, not detection, and that detection was still functioning in the normal position. Note that the reliability is now calculated as a separate function for each route, as different routes require the correct function of different subsystems. Note also that a loss of detection on switch A would still render the entire turnout unusable. 3.6 Concept D: Multiple Actuation and Detection of a single switch Redundancy is provided in the detection and actuation functions, on a single switch. The switch could be actuated by any single sub-system. The switch would be declared in correspondence (i.e. 2
Normal and Reverse are used here to merely distinguish between the two positions of a turnout or switch. In a real-world scenario, it would generally be more beneficial to provide redundancy on the normal route, so this turnout design would counter-intuitively have normal/reverse swapped over.
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
4.2 Reliability Estimation Fig. 2 shows system-level block diagrams representing each of the concepts. Due to the differing subsystem utilisation, and therefore availability figures, of Normal/Reverse routes through designs with multiple paths, there are necessarily several block diagrams. In order for the system to be functioning, there needs to be a path through the block diagram from left to right, entirely encompassing functioning subsystems.
Fig. 1. Multiple traversal paths and turnout identification in Concept C.
The system block diagrams in Fig. 2 can be converted to equations describing the mean time to failure M of each route within each concept. Example formulae are shown in equations 2 to 4. Reliability of each subsystem can be approximated using figures obtained from the performance of existing UK installations (Network Rail (AM), 2011), and is expressed as λ. 1 MA = (2) n (Aλa ) a + Aλp + λd MB =
1 (2λd )3 + A(λa + λp )
MC(N ) =
1 (A(λa + λp ))2 + 2λd
(3) (4)
The chosen measure of reliability for the initial appraisal is Mean Time to Service Affecting Failure (MTTSAF), also included as a figure for comparison is the 13 week survivor function R, listed for reverse and normal routes where different. 13 weeks is the standard interval between preventative maintenance in the UK. R therefore describes the proportion of switches which would survive the maintenance interval without further unscheduled intervention. Results are shown in table 4. Fig. 2. System Block Diagrams for proposed redundancy concepts A through E. trains could run) if any one of the discrete detection units detected both switch blades in the correct position, and the FPL engaged. The actuators and detectors act upon a single P-way unit - i.e. there is only a single path through the turnout for vehicles. Some local control logic would be necessary to operate multiple actuators and compare states of multiple detectors. 3.7 Concept E: Multiple Actuation and Detection of 3 Switches Combined Redundancy is provided in all 3 subsystems of a multipleroute switch. As in concept (C), use of different subsystems by different routes means the availability of the two routes will differ.
These results, whilst providing some measure of improvement, come with obvious limitations upon an operational railway. Common mode failures have been ignored, though in reality there are relatively few. Extreme weather, cable theft and vandalism are the obvious issues, though considered out of scope in this study. Power supply failures would render the whole turnout unusable, but are also placed out Table 2. Concept Cost Estimation Concept (Standard) A B C D E
Cp 1 1 1 3 1 3
Ca 1 2 1 3 2 6
Assuming dual actuation in (A) and (D) and (E), equipment costs can be approximated from the number of required subsystems: 766
Cm 0 1 1 2 2 4
Total [GBP(2011)] 140000 178000 163000 426000 201000 567000
Table 3. Subsystem Reliability Estimates Symbol A
Value 8
λa
1.00 × 10− 5
λd
1.90 × 10− 5
λp
2.50 × 10− 5
4. DESIGN CONCEPT EVALUATION 4.1 Cost Estimation
Cd 1 1 3 3 3 6
Description Equivalent to an average of 8 trains per hour. Very heavy junction use. Equivalent to a single failure every 100 000 actuations. Equivalent to a single failure every 6 years. Equivalent to a single failure every 40 000 actuations.
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
Fig. 4. ∆R/∆C GBP(2011)−1 for each Concept (Estimated direct effectiveness per additional unit cost) 4.4 Discussion
Fig. 3. Estimated Cost vs Estimated 13-week survivor function (R) of scope as a complete supply failure would extinguish all signals and prevent any traffic movements in any case. Concepts (C) and (E) provide multiple paths for traffic. This means that, with the correct physical layout, repairs to switch ‘B’ could be carried out whilst traffic was diverted through switches ‘A’ and ‘C’ (See fig. 1). This means the true availability of the reverse route, with the correct maintenance response, could potentially be much higher than indicated. The MR figure for concept (E), whilst mathematically correct, can be taken as artificially high due to the assumption of perfect switching and control. In a real-world installation, the complexity of controlling a single switch with so many subsystems, as well as the mechanical design complications of fitting them into a suitably sized package, would severely limit this figure. However, a more accurate figure cannot be reasonably estimated without much a more in-depth design study which is also beyond the scope of this analysis. 4.3 Cost vs Benefit Figure 3 shows the potential increase in reliability for each concept, as measured by the 13 week survivor function R. Concepts (C) and (E) show a range due to the differing figures for normal and reverse operations. Figure 4 demonstrates the effectiveness of the additional cost in each concept, assuming the maximum MTTSAF where normal and reverse routes differ. It should be noted that it is more likely to be total cost which would be the limiting factor in a real installation. Table 4. Concept reliability estimation Concept
Standard A B C D E
MN (hours) (×103 ) 3.34 4.57 3.57 1.67 5.00 2.50
MR (hours) (×103 ) 3.34 4.57 3.57 3.14 5.00 40.0
RN
RR
0.52 0.62 0.54 0.27 0.65 0.42
0.52 0.62 0.54 0.50 0.65 0.95
∆M (hours) (×103 ) n/a 1.23 0.23 -0.02 1.66 36.66
Providing redundancy of actuators and detectors in concepts (A), (B) and (C) leads to small incremental improvements in the reliability of the switch. When taken outright, this may or may not prove beneficial to the infrastructure operator’s business. However, of critical importance is the ratio of ∆M to the expected mean time to repair, MTTR. This describes the likelihood of successful maintenance intervention between subsystem and whole system failure. Current figures for MTTR are around the order 100 to 101 hours. However these assume a complete failure of the switch and therefore traffic flow having ceased, enabling swifter maintenance intervention. With the addition of effective remote condition monitoring, the probability of complete switch failure after the first indication of impending subsystem failure is diminishingly small. The benefits of concepts (C) and (E) are higher in operational practice than the pure reliability figures suggest. Crucially, these concepts trade a small amount of Normal route availability for a larger gain in Reverse route availability. This may be of great benefit in certain situations, for instance station throats, where keeping traffic flowing can be much more important that routing it to the correct platform. The multiple routes through the switch mean that an isolated work site could be set up around the bypassed subsystem failure, and even though the Normal route would be blocked, traffic could potentially continue to flow along the Reverse route. Critically, this provides a degraded mode of operation for failures involving the p-way components which is not present under current operation. 5. CASE STUDY It is beyond the scope of this study to decide potential network locations to benefit from such redundancy. However the authors feel it is worthwhile to provide a case study as an example of potential benefits of redundant network design in an operational scenario. Naturally the case study should be from a known problem area, as it is envisioned that the extra expense of such an installation would only be justified in such cases. The location selected was the south throat of Derby Midland station, England. A diagram of the current layout is shown in figure 5. Traffic arrives/leaves via one of two bi directional lines, and is diverted to one of six platforms or a by-pass route by the use of 7 switches, including
767
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
a special combined type, the ‘double slip’, shown here diagrammatically as two switches for simplicity. Switches A and B are the critical pinch-points, as failure would prevent the use of any platforms for trains arriving on the upper or lower lines respectively. Traditional design practice dictates that the permanent way is set out according to anticipated traffic levels, and the signalling is then added to allow the correct routing of traffic. In this example, this design methodology is replaced by a fully redundant network allowing at least 2 routes into each platform. This does not allow for anticipated traffic levels, so some routes would naturally be little used. The bypass line is not provided with redundant switching as it is assumed traffic could pass through via any unoccupied platform line. Similarly, the bay platform is not provided with redundant switching, as it is of use to a single service only, which could utilise any other platform if absolutely necessary. It is important to note that the revised case in fig. 6, with 16 switches, represents the most extreme version of network redundancy and is for illustrative purposes only. It is anticipated that in an operational context, a balance would be found with several ‘high availability’ platforms provided with multiple access routes. These would be timetabled in order to be lesser used, such that they could be utilised more densely should a failure render a ‘low availability’ platform unusable for a time. 5.1 Platform availability Platform availability is herein defined as the ability of the system to allow an approaching vehicle to access a particular platform. For the purposes of the case study, we shall concern ourselves only with vehicles arriving upon the upper line from the left of figs. 5 and 6, and routing into any of platform 1, 2 or 3. The comparison is restricted to these platforms as these are the only platforms available to arrivals on the upper line in the current layout. It shall also be assumed that all platforms are empty, and that platform allocation is non-critical. This comparison shall use the 13-week survivor functions (R) which are discussed in section 4.2 and listed in table 4. To recap, these figures describe the probability each concept will be available for use after 13 weeks, assuming normal use and zero repairs.
non-redundant layout, there is only a single route to each platform For cost comparison purposes, this layout consists of 7 standard switches. Only 3 of these are used to route trains for this example. An estimate, in GBP (2011) and excluding track costs, is therefore given by: Ctotal = 140000 × 3 = 420000 (5) 5.3 Proposed Redundant-Network Layout The redundant network layout allows access to all platforms. All switches are accessible from the upper arrival lane, and any may be traversed at some point en-route to a platform. However, for the purpose of this evaluation we shall route into platforms 1, 2 and 3 only. In order not to bias the comparison, it is judged that switches which do not aid in routing traffic into these three platforms shall not contribute to the failure statistics. These are switches H, M, P, R, S, T, U and V. Removal of these switches compresses the layout into two type E concepts as described in section 3.7 (G-I-J, grouped as ‘W’ and N-O-Q, grouped as ‘X’), along with a standard crossover (K-L) constructed from 2 ‘D’ concepts as described in section 3.6. The reduced layout for the purpose of this analysis is shown in fig. 7. Platform availability is the probability that at least one route to a platform is open after the 13-week interval, therefore it is the sum of the Route Availabilities. The figures are shown in table ??. For cost comparison purposes, the layout consists of two ‘D’ concepts and two ‘E’ concepts, giving, in GBP (2011): Ctotal = 567000 × 2 + 201000 × 2 = 1536000 (6) 5.4 Analysis and Summary The figures demonstrate increased platform availability through the use of network redundancy. However, this comes at significant extra cost. In essence, additional operational availability of platforms during asset failures can be purchased through the deployment of network redundancy. In a real scenario, it may be a wise approach to optimise the network redundancy in order to bring a majority of the benefits at a fraction of the additional cost. This optimisation problem is omitted from this paper but is the subject of further study. It is beyond the scope of this paper to judge whether this approach is suitable in Table 5. Current Layout Platform Availability
5.2 Current Layout The current layout restricts arrivals to the use of platforms 1, 2 and 3. This is via the use of switches B and D (double) only, all other switches can be ignored. Switches are of the baseline design, and switch D is taken as 2 separate switches. To calculate each platform availability, one can describe all possible paths from arrival to a platform, and sum the route availability of each. This is shown in table 6 Platform availability is the probability that at least one route is open after the 13-week interval, therefore it is the sum of the Route Availabilities in table 6. As this is a 768
Platform 1 2 3
Route B(n) B(r), D1(r), D2(n) B(r), D1(r), D2(r)
R 0.52 0.523 0.523
Plat. Avail. 0.52 0.14 0.14
Table 6. Redundant-Network Layout Platform Availability Platform 1 1 2 3
Route W(n), L(r) W(r), K(r), L(r) W(r), K(n), X(n) W(r), K(n), X(r)
R 0.42 × 0.65 0.95 × 0.652 0.95 × 0.65 × 0.42 0.952 × 0.65
Plat. Avail. 0.68 0.26 0.58
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
significant additional cost element associated with doing so. Whether the performance improvement could justify the additional cost is beyond the scope of this paper, and in any case would depend heavily upon the particular political and operational environment of any particular node. Future research will concentrate upon generating novel concepts for including redundancy in order to lower projected costs, and optimisation of redundant networks to the same ends. Fig. 5. Derby Midland Station (South): Current layout
REFERENCES
Fig. 6. Derby Midland Station (South): Proposed layout with Network Redundancy
Fig. 7. Derby Midland Station (South): Reduced layout for Analysis any particular instance, but merely to demonstrate the potential improvement for an approximate incremental initial infrastructure investment. An actual deployment decision would need to be taken according to the local operational requirements and political environment, and a subsequent operational cost/benefit analysis. 6. CONCLUSIONS This paper seeks to introduce the concept of redundancy to railway track switching. By splitting the current system down into its component subsystems in section 2, an attempt can be made to duplicate or triplicate those subsystems to create concepts with improved performance characteristics. Many concepts have been evaluated, of which a selection have been described in section 3 in detail, with the appropriate reliability figures. In addition, an elementary estimation of cost has been included in order to place the modifications in context. Considering a real operational context, this methodology has some limitations, as described in section 4.4, yet the results can be taken as broadly indicative of the magnitude of performance improvement achievable. Taking into account the results from section 4 and the case study in section 5, this paper has demonstrated that is is possible to significantly increase switch and network availability through the varying use of subsystem redundancy. However, the paper has also demonstrated that there is a 769
Cope, D.D. and Ellis, J. (2002). British Railway Track 7th Edition, Volume 5: Swith and Crossing Maintenance. The Permanent Way Institution, Derby, UK. Cribbens, A. (1987). Solid-state interlocking (ssi): an integrated electronic signalling system for mainline railways. Electric Power Applications, IEE Proceedings B, 134, 148–158. Garc´ıa, F.P., Schmid, F., and Conde, J.C. (2003). A reliability centered approach to remote condition monitoring. a railway points case study. Reliability Engineering & System Safety, 80, 33–40. Hadaway, H. (1950). IRSE green booklet no.5:- Principles of power point control and detection (British practice). The Institution of Railway Signal Engineers, London. Isermann, R. (2006). Fault-Diagnosis Systems: An Introduction from Fault Detection to Fault Tolerance. Springer, Berlin. Marquez, F.P.G. and Pedregal, D.J. (2006). An algorithm for detecting faults in railway point mechanisms. volume 6. Tsinghua University, P.R. China. Marshall, N. (1961). IRSE green booklet no.19:- Principles of relay interlocking and control panels (British practice). The Institution of Railway Signal Engineers, London. Network Rail (AM) (2011). Asset Management Data related to logged S&C failures, via personal communication, October 2011. Network Rail (NDS) (2011). National Delivery Service (NDS) Data & Contract Support, Switches and Crossings common component price list, via personal communication, July 2011. Silmon, J. and Roberts, C. (2010). Improving switch reliability with innovative condition monitoring techniques. Proceedings of the IMechE: Part F Journal of Rail and Rapid Transit, 224, 293–302. Such, W.H. (1956). IRSE Green Booklet No.2:- Principles of Interlocking (British Practice). The Institution of Railway Signal Engineers, London.
An Evaluation of Redundancy Concepts for Fault Tolerant Railway Track Switching ? Samuel Bemment, Roger Dixon, Roger Goodall School of Electronic, Electrical and Systems Engineering, Loughborough University, Loughborough, LE11 3TU, United Kingdom (e-mail: [email protected]). Abstract: Railway track switching provides necessary flexibility to a rail network, but also introduces many single points of failure. Other industries have resorted to redundancy to provide the fault tolerance necessary to achieve specified safety and operational goals in similar critical systems, yet this approach has not yet been applied to track switching. This paper explores several system concepts for redundancy in track switching, and attempts a rudimentary cost/benefit analysis of each. Mechanical design is not considered, the paper being a feasibility study only. Finally, concept performance is evaluated in a case study at Derby Midland station (UK). The results show that providing redundancy which utilises only existing technology demonstrates some gains in operational availability. However, it is unlikely to be cost effective, and for redundancy in track switching to be a realistic prospect, novel designs and technologies may be necessary. Keywords: Fault Tolerance, Rail Traffic, Railways, Redundancy, Reliability evaluation, Train control 1. INTRODUCTION Rail networks offering more than a single vehicle upon a single line are dependent upon the ability to provide multiple routes for traffic. Switches (UK: Points) serve this purpose, allowing the permanent way to merge and diverge, providing different routes. The standard design, in use throughout the world, consists of two ‘switch blades’ upon a suitable supporting structure, which are able to slide laterally between two ‘stock rails’ (Cope and Ellis, 2002). Over time, many aspects of the rail infrastructure have evolved with new developments - new rail cross sections, signalling methods and civils works are obvious examples. However, whilst switch actuation has changed (from mechanical rods and levers to more modern electrical or electro-hydraulic designs) the basic mechanical design of switches has remained identical since the first railways were envisioned. For all the operational flexibility switches provide, they are also a single-point-of-failure. Switch failures can rapidly cripple operations. In some jurisdictions, due to control rules around the location and locking of adjacent switches, single switch failures can sometimes prevent use of an entire junction or station throat (Marshall, 1961). ? The authors wish to acknowledge the financial support provided by the United Kingdom Engineering and Physical Sciences Research Council in grant number EP/I010823/1 and the RSSB for the project titled ‘REPOINT: Redundantly engineered points for enhanced reliability and capacity of railway track switching’. The authors also wish to thank Network Rail Infrastructure Ltd for providing access to network performance data, and Tracsis PLC for continued industrial support and advice.
978-3-902823-09-0/12/$20.00 © 2012 IFAC
763
Infrastructure operators have long recognised this fact, and switches are subject to careful inspection and maintenance regimes to reduce failures. There is a current trend in the rail industry towards condition monitoring and condition based maintenance, which promises to reduce failures.(Garc´ıa et al., 2003; Marquez and Pedregal, 2006; Silmon and Roberts, 2010) However, these strategies can only reduce, not eradicate, failures, and at certain key locations in any network, this may not be enough. Other industries with safety-critical systems have long utilised redundancy as a method of achieving fault-tolerant operation (Isermann, 2006). Redundant systems have seen minimal use in the rail infrastructure sphere, a successful and widely-adopted exception being the architecture of Solid State Interlocking (Cribbens, 1987). This paper seeks to introduce, discuss and evaluate the concept of redundancy in track switching, in order to provide the fault tolerance necessary for uninterrupted operations at these critical locations. It does not seek to provide new mechanical design for switching solutions. Additionally, a case study is then presented to demonstrate the increase in asset availability resultant from deployment of some of the design concepts. 2. EXISTING INSTALLATIONS 2.1 Description A single turnout consists of two stock rails, two switch rails and a common crossing, fastened by clips, bolts and/or chairs to supporting bearers of wood or concrete, themselves supported upon a bed of ballast. Some installations are of slab track, that is, the rails are directly supported by a concrete raft with no ballast. The stock rails are securely 10.3182/20120829-3-MX-2028.00295
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
fixed, whilst the free ends of the switch rails are free to slide upon supporting cast iron chairs, their movement restricted by the attached stretcher bars and the lock and drive provided by the points operating equipment (POE). There are several different designs of POE which are located variously in between the running rails, at the line side, or a combination of both. Higher line speeds require shallower divergence angles, which in turn require longer switches. This leads to a difference between a typical station throat installation, and mainline installation - short, small clearances with many overlapping features in the former, and long, spaced out designs in the latter. Longer designs require multiple actuation points upon the switch blades. This is provided either by a power take-off from the main actuator, or additional actuators along the length. (Cope and Ellis, 2002) 2.2 Unit Cost Estimation In order to provide a basic cost/benefit analysis of the concepts, knowledge of individual component cost is necessary. Using data provided by the UK Infrastructure Operator (Network Rail (NDS), 2011), unit costs of a typical Switch installation in the UK can be approximated. Switches come in many designs tailored to handle handle different traffic speeds and to suit available track side space. For this example, an ‘E’ length (17.25 crossing), shallow depth vertical switch upon concrete bearers with IAD Rail Systems ‘HPSA’ actuation/detection subsystem has been selected, as an example of a typical current UK installation. Costs are raw equipment cost only and no attempt is made to estimate installation or asset life cycle costs. Table 1. Switch subsystem cost estimation Symbol Cp
Ca Cd Cm
Description Permanent way components providing a single turnout location - Bearers, switch blades, common crossing etc Individual actuation subsystem for single switch. Individual detection subsystem for single switch. Additional control components necessary to interface multiple subsystems to current interlocking
Cost [GBP(2011)] 95000
For the sake of this evaluation, ‘use’ will be defined as the average number of actuations per hour (A), which will in turn be derived from the number of scheduled passenger trains per week, under the assumption that the switch position is changed once for each passing train. 2.4 Failure Modes and Rates Whole-system failure events will be grouped into 3 broad categories. It is recognised that in some commercial designs of points operating equipment, there is some overlap between component functions. It is a matter of engineering judgement to attribute these failures to a particular category: (1) Those caused by failure within the actuation subsystem. The actuation subsystem is defined as being responsible for the actuation of the switch rails, linkages providing transmission of drive to the switch rails, and the locking system. (2) Those caused by failure within the p-way 1 subsystem. The p-way subsystem is defined as the switch rails, stock rails, associated slide chairs and sleepers/bearers. (3) Those caused by failure within the detection subsystem. The detection subsystem is defined as being those components which detect the position of the switch rails and facing points lock. Note that the majority of failures in any of (1) or (2) will manifest themselves as a ‘loss of detection’, which is not the same as (3). This does not mean that the detection system has failed, instead it means that the detection system has performed its role in recognising the switch is potentially unsafe (Hadaway, 1950). Further, a loss of detection does not necessarily indicate a failure within another subsystem, but may represent an issue with any of the 3 subsystems. Only maintenance intervention can discern. Failures within the controlling signalling system, typically from the local apparatus case back to the interlocking and further, are beyond the scope of this evaluation.
35000 10000
It is also important to note that the detection subsystem operates continuously, whereas the actuation and p-way subsystems are only required when changing the set route. Failure rates of the subsystems can therefore be related using actuations per hour, A.
3000
It follows that for a typical switch as currently on the network, the total equipment cost Ctotal [GBP(2011)] is the sum of existing components: Ctotal = Ca + Cd + Cp = 140000
of trains’ due to flanking protection, maintenance intervention, ordering of traffic, perturbed running procedures etc.
(1)
3. THEORETICAL FAULT-TOLERANT CONCEPTS 3.1 Proposed Redundant Concepts Potential redundancy in track switching is proposed to take one of three forms:
2.3 Switch Use On the UK network it is difficult to get an accurate estimate of the ‘use’ of each switch as no records are kept. The definition of ‘use’ can also vary - tonnage of traffic, number of passing vehicles, or number of actuations. Further, ‘number of actuations’ can vary greatly from ‘number 764
(1) Redundancy in Actuation or Detection: A lower cost option which could potentially be retrofitted to existing installations. No change in the track layout is 1
A railway industry abbreviation for Permanent Way, meaning permanent track components - rails, sleepers, chairs etc.
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
necessary, however, this retains the single point of failure issue for permanent way related failures. Multiple actuators and detection systems would be fitted to a single switch, with associated control equipment. Operational switches would require one OR other system to be functioning for traffic to pass. (2) Redundancy in Permanent Way (multiple routes ‘Network Redundancy’): A higher cost option as it requires additional permanent way to provide bypass routes, but could lead to a step change in network availability. Traffic would be able to take one OR another route through a single turnout node, dictated safe by the interlocking, to reach a prescribed destination. (3) Combinations of the above: Potentially, both options could be combined, to provide the most robust, but highest cost, system. Multiple routes could be achieved by multiple actuators featuring multiple detection systems. Subsystem interaction would need to occur on multiple levels for optimum benefit (e.g. the loss of the actuation subsystem of flanking points is not an issue for passing traffic, whereas loss of detection potentially is). Additional control would be needed locally and within the interlocking. An infinite number of combinations is possible theoretically, but the practicalities of combining components in a real-world design places the upper limit on the instance of each subsystem to between 2 and 4. As part of the work, upwards of 25 unique combinations have been studied. The 5 concepts labelled A-E below represent a small selection of those, due to the berevity of this paper.
3.2 Control and Decision Making - The ‘OR’ Requirement The prospect of adding redundancy into the signalling system raises an interesting issue. Both detection and network redundancy require some use of OR logic. The whole system of route-based signalling is currently built solely upon ‘IF... THEN’, ‘AND’ and ‘NOT’ logic, with no provision for the use of ‘OR’. For example, IF the points are detected correctly AND the line ahead is NOT occupied, THEN the signal can be cleared (Such, 1956). Detection logic could be as simple as a local decision on what state to communicate back to the interlocking. Automated network redundancy would be more complex, requiring OR to become a feature of the interlocking system, with the interlocking trying to set any of a number of routes through a junction. Combinational designs could reach almost any level of complexity, with routes potentially declared safe and set even with known subsystem faults in adjacent switches that, under current rules, would render the use of the route impossible. Some level of change to local design rules and legislation is therefore inevitable. This decision making process could fill more than a single paper in its own right, therefore the particular complexities of implementation and control are ignored here. The remainder of this paper will concentrate upon potential operational reliability benefits assuming these control difficulties can be overcome. 765
3.3 Concept A: Multiple Actuation of a single switch Redundancy is provided passively in the actuation function only, on a single switch with a single detection element. The turnout would be able to change position if any one of the NA actuators, was in a functioning state. This schema would be akin to those used to actuate flight control surfaces on passenger aircraft. Common mode failures involving the switch blades (e.g. stuck ballast) would still have the same effects. Some local control logic would be necessary to operate multiple actuators, the assumption is made that this is perfect. 3.4 Concept B: Multiple Detection of a single switch Redundancy is provided in the detection function only, on a single switch with a single actuation element. Duplication of detection is not as straight-forward as duplication of actuation. Detection is a safety function which exists to ensure that the turnout is in a safe state for the passage of traffic. Having duplicate detectors, and allowing the system to utilise the result which allows most vehicle movements could conversely be seen as ignoring a warning of a system in a failed state. For this reason, a scenario featuring 2-out-of-3 voting will instead be explored. 3.5 Concept C: 3 Switches Combined offering a single ‘bypass’ route Here, redundancy is provided by allowing two possible paths through the turnout, as in fig. 1. The turnout would therefore consist of 3 separate switches, each with a single actuator. In normal use, switches A and C would be set normal. Switch B would be actuated to change the route. Simple local control logic would be employed such that if switch B failed, switch C could be set reverse, and switch A then utilised as necessary to change the route. In this way, the availability of the reverse 2 route through the switch is increased considerably. The normal route through the combined turnout would still be available for use, providing the failure in Switch B was one of actuation, not detection, and that detection was still functioning in the normal position. Note that the reliability is now calculated as a separate function for each route, as different routes require the correct function of different subsystems. Note also that a loss of detection on switch A would still render the entire turnout unusable. 3.6 Concept D: Multiple Actuation and Detection of a single switch Redundancy is provided in the detection and actuation functions, on a single switch. The switch could be actuated by any single sub-system. The switch would be declared in correspondence (i.e. 2
Normal and Reverse are used here to merely distinguish between the two positions of a turnout or switch. In a real-world scenario, it would generally be more beneficial to provide redundancy on the normal route, so this turnout design would counter-intuitively have normal/reverse swapped over.
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
4.2 Reliability Estimation Fig. 2 shows system-level block diagrams representing each of the concepts. Due to the differing subsystem utilisation, and therefore availability figures, of Normal/Reverse routes through designs with multiple paths, there are necessarily several block diagrams. In order for the system to be functioning, there needs to be a path through the block diagram from left to right, entirely encompassing functioning subsystems.
Fig. 1. Multiple traversal paths and turnout identification in Concept C.
The system block diagrams in Fig. 2 can be converted to equations describing the mean time to failure M of each route within each concept. Example formulae are shown in equations 2 to 4. Reliability of each subsystem can be approximated using figures obtained from the performance of existing UK installations (Network Rail (AM), 2011), and is expressed as λ. 1 MA = (2) n (Aλa ) a + Aλp + λd MB =
1 (2λd )3 + A(λa + λp )
MC(N ) =
1 (A(λa + λp ))2 + 2λd
(3) (4)
The chosen measure of reliability for the initial appraisal is Mean Time to Service Affecting Failure (MTTSAF), also included as a figure for comparison is the 13 week survivor function R, listed for reverse and normal routes where different. 13 weeks is the standard interval between preventative maintenance in the UK. R therefore describes the proportion of switches which would survive the maintenance interval without further unscheduled intervention. Results are shown in table 4. Fig. 2. System Block Diagrams for proposed redundancy concepts A through E. trains could run) if any one of the discrete detection units detected both switch blades in the correct position, and the FPL engaged. The actuators and detectors act upon a single P-way unit - i.e. there is only a single path through the turnout for vehicles. Some local control logic would be necessary to operate multiple actuators and compare states of multiple detectors. 3.7 Concept E: Multiple Actuation and Detection of 3 Switches Combined Redundancy is provided in all 3 subsystems of a multipleroute switch. As in concept (C), use of different subsystems by different routes means the availability of the two routes will differ.
These results, whilst providing some measure of improvement, come with obvious limitations upon an operational railway. Common mode failures have been ignored, though in reality there are relatively few. Extreme weather, cable theft and vandalism are the obvious issues, though considered out of scope in this study. Power supply failures would render the whole turnout unusable, but are also placed out Table 2. Concept Cost Estimation Concept (Standard) A B C D E
Cp 1 1 1 3 1 3
Ca 1 2 1 3 2 6
Assuming dual actuation in (A) and (D) and (E), equipment costs can be approximated from the number of required subsystems: 766
Cm 0 1 1 2 2 4
Total [GBP(2011)] 140000 178000 163000 426000 201000 567000
Table 3. Subsystem Reliability Estimates Symbol A
Value 8
λa
1.00 × 10− 5
λd
1.90 × 10− 5
λp
2.50 × 10− 5
4. DESIGN CONCEPT EVALUATION 4.1 Cost Estimation
Cd 1 1 3 3 3 6
Description Equivalent to an average of 8 trains per hour. Very heavy junction use. Equivalent to a single failure every 100 000 actuations. Equivalent to a single failure every 6 years. Equivalent to a single failure every 40 000 actuations.
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
Fig. 4. ∆R/∆C GBP(2011)−1 for each Concept (Estimated direct effectiveness per additional unit cost) 4.4 Discussion
Fig. 3. Estimated Cost vs Estimated 13-week survivor function (R) of scope as a complete supply failure would extinguish all signals and prevent any traffic movements in any case. Concepts (C) and (E) provide multiple paths for traffic. This means that, with the correct physical layout, repairs to switch ‘B’ could be carried out whilst traffic was diverted through switches ‘A’ and ‘C’ (See fig. 1). This means the true availability of the reverse route, with the correct maintenance response, could potentially be much higher than indicated. The MR figure for concept (E), whilst mathematically correct, can be taken as artificially high due to the assumption of perfect switching and control. In a real-world installation, the complexity of controlling a single switch with so many subsystems, as well as the mechanical design complications of fitting them into a suitably sized package, would severely limit this figure. However, a more accurate figure cannot be reasonably estimated without much a more in-depth design study which is also beyond the scope of this analysis. 4.3 Cost vs Benefit Figure 3 shows the potential increase in reliability for each concept, as measured by the 13 week survivor function R. Concepts (C) and (E) show a range due to the differing figures for normal and reverse operations. Figure 4 demonstrates the effectiveness of the additional cost in each concept, assuming the maximum MTTSAF where normal and reverse routes differ. It should be noted that it is more likely to be total cost which would be the limiting factor in a real installation. Table 4. Concept reliability estimation Concept
Standard A B C D E
MN (hours) (×103 ) 3.34 4.57 3.57 1.67 5.00 2.50
MR (hours) (×103 ) 3.34 4.57 3.57 3.14 5.00 40.0
RN
RR
0.52 0.62 0.54 0.27 0.65 0.42
0.52 0.62 0.54 0.50 0.65 0.95
∆M (hours) (×103 ) n/a 1.23 0.23 -0.02 1.66 36.66
Providing redundancy of actuators and detectors in concepts (A), (B) and (C) leads to small incremental improvements in the reliability of the switch. When taken outright, this may or may not prove beneficial to the infrastructure operator’s business. However, of critical importance is the ratio of ∆M to the expected mean time to repair, MTTR. This describes the likelihood of successful maintenance intervention between subsystem and whole system failure. Current figures for MTTR are around the order 100 to 101 hours. However these assume a complete failure of the switch and therefore traffic flow having ceased, enabling swifter maintenance intervention. With the addition of effective remote condition monitoring, the probability of complete switch failure after the first indication of impending subsystem failure is diminishingly small. The benefits of concepts (C) and (E) are higher in operational practice than the pure reliability figures suggest. Crucially, these concepts trade a small amount of Normal route availability for a larger gain in Reverse route availability. This may be of great benefit in certain situations, for instance station throats, where keeping traffic flowing can be much more important that routing it to the correct platform. The multiple routes through the switch mean that an isolated work site could be set up around the bypassed subsystem failure, and even though the Normal route would be blocked, traffic could potentially continue to flow along the Reverse route. Critically, this provides a degraded mode of operation for failures involving the p-way components which is not present under current operation. 5. CASE STUDY It is beyond the scope of this study to decide potential network locations to benefit from such redundancy. However the authors feel it is worthwhile to provide a case study as an example of potential benefits of redundant network design in an operational scenario. Naturally the case study should be from a known problem area, as it is envisioned that the extra expense of such an installation would only be justified in such cases. The location selected was the south throat of Derby Midland station, England. A diagram of the current layout is shown in figure 5. Traffic arrives/leaves via one of two bi directional lines, and is diverted to one of six platforms or a by-pass route by the use of 7 switches, including
767
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
a special combined type, the ‘double slip’, shown here diagrammatically as two switches for simplicity. Switches A and B are the critical pinch-points, as failure would prevent the use of any platforms for trains arriving on the upper or lower lines respectively. Traditional design practice dictates that the permanent way is set out according to anticipated traffic levels, and the signalling is then added to allow the correct routing of traffic. In this example, this design methodology is replaced by a fully redundant network allowing at least 2 routes into each platform. This does not allow for anticipated traffic levels, so some routes would naturally be little used. The bypass line is not provided with redundant switching as it is assumed traffic could pass through via any unoccupied platform line. Similarly, the bay platform is not provided with redundant switching, as it is of use to a single service only, which could utilise any other platform if absolutely necessary. It is important to note that the revised case in fig. 6, with 16 switches, represents the most extreme version of network redundancy and is for illustrative purposes only. It is anticipated that in an operational context, a balance would be found with several ‘high availability’ platforms provided with multiple access routes. These would be timetabled in order to be lesser used, such that they could be utilised more densely should a failure render a ‘low availability’ platform unusable for a time. 5.1 Platform availability Platform availability is herein defined as the ability of the system to allow an approaching vehicle to access a particular platform. For the purposes of the case study, we shall concern ourselves only with vehicles arriving upon the upper line from the left of figs. 5 and 6, and routing into any of platform 1, 2 or 3. The comparison is restricted to these platforms as these are the only platforms available to arrivals on the upper line in the current layout. It shall also be assumed that all platforms are empty, and that platform allocation is non-critical. This comparison shall use the 13-week survivor functions (R) which are discussed in section 4.2 and listed in table 4. To recap, these figures describe the probability each concept will be available for use after 13 weeks, assuming normal use and zero repairs.
non-redundant layout, there is only a single route to each platform For cost comparison purposes, this layout consists of 7 standard switches. Only 3 of these are used to route trains for this example. An estimate, in GBP (2011) and excluding track costs, is therefore given by: Ctotal = 140000 × 3 = 420000 (5) 5.3 Proposed Redundant-Network Layout The redundant network layout allows access to all platforms. All switches are accessible from the upper arrival lane, and any may be traversed at some point en-route to a platform. However, for the purpose of this evaluation we shall route into platforms 1, 2 and 3 only. In order not to bias the comparison, it is judged that switches which do not aid in routing traffic into these three platforms shall not contribute to the failure statistics. These are switches H, M, P, R, S, T, U and V. Removal of these switches compresses the layout into two type E concepts as described in section 3.7 (G-I-J, grouped as ‘W’ and N-O-Q, grouped as ‘X’), along with a standard crossover (K-L) constructed from 2 ‘D’ concepts as described in section 3.6. The reduced layout for the purpose of this analysis is shown in fig. 7. Platform availability is the probability that at least one route to a platform is open after the 13-week interval, therefore it is the sum of the Route Availabilities. The figures are shown in table ??. For cost comparison purposes, the layout consists of two ‘D’ concepts and two ‘E’ concepts, giving, in GBP (2011): Ctotal = 567000 × 2 + 201000 × 2 = 1536000 (6) 5.4 Analysis and Summary The figures demonstrate increased platform availability through the use of network redundancy. However, this comes at significant extra cost. In essence, additional operational availability of platforms during asset failures can be purchased through the deployment of network redundancy. In a real scenario, it may be a wise approach to optimise the network redundancy in order to bring a majority of the benefits at a fraction of the additional cost. This optimisation problem is omitted from this paper but is the subject of further study. It is beyond the scope of this paper to judge whether this approach is suitable in Table 5. Current Layout Platform Availability
5.2 Current Layout The current layout restricts arrivals to the use of platforms 1, 2 and 3. This is via the use of switches B and D (double) only, all other switches can be ignored. Switches are of the baseline design, and switch D is taken as 2 separate switches. To calculate each platform availability, one can describe all possible paths from arrival to a platform, and sum the route availability of each. This is shown in table 6 Platform availability is the probability that at least one route is open after the 13-week interval, therefore it is the sum of the Route Availabilities in table 6. As this is a 768
Platform 1 2 3
Route B(n) B(r), D1(r), D2(n) B(r), D1(r), D2(r)
R 0.52 0.523 0.523
Plat. Avail. 0.52 0.14 0.14
Table 6. Redundant-Network Layout Platform Availability Platform 1 1 2 3
Route W(n), L(r) W(r), K(r), L(r) W(r), K(n), X(n) W(r), K(n), X(r)
R 0.42 × 0.65 0.95 × 0.652 0.95 × 0.65 × 0.42 0.952 × 0.65
Plat. Avail. 0.68 0.26 0.58
SAFEPROCESS 2012 August 29-31, 2012. Mexico City, Mexico
significant additional cost element associated with doing so. Whether the performance improvement could justify the additional cost is beyond the scope of this paper, and in any case would depend heavily upon the particular political and operational environment of any particular node. Future research will concentrate upon generating novel concepts for including redundancy in order to lower projected costs, and optimisation of redundant networks to the same ends. Fig. 5. Derby Midland Station (South): Current layout
REFERENCES
Fig. 6. Derby Midland Station (South): Proposed layout with Network Redundancy
Fig. 7. Derby Midland Station (South): Reduced layout for Analysis any particular instance, but merely to demonstrate the potential improvement for an approximate incremental initial infrastructure investment. An actual deployment decision would need to be taken according to the local operational requirements and political environment, and a subsequent operational cost/benefit analysis. 6. CONCLUSIONS This paper seeks to introduce the concept of redundancy to railway track switching. By splitting the current system down into its component subsystems in section 2, an attempt can be made to duplicate or triplicate those subsystems to create concepts with improved performance characteristics. Many concepts have been evaluated, of which a selection have been described in section 3 in detail, with the appropriate reliability figures. In addition, an elementary estimation of cost has been included in order to place the modifications in context. Considering a real operational context, this methodology has some limitations, as described in section 4.4, yet the results can be taken as broadly indicative of the magnitude of performance improvement achievable. Taking into account the results from section 4 and the case study in section 5, this paper has demonstrated that is is possible to significantly increase switch and network availability through the varying use of subsystem redundancy. However, the paper has also demonstrated that there is a 769
Cope, D.D. and Ellis, J. (2002). British Railway Track 7th Edition, Volume 5: Swith and Crossing Maintenance. The Permanent Way Institution, Derby, UK. Cribbens, A. (1987). Solid-state interlocking (ssi): an integrated electronic signalling system for mainline railways. Electric Power Applications, IEE Proceedings B, 134, 148–158. Garc´ıa, F.P., Schmid, F., and Conde, J.C. (2003). A reliability centered approach to remote condition monitoring. a railway points case study. Reliability Engineering & System Safety, 80, 33–40. Hadaway, H. (1950). IRSE green booklet no.5:- Principles of power point control and detection (British practice). The Institution of Railway Signal Engineers, London. Isermann, R. (2006). Fault-Diagnosis Systems: An Introduction from Fault Detection to Fault Tolerance. Springer, Berlin. Marquez, F.P.G. and Pedregal, D.J. (2006). An algorithm for detecting faults in railway point mechanisms. volume 6. Tsinghua University, P.R. China. Marshall, N. (1961). IRSE green booklet no.19:- Principles of relay interlocking and control panels (British practice). The Institution of Railway Signal Engineers, London. Network Rail (AM) (2011). Asset Management Data related to logged S&C failures, via personal communication, October 2011. Network Rail (NDS) (2011). National Delivery Service (NDS) Data & Contract Support, Switches and Crossings common component price list, via personal communication, July 2011. Silmon, J. and Roberts, C. (2010). Improving switch reliability with innovative condition monitoring techniques. Proceedings of the IMechE: Part F Journal of Rail and Rapid Transit, 224, 293–302. Such, W.H. (1956). IRSE Green Booklet No.2:- Principles of Interlocking (British Practice). The Institution of Railway Signal Engineers, London.