By Josef Winter
Posted 3 years ago

Solar-powered video surveillance for tracks

Safety and RAMS


The solar video surveillance system was specially developed for railroad applications that have no power supply or network connection. It is an ideal, cost-effective solution for video surveillance at locations without existing infrastructure. The RAILWAY CONTROLLING models can be used in all locations where sunlight and mobile phone reception are available. All models meet strict security requirements.

 

Ideally suited for:
- Track surveillance
- Tunnel portal surveillance
- Storage yard surveillance
- Weather monitoring

 

Visit: http://railway-controlling.com/index.html

 


Suggested Articles for you

Somnath Pal - Posted 3 years ago

RAMS of a Vital Input Card

CHAPTER 1: Introduction

For a Railway Signal Interlocking system, the Field Input conditions to be monitored by the Interlocking equipment are Track Cct / Axle Counter, Point Detection, Signal Aspect Proving, Level Crossing Gate, Crank Handle and Panel Buttons. The monitoring is done by reading the Pick-up or Drop contacts of the corresponding Relays. This could have been done by operating a Transistor through an external Voltage fed via the Pick-up Contact of the Relay, with the Output of the Transistor processed by the Logic Solver (Processor). But in that case, there would be no Isolation between the external Analog Input and the internal Digital Output circuits. An Opto Coupler is used for this purpose, where the Input LED and Output Phototransistor are electrically isolated. The Input through the Pick-up contact of the Relay operates the LED of the Opto Coupler, light from which turns on the output Phototransistor. The interfacing using a Transistor and an Opto Coupler is shown in Fig 1(a) and (b).

When the Relay is in Pick-up condition, the Transistor is Forward biased and the Collector Output to the Processor is ‘0’. During Drop condition of the Relay, the Collector Output is ‘1’. The Input Interface Card converts the Analog information of DC Voltage fed through the Relay contacts into a TTL level sent to the Processor.

The basic features of the Card are:
- All Inputs are fed through Opto Couplers having a minimum Isolation Voltage of 1500V.
- All Inputs are protected from Transient Voltages and Surges by using Varistors.
- To reduce Single-point Failure, both Front and Back potential-free contacts of each external Relay are interfaced. They are read through different Ports and Bits to avoid common-mode failure.
- Each Card gets the Hardware Address of the particular Slot of the Backplane into which it is inserted. This Address must be matched with the Software Address sent by the Logic Solver Card before the external Relay Inputs are read.
- Input Cards can be inserted or extracted with System Power-ON conditions.
- A special circuit is used to prevent transients on the Stable +5V Supply to the ICs.
- Input data are read employing Input Toggle by the Logic Solver or using multiple sets of Opto Couplers, ensuring Hardware redundancy.

The Input Data Structure of the Interlocking System Inputs is given in Fig 2. Panel Buttons and Keys are called Non-Vital Inputs and a Non-Vital Input / Output Card is used to read 32 Inputs. All other Inputs are Vital Inputs and a Vital Input Card reads 16 Relay Inputs. A detailed diagram is shown in Fig 3.

Since Railway Interlocking is a Safety-critical System, Inputs from both the Pick-up and Drop Contacts of a Relay are analysed. Each Input is monitored by Opto Couplers by supplying Current from an Isolated 12V Supply. The Input to the Processor will be ‘01’ in Drop Condition and ‘10’ in Pick-up Condition. These two combinations are Valid Inputs. The other two Inputs, ‘00’ and ‘11’, are Invalid and the Processor will show Fault. But during transition of the Relay from Drop to Pick-up or from Pick-up to Drop, both the Opto Couplers will be OFF. So, the Output will be ‘11’, which is Invalid. A De-bouncing circuit (U1) is used for feeding a steady Input to the Logic Solver. In this case, during transition of the Relay, the Input to the Processor will remain unchanged from the Last State.

When the Relay X is not operated, current flows through the Drop Contact, Inductor L1, Current Limiter R1, Resistor R2 and the input Diode of Opto Coupler OC1. The Opto Coupler conducts and a level ‘0’ is fed to Pin 1 of U1. This makes output Pin 3 of U1 ‘1’. At the same time, since no current passes through the Input Diode of OC2, it does not conduct. Level ‘1’ is fed to Pin 5 of U1 and output Pin 6 of U1 to the Port becomes ‘0’. Thus we get a pattern 0101 at the Port.

When the Relay X is operated, current flows through the Pick-up Contact, Inductor L2, Current Limiter R5, Resistor R6 and the input Diode of Opto Coupler OC2. The Opto Coupler conducts and a level ‘0’ is fed to Pin 5 of U1. This makes the output at Pin 6 of U1 ‘0’. At the same time, since no current passes through the Input Diode of OC1, it does not conduct. Level ‘1’ is fed to Pin 1 of U1 and the output at Pin 3 of U1 to the Port becomes ‘0’. This time, the inputs to the Port change to 1010.

We find that Port inputs 0101 and 1010 are the valid levels. All other combinations are invalid levels. If the Hardware De-bounce Cct U1 is replaced by Software De-bounce to reduce Parts Count and enhance Reliability, the inputs to the Port will change to 01 when Relay X is not operated and 10 when it is operated.

If a vital decision is taken by the Pick-up condition of Relay X, then a failure to read Pick-up condition as Drop is a Safe failure. But if Drop condition is read as Pick-up condition, it will be an Unsafe failure. Now we shall have to do a Failure Mode Effects & Criticality Analysis (FMECA) study of the Cct shown in Fig 3, identify the critical component that can cause Unsafe Failure, and mitigate the Hazard.

Failure Mode Effects & Criticality Analysis (FMECA)

We shall first study the failure modes of the components. For every failure mode of the components, we shall study their effect for Drop and Pick-up conditions. Typical faults of an Electronic component are Open Cct, Short Cct, Drift in Parameter and Functional Faults. Average relative frequencies of Failure Modes of various Components are given in Table 1 below.

Terminating Resistors and Current Limiting Resistors are mainly of Metal Film type, for which Short cct Mode is incredible and hence is not considered. When Resistors are used in Nodes with a Pull-up Totem-pole Driver, even Drift in value is not to be considered. For open Collector Modes like the Opto Coupler output, the design ensures much higher Collector current as well as Diode input current, so that even ±20% Drift does not affect the Circuit behaviour. So, for Resistors, only Open Cct Mode is considered.
For Inductors, any Drift will not affect normal operation and only Open Mode of failure is considered. For Varistors, Open Mode does not affect normal operation, and if the Clamp Voltage is chosen much higher than the required Value, Drift also does not have any effect. Only Short cct Mode is analysed. For ICs, both s-a-0 and s-a-1 Faults are considered for every Pin.

Now we will consider component-wise FMECA. The effects during Relay Drop and Pick-up conditions are analysed for each Component Failure.

a) If Inductor L1 is Open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is also ‘1’. Output to Port will be ‘1011’. Fault is detected as Invalid Data and failure is Safe. Since both the Inputs to Debounce Cct are at ‘1’, its Output will remain at last State, i.e. 01.
- Relay Pick-up condition: Current passes through input of Opto Coupler OC2. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘0’. Output to Port will be ‘1010’. Fault is not detected and failure is Safe.

b) If Inductor L2 is Open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC2. U1 pin 5 is at ‘1’ and U1 pin 1 is at ‘0’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Current passes through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is also at ‘1’. Output to Port will be ‘1011’. Fault is detected as invalid data.

c) If Metal Oxide Varistor RV1 is Short:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is also ‘1’. Output to Port will be ‘1101’. Fault is detected as invalid data and failure is Safe.
- Relay Pick-up condition: Current passes through input of Opto Coupler OC2. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘0’. Output to Port will be ‘1010’. Fault is not detected and failure is Safe.

d) If Metal Oxide Varistor RV2 is Short:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC2. U1 pin 5 is at ‘1’ and U1 pin 1 is at ‘0’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Current does not pass through input of Opto Coupler OC2. U1 pin 5 is at ‘1’ and U1 pin 1 is also ‘1’. Output to Port will be ‘1011’. Fault is detected as invalid data and failure is Safe.

e) If Current Limiting Resistance R1 is Open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is also ‘1’. Output to Port will be ‘1101’. Fault is detected as invalid data and failure is Safe.
- Relay Pick-up condition: Current passes through input of Opto Coupler OC2. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘0’. Output to Port will be ‘1010’. Fault is not detected and failure is Safe.

f) If Current Limiting Resistance R2 is Open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is also ‘1’. Output to Port will be ‘1101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Current does not pass through input of Opto Coupler OC2. U1 pin 1 is at ‘1’ and U1 pin 5 is also at ‘1’. Output to Port will be ‘1011’. Fault is detected as invalid and failure is Safe.

g) If Current Limiting Resistance R5 is Open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC2. U1 pin 1 is at ‘0’ and U1 pin 5 is at ‘1’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Current does not pass through input of Opto Coupler OC2. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘1’. Output to Port will be ‘1010’. Fault is not detected and failure is Safe.

h) If Current Limiting Resistance R6 is Open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC2. U1 pin 1 is at ‘0’ and U1 pin 5 is at ‘1’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Current does not pass through input of Opto Coupler OC2. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘1’. Output to Port will be ‘1010’. Fault is not detected and failure is Safe.

i) If Protection Diode D1 is open: Normal operation of the cct is not affected. But a reverse voltage of more than 6V during Drop condition would damage the Diode of Opto Coupler OC1. During Pick-up condition, there is no effect.

j) If Protection Diode D2 is open: Normal operation of the cct is not affected. But a reverse voltage of more than 6V would damage the Diode of Opto Coupler OC2 during Pick-up. There is no effect during Drop condition.

k) If Protection Diode D1 is short:
- Relay Drop condition: Opto Coupler OC1 will be OFF since current will be bypassed via D1. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘1’. Output to Port will be ‘1101’. Fault is detected as invalid data and failure is Safe.
- Relay Pick-up condition: Opto Coupler OC1 will be OFF since current will be bypassed via D1. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘1’. Output to Port will be ‘1010’. Fault is not detected and failure is Safe.

l) If Protection Diode D2 is short:
- Relay Drop condition: Opto Coupler OC2 will be OFF since current will be bypassed via D2. U1 pin 1 is at ‘1’ and U1 pin 5 is also at ‘1’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Opto Coupler OC2 will be OFF since current will be bypassed via D2. U1 pin 1 is at ‘1’ and U1 pin 5 is also ‘1’. Output to Port will be ‘1011’. Fault is detected as invalid data and failure is Safe.

m) If Input Diode of Opto Coupler OC1 is open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is also ‘1’. Output to Port will be ‘1101’. Fault is detected as invalid data and failure is Safe.
- Relay Pick-up condition: Current does not pass through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is at ‘0’. Output to Port will be ‘1010’. Fault is not detected and failure is Safe.

n) If Input Diode of Opto Coupler OC2 is open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC2. U1 pin 5 is at ‘1’ and U1 pin 1 is at ‘0’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Current does not pass through input of Opto Coupler OC2. U1 pin 1 is at ‘1’ and U1 pin 5 is also at ‘1’. Output to Port will be ‘1011’. Fault is detected as invalid data.

o) If Collector in Opto Coupler OC1 is open:
- Relay Drop condition: Due to the pull up Resistor 5, Current does not pass through input of Opto Coupler OC1. U1 pin 5 is at ‘1’ and U1 pin 1 is at ‘0’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Opto Coupler OC2 starts conducting and port input becomes 0101. Fault is not detected and failure is Safe.

p) If Collector in Opto Coupler OC2 is open:
- Relay Drop condition: Current does not pass through input of Opto Coupler OC2. U1 pin 5 is at ‘1’ and U1 pin 1 is at ‘0’. Output to Port will be ‘0101’. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Current passes through input of Opto Coupler OC1. U1 pin 1 is at ‘1’ and U1 pin 5 is also at ‘1’. Output to Port will be ‘1011’. Fault is detected as invalid data.

q) If Collector and Emitter of OC1 are short:
- Relay Drop condition: We get 1 in Pin 1 of U1 and port gets data 0101. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Both pins 1 and 5 get 1 and we get 0110. Fault is detected as invalid data.

r) If Collector and Emitter of OC2 are short:
- Relay Drop condition: We get 1 in Pin 5 of U1 and port gets data 1010. Fault is not detected and failure is Safe.
- Relay Pick-up condition: Both pins 1 and 5 get 1 and we get 0110. Fault is detected as invalid data.

s) If Pull up Resistor R3 is open:
- Relay Drop condition: Since Opto Coupler OC1 is in operated condition, we get 0 in Pin 1 of U1 and port gets data 0101. Fault is not detected and failure is Safe.
- Relay Pick-up condition: If there is large leakage current from Supply and Ground, the Collector of Opto Coupler OC1 will be at level ‘0’. So data to port will be 0110. Fault is detected as invalid data.

t) If Pull up Resistor R7 is open:
- Relay Drop condition: Since Opto Coupler OC2 is in operated condition, we get 0 in Pin 5 of U1 and port gets data 0110. Fault is detected as invalid data and failure is Safe.
- Relay Pick-up condition: If there is large leakage current from Supply and Ground, the Collector of Opto Coupler OC1 will be at level ‘0’. So data to port will be 1010. Fault is not detected.

u) If S-a-0 fault is at Pin 1 of U1:
- Relay Drop condition: Pin 3 of U1 will be ‘1’ and Port Input is 0101. Fault is not detected.
- Relay Pick-up condition: Port Input will be 0110, which is invalid.

v) If S-a-0 fault is at Pin 5 of U1:
- Relay Drop condition: Pin 6 of U1 will be ‘1’ and Port Input is 0110, which is invalid.
- Relay Pick-up condition: Port Input will be 1010. Fault is not detected.

w) If S-a-1 fault is at Pin 1 of U1:
- Relay Drop condition: Pin 1 and Pin 5 of U1 both will be ‘1’ and Port Input remains 0101. Fault is not detected.
- Relay Pick-up condition: Port Input will be 1010. Fault is not detected.

x) If S-a-1 fault is at U1-5:
- Relay Drop condition: Pin 6 of U1 will be ‘0’ and Port Input is 0101. Fault is not detected.
- Relay Pick-up condition: Pin 1 and Pin 5 of U1 both will be ‘1’ and Port Input remains 1010. Fault is not detected.

y) If S-a-0 fault is at U1-3:
- Relay Drop condition: Pin 3 of U1 will be ‘0’ and Port Input is 0011, which is invalid.
- Relay Pick-up condition: Port Input is 1010. Fault is not detected.

z) If S-a-0 fault is at U1-6:
- Relay Drop condition: Port Input is 0101. Fault is not detected.
- Relay Pick-up condition: Port Input is 1100, which is invalid.

aa) If S-a-1 fault is at U1-3:
- Relay Drop condition: Port Input is 0101. Fault is not detected.
- Relay Pick-up condition: Port Input is 1101, which is invalid.

ab) If S-a-1 fault is at U1-6:
- Relay Drop condition: Port Input is 0111, which is invalid.
- Relay Pick-up condition: Port Input is 1010. Fault is not detected.

ac) If R4 is Open:
- Relay Drop condition: LED 1 will not glow. Since LED 2 also does not glow, fault can usually be detected.
- Relay Pick-up condition: Since LED 2 glows, fault cannot be detected.

ad) If R8 is Open:
- Relay Drop condition: Since LED 1 glows, fault cannot be detected.
- Relay Pick-up condition: LED 2 will not glow. Since LED 1 also does not glow, fault can usually be detected.

ae) If LED1 is faulty:
- Relay Drop condition: LED 1 will not glow. Since LED 2 also does not glow, fault can usually be detected.
- Relay Pick-up condition: Since LED 2 glows, fault cannot be detected.

af) If LED2 is faulty:
- Relay Drop condition: Since LED 1 glows, fault cannot be detected.
- Relay Pick-up condition: LED 2 will not glow. Since LED 1 also does not glow, fault can usually be detected.

In summary, Invalid Input is obtained in Relay Drop condition if:
- OC1 Output is Short
- OC2 Input or Output is Open
- U1-3 S-a-1
- U1-6 S-a-0

Similarly, Invalid Input is obtained in Relay Pick-up condition if:
- OC1 Input or Output is Open
- OC2 Output is Short
- U1-3 S-a-0
- U1-6 S-a-1

It also shows that a single fault cannot lead to Unsafe Failure. After the completion of FMECA, we are to perform Fault Tree Analysis (FTA) of the Circuit to identify the causes of Safe and Unsafe Failures.

Fault Tree Analysis (FTA)

We shall now learn how the Circuit can fail to operate. So, we shall make a Fault Tree Analysis as shown below. Fault trees are individually made for both Safe as well as Unsafe Failures.
Safe Failure can occur due to Two simultaneous Faults: Open Cct Fault in Opto Coupler OC2 as well as Short Cct Fault in Opto Coupler OC1. Unsafe Failure can occur due to Two simultaneous Faults: Open Cct Fault in Opto Coupler OC1 as well as Short Cct Fault in Opto Coupler OC2. Unsafe Failure can happen only due to simultaneous Faults of Open cct in the Relay NO path and Short cct in the Relay NC path.

[Fault tree figure: CCT UNSAFE FAILURE (0101 is read as 1010)]

Once we prepare the Fault Tree, we are to calculate the Failure Rate of the Card. For this, we are initially to find the Basic Failure Rate for each component as per the Calculations given in MIL Std 217F. Then we are to calculate the actual Failure Rate under environmental stress.

The environmental stress factors are:
- $\lambda_C$ = Contact Constitution Factor
- $\lambda_Q$ = Quality Factor
- $\lambda_E$ = Environmental Factor. We consider Ground Fixed
- $\lambda_T$ = Temperature Factor
- $\lambda_S$ = Electrical Stress Factor
- $\lambda_R$ = Resistor Value Factor
- $\lambda_{CV}$ = Capacitor Value Factor

Typical Calculations for a Component are shown in Chapter. The following Table shows the individual Component Failure Rates for the Input Interface Cct.

We have seen that Unsafe Failure can be caused only by 2 simultaneous failures: Open Circuit in OC1 and Short Circuit of OC2 Output. So, the Failure Rate will be the Product of the Individual Failure Rates of the 2 Opto Couplers. From the table above, we find that the Failure Rate of an Opto Coupler is $0.0257 \times 10^{-6}$. So, the Unsafe Failure Rate will be $(0.0257 \times 10^{-6})^2 = 6.6040 \times 10^{-16}$. This is far above the requirement of SIL 4.

Total Failure Rate of the Card is $3.375477 \times 10^{-6}$, giving a Mean Time Between Failure of 296254.4 Hours.

Reliability after a period of One year (8760 Hrs) is

$R = e^{-\lambda t} = e^{-0.0000033754 \times 8760} = e^{-0.029568} = 0.97086$

Designed Life with 99% Reliability $= (-\ln 0.99) / 0.0000033754 = 0.01005033585 / 0.0000033754 = 2977.5$ Hrs.
Preventing Common-Mode Failures

To reduce Common-mode failures, we can feed the U1 outputs to two different Ports, and at different Input Pins. For example, if Pin 3 of U1 is fed to D0 of Port A, Pin 6 of U1 should be fed to D7 of Port B. Then we can match them through Software in the Processor Card. See the Diagram of the connection in Fig 4. A Program for the same task is written below in 8085 Assembly language.

    START:  IN Port 1      ; Read Drop Contact Data
            MOV D, A       ; Save Data
            IN Port 2      ; Read Pick-Up Contact Data
    MATCH:  PUSH D         ; Save Drop Contact Data
            CMA            ; Invert Pick-Up Contact Data
            MOV B, A       ; Save Data
            MVI C, 00      ; Initialize Register ‘C’
            LXI H, 0180    ; Initialize Registers ‘H’ and ‘L’
            MVI E, 08      ; Load Count (8) for the Loop Iterator
    LOOP:   ANA H          ; Mask Unconcerned Bits of the Pick-Up* Data
            JNZ ONE        ; If Data Bit is Not 0, Go to Label ONE
            MOV A, L       ; Transfer Data from Register ‘L’ to ‘A’
            CMA            ; Invert Data of Accumulator
            ANA C          ; Mask Unconcerned Bits
            JMP ZERO       ; Go To Label ZERO
    ONE:    MOV A, C       ; Copy Contents of ‘C’ to Accumulator
            ORA L          ; Make MSB ‘1’ and progress with other bits
    ZERO:   MOV C, A       ; Save the new value in Register C
            MOV A, H       ; Load Bit Position Indicator in Accumulator
            ADD H          ; Shift Left for Next Bit indicator
            MOV H, A       ; Save the Bit Indicator Data
            MOV A, L       ; Load Bit Position in Accumulator
            RRC            ; Go to Next Bit Position
            MOV L, A       ; Save Updated Bit Position Data
            MOV A, B       ; Read saved Pick-up* Contacts Data
            DCR E          ; Check for completion of all 8 Bits
            JNZ LOOP       ; Repeat Rearranging for all 8 Bits
            MOV A, C       ; Save Rearranged Pick-up* Data
            POP D          ; Restore Saved Drop Contact Data
            RET            ; Go back to Main Programme
            CMP D          ; Compare Drop and Pick-up* Data
            JNZ FLT        ; If not Matched, Go to Fault

This Subroutine is Executed in 34.5 μs, considering that each State in 8085 generally takes 330 ns for execution.

Toggling of Input data to detect Opto Coupler Faults

Instead of keeping the Emitter of the Opto Coupler permanently Grounded, we feed ‘0’ from the Processor, through Port C of the Programmable Peripheral Interface 8255, to the Emitters as shown in Fig 5. After reading the input and analysing, we momentarily feed ‘1’ to the Emitters. Now, all the Opto Couplers should be OFF. That means, the Opto Coupler outputs should follow the Toggling input from the microprocessor. Now, we again feed ‘0’ from the Processor and analyse the Opto Coupler Outputs finally.

We take inputs from the Drop Contacts of 4 different relays, along with the Output of U1 Pin 3 of their De-bounce circuits, via Port ‘A’ of the 8255. Similarly, the Pick-up Contacts of the same four Relays and the Output from U1 Pin 6 are taken through Port ‘B’. For 16 relays interfaced to the Card, 4 numbers of 8255 PPI ICs are needed.

The Programme for the Toggle Operation is given below:

                MVI A, 92        ; Programme Four PPIs (8255) having
                OUT 03           ; PORT A -- INPUT
                OUT 07           ; PORT B -- INPUT
                OUT 0B           ; PORT C -- OUTPUT
                OUT 0F
                LXI H, 1100      ; Starting Location to keep Drop Contacts Data
                SUB A            ; Enable Opto Couplers in PPI 1
                OUT 02
                IN 00            ; Read Drop contact Status from PPI 1
                MOV M, A         ; Save in Location 1100
                IN 01            ; Read Pick-up contact Status from PPI 1
                CALL MATCH       ; Rearrange Bits and Match them
                INX H            ; Go to Next Location
                SUB A            ; Enable Opto Couplers in PPI 2
                OUT 06
                IN 04            ; Read Drop contact Status from PPI 2
                MOV M, A         ; Save in Location 1101
                IN 05            ; Read Pick-up contact Status from PPI 2
                CALL MATCH       ; Rearrange Bits and Match them
                INX H            ; Go to Next Location
                SUB A            ; Enable Opto Couplers in PPI 3
                OUT 0A
                IN 08            ; Read Drop contact Status from PPI 3
                MOV M, A         ; Save in Location 1102
                IN 09            ; Read Pick-up contact Status from PPI 3
                CALL MATCH       ; Rearrange Bits and Match them
                INX H            ; Go to Next Location
                SUB A            ; Enable Opto Couplers in PPI 4
                OUT 0E
                IN 0C            ; Read Drop contact Status from PPI 4
                MOV M, A         ; Save in Location 1100
                IN 0D            ; Read Pick-up contact Status from PPI 4
                CALL MATCH       ; Rearrange Bits and Match them
                STA 1100         ; Bring Drop Contact Data from Location 1100
                LXI H, 1200      ; Initialize Flag Location for First Relay of PPI 1
                IN 00            ; Read Drop contact Status from PPI 1
                CPI 55           ; Check if this Data is same as the Saved Data
                JZ PPI 2
                CALL DELAY 1ms   ; Wait for 1 millisecond
                MVI A, FF        ; Disable Opto Couplers
                OUT 02
                IN 00
                CALL DELAY 1ms   ; Wait for 1 millisecond
                CPI FF
                JNZ FLT          ; If not, Go to Fault
                SUB A            ; Again Enable Opto Couplers
                OUT 02
                IN 00
                CPI 55
                CNZ PROCESS
    PPI 2:      STA 1101         ; Bring Drop Contact Data from Location 1101
                LXI H, 1204      ; Initialize Flag Location for First Relay of PPI 2
                IN 04            ; Read Drop contact Status from PPI 2
                CPI AA
                JZ PPI 3
                CALL DELAY 1ms   ; Wait for 1 millisecond
                MVI A, FF        ; Disable Opto Couplers
                OUT 06
                IN 04            ; Read Drop contact Status from PPI 2
                CALL DELAY 1ms   ; Wait for 1 millisecond
                CPI FF           ; Check if Opto Couplers are Disabled
                JNZ FLT          ; If not, Go to Fault
                SUB A            ; Again Enable Opto Couplers
                OUT 06
                IN 04            ; Read Drop contact Status from PPI 2
                CPI AA
                CNZ PROCESS
    PPI 3:      STA 1102         ; Bring Drop Contact Data from Location 1102
                LXI H, 1208      ; Initialize Flag Location for First Relay of PPI 3
                IN 08            ; Read Drop contact Status from PPI 3
                CPI 55
                JZ PPI 4
                CALL DELAY 1ms   ; Wait for 1 millisecond
                MVI A, FF
                OUT 0A
                IN 08            ; Read Drop contact Status from PPI 3
                CALL DELAY 1ms   ; Wait for 1 millisecond
                CPI FF           ; Check if Opto Couplers are Disabled
                JNZ FLT          ; If not, Go to Fault
                SUB A            ; Again Enable Opto Couplers
                OUT 0A
                IN 08            ; Read Drop contact Status from PPI 2
                CPI 55
                CNZ PROCESS
    PPI 4:      STA 1103         ; Bring Drop Contact Data from Location 1104
                LXI H, 120C      ; Initialize Flag Location for First Relay of PPI 4
                IN 0C            ; Read Drop contact Status from PPI 4
                CPI AA
                JZ NXT_CARD
                CALL DELAY 1ms   ; Wait for 1 millisecond
                MVI A, FF        ; Disable Opto Couplers
                OUT 0E
                IN 0C            ; Read Drop contact Status from PPI 4
                CALL DELAY 1ms   ; Wait for 1 millisecond
                CPI FF           ; Check if Opto Couplers are Disabled
                JNZ FLT          ; If not, Go to Fault
                SUB A            ; Again Enable Opto Couplers
                OUT 0E
                IN 0C            ; Read Drop contact Status from PPI 4
                CPI AA
                CNZ PROCESS
    PROCESS:    MOV B, A
                MVI C, 04
                MVI D, 40
    CHK:        MOV B, A
                ANA D
                JNZ PICK-UP
                MVI A, FF
                MOV M, A
    PICK-UP:    MOV A, D
                RLC
                MOV D, A
                ANA D
                JNZ FLT
                SUB A
                MOV M, A
                INX H
                MOV A, D
                RLC
                MOV D, A
                DCR C
                JNZ CHK
    DELAY 1ms:  PUSH D
    BACK:       LXI B, 0BB1
                DCX B
                JNZ BACK
                POP D
                RET

This Programme to check the Status of the Relays Interfaced in One Card takes about 9.64 ms. Thus to check all 16 Input Cards, a total time of 154 ms is needed. It covers up the Transition periods for QN1 Relays.

Card Access

Whenever an Input Card is inserted into one of the I/O Slots, it gets the I/O Slot address, which is Hardwired in the Back-plane. The Processor Card sends the Motherboard Slot address through the I/O Bus. When the two addresses match, the Comparator Output Pin gets low and a Decoder and Data Buffer are enabled. The arrangement is shown in Fig 6.

The FMECA of this sub-circuit is given below.

a) If Pin 19 of Comparator UA is s-a-1: The Decoder UD and Buffer UC will not be enabled. Processor cannot read ID and ID* of the Input Card.
b) If Pin 19 of Comparator UA is s-a-0: The fault will not be detected.
c) If any Input Pin of P or Q Comparator of UA is s-a-0 / s-a-1: Software data sent by the Processor will not match with Hardware data from the Backplane. Failure is the same as (a).
d) If any Pull-up resistor for the Backplane is Open: The corresponding Pin may float to either 0 or 1. Depending on that, the Hardware and Software addresses may or may not match.
e) If any Input Pin of Buffer UB is s-a-0 or s-a-1: Software data will be faulty and may or may not match with Hardware data.
f) If Pin 19 of Bus Driver UC is s-a-1: UC will not be enabled. Card ID and ID* cannot be read.
g) If Pin 19 of Bus Driver UC is s-a-0: UC will be permanently enabled and the fault will remain undetected while accessing the Card.
h) If Pin 1 of Bus Driver UC is s-a-1: UC will not allow reading Card ID and ID*.
i) If any Data Pin of Bus Driver UC is s-a-0 or s-a-1: Processor will get wrong ID and ID*.
j) If Pins 1 and 19 of Buffers UE or UF are s-a-1: Processor will not get ID or ID*, depending on whether UE or UF has got the fault.
k) If Pins 1 and 19 of Buffers UE or UF are s-a-0: UE or UF will be permanently enabled. There will be Bus contention while reading ID and ID*.
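The dual-contact check described above (valid codes ‘01’ and ‘10’, Software De-bounce in place of U1, and Drop and Pick-up contacts read on two Ports at mirrored bit positions) is sketched below as an added C example; it is not code from the original article. It assumes eight relays per port pair with relay 0 on D0 of Port A and D7 of Port B, a limit of three consecutive ‘11’ samples before a fault is declared, and a latched fault state; all names and these values are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

#define RELAYS_PER_PORT     8
#define MAX_TRANSIT_SAMPLES 3   /* assumed: '11' reads tolerated while contacts move */

typedef enum { RELAY_DROP = 0, RELAY_PICKUP, RELAY_FAULT } relay_state_t;

typedef struct {
    relay_state_t state;    /* last proved state, or latched fault */
    uint8_t       transit;  /* consecutive '11' samples seen so far */
} relay_input_t;

/* Port B is wired in mirrored bit order (relay 0 on D7), following the
 * article's precaution of using a different port and a different pin. */
static uint8_t reverse8(uint8_t v)
{
    v = (uint8_t)((v >> 4) | (v << 4));
    v = (uint8_t)(((v & 0xCC) >> 2) | ((v & 0x33) << 2));
    v = (uint8_t)(((v & 0xAA) >> 1) | ((v & 0x55) << 1));
    return v;
}

/* Feed one sample of a relay's two-bit code into its software de-bounce.
 * d = opto on the Drop contact, p = opto on the Pick-up contact; a
 * conducting opto reads 0, so Drop is d=0,p=1 and Pick-up is d=1,p=0. */
relay_state_t relay_sample(relay_input_t *r, unsigned d, unsigned p)
{
    if (r->state == RELAY_FAULT)
        return RELAY_FAULT;                 /* assumed: fault stays latched */
    if (d != p) {                           /* '01' or '10': valid code */
        r->transit = 0;
        r->state = d ? RELAY_PICKUP : RELAY_DROP;
    } else if (d) {                         /* '11': both optos OFF, in transit */
        if (++r->transit > MAX_TRANSIT_SAMPLES)
            r->state = RELAY_FAULT;         /* never settled: treat as failure */
        /* otherwise hold the last proved state, as U1 would */
    } else {                                /* '00': both conducting, invalid */
        r->state = RELAY_FAULT;
    }
    return r->state;
}

/* Scan one port pair. Returns the mask of relays proved picked up; faulted
 * relays are reported in *fault_mask and never count as picked up. */
uint8_t scan_ports(relay_input_t bank[RELAYS_PER_PORT],
                   uint8_t port_a, uint8_t port_b, uint8_t *fault_mask)
{
    uint8_t pick = reverse8(port_b);        /* back to relay order */
    uint8_t picked = 0;

    *fault_mask = 0;
    for (unsigned i = 0; i < RELAYS_PER_PORT; i++) {
        unsigned d = (port_a >> i) & 1u;
        unsigned p = (pick >> i) & 1u;

        switch (relay_sample(&bank[i], d, p)) {
        case RELAY_PICKUP: picked      |= (uint8_t)(1u << i); break;
        case RELAY_FAULT:  *fault_mask |= (uint8_t)(1u << i); break;
        default:           break;
        }
    }
    return picked;
}

int main(void)
{
    /* Constructed samples: {Port A, Port B} pairs, not captured data. */
    static const uint8_t samples[][2] = {
        {0x01, 0x7F},   /* relay 0 picked up, relays 1-7 dropped */
        {0x01, 0xFF},   /* relay 0 contacts in transit ('11') */
        {0x00, 0xFF},   /* relay 0 settles in Drop */
        {0x00, 0xFE},   /* relay 7 reads '00': both optos conducting */
    };
    relay_input_t bank[RELAYS_PER_PORT] = {{RELAY_DROP, 0}};
    uint8_t faults;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t picked = scan_ports(bank, samples[i][0], samples[i][1], &faults);
        printf("A=%02X B=%02X picked=%02X faults=%02X\n",
               (unsigned)samples[i][0], (unsigned)samples[i][1],
               (unsigned)picked, (unsigned)faults);
    }
    return 0;
}
```

A faulted relay is never reported as picked up, so a vital decision that depends on the Pick-up condition fails to the restrictive side.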


Somnath Pal - Posted 3 years ago

FAULT TREE ANALYSIS OF ROUTE RELAY INTERLOCKING BUTTON CIRCUITS

Chapter -2  The Buttons are Self-restoring type Push Buttons and are used for the following purposes: The Signal Buttons (GN’s) are provided near the concerned Signal on the Panel, one Button for each Signal with distinct colours. For Stop Signal --  Red For Calling `ON’ Signal -- Red with White dots For Shunt Signal --  Yellow button etc) and are numbered 1,2,3 etc.   Route Buttons (UN’s) are provided in the middle of each Berthing Track / Overlap Track / Exit Track on the Panel, one Button for each Route / Overlap / Exit Route. The Colour of Route / Overlap Button is Grey / White .  They are marked alphabetically as A, B, C etc or with the respective Route number. Point Buttons (WN) nearer or on the concerned Point and Common Point Group Button WWN (NWN) & WWR (RWN) and Emergency Point Operation Button (EWN). Concerned Point Button is pressed along with the Common Point Group Button. Crank Handle Control Button (CHN) and Common Crank Handle Buttons (CHYYN, CHYRN). These Buttons are pressed for Crank Handle or Siding Key Transmissions. Emergency Signal Cancellation Button (EGGN). Emergency Route Cancellation Button (EUYYN)     and Siding Control Key Button (KTN). SIGNAL BUTTON RELAY (GNR) CIRCUIT To operate any Signal, the concerned Signal Button is to be pressed . Whenever the Signal Button is pressed, the corresponding Signal Button Relay (GNR) will operate, provided no other Signal Button is simultaneously pressed. So, Drop Contacts of all other GNR Relays are proved in the operate path of GNR Relay. The Flowchart for the operation of GNR Relay is shown in Figure 1 and State Transition Diagram is shown in Figure 2  Figure 1 Operation of GNR Relay Figure 2 State Transition Diagram The Boolean Equation is very simple --                                                GNR = GN Button . Confl GN Buttons * Refer Figure 3 for basic Circuit Diagram  Figure 3 Basic Circuit Diagram  The circuit is self-explanatory. 
Relay GNCR is normally in the Pick-up condition, proving that all Signal Button Relays are dropped, i.e. no Signal Button is pressed.

Now, we will prepare a Fault Tree (Figure 4 and Figure 5) to find out how the GNR Circuit can fail in a Safe mode (Relay does not Pick up when the Signal Button is pressed).

Figure 4: Fault Tree

Unwanted operation of GNR (Relay picks up without GN Button) can be due to two causes only. This cannot cause any Unsafe Failure, since a Button-Stuck condition beyond a specified Time limit is indicated by the Button Stuck-up Relay NNCR.

Figure 5: Fault Tree

Failure Mode Effect and Criticality Analysis for the GNR Relay is given in Table 1.

Table 1: Failure Mode Effect Criticality Analysis

All the above failures are detected. Safe failures will not allow GNR to operate and Signal Clearance cannot be initiated. The Signal will not go to OFF. Unwanted operation of the GN Button is detected by the Button Stuck-up Alarm.

The Rate of Safe Failure is

$$\lambda_{\text{safe}} = \lambda_{\text{GNR}} + \lambda_{\text{FUSE}} + \lambda_{\text{POWER}} + \lambda_{\text{WIRING}} + \lambda_{\text{CONTACT.FLT (Button)}} + \lambda_{\text{Other GNRs (13)}}$$

As per the Railtrack IRM CCA Model:
- $\lambda_{\text{RELAY (open)}} = 0.7495 \times 10^{-6}$ / Hr
- $\lambda_{\text{RELAY (short)}} = 0.4307 \times 10^{-6}$ / Hr
- $\lambda_{\text{WIRING (Open)}} = 6.554 \times 10^{-8}$ / Hr
- $\lambda_{\text{FUSE}} = 0.04 \times 10^{-6}$ / Hr
- $\lambda_{\text{POWER}} = 0.04 \times 10^{-6}$ / Hr

and as per MIL Std. 217F:
- $\lambda_{\text{CONTACT.FLT}} = 0.3468 \times 10^{-6}$ / Hr for the GN Button (considering 5 operations / Hr)

Replacing these values in the equation:

$$\lambda_{\text{safe}} = (0.7495 \times 10^{-6} + 0.4307 \times 10^{-6} + 6.554 \times 10^{-8} + 2 \times 0.04 \times 10^{-6} + 0.3468 \times 10^{-6} + 13 \times 0.7495 \times 10^{-6}) / \text{Hr} = 11.416 \times 10^{-6} / \text{Hr}$$

The Rate of Unwanted Operation is

$$\lambda_{\text{unwanted}} = \lambda_{\text{Direct Supply}} + \lambda_{\text{CONTACT.FLT (Button)}}$$

In this case, a Fault due to Direct Supply has negligible probability except for Human Interference, which is difficult to calculate. Thus, $\lambda_{\text{unwanted}}$ can be limited to $\lambda_{\text{CONTACT.FLT}}$, or $0.3468 \times 10^{-6}$ / Hr.

Event Tree Analysis of the GNR Relay Operation is shown in Figure 6.

Figure 6: Event Tree Analysis

The Timing Diagram for operation of the GNR Relay is given in Figure 7.

Figure 7: The Timing Diagram
Figure 8: Operation

EMERGENCY SIGNAL CANCELLATION INITIATION RELAY (EGGNR)

The EGGNR Relay picks up without the SMCR contact, to allow the Signal to be thrown back to danger in case of emergencies even without SM's Authorization. This Relay operates as soon as the EGGN Button on the Panel is pressed. The Boolean Equation is:

EGGNR = EGGN Button

The basic Circuit Diagram is shown in Figure 9.

Figure 9: Basic Circuit Diagram

The Fault Tree, Failure Mode Effect and Criticality Analysis, Event Tree Analysis and Timing Diagram are all similar to those of the GNR Relay. The Safe and Unwanted Operation Rates are the same as for GNR Relays.

Refer to Figure 10 for the Single Line layout for which the circuit is made.

Figure 10: Single Line Layout

The detailed Circuit Diagram for all GNR Relays and the EGGNR Relay of the given Yard is shown in Figure 11. The operating path for the 1GNR Relay is marked in RED Lines. The vital condition to be proved, i.e. operation of Signal Button 1GN, is highlighted by a Blue Box.

Figure 11: Detailed Circuit Diagram


Somnath Pal - Posted 3 years ago

Fault Tree Analysis of Route Initiation Circuit

CHAPTER -3

I will describe the Route Initiation Circuit for the given Yard. Before proceeding with development of the Circuit, we consider that Route Initiation is possible only if:
- SM's Key is Inserted (SMCR Relay Pick up),
- Signal knob is operated (GNR Relay Pick up),
- Route Button is operated (UNR Relay Pick up), and
- No Conflicting Route is already Initiated (LR Relays Drop for conflicting Routes).

We will start from the operation of the SMCR Relay. Refer to Figure 1 for the State Transition Diagram.

Figure 1: State Transition Diagram

This Relay is energized when the SM's Panel Key is 'IN' and turned to Normal. The Energisation of the SMCR / SMR Relay provides authorized operation of all the functions on the Panel. When the SM's Key is turned to Reverse and taken out from the Panel by the SM, it prevents unauthorized operation and locks the Panel in the last operated position.

The Circuit is very simple, as the SMCR Relay operation depends on only one condition: Insertion of the SM's KEY. The SMCR Circuit is given below. If needed, one Pick-up Contact of SMCR can be used for operating a Repeater Relay SMCPR. The Vital Event is shown in a box. The Boolean Equation for SMCR is:

SMCR = SM's KEY

Refer to Figure 2 for the Operating Circuit for the SMCR and SMCPR Relays.

Figure 2: The Operating Circuit for SMCR and SMCPR Relay

The energised contacts of SMCR are used in Knob circuits, Button circuits, Point operation circuits, Route Initiation circuits, Route Cancellation circuits, Emergency circuits, Crank Handle circuits, Timer circuits etc. Repeaters of the SMCR Relay (SMCPR) may be used as required.

Now, we will prepare a Fault Tree to find out how the Circuit can fail in a Safe mode (Relay does not Pick up when SM's KEY is Inserted). Refer to Figures 3 and 4.

Figure 3: Fault Tree

Unsafe failure (Relay picks up without SM's KEY) can be due to two causes only.

Figure 4: Fault Tree showing two causes

Failure Mode Effect and Criticality Analysis for the SMCR Relay is shown in Table 1.

Table 1: Failure Mode Effect and Criticality Analysis for SMCR Relay

All the above failures are detected. Safe failures will not allow ALR to operate and the Route cannot be initiated. The Signal will not go to OFF. But Unsafe Failures are not detected until the SM tries Route Setting without insertion of the Key, or when the Panel is tested.

The Rate of Safe Failure is

$$\lambda_{\text{safe}} = \lambda_{\text{SMCR}} + \lambda_{\text{FUSE}} + \lambda_{\text{POWER}} + \lambda_{\text{WIRING}} + \lambda_{\text{CONTACT.FLT}}$$

As per MIL Std. 217F, for less than 1 operation / Hr (SM's KEY is not Inserted for every Signal clearance), $\lambda_{\text{CONTACT.FLT}} = 0.0594 \times 10^{-6}$ / Hr. So,

$$\lambda_{\text{safe}} = (0.7495 \times 10^{-6} + 0.4307 \times 10^{-6} + 6.554 \times 10^{-8} + 2 \times 0.04 \times 10^{-6} + 2 \times 0.0594 \times 10^{-6}) / \text{Hr} = 1.3855 \times 10^{-6} / \text{Hr}$$

The Rate of Unsafe Failure is

$$\lambda_{\text{unsafe}} = \lambda_{\text{WIRING}} + \lambda_{\text{CONTACT.FLT}}$$

In this case, a Wiring fault has negligible probability except for Human Interference, which is difficult to calculate. Thus, it can be limited to

$$\lambda_{\text{CONTACT.FLT}} = (0.0594 \times 10^{-6})^2 / \text{Hr} = 0.003528 \times 10^{-12} / \text{Hr}$$

Event Tree Analysis of the SMCR Relay Operation is shown in Figure 5.

Figure 5: Event Tree Analysis of the SMCR Relay Operation

The Timing Diagram for operation of the SMCR Relay is shown in Figure 6.

Figure 6: The Timing Diagram for operation of SMCR Relay

Route Initiation

A Signal Route Selection Relay "LR" decides a particular Route for a Signal, and all the Points required for that Route, including Isolation and Overlap, will be operated to the required position by the LR Relay. Every Signal will have one LR Relay for each of the Routes that the Signal can lead to, including different Overlaps. Some Signals, e.g. Advance Starter, Starters etc., will have only one LR as there is only one Route.

Refer to Figure 7 for the Flowchart representing the conditions needed for LR Relay Operation for Route Initiation.

Figure 7: Flowchart with the conditions needed for LR Relay Operation for Route Initiation

Route Initiation / Selection is done by the Operation of the Individual LR Relay for the Signaled Route. The LR Relay picks up only when there is an operation to Clear a Signal. From the conditions to be satisfied for Route Initiation, and considering one extra piece of Information, that Emergency Signal Cancellation (EUGGN) is not applied, we can find the Boolean Equation as:

LR = Signal GNR . Route UNR . SMCR . Conflicting LRs* . EGGNR*

If we Initiate Signal '1' for Route 'A' in the given Yard, the Signal Button '1GN' and Route Button 'AUN' are to be pressed simultaneously. The Flowchart of operation of '1ALR' is shown in Figure 8.

Figure 8: The Flowchart of operation of '1ALR'

Refer to Figure 9 for the Logic Diagram for operation of the 1ALR Relay.

Figure 9: Logic Diagram for operation of 1ALR Relay

Refer to Figure 10 for the State Transition Diagram made for the 1ALR Relay, along with Contact use.

Figure 10: State Transition Diagram for 1ALR Relay along with Contact use

Refer to Figure 11 for the Basic A1LR Circuit with Signal Button 1GN and Route Button A1 UN pressed.

Figure 11: The Basic A1LR Circuit with Signal Button 1GN and Route Button A1 UN Pressed

In the above circuit, with SMCR Picked up, the Signal Button 1 and the concerned Route Button A are pressed simultaneously to pick up the concerned relay ALR through 1GNR and 'A' UNR. Once Picked up, it will remain Up through its own front contact and the TSR front contact, even when the Buttons are released (1GNR and 'A' UNR front contacts are broken) and even if the SM's KEY is removed. On arrival of a train, when the Train passes the Signal, with TSR dropped, LR also drops. In case of cancellation, EGGNR (Emergency Signal Cancellation Relay) will pick up and cause LR to drop.
The EGGNR Contact is bypassed by the 1GNR contact, so that only the particular Signal can be Cancelled.

For Route 1A1, the Conflicting LRs are 1A2LR, 1BLR, 1C1LR, 1C2LR, Co1A1LR, Co1BLR, Co1C1LR, 2DLR, 4ELR, 6ELR, 8ELR, 10A1LR, 10BLR, Co10A1LR, Co10BLR, SH11A1LR, SH11BLR, SH11C1LR, SH12A1LR, SH12BLR, 13FLR and 14A1LR (22 conflicting routes!!).

We could have used the Drop contact of the Sequential Route Release Relay, UYR2 or UYR3, in place of the TSR pick-up contact to drop LR after a Train crosses the Signal. But it will be a delayed drop. With the TSR front contact, LR will drop immediately.

Refer to Figure 12 for the Safe Failures of the LR Relay indicated in the Fault Tree.

Figure 12: Safe Failures of LR Relay, Fault Tree

It shows that Safe failure can be caused by any of the twelve individual Causes, one Cause having a variable combination depending on the yard (Conflicting Routes can vary in different Yards).

Unsafe Failure can occur if the 1ALR Relay either operates when not wanted or does not release when needed. There are three causes of Unsafe failures:
- The first case can occur if the operating path is available due to simultaneous failures of Contacts of Relays in the path. If ALR operates when not wanted, UCR and subsequently HR Relays will operate, clearing the Signal for the Route.
- The second case can occur if the Stick Path does not break due to simultaneous contact failures of the TSR and ALR (own) Relays. In this case also, UCR and subsequently HR Relays will remain operated, clearing the Signal for the Route.
- An Unsafe condition can also occur if the Emergency Release of the Route is not possible.

Refer to Figure 13 for the Unsafe Failures of the LR Relay in the Fault Tree.

Figure 13: Unsafe Failures of LR Relay

Refer to Table 2 for the Failure Mode Effect and Criticality Analysis for the ALR Relay.

Table 2: Failure Mode Effect and Criticality Analysis for ALR Relay

All the above failures are detected. Safe failures will not allow ALR to operate and the Route cannot be initiated.
The Signal will not go to OFF since UCR and subsequently HR Relays do not operate. Unsafe Failures are detected by the Panel Indication.

The Rate of Safe Failure is

$$\lambda_{\text{safe}} = \lambda_{\text{LR}} + \lambda_{\text{GNR}} + \lambda_{\text{UNR}} + \lambda_{\text{SMCR}} + \lambda_{\text{EGGNR}} + \lambda_{\text{TSR}} + \lambda_{\text{CONFLR}} + \lambda_{\text{FUSE}} + \lambda_{\text{POWER}} + \lambda_{\text{WIRING}} + \lambda_{\text{LR (STICK CONTACT)}}$$

Using Failure Rates and considering 22 Conflicting LR Relay Contacts,

$$\lambda_{\text{safe}} = (28 \times 0.7495 \times 10^{-6} + 1.1802 \times 10^{-6} + 6.554 \times 10^{-8} + 2 \times 0.04 \times 10^{-6}) / \text{Hr} = 22.3117 \times 10^{-6} / \text{Hr}$$

The Rate of Unsafe Failure due to unwanted operation of the ALR Relay seems to be much less, because all Failures must occur simultaneously. In this case only one Conflicting LR is to be considered, since only one Route can be initiated at a time. But a Short Cct. of the ALR Stick Contact, along with a Short Cct. Failure of the TSR Relay contact, leads to an Unsafe condition, as ALR will directly operate and the Signal would come if no other Route is initiated. Luckily, the Fault will be detected by the Panel Indication. Unsafe failure can also occur due to a Short Cct. of the EGGNR Relay contact during Emergency Release.

Westinghouse Q Series Relays have a Mean Time Between Wrong Side failure of $6.89 \times 10^{-9}$. So, the Rate of Unsafe Failure is

$$\lambda_{\text{unsafe}} = (\lambda_{\text{ALR (OWN)}} \cdot \lambda_{\text{TSR}}) + (\lambda_{\text{GNR}} \cdot \lambda_{\text{UNR}} \cdot \lambda_{\text{SMCR}} \cdot \lambda_{\text{CONFLR}}) + (\lambda_{\text{EGGNR}} + \lambda_{\text{GNR}})$$

As per the Railtrack IRM CCA Model, $\lambda_{\text{RELAY (short)}} = 0.4307 \times 10^{-6}$ / Hr.

$$\lambda_{\text{unsafe}} = (0.1451 \times 10^{-9} / \text{Hr})^2 + (0.1451 \times 10^{-9} / \text{Hr})^3 \cdot (0.7495 \times 10^{-6} / \text{Hr}) + 2 \times 0.1451 \times 10^{-9} / \text{Hr}$$

$$= 0.021 \times 10^{-18} / \text{Hr} + (3.0549 \times 10^{-27} / \text{Hr}) \cdot (0.7495 \times 10^{-6} / \text{Hr}) + 0.2902 \times 10^{-9} / \text{Hr}$$

$$= 0.2902 \times 10^{-9} / \text{Hr},$$

as the other terms are negligible.

We observe that Unsafe operation has a low probability and satisfies the Safety Integrity Level.

Refer to Figure 14 for the Event Tree Analysis of the LR Relay operation.

Figure 14: Event Tree Analysis of the LR Relay Operation

The Timing Diagram for LR Relay operation is shown in Figure 15.

Figure 15: The Timing Diagram for LR Relay operation

Refer to Figure 16 for the Timing Diagram for Emergency Release of the Relay.

Figure 16: Timing Diagram for Emergency Release of the Relay

There is an option of connecting the Crank Handle Relay contacts in the operating Path of LR Relays, if Motor Points are used in the Yard. This increases Safety, since both UCR and LR Relays are then controlled by the Crank Handles. The Route now cannot be initiated if any Crank Handle in the Route is unlocked. But the Rate of Safe Failure would increase due to the additional contacts in Series.

Thus, there are several ways of designing the Circuit for the LR Relay when a Signal Button is used. They are:
- Using EGGNR and GNR Drop contacts in Parallel in the Operate Path of the LR Relay, and using TSR and LR Pick-up Contacts in Series in the Stick Path of the LR Relay. This design is described above.
- Using EGGNR and GNR Drop contacts in Parallel in the Stick Path of the LR Relay (Figure 17: LR Relay Circuit). A Relay draws less Current in the Stick Path than in the Operate Path. So, inclusion of EGGNR and GNR Contacts in the Stick Path is a better idea.
- Using the UYR Drop Contact in the Operate Path of the LR Relay (Figure 18: LR Circuit). Proving the UYR Relay instead of TSR is a better idea, since UYR gives a Positive proof that the Train has passed the Signal. TSR, on the other hand, can Drop due to Track Bobbing or a Power Supply problem.
- Using UYR and LR Pick-up Contacts in Series in the Stick Path (Figure 19: LR Circuit).
- Using Conflicting Signal ASR Pick-up Contacts in the Operate Path of the LR Relay (Figure 20).

In some Panels, Signal Initiation is done by using a Signal Switch instead of a Button.
In this case, the GNR Relay Contact of the Circuits described above is replaced by the 'R' Band of the Signal Switch. The Basic Circuit with the Signal Switch is shown in Figure 21.

Figure 21: Basic Circuit with Signal Switch

The 'R' Band of the Signal Switch is bypassed by the SMCR Drop Contact, to allow Locking of the Panel by the SM after the Signal is Taken OFF and to prevent any unauthorized normalization of the Signal. The SMCR Front Contact and the Route Button Contact are bypassed by the Pick-up Contact of the concerned LR Relay, to prevent:
- Dropping of the LR Relay when the Route Button is released (thereby breaking Button Contact 'A1' UNR).
- Dropping of the LR Relay when the SM's Key is removed after the Signal is Taken OFF.

LR can Drop when the Signal Switch is made Normal, if the SM's Key is In (SMCR is Up).
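The pick-up, stick and release behaviour described above for 1ALR in the Signal Button design can be exercised as a small contact-logic model. This is an added example, not part of the original article: the `Panel`, `settle` and `run` names are hypothetical, the event sequences are constructed, and applying the EGGNR / 1GNR drop-contact pair to the holding path is an assumption, since the circuit figures are not reproduced here.

```python
from dataclasses import dataclass, field

# Conflicting LRs for Route 1A1, as listed in the article.
CONFLICTS_1A1 = frozenset(
    "1A2LR 1BLR 1C1LR 1C2LR Co1A1LR Co1BLR Co1C1LR 2DLR 4ELR 6ELR 8ELR "
    "10A1LR 10BLR Co10A1LR Co10BLR SH11A1LR SH11BLR SH11C1LR SH12A1LR "
    "SH12BLR 13FLR 14A1LR".split())

@dataclass
class Panel:  # hypothetical model of the contacts that drive 1ALR
    smcr: bool = False    # SM's key in and turned to Normal
    gnr: bool = False     # 1GNR: signal button 1GN pressed
    unr: bool = False     # 'A' UNR: route button pressed
    eggnr: bool = False   # emergency signal cancellation button pressed
    tsr: bool = True      # drops when the train passes the signal
    lrs_up: set = field(default_factory=set)  # other LRs already picked up
    lr: bool = False      # 1ALR

    def settle(self) -> bool:
        conflict = bool(self.lrs_up & CONFLICTS_1A1)
        # Operate path: LR = GNR . UNR . SMCR . Conflicting LRs* . EGGNR*
        operate = (self.gnr and self.unr and self.smcr
                   and not conflict and not self.eggnr)
        # Stick path: own front contact in series with TSR front contact.
        stick = self.lr and self.tsr
        # Assumption: the EGGNR drop contact paralleled by the 1GNR drop
        # contact opens the holding path only when both relays are up.
        cancelled = self.eggnr and self.gnr
        self.lr = (operate or stick) and not cancelled
        return self.lr

def run(events, **initial):
    """Apply (label, {field: value}) events in order; return [(label, 1ALR)]."""
    panel = Panel(**initial)
    trace = []
    for label, changes in events:
        for name, value in changes.items():
            setattr(panel, name, value)
        trace.append((label, panel.settle()))
    return trace

# Constructed event sequences that follow the article's description.
NORMAL_MOVE = [
    ("press 1GN + AUN", {"gnr": True, "unr": True}),
    ("release buttons", {"gnr": False, "unr": False}),
    ("SM removes key", {"smcr": False}),
    ("train passes signal", {"tsr": False}),
]
CANCEL = NORMAL_MOVE[:2] + [("EGGN alone", {"eggnr": True}),
                            ("EGGN + 1GN", {"gnr": True})]

if __name__ == "__main__":
    for name, ev in (("normal move", NORMAL_MOVE), ("cancellation", CANCEL)):
        print(name, run(ev, smcr=True))
```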
