Technical Meeting Paper

201803 – McGrath – Redundancy vs Resilience: The Hidden Vulnerability of Installing Two of Everything


The field of resilience engineering explores the mismatch between a system-as-designed and the actual system as it operates in the real world, in the presence of shocks, stresses and resource constraints. In signalling systems, the modelling of component availabilities into system availability leads to the belief that more redundancy is always an asset; in a real operating railway, redundancy has at times been an asset to the system, and at other times has increased cost while also decreasing performance and whole-system safety margins.

This paper explores the justification for component and link redundancy in signalling system design alongside the legislation and body of research on system resilience. It draws on a series of ideas from the field of resilience engineering, and real-world rail and signalling examples, to explore the issues. Alarm architecture, lifecycle maintenance planning, and criticality assessment are provided as concrete guidance for how to design a resilient signalling system. However, true resilient behaviour depends on the context, organisational culture and human behaviours, and the real railway as an evolving complex system.

Date of paper

March 16th, 2018

Author Details

Alex McGrath

Level Crossing Removal Authority (LXRA)
