2018 – March – McGrath – Redundancy vs Resilience: The hidden vulnerability of installing two of everything
Alex McGrath
Level Crossing Removal Authority (LXRA)
The field of resilience engineering explores the mismatch between a system-as-designed and the actual system as it operates in the real world, in the presence of shocks, stresses and resource constraints. In signalling systems, the modelling of component availabilities into system availability leads to the belief that more redundancy is always an asset; while in a real operating railway, redundancy has at times been an asset to the system and at other times has increased cost while also decreasing performance and whole-system safety margins.

This paper explores the justification for component and link redundancy in signalling system design alongside the legislation and body of research on system resilience. It draws on a series of ideas from the field of resilience engineering, and real-world rail and signalling examples, to explore the issues. Alarm architecture, lifecycle maintenance planning, and criticality assessment are provided as concrete guidance for how to design a resilient signalling system. However, true resilient behaviour depends on the context, organisational culture and human behaviours, and the real railway as an evolving complex system.
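The abstract's point about availability modelling can be made concrete with a small calculation. The example below is an added illustration, not code or figures from the paper: it compares the usual independent-failure model for a 1-out-of-N redundant set against a beta-factor common-cause model, in which an assumed fraction `beta` of each unit's unavailability is shared by every unit at once (a power feed, a cable route, a maintenance error applied to all units). All component figures (`mtbf_hours`, `mttr_hours`, `beta`) are constructed for the demonstration. Under independence every extra unit keeps improving the computed availability; with any common-cause share the achievable availability plateaus at `1 - beta * q`, while the expected number of repair visits grows linearly with the number of units installed.

```python
"""Redundancy arithmetic: independent-failure model vs beta-factor common-cause
model for a 1-out-of-N redundant set. Added illustration with constructed
parameters; not taken from the paper.
"""


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one repairable unit: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def redundant_availability_independent(a: float, n: int) -> float:
    """1-out-of-N parallel set, failures assumed independent: A = 1 - (1 - a)^n."""
    return 1.0 - (1.0 - a) ** n


def redundant_availability_beta(a: float, n: int, beta: float) -> float:
    """Beta-factor common-cause model (assumed parameterisation).

    The single-unit unavailability q = 1 - a is split into a common-cause part
    q_cc = beta * q that takes the whole set down together, and an independent
    part q_ind = (1 - beta) * q. The set is unavailable if the common-cause
    event occurs or all n units fail independently.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    q = 1.0 - a
    q_cc = beta * q
    q_ind = (1.0 - beta) * q
    set_unavailability = 1.0 - (1.0 - q_cc) * (1.0 - q_ind ** n)
    return 1.0 - set_unavailability


def expected_repairs_per_year(mtbf_hours: float, n: int) -> float:
    """Maintenance load: each installed unit fails on average 8760/MTBF times a year."""
    return n * 8760.0 / mtbf_hours


def compare_models(mtbf_hours: float, mttr_hours: float, beta: float, n_max: int):
    """Rows of (n, A_independent, A_common_cause, repairs_per_year) for n = 1..n_max."""
    a = availability(mtbf_hours, mttr_hours)
    rows = []
    for n in range(1, n_max + 1):
        rows.append((
            n,
            redundant_availability_independent(a, n),
            redundant_availability_beta(a, n, beta),
            expected_repairs_per_year(mtbf_hours, n),
        ))
    return rows


if __name__ == "__main__":
    # Constructed figures: a unit with 10,000 h MTBF, 10 h MTTR, 10 % common-cause share.
    for n, a_ind, a_cc, repairs in compare_models(10_000.0, 10.0, 0.10, 4):
        print(f"n={n}  independent={a_ind:.9f}  common-cause={a_cc:.9f}  "
              f"repairs/year={repairs:.2f}")
```

With the constructed figures the independent model reports roughly six nines at n=2 and keeps climbing, whereas the beta-factor model stops improving once the independent term is negligible, leaving the set at about 1 - 0.1 × q regardless of how many more units are installed, each of which still adds its own share of repair visits and the associated site access and human-error exposure.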