Trip device not failing to safe when damaged

The reporter expressed a safety concern relating to the design of the trip device.

The reporter described the trip device as a mechanical air switch mounted on a bogie frame.

This is essentially correct, although the trip device (tripcock) is actually attached to the axlebox, not the bogie frame.

When a lever on the air switch is struck by a raised track-mounted lever, the trip is designed to vent the brake pipe and apply the train brakes.

This is essentially correct. The trip lever of the tripcock is designed to contact a raised trackside train stop, with contact face dimensions 150 x 75 mm, located only in a specified position relative to the rails.

The device is intended to act as a safety system to protect against a train passing a signal at danger, possibly due to an incapacitated driver.

This is overstating the function of the tripcock. The tripcock is one element of the train’s Driver Safety System. It is separate from and is not part of the other elements of the Driver Safety System (operator enable system and vigilance system).

As per [Operator] Standard [number] – D (DRIVER SAFETY SYSTEMS), Driver safety system is defined as:
“The combination of safety devices and associated logics such as an operator enable system, vigilance device and trip valve mechanism, fitted to the driven portion of a train/vehicle.

The operator enable and vigilance systems are designed to bring the vehicle/train to a stand in the event of driver incapacitation.

The trip gear is designed to bring the vehicle/train to a stand after passing a signal at stop or approaching a signal at excessive speed (timed train stops).”

The reporter advised that the trip’s design requires the air switch lever to be struck and rotated in order to turn a valve body, which vents the brake pipe.

This is essentially correct. The tripcock design is such that it will operate to vent the brake pipe when it contacts a raised trackside train stop, although the tripcock internal operation is different to that described.

However, the reporter also described a known scenario where a trackside obstruction has struck the lever, but instead of rotating, the lever has separated from the device and failed to activate the train brake.

There have been occurrences where the tripcock has been struck by a trackside obstruction such as high ballast, wombats or other animals, sleepers etc. that are infringing the rollingstock outline. This type of obstruction may contact the tripcock in a different position and manner to the raised train stop, and may result in damage to the tripcock, including hitting the trip lever with sufficient force to cause it to break off.

While this occurrence is undesirable, it is not a design requirement for any train equipment (including the tripcock) that the train brakes are activated if a trackside obstruction is contacted.

It can also be observed that such a scenario is possible for other types of tripcock device, not just the one manufactured by our company.

See further comments below regarding mitigation for such an event.

The reporter has expressed a concern that under some failure modes the system may not fail to a safe condition, as the lever may shear off rather than provide the necessary rotational action to apply the brakes.

We are not aware of any instance where the tripcock has struck a raised trackside train stop and has not acted to apply the brakes. There has been one reported incident where the trip arm was broken off during this impact, but acted as designed, to apply the brakes.

There is a risk that the trip lever may be damaged due to impact, and that it would then not be effective in the event of a subsequent SPAD. See further comments below regarding mitigation for such an event.

The reporter also advised that the failure mode described above had not been considered in the failure mode analysis process, more specifically under conditions where an incapacitated driver was unable to manually apply the brakes.

It is not correct that such a failure mode has not been considered. A detailed FMECA (Failure Mode Effect and Criticality Analysis) was conducted during the design of the tripcock, and has been subsequently presented to train builders and users of the tripcock for their review.

The tripcock needs to be considered as part of the Driver Safety System, and as such, the expectation is that in the event of the tripcock being disabled due to any reason, the other parts of the system will still function. If the driver is incapacitated, the vigilance and/or operator enable systems would act to apply the train brakes in accordance with their design function.

Regular inspection and maintenance is prescribed for the tripcock – in particular it should be part of the daily train preparation that the tripcock is checked for completeness and correct operation.

In addition to the analysis noted above, the tripcock has been subjected to extensive testing including repeated high speed impacts to the trip lever, to confirm its suitability for its intended function.

For applications where there is a higher risk of impact damage, we have developed an external protection package – this has been adopted on some of diesel train fleets operating in country areas.

We have also proposed an electronic sensor to our customers, to detect the position and presence of the trip lever.