SECTION 7
Equipment Failures

7.1 CBTC Equipment Failures

7.1.1 Equipment Redundancy

To maintain a high level of service, train control suppliers have been working to include redundancies in their new systems. The most common methods used in CBTC projects are described below.

The architecture discussed in this section concerns all CBTC equipment: onboard controller, wayside controller, and ATS servers. Both availability and safety affect the architecture of CBTC equipment. Safety features may require using several units and a comparison system, while higher availability is achieved by adding more redundant units.

1oo2: One out of Two

The most common type of redundancy is to have two identical units when only one is required for proper operation. This arrangement is called 1 out of 2 and denoted as 1oo2.

Figure 8: Example of 1 out of 2 redundancy architecture

The two units are configured in hot standby. With hot standby, one unit is active and the other is passive waiting to become active. If the active unit fails, then the passive unit becomes active.

2oo2: Two out of Two

For safety considerations, suppliers have developed a method which includes two identical hardware units performing the same functions (sometimes in two different ways) and a subsystem comparing the results of the two units. If the results match, then the result is validated and processed in terms of outputs. If the results of the two units do not match, the system is not able to conclude which result is correct, therefore it stops performing its function. This method is denoted as 2oo2 and is used to guarantee the integrity of the result for vital applications. This arrangement is usually combined within a 1oo2 system, with each redundant unit being made of two 2oo2 units (four units in total)
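
The four-unit arrangement described above (two 2oo2 pairs in 1oo2 hot standby) can be modeled as follows. This is an added example, not code from the report or from any CBTC supplier; the class names, the speed-cap function and the injected fault are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Pair2oo2:
    """Two units plus a comparator; a result is released only if both agree."""
    a: Callable[[int], int]
    b: Callable[[int], int]
    failed: bool = False  # latched: a pair that disagreed stays stopped

    def compute(self, x):
        if self.failed:
            return None
        ra, rb = self.a(x), self.b(x)
        if ra != rb:
            # The comparator cannot tell which unit is right, so the pair stops.
            self.failed = True
            return None
        return ra

@dataclass
class HotStandby1oo2:
    """1oo2 of two 2oo2 pairs: four units, one pair active, one passive."""
    active: Pair2oo2
    standby: Pair2oo2
    switchovers: int = 0

    def compute(self, x):
        out = self.active.compute(x)
        if out is None and not self.standby.failed:
            self.active, self.standby = self.standby, self.active
            self.switchovers += 1
            out = self.active.compute(x)
        return out  # None: both pairs stopped, so no output is produced

def make_unit(fail_after=None):
    """Constructed unit: caps a requested speed at 80, wrong after N calls."""
    calls = 0
    def unit(x):
        nonlocal calls
        calls += 1
        good = min(x, 80)
        return good + 5 if fail_after is not None and calls > fail_after else good
    return unit

def demo():
    pairs = [Pair2oo2(make_unit(), make_unit(fail_after=1)) for _ in range(2)]
    system = HotStandby1oo2(*pairs)
    return [system.compute(v) for v in (60, 95, 70)], system.switchovers
```

In `demo()` the first mismatch is absorbed by switching to the passive pair; the second leaves no healthy pair, and the system stops producing output rather than releasing an unverified value.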
the constraints of this 2oo2 arrangement is that complete redundant 2oo2 equipment includes four units while other arrangements require two or three units. More units imply more space and more frequent maintenance which might be more acceptable for wayside controllers than for onboard controllers.

2oo3: Two out of Three

For vital systems, CBTC suppliers may expand the 2oo2 system by adding a third unit. It is called two out of three and denoted as 2oo3, where two out of three units must work properly and have identical outputs for the system to continue to function. Comparator logic compares the results of the calculations of the three units; at least two must agree for the system to function properly. If one unit has a different result than the other two, the troubled unit is isolated, i.e. its results are not considered until the failure is cleared.

Figure 10: Example of 2 out of 3 redundancy architecture

This configuration may be applied to both the onboard and wayside controller depending on the CBTC project. Usually, the maintenance procedure requires that the complete equipment be down during repair even though only two units are necessary for operation. This constraint is not present on a redundant 2oo2 system which makes the 2oo2 system more desirable for some wayside controller applications.

7.1.2 Onboard Failures

To have good availability of the onboard controller, the equipment is arranged in 1oo2 or 2oo3 configuration depending on the CBTC supplier. Despite the redundant architecture, designed for a few years of Mean Time Between Functional Failures, the industry survey revealed that the most frequent failure of a CBTC system comes from the onboard equipment. Understandably, there is a scale factor because there is more onboard equipment than any other CBTC equipment. However, without considering the scale factor, the onboard equipment is subject to more frequent failures than wayside ones.
It is a direct result of its environment: onboard controllers are subject to vibration, wide temperature variation, dirt/dust, humidity and electromagnetic interference. In addition to the harsh environment of the onboard controller hardware, it is a complex system including not only the main controller but also other subsystems like a speed measurement system and a communications system.

In addition to hardware failures, the equipment is subject to software errors due to the complexity of the calculations and to other functional failures when the speed measurement system or the communications system suffers a malfunction or the interface between those subsystems is not working properly.

A momentary wayside failure such as loss of network communications and certain train operation errors may result in the inability for the train to continue to operate in CBTC mode. Though technically not an onboard controller failure, the impact of such an event is that the train cannot operate in CBTC, acting like a train with CBTC failure.

When an onboard controller stops, whether it can recover immediately or not, the train is unable to move in CBTC until an initialization process takes place. The initialization process is different on every project, but it always involves moving in non‐CBTC mode for a short distance to localize the train. Note that there are a few projects with specific assumptions regarding the presence of non‐equipped trains, plus particular train tracking and localization functions, where it is possible that a CBTC train can move immediately in CBTC mode after onboard equipment boot‐up.

Managing a single train with CBTC failure in CBTC project Category 1.A: Secondary System capable of revenue service

• Train is switched to operate without the CBTC system in restricted speed mode until the next signal, and then either it can recover and resume CBTC operation or it is driven at restricted speed to a siding area or it is switched to bypass mode, to be able to run at a speed compatible with revenue service.
• If the following train is close to the train with CBTC failure, the following train is stopped and needs to run in non‐CBTC mode for a short distance. If not close to the train with CBTC failure, the following train remains in CBTC mode and follows the train with CBTC failure, increasing the train separation but still compatible with peak or off‐peak revenue service.
Managing a single train with CBTC failure in CBTC project Category 2: No STD/PS

• Train is switched to operate without the CBTC system in restricted speed mode.
• The area where the train with CBTC failure is located is blocked for CBTC operation. The train with CBTC failure needs to be removed from the mainline and brought to a CBTC system initialization point, if capable of resuming CBTC operation. Another train, with full CBTC capabilities, must run in manual mode to sweep the area before CBTC revenue service can resume in the area. The result is a major service disruption.
Managing a wayside controller failure in CBTC project Category 1.B: Secondary System designed to handle a single non‐CBTC train

• All trains are switched to operate without the CBTC system in restricted speed mode.
• In projects of Category 1.B.1, revenue service can continue with absolute block operation, one train per block, a block usually covering an interstation. Speed is limited. Normal operation is possible in areas outside the failed control zone.
Prone to a failure of the entire line, for instance in case of loss of power to the room.
Pros: Easily accessible by maintenance.
In projects using processor‐based interlockings, and where the interface between the interlocking and the wayside controller is digital, then loss of communication between an interlocking and the wayside controller results in an inability to continue CBTC operation over the area controlled by the interlocking.

7.2 STD/PS Equipment Failures

It is very important to note that when a secondary system is used, it is implemented such that its detection and protection functions are active and interface with the CBTC system at all times. Therefore, any failure of the secondary system has the potential to impact the performance of the CBTC system. This section presents some of the possible secondary system failures and the impact on CBTC operation.

7.2.1 Track Circuit Failures

A track circuit is a fail‐safe solution and, when failed, it reports as if it were occupied by a train. The CBTC can detect that a track circuit is failed by comparing the localization of the trains and the track circuit status. For instance, if a track circuit which is not occupied by any train suddenly reports occupied, then the wayside controller determines that it is due to a failure of the equipment and not due to a train present on the track circuit and shunting the running rails.

When a track circuit is detected as failed, CBTC trains may be impacted. Trains may be required to stop and switch to a restricted CBTC mode or non‐CBTC mode of operation before entering the track circuit block. Alternatively, there might be relatively complex CBTC functions which allow continued CBTC operation over the area, where the function may be automatic or may require ATS operator intervention.

In most projects, the CBTC system uses the determination that the track circuit is failed to allow CBTC operation over it. Authorizing CBTC operation over the area may be automatic or may require a control center ATS command. Because the track circuit failure may be due to a broken rail, a slow speed may be enforced while the train is occupying the track circuit. Depending on the option chosen by the transit agency, a track circuit failure may be transparent for CBTC operation.

The rare and unsafe case of a failed track circuit in the vacant state, even when a train is shunting the rails, is handled by CBTC, inhibiting train operation in CBTC mode.

Recovery: After the track circuit is repaired, CBTC operation may resume immediately over it. A control center ATS command may be necessary to remove the restrictions on operation depending on the type of failure and the agency procedures.

7.2.2 Axle Counter Failures

Failure of an axle counter impacts the blocks before and after the axle counter. Similar to a failed track circuit, the axle counter output is used by CBTC at all times, and therefore CBTC trains may be stopped before entering the blocks around the failed axle counter.

As for the track circuit, in most projects, the CBTC system uses the determination that the axle counter is failed to allow CBTC operation over the area. Authorizing CBTC operation may be automatic or may require a control center ATS command to disregard the failed axle counter. Depending on the option chosen by the transit agency, an axle counter failure may be transparent for CBTC operation.

Recovery: Unlike track circuits, returning to normal operation after an axle counter failure requires a process to verify that the blocks around the repaired axle counters are empty. The procedure can be:
• Sweeping the area with a train.
• Sending a command to the axle counter system after verification that the blocks are empty. The verification usually involves having personnel in the field.
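
The cross-check from Section 7.2.1, comparing train localization with track circuit status, can be sketched as below. This is an added example, not code from the report or from any CBTC product; the block layout, train positions and action table are constructed, and it assumes every train in the area is CBTC-localized and ignores position uncertainty.

```python
from enum import Enum

class Verdict(Enum):
    CONSISTENT = "consistent"
    FAILED_OCCUPIED = "failed, reporting occupied"  # fail-safe side
    FAILED_VACANT = "failed, reporting vacant"      # unsafe side

# Hypothetical policy table: the report says the real choice depends on the
# project and on the option chosen by the transit agency.
ACTION = {
    Verdict.CONSISTENT: "normal CBTC operation",
    Verdict.FAILED_OCCUPIED: "CBTC allowed at slow speed (possible broken rail)",
    Verdict.FAILED_VACANT: "CBTC operation inhibited",
}

def overlaps(block, train):
    """True if the train's (rear, front) extent intersects the block's (start, end)."""
    (start, end), (rear, front) = block, train
    return rear < end and front > start

def assess(blocks, track_circuits, trains):
    """Compare each track circuit's reported state with CBTC train localization."""
    report = {}
    for name, extent in blocks.items():
        present = sorted(t for t, pos in trains.items() if overlaps(extent, pos))
        occupied = track_circuits[name]
        if occupied == bool(present):
            verdict = Verdict.CONSISTENT
        elif occupied:
            verdict = Verdict.FAILED_OCCUPIED  # occupied, but no train is there
        else:
            verdict = Verdict.FAILED_VACANT    # vacant, but a train is there
        report[name] = (verdict, present, ACTION[verdict])
    return report

# Constructed sample: three blocks (metres along the track), two localized trains.
BLOCKS = {"TC1": (0, 200), "TC2": (200, 400), "TC3": (400, 600)}
TRACK_CIRCUITS = {"TC1": True, "TC2": True, "TC3": False}  # reported occupancy
TRAINS = {"T101": (50, 170), "T102": (430, 550)}           # (rear, front)
```

With the constructed data, `assess(BLOCKS, TRACK_CIRCUITS, TRAINS)` reports TC1 as consistent, TC2 as failed in the occupied state and TC3 as failed in the vacant state, the case the report calls rare and unsafe.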