
VPI Overview


Contents

1. DUART: Dual Universal Asynchronous Receiver Transmitter. EMC: Electromagnetic Compatibility. EMI: Electromagnetic Interference. EPROM: A programmable read-only memory device that is erasable using high-intensity ultraviolet light. Fail-Safe: The concept that if a system fails, only a safe result will occur. Failure Mode: The effect by which a failure is observed, for example short circuit. Firmware: Instructions stored on a ROM chip. FLASH: A form of electrically erasable programmable read-only memory used with embedded processors. FMEA: Failure Mode and Effects Analysis. FPGA: Field Programmable Gate Array. FRA: Federal Railroad Administration. FSK: Frequency Shift Keying. (P2086G, Rev. E, Jan 15, page 2-3, Alstom Signaling Inc.) Table 2-1. Common Abbreviations and Glossary (Cont.). Terms: FSVT; Hardware; I/O. Definitions or explanations: Field Settable Vital Timer board. A specific Vital Serial Controller board (VSC) that provides a means of communicating to and from programmable Genrakode modules. A specific Vital Serial Controller board (VSC) that provides a means of communicating to and from programmable Genrakode modules. The electronic section of the computer that stores and manipulates symbols under the direction of the computer. Hand Held terminal. Identification. MODBUS. Input/Output. IOB: Input/Output (I/O) Bus Interface board. Interface: The equipment
2. An experienced signal engineer must verify the safety of the VPI data and its application. It is the signaling engineer's responsibility to verify the correctness of the VPI input data in that it accurately represents the intended safe functionality of the VPI system. Furthermore, "verify the correctness" means that the signaling engineer (1) is required to compare the input and output data files to verify the CAA has operated correctly and (2) must test the VPI application in its intended environment before it can be placed in revenue service. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: VPI APPLICATION MUST BE VALIDATION TESTED. Prior to revenue service, validation testing must confirm all VPI application logic is correct and consistent with application requirements. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. The basis of the application of VPI is to use a tool to configure the system hardware and software as well as create the signaling logic for the Vital application. The independent Application Data Verifier Tool, as well as associated procedures, must be run and performed prior to any VPI applicat
3. ABOUT THE MANUAL. This manual introduces the Alstom Vital Processor Interlocking Control System (VPI). The information in this manual is arranged into sections. The title and a brief description of each section follow. Section 1, SAFETY WARNINGS: This section contains the safety information, presented as warnings, applicable to the VPI system. Section 2, INTRODUCTION: This section describes the manual organization, introduces the topics enclosed, and provides a glossary of terms used in this manual. Section 3, VPI: This section gives general information on function and organization of the VPI system. Section 4, CHASSIS CONFIGURATIONS: This section describes the chassis used for the VPI system. Section 5, VITAL SUBSYSTEM: This section describes the Vital boards and assemblies used in the VPI system. Section 6, NON-VITAL SUBSYSTEM: This section describes the non-vital boards and assemblies used in the VPI system. Section 7, DESIGN, TEST AND VALIDATION TOOLS: This section describes the design, test and validation tools used for the VPI system. Section 8, NON-VITAL SYSTEM AND COMMUNICATIONS SOFTWARE: This section describes the non-vital system and communications software used in the VPI system. MANUAL SPECIAL NOTATIONS. In the Alstom manuals, three methods are use
4. Note: Other system boards may also be required to configure a proper operating system, and several other arrangements could be possible. The continuous motherboard version of the plug-coupled module connects all the slots (1 to 21) of the P2 connector together. This requires that all the I/O housed in the module be either Vital or non-vital. Also, a CSEX board can be housed in this module with Vital I/O as long as no non-vital I/O are also housed. Table 4-1. VPI Plug-Coupled Chassis Configurations (Description: Part Number). Plug-coupled chassis with split motherboard (5 16 slots), 5 VDC power filter and 38216 404 Bus Extension Cable: 31506 015 01. Plug-coupled chassis with continuous motherboard (21 slots), 5 VDC power filter and 38216 404 Bus Extension Cable: 31506 015 11. Extra deep plug-coupled chassis with rear cover, split motherboard and 5 VDC power filter: [part number illegible]. Extra deep plug-coupled chassis with rear cover, continuous motherboard and 5 VDC power filter: [part number illegible]. 4.2.2 Cable Harness. The chassis requires specific cable harness assemblies to be installed based on the PCB configuration. Ribbon cables are required for the main system bus. This is a 60-way ribbon cable which connects the main system boards together. The number of positions or slots required for this cable is dependent upon the number of main boards being installed. The boards connec
5. [Figure 7-1. CAAPE Non-Vital Relay Application Logic Display] 7.2.2 Application Verification. Critical CAAPE utility that is used to both verify compiled design as it is resident in System Memory and highlight differences between compiles. The latter is extremely important where multi-phase projects require many incremental changes without having to retest entire interlocking plant. In general, the ADV: Reconstructs Appli
6. 6-1 through 6-16, Jan 15; 7-1 through 7-12, Jan 15; 8-1 through 8-6, Jan 15. PREFACE. NOTICE OF CONFIDENTIAL INFORMATION. Information contained herein is confidential and is the property of Alstom Signaling Inc. Where furnished with a proposal, the recipient shall use it solely to evaluate the proposal. Where furnished to customer, it shall be used solely for the purposes of inspection, installation or maintenance. Where furnished to a supplier, it shall be used solely in the performance of the contract. The information shall not be used or disclosed by the recipient for any other purposes whatsoever. VPI is a registered trademark of Alstom Signaling Inc. iVPI is a trademark of Alstom Signaling Inc. All other trademarks referenced herein are trademarks of their respective owners. FOR QUESTIONS AND INQUIRIES, CONTACT CUSTOMER SERVICE. Address: Alstom Signaling Inc., 1025 John Street, West Henrietta, NY 14586 USA. Website: www.alstomsignalingsolutions.com. Email: websiteinfo@alstomsignalingsolutions.com. Phone: 1-800-717-4477. REVISION LOG. A, November 1996: Original issue. March 2008. November 2013: Updated to include new warnings [SG, KW, MS]. January 2015: Updated for clarity, added additional warnings, added Safety Warnings section [MS].
7. TABLE OF CONTENTS (excerpt): 6.4.1.2 Specifications/Assembly Differences; 6.4.1.3 Assemblies; 6.4.2 NVO SNK Non-Vital Output Sink Board, P/N 31166 123; 6.4.2.1 Specifications; 6.4.2.2 [title illegible]; 6.4.3 NVR Non-Vital Relay Output Board, P/N 31166 238; 6.4.3.1 Specifications; 6.4.3.2 [title illegible]; 6.5 TRAIN TO WAYSIDE COMMUNICATIONS BOARD; 6.5.1 NVTWC FSK Non-Vital TWC FSK Board, P/N 31166 119; 6.5.1.1 [title illegible]; 6.5.1.2 [title illegible]; SECTION 7 VPI DESIGN, TEST AND VALIDATION TOOLS; 7.1 [title illegible]; 7.2 CAAPE: AN INTEGRATED WINDOWS-BASED CONFIGURATION TOOL; 7.2.1 [title illegible]; 7.2.2 Application Verification; 7.2.3 CAAPE System Requirements; 7.3 WATCHER; 7.4 EMBEDDED DATALOGGER; 7.5 TRACKER REMOTE DIAGNOSTIC ANALYZER; 7.5.1 Fault Detection; 7.5.2 [title illegible]; 7.5.3 Data Retrieval and Report Creation; 7.6 TESTYRTE; 7.7 MAINTENANCE MANAGEMENT SYSTEM; SECTION 8 NON-VITAL SYSTEM AND COMMUNICATIONS SOFTWARE; 8.1 SYST
8. Table 5-14. SBO Board Assembly (Description: Part Number). SBO Board Assembly, 8 outputs, 9-15 VDC, group energy is filtered: 59473 739 01. SBO Board Assembly, 8 outputs, 9-15 VDC, group energy is not filtered, supports use of coded energy: 59473 739 02. Signature PROM, one for each output board in a system, determined by CAA: 39780 003 01 through 39780 003 40. 5.8.3 DBO and DBO 50V Specifications. The double break output is analogous to a relay circuit with the contacts in both the feed and return sides of the circuit. With the solid-state equivalent, however, each output is completely isolated from all other outputs and/or power supplies. Each output is isolated by using individual DC-DC converters that provide in excess of 3000 VRMS isolation. This Vital output board series is used to drive relays, line circuits, and most often when a bipolar (i.e., pole change) output is required (e.g., point machine control). [Figure 5-10. DBO Port Interface] WARNING: LOAD DEVICE RESTRICTIONS FOR DOUBLE BREAK OUTPUT (DBO) BOARDS. Low current Vital DBO boards may fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes. Thi
9. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. 5.5.1 Specifications. Table 5-7. CRG Board Specifications (Characteristic: Specification). Maximum number of Boards per VPI System; Board slots required; AOCD Current Threshold: 3 mA; Maximum Board Logic Current Supply: 1200 mA. 5.5.2 Assemblies. Table 5-8. CRG Board Assembly Differences (Description: Part Number). CRG board assembly for solid-state relay code followers, one board per system; produces codes of 0, 50, 75, 120, 180 pulses per minute: 31166 261 01. CRG board assembly for solid-state relay code followers, three boards per system; produces codes of 0, 50, 75, 120, 180 pulses per minute: 31166 261 03. CRG board assembly for relay code followers, three boards per system; produces codes of 0, 50, 75, 120, 180, 270, 420 pulses per minute and Steady On: 31166 261 04. 5.6 IOB I/O BUS INTERFACE BOARD, P/N 59473 827. The I/O Bus Interface board serves as a buffer between the system processing boards and groups of Vital I/O. It provides a storage medium for test data obtained during Vital input and Vital output port checks. The board includes logic t
10. for use with CAA 31746 011 and later; Multi-drop, full duplex, four-wire, with 40026 193 MVSC software, for use with CAA 31746 011 and later; 59473 939 04; 59473 939 05; Pt-Pt with daughter board and 40026 192 VSC software, for use with CAA 31746 011 and later; 59473 939 06; Multi-drop, half duplex, two-wire, with 40025 290 GVSC software, for use with CAA 31746 023 and later; 59473 939 07; Pt-Pt with 40025 322 VSC software, for use with CAA 31746 027 and later; 59473 939 10; Pt-Pt with daughter board and 40025 322 VSC software, for use with CAA 31746 027 and later; 59473 939 11; Multi-drop, full duplex, four-wire, with 40025 323 MVSC software, for use with CAA 31746 027 and later; 59473 939 12; Multi-drop, half duplex, two-wire, with 40025 324 GVSC software, for use with CAA 31746 023 and later; 59473 939 13; Multi-drop, half duplex, two-wire, with 40025 348 GVSCE software, for use with CAA 31746 030 and later; 59473 939 14; Pt-Pt with 40025 399 VSC software, for use with CAA 31746 032H; 59473 939 15; Pt-Pt with daughter board and 40025 399 VSC software, for use with CAA 31746 032H; 59473 939 16; Pt-Pt with 40025 406 VSC software, for use with CAA 31746 032K and later; 59473 939 17; Pt-Pt with daughter board and 40025 406 VSC software, for use with CAA 31746 032K and later; 59473 939 18
11. train collision, personal injury, and/or death. Alstom strongly recommends that strict revision control of the VPI application data and system software be maintained so that the expected configuration in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design, and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system and any consequences to the system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. WARNING: UNIQUE SITE ID CONTROL MUST BE MAINTAINED. Failure to properly assign, maintain and control unique Site IDs for VPI systems can result in unintended consequences including train derailment, t
12. 2; 500 mA; [illegible] Async or Sync. 07: Multi-drop, half duplex, 2-wire (Note 3); 2 (Note 2); 1; 500 mA; 19200 Sync. 10: Pt-Pt; 4 (Note 1); 1; 500 mA; 19200 Sync. 11: Pt-Pt with daughter board; 4 (Note 1); 2; 500 mA; 9600 or 19200, Async or Sync. 12: Multi-drop, full duplex, 4-wire (Note 3); 2 (Note 2); 1; 500 mA; 19200 Sync. 13: Multi-drop, half duplex, 2-wire (Note 3); 2 (Note 2); 1; 500 mA; 19200 Sync. 14: Multi-drop, half duplex, 2-wire (Note 4); 2 (Note 2); 1; 500 mA; 19200 Sync. 15: Pt-Pt; 4 (Note 1); 1; 500 mA; 19200 Sync. 16: Pt-Pt with daughter board; 4 (Note 1); 2; 500 mA; 9600 or 19200, Async or Sync. 17: Pt-Pt; 4 (Note 1); 1; 500 mA; 19200 Sync. 18: Pt-Pt with daughter board; 4 (Note 1); 2; 500 mA; [illegible] Async or Sync. Note 1: Starting with CAA 31746 025, this limit is increased to 10 minus the sum of FVSC, MVSC, GVSC, GVSCE, HORG, CSEX, where indicates the total number of a particular VPI board type. Note 2: The total number of GVSCE, GVSC, MVSC combinations must be less than or equal to 2. Note 3: Supports 15 parameters per track. Note 4: Supports 25 parameters per track. 5.4.3 Assemblies. Table 5-6. VSC Board Assembly Differences (Description: Part Number). Pt-Pt with 40026 081 VSC software, for use with CAA 31746 010 and earlier: 59473 939 01. Pt-Pt with 40026 192 VSC Software
13. WARNING: UNIQUE SYSTEM ID CONTROL MUST BE MAINTAINED. Failure to properly assign, maintain and control a unique System ID for each VPI system within the entire train control system can result in unintended consequences including train derailment, train collision, personal injury, and/or death. Alstom strongly recommends that strict control of the System IDs be maintained so that the expected configuration of all VPIs within the entire train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design, and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system and any consequences to the system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train co
14. EIA232/EIA422/EIA485, MAC, blank FLASH PROMs, 36-pin Aux Bd: 31166 175 03. 6.3 NON-VITAL INPUT BOARDS. 6.3.1 NVI Non-Vital Input Board, P/N 59473 757. The Non-Vital Input board provides 32 isolated Non-Vital inputs interface through the motherboard to the VPI module. A CSEX board employing Non-Vital I/O control software communicates over the motherboard bus to the NVI board. Input states are latched and read every 25 ms by the NVP board. 6.3.1.1 Isolated Inputs. Optical isolators separate the power supplies of the 5V logic system and field circuitry. Each of the four groups of eight inputs has a separate signal return, allowing inputs derived from four isolated supplies to share one input board. [Figure 6-3. NVI Board] 6.3.1.2 Specifications/Assembly Differences. Table 6-3. NVI Board Specifications (Specification: Characteristic, 59473 757). Maximum number of Boards per NVP Subsystem; Minimum Activation Current Per Port: 10 mA, 7 mA; Source, Source. 6.3.1.3 Assemblies. Table 6-4. NVI Board Assemblies (Description: Part Number). NVI, 32 inputs, 18-33 VDC: 59473 757 02. NVI, 32 inputs, 9-18 VDC: 59473 757 03. 6.3.2 NVID Non Vital Input Differen
15. Interlocking Control; Remote Office Controls And Indications; Train to Wayside and Wayside to Train Communications; Train Dwell Control; Train Identification; Train Berthing; Automatic Train Operation; Automatic Route Generation; Auxiliary Train Tracking; Interface to Vital Logic. 8.2.2.1 Logic Statement Types: Boolean Equations; Timer Equations (delays the setting of an equation); Integer Equations (arithmetic using variables and constants); Program Flow Control (IF, ELSE, WHILE, GOTO); User Defined Subroutines (SUBROUTINE, CALL); Predefined Subroutines (timer control, format conversion, e.g. Integer/Binary); Arrays. [Screenshot: Queens1 NV NV open in Notepad; the legible listing text follows.] BOOLEAN EQUATION SECTION SUBROUTINE TO COPY ARRAY BITS SUBROUTINE COPY_BITS BOOL BIT_ARRAY_1 BOOL BIT_ARRAY_2 INT NUM BITS COUNT 8 WHILE COUNT < NUM BITS H BOOL BIT ARRAY 2 COUNT BIT ARRAY 1 COUNT COUNT COUNT 1 H END COPY_BITS MAIN PROGRAM STARTS HERE WAIT FOR 16 SECONDS AFTER POWER UP TIME DELAY 16 SECONDS BOOL PWR_UP TRUE IF PWR_UP TRUE H CHECK WHICH ARRAY TO COPY IF MSG1 RECEIVED TRUE && COPY OK TRUE CALL COPY_BITS SOURCE1 DEST 28 ELSE CALL COPY_BITS SOURCE2 DEST 28 x USE PREDEFINED SUBROUTINE TO EXTRACT STATION NUMBER FROM DEST ARRAY CALL BIN TO INT STATION DEST DE
16. Meets AREMA requirements. Operating Temperature: -40 to 160 °F (-40 to 70 °C). Humidity: 0 to 95%, Non-Condensing. Typical Weight per Module with some boards: 15 lbs (6.80 kg). Dimensions: 14H x 19W x 23D inches (35.6H x 48.3W x 58.5D cm); depth includes cable dress at rear of chassis. [Figure 3-2. General VPI System Block Diagram] SECTION 4 CHASSIS CONFIGURATIONS. 4.1 GENERAL. This section describes the chassis used for the VPI system. [Figure 4-1. VPI Chassis] 4.2 PLUG-COUPLED CHASSIS. The VPI plug-coupled chassis includes
17. RAM is shared with the main processing system and is the means by which the checkwords are transferred. [Figure 5-3. VRD Board] 5.3.3 Specifications. Table 5-3. VRD Board Specifications (Characteristics: Specification). Maximum number of Boards per VPI System: 1; Board slots required; Maximum Board Logic Current Supply: 300 mA. 5.3.4 Assemblies. Table 5-4. VRD Board Assembly (Description: Part Number). Vital Relay Driver board assembly: 59473 740 02. 5.4 VSC VITAL SERIAL CONTROLLER BOARD, P/N 59473 939. The Vital Serial Controller board is a microprocessor-based board that provides a means for exchanging the states of Vital interlocking functions between interlocking systems in a Vital manner. This board family was first designed to provide Vital VPI-to-VPI Vital communications more efficiently than line wires. There are two types of data transmission interfaces: one for private copper pairs and one for generic EIA232 DCE connection. A daughter board is used to provide the EIA232 connection, so the number of chassis slots required for this interface is two (2). Two additional applications of the VSC were created to provide a means of communicating to and from AF Track Circuit modules (MVSC) and programmable Genrakode modules (GVSC). The system software installed on the Vital Ser
18. REPAIRED BY ALSTOM. Alstom strongly recommends all LRU repairs be performed by Alstom, as Alstom uses special components and has developed special assembly and repair techniques to ensure the continued safety of the train control system. Use of LRUs not repaired by Alstom in the Alstom train control system can degrade the safety performance of the system, resulting in property damage, injury, and/or death due to train collision or derailment. Alstom strongly recommends that a detailed AREMA-compliant safety analysis be performed before using any LRU not repaired by Alstom in this Alstom train control system. This safety analysis should be performed by personnel with mastery in the system safety implications when using Alstom LRUs not repaired by Alstom. Responsibility for the adequacy of the safety analysis rests solely with the transit or railroad authority, and Alstom will neither review nor approve any such safety analysis. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not repaired by Alstom are used in the train control system originally designed, safety certified, and commissioned by Alstom. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not repaired by Alstom are used. For train control systems not designed by Alstom
19. SBO: Single Break Output board. SN: Sink. Real Time Clock. A special program that represents the behavior of a system. Surface Mount Technology. Subsystem (VPI). Software: Programs that direct the activity of the computer. SRAM: Static Random Access Memory. Subroutine: A section of a program that carries out a specific operation. Used to summarize the Vital or non-vital functions of a VPI system, as in Vital subsystem and non-vital subsystem. One of multiple subracks populated with boards in a system configuration composed of more than one subrack. One or more subracks populated with boards. Task: A program that is run as an independent unit. TTL. TWC: Train to Wayside Communications. UART: Universal Asynchronous Receiver Transmitter. USART: Universal Synchronous Asynchronous Receiver Transmitter. VA C. (CENELEC 3.1.67) the activity applied in order to demonstrate, by test and analysis, that the product meets in all respects its specified requirements. Volts Direct Current. Table 2-1. Common Abbreviations and Glossary (Cont.) (Term: Definition or Explanation). Verification: (CENELEC 3.1.68) the activity of determination, by analysis and test, at each phase of the life cycle, that the requirements of the phase under the consideration meet the output of the previous phase and that the output of the phase under consideration fulfills it
20. SECTION 1 SAFETY WARNINGS. 1.1 SAFETY WARNING MATRIX. Warnings are presented in Table 1-1 for convenience in locating an applicable warning. Table 1-1. Warning Titles and Location (Warning Heading: Found on page). Overview Manual Must Be Read In Entirety: 1-2. Notification of Service Disruption: 1-2. Use Only Alstom Vital Relay With VRD Board: 1-2, 5-4, 5-47. Use of LRUs Not Manufactured by Alstom: 1-3, 5-5, 5-45. Use of LRUs Not Repaired by Alstom: 1-4, 5-6, 5-46. Load Device Restrictions for Code Rate Generator (CRG) Boards: 1-5, 5-15. Load Device Restrictions for Single Break Output (SBO) Boards: 1-6, 5-22. Load Device Restrictions for Double Break Output (DBO) Boards: 1-6, 5-24. Load Device Restrictions for Light Driver Output (LDO) Boards: 1-7, 5-27. Load Device Restrictions for Light Driver Output 2 (LDO2) Boards: 1-7, 5-30. Load Device Restrictions for Low Current Vital AC Output (ACO) Boards: 1-8, 5-33. Load Device Restrictions for High Current Vital AC Output (ACO) Boards: 1-8, 5-33. Intended Safe Functionality of the VPI System Must Be Verified: 1-9, 5-39. VPI Application Must Be Validation Tested: 1-9, 5-40. ADV Input Data Must be Verified Separately Prior to ADV Process: 1-10, 5-41. VPI Application Must Be Field Tested: 1-10, 5-41. Verifier Must Be Different Than Designer: 1-11, 5-42. Timer Equation Protection Required: 1-11, 5-43. Protect V
21. VPI system. The VPI system does not have a fixed chassis layout. The signal engineer is allowed to configure the system within a set of constraints to best meet the needs of each particular application. The Computer Application Package (CAA) is used to configure the VPI chassis as well as define the Vital and non-vital application logic required for each system. 2.3 COMMON ABBREVIATIONS AND GLOSSARY. Terms and abbreviations used throughout this manual are provided in Table 2-1. Table 2-1. Common Abbreviations and Glossary (Term: Definition or Explanation). AAR: Association of American Railroads; replaced by AREMA. Alternating Current. ACO: Vital AC Output board. Application Data Verifier. Audio Frequency. A step-by-step procedure used to solve a problem. AlsDload: A tool for programming application and system software on VPI, iVPI, PGK, PGK2, GK3 and AFTC boards. AOCD: Absence Of Current Detector. AREMA: American Railway Engineering and Maintenance-of-Way Association. ARES: Advanced Railroad Electronic System. ATC: Automatic Train Control. ATCS: Automatic Train Control System. BBRAM: Battery Backed Read/Write Memory. Byte: This is a group of eight bits handled as a unit. Clock: A device in a CPU that sends out electrical pulses at a fixed rate; the control unit uses the pulses to synchronize its operation. Comple
22. VRD circuit board. [5.3.1 VRD Relay] Alstom products are designed to function within all Alstom systems. The introduction of non-Alstom products into an Alstom VPI system could have unintended and unforeseeable safety consequences. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: USE OF LRUS NOT MANUFACTURED BY ALSTOM. Alstom strongly recommends only using Lowest Replaceable Units (LRUs) manufactured by Alstom in order to maintain the safe operation of the train control system. Use of LRUs not manufactured by Alstom in the Alstom train control system can degrade the safety performance of the system, resulting in property damage, injury, and/or death due to train collision or derailment. Alstom strongly recommends that a detailed AREMA-compliant safety analysis be performed before using any LRU that is not an Alstom-manufactured direct replacement for this Alstom train control system. This safety analysis should be performed by personnel with mastery in the system safety implications of using LRUs not manufactured by Alstom. Responsibility for the adequacy of the safety analysis rests solely with the transit or railroad authority, and Alstom will neither review nor approve any such safety analysis. For train control systems designed by
23. Windows 7 operating systems are supported in CAAPE 019B and later. 7.3 WATCHER. Watcher is a PC-based tool that operates with embedded VPI software to provide real-time review of internal execution of the interlocking through a connection to the non-vital system controller. Its prime task is to: monitor and record the real-time states of selected Vital or non-vital variables; view application logic equations in graphical or text format, including the real-time states of their variables; view detailed diagnostic screens in VT100 format. Note: Watcher is not certified to run on Windows 7 platform. [Figure 7-4. Watcher Main Screen, View Logic and State] 7.4 EMBEDDED DATALOGGER. A feature provided by the non vita
24. be done first to validate the correct information is used. TABLE OF CONTENTS: SECTION 1 SAFETY WARNINGS; 1.1 SAFETY WARNING MATRIX; 1.2 SAFETY WARNINGS; SECTION 2 INTRODUCTION; 2.1 SCOPE; 2.2 DOCUMENT CONVENTIONS; 2.3 COMMON ABBREVIATIONS AND GLOSSARY; 2.4 RELATED PUBLICATIONS; SECTION 3 VPI; 3.1 GENERAL; 3.2 VPI SUBSYSTEMS; 3.3 GENERAL CHARACTERISTICS; 3.4 GENERAL [title illegible]; SECTION 4 CHASSIS CONFIGURATIONS; 4.1 GENERAL; 4.2 PLUG-COUPLED CHASSIS; 4.2.1 Case; 4.2.2 Cable Harness; 4.3 DIRECT WIRE CHASSIS; 4.3.1 Case; 4.3.2 [title illegible]; 4.4 PCB INTERFACE CHASSIS (CPIB); 4.4.1 [title illegible]; 4.4.2 [title illegible]; 4.4.3 Interface PCBs; 4.5 COVERS; SECTION 5 VITAL SUBSYSTEM; 5.1 GENERAL; 5.2 CPU/PD CENTRAL PROCESSING UNIT/POLYNOMIAL DIVIDER BOARD, P/N 31166 029
25. internal cable harness assemblies. These assemblies connect the VPI PCB I/O point(s) to a series of AMP type M series plug couplers mounted on the rear panel of the chassis. The rear panel also contains a 14-pin type M series plug coupler for the 5 VDC power connection and provisions for up to four 60-way ribbon cable connectors for connecting to expansion chassis. Figure 4-2. Plug Coupled Chassis. Plug Coupled Chassis Cable Harness. Figure 4-3. Plug Coupled. 4.2.1 Case: The VPI plug coupled chassis can be provided in two basic case configurations. One to four chassis can be used to complete a single system. The chassis may be a mixture of the two types. The two basic types are the split motherboard and the continuous motherboard that busses the center connector (P2) of the printed circuit boards together. Each chassis contains 21 printed circuit board slots. The split motherboard version of the chassis is configured to connect the P2 connector traces from chassis slots one through five together and slots six through twenty-one together. Since the VPI system uses the P2 connector as the I/O bus, this allows Vital and non-vital I/O to be housed in the same chassis. For example, the first five chassis slots could be used to house non-vital I/O and the non-vital processor. Slots from 6 to 21 could contain Vital I/O along with the Vital I/O controller I/O Bus
26. private communications network. 5.12.5 Miscellaneous Assumptions. 5.12.5.1 EMC/EMI: The nature of the modifications for VPI in comparison to VPI are not subject to downgrade original EMC/EMI characteristics. VPI rack, as an incremental evolution of the mature VPI, has been tested and qualified to AREMA 11.5.1 Class C Standard. However, this document refers to the executed test on the generic VPI/VPI2/iVPI Products, i.e., VPI/VPI2/iVPI rack. EMC/EMI shall be verified in the frame of each Application Project with: specific control room power supply characteristics, protection and filter where the VPI/VPI2/iVPI rack is installed; specific cubicle project configuration; specific cubicle wiring; specific cubicle and grounding; etc. SECTION 6 NON-VITAL SUBSYSTEM. 6.1 GENERAL: This section describes the non-vital boards and assemblies used in the VPI system. Figure 6-1. Non-Vital System (blocks: Non-vital Subsystem, Non-Vital Inputs, Non-Vital Outputs, Train to ER Communications). WARNING: NON-VITAL SUBSYSTEM IS NOT FAIL-SAFE. The non-vital subsystem and communications software used in the VPI system is not designed for fail-safe application and must not be used for saf
27. that enables one kind of hardware to be recognized and processed by another kind of hardware. Interrupt: The event that tells the computer to stop the program currently running and do some other more important task. LAN: Local Area Network. Latch: A mode of operation for a circuit in which an output's state is maintained. LDO: Lamp Drive Output board. LED: Light Emitting Diode. Logic Symbol: A symbol used to graphically represent a logic element. Lowest Replaceable Unit. MAC: Maintenance ACcess connection point in a system. This enables the connection of a VT100-compatible terminal to examine system diagnostics and internal operation of the system. Megabyte. Maintenance Management System. A messaging structure used to establish master-slave/client-server communication between intelligent devices. Modem: A piece of equipment that connects data terminal equipment to a communication line. MOV: Metal Oxide Varistor, used for voltage surge suppression. MSB: Most Significant Bit. Table 2-1. Common Abbreviations and Glossary (Cont.) (Term: Definition or Explanation). A specific Vital Serial Controller board (VSC) application that provides a means of communicating to and from AF Track Circuit modules. NISAL: Numerically Integrated Safety Assurance Logic. Non-Vital Circuit: This circuit provides either support or secondary services for the Vital networks; its failure i
28. with POR: 59473 785 03. NVO Sourcing 9-18 VDC with POR: 59473 785 04. NVO Sourcing 4.5-14.5 VDC with POR: 59473 785 05. NVOAC 5-250 VAC with POR: 59473 936 02. 6.4.2 NVO SNK Non-Vital Output Sink Board P/N 31166 123: The Non-Vital Sink Output board provides a VPI system with 32 Non-Vital latched, isolated, open-drain, current-sinking outputs, each capable of driving TTL or CMOS logic inputs. Note: logic inputs must be provided with an appropriate pull-up resistor. The outputs are divided into four groups of eight. The outputs are controlled via the system bus on the system motherboard by a Code System Emulator board (CSEX) running Non-Vital I/O control software. Figure 6-6. NVO SNK Board. 6.4.2.1 Specifications. Table 6-12. NVO SNK Board Specifications (Characteristic: 31166 123 01): Maximum number of Boards per CSEX Subsystem Board slots required 20; Number of ports per Board: 32; Minimum Switched Output Supply Voltage: 4.5 VDC; Maximum Switched Output Supply Voltage: 14.5 VDC; Maximum Output Current per Port: 0.25 A sink; Power On Reset (POR). 6.4.2.2 Assembly. Table 6-13. NVO SNK Board Assembly (Description: Part Number): NVO SNK 32 sinking 4.5-14.5 VDC: 31166 123 01. Non Vita
29. 01 P1 Ribbon Cable 18 38216 630 00 Interconnect Interconnect inches. 4.4.3 Interface PCBs. Table 4-5. Interface Assembly Differences (Description: Part Number): Vital output PCB interface: 31166 194 01; Vital input interface: 31166 195 01; Non-vital interface: 31166 196 01; VRD and 5 VDC Power interface: 31166 197 01; VSC interface: 31166 198 01; Communications interface CSEX: 31166 199 01; CPU/PD interface: 31166 336 01. 4.5 COVERS: The VPI chassis can be supplied with optional covers. The front cover is a hinged aluminum cover on which the PCB label is generally mounted. The chassis can also be supplied with either a top or bottom screen, or both. This screen is generally used to prevent items from falling into the PCB area of the equipment. Table 4-6. VPI Chassis Covers (Description: Part Number): Front cover: 58605 043 02; Top/bottom screen cover: 50253 354 00. SECTION 5 VITAL SUBSYSTEM. 5.1 GENERAL: This section describes the Vital boards and assemblies used in the VPI system. Figure 5-1. Vital Subsystem (blocks: Vital Subsystem, CPU/PD, Vital Outputs, Vital Inputs). 5.2 CPU/PD CENTRAL PROCESSING UNIT POLYNOMIAL DIVIDER BOARD P/N 31166 029: All the Vital application logic is stored on this board and executed from it. Each Vital s
30. 05 is to be used with the Alstom VPI system VRD circuit board. Alstom products are designed to function within all Alstom systems. The introduction of non-Alstom products into an Alstom VPI system could have unintended and unforeseeable safety consequences. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: USE OF LRUS NOT MANUFACTURED BY ALSTOM. Alstom strongly recommends only using Lowest Replaceable Units (LRUs) manufactured by Alstom in order to maintain the safe operation of the train control system. Use of LRUs not manufactured by Alstom in the Alstom train control system can degrade the safety performance of the system, resulting in property damage, injury, and/or death due to train collision or derailment. Alstom strongly recommends that a detailed AREMA-compliant safety analysis be performed before using any LRU that is not an Alstom-manufactured direct replacement for this Alstom train control system. This safety analysis should be performed by personnel with mastery in the system safety implications of using LRUs not manufactured by Alstom. Responsibility for the adequacy of the safety analysis rests solely with the transit or railroad authority, and Alstom will neither review nor approve any such safety analysis. For train cont
31. Following are samples of TestWrite screen and reports. Figure 7-6. TestWrite User View. Figure 7-7. TestWrite Report (sample report for Route 1 SWT SET 3 N 7A N East; columns: Steps, Actions, Expected Results). 7.7 MAINTENANCE MANAGEMENT SYSTEM: The Maintenance Management System (MMS) is an Alstom diagnostic tool that can remotely monitor each VPI Vital and non-vital networked system. MMS is a graphical diagnostic and m
32. ADV complete, no errors (Ladder Logic PD F69BD02C, Text PD F69BD02C). Figure 7-2. Graphical ADV Compares Logic Input to Output Files w/CRCs. Figure 7-3. ADV Compare Application Utility. 7.2.3 CAAPE System Requirements: Table 7-1 shows the computer and operating system requirements for CAAPE. Table 7-1. Computer and Minimum Operating System Requirements: Operating System: Windows XP SP3, Windows 7 32-bit and Windows 7 64-bit
33. ALSTOM ACCUTRACK PRODUCT SOLUTIONS. VPI Vital Processor Interlocking Control System, Product Overview. Copyright 1996, 2003, 2004, 2013, 2015 Alstom Signaling Inc. Read and understand this manual before using this equipment. Failure to follow the instructions presented in this manual can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. Product Overview Manual P2086G. Alstom Signaling Inc. P2086G, Rev. E, January 2015, Printed in U.S.A. LIST OF EFFECTIVE PAGES: P2086G, VPI Vital Processor Interlocking Control System Product Overview Manual. ORIGINAL ISSUE DATE: November 1996. CURRENT REVISION AND DATE: Rev E, January 2015. PAGE: CHANGE OR REVISION LEVEL. Cover: Jan 15; Title page: Jan 15; Preface: Jan 15; through x: Jan 15; 1-1 through 1-18: Jan 15; 2-1 through 2-8: Jan 15; 3-1 through 3-4: Jan 15; 4-1 through 4-10: Jan 15; 5-1 through 5-58: Jan 15
34. Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not manufactured by Alstom are used in the train control system originally designed, safety certified, and commissioned by Alstom. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not manufactured by Alstom are used. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not manufactured by Alstom are used. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not manufactured by Alstom are used. WARNING: USE OF LRUS NOT REPAIRED BY ALSTOM. Alstom strongly recommends all LRU repairs be performed by Alstom, as Alstom uses special components and has developed special assembly and repair techniques to ensure the continued safety of the train control system. Use of LRUs not repaired by Alstom in the Alstom train control system can degrade the safety performance of the system, resulting in property damage, injury, and/or death due to train collision or derailment. Alstom strongly recommends that a detailed AREMA-compliant safety analysi
35. EM SOFTWARE INTERFACE MATRIX; 8.2 APPLICATION; 8.2.2.1 Logic Statement Types; 8.2.3 COMMUNICATIONS; 8.3 SYSTEM SOFTWARE INTERFACE MATRIX. LIST OF FIGURES (Figure No.: Title): Figure 3-2: General VPI System Block Diagram; Figure 4-2: Plug Coupled Chassis; Figure 4-4: Direct Wire Chassis; Figure 5-1: Vital Subsystem; Figure 5-2: CPU/PD Board; Figure 5-7: DI Board; Figure 5-8: Vital Output Boards; Figure 5-9: SBO Port Interface; Figure 5-10: DBO Port Interface; Figure 5-11: LDO Port Interface; Figure 5-12: LDO2 Port Interface; Figure 5-13: LDO2 Board Edge Diagnostic Indicators
36. I board in a system determined by CAA 59473 867 07 59473 871 01 through 59473 871 16. The 59473 867 03 assembly input circuit possesses the ability to rectify AC signals and is intended for special situations only. Consult Alstom on its use. 5.8 VITAL DC OUTPUT BOARDS P/N 59473 739, 747, 977, 749: There are four types of Vital DC Output boards: Single Break (SBO) 59473 739; Double Break (DBO) 59473 747; Double Break 50 V (DBO 50V) 59473 977; Lamp Driver (LDO) 59473 749. All are configured with eight Vital outputs per board. The single break output is analogous to a single relay contact placed in the positive or feed side of the circuit. The equivalent to the relay contact in the solid state circuit is the FET switch. The double break output is analogous to a relay circuit with the contacts in both the feed and return sides of the circuit. With the solid state equivalent, however, each output is completely isolated from all other outputs and/or power supplies. The lamp driver's output is equivalent to a single relay contact in the return or common side of the circuit. All outputs use a circuit (AOCD) that detects current to vitally determine the state of the circuit. If the current is greater than the threshold value, the output is considered in the ON state. It is only proven to be OFF if the current is less than the AOCD thre
37. Figure 5-7. DI Board. 5.7.1 Specifications. Table 5-11. DI Board Specifications (Specification: Characteristic 59473 867): Maximum number of Boards per VPI System; Board slots required; Maximum Board Logic Current Supply: 300 mA; Minimum Input Voltage/Port: 9.0, 9.0, 9.0, 45.0, 9.0, 24.0 VDC; Maximum Input Voltage/Port: 15.0, 15.0, 15.0, 55.0, 22.0, 34.0 VDC; Input Transient Protection Voltage (Max Voltage); Input Transient Protection Energy (Max Energy); Isolation Between Inputs: > 3000 Vrms; Address Signature Header Required Ze SE SES Yes No N Yes Yes Yes ilter Momentary Input Hold No 1700 Vrms 3 6 Joules dr No Yes No No No. 5.7.2 Assemblies. Table 5-12. Direct Input Assembly Differences (Description: Part Number): 16 Discrete Inputs with Filtering, 9-15 VDC: 59473 867 01; 16 Discrete Inputs w/o Filtering, 9-15 VDC: 59473 867 02; 16 Discrete Inputs with hold circuit, 9-15 VDC: 59473 867 03; 16 Discrete Inputs w/o Filtering, 45-55 VDC: 59473 867 04; 16 Discrete Inputs w/o Filtering, 9-22 VDC: 59473 867 05; 16 Discrete Inputs w/o Filtering, 24-34 VDC; Signature Header, one for each D
38. ITAL TIMER BOARD P/N 59473 894; 5.12 APPLICATION ASSUMPTIONS AND CONSTRAINTS; 5.12.1 Application Assumption Requirement; 5.12.1.2 VITAL TIMING; 5.12.1.3 System Grounding; 5.12.1.5 Response Time to a Safety Critical Failure; 5.12.1.6 Signaling Logic; 5.12.1.7 Vital Output Verification; 5.12.1.8 Preventing Potential Output Circuit Run Around Paths; 5.12.1.9 Safety Checks Outputs; 5.12.1.10 Safety Checks System Processing; 5.12.1.11 Application Verification; 5.12.1.12 Output Current Check for Output Ports; 5.12.1.13 Cycles of Forgiveness; 5.12.1.14 Proof of Logic Primordial Logic Review; 5.12.1.15 Short Cycle Timer Protection; 5.12.1.16 Output Protection; 5.12.1.17 VRD Relay and VRD Repeaters; 5.12.1.18 Simultaneous Failures; 5.12.1.19 FMEA Provides Adequate Failure Coverage; 5.12.1.20 Se
39. S FOR SINGLE BREAK OUTPUT (SBO) BOARDS. Low current Vital SBO boards may fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: LOAD DEVICE RESTRICTIONS FOR DOUBLE BREAK OUTPUT (DBO) BOARDS. Low current Vital DBO boards may fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. Alstom Sig
40. Figure 8-1. Logic Programming Sample. 8.2.3 Communications: See Section 8.3 for Alstom's library of communications protocols. Office: This provides local or interlocking information to a remote office for display while allowing the office to control routing through the interlocking. Remote Access Terminal. Automatic Train Dispatch. Platform Signs. Intra- or Inter-system communications: Allow expansion of the system or partitioning of the non-vital subsystem into multiple processors. Also allows neighboring locations to exchange interlocking information. 8.3 SYSTEM SOFTWARE INTERFACE MATRIX: These features are available through the software items listed below, which are distributed with the CAAPE software package. Table 8-1. Communications Protocol Library (columns: Alstom Protocol, Part Number, Publication Number). TWC hardware required: 119 series of boards. Table 8-1. Communications Protocol Li
41. System ID board can be configured with the compiled System ID value. VRD will not energize if the Revision ID, Site ID, System ID values configured on the hardware do not match the values configured in the CPU/PD application. 5.12.3 Production Assumptions. 5.12.3.1 System Manufacturing: VPI has been designed with the latest state-of-the-art surface mount components and has been fully qualified to international rail industry standards as well as quality standards for complete system component manufacture. It is assumed that the manufacturer of printed circuit boards continues to follow recommended production standards for printed circuit boards and that it is periodically verified through quality inspection that proper production and handling best practices have been performed. It is further assumed that Alstom will be made aware of any change to components or manufacturing processes of Vital printed circuit boards prior to authorization being given to proceed with the changes. This includes first-run production as well as printed circuit boards being cycled through a repair cycle. 5.12.4 External Interface Assumptions. 5.12.4.1 I/O Interface: It needs to be considered that VPI inputs must not be connected to any external device that can act to rectify an induced AC signal. Inputs that are not static i
42. Figure 7-5. Screen View of User Data. 7.5 TRACKER REMOTE DIAGNOSTIC ANALYZER: Tracker is a software package with a number of features intended to make problem detection and diagnosis easier for the user. A PC-based Windows product, Tracker is used to automatically identify VPI system failures and produce alarms at a central site. Tracker also serves as a centralized server for the collection of VPI Datalogger event records from field sites. Basic features are fault detection, logging, data retrieval, and report creation. Note: Tracker is not certified to run on Windows 7 platform. 7.5.1 Fault Detection: In the convenience of an office setting, the Tracker Diagnostic Analyzer Software can provide full-time and part-time monitoring of multiple field device sites simultaneously and can be configured to sound an alarm when a malfunction occurs. When a fault is detected, the Tracker software can be configured to diagnose the problem to indicate the fault or field condition. This helps ensure that proper spares are taken to the site the first time, thus minimizing system down time. 7.5.2 Logging: The Tracker software provides an historical log of error
43. UIRED. Vital Boolean and timer equations are evaluated in every one-second application cycle regardless of the state of the VRD; therefore, every timer equation must include the VRDFRNT DI vital input as a constituent in order to prevent the timer from running short and completing an evaluation of the equations prematurely. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. All VPI timer equations should include a VRDFRNT DI parameter to ensure that the timing cannot be short timed. Protection of system timing is provided by check results each one-second timing cycle. A timer failure (the timer runs short) would be detected and would drop the VRD. However, timing equations continue to evaluate, and therefore a timer equation could prematurely complete. By inserting the VRDFRNT DI input into a timer equation, this situation can be prevented. 5.12.1.16 Output Protection. WARNING: PROTECT VITAL OUTPUT EQUATIONS WITH VRDFRNT DI. Relying on the status of the VRDFRNT DI Vital input to, in effect, control Vital output devices without including the VRDFRNT DI Vital input in the respective output equations does not provide fail-safe operation. The VRDFRNT DI Vital input must be used as a constituent to the Vital output Boolean equations. Failure to comply can
44. afety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. WARNING: UNIQUE SITE ID CONTROL MUST BE MAINTAINED. Failure to properly assign, maintain, and control unique Site IDs for VPI systems can result in unintended consequences, including train derailment, train collision, personal injury, and/or death. Alstom strongly recommends that strict control of the Site IDs be maintained so that the expected configuration of all VPIs in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system and any consequences to the system's safety integrity and performance a
45. aintenance application that uses a graphical track layout to dynamically record and display the VPI diagnostic status, the status of linked VPI variables, and play back recorded data. Additional tools are available to manage diagnostics configuration, event and data logs, schedule maintenance tasks and view, record and play back VPI application variable data. For more information on this Alstom tool, refer to Alstom publication P2509, Maintenance Management System for Alstom Vital Processor Interlocking Systems VPI VPI IL iVPI. SECTION 8 NON-VITAL SYSTEM AND COMMUNICATIONS SOFTWARE. 8.1 SYSTEM SOFTWARE INTERFACE MATRIX: The non-vital subsystem can simultaneously support multiple communication code system protocols while performing non-vital input/output operations, application logic functions, train-to-wayside and wayside-to-train communications, and data logging within the VPI system. The data logged information is time-stamped and can be viewed in real time, can be selected by the user by run time, or downloaded for off-line examination. The logic may be written using a combination of Boolean and higher-level programming techniques to control the communications and input/output functions. WARNING: NON-VITAL SUBSYSTEM IS NOT FAIL-SAFE. The non-vital subsystem and communications software used in the VPI system is not designed for fa
46. ards P/N 59473 785 and 59473 936: The Non-Vital Output (NVO) board 59473 785 and Non-Vital Output AC (NVOAC) board 59473 936 provide 32 isolated non-Vital outputs. An NVP board employing non-Vital I/O control software communicates over the motherboard bus via the P2 connector to the NVO board. 6.4.1.1 Isolated Outputs: Optical isolators separate the power supplies of the 5V logic system and field circuitry. Each of the four groups of eight outputs possesses a separate power feed and signal return, allowing interface with four distinctly different supplies. Various board assemblies have different output voltage ratings (see specifications). Outputs can source up to 250 mA. Figure 6-5. NVO Board. 6.4.1.2 Specifications, Assembly Differences. Table 6-9. NVO Board Specifications, Assemblies (Specification: Characteristic 59473 785 03, 04, 05): Maximum number of Boards per NVP Subsystem: 20; Maximum Output Current per Port (Source): 0.25 A. Table 6-10. NVOAC Board Specifications (Characteristic: 59473 936 02): Maximum number of Boards per CSEX Subsystem; Board slots required; Number of ports per Board; Power On Reset (POR): Yes. 6.4.1.3 Assemblies. Table 6-11. NVOAC Board Assemblies (Description: Part Number): NVO Sourcing 18-33 VDC
47. assembly, together with improved Vital system software, offers enhanced CPU/PD diagnostic capability. A diagnostic interface on the board edge is provided to permit maintenance personnel to examine the operation of the board without connecting any other equipment. Figure 5-12. LDO2 Port Interface. Figure 5-13. LDO2 Board Edge Diagnostic Indicators (labels: Toggle Switch, Output Number, Clear Error Switch, Reset Switch, CFG LED, Requested Output State). WARNING: LOAD DEVICE RESTRICTIONS FOR LIGHT DRIVER OUTPUT 2 (LDO2) BOARDS. High current Vital LDO2 boards may fail with up to 50 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a high current Vital output circuit board must not operate at or below 50 milliamperes and must de-activate above 50 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. Table 5-19. LDO2 Board Specifications (Specification: Characteristic 31166 340): Maximum number
48. atus of the VRDFRNT DI Vital input to, in effect, control Vital output devices without including the VRDFRNT DI Vital input in the respective output equations does not provide fail-safe operation. The VRDFRNT DI Vital input must be used as a constituent to the Vital output Boolean equations. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. Customer Application of VRDFRNT DI in a non-vital manner is done so at the risk managed by the customer. Alstom Signaling takes no responsibility for that risk. WARNING: LOAD DEVICE RESTRICTIONS FOR CODE RATE GENERATOR (CRG) BOARDS. Low current Vital CRG boards may fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: LOAD DEVICE RESTRICTION
49. be placed in revenue service. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: VPI APPLICATION MUST BE VALIDATION TESTED. Prior to revenue service, validation testing must confirm all VPI application logic is correct and consistent with application requirements. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: ADV INPUT DATA MUST BE VERIFIED SEPARATELY PRIOR TO ADV PROCESS. Vital system operation requires that the Boolean equations in the Vital application logic must be written correctly so that, by executing the logic, the VPI system operates safely in accordance with the rules of the transit or railroad authority. The Application Data Verifier (ADV) output report provides a means to compare and verify equivalence between the input and the output application data. However, the Application Data Verifier neither determines the safety suitability of the Boolean expression list nor determines the validity of certain encoded VPI application data. The input data to the ADV process must be verified for safety separately, prior to the ADV process, and the safety and suitability of the input data is the re
50. brary (Cont.) [Table, continued. Columns: Alstom Protocol, Part Number, Publication Number. Only legible entry: NVTWCBARTMUX.] Need help? Contact Customer Service: Alstom Signaling Inc., 1025 John Street, West Henrietta, NY 14586 USA, 1-800-717-4477, www.alstomsignalingsolutions.com
51. cation Design From EPROM; Generates Reports For Circuit Check; Creates the Equivalent of an Electronic Book Of Plans; Provides for a Difference Utility; Highlights Changes; Provides Security Far Beyond Checksums; Validates Configuration Management. Specifically: • Application Data Verifier (ADV) helps verify that application PROM data matches intended user input. New Consolidation Reports simplify analysis of ADV data. • Graphical ADV helps verify that graphically entered logic matches PROM data. This is a specialized aspect of the ADV for users who enter logic graphically. There is no graphical verification report. • ADV Compare program compares ADV reports to highlight differences between applications in their Vital logic, symbols, messages, and I/O. [Screenshot: CAAPE project window for project Queens1, with the message window showing Graphical ADV progress: Starting Graphical ADV; Opening logic component; Reconstructing ladder logic from text file; Comparing logic statements]
52. cific availability requirements. A single VPI system may include 1 to 4 chassis, depending on I/O and arrangement. Single VPI systems controlling interlockings with 35 point machines have been proposed. However, the largest single VPI system installed so far has 20 point machines, and the average number of point machines per system tends to be less due to specific project availability requirements. The VPI system can be mounted in a small wayside equipment shelter. No special heating or cooling equipment is required for operation in AREMA-specified environments of Class C or Class D (40 to 70 degrees C). Built-in secondary transient protection is provided for all I/O lines to prevent disruption of service from EMI or other local interference. If required, additional primary protection devices can be added to the external lines to protect against higher-level EMI, such as pulses from nearby electrical storms. Typically, no interface devices are required between the VPI inputs and outputs and the standard interlocking appliances. The interlocking relay logic is reduced to either a closed set of Boolean mathematical expressions or expressed graphically using Relay Ladder Logic diagrams, which represent standard relay contact closures energizing coils. Then, using an ALSTOM Computer Aided Application Programming Environment (CAAPE) software package, these Boolean expressions are converted into op
54. d AREMA-compliant safety analysis be performed before using any LRU that is not an Alstom-manufactured direct replacement for this Alstom train control system. This safety analysis should be performed by personnel with mastery in the system safety implications of using LRUs not manufactured by Alstom. Responsibility for the adequacy of the safety analysis rests solely with the transit or railroad authority, and Alstom will neither review nor approve any such safety analysis. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety, integrity, and performance of the train control system in which LRUs not manufactured by Alstom are used in the train control system originally designed, safety certified, and commissioned by Alstom. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not manufactured by Alstom are used. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety, integrity, and performance of the train control system in which LRUs not manufactured by Alstom are used. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not manufactured by Alstom are used. WARNING: USE OF LRUS NOT
55. d to convey special informational notations. These notations are warnings, cautions, and notes. Both warnings and cautions are readily noticeable by boldface type and a box around the entire informational statement. Warning: A warning is the most important notation to heed. A warning is used to tell the reader that special attention needs to be paid to the message, because if the instructions or advice is not followed when working on the equipment, then the result could be either serious harm or death. The sudden, unexpected operation of a switch machine, for example, or the technician contacting the third rail could lead to injury and/or death. An example of a typical warning notice follows. WARNING: DISCONNECT MOTOR ENERGY. Disconnect the motor energy whenever the gear cover is removed. Otherwise, the switch machine may operate unexpectedly and can cause injury and/or death. Caution: A caution statement is used when failure to follow the recommended procedure could result in loss or alteration of data. A typical caution found in a manual is as follows. CAUTION: Changing session date and time to earlier values may affect the ability of the History Window to store data correctly. Note: A note is normally used to provide minor additional information to the reader, to explain the reason for a given step in a test procedure, or to just provide a background detail. An example of the use of a note follows. Note: This step should
56. degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. Customer application of VRDFRNT DI in a non-vital manner is done so at the risk managed by the customer. Alstom Signaling takes no responsibility for that risk. The primordial logic should be designed to assure that failures in internal and external circuitry, including the VRD Relay and VRD Repeater Relays, result in known safe conditions. All VPI output control equations should be evaluated by a capable and qualified user (e.g., experienced signal engineer) to include a VRDFRNT DI parameter to ensure that all outputs (for example, signals and vital serial parameters) are placed in a restrictive state in the event of a system failure, including a failure in the VRD Relay or VRD Repeater Relay circuitry external from the VPI system. 5.12.1.17 VRD Relay and VRD Repeaters. WARNING: USE OF LRUS NOT MANUFACTURED BY ALSTOM. Alstom strongly recommends only using Lowest Replaceable Units (LRUs) manufactured by Alstom in order to maintain the safe operation of the train control system. Use of LRUs not manufactured by Alstom in the Alstom train control system can degrade the safety performance of the system, resulting in property damage, injury, and/or death due to train collision or derailment. Alstom strongly recommends that a detaile
57. ds connected by this main bus are CSEX, VRD, CPU/PD, I/O BUS, and VSC. The VRD PCB takes two slots. 4.4 PCB INTERFACE CHASSIS (CPIB). The PCB interface chassis uses printed circuit cards with WAGO-style spring clip wire termination blocks and PCB edge connectors to map the I/O termination points on the VPI PCBs to discrete wire connectors. The chassis is designed to allow these interface PCBs to be inserted and removed from the rear of the chassis. This provides a wire termination method that can be quickly disconnected by removing the PCBs, and individual I/O points may be disconnected for troubleshooting. This chassis style is intended for low-density applications. See Figure 4-5 for a photo of a PCB Interface Chassis. [Figure 4-5: PCB Interface Chassis] [Figure 4-6: PCB Interface] 4.4.1 Case. The PCB Interface case is similar in arrangement and options to the plug-coupled and direct-wired cases. The difference in this case is that an additional set of card guides is installed on the rear of the chassis for the interface PCBs. The case descriptions in Table 4-3 include a list of the boards in each case. The individual boards are discussed in SECTION 5 Vital Subsystem a
58. e regardless of the state of the VRD; therefore, every timer equation must include the VRDFRNT DI vital input as a constituent in order to prevent the timer from running short and completing an evaluation of the equations prematurely. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: PROTECT VITAL OUTPUT EQUATIONS WITH VRDFRNT DI. Relying on the status of the VRDFRNT DI Vital input to, in effect, control Vital output devices without including the VRDFRNT DI Vital input in the respective output equations does not provide fail-safe operation. The VRDFRNT DI Vital input must be used as a constituent to the Vital output Boolean equations. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. Customer application of VRDFRNT DI in a non-vital manner is done so at the risk managed by the customer. Alstom Signaling takes no responsibility for that risk. WARNING: SOFTWARE REVISION CONTROL MUST BE MAINTAINED. Failure to properly version control VPI system software and VPI application data can result in unintended consequences including train derailment
59. earth ground must be considered when providing connections between VPI I/O and field devices in order to ensure that the earth ground remains isolated from the signaling battery. 5.12.1.4 Vital Inputs. Inputs that are considered Vital are expected to be provided by a Vital source such that: • permissive inputs (ON) will be presented as DC signals at the level of the Vital signaling battery, with some tolerance, or • restrictive inputs (OFF) will be presented as no voltage (0 volts) • there is no defined threshold for OFF beyond the assumption that no energy is applied (0 VDC, no connection) or there is no presence of voltage signifying ON at signal battery voltage level • while VPI performs input scanning with detection of induced AC 25 250 Hz, proper care must be taken in the installation layout of wiring so that no differentially induced AC signal can be presented to a Vital input where the level of this input could be inappropriately sensed as a permissive state (> 3 VDC). 5.12.1.5 Response Time to a Safety Critical Failure. VPI has been designed to remove output energy when a failure is detected, prior to the period required to have a switch point machine begin to move from its intended position (normal or reverse) or to energize a traditional B Relay (< 200 ms). This is considered the worst-case safety failure. VPI's design maintains a failure detection
60. eath due to train collision or derailment. WARNING: LOAD DEVICE RESTRICTIONS FOR LOW CURRENT VITAL AC OUTPUT (ACO) BOARDS. Low-current Vital AC output boards may fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low-current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: LOAD DEVICE RESTRICTIONS FOR HIGH CURRENT VITAL AC OUTPUT (ACO) BOARDS. High-current Vital AC output boards may fail with up to 50 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a high-current Vital output circuit board must not operate at or below 50 milliamperes and must de-activate above 50 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requ
61. erating instructions for the VPI microprocessor. Both Vital and non-vital applications are created with the same user interface. The CAAPE software package is also used to configure the hardware of the VPI chassis. The tool set includes a graphical simulator that allows the signal engineer to exercise the logic before building the hardware. The simulator provides a mechanism for the signal engineer to demonstrate the operation of the interlocking before the design is complete. As such, it can offer clarifying detail to design reviews. The simulator can also be used in presenting the application design to non-signaling personnel (e.g., operating personnel) to ensure that the signal design adequately supports the operational needs. The VPI system has separate subsystems for Vital and non-vital control. The Vital and non-vital logic and hardware are maintained as separate subsystems to allow modifications in one section to not affect the other. These subsystems may share a chassis or may be configured in separate chassis. Refer to Figure 3-2 for a general block diagram of a portion of a control system with two VPI systems. 3.4 GENERAL SPECIFICATIONS. Table 3-1 lists nominal specifications for the VPI module (Chassis and Boards). Table 3-1. VPI Specifications (Characteristic: Specification). Logic Input Power: 5 0 25 VDC at 8 amperes maximum per module. High Voltage Isolation Rating
62. es a database function to store and organize all relevant data. An extensive documentation section makes it easy to track applications through various stages of development and provides enhanced revision control. Online context-sensitive assistance is available through the HELP facility in the form of a SEARCH window. Also accessible from the HELP menu, the comprehensive tutorial provides an easy reference guide and training tool for the CAAPE package. The program allows the viewer to follow the creation of a typical new application from the beginning to end and also contains an index for handy access to the main control topics. 7.2.1 CAAPE. The CAAPE design tool shows project contents, graphical logic editing, and compile results in message window to illustrate the integrated nature of CAAPE. • Integrated project-oriented environment for developing, compiling, and verifying applications and for managing input, output, and report files • Graphical entry of application data, including graphical logic with straight or drop-line symbols; traditional text-based application data entry is still supported as well • Compiler configuration reports include date/time of input and output files, system software versions, calculated checksums, and CRCs [Screenshot: CAAPE window, CTC2Logic, Queens1_NY]
63. ety critical operations. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. 6.2 NON-VITAL PROCESSOR FAMILY (NVP). The non-vital processors perform important communications, data logging, and non-vital logic operations within the VPI system. There have been three generations of processor boards with generally increasing functionality. All the non-vital processors are referred to as CSEX, which stands for Code System Emulator eXtended. The first CSEX board family was the 59473 938 series. This board was developed to support multiple non-vital communications links simultaneously and to permit the separation of the non-vital application from the Vital to better support the non-vital application requirements. The CSEX2 board family (31166 049) enhanced the flexibility of configuration of the non-vital communications interfaces and the first generation of data logging. The latest family, CSEX3 (31166 175), was designed to support larger, more demanding non-vital applications and provided a greater depth of memory for data logging. The CSEX3 was also designed to be a plug-in replacement for either the earlier CSEX or CSEX2 board assemblies. 6.2.1 CSEX3 Extended Code System Emulator 3 Board (P/N 31166 175). The CSEX3 Code System Emulator eXtended board is a
64. field troubleshooting • Operational Records (Embedded Datalogger): View on-board event records for all application parameters. Time-stamped and interactive display of logged data. • Remote Collection of Event and Diagnostic Records (Tracker): Remote access to VPI System diagnostics and event records. Tracker identifies a root cause failure to a primary VPI failure, with suggested responses for field personnel. Also used as a remote collection mechanism for system event records. • Circuit Check and Factory/Field Test Support (TestWrite): Generates test sheets based on graphical track layouts. Serves as an independent validation of interlocking functional design for VPI or relay-based interlockings. • One-Stop VPI Control, Monitoring, Diagnosis, and Maintenance Planning (Maintenance Mgmt System, MMS): A PC-based, user-friendly interactive program installed within an interlocking rack of equipment. Integrates Watcher, Tracker, TestWrite, etc. (VPI support tools from above) for use with Field Install and Test, Maintenance, and Preventive Maintenance and Condition Monitoring of field devices. 7.2 CAAPE: AN INTEGRATED WINDOWS-BASED CONFIGURATION TOOL. The Computer Aided Application Programming Environment (CAAPE) is a comprehensive set of development tools for creating VPI Vital and non-vital applications. These tools are integrated together wit
65. h Signature Header i Drawing No ID letter 59473 871 01 A. 5.11.2 Assemblies. Table 5-24. FSVT Assembly Differences (Description: Part Number). Eight timers for timers one through eight: 59473 894 01. Eight timers for timers nine through sixteen: 59473 894 02. 5.12 APPLICATION ASSUMPTIONS AND CONSTRAINTS. Several assumptions have been defined to be used in the application of the generic product and are included here along with any associated product constraints. 5.12.1 Application Assumption Requirements. 5.12.1.1 System Cycle: VPI is based on a defined and vitally verified one-second cycle where all inputs, evaluations, and outputs are provided. 5.12.1.2 Vital Timing: Application timing is provided based on increments of the vitally ensured VPI one-second system cycle. 5.12.1.3 System Grounding: VPI's internal logic power supply is internally connected to a ground plane, subsequently to the electronics chassis, and finally through an external connection to earth through proper RFI-friendly cables. Typically, this is performed by connecting a shielded cable from the equipment rack in which VPI is mounted to the earth common reference in the equipment room. This grounding is maintained to shunt induced RFI away from critical I/O circuits and prevent disruption to system processing. This
66. he features this tool provides are indicated here: • Quick Track Layout Builder: simple graphical tool to draw track layout. Symbols for tracks, switch machines, signals, etc. are available. This graphical view of the interlocking is later used by the VPI MMS as an active display to provide actual local control panel displays or used as the visual display of test results. • Route Wizard: Analyzes the final track layout and generates a listing of routes through the interlocking. This list, along with the physical elements assigned, forms the foundation for defining test strategies. • Test scenario reports: for each route, a test scenario is defined that provides a sequence of tests to be performed. When test scenarios are initiated through the VPI MMS, the test scenarios are provided to a graphical display for assisting the test engineer through the test. TestWrite has four intended uses: • Circuit check of electronic or relay-based interlocking logic • Generation of test sheets for reducing factory and field test time • Secondary use for training signaling employees on interlocking rules specific to the operating authority, and in the future • Framework to be used for performing automatic interlocking tests mandated by FRA or other regulatory bodies. The benefits are: • Consistent rules for design • Standardization of test sheet generation • Electronic reports of actual factory or field test sequences executed by test engineer
67. hin a development environment for easy access. It is intended for use by Alstom signal engineers, third-party signaling consultants, and railroad and transit signal engineers. CAAPE, for use with Windows XP SP3, Windows 7 32-bit, and Windows 7 64-bit operating systems (Windows 7 operating systems are supported in CAAPE 019B and later), includes the following: • Compilers for VPI Vital and non-vital application • Application Data Verifier (ADV) for VPI • Simulators for VPI Vital and non-vital logic • Genrakode II Control Point in a Box applications for downloading to Genrakode II coded track circuit • Utilities such as: PROM file generation; Label generation for HP and Intergraph plotters; Consolidation report for VPI ADV; Genrakode II download; Relay equivalent circuits for final documentation. Genrakode II compiler and ADV may optionally be added. The CAAPE package uses a project-based architecture that allows the user to create projects containing any number of VPI applications. Computer programming experience is not required; applications can be built using either graphical or textual methods. The graphical methods include form entry, pull-down lists, extensive prompts, online documentation, and a HELP facility to guide the designer through the process. An extensive stand-alone tutorial is also provided for easy training and reference. The CAAPE package can be used for both Vital and non-vital applications and includ
68. ial Controller board is associated with a particular version of system software on the Vital processor board. Each type of board (MVSC, GVSC, or VSC) has its own unique Vital system software that is not interchangeable. 5.4.1 System Capacity. The VSC used for VPI-to-VPI communications sends and receives up to 200 Vital parameters of information in its message for up to ten boards, depending on the system arrangement. When used for MVSC, up to 450 Vital parameters can be transmitted in each direction. The GVSC sends and receives up to 30 Vital parameters of information in its messages to each of a maximum of two Genrakode modules. Up to ten VSC boards, or combinations of VSC, MVSC, GVSC, and CRG boards, can be supported by a single Vital subsystem. See Table 5-5 for more information on permissible combinations of these boards. [Figure 5-4: VSC Board] 5.4.2 Specifications. Table 5-5. VSC Board Specifications: Maximum Ass y Maximum Board No of Boards Board Logic 59473 per VPI slots Current 939 Type System req d Supply Baud Rate 01 Pt Pt 4 Note 1 1 500 mA 19200 Sync 04 Pt Pt 4 Note 1 1 500 mA 19200 Sync Multi drop full duplex 4 wire 05 Note 3 2 Note 2 1 500 mA 19200 Sync 06 Pt Pt with daughter board 4 Note 1
69. il Energy Supply Voltage: 18 0 VDC 35 0 VDC. Maximum Current per Relay Contact Port: 1A. Maximum Contact Power Rating: 30 W 62 5 VA. Maximum Contact Voltage: 34 8 VDC 34 8 VDC. Power On Reset: Yes. 6.4.3.2 Assemblies. Table 6-15. NVR Board Assemblies (Description: Part Number). NVR 32 Form A, 9 18 V coil supply: 31166 238 01. NVR 32 Form A, 18 35 V coil supply: 31166 238 02. (Footnote 3) This is a limit imposed by the 1.5KE43CA bi-directional suppressor. Actual contact rating is 100 VDC or 125 VAC. 6.5 TRAIN TO WAYSIDE COMMUNICATIONS BOARDS. The Non-Vital Train to Wayside Communications Modem board is the wayside part of the Train to Wayside Communications (TWC) system. TWC is a two-way communication link consisting of a transmitter/receiver set (transceiver) aboard the train and a similar set in wayside systems. The system provides communication between the car-carried equipment and the wayside equipment for the transfer of routing/dispatch information and for monitoring by central control. This board demodulates analog frequency information into a digital form and passes it on to a NVP board. It also takes digital information from the NVP board and converts it to analog frequency form to be transmitted to the train. As with the CSEX board series, the TWC board series has evolved over the years of application to reach higher levels of integration and functi
70. il safe application and must not be used for safety critical operations. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. 8.2 APPLICATION. 8.2.1 I/O. Non-vital inputs and outputs can interface to external equipment in order to provide indications to a remote office or to an adjacent location. Outputs are capable of flashing at 60 cycles per second or 120 cycles per second. Examples of inputs and outputs include the following: • Local Control Panel: Switch Machine Normal and Reverse Request Controls; Switch Machine Normal and Reverse Position and Lock Indications; Signal Request, Fleet, and Cancel Controls; Signal Aspect and Fleeting Indications; Traffic Indications; Snowmelter Controls and Indications • Maintainer Calls • Battery Power Alarms • Ground Detection • Fire Alarm • Intrusion Alarm • Room Temperature Monitor • Track Indications • System Health • Redundancy Transfer. 8.2.2 Logic. The non-vital logic can be written to perform a wide array of functions, including the following: N X Entrance Exit Interlocking Control; Controls provided from a local panel and/or a remote office; Unilever
71. ing is different than that for 747 02 assembly. DBO Board Assembly, 8 outputs, 30 40 VDC operation: 59473 977 01. DBO Board Assembly, 8 outputs, 45 55 VDC operation: 59473 977 02. Signature PROM, one for each output board in a system, determined by CAA: 39780 003 01 through 39780 003 40. 5.8.4 LDO Specifications. The lamp drive output circuit handles high current to light signal lamps. Each output circuit can accommodate hot and cold filament checks. This output uses a FET switch in the common or return line of the circuit. Therefore, it is necessary to supply the positive side of the battery or signal lighting supply to the signal lamps. [Figure 5-11: LDO Port Interface] WARNING: LOAD DEVICE RESTRICTIONS FOR LIGHT DRIVER OUTPUT (LDO) BOARDS. High-current Vital LDO boards may fail with up to 50 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a high-current Vital output circuit board must not operate at or below 50 milliamperes and must de-activate above 50 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/o
72. ion program being tested in field commissioning tests. 5.12.1.12 Output Current Check for Output Ports. VPI has the ability to vitally determine current flow in an output port. This parameter can be used as an internal parameter in the building of the signaling logic rules. This feature is only available for DC-based outputs. AC outputs that are turned ON cannot take advantage of the Vital current check feature, as the check mechanism cannot produce an expected result due to the unsynchronized nature of the output check and the positive voltage peak of the AC cycle. 5.12.1.13 Cycles of Forgiveness. Vital inputs, because they are not synchronized to the system cycle, can be sensed to be in an unknown state during transition from ON to OFF or due to spurious interference to an ON input. This is not a safety critical issue. A feature termed cycle of forgiveness (COF) can be applied to inputs to prevent either of the two input sensing situations from having an undesirable ripple effect on signaling logic. The COF can be used to delay response to a transitional input for a given system cycle. Care must be taken to analyze the overall system response time when COF are assigned to inputs. 5.12.1.14 Proof of Logic (Primordial Logic) Review. WARNING: ADV INPUT DATA MUST BE VERIFIED SEPARATELY PRIOR TO ADV PROCESS. Vital system operation requires that the Boolean equati
73. irement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: INTENDED SAFE FUNCTIONALITY OF THE VPI SYSTEM MUST BE VERIFIED. The safety of the application logic as written is the responsibility of an experienced signal engineer. CAAPE does not make any determination regarding the inherent safety of the logic equations that were entered. Verifying the accuracy with which CAAPE converted the signaling engineer's application data into PROM data structures is aided by CAAPE, but the signaling engineer must make a final determination using information supplied by CAAPE. CAAPE's compilers are not themselves Vital programs. An additional independent process is needed to verify that the compile was done correctly. This process is required for all Vital applications. An experienced signal engineer must verify the safety of the VPI data and its application. It is the signaling engineer's responsibility to verify the correctness of the VPI input data in that it accurately represents the intended safe functionality of the VPI system. Furthermore, "verify the correctness" means that the signaling engineer (1) is required to compare the input and output data files to verify the CAA has operated correctly and (2) must test the VPI application in its intended environment before it can
74. ital Output Equations With VRDFRNT DI; Software Revision Control Must Be Maintained; Unique Site ID Control Must Be Maintained; Accurate Software Revision ID Control Must Be Maintained; Unique System ID Control Must Be Maintained; Vital Communications Require Unique Link and Block Settings; Non Vital Subsystem is Not Fail Safe. 1.2 SAFETY WARNINGS. WARNING: OVERVIEW MANUAL MUST BE READ IN ENTIRETY. This VPI Overview manual (P2086G) should be read in its entirety prior to any operational and/or maintenance actions, as it contains important safety messages and pertinent VPI information. Failure to comply may result in an unsafe condition or accident causing property damage, injury, and/or death. WARNING: NOTIFICATION OF SERVICE DISRUPTION. Disruption of VPI operation poses a potential threat to rail safety. Before shutting down an interlocking for any reason, the railroad dispatcher in charge of the affected route(s) must be notified. Take all steps necessary to ensure the safe passage of traffic is maintained. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: USE ONLY ALSTOM VITAL RELAY WITH VRD BOARD. Only Alstom VRD relay P/N 56001 787
75. ital input to, in effect, control Vital output devices without including the VRDFRNT DI Vital input in the respective output equations does not provide fail-safe operation. The VRDFRNT DI Vital input must be used as a constituent to the Vital output Boolean equations. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. Customer Application of VRDFRNT DI in a non-vital manner is done so at the risk managed by the customer. Alstom Signaling takes no responsibility for that risk. Every Vital system requires at least one B relay, which is operated by the VRD and through whose front contacts all the energy for the Vital outputs is broken. This relay must be, and must only be, replaced by an Alstom VRD Relay, part number 56001 787 05 (100 ohm B relay). A front contact from the VRD Relay must be fed back into the VPI system as a Vital input for use in the application, for example, to prevent Vital timers from starting when the VRD is de-energized. The name of this Vital input may be VRDFRNT DI. Note: The front contact used as the Vital input is also available to supply energy to Vital outputs. 5.3.2 Physical Characteristics: The processing portion of the VRD board is based on an 8085 microprocessor chip with 4K of EPROM program memory and 4K of RAM. The
76. ith no software changes jeopardizes proper software revision control and can result in unintended consequences, including train derailment, train collision, personal injury, and/or death. Alstom strongly recommends that Software Revision IDs be changed with every software change, even a re-compile of unchanged software. Software Revision IDs shall be maintained so that software and application revision control is maintained and the expected configuration of all VPIs in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design, and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system, and any consequences to the system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system.
77. l Subsystem. 6.4.3 NVR Non-Vital Relay Output Board (P/N 31166 238): The Non-Vital Relay Output (NVR) board (31166 238) provides 32 Form A non-vital relays interfaced through the system backplane to the connectors on the back of the module. A NVP board employing non-vital I/O control software communicates over the motherboard bus via the P2 connector to the NVR board. Internal circuitry on the NVR board disables outputs at power-up until a NVP board writes to this board to initialize the outputs. The NVR board is functionally equivalent to its NVO (non-vital output) predecessors except for power requirements and the existence of the FPGA. The outputs are grouped in four groups with eight outputs each, as they are in the NVO board, but the outputs on the P1 and P3 connectors are assigned two pins each, an even and an odd. If the output is currently active, these two pins will be connected through the associated relay, allowing current flow. Figure 6-7. NVR Board. 6.4.3.1 Specifications: Table 6-14. NVR Board Specifications (Specification: Characteristic, 31166 238 01 02). Maximum Number of Boards per CSEX Subsystem: 20. Board Slots Required: 1. Number of Ports per Board: 32. Maximum Board Logic Current Supply Draw: 500 mA. Minimum Switched Coil Energy Supply Voltage: 9.0 VDC, 18.0 VDC. Maximum Switched Co
78. l subsystem, the embedded data logger permits viewing of timestamped events in log form or in near real time chart recorder form. Multiple views are provided. Key features are:
    - View Events: Historical, Real Time
    - Filters Unwanted Info
    - Saves Data In Nonvolatile Memory
    - Timeline and Timestamp Views
    - Record time stamped events to on-board battery-backed memory
    - Event capacity is typically several days
    - Automatically detect a change to a large number of user-specified application parameters and record when changes occur in real time
    - On-line help is available to assist the operator
79. l system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system, and any consequences to the system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. WARNING: UNIQUE SYSTEM ID CONTROL MUST BE MAINTAINED. Failure to properly assign, maintain, and control a unique System ID for each VPI system within the entire train control system can result in unintended consequences, including train derailment, train collision, personal injury, and/or death. Alstom strongly recommends that strict control of the System IDs be maintained so that the expected configuration of all VPIs within the entire train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design, and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe
80. ment. WARNING: VERIFIER MUST BE DIFFERENT THAN DESIGNER. The signaling engineer responsible for verification (the Checker or Verifier), using the ADV checklist and creating the report, shall be independent from the signaling engineer responsible for designing (the Designer) the VPI application. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. The application of VPI depends on application engineers defining configurations and logic to be implemented for the interlocking application. While VPI guarantees that logic and outputs, etc., are managed vitally, there is no intrinsic check on the correctness or completeness of the signaling logic as it is intended to meet the requirements of the transit/railroad application. It is a primary safety requirement that the logic produced for VPI execution be independently verified as correct and complete through a circuit check type process. The check process must be performed by engineers knowledgeable in the requirements of the signaling rules that govern transit/railroad operation and independent from the engineering staff that produced the logic. 5.12.1.15 Short Cycle Timer Protection: WARNING: TIMER EQUATION PROTECTION REQ
81. mentary Metal Oxide Semiconductor, a major class of integrated circuits. CMOS devices use little power and do not produce as much heat as other forms of logic. Cycle of Forgiveness CPIB PCB Interface Chassis Compiler: Program that translates a high-level computer language into machine language. CPU: Central Processing Unit, the computer section that handles the actual processing of data into information. Table 2-1. Common Abbreviations and Glossary (Cont.). Term: Definition or Explanation. CPU PD: Central Processing Unit Polynomial Divider board assembly containing Alstom's Vital processor and polynomial divider. Code Rate Generator board Extended Code System Emulator board Double Break Output board De multiplexing Diagnostic Direct Current The process of extracting a specific signal from a circuit carrying multiple multiplexed signals Direct Input board The process of detection and isolation of either a malfunction or mistake. Diagnostic Routine: A routine designed specifically to locate a malfunction in the computer. DIP: Dual In-line Package integrated circuit. DOT: Department Of Transportation. DPRAM: Dual Ported Random Access Memory. Dual Port Memory: A shared memory (random access memory) that provides a mechanism for exchanging data between separate processor busses
82. n designing equipment room and field wiring, care must be taken when using single break outputs so that external failures, such as shorted wires, cannot introduce a run-around path for output current that could energize an output that should be in the OFF state. 5.12.1.9 Safety Checks: Outputs. In order to achieve required response time, physical output states for OFF outputs and Logic expression results for ON outputs are verified every 50 ms. 5.12.1.10 Safety Checks: System Processing. Verification of system processing checks, such as memory integrity, Vital timing, etc., is accomplished once each system's one second cycle. 5.12.1.11 Application Verification: WARNING: INTENDED SAFE FUNCTIONALITY OF THE VPI SYSTEM MUST BE VERIFIED. The safety of the application logic as written is the responsibility of an experienced signal engineer. CAAPE does not make any determination regarding the inherent safety of the logic equations that were entered. Verifying the accuracy with which CAAPE converted the signaling engineer's application data into PROM data structures is aided by CAAPE, but the signaling engineer must make a final determination using information supplied by CAAPE. CAAPE's compilers are not themselves Vital programs. An additional independent process is needed to verify that the compile was done correctly. This process is required for all Vital applications.
83. n large locations it may be necessary to use a repeater in order to take advantage of the additional contacts for signal lighting. VRD repeaters may also be used to distinguish between feeding output groups from different signaling supply sources. Where either of these situations requiring repeater relays is considered, a response time review should be performed to insure that the added drop times of the repeater relays do not delay the response to a failure detected by VPI. Depending on repeaters used and arrangement, response time greater than 140 ms will likely be observed. 5.12.1.18 Simultaneous Failures: Two or more independent, self-revealing component failures will not occur simultaneously. This assumption has been traditionally accepted in the train signaling industry. There are three aspects of the assumption, however, which should be emphasized:
    - The first is the aspect of independent failures. Failure modes of individual components may be interrelated in such a way that one failure may precipitate others. These interrelated failures would then constitute one independent failure.
    - The second aspect is that of simultaneity. Simultaneously, in this context, means during the period bounded by the occurrence of the first independent self-revealing failure and the occurrence of the event which reveals that failure.
    - The third aspect is that
84. n nature e ON OFF such as dynamic signals must be reviewed for Vital application. 5.12.4.2 Vital Serial Links: VPI provides a Vital communication protocol called Vital Serial Link (VSL). VSL establishes communications over a direct connect (copper) interface or through an EIA232 interface with a modem or multiplexer. It must be understood that the Vital protocol established has taken into account all known hazards associated with the medium of communications, as well as the interconnection of various adjacent VPI, VPI II, and track circuit systems that reside on the medium. The protocols require that the receiving system must perform the final verification of the message Vital integrity. Connection to other systems requires a thorough review of safety methods used on both sides of the interface to insure that all protections provided for in the VSL protocol are maintained. 5.12.4.2.1 Vital Serial Link Message Identification: WARNING: VITAL COMMUNICATIONS REQUIRE UNIQUE LINK AND BLOCK SETTINGS. Failure to properly assign, maintain, and control unique Link and Block settings for Vital communications within VPI systems can result in unintended consequences, including train derailment, train collision, personal injury, and/or death. The message link and block values must be assigned such that the combination of these values is unique throughout the network. Alstom stro
85. n upgrade for both the CSEX (59473 938) and CSEX2 (31166 049) boards. It is designed as a system board for VPI as well as a stand-alone non-vital logic processor. The CSEX3 board has six serial ports for communications to external devices such as modems, other CSEX boards, etc. A 80C186 microprocessor 20Mhz. A DC code line interface is available, as well as EIA232, EIA422, and EIA485 interfaces. The CSEX3 board provides an interface to non-vital inputs and outputs for local control of interlockings. Battery-backed RAM is also available for data logging. The CSEX3 board is designed using primarily SMT (Surface Mount Technology) parts. CSEX3 supports up to 20 NVIO boards. This board is extensible to support interfaces with various LAN and WAN networking protocols. Figure 6-2. CSEX3 Board. 6.2.1.1 Specifications: Table 6-1. CSEX3 Board Specifications: Specification Characteristic 31166 175 02 03 Maximum number of Boards per VPI System 750 mA No Network port type Daughterboard used 31166 187 01 31166 187 02 Additional Assembly Information HK l DC Code Line. 6.2.1.2 Assemblies: Table 6-2. CSEX3 Board Assemblies: Description Part Number CSEX3 2 EIA232 EIA422 EIA485 3 EIA422 EIA232 EIA422 EIA485 MAC blank FLASH PROMs 36 pin Aux 31166 175 02 Bd CSEX3 1 EIA232 EIA422 EIA485 1 DC code I F 3 EIA422
86. nal cables such as the 38216 497 xx cable assemblies. For those systems with large numbers of I/Os, this makes access to the back of the motherboard and 5 VDC power filter easier. Table 4-2. VPI Direct Wire Chassis Configurations (Description: Part Number). Direct wired chassis with rear panel, split motherboard, and 5 VDC power filter (Note: use with 38216 404 KN bus ext cables): 31506 015 02; Chassis with split motherboard, 5 VDC power filter, NO rear panel or rear cover: 31506 015 03; Direct wired chassis with rear panel, continuous motherboard, and 5 VDC power filter: 31506 015 12; Chassis with continuous motherboard, 5 VDC power filter, NO rear panel or rear cover: 31506 015 13; Direct wired chassis with rear panel, split motherboard, and 5 VDC power filter (Note: use with 38216 504 KN bus ext cables): 31506 015 14; Direct wired chassis with split motherboard, rear cover: 31506 015 17; Direct wired deep chassis with continuous motherboard, rear cover: 31506 015 18. 4.3.2 Cables: The chassis required specific cables to be installed based on the PCB configuration. Cables are required for the main system bus. This is a 60-way ribbon cable which connects the main system boards together. The number of positions or slots required for this cable is dependent upon the number of main boards being installed. The boar
87. WARNING: LOAD DEVICE RESTRICTIONS FOR LIGHT DRIVER OUTPUT (LDO) BOARDS. High current Vital LDO boards may fail with up to 50 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a high current Vital output circuit board must not operate at or below 50 milliamperes and must de-activate above 50 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: LOAD DEVICE RESTRICTIONS FOR LIGHT DRIVER OUTPUT 2 (LDO2) BOARDS. High current Vital LDO2 boards may fail with up to 50 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a high current Vital output circuit board must not operate at or below 50 milliamperes and must de-activate above 50 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or d
88. nd SECTION 6 Non-Vital Subsystem. This chassis uses a fixed PCB for the main system bus, and therefore a main system cable is not used. Table 4-3. VPI PCB Interface Chassis Configurations (Description: Part Number). Case with split MB, VRD, IOB, CPU PD, DI, and DBO: 31038 274 01; Case with split MB, CSEX3, VRD, IOB, CPU PD, VSC, DI, DBO, and LDO: 31038 274 02; Case with split MB, CSEX3, VRD, IOB, CPU PD, VSC, FSVT, DI, DBO, and LDO: 31038 274 03; Case with split MB, CSEX3, VRD, IOB, CPU PD, VSC, DI, DBO, and LDO: 31038 274 04; GN with split MB, CSEX3, VRD, IOB, CPU PD, VSC, DI, and: 31038 274 05. 4.4.2 Cables: The following 60 conductor ribbon cables support connection of CPU PD header and rear panel bulkhead mount to support connection to CPU PD assembly via the 38216 589 00 cable. The following 10 conductor ribbon cables support the connection of CRG Boards to the CPU PD Boards. Table 4-4. Ribbon Cable Part Numbers: Board Connect Between Part Number CPU PD Board Rear Panel VPI case 60 Conductor Header Ribbon Cable 18 38216 625 01 inches CPU PD Board Rear Panel VPI case 60 Conductor Header Ribbon Cable 27 38216 625 02 inches CRG Board 31166 CRG Board 31166 10 Conductor 544 01 P1 544 01 P1 Ribbon Cable 6 38216 629 00 Interconnect Interconnect inches CPU PD Board CRG Board 31166 10 Conductor 31166 543 01 P3 544
90. ngly recommends that strict control of the Link and Block settings be maintained so that the expected configuration of all VPIs in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design, and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system, and any consequences to the system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. The VSL messages must be unique in order to assure safe communications, supported by the assignment of link and block/sub-block numbers. The message link and block/sub-block values must be assigned such that the combination of these values is unique throughout the network. The VSL protocol does not protect against spoofing, and the user must maintain a
93. ntrol system. WARNING: VITAL COMMUNICATIONS REQUIRE UNIQUE LINK AND BLOCK SETTINGS. Failure to properly assign, maintain, and control unique Link and Block settings for Vital communications within VPI systems can result in unintended consequences, including train derailment, train collision, personal injury, and/or death. The message link and block values must be assigned such that the combination of these values is unique throughout the network. Alstom strongly recommends that strict control of the Link and Block settings be maintained so that the expected configuration of all VPIs in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design, and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system, and any consequences to the
95. o control the continuous verification of Vital output port states. Each chassis containing Vital input or output boards, including the FSVT, must have an I/O Bus Interface board. Figure 5-6. IOB Board. 5.6.1 Specifications: Table 5-9. I/O Bus Interface Specifications: Characteristic Specification Maximum number of Boards per VPI System Board slots required Maximum Board Logic Current Supply 300 mA. 5.6.2 Assemblies: Table 5-10. I/O Bus Interface Assembly Differences (Description: Part Number). I/O Bus Interface: 59473 827 01; Signature Header (one for each IOB board in a system): 59473 871 01 through 59473 871 04. 5.7 DI DIRECT INPUT BOARD (P/N 59473 867): Direct Input boards contain 16 isolated Vital inputs that each require two connections to the field, IN and IN. The inputs are DC current sensing and require a minimum of 12.8 mA. Two inputs may be connected in parallel with opposite polarity (i.e., input a connected to input b and input a connected to input b) to form a bipolar input, except for board 59473 867 03. Note: The input circuits have been designed to interface with circuits that utilize standard Vital contacts.
96. of Output Boards per VPI II System Board slots required Number of ports per board Maximum Board Logic Current Supply Minimum Switched Output Supply Voltage Vin Maximum Switched Output Supply Voltage Vin Maximum Output Current per Port lout Maximum Output Current per 4 port group Typical Output Voltage Drop on board Cable Integrity Check Detection Voltage 2 0 0 3 V Over Current Shutdown Threshold t 200 to 400mS none Low level current detection threshold range 099 19329 none in 7 steps AOCD Current Threshold Isolation Between Outputs and 5 Volt Logic Hot Cold Filament Check Signature PROM Required 5 9 1 1 Assemblies Table 5 20 LDO2 Board Assemblies LDO2 Board Assembly 8 outputs 31166 340 01 8 18 VDC 3 3 Amp operation LDO2 Board Assembly 8 outputs w o current monitor 8 18 VDC 3 3 Amp operation 31166 340 02 P2086G Rev E Jan 15 5 31 Alstom Signaling Inc Vital Subsystem 5 10 ACO VITAL AC OUTPUT BOARD P N 59473 937 The Vital AC Output board operates in a manner similar to Vital Output boards It is used for lighting signal lamps or for operating other AC loads requiring less than 0 8 ampere Figure 5 14 ACO Board 5 10 1 Specifications Figure 5 15 ACO Port Interface P2086G Rev E Jan 15 5 32 Alstom Signaling Inc Vital Subsystem A WARNING LOAD DEVICE RESTRICTIONS FOR LOW CURRENT VITAL AC OUTPUT ACO BOARDS Low current Vital AC output boards ma
97. of the two types. The two basic types are the split motherboard and the continuous motherboard that busses the center connector (P2) of the printed circuit boards together. All chassis contain 21 printed circuit board slots. The split motherboard version of the chassis is configured to connect the P2 connector traces from chassis slots one through five together and slots six through 21 together. Since the VPI system uses the P2 connector as the I/O bus, this allows Vital and non-vital I/O to be housed in the same chassis. For example, the first five chassis slots could be used to house non-vital I/O and the non-vital processor. Slots from 6 to 21 could contain Vital I/O along with the Vital I/O controller (I/O Bus). Note: Other system boards may also be required to configure a proper operating system, and several other arrangements could be possible. The continuous motherboard version of the plug-coupled module connects all the slots (1-21) of the P2 connector together. This requires that all the I/O housed in the module be either Vital or non-vital. Also, a CSEX board can be housed in a module with Vital I/O as long as no non-vital I/O are also housed. This chassis can also be supplied with an optional rear panel. This panel is used to provide connection points for diagnostic equipment connections, chassis-to-chassis ribbon cable connections, and power supply connections. An extra-deep plug-coupled chassis is offered to provide more space for inter
98. ompliant safety analysis be performed before using any LRU not repaired by Alstom in this Alstom train control system. This safety analysis should be performed by personnel with mastery in the system safety implications when using Alstom LRUs not repaired by Alstom. Responsibility for the adequacy of the safety analysis rests solely with the transit or railroad authority, and Alstom will neither review nor approve any such safety analysis. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not repaired by Alstom are used in the train control system originally designed, safety certified, and commissioned by Alstom. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not repaired by Alstom are used. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not repaired by Alstom are used. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not repaired by Alstom are used. WARNING: PROTECT VITAL OUTPUT EQUATIONS WITH VRDFRNT DI. Relying on the st
99. onality. The present board assemblies supporting the TWC function are the 31166 119 series. 6.5.1 NVTWC FSK: Non-Vital TWC FSK Board (P/N 31166 119). The Non-Vital TWC FSK board provides true Frequency Shift Keying TWC. The incoming TWC messages are keyed such that the logic 1 and logic 0 frequencies are based symmetrically around some base frequency (example: 9650 150 Hz). This board uses 4 Phase Lock Loops (1 per channel) to decode the incoming signals. The outputs of the phase lock loops are then reformatted so that they can be sent to the CSEX board. Firmware on board validates the received message before it is sent to the NVP to reduce or eliminate the effects of noise-induced errors. Figure 6-8: NVTWC FSK Board. 6.5.1.1 Specifications. Table 6-16: NVTWC FSK Board Specifications. Specification Characteristic 31166 119 Maximum number of Boards o o o o Maximum Board Logic Current 350 mA Supply Draw Number of detection channels Maximum Baud Rate 2800 Maximum detection frequency 10 kHz 10 kHz 10 kHz 70 kHz 10 kHz Software. 6.5.1.2 Assemblies. Table 6-17: NVTWC FSK Board Assemblies (Description / Part Number): NVTWC FSK 4 Channel TWC Receive only 40025 238 00 Software for MARTA; NVTWC FSK 4 Channel TWC Transmit Receive 40025 242 00 Software for Shanghai Taipei Taegu; NVTWC FSK 4 Channel TWC T
100. ons in the Vital application logic must be written correctly so that by executing the logic, the VPI system operates safely in accordance with the rules of the transit or railroad authority. The Application Data Verifier (ADV) output report provides a means to compare and verify equivalence between the input and the output application data. However, the Application Data Verifier neither determines the safety suitability of the Boolean expression list nor determines the validity of certain encoded VPI application data. The input data to the ADV process must be verified for safety separately prior to the ADV process, and the safety and suitability of the input data is the responsibility of the signaling engineer. The ADV does, however, issue warnings and error messages as a result of non-vital data checking to alert the signaling engineer to possible discrepancies. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: VPI APPLICATION MUST BE FIELD TESTED. Field testing of a VPI application is required before placing the location into revenue service. The customer's testing plan and safety plan define the testing requirements for the VPI application. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derail
102. output state than VPI has calculated. It is assumed that proper maintenance is being provided by the rail authority to prevent instances of signal circuit shorts which could produce such an occurrence. 5.12.2.2 Site Version Revision Configuration Control. WARNING: SOFTWARE REVISION CONTROL MUST BE MAINTAINED. Failure to properly version control VPI system software and VPI application data can result in unintended consequences including train derailment, train collision, personal injury, and/or death. Alstom strongly recommends that strict revision control of the VPI application data and system software be maintained so that the expected configuration in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system and any consequences to the system's s
103. performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system and any consequences to the system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. One hazard condition that needs to be considered with regard to software-based interlocking control is the potential of installing an old and incorrect release, or that of a similar application program other than the one required. This could occur through improper maintenance activities following system failure. One of the mitigations of this class of failure has been to institute location site and revision control features into VPI. The site and revision ID must be uniquely assigned by the Application Engineer with each interlocking program change that will be installed in a field location. Note: For CPU/PD, refer to the application Ivc file for the wire table in order to configure the hardware jumper wires for the compiled revision and site ID values. Alternatively, refer to the application cfg file for the System ID. The System ID is equivalent to the combination of the Revision ID and Site ID. The
104. r death due to train collision or derailment P2086G Rev E Jan 15 5 27 Alstom Signaling Inc Vital Subsystem Table 5 17 LDO Board Specifications Specification Characteristic 59473 749 Maximum number of Output Boards per VPI II System Number ofportsperboard 8 O Isolation Between Outputs and 5 Volt Logic Hot 100 Yes 100 Yes 200 mA Hot Cold Filament Check mA mA no Cold Signature PROM Si 5 8 4 1 Assemblies Table 5 18 LDO Board Assemblies LDO Board Assembly 8 outputs EE 9 18 VDC 2 9 Amp operation 59473 749 02 LDO Board Assembly 8 outputs ae 15 30 VDC 2 9 Amp operation 59473 749 03 LDO Board Assembly 8 outputs ee 9 18 VDC 2 9 Amp operation 59473 749 04 l 39780 003 01 Signature PROM through one for each output board in a system determined by CAA 39780 003 40 P2086G Rev E Jan 15 5 28 Alstom Signaling Inc Vital Subsystem 5 9 LDO2 SPECIFICATIONS The LDO2 is a Vital VPI Output board that interfaces with signal lamps It provides essentially similar functions as the LDO described above However this assembly offers the following additional features for each of the eight outputs on each board assembly e Sourcing Current Drive positive side switch e Non Vital Current Monitor with Over Current Protection and Low Current Detection e Non Vital Cable Integrity Check CIC e Switch Selectable AOCD Signature PROM The board
105. rain collision, personal injury, and/or death. Alstom strongly recommends that strict control of the Site IDs be maintained so that the expected configuration of all VPIs in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train control system once Alstom's originally delivered design has been modified. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for the design of the train control system and any consequences to the system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. WARNING: ACCURATE SOFTWARE REVISION ID CONTROL MUST BE MAINTAINED. Failure to update and maintain the Software Revision IDs for every software change made to the VPI application data and/or system software, even a re-compile done w
106. ransmit Receive 40025 284 00 Software for WMATA; NVTWC FSK 4 Channel TWC Transmit Receive 40025 289 00 Software for Seoul Metro Line 6; NVTWC FSK 4 Channel TWC Transmit Receive 40025 295 00 Software for WMATA test fixture; 31166 119 02 31166 119 03 31166 119 04 31166 119 05 31166 119 06. SECTION 7: VPI DESIGN TEST AND VALIDATION TOOLS. 7.1 GENERAL. In support of design, verify, test, install and maintenance aspects of a typical interlocking project, the industry's most comprehensive suite of tools are provided for use with VPI. Design Framework: Computer Aided Application Programming Environment (CAAPE). Graphical design and simulate. Provides for graphical hardware configuration, relay or ladder logic program definition, and communication assignments. Design Verifier: Application Data Verifier (ADV). Inverse compiler that generates reports from application files illustrating hardware configurations and interlocking logic design as resident within EPROM to be installed in VPI field equipment. Produces documentation following changes to reduce retest of interlocking following changes to interlocking logic or configuration. Monitor Realtime VPI Operation: Watcher. Views application variables' real-time status during factory, field or post-installation. Reduces test time and facilitates
107. re for use with CAA 31746 027A and later 31166 029 27; Board with 40025 328A Software for use with CAA 31746 028A and later 31166 029 28; Board with 40025 329A Software for use with CAA 31746 029A and later 31166 029 29; Board with 40025 347A Software for use with CAA 31746 030D and later; Board with 40025 356A Software for use with CAA 31746 031A and later 31166 029 30 31166 029 31; Board with 40025 366A Software for use with CAA 31746 032A and later 31166 029 32; Board with 40025 404A Software for use with CAA 31746 033A and later 31166 029 33. 5.3 VRD: VITAL RELAY DRIVER BOARD (P/N 59473 740). This board plays a key role in assuring the vitality of the system. It produces an output voltage that operates a 100 ohm Alstom Type B1 relay (56001 787 05) if and only if the data sent to it by the main processing system is exactly correct. If any of these checkwords are not precisely correct, the VRD output is shut off and the external relay de-energizes. The field energy that is delivered to the Vital output boards is broken through front contacts of this Vital relay or a repeater of it. Thus, power will be removed from the outputs when the Vital checkwords are incorrect. WARNING: USE ONLY ALSTOM VITAL RELAY WITH VRD BOARD. Only Alstom VRD relay P/N 56001 787 05 is to be used with the Alstom VPI system
108. ries Code Communication System Publications (contact Alstom Signaling Inc.'s Customer Service at 1 800 717 4477 for a specific protocol); P2509: Maintenance Management System for Alstom Vital Processor Interlocking Systems VPI, VPI II, iVPI; P2512A: Computer Aided Application Programming Environment (CAAPE) Software Package User Manual; P2512B: AlsDload Software Download User Manual; P2512D: VPI Computer Aided Application (CAA) Reference Manual; P2512E: DataLogger. SECTION 3: VPI. 3.1 GENERAL. This section gives general information on function and organization of the VPI system. 3.2 VPI SUBSYSTEMS. The VPI system can be subdivided into five main subsections as shown below. Figure 3-1: VPI Breakdown (Chassis, Vital Subsystem, Non-vital Subsystem, Application Tools, Communications Protocols). 3.3 GENERAL CHARACTERISTICS. The VPI module is a Vital, fail-safe, microprocessor-based control system designed to meet the needs of interlocking control for mainline railroads and mass transit applications. Designed as a modular control system, it contains a set of plug-in Printed Circuit Boards that are applied in varying quantities to meet the needs of a specific project. Although one VPI system is sufficient for many installations, additional systems in distributed arrangements can be added for sites that are more complex and/or have spe
109. rol systems designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not manufactured by Alstom are used in the train control system originally designed, safety certified, and commissioned by Alstom. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not manufactured by Alstom are used. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not manufactured by Alstom are used. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not manufactured by Alstom are used. WARNING: USE OF LRUS NOT REPAIRED BY ALSTOM. Alstom strongly recommends all LRU repairs be performed by Alstom, as Alstom uses special components and has developed special assembly and repair techniques to ensure the continued safety of the train control system. Use of LRUs not repaired by Alstom in the Alstom train control system can degrade the safety performance of the system, resulting in property damage, injury, and/or death due to train collision or derailment. Alstom strongly recommends that a detailed AREMA c
110. s Assembly 01 of the NVIDSW board provides the ability to physically set the state of the inputs through 32 switches located on the front of the board. Assembly 02 functions identically to the NVID board and has no switches. Figure 6-4: NVIDSW Board. 6.3.3.1 Specifications. Table 6-7: NVIDSW Board Specifications (values listed for assemblies 31166 276 01 / 02 / 03 / 04): Maximum Number of Boards per NVP Subsystem: 20; Board Slots Required: 1; Number of Ports per Board: 32; Maximum Board Logic Current Supply Draw: 200 mA; Minimum Input Voltage Per Port: 9V / 9V / 18V / 18V; Maximum Input Voltage Per Port: 18V / 18V / 33V / 33V; Switches to force each input on/off: Yes / No / Yes / No. 6.3.3.2 Assemblies. Table 6-8: NVIDSW Board Assemblies (Description / Part Number): NVIDSW 32 inputs with Force Input switch 31166 276 01; NVIDSW 32 inputs with Force Input switch 31166 276 02; NVIDSW 32 inputs with Force Input switch 31166 276 03; NVIDSW 32 inputs with Force Input switch 31166 276 04. 6.4 NON-VITAL OUTPUT BOARDS. Non-vital output boards are available with DC solid state outputs in sinking and sourcing configurations. Also, solid state AC versions and Form A relay contact versions are available. 6.4.1 NVO Non Vital Output Bo
111. s includes all environmental operating conditions and all operating values of the load device over its service life Failure to follow this requirement may lead to unexpected operation of the load device resulting in property damage injury and or death due to train collision or derailment P2086G Rev E Jan 15 5 24 Alstom Signaling Inc Vital Subsystem Table 5 15 DBO DBO 50 Board Specifications Specification Characteristic 59473 747 59473 977 KEN Boards per VPI II System Number of ports perboard 8 O Maximum Board Logic Current 500 mA Supply Minimum Input Voltage Vin 9VDC 9VDC 9 VDC 30 VDC 45 VDC Maximum Input Voltage Vin 15 VDC 15 VDC 15 VDC 40 VDC 55 VDC Minimum Output Voltage Vout 6 VDC Kc 6 VDC 45VDC 45 VDC Maximum Output Voltage Vout 15 VDC 358 15 VDC 55 VDC 55 VDC eI ME OUI UL Current per 600 mA 300 mA 600 mA 140 mA 140 mA Port lout TTW P2086G Rev E Jan 15 5 25 Alstom Signaling Inc Vital Subsystem 5 8 3 1 Assemblies Table 5 16 DBO Board Assemblies DBO Board Assembly 8 outputs 9 15 VDC operation Note Not for new designs since board keying is the same 59473 747 01 as that for 747 02 assembly DBO Board Assembly 8 outputs with doubled output voltage ch 9 15 VDC in with 18 30 VDC output 59473 747 02 DBO Board Assembly 8 outputs 9 15 VDC operation 59473 747 03 Note Preferred for new designs since board key
112. s a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. WARNING: ACCURATE SOFTWARE REVISION ID CONTROL MUST BE MAINTAINED. Failure to update and maintain the Software Revision IDs for every software change made to the VPI application data and/or system software, even a re-compile done with no software changes, jeopardizes proper software revision control and can result in unintended consequences including train derailment, train collision, personal injury, and/or death. Alstom strongly recommends that Software Revision IDs be changed with every software change, even a re-compile of unchanged software. Software Revision IDs shall be maintained so that software and application revision control is maintained and the expected configuration of all VPIs in the train control system is the actual installed configuration. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any modifications whatsoever to the train control system which deviate from Alstom's originally delivered design and any consequences to the system's safety integrity and performance as a result of such modifications. Alstom assumes no responsibility or liability for any modifications to the train control system or for the safe performance of the train contro
113. s be performed before using any LRU not repaired by Alstom in this Alstom train control system. This safety analysis should be performed by personnel with mastery in the system safety implications when using Alstom LRUs not repaired by Alstom. Responsibility for the adequacy of the safety analysis rests solely with the transit or railroad authority, and Alstom will neither review nor approve any such safety analysis. For train control systems designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not repaired by Alstom are used in the train control system originally designed, safety certified, and commissioned by Alstom. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not repaired by Alstom are used. For train control systems not designed by Alstom, the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not repaired by Alstom are used. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not repaired by Alstom are used. WARNING: PROTECT VITAL OUTPUT EQUATIONS WITH VRDFRNT DI. Relying on the status of the VRDFRNT DI V
114. s detected so that the events leading up to a particular failure can be later analyzed for possible trends. Based on analysis of the log, preventive action may be possible to protect against future problems. 7.5.3 Data Retrieval and Report Creation. Tracker can retrieve historical event data from field devices for archival and analysis. Reports are available. 7.6 TESTWRITE. TestWrite is a software package generally used by a quality assurance engineer or circuit check design personnel to separately validate that the logic being implemented by the interlocking logic design engineer meets the safety-critical needs of the railroad. The user easily generates a track layout from a set of graphical tools. TestWrite can then automatically determine all routes in the system. The user then builds test steps for each route by assigning states (inputs, outputs) to each graphical element. Steps can be grouped to form individual test scenarios. TestWrite then develops a test description document for the assigned test scripts. The final document is available in Word or text format. For interlocking configurations, the tool is used to create a set of rules that reveal how the interlocking functions (route, time, indication, locking) are to operate and be tested independent of the actual signal design executable. Sample outputs for the TestWrite tool are included below. T
115. s not considered critical to the safe operation of a railroad but may be significant operationally NVP Non Vital Processor board CSEX2 or CSEX3 V Non Vital Relay Output board NVTWC Non Vital Train to Wayside Communication Personal Computer Printed Circuit PCB Printed Circuit Board Polynomial Divider board Polynomial A sum of two or more algebraic terms each of which consists of a constant multiplied by one or more variables raised to a non negative integral power Power On Reset Program A series of instructions for the computer to follow PROM Programmable Read Only Memory programmable memory devices that store firmware RAM Random Access Memory this part of memory temporarily stores information that is constantly being changed in the computer here words may be stored written or read retrieved in any order at random Reset The act of changing a bit value to zero or an output to an inactive condition Also refers to the startup or restart of a processor based system P2086G Rev E Jan 15 2 5 Alstom Signaling Inc Introduction Table 2 1 Common Abbreviations and Glossary Cont Term RFI ROM Radio Frequency Interference Definition or Explanation Read Only Memory this part of memory is built in during the integrated circuit fabrication process ROM content cannot be altered after the chip is produced R Simulator SMT K TC RTU Relay Test Unit
116. s requirements Vital Component Any device circuit or software module used to implement a Vital or Circuit function a Vital circuit is so named because its function is critical to the operation of certain signals and track equipment Vital Function A system subsystem equipment or component that provides a function critical to safety it is implemented using fail safe design principals hardware software and or relays VPI Alstom s Vital Processor Interlocking product Vital Relay Driver board Volts Root Mean Square Vital Serial Controller board that provides a means for exchanging the states of Vital interlocking functions between interlocking systems in a Vital manner Vital Serial Link Wide Area Network A form of internal timer that is used to detect a possible malfunction also it is a timer set by a program to prevent the system from looping endlessly This is a group of two bytes eXclusive OR P2086G Rev E Jan 15 2 7 Alstom Signaling Inc Introduction 2 4 RELATED PUBLICATIONS Detailed information for applying and configuring a VPI system is available in the following manuals listed in Table 2 2 Table 2 2 Related Publications Document No Title P2086G VPI Product Overview P2086B V1 Installation Operation and Maintenance P2086B V2 Vital Printed Circuit Boards P2086B V3 Non Vital Printed Circuit Boards P2086B V4 Module Cables and Miscellaneous P2346 Se
117. shold Figure 5-8: Vital Output Boards. 5.8.1 SBO Specifications. The single break output is analogous to a single relay contact placed in the positive or feed side of the circuit. The equivalent of the relay contact in the solid state circuit is the FET switch. This Vital output board is most often used when driving Vital relays that are part of a special network outside of VPI. Figure 5-9: SBO Port Interface. WARNING: LOAD DEVICE RESTRICTIONS FOR SINGLE BREAK OUTPUT (SBO) BOARDS. Low current Vital SBO boards may fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. Table 5-13: SBO Board Specifications. Specification Characteristic 59473 739 No 5.8.2 Assemblies es i
118. sponsibility of the signaling engineer. The ADV does, however, issue warnings and error messages as a result of non-vital data checking to alert the signaling engineer to possible discrepancies. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: VPI APPLICATION MUST BE FIELD TESTED. Field testing of a VPI application is required before placing the location into revenue service. The customer's testing plan and safety plan define the testing requirements for the VPI application. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: VERIFIER MUST BE DIFFERENT THAN DESIGNER. The signaling engineer responsible for verification (the Checker or Verifier) using the ADV checklist and creating the report shall be independent from the signaling engineer responsible for designing (the Designer) the VPI application. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: TIMER EQUATION PROTECTION REQUIRED. Vital Boolean and timer equations are evaluated in every one-second application cycl
119. system's safety integrity and performance as a result of such designs. Alstom assumes no responsibility or liability for any designs or for the safe performance of the train control system. WARNING: NON-VITAL SUBSYSTEM IS NOT FAIL-SAFE. The non-vital subsystem and communications software used in the VPI system is not designed for fail-safe application and must not be used for safety-critical operations. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. SECTION 2: INTRODUCTION. 2.1 SCOPE: This document contains a general description of the Alstom VPI (Vital Processor Interlocking) Control System. It contains basic system-level information and hardware descriptions and is intended to be used to estimate the items required to satisfy a specific interlocking's control requirements. 2.2 DOCUMENT CONVENTIONS: This document provides a breakdown of the VPI product into five main subsections: Chassis; Vital subsystem; Non-vital subsystem; Application tools; Communication protocols. The five main subsections are then subdivided to provide functional descriptions and electrical specifications for each base item (case, PCB, software, etc.) used to develop a complete
120. tal Subsystem. 5.5 CRG: CODE RATE GENERATOR BOARD (P/N 31166 261). The Code Rate Generator Board is a Vital VPI board that receives code rate commands from the VPI CPU/PD board. The received code rate commands are decoded and used to generate 8 coded outputs. The frequency and duty cycle of the coded outputs are vitally verified by using an absence of current detector (AOCD). During the on and off portions of an output's coding cycle, data is circulated through the AOCD. Data returned from the AOCD, coupled with other NISAL processing verifications, are used to generate a message that the CRG board sends to the VPI CPU/PD board. The message received by the CPU/PD board from the CRG is used as part of the generation of the VRD checkword. All outputs are generated using a Double Break Output (DBO) DC-DC converter and as such are isolated from each other by > 2000 Vrms and protected from undetected single-fault failures. Figure 5-5: CRG Board. WARNING: LOAD DEVICE RESTRICTIONS FOR CODE RATE GENERATOR (CRG) BOARDS. Low-current Vital CRG boards may fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low-current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes
121. ted by this main bus are CSEX, VRD, CPU/PD, I/O BUS and VSC. The VRD PCB takes two slots. Cable harnesses are also required to connect the PCB edge connectors to the plug couplers on the rear cover of the chassis. These cables are detailed below. There are 21 available plug coupler locations on the rear panel and four 60-way ribbon cable locations. The blank plates listed below are used to cover the unused locations. Also note that there are several variations of output and input cables to provide a variety of arrangements of plug couplers and board configurations. 4.3 DIRECT WIRE CHASSIS: The direct wire chassis is configured to allow the I/O wiring to be economical by directly inserting wire into the PCB edge connectors in the chassis. This chassis configuration does not allow for quick removal of the chassis from a wired rack. However, all the PCBs can be removed and no active electronic components are left in the chassis. This version is intended for applications where the rack housing this chassis provides a plug-coupled connection to the other interlocking equipment. Figure 4-4: Direct Wire Chassis. 4.3.1 Case: The VPI direct wired chassis can be constructed from two basic case configurations. One to four chassis can be used to complete a system. The chassis may be a mixture
122. the maximum component failure rate should be low enough to preclude simultaneous failures. 5.12.1.19 FMEA Provides Adequate Failure Coverage: The Failure Modes and Effects Criticality Analysis technique, correctly and comprehensively applied, is adequate to reveal all potential unsafe effects of component failure. Justification of this assumption is again based on accepted industry practice: AREMA. 5.12.1.20 Security of Installation: In order to maintain security from physical tampering, VPI is required to be installed within either an enclosed case under lock and key or a locked equipment house where only those trained in the line maintenance or designated members of the rail authority have necessary means of access. 5.12.2 Maintenance Assumption. 5.12.2.1 External Input/Output Integrity: VPI Vitally insures that any safety-critical failure that occurs internal to the system (inboard side of the electrical boundaries of its input and output circuit boards) is detected, with the system attaining a more restrictive state should a failure occur. VPI does not have the capability to determine if an erroneously applied energy (positive Vital signal battery voltage) has been applied to its input. In a similar manner, VPI cannot detect if energy has been erroneously applied to an output drive circuit external to the system, thereby supplying a potentially more permissive
123. the transit or railroad authority shall be solely responsible for any consequences to the safety integrity and performance of the train control system in which LRUs not repaired by Alstom are used. Alstom assumes no responsibility or liability for the safe performance of the train control system once LRUs not repaired by Alstom are used. WARNING: USE ONLY ALSTOM VITAL RELAY WITH VRD BOARD. Only Alstom VRD relay P/N 56001 787 05 is to be used with the Alstom VPI system VRD circuit board. Alstom products are designed to function within all Alstom systems. The introduction of non-Alstom products into an Alstom VPI system could have unintended and unforeseeable safety consequences. Failure to comply can degrade the safety performance of the train control system, resulting in property damage, injury, and/or death due to train collision or derailment. The VPI VRD relay is a specific type, as it forms the final stage of the Vital circuit residing on the VPI VRD circuit board. Its pick time and pick-up and drop-away currents are critical parameters in guaranteeing a quick response to a detected failure. The VRD relay is used to disconnect output energy should VPI encounter a failure in a Vital process result or output state. Back contacts of the VRD relay are typically used to drive the Red Aspect of signals to show a positive Stop aspect rather than a dark signal. I
124. tial Board (P/N 31166 106): The Non-Vital Input Differential board provides 32 isolated Non-Vital Inputs to a VPI system. Interface to the system is accomplished through the system motherboard. A Code System Emulator employing Non-Vital I/O control software communicates over the motherboard bus to the NVID board. Input states are latched and then read every 25 ms. On-board jumpers permit configuration of the inputs as 1) common cathode, 2) common anode, 3) isolated (i.e., differential). 6.3.2.1 Specifications. Table 6-5: NVID Board Specifications. Specification / Characteristics (31166 106 01 02 03 04 05): Maximum number of Boards per CSEX Subsystem; Board slots required; Input Sensitivity (min. input voltage to be read as 1). 6.3.2.2 Assemblies. Table 6-6: NVID Board Assemblies (Description, Part Number): NVID 32 six volt inputs, 31166 106 01; NVID 32 twenty four volt inputs, 31166 106 02; NVID 32 twelve volt inputs, 31166 106 03; NVID 32 twelve volt inputs, 31166 106 04; NVID 32 twenty four volt inputs, 31166 106 05. 6.3.3 NVIDSW: Non-Vital Input Differential Switch Board (P/N 31166 276). The Non-Vital Input Differential Switch Board provides 32 isolated non-Vital inputs to a VPI system. Interface to the system is accomplished through the system motherboard. Input states are latched and then read every 25 m
125. to energy removal period of 140 ms. Switch machines or other signaling devices that complete state change in less than 200 ms, such as air-operated switch machines, must not be directly interfaced to a VPI system without a Vital relay between the VPI and the machine to introduce a sufficiently delayed response. 5.12.1.6 Signaling Logic Ordering: VPI evaluates logic in a sequential manner, from first expression to last, each system cycle. When implementing signaling rules, this fact must be considered to insure proper order of output states and proper sequences of rules implementation. 5.12.1.7 Vital Output Verification: VPI's detection of failures on outputs is accomplished through the detection of current flow in an output that has been otherwise directed to be in the OFF state. Absence of current in an OFF output is positive proof that no failure has occurred to falsely drive that output. The detection threshold on the absence of current detector is any current over 3 ma for DC non-signal output types and 100 ma for signal lamp drivers. Therefore, when designing an interlocking application, it must be guaranteed that VPI output loads will draw more than 5 ma (150 ma) of current during normal operation when the output is turned ON to provide safe operating margin. 5.12.1.8 Preventing Potential Output Circuit Run-Around Paths (Vital Outputs): VPI outputs have been designed for single break (SBO, ACO, LDO) and double break (DBO) application. Whe
126. ubsystem requires one of these boards. All the Vital control and monitoring functions for the VPI module go through this board. The CPU/PD board controls the System bus, over which the CPU/PD, VRD, CSEX, VSC, and I/O Bus interface boards communicate. 5.2.1 High Integration Embedded Microprocessor: The 16 MHz microprocessor (180C186EB 16) on this board has many integrated features. All of these features are used on the CPU/PD board to provide a compact, high-speed board set. The increased speed and memory capacity of the board afford increased Vital I/O and Vital expression capacities. Figure 5-2: CPU/PD Board. 5.2.2 Specifications. Table 5-1: CPU/PD Board Specifications. Characteristic: Maximum number of Boards per VPI System; Board slots required; Maximum Board Logic Current Supply; Maximum Board Logic Current Supply with HHT; Supports 27H010 EPROM. 5.2.3 Assemblies. Table 5-2: CPU/PD Board Assembly (Description, Part Number): Basic Board, No VPI System Software, 31166 029 01; Board with 40026 081 Software for use with CAA 31746 010 and earlier, 31166 029 10; Board with 40025 191B Software for use with CAA 31746 011B and later, 31166 029 11; Board with 40025 304A Software for use with CAA 31746 025A and later, 31166 029 25; Board with 40025 321A Softwa
127. utputs Specifications. Specification Characteristic 59473 937 03 No. 5.10.2 Assembly. Table 5-22: ACO Board Assembly (Description, Part Number): ACO Board Assembly, 8 channels with enhanced EMI protection, 59473 937 02; ACO Board Assembly, 8 channels with EMI suppression, 59473 937 03; Signature PROM (one for each output board in a system, determined by CAA), 39780 003 01 through 39780 003 40. 5.11 FSVT: FIELD SETTABLE VITAL TIMER BOARD (P/N 59473 894). The Vital Timer board (59473 894) contains provisions for the use of eight field-settable Vital timing functions. Time setting selection is accomplished through the programming of the time selection jumpers. Each of the eight timers has four pin headers that allow setting of the desired time interval by positioning one jumper in each header. The Vital Timer board is located on the Vital I/O bus. Normal operation is to detect the switch setting and then perform a Vital algorithm to verify the setting of that timer's switch. Figure 5-16: FSVT Board. 5.11.1 Specifications. Table 5-23: FSVT Board Specifications. Specification Characteristic 59473 894 Maximum number of Boards per VPI System Eeg Number of Discrete Timers perbo s Minimum Run Time minutesiseconds owo Assign to I/O Bus Wit
128. y fail with up to 3 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a low-current Vital output circuit board must not operate at or below 3 milliamperes and must de-activate above 3 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. WARNING: LOAD DEVICE RESTRICTIONS FOR HIGH CURRENT VITAL AC OUTPUT (ACO) BOARDS. High-current Vital AC output boards may fail with up to 50 milliamperes of output leakage current with the system requesting the output to be in the de-energized state. To prevent a potential unsafe condition, any load device attached to a high-current Vital output circuit board must not operate at or below 50 milliamperes and must de-activate above 50 milliamperes. This includes all environmental operating conditions and all operating values of the load device over its service life. Failure to follow this requirement may lead to unexpected operation of the load device, resulting in property damage, injury, and/or death due to train collision or derailment. Table 5-21: AC O
