International Symposium on Transportation Recorders
May 3 - 5, 1999 Arlington, Virginia

Design of a Crash Survivable Locomotive Event Recorder

Thomas Stevens, Robert E. Onley, and Robert S. Morich
L-3 Communications, Electrodynamics, Inc., Rolling Meadows, Illinois

KEYWORDS

Rail Event Recorder, Crash Survivable Memory, FRA Crashworthy Event Recorder, FRA Rule 49 CFR 229.135

INTRODUCTION

The FRA is presently preparing a regulation covering the crash survivability of the Locomotive Event Recorder. This regulation will also specify the minimum number of parameters to be recorded and how this requirement will be phased-in on existing and new locomotives. The parameter selection reflects the more advanced control systems now in use or planned for use in the modern passenger or freight locomotive. In lieu of periodic inspection and test, the regulation will require the Event Recorder to incorporate internal self-monitoring. Self-monitoring will extend the inspection interval to one year and, based on good one-year results, extend the interval to three years.

The crash survivability test levels and test methods are based on the European Organization for Civil Aviation Equipment (EUROCAE) documents, ED-55, "Minimum Operation Specification for Flight Data Recorder System," and ED-56A, "Minimum Operation Requirement for Cockpit Voice Recorder System." The tests, test levels and methods have been modified to reflect the lower speeds and heavier structure of the locomotives. The product of the crash survivability is the recorded data. Specifics covering the recovery of the data are not intended to be incorporated into the regulation. However, the rail system, like the airborne flight data recorders, must have provisions to recover the data down to the memory board and memory chip level.

PROPOSED FRA REGULATIONS

The present FRA regulation 49 CFR 229.135 requires all lead locomotives and remote distributive power locomotives that travel over 30 miles per hour to have an Event Recorder capable of recording a minimum number of parameters (nine). The new ruling will modify 49 CFR 229.135 and categorize locomotives by manufacture date, either to be equipped with crashworthy event recorders or to phase them in over a period of time or at an overhaul. The minimum number of parameters (nine) must be recorded on locomotives built prior to a TBD date. For locomotives having a tape recording medium, their recorders must be removed from service during a five-year period and replaced with crashworthy recorders capable of recording the same number of data channels as the recorders they replace. All locomotives built after a TBD date, and those built prior to a TBD date and undergoing a rebuild overhaul, must have a crashworthy recorder capable of recording 27 parameters. MU locomotives built after a TBD date will be required to have a crashworthy recorder capable of recording 20 parameters.

The criteria for the crashworthy Event Recorder Memory Module (ERMM) have been adopted from the EUROCAE ED-55 and ED-56A documents with different test limits and time durations. The crash survivability tests include impact shock, static crush, fluid immersion, fire and hydrostatic pressure. The testing procedures must be as specified in EUROCAE ED-56A.

The fire test requires the ERMM to be subjected to both high and low temperature fire tests. The high temperature test requires that the entire external surface of the ERMM be exposed to a flame temperature of 1000°C for a period of 60 minutes. The low temperature test requires a constant air temperature of 260°C for a period of 10 hours. These tests simulate fire-pool and hot wreckage bake exposures respectively.

The impact shock test requires the ERMM to survive a shock pulse of 23 g's for 250 milliseconds duration applied to the most damage-vulnerable direction. This simulates impact of an 80-mph locomotive into an unyielding object.

The static crush test requires a static force of 25,000 lbs. applied continuously to each face of the unit for a period of five minutes. In addition, a static force of 10,000 lbs. must be withstood for a period of five minutes using a loading surface that is 25% of the total surface of each face. This simulates a locomotive derailment and blunt object impact.

Fluid immersion tests require the ERMM to be immersed in regular and salt water, number 1 and 2 diesel fuel, and lubricating oils individually for 48 hours. In addition, immersion in currently used fire extinguishing agents for 48 hours is required.

The hydrostatic requirement is immersion in salt water to an equivalent depth of 100 feet at a nominal temperature of 25°C for a period of 48 hours. This duplicates the deepest anticipated water submersion for a derailed locomotive.

The testing sequence allows split-branch testing, permitting separate recorders to be tested for fire and hydrostatic performance since it is unlikely that an ERMM would be involved in fire and sunk in water as a result of the same incident.

RAIL VERSUS AIR REQUIREMENTS

The EUROCAE specifications for airborne recorders were used as a reference point to define the required rail crash survivability levels. The requirements differ as a result of the lower speeds and higher weights of the rail equipment. A comparison of the rail and air survivability requirements is shown in Table 1. The aviation recorder requirements are detailed in FAA regulations in 14 CFR that refer to TSO-C124a, which in turn refers to the EUROCAE documents.
 
Requirement              Air                                      Rail
-----------              ---                                      ----
Shock                    3,400 g's/6.5 ms                         23 g's/250 ms or energy equivalent
Penetration              10 ft. drop, 500 lbs., 0.05 in²          Not required
Static Crush             5,000 lbf, 5 min., faces and diagonals   25,000 lbf/5 minutes, each face
Face Crush               Not required                             10,000 lbf/5 min. applied to 25% of a face
Fire, High Temperature   1100°C, 60 minutes                       1000°C, 60 minutes
Fire, Low Temperature    260°C, 10 hours                          260°C, 10 hours
Immersion, Fuel/Fluids   48 hours                                 48 hours
Immersion, Sea Water     9 feet, 30 days                          48 hours
Immersion, Fire Exting.  8 hours                                  48 hours
Hydrostatic, Sea Water   20,000 feet, 30 days                     100 ft, 48 hours

Table 1: Comparison of crash survivability requirements.

PRESENT RAIL RECORDERS

Locomotive event recorders currently in use range from older tape units with a minimum of channels to more recent solid-state units with a variety of input capabilities. Data storage is provided by magnetic tape, battery-backed RAM, nonvolatile EEPROM or "flash" memory. Solid state memory is available from 256K bytes to 2M bytes and can be downloaded via a communications unit or a removable memory card.

Inputs for non-integrated stand-alone recorders are typically analog or discrete (digital) channels with limited capability. In these systems, the recorder interfaces directly with the sensors in the locomotive. The recorder must process each signal individually. Since signal types can vary, specialized hardware and software are required within the event recorder. The stand-alone approach also increases the complexity of the recording system by requiring the routing of additional wiring from the sensors to the recorder. The flexibility of the stand-alone recorder is limited in that changes to sensors and numbers and types of channels will require changes to the recorder hardware and software as well as wiring changes within the locomotive.

More recent recorders are integrated digital systems that interface with the Locomotive Process Controller (LPC) computer via a serial data bus. In these systems, the LPC interfaces directly with the sensors in the locomotive. The recorders acquire the sensor readings as digital data from the controller. This approach permits access to all the parameters available to the LPC with only a recorder software configuration. Wiring is minimized, and parameter changes require only software reconfiguration. In addition, the integrity of data transmission is preserved by a check-byte field and error-correcting protocol.

The FRA presently requires an event recorder, but it need not be crash survivable. In anticipation of the regulation, Electrodynamics, Inc. has developed, tested and installed a crash survivable event recorder, to a General Electric Transportation Systems (GETS) specification, that meets or exceeds the GETS specification and the proposed FRA regulation requirements.

CRASHWORTHY RECORDER DESIGN

Locomotive recorders must survive shock, crush, fluid immersion, fire, bake, and/or hydrostatic pressure in the order they would naturally occur. It is advantageous to include design features that address two or more of these requirements simultaneously. This is easier to do in rail recorders than in aviation recorders.

SHOCK

Shock damage is avoided by not using brittle items such as ceramic or glass circuit cards or electrical components in the crash-survivable memory unit. In military aviation recorders, some of these items may be needed to meet military-component requirements and to cope with extremes of thermal exposure (thermal coefficient of expansion incompatibilities). Metal-core cards or chip-carrier adapters on plastic cards are used for strength and thermal compatibility. In rail recorders, severe extremes of temperature and qualified-parts lists are not considerations. This allows use of tough, inexpensive commercial plastic-package components and polymer circuit cards that can withstand high levels of acceleration and bend/twist force without damage. Peak acceleration is 150 times higher in air crashes, while the pulse duration is only 33 times longer in rail crashes, resulting in 77% less total energy (g-time) in rail crashes than in air crashes. This also assists in lowering costs of circuit packaging in rail recorders.

CRUSH

Static crush forces are five times higher for locomotive accidents than airplanes, but since impact speeds are much lower, penetration forces are less, and are more static than inertial. A strong housing is important for both. A strong housing also provides a solid foundation for mounting of the memory assemblies for shock resistance. Housings are usually rectangular for best crush survival. Minimizing size and weight of the housing is much more important in aircraft than locomotives. This leads to use of expensive, exotic materials such as titanium housings and intumescent paint coatings that swell into an insulating foam char when exposed to fire. Smaller housings are also inherently stronger in face strength, and have less fire exposure surface. In contrast, crash-protected memory sizes are usually larger and heavier for rail recorders, since size and weight are not concerns. This allows use of inexpensive common steels and paints for housings. The larger face sizes have less inherent crush strength, but rail penetration requirements are not as severe. The larger fire exposure is compensated by use of thicker insulation and heavier thermal mass in the memory unit. Thus, larger allowable size-and-weight yields dramatic cost reductions in rail recorders.

FLUIDS

The fluids in which recorders can be immersed, such as jet or diesel fuels, oils and lubricants, hydraulic fluids, and fire extinguishing agents, differ somewhat between the air and rail cases, but not significantly. The best defense against fluids is impervious conformal coatings on the memory circuit cards. The strong housings cannot be counted on to provide fluid immersion survivability, since the electrical connector is typically a weak spot.

FIRE

Fire survivability requirements are similar for aircraft and rail recorders, with rail recorders having a slightly lower peak fire temperature due to lower fuel burn temperatures. Fire protection uses a two- or three-part strategy based on delaying and deflecting heat flows. Special high-temperature insulation inside the crash-survivable housing reduces flow of heat to the interior to a small amount per hour. Unlike typical soft fiberglass or Styrofoam insulation, it is a solid fibrous mass, to support the memory cards for shock survival without using heat-conducting metal supports. It is also rated for high temperatures. Large thermal masses that require lots of heat flow to raise their temperature surround the memory circuits. In some aviation recorders, water or other phase-change materials act to absorb or dissipate some of the interior heat as temperatures rise. Solid-state memories that can survive high peak temperatures for a short time without loss of data are used in modern recorders. The goal is to reduce the peak temperature seen by the memory to much less than the fire temperature. Military aviation recorders sometimes use expensive intumescent paints, super-insulations, and beryllium or phase-change thermal masses to reduce size and weight to absolute minimums. Larger and heavier rail recorders can use ordinary paints, thicker but less-expensive solid insulations, and a larger thermal mass of common steel as the thermal heat sink. They do not need special heat-absorbing materials. This allows large reductions in the cost of fire protection for rail recorders.

BAKE

The same thermal features provided to survive short-term fire also provide long-term bake survivability. In rail recorders, there is no reliance on finite "consumable" phase-change heat-dissipating materials.

HYDROSTATIC

There is a considerable difference in hydrostatic pressure requirements. Aviation recorders must survive deep ocean immersion pressures of 8,900 PSI. This is accomplished in commercial recorders by use of solid plastic-encapsulated integrated circuit memories that have a high inherent hydrostatic crush resistance. The deep-water requirement is not often imposed on military aviation recorders that must use fragile, hollow ceramic-encapsulated memories, because it requires expensive pressure-vessel packaging techniques. Rail recorders must only survive relatively shallow river or shore immersions, allowing use of inexpensive plastic memories.

Table 2 compares survival-oriented design features of aviation and rail recorders and the crash environments they help survive.
 
Recorder             Feature                 Shock  Crush  Penetration  Fluids  Fire  Bake  Pressure
Commercial aviation  Plastic parts           x      -      -            -       -     -     x
                     Plastic cards           x      -      -            -       -     -     -
                     Steel housing           x      x      x            -       -     -     -
                     Conformal coating       -      -      -            x       -     -     -
                     Solid insulation        x      -      -            -       x     x     -
                     Phase-change mass       -      -      -            -       x     x     -
                     Solid-state memory      -      -      -            -       x     x     -

Military aviation    Metal-core cards        x      -      -            -       -     -     -
                     Adapters/plastic cards  x      -      -            -       -     -     -
                     Titanium housing        x      x      x            -       x     x     -
                     Conformal coating       -      -      -            x       -     -     -
                     Solid insulation        x      -      -            -       x     x     -
                     Intumescent paint       -      -      -            -       x     x     -
                     Solid-state memory      -      -      -            -       x     x     -
                     Pressure vessel         -      x      x            x       -     -     x
                     Beryllium mass          -      x      x            -       x     x     -
                     Phase-change mass       -      -      -            -       x     x     -

Rail                 Plastic parts           x      -      -            -       -     -     x
                     Plastic cards           x      -      -            -       -     -     -
                     Steel housing           x      x      x            -       -     -     -
                     Conformal coating       -      -      -            x       -     -     -
                     Solid insulation        x      -      -            -       x     x     -
                     Steel mass              -      -      -            -       x     x     -
                     Solid-state memory      -      -      -            -       x     x     -

Table 2: Features of aviation and rail recorders.

DESIGN EXAMPLE

An example of a current event recorder system for locomotives is shown in Figures 1 and 2. This system includes a solid-state recorder unit (Figure 1), a memory-card-based download unit (Figure 2), and PC software. The recorder includes a crash-hardened memory module and a non-hardened recording and playback control module. This division of circuitry reduces the size and cost of the hardened housing while not compromising the crash survivability of the data. The fire survival time of the recorder was extended by over 100% during design optimization by using custom computer heat transfer analysis software. This software was able to predict the peak recorder interior temperature in a fire within a few degrees Celsius.

An RS-232 serial cable allows recorded data to be sent to the download unit's transfer medium, an industry-standard PC Card (formerly called PCMCIA) solid-state "flash EEPROM" memory card. This card can be hand-carried to a data center PC having a PC Card drive for data downloading and analysis. PC Windows software allows examination of the data in tabular or line graph form for maintenance trends as well as incident investigation. The recorder can also be downloaded at the memory module or memory chip levels if necessary. A laptop computer can be used to download files directly without a memory card. A third option is download via a yard radio data system.

Figure 2: Electrodynamics download unit with memory card.

The recorder system is tamper-proof because alteration or erasure of recorder data is not a provided user function. This system can directly replace existing tape recorders and non-crash-protected solid state recorders. The useful lifetime of the recorder is 20 years. New control software can be uploaded to update the recorder during this time.

QUALIFICATION TESTING

The recorder was tested for compliance to a GETS specification that did not anticipate the draft FRA regulation governing crash survivability of rail recorders. EDI performed some of the testing in the draft regulation as it then existed (1998). Shock testing was performed as 1000-g 6.5-ms shocks using an airgun recorder-launcher and a calibrated-compliance target for controlled deceleration. The new draft FRA regulation waveform has lower and longer shock pulse levels, but allows reshaping of the pulse as long as the total energy remains the same. Static crush tests were performed using a hydraulic press machine. The fire test was performed in a fire bunker building containing four large propane burner jets aimed at the recorder unit, as shown in Figure 3. Continuous regulation of propane pressure and burn mixture is necessary to maintain the proper temperature and flame size as the propane is expended during a one-hour fire test. Hydrostatic pressure was tested in a pneumatically pressurized seawater pressure vessel of the same type as used in testing aviation recorders, but using a much lower pressure level (47 PSIG).

Figure 3: Locomotive event recorder in fire test.

FUNCTIONAL REQUIREMENTS

The Event Recorder interfaces with the locomotive's computer system and provides a crash-hardened record of the locomotive's pertinent data. The recorder, as shown in the block diagram in Figure 4, is a microcontroller-based unit with communication interfaces and a crash-protected nonvolatile solid-state memory (shown in dashed lines).

Figure 4: Locomotive event recorder block diagram.

The locomotive's computer system sends parameter data only when value changes exceed preset thresholds (including time). Software filters prevent overuse of memory by faulty channels. The locomotive computer selects the parameters to be monitored, performs the required triggering and filtering, and sends the resulting data to the recorder where it is formatted and written to nonvolatile memory.

OPERATION

In operation, the recorder is powered up and recording whenever the locomotive's engine is running and its power supply is on. This differs from the military aviation world, in which recording typically begins only when weight-off-wheels is sensed.

The recorder unit connects to the locomotive via a standard RS-422 high-speed serial data link. This link uses a robust error-correcting two-way asynchronous communications protocol that requires only four wires to transmit up to 80 parameters. This saves wiring and reduces maintenance costs. This bus is similar in concept to the MIL-STD-1553B or ARINC 629 buses in the aviation world, but less expensive. The recorder receives parameter messages addressed to it from the locomotive central computer. These messages arrive at a rate of one per second. A few parameters are recorded at 10 samples per second.

The event recorder memory is software-configured as a circular buffer. When a record is written to recorder memory, it replaces the oldest record in memory, thus maintaining a record of the most recent period of time. The number of parameters recorded, the memory size, and data activities determine the recording period retained in memory. The crash regulation requires a minimum of 48 hours of safety and maintenance-related data when the electrical system of the locomotive is operating. Up to 72 hours of data can be provided, depending on parameter activity.

Records are stored once per second. Parameters monitored and storage formats can be customized on a railroad-by-railroad basis. Optional check-bytes at the end of each 1K-byte record verify the integrity of data storage.
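
An added example (not code from the paper or from the recorder's firmware) of the circular buffer and per-record check bytes described above, with the recovery pass an investigator would run over a raw memory image read at module or chip level. The record layout, the choice of CRC-16 for the check bytes, the 8-slot memory and all function names are assumptions made for illustration.

```c
/* Added example. Assumed record layout (not from the paper): 4-byte big-endian
 * sequence number, payload, then 2 check bytes (CRC-16) closing each 1K record. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE 1024u   /* record size stated in the paper */
#define NUM_RECS 8u      /* assumed tiny memory so the demo wraps quickly */
typedef struct { uint8_t mem[NUM_RECS * REC_SIZE]; uint32_t next_seq; } recorder_t;

/* CRC-16/CCITT-FALSE: catches accidental corruption; it is not a keyed
 * authentication tag and cannot by itself show that data was not altered. */
static uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

/* Circular write: slot = seq mod NUM_RECS, so the oldest record is replaced. */
static void rec_write(recorder_t *r, const uint8_t *data, size_t len)
{
    uint32_t seq = r->next_seq++;
    uint8_t *s = r->mem + (seq % NUM_RECS) * REC_SIZE;
    memset(s, 0, REC_SIZE);
    s[0] = (uint8_t)(seq >> 24); s[1] = (uint8_t)(seq >> 16);
    s[2] = (uint8_t)(seq >> 8);  s[3] = (uint8_t)seq;
    memcpy(s + 4, data, len > REC_SIZE - 6u ? REC_SIZE - 6u : len);
    uint16_t c = crc16(s, REC_SIZE - 2);
    s[REC_SIZE - 2] = (uint8_t)(c >> 8); s[REC_SIZE - 1] = (uint8_t)c;
}

/* Recovery from a raw image: verify each slot's check bytes and return intact
 * sequence numbers oldest first. *bad counts written slots that fail the check. */
static size_t rec_recover(const uint8_t *img, uint32_t *out, size_t *bad)
{
    size_t n = 0;
    *bad = 0;
    for (size_t i = 0; i < NUM_RECS; i++) {
        const uint8_t *s = img + i * REC_SIZE;
        uint32_t seq = ((uint32_t)s[0] << 24) | ((uint32_t)s[1] << 16) |
                       ((uint32_t)s[2] << 8) | s[3];
        uint16_t stored = (uint16_t)((s[REC_SIZE - 2] << 8) | s[REC_SIZE - 1]);
        if (crc16(s, REC_SIZE - 2) != stored) {
            if (seq != 0 || stored != 0) (*bad)++;  /* all-zero = never written */
            continue;
        }
        size_t j = n++;                 /* insertion sort by sequence number */
        while (j > 0 && out[j - 1] > seq) { out[j] = out[j - 1]; j--; }
        out[j] = seq;
    }
    return n;
}

/* Constructed scenario: 11 records into 8 slots, one bit of record 6 flipped. */
static size_t demo(uint32_t *out, size_t *bad)
{
    recorder_t r = { .next_seq = 1 };
    for (uint32_t t = 1; t <= 11; t++) {
        uint8_t sample[4] = { (uint8_t)t, 0x10, 0x20, 0x30 };  /* made-up data */
        rec_write(&r, sample, sizeof sample);
    }
    r.mem[6u * REC_SIZE + 100] ^= 0x01;   /* slot 6 holds sequence number 6 */
    return rec_recover(r.mem, out, bad);
}

int main(void)
{
    uint32_t seqs[NUM_RECS]; size_t bad, n = demo(seqs, &bad);
    printf("intact=%zu damaged=%zu oldest=%u\n", n, bad, (unsigned)seqs[0]);
    return 0;
}
```

The sequence number lets the recovery pass order records without knowing where the write pointer stood when power was lost, and a failed check isolates one damaged record instead of invalidating the whole image.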

At any time, the user can request a data download. The recorder continues to record while downloading. This is another difference from the aviation world, in which most recorders must be stopped in order to examine data.

Recorded data is downloaded via an RS-232 serial data link to a laptop personal computer or to a nonvolatile PC Card memory via a custom recording device interface. The serial link may also be used to download the data to a remote location via a yard data radio. Downloaded data is in a DOS binary file format.

Data analysis software that operates on an IBM PC-compatible computer is available. The software package provides the capability to display selected parameters in either tabular or graphical format as a function of date, time, or another parameter, as shown in Figure 5. Up to 23 additional parameters are derived or calculated from recorded data during data analysis.

Figure 5: Data analysis software display of recorded data.

A built-in health test checks internal recorder functions periodically on a non-interfering basis. Laptop PC software can reveal the current status of the recorder, allowing a technician to determine the health of the system in detail at any time.

CONCLUSIONS

A cost-effective solid-state event recorder can be provided to the railroad industry by borrowing design and test techniques from aviation recorders while reducing costs in ways unique to the railroad industry.

REFERENCES

ARINC 629, "Multi-Transmitter Data Bus," Aeronautical Radio, Inc.

EUROCAE ED-55, "Minimum Operation Specification for Flight Data Recorder System," European Organization for Civil Aviation Equipment.

EUROCAE ED-56A, "Minimum Operation Requirement for Cockpit Voice Recorder System," European Organization for Civil Aviation Equipment.

Federal Regulation 14 CFR Parts 25, 29, 91, 121, 125 and 135, "Cockpit Voice Recorders (CVR) and Flight Data Recorders," Federal Aviation Administration.

Federal Regulation 49 CFR 229.135, "Event recorders (Draft)," Federal Railroad Administration.

Federal Regulation 49 CFR 229.25, "Tests (Draft)," Federal Railroad Administration.

Federal Regulation 49 CFR 229.5, "Definitions (Draft)," Federal Railroad Administration.

MIL-STD-1553B, "Digital Time Division Command/Response Multiplex Data Bus," Naval Publications.

TSO-C124a, "Flight Data Recorder Systems," Federal Aviation Administration.

BIOGRAPHIES

Thomas Stevens has been involved with design and analysis of solid-state flight data recorders since 1986, and rail recorders since 1996. His area of specialty is systems engineering, including hardware, software, simulation, user interface, safety, publications and trade studies. He has participated in several military crash investigations. He is a member of the Institute of Electrical and Electronics Engineers Computer Society, National Defense Industrial Association and International Society of Air Safety Investigators, and serves on the FRA Rail Safety Advisory Committee Event Recorder Working Group. He has authored or co-authored several papers on missile safety and fuze design.

Robert E. Onley participated in the design of the US Navy's first experimental solid-state flight data recorder in 1977, and seven airborne recorders since then. He has been active in rail recorders since 1995. His area of specialty is advanced systems engineering, including system design, preliminary circuit design, proposals and trade studies. He has authored or co-authored papers on airborne recorders and air traffic control displays.

Robert S. Morich has designed rail recorder crash-survivable memory units since 1996. His area of specialty is mechanical engineering, including housings, crash-survivable circuit packaging and testing. He has participated in military incident investigations.

