Advanced Group Rapid Transit Guideway Communication Unit Design Summary

Claude W. Colson

FINAL REPORT
DECEMBER 1984
NOTICE

The United States Government does not endorse products or manufacturers. Trade or manufacturer's names appear herein solely because they are considered essential to the object of this report.

NOTICE

This document is disseminated under the sponsorship of the Department of Transportation in the interest of information exchange. The United States Government assumes no liability for the contents or use thereof.
The purpose of the Advanced Group Rapid Transit (AGRT) program was to develop an advanced automated guideway transit system capable of providing high passenger volumes, short waiting times, and high levels of passenger service. The transportation system developed consists of small, automated vehicles which operate on a single lane guideway at short headways with unmanned, off-line stations. This report summarizes the design and development of the Guideway Communication Unit (GCU) for the AGRT program. The GCU is a subsystem of the AGRT command and control subsystem. It functions as an interface between the vehicle command and control subsystem and the test track command and control subsystem. It contains an inductive communication link, a vehicle presence detection system, and magnetic guideway markers. The inductive communication link provides a two-way command and control data path between the wayside and vehicles. This link also provides a failsafe speed limit to the vehicle. The design utilizes eight bit microcomputers and incorporates unique self-exercised software to detect potentially unsafe latent failures within the hardware. A digital FSK receiver was designed which operates in the severe impulse noise environment with low bit error rate. The digital FSK receiver is also implemented with an eight bit microcomputer. The development of the GCU has produced several innovative solutions to difficult problems that may be useful to future designers. Details of these design innovations are contained within this report.
This report summarizes the design and development of the Guideway Communication Unit (GCU) for the Advanced Group Rapid Transit program. The GCU functions as an interface between the wayside and vehicles. The GCU contains an inductive communication link, a vehicle presence detection system, and magnetic guideway markers. The inductive communication link provides a two-way command and control data path between the wayside and vehicles. This link also provides a fail-safe speed limit to the vehicle. The design utilizes eight bit microcomputers and incorporates unique self-exercised software to detect potentially unsafe latent failures within the hardware. A digital FSK receiver was designed which operates in the severe impulse noise environment with low bit error rate. The digital FSK receiver is also implemented with an eight bit microcomputer.
PREFACE

The Guideway Communication Unit (GCU) is a subsystem of the Advanced Group Rapid Transit (AGRT) Command and Control Subsystem (C&CS). It functions as an interface between the Vehicle Command and Control Subsystem (VCCS) and the Test Track Command and Control Subsystem (TCCS). This document discusses the design and development of the GCU.
<table>
<thead>
<tr><th>Section</th></tr>
</thead>
<tbody>
<tr><td>1.0 EXECUTIVE SUMMARY</td></tr>
<tr><td>2.0 INTRODUCTION</td></tr>
<tr><td>3.0 DESIGN REQUIREMENTS</td></tr>
<tr><td>4.0 DETAILED DESIGN DESCRIPTION</td></tr>
<tr><td>4.1 Inductive Communication Subsystem</td></tr>
<tr><td>4.1.1 Communication Processor</td></tr>
<tr><td>4.1.2 Speed Limit Checker Processor</td></tr>
<tr><td>4.1.3 Safe-To-Proceed Control</td></tr>
<tr><td>4.1.4 FSK Receiver</td></tr>
<tr><td>4.1.5 FSK Modulator</td></tr>
<tr><td>4.1.6 Loop Driver</td></tr>
<tr><td>4.1.7 Loops and Feedlines</td></tr>
<tr><td>4.2 Presence Detection Subsystem</td></tr>
<tr><td>4.2.1 Presence Detector Electronics</td></tr>
<tr><td>4.2.2 Presence Detector Processor</td></tr>
<tr><td>4.2.3 Presence Detectors</td></tr>
<tr><td>4.3 Magnetic Signaling Subsystem</td></tr>
<tr><td>4.3.1 Stop Initiate Magnets</td></tr>
<tr><td>4.3.2 Switch Initiate Magnets</td></tr>
<tr><td>4.3.3 Position Correction/Calibration Magnets</td></tr>
<tr><td>4.4 Master Clock</td></tr>
<tr><td>4.5 Run-out Switches</td></tr>
<tr><td>5.0 SAFETY PHILOSOPHY</td></tr>
<tr><td>6.0 ANALYSES</td></tr>
<tr><td>6.1 Circuit Analyses</td></tr>
<tr><td>6.2 Safety Analyses</td></tr>
<tr><td>6.2.1 STP Control</td></tr>
<tr><td>6.2.2 Speed Limit Checker</td></tr>
<tr><td>6.2.3 Loop Driver and Modulator</td></tr>
<tr><td>7.0 DEVELOPMENTAL TESTS AND GCU STATUS</td></tr>
<tr><td>8.0 CONCLUSIONS</td></tr>
<tr><td>9.0 RECOMMENDATIONS</td></tr>
<tr><td>9.1 Future Improvements</td></tr>
<tr><td>9.2 Potential Applications</td></tr>
<tr><td>10.0 BIBLIOGRAPHY</td></tr>
</tbody>
</table>

LIST OF ILLUSTRATIONS

<table>
<thead>
<tr><th>Figure</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td>2.0-1</td><td>EDS Command and Control Hierarchy</td></tr>
<tr><td>4.1-1</td><td>Inductive Communication Subsystem Block Diagram</td></tr>
<tr><td>4.1-2</td><td>Inductive Link Modulation Format</td></tr>
<tr><td>4.1-3</td><td>Inductive Communications Demonstration Configuration</td></tr>
<tr><td>4.1-4</td><td>Spectrum Analyzer Photos Showing FSK Signal With and Without Noise</td></tr>
<tr><td>4.1-5</td><td>Oscilloscope Photo Showing Signal and Noise</td></tr>
<tr><td>4.1-6</td><td>Plot of Receiver Sensitivity to Sinusoidals versus Frequency</td></tr>
<tr><td>4.1.1-1</td><td>Communication Processor Block Diagram</td></tr>
<tr><td>4.1.1-2</td><td>Communication Processor Software Structure</td></tr>
<tr><td>4.1.1-3</td><td>Main Communications Routine</td></tr>
<tr><td>4.1.1-4</td><td>Communication Processor Software Interrupt Sources</td></tr>
<tr><td>4.1.1-5</td><td>Uplink Software Structure</td></tr>
<tr><td>4.1.1-6</td><td>Uplink Message Format</td></tr>
<tr><td>4.1.1-7</td><td>Downlink Message Format</td></tr>
<tr><td>4.1.1-8</td><td>Downlink Software Structure</td></tr>
<tr><td>4.1.2-1</td><td>Speed Limit Checker Block Diagram</td></tr>
<tr><td>4.1.2-2</td><td>SLC Interfaces</td></tr>
<tr><td>4.1.2-3</td><td>SLC Status Output</td></tr>
<tr><td>4.1.2-4</td><td>SLC Software Structure</td></tr>
<tr><td>4.1.2-5</td><td>SLC Timing Diagram</td></tr>
<tr><td>4.1.3-1</td><td>STP Control Application</td></tr>
<tr><td>4.1.3-2</td><td>STP Control Block Diagram</td></tr>
<tr><td>4.1.4-1</td><td>Method of Frequency Demodulation</td></tr>
<tr><td>4.1.4-2</td><td>Analog Front End Block Diagram</td></tr>
<tr><td>4.1.4-3</td><td>Digital Demodulator Block Diagram</td></tr>
<tr><td>4.1.4-4</td><td>Effects of Sinusoidal Interference and Impulse Noise</td></tr>
<tr><td>4.1.4-5</td><td>Front End Filter Characteristics</td></tr>
<tr><td>4.1.4-6</td><td>Receiver Software Structure</td></tr>
<tr><td>4.1.4-7</td><td>Vehicle Antenna Driver to GCU Receiver Link Losses</td></tr>
<tr><td>4.1.5-1</td><td>Modulator Block Diagram</td></tr>
<tr><td>4.1.5-2</td><td>Modulator Output Example</td></tr>
<tr><td>4.1.6-1</td><td>Uplink Path Losses</td></tr>
<tr><td>4.1.6-2</td><td>Vehicle Antenna Ride Height Variation</td></tr>
<tr><td>4.1.6-3</td><td>Signal Attenuation at Intersections</td></tr>
<tr><td>4.1.6-4</td><td>Loop Driver Block Diagram</td></tr>
<tr><td>4.1.7-1</td><td>Signal Profile at Loop Boundary</td></tr>
<tr><td>4.2-1</td><td>Presence Detection Subsystem Block Diagram</td></tr>
<tr><td>4.2.2-1</td><td>PD Processor Block Diagram</td></tr>
<tr><td>4.2.2-2</td><td>PD Processor Software Structure</td></tr>
<tr><td>4.2.2-3</td><td>Nominal PD Closure Timeline</td></tr>
<tr><td>4.2.2-4</td><td>Long PD Closure Timeline</td></tr>
<tr><td>4.3-1</td><td>Guideway Cross-Section</td></tr>
<tr><td>4.3-2</td><td>Vehicle Reed Switch Locations</td></tr>
<tr><td>4.4-1</td><td>Master Clock Block Diagram</td></tr>
<tr><td>4.5-1</td><td>Run-out Switch/Master Clock Interface</td></tr>
<tr><td>5.0-1</td><td>Checked Redundant Configuration</td></tr>
<tr><td>5.0-2</td><td>Checked Redundant Configuration for CAS</td></tr>
<tr><td>5.0-3</td><td>Redundant Speed Limit Configuration</td></tr>
<tr><td>6.0-1</td><td>Fault Tree for Speed Limit Configuration</td></tr>
<tr><td>9.1-1</td><td>Proposed Inductive Link Timing Diagram for Integrated Command/Control and Collision Avoidance System</td></tr>
<tr><td>9.1-2</td><td>Proposed Block Diagram for Integrated Command/Control and Collision Avoidance System</td></tr>
</tbody>
</table>

LIST OF TABLES

<table>
<thead>
<tr><th>Table</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td>4.3-1</td><td>Magnetic Signalling Configuration</td></tr>
<tr><td>4.3-2</td><td>Angular Off-Tracking Components</td></tr>
<tr><td>4.3-3</td><td>Vertical Variation Components</td></tr>
</tbody>
</table>

## Glossary

<table>
<thead>
<tr>
<th>Abbreviation</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CAS</td>
<td>Collision Avoidance System</td>
</tr>
<tr>
<td>CDR</td>
<td>Critical Design Review</td>
</tr>
<tr>
<td>CRC</td>
<td>Cyclic Redundancy Check</td>
</tr>
<tr>
<td>FSK</td>
<td>Frequency Shift Keyed</td>
</tr>
<tr>
<td>GCCS</td>
<td>Guideway Command and Control Subsystem</td>
</tr>
<tr>
<td>ICS</td>
<td>Inductive Communication Subsystem</td>
</tr>
<tr>
<td>MPM</td>
<td>Morgantown People Mover</td>
</tr>
<tr>
<td>PD</td>
<td>Presence Detector</td>
</tr>
<tr>
<td>PDR</td>
<td>Preliminary Design Review</td>
</tr>
<tr>
<td>RAM</td>
<td>Random Access Memory</td>
</tr>
<tr>
<td>ROM</td>
<td>Read Only Memory</td>
</tr>
<tr>
<td>SLC</td>
<td>Speed Limit Checker</td>
</tr>
<tr>
<td>STP</td>
<td>Safe To Proceed</td>
</tr>
<tr>
<td>STTF</td>
<td>Surface Transportation Test Facility</td>
</tr>
<tr>
<td>TCCS</td>
<td>Test Track Command and Control Subsystem</td>
</tr>
<tr>
<td>VCCS</td>
<td>Vehicle Command and Control Subsystem</td>
</tr>
<tr>
<td>VRC</td>
<td>Vertical Redundancy Check</td>
</tr>
<tr>
<td>WCAS</td>
<td>Wayside Collision Avoidance Subsystem</td>
</tr>
</tbody>
</table>

1.0 EXECUTIVE SUMMARY

The Advanced Group Rapid Transit (AGRT) program was conceived shortly after TRANSPO '72, a Department of Transportation (DOT) sponsored transportation exhibition held at Dulles Airport. The purpose of the AGRT program was to develop an advanced automated guideway transit system capable of providing high passenger volumes, short waiting times, and high levels of passenger service; this resulted in requirements with a peak line capacity of 14,000 seated passengers per lane per hour using 12-passenger (all seated) vehicles operating with off-line stations and 3-second minimum headways.

The program was initially structured as a two-phase development program with three prime contractors participating in the Phase I preliminary design competition. Phase II was originally intended to proceed with full scale test track prototype development with one contractor selected from the original three.

After the completion of Phase I, a decision was made to split Phase II into two parts. All three contractors continued work on their separate design approaches in Phase II-A which involved design refinements and laboratory testing of selected key components. As Phase II-A was nearing completion in the fall of 1977, a DOT task force was formed to again review the program and chart a course for further activity. During this review period, Phase II-A was completed and one of the three contractors, Rohr Industries Inc., withdrew from the program. At that time, Rohr Industries Inc. signed a licensing agreement with the Boeing Company granting rights to Rohr's integrated magnetic propulsion and suspension technology.

As a result of the DOT Task Force's recommendations, the period of performance was extended from 36 months to 69 months. The restructured program provided for development and track testing of "Engineering Development Systems" (EDS) by each of the two remaining contractors, the Boeing Company and Otis Elevator Company. Letter contracts were signed in the fall of 1978 to provide for limited system engineering and to work out the detailed definition of Phase II-B. The full AGRT EDS activity commenced with the awarding of definitive contracts in June, 1979. The primary thrust of the redefined program was to develop the critical technologies associated with the AGRT concepts. Initial Phase II-B efforts at the Boeing Company included design of the Command and Control System, a new vehicle, and a new test track.

By the spring of 1981, as a result of funding limitations, it became apparent that the most critical element of Boeing's AGRT design was the Command and Control System (C&CS). Activity was cancelled on the new vehicle and test track design and development, and in early 1982 a decision was made to use Boeing's existing test track for the EDS program. (This track was used for vehicle testing during the Morgantown program). In addition, two Morgantown vehicles would be modified to accept the new AGRT Command and Control System and allow for development of the critical elements of AGRT.

In mid 1982, UMTA initiated another comprehensive program review to define the status of the program and clarify the expected results. This review resulted in the decision to eliminate all vehicle/test track testing and only allow continuation of development and laboratory testing of selected subsystems rather than the entire EDS. As a result, the AGRT program at the Boeing Company resulted in completion of the Vehicle Control Unit (VCU) hardware and software development only through laboratory (simulation) testing. The Guideway Communication Unit (GCU) and Collision Avoidance System (CAS) developments were stopped at the successful completion of Critical Design Review.

SUMMARY CONCLUSIONS

This report discusses in detail the design, development, and test of that portion of the control hierarchy responsible for the communications interface between station equipment and the vehicles on the guideway. This interface is provided by the Guideway Communications Unit (GCU).
The GCU contains an inductive communications link, a vehicle presence detection system, and magnetic guideway markers. This communications link also has the responsibility for providing failsafe speed limit information and safe-to-proceed (STP) control to the vehicles throughout the guideway.

The GCU design utilizes eight bit microcomputers and incorporates unique self-exercised software to detect potentially unsafe latent failures within the hardware.

The development of the GCU has produced several innovative solutions to difficult problems that may be useful to future designers. A digital receiver capable of operating in a high impulse noise environment (common with vehicle chopper type propulsion systems) was developed. Additionally, the concept of the digital receiver (implemented with a microprocessor) has resulted in high performance as well as small size. Also, a microprocessor-based speed limit checker with exercised software with no known failure modes was developed. The hardware/software techniques developed have produced the capability to generate and transmit a speed limit to the vehicle in a failsafe manner. Through the use of Hamming and cyclic redundancy check codes, the vehicle can detect transmission errors with a high degree of accuracy.

Details of the aforementioned design innovations are contained within this report. Design details of hardware with which the GCU interfaces are contained in other National Technical Information Services (NTIS) reports and are listed in the bibliography.

2.0 INTRODUCTION

The Advanced Group Rapid Transit (AGRT) program began as the development of a complete transportation system consisting of small, automated vehicles operating on an exclusive guideway at short headways with unmanned off-line stations. The main thrust of the program was reduced significantly and evolved into the development of two critical elements of the AGRT system: the Longitudinal Control System (LCS) and the Collision Avoidance System (CAS).

In the Engineering Development System (EDS), the test system initially under development by the Boeing Company for the Urban Mass Transportation Administration, automation was to be achieved with a multi-level Command and Control System (C&CS). Figure 2.0-1 shows the major subsystems of the EDS C&CS and their interrelationships. These subsystems consist of a Test Track Command and Control Subsystem (TCCS), a Guideway Command and Control Subsystem (GCCS), and a Vehicle Command and Control Subsystem (VCCS).

The TCCS provides operator controls and displays, guideway traffic control commands, test data monitoring, and those functions that are necessary to supervise the operation of the GCCS. The Guideway Communications Unit (GCU) serves as a communication link between the station and vehicles on the guideway and consists of communication circuits in the station and communication equipment installed in the guideway. The VCCS is a vehicle controller/sensor package located on each vehicle in the fleet; it controls each vehicle according to the commands received from the TCCS via the GCU.

A major part of the communication between the station and the vehicles is performed by equipment in a subsystem within the GCU called the Inductive Communication Subsystem (ICS). The ICS uses an inductively coupled link between the guideway and the station through which binary frequency shift keyed (FSK) data is transmitted and received. The coupling is accomplished by the use of wire loops embedded in the running surface of the guideway; these couple inductively with vehicle borne coil antennas. The loops and antennas provide both station to vehicle communication (uplink) and vehicle to station communication (downlink). Each guideway segment, which can be as long as 1000 feet in length, possesses a pair of such inductive loops: one in the right half of the guideway for uplinks, and one in the left half for downlinks. Associated with each loop pair is a set of inductive communication equipment to perform the FSK transmission and reception. Downlink messages are sent by vehicles only when prompted to do so by the wayside or when anomalous conditions occur which must be reported to the station. Uplink messages, on the other hand, are sent continuously with a safe-to-proceed (STP) signal encoded in the uplink. Presence of this STP signal is required by the VCCS before vehicle motion is permitted. Absence of this STP signal on a guideway loop results in an emergency stop of all vehicles over the loop. (STP removal is commanded by the Collision Avoidance System when a headway violation occurs.)

FIGURE 2.0-1: EDS COMMAND AND CONTROL HIERARCHY

The Guideway Communications Unit (GCU), the subject of this report, is the communications interface between the vehicles via the VCU and the station equipment via the TCCS.

3.0 DESIGN REQUIREMENTS

The functions of the GCU are:

1) Station/Vehicle Communications
2) Vehicle Tracking
3) Guideway Physical Position Marking

Two major categories of GCU requirements were generated before the detailed design was started. These were interface and safety requirements.

Prior to the detailed design of the GCU, internal and external electrical/mechanical interfaces were generated to ensure compatibility between subsystems and within the GCU. The electrical interfaces define signal levels, timing, and power requirements. The mechanical interfaces define the physical layout of the racks, cages, and circuit cards. The VCCS/GCU magnetic interface was described in a later document since testing was needed to develop the design.

The second major category of requirements is Safety. The primary GCU safety requirement is to generate and transmit the uplinked speed limit in a failsafe manner. This is accomplished by the speed limit checker scheme described in Section 4.1.2, the GCU inductive communication configuration described in Section 4.1, and the message error checking scheme described in Section 4.1.1.

4.0 DETAILED DESIGN DESCRIPTION

There are three GCU subsystems. They are listed below.

1) Inductive Communication Subsystem
2) Presence Detection Subsystem
3) Magnetic Signalling Subsystem

The Inductive Communication Subsystem contains the following components:

1) Communication Processor  
2) Speed Limit Checker Processor  
3) Safe-To-Proceed Control  
4) FSK Receiver  
5) FSK Modulator  
6) Loop Driver  
7) Loops and Feedlines

The Presence Detection (PD) Subsystem contains the following components:

1) Presence Detector Electronics  
2) Presence Detector Processor  
3) Presence Detectors

The Magnetic Signalling Subsystem contains the following components:

1) Stop Initiate Magnets  
2) Switch Initiate Magnets  
3) Position Correction/Calibration Magnets

Other components of the GCU which are not contained within the above three subsystems are:

1) Master Clock  
2) Run-out Switches

4.1  Inductive Communication Subsystem

Much of the AGRT Inductive Communication Subsystem design is based on the experience gained from the MPM design which is documented in NTIS report number UMTA-MA-06-0048-78-6.

A block diagram of the Inductive Communications Subsystem is shown in Figure 4.1-1. Inductive coupling between wire loops embedded in the guideway and rectangular coil antennas mounted beneath the vehicle provides the medium of communication. Data to be uplinked originates in
FIGURE 4.1-1: INDUCTIVE COMMUNICATION SUBSYSTEM BLOCK DIAGRAM
The uplink message is 50 bits in length and encoded in a bipolar return-to-zero format (see Figure 4.1-2). The upper FSK carrier frequency \( f_u = 110.34 \text{ kHz} \) represents data "1" and the lower \( f_L = 108.84 \text{ kHz} \) represents data "0". During the second half of each bit time, the carrier frequency is shut off. In addition, the FSK carrier will be interrupted during the first two bit times to mark the beginning of each message. As the system requires the transmission of a message every 40 ms, each bit time will be 40 ms/50 or 800 µs long. This gives a bit rate of 1250 bits per second.
FIGURE 4.1-2: INDUCTIVE LINK MODULATION FORMAT
A complete end-to-end Inductive Communications link was assembled and tested in the laboratory, demonstrating a viable design approach to the vehicle/wayside communications. Included in the demonstration was the transmission and recovery of a safe-to-proceed clock signal, speed limit command, and a field of variable data.

An important part of the demonstration was testing the ability of the link to perform in the presence of noise. To this end, the link was subjected to impulse noise modeled from data collected at Morgantown, the Surface Transportation Test Facility (STTF), and the Seattle Metro installation.

The layout for the Inductive Communications Demonstration is shown in Figure 4.1-3. This arrangement is intended to simulate the wayside to vehicle FSK uplink, including transmission and reception of the speed limit message, variable data, and the safe-to-proceed clock signal.

The FSK message originates in the Z8002 Development Module. (The Z8002 Development Module is a general purpose hardware/software development tool consisting of a Z8002 microprocessor, 16K RAM, ROM, monitor, and I/O ports.) A CRT terminal allows an operator to enter a 25 bit message of arbitrary content; this message is then passed through to the Communications Processor via a shared memory space. The Communications Processor adds to this data field the 7 bit speed limit and the 16 bit Cyclic Redundancy Check (CRC) code. The complete 48 bit message is clocked out serially to the modulator. Timing pulses necessary for the serial data transfer and recognition of the beginning of new messages are provided by the data clock and frame clock signals from the Clock Module. The data clock toggles the modulator "carrier enable" input, producing the safe-to-proceed clock. The FSK modulator output is amplified in the Loop Driver and applied to the Guideway Loop. The transmitted signal is inductively coupled into the Receive Antenna and applied to the Digital Receiver for detection.
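
The modulation format and the message assembly described above can be modeled end to end. The following is an added example, not code from the report: it builds the 48 bit message, schedules the carrier bursts of the 50 bit-time frame, and accepts a received frame only when the carrier pattern is complete and the CRC matches. The CRC polynomial (CRC-16/CCITT with zero initial value), the MSB-first bit order, and the data / speed limit / CRC field order are assumptions, since the report does not state them.

```python
# Added illustration: model of the 50 bit-time uplink frame (not the report's firmware).
F_ONE_HZ = 110_340            # upper FSK carrier = data "1" (report value)
F_ZERO_HZ = 108_840           # lower FSK carrier = data "0" (report value)
FRAME_PERIOD_US = 40_000      # one message every 40 ms
FRAME_BITS = 50               # 2 carrier-off marker bit times + 48 message bits
BIT_TIME_US = FRAME_PERIOD_US // FRAME_BITS   # 800 us, i.e. 1250 bit/s
MARKER_BITS = 2
DATA_BITS, SPEED_BITS, CRC_BITS = 25, 7, 16
MESSAGE_BITS = DATA_BITS + SPEED_BITS + CRC_BITS

# ASSUMPTION: the report names a 16 bit CRC but not its polynomial or initial
# value; CRC-16/CCITT (0x1021, init 0) is used here purely for illustration.
CRC_POLY = 0x1021


def to_bits(value, width):
    """Return value as a list of bits, most significant bit first."""
    if not 0 <= value < (1 << width):
        raise ValueError(f"value does not fit in {width} bits")
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def crc16(bits):
    """Bit-serial CRC over a list of bits, as a shift register would compute it."""
    reg = 0
    for b in bits:
        feedback = ((reg >> 15) & 1) ^ b
        reg = (reg << 1) & 0xFFFF
        if feedback:
            reg ^= CRC_POLY
    return reg


def build_message(data, speed_limit):
    """25 bit data field + 7 bit speed limit + 16 bit CRC (assumed field order)."""
    payload = to_bits(data, DATA_BITS) + to_bits(speed_limit, SPEED_BITS)
    return payload + to_bits(crc16(payload), CRC_BITS)


def modulate(message_bits):
    """Return the carrier bursts of one frame as (start_us, duration_us, freq_hz).

    The first two bit times carry no burst (start-of-message marker); every
    later bit time has carrier in its first half only (return to zero).
    """
    if len(message_bits) != MESSAGE_BITS:
        raise ValueError("message must be 48 bits")
    half = BIT_TIME_US // 2
    return [((MARKER_BITS + i) * BIT_TIME_US, half, F_ONE_HZ if bit else F_ZERO_HZ)
            for i, bit in enumerate(message_bits)]


def demodulate(bursts):
    """Recover the 48 message bits, or None if the carrier pattern is wrong."""
    slots = {}
    for start, duration, freq in bursts:
        slot, offset = divmod(start, BIT_TIME_US)
        if offset or duration != BIT_TIME_US // 2 or slot in slots:
            return None
        if freq not in (F_ONE_HZ, F_ZERO_HZ):
            return None
        slots[slot] = 1 if freq == F_ONE_HZ else 0
    wanted = list(range(MARKER_BITS, FRAME_BITS))
    if sorted(slots) != wanted:
        return None   # carrier inside the marker gap, or a missing burst
    return [slots[s] for s in wanted]


def accept(bursts):
    """Return (data, speed_limit) for a complete frame with a valid CRC, else None."""
    bits = demodulate(bursts)
    if bits is None:
        return None
    payload, crc_field = bits[:-CRC_BITS], bits[-CRC_BITS:]
    if crc16(payload) != from_bits(crc_field):
        return None
    return from_bits(payload[:DATA_BITS]), from_bits(payload[DATA_BITS:])
```

A frame with one flipped bit, a dropped burst, or carrier during the marker interval is rejected rather than partially decoded, which is the behaviour a receiver of a speed limit command needs.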

FIGURE 4.1-3: INDUCTIVE COMMUNICATIONS DEMONSTRATION CONFIGURATION

FIGURE 4.1-4: SPECTRUM ANALYZER PHOTOS SHOWING FSK SIGNAL WITH AND WITHOUT NOISE

A second loop antenna couples the noise signal from the Impulse Noise Generator into the receiver. Figure 4.1-4 shows frequency domain pictures of the FSK with and without the generated noise. Figure 4.1-5 shows a time domain picture of the signal together with the generated noise. The bit error rate test results were as follows:

<table>
<thead>
<tr>
<th>Measurement</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>Messages transmitted</td>
<td>710,223</td>
</tr>
<tr>
<td>Messages received</td>
<td>710,222</td>
</tr>
<tr>
<td>Detected errors</td>
<td>0</td>
</tr>
<tr>
<td>Bit error rate</td>
<td>$3 \times 10^{-8}$</td>
</tr>
</tbody>
</table>

From this data, it can be seen that this Digital FSK Receiver using the digital discrimination technique displays almost no sensitivity to the noise environment created for our test. The tests showed, as predicted, that the Digital Receiver is not sensitive to the amplitude of the impulse noise, but rather to the number of pulses per bit time.

We know from the demodulation scheme used that the receiver will not perform as well in an environment where significant sinusoidal interference is present. Tests were thus run to determine the ability of the receiver to operate in the presence of an interfering sinusoid. The Digital Receiver threshold (the level at which the receiver can accurately decode FSK signals) was adjusted to -50 dBV RMS (3 dB below the operating level, -47 dBV RMS) and a steady tone was coupled into the receive antenna using a summing amplifier to sum the FSK carrier and the interfering sinusoid. The level of the interfering signal was increased until a threshold was reached where errors began to occur. The results of these tests are shown in Figure 4.1-6. It can be seen from this that the Digital FSK Receiver has a rather wide interference bandwidth for sinusoids. However, high level sinusoids, other than 60 Hz, are not expected. If required, a 60 Hz notch filter can be added.

4.1.1 Communication Processor

The communication processing is performed by one 8 bit microcomputer for each uplink/downlink loop pair. The Communication Processor transfers data to and from the TCCS by storing the data in a processor dedicated Shared Memory (located on-card). This data consists of uplink and downlink messages and processor control and status bits. The Communication Processor formats the uplink message by combining 1) the data from the Shared Memory and 2) four hardwired speed limit bits and three hardwired vertical redundancy check bits from the backplane. The Communication Processor then outputs this uplink message as a serial data stream to the uplink modulator and the Speed Limit Checker. The Communication Processor also receives downlink messages from the receiver. The received downlink messages are decoded, time-tagged, and placed in the Shared Memory for access by the TCCS. A block diagram is shown in Figure 4.1.1-1.

FIGURE 4.1-5: OSCILLOSCOPE PHOTO SHOWING SIGNAL AND NOISE (panel label: FSK Plus "Extended" Noise)
FIGURE 4.1-6: PLOT OF RECEIVER SENSITIVITY TO SINUSOIDALS VERSUS FREQUENCY

The Communication Processor software resides in a programmable Read Only Memory (ROM). The software is divided into three major modules: the Main Communications Routine, the Uplink Interrupt Routine, and the Downlink Interrupt Routine. These modules are diagrammed in Figure 4.1.1-2.

Main Communications Routine

The Main Communications Routine has a structure as diagrammed in Figure 4.1.1-3.

Upon power up, the processor executes all three initialization routines. Subsequent to this initialization, the processor remains in the Background Routine performing a checksum test on the program ROM, until interrupted for an Uplink or Downlink routine. That is, the communication processor software is interrupt driven as shown in Figure 4.1.1-4.

Uplink Interrupt Routine

The uplink routine is called whenever a positive transition is detected on the data clock. The Uplink Interrupt Routine performs the following functions:

1) Read uplink data from the Shared Memory
2) Perform Uplink Initialization when prompted to do so by the TCCS through the Shared Memory
3) Read Hardwired Speed Limit and Vertical Redundancy Check code
4) Format uplink message
5) Calculate Cyclic Redundancy Check (CRC) code and attach to message
6) Output serial message to Modulator

FIGURE 4.1.1-1: COMMUNICATION PROCESSOR BLOCK DIAGRAM (blocks shown: UNIBUS from TCCS, DEC UNIBUS drivers/receivers, bus drivers/receivers, Shared Memory (2K x 16 RAM), logic (PAL's), Z8603 with Ports 0, 1 and 2 and inputs P30, P31, P32, EPROM, buffer for the hard-wired VRC and hard-wired speed limit, ECL receiver, TTL receivers, TTL driver; signals shown: 8 MHz, FRAME, DATA CK, STROBE, XMIT, RCV DATA, RESET)
Figure 4.1.1-2: Communication Processor Software Structure
Figure 4.1.1-3: Main Communications Routine
FIGURE 4.1.1-4: COMMUNICATION PROCESSOR SOFTWARE INTERRUPT SOURCES (Background Routine runs forever; the rising edge of "DATA CLOCK" invokes the Uplink Interrupt Routine; the falling edge of the FSK receiver "STROBE" invokes the Downlink Interrupt Routine)

The uplink software has a structure as diagrammed in Figure 4.1.1-5. The uplink message format is shown in Figure 4.1.1-6.

Downlink Interrupt Routine

The downlink processing is called whenever a negative transition is detected on the data strobe from the FSK receiver. The Downlink Interrupt Routine performs the following functions:

1) Detect frame by measuring time since last receiver strobe
2) Assign time tag to message
3) Format received data and deposit in shared memory
4) Perform Downlink Initialization when prompted to do so by the TCP through the Shared Memory
5) Check ability to write to Shared Memory with Read-After-Write check
6) Report Read-After-Write errors to Test Control Processor
7) Report receiver strobe errors to the TCP

The received message structure is shown in Figure 4.1.1-7. The downlink software has a structure as diagrammed in Figure 4.1.1-8.

4.1.2 Speed Limit Checker Processor

The Speed Limit Checker (SLC) verifies that the correct speed limit has been embedded in the uplink message and provides failsafe detection of speed limit errors (refer to Figure 4.1-1). The SLC output to the safe-to-proceed control card disparity detector is an inverted Frame Clock; this inverted Frame Clock is the result of a successful self-test and a check on the Communication Processor generated speed limit. The self-test verifies the ability of the SLC to detect an erroneous speed limit. Each SLC card verifies speed limit generation from up to four Communication Processors.

**FIGURE 4.1.1-6:**  
**UPLINK MESSAGE FORMAT**

<table>
<thead>
<tr><th>Bits</th><th>Field</th></tr>
</thead>
<tbody>
<tr><td>47-32</td><td>CRC</td></tr>
<tr><td>31-20</td><td>VEHICLE ID OR DATA</td></tr>
<tr><td>19-16</td><td>FUNCTION CODE</td></tr>
<tr><td>15-12</td><td>COMMAND</td></tr>
<tr><td>11-9</td><td>LINE SPEED</td></tr>
<tr><td>8</td><td>X</td></tr>
<tr><td>7</td><td>X</td></tr>
<tr><td>6-3</td><td>SPEED LIMIT</td></tr>
<tr><td>2-0</td><td>VRC</td></tr>
</tbody>
</table>

**FIGURE 4.1.1-7:**  
**DOWNLINK MESSAGE FORMAT**

<table>
<thead>
<tr><th>Bits</th><th>Field</th></tr>
</thead>
<tbody>
<tr><td>47-32</td><td>CRC</td></tr>
<tr><td>31-20</td><td>ID</td></tr>
<tr><td>19-16</td><td>FUNCTION CODE</td></tr>
<tr><td>15-0</td><td>DATA</td></tr>
</tbody>
</table>

FIGURE 4.1.1-8: DOWNLINK SOFTWARE STRUCTURE

The function of the SLC software is to compare serial data received from each Communication Processor to data hardwired to the SLC card. For each Communication Processor monitored, a dynamic signal is output (Speed Limit Status Output) which can be disparity checked with a Frame Clock from the Master Clock circuitry.

The SLC hardware is based on a Zilog 8 bit microcomputer. A block diagram of the SLC is shown in Figure 4.1.2-1. Since the SLC monitors the serial data from four communication processors, the hardware accepts four sets of hardwired speed limit data and outputs four dynamic signals which indicate the status of the four serial inputs. An interface diagram is shown in Figure 4.1.2-2. A diagram showing the speed limit status output and frame inputs in relation to the STP control card is shown in Figure 4.1.2-3.

SLC Software

The central point in the design of the SLC software is safety; the SLC must be failsafe since the uplinked speed limit must be generated and transmitted in a failsafe manner. For the SLC, this means that all hardware and software failures must result in an output which is detectable. Failure of the microcomputer to correctly execute instructions, or failure of instructions (or one instruction) in program memory, or failure of data items in memory, or erroneous transfer of data must be detectable.

The SLC software design approach was to develop software for which 1) it could be shown that there are no single undetectable failures and 2) combinations of multiple failures resulting in an unsafe condition are so complex as to be implausible (one in a million years). The SLC software design methodology is summarized below:

- Exercise safety-critical operations using test data every check cycle (40 ms).
- Require the results of the processing of test data to be the complement of the results expected with good real data.
- Monitor the results using a failsafe detector to detect the failure of the speed limit checker to output the results of processing both real and test data.
- Design software modules that are shared by test and real data so that all processing errors cause the shared modules to output externally detectable anomalous results.

FIGURE 4.1.2-1: SPEED LIMIT CHECKER BLOCK DIAGRAM
FIGURE 4.1.2-2: SPEED LIMIT CHECKER INTERFACES (inputs: data from Comm Processors 1 to 4, 4 hardwired speed limits on 16 lines, 8 MHz clock, Frame Clock (25 Hz); outputs: Speed Limit Status 1 to 4)
FIGURE 4.1.2-3: SPEED LIMIT CHECKER SPEED LIMIT STATUS OUTPUT (blocks shown: Frame 1 and Frame 2 from Master Clock, data from Comm Processor, Speed Limit Checker, Speed Limit Status, STP Control (Disparity Detector and Latch), STP Tracer; timings marked: 40 ms, 800 μs, 1600 μs)

The SLC software (see Figure 4.1.2-4) accepts serial data from the Communication Processor and parallel fixed data from the backplane. The fixed data is compared against the real data to give the RESULTS (REAL) output every 40 ms. The fixed data is also compared against the other 15 invalid speed limits which have been generated from the fixed data. This process gives the RESULTS (TEST) which is the complement of RESULTS (REAL). The SLC software, therefore, generates a dynamic output that has a timing relationship as given in Figure 4.1.2-5. Failures in the SLC produce a different output which is detected by the Disparity Detector.

4.1.3 Safe-To-Proceed Control

The original MPM disparity detector was designed by the Bendix Corporation in the early 1970's. It was intended to meet the failsafe criterion, and Bendix performed and documented a safety analysis that supported this objective. The design has been in use in the Morgantown system up to the present, and field data has indicated exceptional reliability. (This does not substantiate its safety, but does indicate the integrity of the design.)

In 1982, Boeing safety personnel conducted an in-depth safety evaluation of the design, which involved detailed circuit analysis to determine unsafe fault configurations, and included a quantitative fault tree analysis of the initial findings, applying generic failure rate data from Military sources. The numerical results showed that the MPM design exceeded the MPM safety criteria, and met the AGRT safety goal of an MTBUF of better than one million years.

FIGURE 4.1.2-4: SPEED LIMIT CHECKER SOFTWARE STRUCTURE (Main Executive: Initialization, Background ROM Check; Frame Falling Edge Interrupt; Timer Interrupt with branches labelled 0, 48: Output & Compare, Prepare for Next Comparison; 3, 4, 5, 6: Read Data; 1, 2, 7 thru 47: No Operation)
FIGURE 4.1.2-5: SPEED LIMIT CHECKER PROCESSING TIMING (traces: uplink bit time with the VRC and SPEED LIMIT fields marked, FRAME 1, FRAME 2, DATA CLOCK, SPEED LIMIT STATUS (1 of 4)). Diagram shows results when speed limit is correct for prior frame and all self-checks pass.

The purpose of the Safe-To-Proceed (STP) control is to interrupt the Master Clock-to-Modulator data clock (tracer) when a disparity exists between the Logic A and B inputs. Figure 4.1.3-1 shows the STP card in the GCU and Collision Avoidance Subsystem (CAS) applications.

A block diagram is shown in Figure 4.1.3-2. The Disparity Detector and Latches are the heart of the card. The Logic A and B inputs must be complements of each other in order for the data clock to continue uninterrupted through the card. Disparities longer than 800 us result in the data clock being permanently interrupted by a Disparity Latch.
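
The Speed Limit Checker self-test of Section 4.1.2 and the disparity latch described above can be modelled together. The following is an added example, not the report's firmware: the comparator, the injected stuck-at fault, the frame contents and the way the 15 invalid codes are formed (hardwired value XOR 1..15) are assumptions, and each output phase is assumed to last longer than the 800 us disparity limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HARDWIRED_LIMIT 0x9u   /* constructed backplane speed limit code */

/* Speed limit occupies bits 6..3 of the 48-bit uplink message (Figure 4.1.1-6). */
static uint8_t speed_limit_field(uint64_t uplink_msg)
{
    return (uint8_t)((uplink_msg >> 3) & 0x0Fu);
}

/* Constructed uplink frame: only the speed limit field matters here. */
static uint64_t make_frame(uint8_t speed_limit)
{
    return 0x123456789000ULL | ((uint64_t)(speed_limit & 0x0Fu) << 3) | 0x5u;
}

/* The comparator is the module shared by real and test data. It is passed as
 * a pointer so that a faulty version can be substituted (fault injection). */
typedef bool (*compare_fn)(uint8_t received, uint8_t hardwired);

static bool compare_healthy(uint8_t received, uint8_t hardwired)
{
    return (received & 0x0Fu) == (hardwired & 0x0Fu);
}

/* Constructed latent fault: comparator output stuck at "equal". */
static bool compare_stuck_equal(uint8_t received, uint8_t hardwired)
{
    (void)received;
    (void)hardwired;
    return true;
}

/* RESULTS (REAL): 1 when the uplinked speed limit equals the hardwired one. */
static int results_real(compare_fn cmp, uint64_t uplink_msg, uint8_t hardwired)
{
    return cmp(speed_limit_field(uplink_msg), hardwired) ? 1 : 0;
}

/* RESULTS (TEST): present the 15 other 4-bit codes to the same comparator.
 * Assumption: the invalid codes are formed as hardwired XOR 1..15.
 * A working comparator rejects all 15, giving 0, which is the complement of
 * a good RESULTS (REAL). */
static int results_test(compare_fn cmp, uint8_t hardwired)
{
    int accepted = 0;
    for (uint8_t delta = 1; delta <= 15; delta++) {
        if (cmp((uint8_t)((hardwired ^ delta) & 0x0Fu), hardwired))
            accepted++;
    }
    return accepted == 0 ? 0 : 1;
}

/* Disparity detector with latch: Logic A and Logic B must be complements.
 * Once a disparity is seen the tracer stays interrupted. */
struct stp_control { bool latched; };

static bool stp_tracer_passes(struct stp_control *stp, int logic_a, int logic_b)
{
    if (logic_a == logic_b)
        stp->latched = true;
    return !stp->latched;
}

/* Run one check cycle per frame. Returns the index of the first cycle in
 * which the tracer is interrupted, or -1 if it is never interrupted. */
static int first_interrupted_cycle(compare_fn cmp, const uint64_t *frames,
                                   size_t n, uint8_t hardwired)
{
    struct stp_control stp = { false };
    for (size_t i = 0; i < n; i++) {
        /* Phase 1: frame reference 0, SLC must output RESULTS (REAL) = 1. */
        bool ok = stp_tracer_passes(&stp, 0, results_real(cmp, frames[i], hardwired));
        /* Phase 2: frame reference 1, SLC must output RESULTS (TEST) = 0. */
        ok = stp_tracer_passes(&stp, 1, results_test(cmp, hardwired)) && ok;
        if (!ok)
            return (int)i;
    }
    return -1;
}

/* Four constructed frames; the third carries limit_in_third_frame. */
static int demo(compare_fn cmp, uint8_t limit_in_third_frame)
{
    const uint64_t frames[4] = {
        make_frame(HARDWIRED_LIMIT), make_frame(HARDWIRED_LIMIT),
        make_frame(limit_in_third_frame), make_frame(HARDWIRED_LIMIT)
    };
    return first_interrupted_cycle(cmp, frames, 4, HARDWIRED_LIMIT);
}

int main(void)
{
    printf("healthy SLC, correct limits : %d\n", demo(compare_healthy, 0x9));
    printf("healthy SLC, wrong 3rd limit: %d\n", demo(compare_healthy, 0xB));
    printf("stuck comparator            : %d\n", demo(compare_stuck_equal, 0x9));
    return 0;
}
```

The stuck comparator would accept a wrong speed limit in the real-data check alone; it is the test-data phase, run through the same comparator, that exposes it on the first cycle.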

4.1.4 FSK Receiver

Past FSK receiver designs have utilized analog bandpass filters to detect spectral energy within FSK passbands in order to demodulate FSK signals. Such schemes have an inherent problem in severe impulse noise environments because impulses are composed of an infinite number of spectral components. An analog bandpass filter designed to detect FSK frequencies would detect spectral energy within its passband even when the only input to the filter is a series of pulses with Pulse Repetition Frequencies (PRF) lower than the FSK frequencies. With several impulse noise sources, all with their own pulse widths and PRF's, the spectral makeup of the signal can become quite complex. The Digital FSK Receiver, however, minimizes the effect of this because of its unique method of frequency demodulation. As shown in Figure 4.1.4-1, the Digital FSK Receiver measures the duration of each cycle of the received downlink signal (115.11 KHz or 113.48 KHz) and determines the frequency of the sinusoid based on the time measured. In addition to determining frequency at the end of each cycle of received signal, the receiver digitally integrates the results of the decisions made after each cycle. This technique results in a very accurate decoding of the FSK data because the time duration of each interfering noise element is very short relative to the bit transmission time. The noise impulses are short (20 us) compared to the bit time (400 us). Since the Pulse Repetition Frequency of the noise sources is less than 1 KHz, each source can contribute only one pulse per data bit time. Even when impulses from all four noise sources appear in one bit time, there is sufficient time for the receiver to make an accurate decision.

FIGURE 4.1.3-1: STP CONTROL APPLICATION (blocks shown: Master Clock supplying Frame 1, Frame 2 and the STP tracer; Comm Processor; Speed Limit Checker (<50 µs delay); MCAS 1; MCAS 2 (10 µs delay); GCU STP Control Card and CAS STP Control Card, each with Logic A and Logic B inputs; STP Tracer In and STP Tracer Out; Modulator; timings marked: 800 µs, 1600 µs)

Figure 4.1.3-2: STP Control Block Diagram (blocks shown: Frame 1, Frame 2, Speed Limit Checker *, STP Tracer In, Logic A, Logic B, Level Converter, Disparity Detector *, Disparity Latch #1 *, Disparity Latch #2 *, Buffer *, STP Tracer Out to CAS STP Control Card; timings marked: 800 μs, 1600 μs, <=50 μs delay)

*Safety Critical

FIGURE 4.1.4-1 METHOD OF FREQUENCY DEMODULATION

1. After converting sinusoid to TTL square wave, the discriminator measures the period of the cycle last received. The frequency is determined based on the time measured. (The diagram shows a waveform with each period marked T.)

\[ \frac{1}{T} = \text{Frequency} \]

2. The receiver integrates the total number of frequency decisions made during each data bit transmission. The result of the integration is dumped and the data bit is set at the output at the end of the data bit transmission.

The purpose of the digital receiver is to decode FSK analog inputs and produce the corresponding digital code with the correct timing. The receiver consists of two sections: an analog front end and a digital demodulator. Block diagrams of these two sections are shown in Figures 4.1.4-2 and -3. The analog front end amplifies and bandpass filters low level input signals. A limiter removes amplitude variations and a threshold detector passes signals above 0.4 volts.

The digital section consists of an up counter that counts between signal zero crossings, a Programmable Array Logic (PAL) decoder that maps counter outputs to convenient jump addresses, and a microcomputer that chooses the PAL code that occurs most often, and strobes out the corresponding code.

The Front End Circuit

The Front End Circuit is the interface between the analog signal received from the FSK antenna and the digital demodulator. It accepts the signals from the antenna through an instrumentation amplifier designed with an input impedance of 150 ohms to match the impedance of the receive loop. The buffered signal is subjected to a broad preselection filter and then a hard limiter before being converted to TTL levels by a comparator at its output stage. The TTL compatible square wave output is delivered to the Frequency Discriminator and the Carrier Start Detector.

The design of the preselection filter required careful consideration. Due to the nature of the demodulation concept used, a problem results when one tries to filter the signal received to any great extent. To understand the problem, let us examine why the digital demodulation technique is so attractive for our application.

FIGURE 4.1.4-2: ANALOG FRONT END BLOCK DIAGRAM
FIGURE 4.1.4-3: DIGITAL DEMODULATOR BLOCK DIAGRAM

Recall that the reason why this concept was conceived was because it was known from past experience that the major type of interference expected in our application would be very sharp impulse spikes occurring at relatively low repetition rates. Gaussian noise is expected to be negligible and sinusoidal interference is expected to be very low. In such an environment the Digital Discriminator is ideal because the major type of interference is present only during the very sharp spikes and does not interfere with the reception during an entire bit time. It is important to note here that interference which is present during the entire bit time, such as a continuous high level sinusoid, could deteriorate the receiver performance. Power line 60 Hz interference for instance, would make the receiver inoperable if it were not somehow filtered out. (Figure 4.1.4-4 shows the effects of both types of noise.)

We know from the Fourier Theorem that any impulse is actually a sum of an infinite number of sinusoids. Subjecting such an impulse to a bandpass filter can alter the phase and amplitude relationships of these sinusoidal components and thus alter the shape of the impulse spike.

Consider then what happens when we subject such an impulse spike to a bandpass filter. As we begin eliminating spectral components by progressively making the passband narrower, rise and fall times suffer. The waveform becomes "stretched out" until eventually the filter allows but one spectral component through, a steady sinusoid. Also, even with a very broad passband, if the phase relationships between the spectral components are altered, we will experience a degradation in the settling time of the response. This too will result in extending the duration of the interference caused by the impulse spike. Both phenomena pose a problem for the Digital Receiver, because the interference ceases to be a short spike which interferes with the reception for only a small fraction of the bit time.
FIGURE 4.1.4-4: EFFECTS OF SINUSOIDAL INTERFERENCE AND IMPULSE NOISE
We can now see the dilemma that we have. On one hand, no band limiting is desired so that all impulse spikes can be received without stretching their short time duration. However, on the other hand, it would be desirable to make the passband as narrow as possible around the FSK frequencies in order to eliminate any interference from sinusoidal noise sources. This trade must be performed in order to optimize the receiver to the environment expected.

The AGRT vehicle is expected to utilize a propulsion unit similar to the unit used on the Seattle Metro electric trolley system. Tests on the Seattle Metro vehicle show that up to four independent sources contribute to the impulse noise interference. Each source generates noise at relatively low PRF's (less than 800 Hz) but due to the fact that they are not synchronous, it is possible for all of them to occur during any single bit time. It was determined from this that the filter should not be allowed to "stretch" a spike more than 2 FSK cycle times (about 20 us).

In order to meet the above requirement, a very broad filter with maximally linear phase delay is required. This was implemented by cascading two 3-pole low pass Bessel filters with 3 dB frequencies at around 150 KHz and a differentiator with unity gain at 100 KHz. Figure 4.1.4-5 shows photos of the filter response curve and the time domain response of the filter to a rectangular impulse.

The Digital Discriminator

The Digital Discriminator is the heart of the Digital FSK Receiver (refer to Figure 4.1.4-3). It times every cycle of carrier received at its squared carrier input and determines if the period corresponded to one of the two valid frequencies. Its function is therefore to select a code which corresponds to the frequency which occurs most often. A diagram of the receiver software structure is shown in Figure 4.1.4-6.

FIGURE 4.1.4-5: FRONT END FILTER CHARACTERISTICS (panels: Frequency Response; Time Domain Response To A Rectangular Impulse)

FIGURE 4.1.4-6: RECEIVER SOFTWARE STRUCTURE

- **INITIALIZATION ROUTINE**
- **JUMP TO ADDRESS (FREQUENCY)**
- **TIMER INTERRUPT ROUTINE**
- **FSK CARRIER DETECTION ROUTINES**
- **CARRIER ABSENCE DETECTION ROUTINES**
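
The per-cycle period measurement and integrate-and-dump decision described in this section can be exercised with the report's own numbers (400 us bit time, 20 us impulses, four noise sources). The following is an added example, not the receiver's firmware: the mapping of 115.11 KHz to logic 1, the 50 ns acceptance window and the model in which every cycle touched by interference is measured with a corrupted period are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIT_TIME_NS  400000u  /* 400 us bit time (from the report) */
#define PERIOD_HI_NS   8687u  /* one cycle of 115.11 KHz */
#define PERIOD_LO_NS   8812u  /* one cycle of 113.48 KHz */
#define WINDOW_NS        50u  /* assumed acceptance window around each period */
#define MAX_CYCLES       64

struct impulse { uint32_t start_ns; uint32_t len_ns; };

/* Constructed: one 20 us impulse from each of four sources in one bit time. */
static const struct impulse FOUR_IMPULSES[4] = {
    { 50000u, 20000u }, { 150000u, 20000u }, { 250000u, 20000u }, { 350000u, 20000u }
};

/* Constructed: interference present for 250 us, more than half the bit time. */
static const struct impulse SUSTAINED[1] = { { 0u, 250000u } };

/* Per-cycle decision: +1 = 115.11 KHz, -1 = 113.48 KHz, 0 = not a valid
 * FSK period (the cycle is discarded). Stands in for the counter and PAL. */
static int classify_cycle(uint32_t period_ns)
{
    if (period_ns + WINDOW_NS >= PERIOD_HI_NS && period_ns <= PERIOD_HI_NS + WINDOW_NS)
        return +1;
    if (period_ns + WINDOW_NS >= PERIOD_LO_NS && period_ns <= PERIOD_LO_NS + WINDOW_NS)
        return -1;
    return 0;
}

/* Integrate the per-cycle decisions over one bit time and dump the result.
 * Returns 1 or 0, or -1 when there is no majority (tie or no valid cycles). */
static int decode_bit(const uint32_t *periods_ns, size_t n)
{
    int sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += classify_cycle(periods_ns[i]);
    if (sum > 0) return 1;   /* assumption: 115.11 KHz carries logic 1 */
    if (sum < 0) return 0;
    return -1;
}

/* Produce the measured cycle periods for one transmitted bit. Any cycle that
 * overlaps an interference interval is recorded as corrupted_period_ns. */
static size_t measure_bit(int bit, const struct impulse *noise, size_t n_noise,
                          uint32_t corrupted_period_ns, uint32_t *out)
{
    uint32_t period = bit ? PERIOD_HI_NS : PERIOD_LO_NS;
    size_t n = 0;
    for (uint32_t t = 0; t + period <= BIT_TIME_NS && n < MAX_CYCLES; t += period) {
        uint32_t measured = period;
        for (size_t j = 0; j < n_noise; j++) {
            uint32_t end = noise[j].start_ns + noise[j].len_ns;
            if (t < end && t + period > noise[j].start_ns)
                measured = corrupted_period_ns;
        }
        out[n++] = measured;
    }
    return n;
}

/* Transmit one bit through the noise model and return the decoded value. */
static int receive_bit(int bit, const struct impulse *noise, size_t n_noise,
                       uint32_t corrupted_period_ns)
{
    uint32_t periods[MAX_CYCLES];
    size_t n = measure_bit(bit, noise, n_noise, corrupted_period_ns, periods);
    return decode_bit(periods, n);
}

int main(void)
{
    /* Worst case: every corrupted cycle looks like the other FSK frequency. */
    printf("clean 1            -> %d\n", receive_bit(1, NULL, 0, 0));
    printf("1 + four impulses  -> %d\n", receive_bit(1, FOUR_IMPULSES, 4, PERIOD_LO_NS));
    printf("1 + sustained tone -> %d\n", receive_bit(1, SUSTAINED, 1, PERIOD_LO_NS));
    return 0;
}
```

With four 20 us impulses at most 16 of the 46 cycles in a bit vote wrongly, so the bit is still decoded; interference that persists for most of the bit time flips the decision, which is the sensitivity to sinusoidal interference the report describes.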
Signal Levels

The minimum signal level to the receiver was selected as -47 dBV RMS. This is the same as the MPM level. The vehicle antenna drive level was calculated from the link attenuation factors and is shown graphically in Figure 4.1.4-7 for reference.

4.1.5 FSK Modulator

The FSK Modulator transforms the binary input from the Communication Processor to analog Frequency Shift Keyed data at approximately 1 VRMS. The logic low output frequency is 108.884 KHz and the logic high output frequency is 110.344 KHz. The frequency accuracy is 0.2% and the total harmonic distortion is 5%.

The modulator produces an output when the enable input is logic low. A new frequency is selected on the negative transition of the enable input.

A block diagram is shown in Figure 4.1.5-1. The data input programs the counters to count down to zero (with 8 MHz clock) in 1/110340 seconds or 1/108840 seconds thereby producing one of the required frequencies. A typical output is shown in Figure 4.1.5-2.

4.1.6 Loop Driver

The purpose of the Loop Driver is to amplify the approximately 1 VRMS signal from the modulator to drive up to 250 milliamps peak into a loop up to 1000 feet long and up to 2000 feet of feedline. The Loop Driver is capable of driving a worst case loop of 280 ohm at 30°. The 250 milliamp drive requirement is derived from the vehicle receiver minimum signal level requirement, -47 dBV RMS. Figure 4.1.6-1 shows the uplink path losses. The actual drive requirement is 188 milliamps peak, however, the Loop Driver was designed with a 250 milliamp capability so that the same design could be used in the Collision Avoidance System inductive link.

FIGURE 4.1.4-7: VEHICLE ANTENNA DRIVER TO GCU RECEIVER LINK LOSSES
FIGURE 4.1.5-1: MODULATOR BLOCK DIAGRAM (blocks shown: 32 MHz clock, DATA, ENABLE/DISABLE and STP TRACER (DATA CK) inputs; digital count-down circuits; digital-to-sine-wave converter (low-pass filter) → variable gain output → to Loop Driver)
FIGURE 4.1.5-2: MODULATOR OUTPUT EXAMPLE

**Figure 4.1.6-1: Uplink Path Losses**

Level scale in dBV rms (ticks at +30, +20, +10, 0), with the Driver Output and Loop levels marked.

- **Loop**: $+32\ \text{dBV}_{\text{rms}} = 56\ V_p = 188\ \text{mA}$
- **Feedline SWR + ATTN**: $6\ \text{dB}$
- **Loop SWR + ATTN**: $6\ \text{dB}$
- **Lateral/Angular Off-Track**: $3.5\ \text{dB}$
- **Ride Height Variation**: $2\ \text{dB}$
- **Merge/Diverge X-Over**: $6\ \text{dB}$
- **Worst Case Uplink Transfer Ratio**: $67\ \text{dB}$
- **Receiver Must Accept**: $-47\ \text{dBV}_{\text{rms}}$

$$V_T = \text{Transfer Ratio} = V_{\text{OUT}}/V_{\text{IN}} = V_{\text{OUT}}/(I_{\text{IN}} R_{\text{IN}}) = Z_T/R_{\text{IN}} = 0.5/300 = -55.5\ \text{dB}$$

(For $Z_T = -6\ \text{dB}$)

The attenuation due to each component of the total path loss is shown in Figure 4.1.6-1. The off-tracking attenuation and transfer impedance were the result of lab measurements. The ride height variation contributes 2 dB attenuation as shown in Figure 4.1.6-2. The merge-diverge contribution results from an increase in loop width at intersections which results in less intercepted signal at the vehicle antenna. This is shown in Figure 4.1.6-3.

Much work went into verifying that the radiation from the uplink loop would not exceed the limit specified by the Federal Communication Commission in the Code of Federal Regulations, Title 47, Part 15. The GCU is categorized by Part 15 as a restricted radiation device. The radiated electric field strength cannot exceed 15 microvolts per meter at a distance of one wavelength divided by 6.28.

The measured radiated signal from a MPM test track 1/4 wavelength loop was 3.9 microvolts per meter (when scaled for maximum AGRT drive); this represents a margin of 12 dB. This margin is unchanged for longer loop lengths because the radiation resistance of a two-wire transmission line does not increase after the length has reached 1/4 wavelength. This is derived in a paper in the Proceedings of the I.R.E., November 1951, p. 1408.

A block diagram of the Loop Driver is shown in Figure 4.1.6-4. Notice that a thermostat controls both the analog switch and power relay; under output short circuit or other over-heat conditions, the thermostat removes input drive and power to the power amp.

4.1.7 Loops and Feedlines

The guideway loops consist of two #16 AWG stranded double-jacketed wires spaced 6 ± 0.25 inches apart. The wires are placed in slots in the guideway running surface which are 0.25 inch +0.125/-0.0 inch wide and 0.375 inch +0/-0.125 inch deep. The centerline of the downlink loops is 23 inches ± 0.125 inches to the left of the guideway centerline; the centerline of the uplink loops is 23 inches ± 0.125 inches to the right of the guideway centerline.

FIGURE 4.1.6-2: VEHICLE ANTENNA RIDE HEIGHT VARIATION

NOMINAL 2" RIDE HEIGHT

- ANTENNA INSTALLATION: ± 0.25
- TIRE WEAR: ± 0.0
- GUIDEWAY IRREGULARITIES: ± 0.125
- TIRE DEFLECTION: ± 0.125

VARIATION: +0.5/-1.0 INCHES

0.5 INCH VERTICAL RISE × 4 dB/INCH = 2 dB ATTENUATION

FIGURE 4.1.6-3: SIGNAL ATTENUATION AT INTERSECTIONS
FIGURE 4.1.6-4: LOOP DRIVER BLOCK DIAGRAM

Loop cross-overs are placed in all loops longer than 20 feet; these cross-overs are spaced greater than 10 feet apart but less than 100 feet apart. The number of cross-overs is adjusted such that the number of divided areas is an even number to minimize noise coupled from the power rail.

Uplink and downlink loop termination resistors are located to the side of the guideway so that wire splices and resistors are not required in guideway slots where severe environmental conditions would create corrosion.

A twisted shielded pair feedline connects the loop to the station electronics; the feedline characteristic impedance is 150 ohms. Feedline length is less than 2000 feet.

The loop length is restricted to 1000 feet and feedline length to 2000 feet in order to restrict the variation in drive impedance and input power. This combination presents a maximum drive impedance of 250 ohms at 30 degrees (for nominal $Z_0 = 150$ ohm, 6 dB SWR, and 100 KHz).

The GCU provides a continuous safe-to-proceed signal which must also be continuous at the vehicle. Loop-to-loop boundaries represent a problem without some mechanism which allows for a continuous signal. Notice in Figure 4.1.7-1 that the signal strength decreases with distance at a loop boundary. Two adjacent active loops therefore create a zone of confusion 27 inches wide (worst case). The vehicle avoids confusion here by switching between its dual receivers and antennas at each loop boundary. The vehicle antennas are spaced at 27.5 inches.

4.2 Presence Detection Subsystem

The function of the Presence Detection Subsystem is to detect vehicle entry into FSK loops and to detect vehicle entry/exit to/from station berths and channel entry. This subsystem reports these events to the TCCS.

FIGURE 4.1.7-1: SIGNAL PROFILE AT LOOP BOUNDARY (horizontal axis: longitudinal offset X, from 13 to -15; vertical axis: signal level from -26 dBV RMS to -63 dBV RMS; annotations: 27.5 inch uplink antenna separation, aft and forward uplink antennas, maximum output loop, maximum uplink signal -26 dBV RMS, minimum signal -47 dBV RMS, signal variation +21 dB, FSK receiver must reject -63 dBV RMS)

The main components of the Presence Detection subsystem are:

1) Permanent magnets mounted on both sides of the vehicle guide axle.

2) A guideway PD (Presence Detector) reed switch which is actuated by a vehicle magnet.

3) PD electronics which interface the PD's to the PD CPU.

4) A PD Processor which identifies and time tags PD switch closure and stores the information in a PD shared memory.

5) A PD Shared Memory.

Figure 4.2-1 shows a block diagram of this subsystem.

4.2.1 Presence Detector Electronics

The Presence Detector (PD) Electronics interface the presence detectors to the PD CPU. The PD Electronics provide optical isolation of the PD's from the PD CPU. Each PD Electronics card can handle 16 PD's.

4.2.2 Presence Detector Processor

Hardware

The Presence Detection processing is performed by an 8-bit microcomputer. The processor executes programs from a memory system private to the processor. A block diagram is shown in Figure 4.2.2-1.

The PD processor transfers data to the TCP by storing the data in 8-bit bytes in a processor dedicated Shared Memory which can be accessed by the TCP. The PD processor receives data from the TCP by reading 8-bit bytes from the Shared Memory which were stored there by the TCP. The dedicated Shared Memory is physically located on the same circuit card as the PD processor.

FIGURE 4.2-1: PRESENCE DETECTION SUBSYSTEM BLOCK DIAGRAM
FIGURE 4.2.2-1 (blocks shown: UNIBUS from TCCS, DEC UNIBUS drivers/receivers, bus drivers/receivers, Shared Memory (2K x 16 RAM), logic (PAL's); 8 MHz and FRAME inputs marked "not used")

Software

The PD processing software monitors the outputs of the PD electronics. When an output indicates a PD hit, the PD CPU fetches a time tag from the shared memory and places the time tag and the PD number in the Shared Memory. The PD CPU then interrupts the TCP to indicate the new data placed in the Shared Memory.

After initialization the PD software jumps to a background routine which does a checksum on the program memory. An internal Z8 counter interrupts this task every 400 us to sample the 16 PD inputs. The general software structure is shown in Figure 4.2.2-2.

Figures 4.2.2-3 and -4 show a time line for a short PD hit (closure) and a long PD hit. PD closures which exceed 1.0 second represent failed PD's or a stopped vehicle and are reported as a timed-out PD.

4.2.3 Presence Detectors

The Presence Detectors (PD's) consist of four reed switches in an environmentally protected plastic package (approximately 1" x 1" x 2.5") which are installed just below the guideway surface. The reed switches close when a vehicle mounted horseshoe magnet pair is within ± 6.0 inches centerline-to-centerline.

The four reed switches are arranged in a dual series parallel circuit such that two series switches are in parallel with the other two series switches. This arrangement was taken from the MPM design.

Notice from Figure 4.3-1 that the PD is installed such that the edge nearest the guideway centerline is 4.0 inches from the steering rail. This location corresponds with the MPM vehicle location and is compatible with other guideway equipment.

Figure 4.2.2-3 Nominal PD Closure Timeline

Vehicle travelling @ 60 ft/sec (40.9 mi/hr)
PD sensing distance = 2"

Time of PD hit = \( \frac{2''}{12''/\text{ft}} \times \frac{1}{60\ \text{ft/sec}} = 2.78\ \text{msec} \) (minimum PD closure time)

Length of PD hit \( \geq 1 \) sec:

Speed of vehicle = \( \frac{2''}{1\ \text{sec}} = 0.17\ \text{ft/sec} \) (0.12 mi/hr)

A vehicle travelling less than 0.17 ft/sec will cause the PD Processor to report a PD timeout.

FIGURE 4.3-1: GUIDEWAY CROSS-SECTION

4.3 Magnetic Signalling Subsystem

The Magnetic Signalling Subsystem consists of magnets embedded in the guideway surface which perform one of three different functions dependent on the lateral guideway location as shown in Figure 4.3-1. The magnets actuate vehicle mounted reed switches and initiate vehicle action to switch, perform a station stop or start a position correction or calibration maneuver as explained in Sections 4.3.1, 4.3.2, and 4.3.3.

The Magnetic Signalling Subsystem is an interface between the vehicle and wayside. The wayside magnet locations are shown in Figure 4.3-1 and the vehicle reed switch locations are shown in Figure 4.3-2.

The Switch Initiate and PC/CAL magnets are required to actuate the vehicle reed switch, with a distance uncertainty less than ±5.0 inches. The station stop distance uncertainty is required to be less than ±2.0 inches. These requirements were derived from system level requirements.

The AGRT magnetic signalling design is based on the MPM design; tests on the prototype design indicated that the MPM design of ±6.0 inch uncertainty would not meet the AGRT requirements. The sensitive parameter was found from tests to be lateral off-tracking and, therefore, the design focused on reducing this error source. A summary of the AGRT design is given in Table 4.3-1. Tables 4.3-2 and 4.3-3 give the make up of the mechanical movement sources.

A magnet pre-installation test is also required to verify that the magnetic strength is within a predetermined window. Tests indicated that approximately 30% of the distance uncertainty was due to variations in magnet strength and approximately 60% was due to reed switch to magnet movement. The magnet pre-installation test consists of placing a magnet in a test fixture and determining the closure distance. This distance is written on the magnet as an installation offset.

FIGURE 4.3-2: VEHICLE REED SWITCH LOCATIONS

<table>
<thead>
<tr>
<th>Magnet Orientation</th>
<th>Longitudinal Bar</th>
<th>Longitudinal Bar</th>
<th>Transverse Bar</th>
</tr>
</thead>
<tbody>
<tr>
<td>Reed Switch Assembly Orientation</td>
<td>Longitudinal</td>
<td>Longitudinal</td>
<td>Transverse</td>
</tr>
<tr>
<td>Nominal Ride Height</td>
<td>2.0&quot;</td>
<td>2.0&quot;</td>
<td>2.0&quot;</td>
</tr>
<tr>
<td>Total Lateral Off-Tracking</td>
<td>± 2.0&quot;</td>
<td>± 2.0&quot;</td>
<td>± 1.0&quot;</td>
</tr>
<tr>
<td>Total Angular Off-Tracking</td>
<td>± 17°</td>
<td>± 17°</td>
<td>± 10°</td>
</tr>
<tr>
<td>Total Vertical Variation</td>
<td>± 0.625</td>
<td>± 0.625</td>
<td>± 0.625</td>
</tr>
<tr>
<td>Vehicle Station Number</td>
<td>103.5</td>
<td>108.5</td>
<td>105.75</td>
</tr>
<tr>
<td>Vehicle Lateral Location</td>
<td>13.5&quot; Right</td>
<td>8.0&quot; Left</td>
<td>CENTER LINE</td>
</tr>
</tbody>
</table>

**TABLE 4.3-1**  
**MAGNETIC SIGNALLING CONFIGURATION**

**TABLE 4.3-2**  
**ANGULAR OFF-TRACKING COMPONENTS**

<table>
<thead>
<tr>
<th>COMPONENT</th>
<th>PC/CAL SWITCH</th>
<th>STOP</th>
</tr>
</thead>
<tbody>
<tr>
<td>VEHICLE REED SWITCH ASSEMBLY INSTALLATION</td>
<td>± 2°</td>
<td>± 2°</td>
</tr>
<tr>
<td>VEHICLE REED SWITCH ASSEMBLY/MAGNET ANGULAR OFF-TRACKING</td>
<td>± 10°</td>
<td>± 3°</td>
</tr>
<tr>
<td>MAGNET INSTALLATION</td>
<td>± 3°</td>
<td>± 3°</td>
</tr>
<tr>
<td>REED SWITCH INSTALLATION IN VEHICLE REED SWITCH ASSEMBLY</td>
<td>± 2°</td>
<td>± 2°</td>
</tr>
<tr>
<td>TOTAL</td>
<td>± 17°</td>
<td>± 10°</td>
</tr>
</tbody>
</table>

**TABLE 4.3-3**  
**VERTICAL VARIATION COMPONENTS**

<table>
<thead>
<tr>
<th>COMPONENT</th>
<th>VEHICLE REED SWITCH ASSEMBLY</th>
<th>BAR MAGNET INSTALLATION</th>
<th>TIRE WEAR</th>
<th>GUIDEWAY IRREGULARITIES</th>
<th>TIRE DEFLECTION AND BRAKING WEIGHT TRANSFER</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>+ 0.25</td>
<td>- 0.25</td>
<td>- 0.0</td>
<td>+ 0.125</td>
<td>+ 0.125</td>
</tr>
</tbody>
</table>

- 0.5

The above configurations give ± 3.6 inches distance uncertainty for the longitudinal configuration and ± 1.5 inches for the transverse configuration.

4.3.1 Stop Initiate Magnets

When a vehicle detects a station stop magnet, it begins a profiled stop to a station berth unless cancelled by a previously uplinked "No Stop" command. After a preprogrammed distance, the vehicle discards the "No Stop" command to allow for stopping at a succeeding berth. The stop magnet is located on the guideway centerline.

4.3.2 Switch Initiate Magnets

The Switch Initiate Magnet initiates vehicle switching action if a "Switch Right" or "Switch Left" command was previously uplinked to the vehicle. The "Switch Initiate" magnets are longitudinally mounted 8.0 inches to the left of the guideway centerline.

4.3.3 Position Correction/Calibration Magnets

The PC/CAL magnets have three functions:

1) Initiate vehicle odometer calibration if requested by uplink
2) Provide a reference for position correction uplink window
3) Provide a reference for speed transitions

The PC/CAL magnet is located 13.5 inches to the right of the guideway centerline.

4.4 Master Clock

The Master Clock provides synchronizing clocks and microprocessor clocks to all GCU equipment.

The Master Clock provides the following outputs:
1. Data Clock
2. Frame Clock 1
3. Frame Clock 2
4. 8 MHz CPU Clock
5. 32 MHz Clock

The rising edges of Frame Clock 1 and Frame Clock 2 are synchronous. The duration of the positive Frame Pulse is 1600 µs for Frame Clock 1 and 800 µs for Frame Clock 2. Each of the two Frame Clock signals is independently derived from a 32 MHz clock. The 8 MHz CPU Clock is also derived from a 32 MHz Clock.

The Master Clock accepts an input from the (series connected) run-out switches, which causes removal of the data clock output if one of the (normally closed) run-out switches opens; activation of a run-out switch occurs upon vehicle steering failure.

The 32 MHz CPU Clock has a redundant backup source. The 8 MHz CPU Clock will not be interrupted for more than 500 ns unless the backup 32 MHz source has failed. Failure of either the primary or the backup 32 MHz source is visually indicated on the Master Clock card.

The Master Clock 8 MHz CPU Clock is returned from the SLC processors and used as a source for the Data and Frame Clocks.

A block diagram is shown in Figure 4.4-1.

4.5 Run-out Switches

The run-out switches are mounted on the guideway in the path of the steering axle guidewheel. They prevent vehicles, which have failed to properly switch, from proceeding into an unprotected section of guideway by causing a STP removal when actuated. The normally-closed switches open when actuated by a vehicle guidewheel and disable the Master Clock outputs.

The run-out switch to the Master Clock interface is shown in Figure 4.5-1. One switch is shown but represents all of them in series.

FIGURE 4.4-1: MASTER CLOCK BLOCK DIAGRAM (diagram labels: Oscillator A Failure; Oscillator B Failure; Oscillator Monitor and Enable; 32 MHz A; 32 MHz B; 32 MHz; 8 MHz; 8 MHz A; 8 MHz B; 8 MHz C; Differential Drivers (ECL): 32 MHz A, 32 MHz B, 32 MHz Shield; Differential Drivers (TTL): Data CK A, Data CK B; Frame Generator; Frame 1A; Frame 1B; Frame 2A; Frame 2B; from guideway run-out switches, normally closed)

FIGURE 4.5-1: RUN-OUT SWITCH/MASTER CLOCK INTERFACE (diagram note: input-output isolation 3000 VDC common mode)

5.0 SAFETY PHILOSOPHY

The primary purpose of the GCU is to provide an interface between the TCCS and VCCS. The primary safety requirement is to generate a speed limit in a failsafe manner and react to erroneous speed limit detection by removal of the STP signal. The GCU design meets the AGRT safety goal of no unsafe failures in a million years by the use of an exercised checked redundant configuration.

The Speed Limit Checker (SLC) and STP Control make up an exercised checked redundant configuration. A conventional checked redundant configuration (Figure 5.0-1) consists of two processors whose outputs are voted to select the safest result and then compared in order to shut down operation if a disparity occurs. When the output is binary (safe/not safe), the combined result of the voting and disparity detection is simply safe-to-proceed (STP) or not safe-to-proceed. Figure 5.0-2 illustrates the configuration used by the wayside Collision Avoidance System (CAS), described in report number UMTA-WA-06-0011-84-2, Advanced Group Rapid Transit Odometer Data Downlink Collision Avoidance System Design Summary, and originally considered for the Speed Limit Checker. One monitor directly removes STP (via the AND gate) if an unsafe condition is detected. The other monitor serves as a reference for the disparity detector to remove STP if the output from the first monitor is erroneous. Disparity detector STP removal is latched because a disparity indicates that an equipment failure has occurred.

A checked redundant configuration has no advantage over an unchecked redundant configuration unless failures in the monitors are visible to the disparity detector. This requires special consideration since the normal output from both monitors is STP ON (i.e., it is safe-to-proceed). Thus under normal operation the logic which removes the STP is not exercised unless special provision is made to exercise that logic. Such provision is essential since otherwise a latent (undetected) failure could occur in one monitor without shutting down the system. This defeats the disparity detector, allowing an unacceptably long time period for a failure to occur in the second monitor.

FIGURE 5.0-1: CHECKED REDUNDANT CONFIGURATION

FIGURE 5.0-2: CHECKED REDUNDANT CONFIGURATION FOR CAS

FIGURE 5.0-3: CHECKED REDUNDANT SPEED LIMIT CHECKER CONFIGURATION

The above considerations have led to development of extensive self exercising provisions for the CAS and Speed Limit Checker. The self exercising provisions are considered to be nearly as safety critical as the primary logic since otherwise the failure opportunity window is too large (relative to the monitor mean time between unsafe failures (MTBUF)) to meet failsafe criteria. The self exercising concept used on the wayside is to periodically input test data which causes removal of the STP signal. The STP removal occurs at a time when it is expected by the vehicles, i.e., during the 1.6 ms frame mark embedded in the STP every 40 ms.

Recognizing that the redundant monitor simply provides a reference to the disparity detector (against which the primary monitor is judged), and that in the case of the Speed Limit Checker the reference pattern is fixed unless an equipment failure occurs, the redundant monitor can be replaced by a fixed pattern reference - namely the frame mark (Figure 5.0-3). This is feasible due to the following design considerations which are unique to the Speed Limit Checker.

1. The Communication Processor generates a speed limit and the Speed Limit Checker verifies it. Thus the Communication Processor and Speed Limit Checker are redundant with dissimilar software.

2. Latent failures do not apply to the Communication Processor speed limit generation since incorrect speed limits will be detected immediately by the speed limit checker.

3. The Speed Limit Checker is subjected to an exceptionally high level of self exercising - capability to detect every possible speed limit error is verified every 600 ms. Also, the functional simplicity of the speed limit checker allows exceptionally detailed failure analysis. This provides a high level of confidence that all failure modes will produce a detectable disparity.

4. Use of a fixed reference pattern as the opposing input to the disparity detector reduces the probability of simultaneous failure of the primary monitor and the reference. While the probability of simultaneous failure is small, the fixed reference does provide a slight improvement.

Use of a fixed standard (reference pattern) instead of the output from a redundant monitor is feasible for the Speed Limit Checker because a speed limit error can only be caused by equipment failure. This approach is not applicable to the CAS because CAS STP removal will usually be initiated by a vehicle conflict (minimum safe separation violation). The latched STP removal initiated by the disparity detector would be inappropriate for an ordinary conflict since the STP must be restored as soon as the conflict is resolved.

In summary, the functional requirements of the Speed Limit Checker are unique in several aspects which make a redundant checker unnecessary:

1. The redundancy between the Communication Processor and the Speed Limit Checker.

2. The lack of latent speed limit failure modes in the communication monitor.

3. The high level of self exercising confidence possible in the Speed Limit Checker.

4. The applicability of a fixed standard.

6.0 ANALYSES

Two types of analyses were performed on the GCU equipment: circuit analyses and safety analyses.

6.1 Circuit Analyses

A preliminary thermal analysis was performed on each circuit card to verify operation in the Engineering Development System (EDS) environment of 40°F to 90°F. Other circuit card level analyses were performed depending on the circuit type, such as timing analyses for digital circuits. No problems were found.

6.2 Safety Analyses

Safety analyses were performed on the STP Control Card, Speed Limit Checker, the Modulator, and Loop Driver.

6.2.1 STP Control

A very thorough series of safety analyses was performed on the STP Control. The AGRT design is based on the MPM Disparity Checker card with component value changes made for increased speed. The safety analyses showed a need for a second latch as is shown in the present design. The latch circuit used was a slightly modified version of the first latch. This configuration is shown in Section 4.1.3.

6.2.2 Speed Limit Checker

In the AGRT checked redundant configuration (see Section 5.0) each monitor outputs a "safe" indication if the data monitored represents a safe situation. Otherwise, the indication changes to "not safe."

The disparity detector outputs "safe" as long as the two monitors have identical output. If the monitors ever disagree the "safe" indication is removed and will not be restored when the disparity ends. Thus any failure detected by test data will result in permanent removal of the "safe" indication.

The AND gate outputs "safe" if and only if monitor 1 and the disparity detector both indicate "safe," hence the output is "safe" only if both monitors indicate "safe" and have had no previous disparity.

Since the capability of each monitor to detect and react to an unsafe condition is not exercised under normal operating conditions, false data is periodically interjected to represent unsafe conditions, thence verifying the monitoring capability. Since various unsafe conditions must be detectable, the false data cycles through various cases at a rate which assures that all cases will be exercised within a short interval (less than a minute).

Thus each monitor has two functions:

1. A monitoring function to detect and react to potentially unsafe conditions.

2. An exercising function to interject false data representing each unique unsafe condition which must be detected.

Two resultant failure rates are of interest:

1. \( \lambda_T \) = rate for failures lasting until the end of the life cycle (T).

2. \( \lambda_T = \lambda_1 \)

For a single channel:

\[
\lambda_T = p_1 \lambda_1 \quad \lambda_{\tau_1} = \lambda_1
\]

The dual channel rates are

\[
\lambda_T = \lambda_1^2 (p_1^2 T + 2 \tau_1) \quad \lambda_{\tau_1} = \lambda_1^2 p_1 T
\]

The speed limit checker is not checked redundant. However, the speed limit checker is redundant to the communication processor (speed limit generator). The modulator transmits messages (including speed limit) from the communication processor if the disparity detector allows a modulating signal ("safe-to-proceed") to reach the modulator. Using the frame mark as a reference, the disparity detector requires the speed limit checker output to alternate between "safe" (38.4 ms) and "not safe" (1.6 ms). Otherwise the "safe-to-proceed" is removed and latched off.

There are only 16 possible speed limits, hence 15 erroneous speed limits are used by the exerciser function. Thus, response to every possible erroneous speed limit is exercised every 600 ms ($\tau_1$).
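The exercised check described above can be modelled as a small simulation. The following Python model is an added example, not code from the report or the GCU: it assumes the frame mark sits at the end of each 40 ms frame and that the exerciser injects one of the 15 erroneous speed limits per frame mark (15 × 40 ms = 600 ms); the `blind_to` fault model and all names are constructed for illustration.

```python
"""Toy model of the exercised Speed Limit Checker with a frame-mark reference."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

FRAME_US = 40_000                 # frame period from the report: 40 ms
MARK_US = 1_600                   # frame mark: 1.6 ms of "not safe" per frame
SAFE_US = FRAME_US - MARK_US      # 38.4 ms of "safe" per frame
CODES = range(16)                 # 16 possible speed limits


class SpeedLimitChecker:
    """Monitor: reports safe only when the observed code equals the expected one."""

    def __init__(self, blind_to: FrozenSet[int] = frozenset()):
        # Constructed latent fault: codes the failed compare logic wrongly accepts.
        self.blind_to = blind_to

    def is_safe(self, observed: int, expected: int) -> bool:
        return observed == expected or observed in self.blind_to


class DisparityDetector:
    """Compares checker output with the fixed frame-mark pattern; latches on mismatch."""

    def __init__(self) -> None:
        self.latched_off = False

    def ok(self, checker_safe: bool, in_frame_mark: bool) -> bool:
        reference_safe = not in_frame_mark
        if checker_safe != reference_safe:
            self.latched_off = True      # equipment failure: never self-restores
        return not self.latched_off


@dataclass
class Result:
    latch_time_us: Optional[int]   # when STP was latched off, None if never
    stp_safe_window: List[bool]    # STP state in each frame's 38.4 ms window
    stp_frame_mark: List[bool]     # STP state in each frame's 1.6 ms mark


def simulate(frames: int, expected: int, checker: SpeedLimitChecker,
             comm_code: Callable[[int], int]) -> Result:
    """comm_code(frame) is the speed limit the Communication Processor sends."""
    erroneous = [c for c in CODES if c != expected]   # the 15 exerciser cases
    detector = DisparityDetector()
    latch_time = None
    safe_win: List[bool] = []
    mark_win: List[bool] = []
    for k in range(frames):
        phases = (
            (k * FRAME_US, False, comm_code(k)),                            # real data
            (k * FRAME_US + SAFE_US, True, erroneous[k % len(erroneous)]),  # test data
        )
        for start_us, in_mark, observed in phases:
            checker_safe = checker.is_safe(observed, expected)
            detector_ok = detector.ok(checker_safe, in_mark)
            if detector.latched_off and latch_time is None:
                latch_time = start_us
            stp = checker_safe and detector_ok         # the AND gate
            (mark_win if in_mark else safe_win).append(stp)
    return Result(latch_time, safe_win, mark_win)


def worst_case_latent_detection_us(expected: int) -> int:
    """Longest time any single-code latent checker fault survives the exerciser."""
    times = []
    for bad in CODES:
        if bad == expected:
            continue
        checker = SpeedLimitChecker(frozenset({bad}))
        times.append(simulate(15, expected, checker, lambda k: expected).latch_time_us)
    return max(times)
```

In this model a checker that has silently lost the ability to flag one code keeps passing real traffic, and is caught only when the exerciser reaches that code, which bounds the exposure at one 600 ms cycle.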

The fault tree representing undetected transmission of a bad speed limit (Figure 6.0-1) is similar to that for a checked redundant monitor with the following differences:

1. There is only one monitor.

2. The second entry to the top AND gate is a bad speed limit from the communication processor. The AND gate is sequential, i.e., the checker must fail before the communication processor can fail undetected.

3. An undetected checker failure can occur if the frame mark and speed limit checker fail in the same 40 ms interval ($\tau_2$).

The failure rates for the speed limit error are:

$$\lambda_T = \lambda_1 (p_1 + 2 \lambda_2 \tau_2) \quad \lambda_{\tau_1} = \lambda_1$$

The rates for undetected speed limit error are:

$$\lambda_T = \lambda_0 \lambda_1 (p_1 T/2 + \lambda_2 \tau_2 T) \quad \lambda_{\tau_1} = \lambda_0 \lambda_1 \tau_1$$

FIGURE 6.0-1: FAULT TREE FOR SPEED LIMIT CONFIGURATION

This provides adequate protection if

\[
\begin{aligned}
\lambda_0 &= 10^{-6}, \quad \lambda_1 = 10^{-5}, \quad \lambda_2 = 10^{-4} \\
p_1 &= 10^{-3}, \quad T = 10^4 \text{ hours (annual verification of monitoring function)}
\end{aligned}
\]

given that

\( \tau_1 = 600 \text{ ms} \approx 2 \times 10^{-4} \) hours (invalid data cycle time)

\( \tau_2 = 40 \text{ ms} \approx 10^{-5} \) hours (frame time)

Then

\( \lambda_T \approx 10^{-11} \left( 10^{-3} \times \frac{10^4}{2} + 10^{-4} \times 10^{-5} \times 10^4 \right) \approx .5 \times 10^{-10} \)

\( \lambda_{\tau_1} \approx 10^{-11} \times 2 \times 10^{-4} \approx 2 \times 10^{-15} \)

Where:

- \( p_1 \) = probability of exerciser failure
- \( \lambda_1 \) = speed limit monitor failure rate
- \( \lambda_2 \) = frame mark generation failure rate
- \( \lambda_0 \) = communication processor speed limit generation failure rate

This is equivalent to a mean time between unsafe failure (MTBUF) of \( 2 \times 10^6 \) years.

The above performance requirements are reasonable since

1. The probability that a random speed limit and VRC are valid and incorrect is \( 16/128 = .125 \), i.e., an order of magnitude less probable than the probability of an invalid combination.

2. The planned exercising algorithm can be implemented so that any undetectable failure combinations are extremely improbable.

3. Annual verification of the monitoring function can be achieved by external application of erroneous speed limits while the system is not operating.

The Speed Limit Checker software was modified between the Preliminary Design Review (PDR) and Critical Design Review (CDR) as a result of safety analyses. The present hardware/software configuration is shown in Section 4.1.2.

6.2.3 Loop Driver and Modulator

The Loop Driver was modified between PDR and CDR due to a concern in the reaction of the over-temperature circuit. The over-temperature circuit now removes the output stage power to eliminate the possibility of oscillation after an over-temperature condition. Previously, input drive was removed.

No safety related problems have been found in the Modulator.

7.0 DEVELOPMENT TESTS AND GCU STATUS

Developmental testing primarily included inductive link bit error rate tests, presence detector tests and card/rack integration.

Bit error rate testing was performed to verify operation of the Digital FSK Receiver in a severe impulse noise environment and is described in the Inductive Communication Link introduction, Section 4.1.

Vehicle reed switch assemblies and magnets were tested in order to gain confidence in meeting the station stop ± 2.0 inch distance uncertainty requirement. Actually, presence detectors were substituted for vehicle reed switch assemblies since the designs are similar and fabrication of the vehicle unit would have been costly. More information on the tests and the results can be found in Section 4.3.

Activity on the AGRT Guideway Communication Unit has been halted. The contract effort included design, development, and preliminary testing. Follow-on evaluation was not authorized.

8.0 CONCLUSIONS

Several useful concepts were developed during the design of the GCU and are listed below:

1) Digital FSK Receiver capable of operating in severe impulse noise environment. (See Sections 4.1 and 4.1.4.)

2) Exercised Speed Limit Checker with no known unsafe failure modes.

Safety analyses indicate that checked redundancy with embedded exercising is necessary and sufficient to achieve the high level of safety required for a safety system. The need for frequent exercising of safety critical functions is often overlooked. (In some applications normal operation exercises safety critical functions sufficiently to assure detection of latent failures in one channel before corresponding failures have time to occur in the opposite channel; this is true of the Collision Avoidance System implemented in the Morgantown People Mover, and is also true of any other checked redundant interlocking logic which relies upon external fail-safe disparity detection.) Frequent exercising is required for implementations in which normal operation does not exercise safety functions required to detect unsafe conditions.

A review of papers presented at a recent transportation conference (TRANSPAC '84) indicates that the above conclusions are not universally accepted. Of five microprocessor based systems, only one is extensively exercised - and that one is not checked redundant. A second system also used single string microprocessors, relying upon embedded self checks to detect failures. Of the three redundant configurations, two perform safety critical functions which are not exercised by normal operation, yet no provision for exercising these functions is mentioned.

Conclusive judgement of the safety of various microprocessor based systems cannot be made without determining the plausibility of various failure modes. In terms of the safety criteria which were applied to the GCU speed limit checker (and at least one of the systems reviewed), the GCU and any of the systems reviewed can be judged either safe or not safe, depending upon which failure modes are considered plausible, and which are not.

The GCU design philosophy is "reasonably" conservative. It is considered plausible that a single physical failure of a microprocessor can affect multiple software functions. At a minimum, functions containing identical or similar instructions can fail due to a single physical failure. The GCU speed limit checker design allows for a limited number of simultaneous dissimilar instruction failures. This seems plausible because dissimilar instructions may share a single link in the microprocessor logic. However, the number of simultaneous dissimilar instruction failures which must be considered is believed to be limited since failure of a widely used resource would cause complete failure, i.e., the processor would no longer function well enough to produce the dynamic output required to maintain the safe-to-proceed signal.

While the above "plausibility" criteria help judge the relative merits of various design alternatives, they are no substitute for good quantitative data. Some measure of the conditional probabilities associated with various microprocessor failure modes (in terms of combinations of instructions affected) is needed. Without such information a less conservative approach than that used for the GCU would not be easily justified, nor would a more conservative approach.

9.0 RECOMMENDATIONS

9.1 Future Improvements

The GCU was designed with the best current design practices. In retrospect, however, some improvements could be made.

The experience of the Morgantown system with Presence Detectors (PDs) has indicated that future designers should consider a new PD design which reduces downtime. Insufficient data exists at this time for design suggestions; however, future designers should consider what effect tolerances will have on distance uncertainty for any design choice.

Integration of the GCU inductive link with the Collision Avoidance System inductive link is recommended; this modification appears to be technically feasible and would result in a significant savings in the number of guideway loops and associated equipment.

The AGRT Collision Avoidance System is called the Odometer Data Downlink Collision Avoidance System (ODDCAS) and is described in report number UMTA-WA-06-0011-84-2, titled Advanced Group Rapid Transit Odometer Data Downlink Collision Avoidance System Design Summary, October 1984. The 3-wire loops and two coil antennas described in that report are the suggested loop/antenna design.

The GCU and ODDCAS data could be time multiplexed as shown in Figure 9.1-1. A candidate block diagram is shown in Figure 9.1-2. This scheme assumes headway can be increased to approximately 5 seconds. An understanding of the above mentioned ODDCAS report is needed to discern an integrated ODDCAS/GCU system.

9.2 Potential Applications

The GCU is basically an interface unit and may be useful in future AGRT designs; the components developed for the GCU could be applied in a wide range of systems.

The Digital FSK Receiver concepts can be applied to any FSK communication system where impulse noise is the dominant problem. It has been applied in the AGRT Collision Avoidance System inductive link.

FIGURE 9.1-1: PROPOSED INDUCTIVE LINK TIMING DIAGRAM FOR INTEGRATED COMMAND/CONTROL AND COLLISION AVOIDANCE SYSTEM

FIGURE 9.1-2: PROPOSED BLOCK DIAGRAM FOR INTEGRATED COMMAND/CONTROL AND COLLISION AVOIDANCE SYSTEM

10.0 BIBLIOGRAPHY

"Morgantown People Mover Inductive Communications System Design Summary" Report No. UMTA-MA-06-0048-78-6
Final Report, December 1978. T. N. Johnson


"Morgantown People Mover Electromagnetic Compatibility Program" Report No. UMTA-MA-06-0048-80-10
Final Report, September 1980. T. H. Herring


"Programmable Digital Vehicle Control System"
28th Vehicular Technology Conference - IEEE

"Digital FSK Receiver Capable of Operating in High Impulse Noise Environments" 31st Vehicular Technology Conference - IEEE
Technical Paper, April 1981. E. Nishinaga

"A Vehicle Collision Avoidance System Using Time Multiplexed Hexadecimal FSK" 33rd Vehicular Technology Conference - IEEE