Communications-based Train Control - Main Features - Risks

Risks

The primary risk of a CBTC system is that if the communications link between any of the trains is disrupted, all or part of the system might have to enter a failsafe state until the problem is remedied. Depending on the severity of the communication loss, this state can range from vehicles temporarily reducing speed to coming to a halt or operating in a degraded mode until communications are re-established. If the communication outage is permanent, some sort of contingency operation must be implemented, which may consist of manual operation using absolute block or, in the worst case, the substitution of an alternative form of transportation. As a result, high availability of CBTC systems is crucial for proper operation, especially considering that such systems are used to increase transport capacity and reduce headway. System redundancy and recovery mechanisms must therefore be thoroughly checked to achieve high robustness in operation. With the increased availability of the CBTC system, the need for extensive training and periodic refreshing of system operators on the recovery procedures must also be considered. In fact, one of the major system hazards in CBTC systems is the probability of human error and improper application of recovery procedures if the system becomes unavailable.

Communications failures can result from equipment malfunction, electromagnetic interference, weak signal strength or saturation of the communications medium. In this case, an interruption can result in a service brake or emergency brake application, as real-time situational awareness is a critical safety requirement for CBTC; if these interruptions are frequent enough, they could seriously impact service. This is the reason why, historically, CBTC systems first implemented radio communication systems in 2003, when the required technology was mature enough for critical applications.

In systems with poor line of sight or spectrum/bandwidth limitations, a larger than anticipated number of transponders may be required to enhance the service. This is usually more of an issue when applying CBTC to existing transit systems in tunnels that were not designed from the outset to support it. An alternative method to improve system availability in tunnels is the use of leaky feeder cable, which, while having higher initial costs (material + installation), achieves a more reliable radio link.

CBTC systems that make use of open standards for the wireless digital communications link have a much larger attack surface and can be subject to various types of hacking, including intrusion into the communications network and tampering with safety-critical messages that, in the worst case, could result in a safety hazard. Defensive techniques for open networks, such as those prescribed by standard EN 50159-2, must be carefully analyzed. These attacks can, however, be mitigated using various security controls, which must be implemented to make effective use of the CBTC safety advantages.
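An added illustration, not taken from the article or from the text of EN 50159-2, of receiver-side checks of the kind used to protect safety-critical messages on an open link: a keyed MAC, endpoint identifiers, a sequence number, a freshness window, and a silence timeout that drops to the failsafe state. The message layout, key, identifiers and thresholds are constructed assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a real system uses managed keys
MAX_AGE_S = 0.5    # assumed freshness window for a message
TIMEOUT_S = 2.0    # assumed silence allowed before the failsafe state
HDR = ">HHId"      # assumed layout: source, destination, sequence, timestamp
HDR_LEN, TAG_LEN = struct.calcsize(HDR), 32

def pack(src, dst, seq, ts, payload, key=KEY):
    """Sender side: header + payload, followed by an HMAC-SHA256 tag."""
    body = struct.pack(HDR, src, dst, seq, ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, my_id, peer_id, key=KEY):
        self.my_id, self.peer_id, self.key = my_id, peer_id, key
        self.last_seq = -1     # highest sequence number accepted so far
        self.last_ok = None    # time the last valid message arrived

    def accept(self, msg, now):
        """Return (verdict, payload); only an 'ok' verdict feeds the watchdog."""
        if len(msg) < HDR_LEN + TAG_LEN:
            return "corrupt", None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):    # tampering / masquerade
            return "bad_mac", None
        src, dst, seq, ts = struct.unpack(HDR, body[:HDR_LEN])
        if (src, dst) != (self.peer_id, self.my_id):  # misrouted or inserted
            return "wrong_endpoint", None
        if seq <= self.last_seq:                      # repeated or re-ordered
            return "replay", None
        if not 0 <= now - ts <= MAX_AGE_S:            # delayed beyond window
            return "stale", None
        self.last_seq, self.last_ok = seq, now
        return "ok", body[HDR_LEN:]

    def link_state(self, now):
        """Rejected traffic never counts as contact, so it cannot mask an outage."""
        if self.last_ok is None or now - self.last_ok > TIMEOUT_S:
            return "failsafe"
        return "normal"
```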

With the emerging services over open ISM radio bands (i.e. 2.4 GHz and 5.8 GHz) and the potential disruption of critical CBTC services, there is increasing pressure in the international community (ref. report 676 of the UITP organization, Reservation of a Frequency Spectrum for Critical Safety Applications dedicated to Urban Rail Systems) to reserve a frequency band specifically for radio-based urban rail systems. Such a decision would help standardize CBTC systems across the market (a growing demand from most operators) and ensure availability for those critical systems.

As a CBTC system is required to have high availability and, in particular, to allow for graceful degradation, a secondary method of signaling might be provided to ensure some level of non-degraded service upon partial or complete CBTC unavailability. This is particularly relevant for brownfield implementations (lines with an already existing signalling system), where the infrastructure design cannot be controlled and coexistence with legacy systems is required, at least temporarily. For example, the New York City Canarsie Line was outfitted with a backup automatic block signaling system capable of supporting 12 tph, compared with the 26 tph of the CBTC system. Although this is a rather common architecture for resignalling projects, it can negate some of the cost savings of CBTC if applied to new lines. This is still a key point in CBTC development (and is still being discussed), since some providers and operators argue that a fully redundant architecture of the CBTC system may achieve high availability values by itself.

In principle, CBTC systems may be designed with centralized supervision systems in order to improve maintainability and reduce installation costs. If so, there is an increased risk of a single point of failure that could disrupt service over an entire system or line. Fixed block systems usually work with distributed logic, which is normally more resistant to such outages. Therefore, a careful analysis of the benefits and risks of a given CBTC architecture (centralized vs. distributed) must be done during system design.

When CBTC is applied to systems that previously ran under complete human control, with operators working on sight, it may actually result in a reduction in capacity (albeit with an increase in safety). This is because CBTC operates with less positional certainty than human sight and also with greater margins for error, as worst-case train parameters are applied for the design (e.g. guaranteed emergency brake rate vs. nominal brake rate). For instance, CBTC introduction in the Center City trolley tunnel resulted initially in a marked increase in travel time and a corresponding decrease in capacity when compared with unprotected manual driving. This was the trade-off for finally eradicating vehicle collisions, which on-sight driving cannot avoid, and it showcases the usual conflicts between operation and safety.
