Question¬†– I’m a student majoring in mechanical engineering. I am currently doing a project designing a roller coaster. Presently I’m working on the safety and controls aspects of a roller coaster. Can provide me with a general overview of how a typical safety and controls system works?

A1: That’s not a small question. It’s probably like asking a surgeon for a general overview of how surgery is done. There are several points at which we could begin a discussion. Are you asking about how the block zones are created? Do you know what a block zone is?

To put it in perspective, the design of an average roller coaster control system takes about 1500 hours, plus another 1500 to build, install and test. (That is for someone who has experience designing many roller coaster control systems.) Average cost: $400,000.

Q2: I think the block zone works by sectioning the track into zones where each train is monitored… once the train is past a certain block then the next train can safely be launched without risk of injury… this can probably be optimized for maximum throughput… am I right?

A2: Excellent! Every zone ends with a brake, on a true roller coaster (as opposed to a vehicle with it’s own motor) the brake is usually a pneumatic device that pinches a fin on the bottom of a passing vehicle.

The entire track is divided into zones of lengths selected so that given the speed profile of the vehicle, each zone will be occupied for an equal time period. You will agree that the total number of zones must be equal to the total number of vehicles on the track, plus at least one zone so that the vehicles can progress. In practice, to maintain a smooth and continuous flow of vehicles around the track, there will be a number of zones equal to at least two times the number of vehicles, often many more. The load and unload areas, as well as any “wait”, “hold”, or “slow-down” areas are all zones too. They are just very short zones. Here again, the key is to make all of your zones of equal time. This involves understanding the ride dynamics and the people dynamics, i.e. how fast people are likely to get in and out of the vehicles. Next, you have to consider issues of vehicle length and how the apparent length may change in the curves. Also, consider how far the vehicle will penetrate a closed brake before stopping, with a worst-case entry speed. Often brakes cannot physically be mounted where you need them so compromises must be made. Lots of study goes into the zone layout. There are some tricks and interesting solutions that can be used to solve problems. Rides are delivered for a specific guest capacity. The zone layout is critical to obtaining that capacity.

Obviously, the point is that the control system does not open the brake until the zone ahead is clear. Sometimes two clear zones ahead are required. The brakes are normally closed so that every vehicle is normally moving toward a brake that will stop it unless conditions permit passage. Great effort goes into the design of the brakes and the control system to insure that if anything fails, the result will be brake closure. Mechanically, that usually means that the brakes are held closed by multiple large springs. To open the brakes requires air pressure and a long list of other conditions. Creating that long list of conditions can take 100’s of hours.

Q3: Is it possible to create a rover car to run through the track with a high speed camera mounted on it so that the structure can be inspected thoroughly? or what methods are used to inspect the structural integrity of the entire structure?

A3: Possible but not common practice. Things like this have been considered but are either not needed or are not cost effective. Inspections of structural integrity are usually done the old fashion way. Maintenance personnel walk the track and climb the supports each morning. Really. They sign off on the inspections. Some things are inspected less often than others. Areas of special concern are monitored by the control system, but these are simple things, usually.

Q4: How can we guarantee that trains won’t collide with each other?

A4: That is the job of the block zone system. That is the main point of the control system: to manage the block zones to maintain train separation. And 75% of that effort is about considering all the mechanical and control equipment failure scenarios, including the ones that are almost certain to never happen over the life of the system. Big topic.

Q5: Is there any way of creating an automated system of inspecting the cars for damage to the frame or wheels?

Q6: Yes. Sometimes we monitor the gap between the frame of the vehicle and the track at selected points. The values are very consistent until mechanical deterioration begins. Even more common is monitoring a vehicle’s time in the zones. There is a well defined normal range of times for each zone, determined empirically after operations begins. Anything out of the ordinary demands an explanation. Usually we just annunciate small deviations but shut the ride down instantly for larger deviations. That is often part of the fail-safety of the system.

Q7: What about anti roll back?

A7: This is a mechanical device on a ride with a chain lift. Are you asking about what happens if at train does not make it over a hill and comes back?

Q8: Since we want to use LIM’s what are the safety considerations of controlling large voltages, and does Birket design the controls for the LIM or do the manufacturers do that?

A8: We do part or all of this work. The safety issues related to the high voltages are generally addressed by following the National Electrical Code, NFPA 79. That is a “cookbook” kind of thing. Not too hard. Expensive equipment, though.

Q9: What controls are used to make the ride failsafe even with an operator error?

A9: Big, big topic. Another day.

Q10: If we are using an LIM what would we use prevent the train from rolling backwards if it happens to stop in the middle of the ride during a loop or higher elevation. We were thinking of using some kind of ratchet. Are we on the right track?

A10: Right now I can count all the world’s LIM launched coasters on my fingers, so you can make this up as you go along just like we do! Except for one coaster being discussed now, the LIMs are always on a level section of track, so no anti-roll back is required there. If your LIMs are on an uphill grade then you will need anti-roll back there, just as on a conventional coaster with a chain lift. Yes, the ones I’ve seen are a ratchet device. I’ve seen various designs. I’m not a mechanical guy at all, so I don’t notice much about the anti-roll back design. Seems sometimes that there is one dog (is that the right word?) beneath the vehicle in the center, and sometimes two, one on each side. Sometimes the mechanical design is altered to reduce the noise.

Anti-roll back is usually used only in one, maybe two places on the track, and as a “device of last resort” at that. If your LIMs are on a grade, the anti-roll back would take on great significance, unlike with a chain lift. On a normal ride you are just worried about the chain breaking – not likely.

In other areas of the ride, like all the hills and valleys, we do not use anti-roll backs of the ratchet type, although I don’t see why not. We just use pneumatic brakes. These brakes are always closed. The computer opens them for a second to let the train pass if the zone ahead is free. They snap shut behind the train so that if the train comes back to the brake (and it does happen) the brake will stop the “roll back”. Obviously if there is any possibility of this happening you will need at least two brakes between trains, else you will have two trains colliding in the brake! (Brakes are usually very short compared to the vehicle length.) It gets complicated.

Sometimes, like if there is a bad bearing on a train or anything else to slow it down, a train will “valley”. It doesn’t make it over a hill, comes back, doesn’t make it over some previous hill, keeps going back and forth and finally settles in a valley. They winch it out. Not a good thing. From a safety point of view though it is ok as long as the block zone control system holds the next train in the previous zone. As you see, there is much to consider and study, because you don’t want to find out about these things after the installation is complete. Most of “design” time is study of the “what-ifs”. There are formal approaches to this study called “Fault Tree Analysis” and “Failure Mode and Effects Analysis” about which large boring books have been written. (Did I say that?) It is very important stuff.

Q11: When the passengers are unloaded off the train, is there a central control button where all restraints are released? In addition to the central control, is there a physical mechanical device where it can override the electronics. If there is can you briefly describe how the device works?

A11: Yes, in the operator’s booth, or sometimes it is track-side. It depends on the layout of the ride and the park’s own policy. Sometime we program it so that it takes two operators to release the restraints. Same with the gates that open to let people on the vehicle. Yes again, there is always an override. Usually it is mechanical, usually right on the vehicle. We controls engineers like that because it keeps us out of the hot seat when our equipment fails. In other words, it is one less failure mode we have to study.

How it works. Pneumatics again, usually. Usually the vehicles will have a “button” or lever under the vehicle or along the side near the bottom. Pressing it releases the restraints. The control system controls the brakes in the unload area so as to position the train with the buttons or levers adjacent to plates that are operated by a pneumatic cylinder. When the controls detect that the train has stopped and is in the right position, the controls activate the air valve to press the plate on the button. The manual release is just to go press on the button or lever yourself, which may require a pry-bar or some other mechanical advantage.

Q12: What are the main physical problems we should check by maintenance? We think of weld cracks, loosing of nuts & bolts, etc.

A12: This is mostly a mechanical issue, since we build most of the control system components to be self checking these days. After maintenance walks the track to check the thing you mention, there is a start up procedure each morning. In our systems, the control system requires that an operator walk to every Emergency Stop button, and there may be dozens located all over the load, unload and track areas, and press each one. Each time it stops the ride, requiring use of the key to restart the ride. It can take several minutes, but when you are done you are very sure that all of the buttons work. (We do other things to make sure the buttons have not been tampered with, but this is the final test.)

Then, after the computer has witnessed every button being pressed, the computer requires that it see a vehicle actually be caught in every brake, since if thing go normally during the day the zone brakes never actually get to catch a train. On our best system, the computer actually measures the capture force or the distance penetration of the vehicle into the brake. If yours does not do this, you should at least have maintenance stick something into the brake, let the brake snap shut on it and then tug on it, to make sure that the brake has a strong grip.

Q13: Like you said last time this is a big topic, but can you go over things that you consider to be most important on the following question. What controls are used to make the ride failsafe even with an operator error?

A13: We try hard to get it down to the point where there is only about one mistake that an operator can make. That is pressing the go button before everyone is fully seated. Eventually, we will find away to monitor that everyone is seated, and in some places we do now, but it is difficult. Operators, usually paid minimum wage and bored stiff, make lots of mistakes. We take away from the operator every action we can, especially the repetitive ones. On some rides, the only repetitive action for the operator is to press the launch button when everyone is seated. We even light the button that he/she is to press when the train ahead is clear.

Basically, the computer knows (because we program it in software) what the next logical operator action should be, and when that action will be safe. For example, the operator can hold down the dispatch button or press it repeatedly, and nothing will happen until conditions on the track ahead are correct. Further, if the computer sees that the button is pressed too soon (depending on the nature of the ride and park policy) the computer may be programmed to ignore further operator action until a maintenance person inserts a key to clear the error. Similarly, if a button is to be pressed and released, the computer ignores it after it has been held for about two seconds, even if conditions for the button’s use become correct while the button is being held down.

Restated, the computer knows the location and state of every vehicle. If an operator’s action is not appropriate for the state of the ride, the operator’s action is ignored. (Depending on circumstances, the operator’s mis-dead may be printed in a log file for review, but not usually.)

One trick we use to keep operators on their toes when pressing the dispatch button is to give them two buttons, spaced about two feet apart. The computer requires that they press them at the same time, within about .1 second of each other, and for not more than about one second. We position the buttons so that the operator must be facing the vehicle to press the buttons. Also, we light a light to tell them just when to press the button. We may put the light in the distance, just beyond the vehicle, so that we know that the operator was looking at the train when he/she pressed the button. In some cases, we will require that two operators do this at the same time, from two different locations. This starts to get extreme, and we have the lawyers to thank. In some rides the computer monitors the seatbelts. Scanning lasers and imaging has been discussed to see of the riders are properly positioned and seated. And so on.

A few years ago this was not true. Operators were critical to the operation. They actually operated the brakes with switches or a big levers. No more. They just can’t be trusted, at least not against the cost of today’s lawsuits, which is sad in some ways. The same is not true of maintenance operators. Since these people are not doing repetitive actions and usually have a greater since of responsibility, they often do (and must be able to) make some important decisions. This is required because they deal with the unusual circumstances, like adding and removing trains from the track, positioning them for maintenance, and fixing things like trains caught in a valley. We program the computer to catch the worst of their mistakes but not every little thing.

When all is said and done, do you know what gets people hurt on rides? They try to get out after the ride starts. Usually, it is a kid goofing around, or even an adult. On a modern ride, you are VERY safe if you just stay in your seat.