Seat mechanism on BORG Assimilator fails

---

john13601 said:Well Rollergator the local news did say that Carowinds maintenance was going to take the train apart to find the problem. So it probably is still in pieces

---

Makes sense, john...

I do find it kinda weird that they're RUNNING the ride while still trying to "find" the problem. Not that it stopped me from riding on Sunday, LOL.

....and the vertical loop on Borg is ultra-intense compared to those on X-Flight/Batwing/FireHawk... :)

edit: wanted to include the quoted post, since it skipped pages... ;)

*** Edited 3/28/2007 6:15:39 PM UTC by rollergator***

Going back to the S&S drop tower situation...

Are you aware that the S&S control system has changed? When "Power Tower" opened at Cedar Point, there were apparently no detection switches for the restraint position, and in fact I am not certain that there was any control at all over the restraints. In operation, the bars remained unlocked until the carriage was brought up to weigh. This has the benefit of giving the operator a means for detecting an unfastened safety belt: if the belt is not fastened, the bar flies up in the air. Once all the belts were fastened, the carriage was lifted to weigh, which disconnected the carriage from the contact that released the restraints, thus locking them. There was no need to monitor the locked/unlocked status because in the absence of electrical power to release the restraints, all the restraints would be locked. And until the passage of whatever version of F 2291 that includes that which is now known as F 2291-06a:6.4.3 (it got renumbered in 06a) there was never any industry requirement to monitor the *position* of any restraint...only its locked/unlocked status, and removing the unlock mechanism was enough to assume that it locked.

By 1999, Power Tower had been updated to the current setup with contacts for each seat.

--Dave Althoff, Jr.

I don't know electrical control details of S&S rides but if they manufactured "Power Towers" without automated (electrical) restraint monitoring it's an absolute shame as doing so would be all but state of the art even 20 years ago. If it's true I even wonder how they passed ride inspections.
That said, it must noted that safety inspections of ride automation systems (electrical/electromechanical, electronic, programmable electronic ones) is not very stringent in some U.S. states. Some European countries, especially Germany, are much more severe. Also some inspection companies are more strict than others. For example, many currently operated rides would not be able to get a TUeV Sued approval.
BTW, according to ASTM standards, restraints are subdivised in categories according to the expected accelerations. For each category, specific requirements must be met.

You must remember that amusement ride inspections are real-world inspections based on decades of real-world experience moreso than engineering standards. That is changing, but even today, even with F 24 committee standards in play in many jurisdictions and the industry looking to the F 2291 standards for design guidelines, ride operations is still a very hands-on business, and the amount of automation and detection used on rides is traditionally limited to that which can be considered *reasonable*. As an example of *why* higher levels of automation are not employed in ride safety systems, look no further than the Majestic Catch'N Air ride. That's an update of the old Flying Coaster ride. The big difference is that while an Aeroaffiliates Flying Coaster (if you can find one; Kennywood has one...) is a very simple ride and will almost always be working, Catch'N Air is an extremely complicated ride, and most of the time will NOT be working due to the perpetual failure of the switches on the lap bars. Flying Coaster didn't have switches on the lap bars. (it did have a cool locking mechanism, though, one that most people won't even notice!)

It's been common for decades to build restraint systems which are mechanically or electrically operated by equipment located in the loading area. By the very design of the system, it is not possible to leave the restraints unlocked once the vehicle has left the loading area...the means for automatically unlocking the restraints simply does not exist. For that reason, there is really no point in trying to monitor the status of the restraint. The closest we've traditionally seen to that is the Arrow multi-element coasters, where the restraints are "bi-stable"--that is, they can stay "open" during the ride--where a pedal counter checks to make sure the mechanism is in the locked position before the train gets past the top of the lift. On most rides, though, once you're past the busbar in the station, the restraints lock. So monitoring is not needed.

Don't get me started on ASTM 2291-06a:6.4.3. It took two years for the committee to write that section and they did such a poor job of it that the best thing for it would be to strike that section altogether. That means eliminating the poorly-constructed 5-level classification system, and it means eliminating the chart or graph that suggests (note it is a SUGGESTION, not a REQUIREMENT) a restraint based solely on the acceleration criteria. If section 6.4.3 were simply eliminated from the 2291-06a standard, all of the technical requirements would still apply, and if the 6.4.3 guidelines ever made any sense at all the analysis (required in 5.1 and 6.3) will come up with the appropriate system. But the short-cut given in 6.4.3 would go away, and we could all quit worrying about how to create a Class 5 restraint, given that it is impossible to comply with all the requirements of Class 5 in a reasonable fashion using existing technology.

--Dave Althoff, Jr.
(member, ASTM F-24...but joined AFTER the offending section passed)

@RideMan:
Many thanks for your very interesting and detailed reply. I totally agree that standards are only standards and in many domains there are lots of issues related to them (sometimes they even prevent useful innovations). The real world is complex and developments have a fast pace but standard drafts take eternities to get finalized and procedures to modify them are complex and slow, especially for worldwide (e.g. ISO, IEC...) and European (e.g. EN) standards.
Standards should only be considered as basic guidelines but they are never an ultimate reference to decide if something is safe or not and it is not even their purpose. Safety is primarily the responsability of each manufacturer and from that POV some are more serious and formal than others (as are both independant inspection bodies and official inspectors too).

One obvious drawback of standards is when they become a totally unjustified obstacle to new technical developments. A good example concerned issues with safety programmable controllers for SIL 3 (Safety Integrity level 3) applications (as defined in IEC 61508 and associated stds.) for use in the U.S. due to OSHA restrictions which didn't take in account SIL 3 qualified programmable electronic automation systems.

IMO whenever possible restraints should be of the monostable type where power is mandatorily required to maintain it in the unlocked state, so in case of any problem there's a defined failsafe state where all retraints are locked (although not necessarily closed). Bistable locking/unlocking systems are not very good.

Overall it's far safer to rely on automated systems to monitor restraint statuses. Human factor issues are known and operator reliability is hard to assess anyway as persons don't come with a guaranteed maximal dangerous failure rate. Of course it's also a question of engineering, many current designs, including the very common dual (non-safety) PLC configurations don't meet SIL requirements because the calculated SIL is too low or because it can't be determined reliably due to missing manufacturer data for safety-critical components of the system.

One point I disagree is about restraint monitoring, IMO a minimal closure position (and that's unrelated to the locked/unlocked status) of all restraints should be monitored according to SIL 3 and, as far as technically "reasonably" possible, the restraint locking status itself should also be monitored by the ride automation system. Further, redundant locking mechanisms should be mandatory for all over-the-shoulder restraints as well as lap bars (I don't address undetected failures of a subsystem of a redundant system here as it's a complex discussion).

Of course monitoring can also be performed mechanically if it's appropriate, there is no absolute need for an embarked electrical/electronic system. For roller coasters and some other type of rides it's best to not have any embarked source of energy so, if restraint unlocking is controlled electrically, nothing can go wrong from that POV once the ride has started.
Once a roller coaster train has left the station it becomes pointless to monitor anything on-board, as basic principle a restraint has to be safely closed to some (maximal aperture) position *and* locked from the moment a train leaves the boarding station.

I also agree that the 5-level restraint classification system based on charts with acceleration "areas" is not a great idea. I'd prefer if some freedom would be left in the standard but have really very serious and experienced inspection bodies like TÜV Süd (I don't work for them! LOL, they're just known to be very strict) or so which would examine individual rides to determine if a proposed restraint design is adequate or not. Just using accelerations as criterion is too simplistic.
(Edited for typos.)
*** Edited 3/30/2007 4:01:49 AM UTC by Vallean***

We are in agreement in principle. I think I need to start by saying that. 8-) My point is mostly historical. There is one area, though, where I must challenge you. I use the word "challenge" very specifically, as this gets to part of the problem with the ASTM Class 5 restraint.

(for those of you playing along: ASTM Class 5 restraint as described in F 2291-06a:6.4.3.8 includes a locking restraint device for each individual patron, where the final latching position of the restraint is variable in relation to the patron, the device is automatically locked, can only be automatically or manually unlocked by the operator, must have a redundant locking device, and the device must include an external indicator of correct or incorrect application. Failure of any monitored device shall either stop the ride cycle or inhibit cycle start.)

Here is the problem: How do you create a device which can automatically indicate whether an adjustable restraint is in a "safe" position? The reality is that such an indication is typically going to be done with a limit switch (or a mechanical equivalent) which means--
a) if the device allows the ride to accommodate the largest riders who can be safely contained on the ride, the device must indicate "safe" when the restraint is in its minimum-closed position, which the use of an adjustable restraint suggests may not be safe for the smallest possible rider. This is clearly not acceptable.

Or...

b) The device must indicate "safe" only when the restraint is closed to the MINIMUM SAFE POSITION for the SMALLEST rider who can be permitted to ride

If this is the case, then *by definition* there is no margin of safety gained by closing the restraint further, and the limit switch will not allow a larger rider to ride with the restraint further open, even though it may be perfectly safe to allow that with the larger rider. In other words, the very presence of the go/no-go indicating device effectively eliminates all benefits of an adjustable restraint. So why not just admit it and go back to a single position restraint, which is effectively what the adjustable restraint becomes with the addition of the go/no go switch.

That's the first issue.

The second issue is a reading of the ASTM standards on restraints. It turns out that the ASTM standard DOES provide all of the flexibility that both of us would like to see, but it does it in a rather back-handed way which is going to cause problems down the road. Let me walk you through the standard for a moment....

Section 5.1 dictates that the designer will undertake a thorough analysis of the ride.

Section 5.4, in particular Section 5.4.2, allows that the documentation relating to the ride, including the analysis data, may be considered proprietary and does not need to be distributed with the ride. This will become important when we get into Section 6, particularly 6.4.3. Section 5.5.2 further restricts the amount of documentation that needs to be made available to regulatory agencies.

Section 6.1 says that the ride must be designed to support and contain the rider.

Section 6.3 requires a detailed analysis of the ride and a consideration of all relevant factors. At least a dozen potential factors are listed, and there is a requirement in the standard that ALL relevant factors be considered in order to provide an appropriate restraint.

Section 6.4.3 says, now that you've done that complete analysis, now use ONLY the acceleration data and use one of these five restraint types in accordance with this chart. 6.4.3.3 even says you MUST use the restraint type specified in the chart as a minimum, based on sustained acceleration.

Section 6.4.3.4 - 6.4.3.9 describe the five classes of restraints

Section 6.4.4.1 says that in spite of what 6.4.3.3 says, this chart is only a design guideline and the analysis required in 6.3 may indicate the need for a different restraint class (either higher or lower) than indicated in the chart. In other words, forget about the chart and do what the analyis told you to do. In fact, here are six specific reasons not to go strictly by the chart we told you to use in 6.4.3.3.

Finally, now that you've conducted an analysis (6.3) and chosen a restraint system, you need not publish the rationale (5.5.2). Even though there may be perfectly good reasons not to follow the chart in 6.4.3, and even though the chart is identified as strictly a *design guide* and is NOT to be used for performance testing, because such detailed requirements are given in 6.4.3, any damned inspector with an accelerometer will now do exactly what 6.4.4.1 says NOT to do, and will compare the measured acceleration data with the chart and try to determine what kind of restraint is appropiriate, regardless of what the manufacturer's analysis said.

Is this not the most convoluted and wrong-headed way to go about defining a restraining system for a ride?

--Dave Althoff, Jr.

I totally agree with you. Maybe there was a misunderstanding as English is not my first language. Obviously there is no viable (i.e. reasonably affordable, reliable, easy to operate and requiring low maintenance) solution to verify automatically if a restraint in a position *safe* for each individual patron. I differentiate clearly between the locking status (only two states: restraint safely locked *exclusive or* not safely locked) and the position of the restraint which is itself variable as patron body metrics (or however it's called) vary, that position can be either be varied continuously or in discrete increments (typical with ratchet locked devices). As mentioned in my message above, only a minimal closing position can be monitored and that is totally in accordance with your message and that position limit has to be defined for the "largest" patron for whom de seat and restraint are designed.

Automation can't prevent all human errors and it's not even the role of a ride automation system. If a patron cheats, typically voluntarily not positioning a restraint correctly, I don't think the manufacturer nor ride operators or parks are to blame and that point is clearly addressed by ASTM as well as various state laws. IMO it is required and sufficient if, as fare as the restraint position itself is concerned, only a minimum closure position for the "largest" patron is monitored.

The locking system monitoring is a different issue as it concerns an internal mechanism which cannot be routinely checked by the patron or ride operators beside slightly pushsing the restraint to verify if it can't move freely.

Personally I'm favorable to those short safety belt piece used just to secure over-the-shoulder restraints as they represent an additional layer of protection. The fact that they can be defeated by patrons is secondary, I mean we can't prevent someone from jumping off a bridge either.

I agree that detailed risk assessement analysis data does not require to be released to ride owners as many of them don't have the required technical background but such data should be, at least upon request, released to state officials under (implied) non-disclosure agreement. Independant bodies like e.g. TÜV Süd will require such information but they'll perform their own risk assessment, not just check the submitted data.

Like laws, all standards are compromises which try to conciliate interests from various pressure groups, therefore it's not surprising that some oddities remain and wording isn't necessarily crystal clear either. Beside ASTM and a few DIN and Japanese standards there aren't many stds. around which specifically apply to rides.
Fortunately, as far as the automation system is concerned, IEC 61508 (which is also EN 61508 as well as various national 1:1 equivalents) will be considered as general "state of the art" reference even if not necessarily specifically cited by local laws. If ride automation systems which currently do not meet SIL 3 requirements, and there are many of them,
have to be adapted or not is unclear. Although EN 61508 has been around in the process industry since quite some time (around year 2000) it has tended to replace the conceptually flawed EN 954 approach only relatively recently in non-process domains. What happens if there is an accident on a roller coaster built in 2006 and the investigation shows that the ride automation system does only meet SIL 2? Should all rides with typical dual non-safety PLCs (Programmable Logic Controllers are basically some programmable industrial microprocessor-based devices which control rides and other industrial equipments in many domains) configurations be retrofitted with true safety PLCs? It's not that easy as you've to perform a complete risk assessment, it's not just about replacing some PLC racks. So, are current ride automation systems safe? Some meet SIL 3, some don't formally meet SIL 3 but can be considered as safe enough in real life and some are definitely not safe enough from a formal technical POV.