AAR LCCM Use Cases
Locomotive Command and Control Module (LCCM) Use Cases
Version 1.0
Table of Contents
1.0
Establish Controlling Application to LCCM Communication Link ..................................................... 2
2.0
LCCM Discovery by Controlling Application ...................................................................................... 3
3.0
Monitor Mode................................................................................................................................... 4
4.0
Engage Auto ...................................................................................................................................... 6
5.0
Disengage Auto ................................................................................................................................. 9
6.0
Direct Control .................................................................................................................................. 11
7.0
Exit................................................................................................................................................... 13
8.0
Alternate Flow A: LCCM Discovery over Class D connection .......................................................... 14
9.0
Exception Flows .............................................................................................................................. 15
9.1
Exception Flow A: Communication Loss Between Controlling Application and LCCM .......... 15
9.2
Exception Flow B: Failure to apply Controlling Application Command Critical Fault ............. 17
9.3
Exception Flow C: Failure to Meet Criteria to transition to Auto ........................................... 19
9.4
Exception Flow D: Simultaneous Throttle and DB command ................................................ 20
9.5
Exception Flow E: Communication Loss Between Controlling Application and LCCM While in
Monitor Mode............................................................................................................................................. 21
9.6
Exception Flow F: Failure of LCCM to Authenticate Controlling Application ......................... 22
9.7
Exception Flow G: Communication Loss Between Controlling Application and LCCM In Direct
Control…. .................................................................................................................................................... 23
10.0
Recovery Flows ............................................................................................................................... 25
10.1
Recovery Flow A: Invalid Command Provide by Controlling Application ............................... 25
10.2
Recovery Flow B: Message Integrity Failure........................................................................... 27
10.3
Recovery Flow C: Failure to apply Command Non-Critical Fault ............................................ 28
Appendix A: LCCM State Transition Diagram.............................................................................................. 29
Appendix B: LCCM Asynchronous Messaging Sequence Diagram .............................................................. 30
1
AAR LCCM Use Cases
1.0
Establish Controlling Application to LCCM Communication Link
Identifier: UC 1
Description: The process to establish a Controlling Application to LCCM communication link,
which consist of establishing the EMP Class D link, and Controlling Application authentication.
Preconditions: (Default State) Operational Controlling Application with Operational Private
Key, and Operational LCCM with List of allowable Operational Private Keys.
Post-conditions: Controlling Application to LCCM communication link is established and
Controlling Application is authenticated. Controlling application commands the LCCM to
Monitor Mode.
Main Flow:
1. LCCM opens TCP Port 3600 and listens for Class D socket request.
2. Controlling Application establishes Class D socket on TCP Port 3600 at IP address
10.255.255.50 per Class D Specification S-9356.
3. Controlling Application transmits Authentication Request Message (652) populated with
Controlling Application identification parameters.
4. LCCM generates 128 bit random number (b) and calculates LCCM Public Key (𝐵 =
𝑞 𝑏 𝑚𝑜𝑑 𝑝)
5. LCCM transmits Authentication Response Message (752) with LCCM Public Key and hard
coded p and q values.
6. Controlling Application generates 128 bit random number (a), calculates Controlling
Application public key(𝐴 = 𝑞 𝑎 𝑚𝑜𝑑 𝑝), calculates encryption key (𝑆 = 𝐵 𝑎 𝑚𝑜𝑑 𝑝) and
encrypts OPK using encryption key and AES-128 CBC Algorithm.
7. Controlling Application transmits Authentication Data Message (653) containing
Controlling Application Public Key and encrypted OPK.
8. LCCM calculates encryption key (𝑆 = 𝐴𝑏 𝑚𝑜𝑑 𝑝) and decrypts OPK using key.
9. LCCM verifies decrypted OPK is on LCCM OPK list. [9.6
Exception Flow F: Failure of
LCCM to Authenticate Controlling Application]
10. LCCM transmits Authentication Data Response Message (753) with Authentication
Status set to Authentication Accepted.
11. LCCM logs Controlling Application identification.
2
AAR LCCM Use Cases
2.0
LCCM Discovery by Controlling Application
Identifier: UC 2
Description: The process of Controlling Application discovering LCCMs and their
configurations.
Preconditions: LCCM is powered up in any state.
Post-conditions: Controlling Application discovers connected LCCMs. LCCM stays in the same
state, no transition.
Main Flow:
1. LCCM registers with the ICR via the M-9154A specification.
2. Controlling Application obtains routes for all LCCMs via ICC Router (M-9154A)
3. Controlling Application transmits Locomotive Command Module Status Request
message via the ICR over EMP Class C link via ICR. [8.0 Alternate Flow A: LCCM
Discovery over Class D connection]
a. Controlling Application will communicate directly (not thru ICR) with the LCCM
on the lead locomotive
4. LCCM receives message and verifies message is valid
a. EMP Message ID 651
b. CRC-32 is valid
5. Within 1000 ms of receiving the Locomotive Command Module Status Request
message, the LCCM transmits a Locomotive Command Module Status via the ICR (LCCM
on lead locomotive will communicate directly to Controlling Application) over the EMP
Class C link via ICR.
a. EMP Header Message Number field shall be populated with the EMP Header
Message Number received in the Locomotive Command Module Status Request
message
b. The LCCM shall populate the Manufacturer ID, Part number, Software Version
and Road Number values and set the validity bits to valid to indicate which fields
have valid data.
c. LCCM shall set the validity bits of all supported capabilities to valid.
6. Controlling Application verifies message is valid
a. EMP Message ID 751
b. CRC-32 is valid
7. Controlling Application processes LCCM status data
3
AAR LCCM Use Cases
3.0
Monitor Mode
Identifier: UC 3
Description: The process to enter and operate in monitor mode.
Preconditions: LCCM operating in the Default, Disengaging Auto state, or Direct Control.
Post-conditions: LCCM operating in Monitor Mode, with Control Heartbeat Established.
Main Flow:
1. Controlling Application determines conditions to enable transition to monitor mode
have been met
a. Transition from Default: The Controlling Application to LCCM communication link
is established and Controlling Application is authenticated.
b. Transition from Disengaging Auto: Master Controller Handle matches
commanded propulsion control state
c. Transition from Direct Control: Propulsion control state and train line state
match
2. Controlling Application transmits Locomotive Command Message (650) with the
Command field set to Monitor Mode (0):
a. All other fields in the Locomotive Command Message (650) will be recorded but
not asserted by the LCCM when the Command field is set to Monitor Mode.
3. LCCM receives message and transmits a copy of the Locomotive Command Message
(650) to LDARS, if there was a change to any of the Command fields from the previous
message.
4. LCCM verifies Locomotive Command Message (650) is valid. [10.0 Recovery Flows
5. 10.1 Recovery Flow A: Invalid Command Provide by Controlling Application] [10.2
Recovery Flow B: Message Integrity Failure]
6. LCCM transitions to monitor mode.
7. LCCM sets propulsion control to cab controls.
8. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Status fields are populated with current values
b. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
4
AAR LCCM Use Cases
c. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
d. Validity bits for all control fields are set to invalid (0)
e. Command Control field is set to Monitor Mode
9. LCCM transmits the same Locomotive Command Response Message (750) to LDARS, if
the message has a change in Control field from the previous message.
10. LCCM establishes the Control Heartbeat, upon receiving two valid consecutive
Locomotive Command Message (650) within 10 seconds.
11. Controlling Application verifies Locomotive Command Response Message (750) is valid
and processes message.
12. Controlling Application transmits Locomotive Command Message (650) with Command
field set to Monitor Mode at periodic rate of 0.2 – 5 Hz to maintain the Controlling
Application to LCCM communication link. [9.5
Exception Flow E: Communication
Loss Between Controlling Application and LCCM While in Monitor Mode]
13. Repeat steps 3 thru 9 of Main Flow.
5
AAR LCCM Use Cases
4.0
Engage Auto
Identifier: UC 4
Description: The process to engage and operate in Auto.
Preconditions: LCCM operating in monitor mode, with an established Control Heartbeat.
Post-conditions: LCCM operating in Auto.
Main Flow:
1. Controlling Application transmits Locomotive Command Message (650) with the
Command field set to Engage Auto (2):
a. Command fields populated per the desired control commands to be applied
b. Validity bits for commands fields to be asserted are set to valid (1)
c. Validity bits are set to invalid (0) for commands fields NOT to be asserted
2. LCCM receives a Commanded Mode of Engage Auto and verifies that it is valid. [10.0
Recovery Flows
3. 10.1 Recovery Flow A: Invalid Command] [10.2
Recovery Flow B: Message Integrity
Failure]
4. The LCCM transmits a copy of the Locomotive Command Message (650) to LDARS, if
there was a change to any of the Command fields from the previous message.
5. LCCM asserts all Command fields which it is configured to support, and that have the
Validity Bits set to valid in the Locomotive Command Message (650). [9.2 Exception
Flow B: Failure to apply Controlling Application Command Critical Fault][10.3
Recovery Flow C: Failure to apply Command Non-Critical Fault]
6. LCCM cuts out the Master Control Handle and drives propulsion commands.
7. LCCM will slew discontinuous throttle commands using LCCM minimum slew rate as
required.
8. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Status fields are populated with current values
b. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
c. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
6
AAR LCCM Use Cases
d. Control fields are set to value being asserted by LCCM
e. Validity bits for all control fields being asserted by LCCM are set to valid (1)
f. Validity bits for all control fields NOT being asserted by LCCM are set to invalid
(0)
g. Command Control Field is set to Auto Engaging (2)
9. LCCM transmits the same Locomotive Command Response Message (750) to LDARS, if
the message has a change in Control field from the previous message.
10. Controlling Application verifies Locomotive Command Response Message (750) is valid.
11. Controlling Application Continues to send Locomotive Command Message (650) with
the Engage Auto command at a minimum rate of 0.2 Hz and maximum rate of 5 Hz until
the status received via the Locomotive Command Response Message (750) reflect the
Auto Mode criteria have been met. [9.3
Exception Flow C: Failure to Meet Criteria to
transition to Auto] [9.0
Exception Flows
12. 9.1
Exception Flow A: Communication Loss Between Controlling Application and LCCM]
13. Controlling Application transmits Locomotive Command Message (650) with the
Command field set to Auto Mode (1), at a minimum rate of 0.2 Hz and maximum rate of
5 Hz:
a. Command fields populated per the desired control commands to be applied
b. Validity bits for command fields to be asserted are set to valid (1)
c. Validity bits are set to invalid (0) for command fields NOT to be asserted
14. LCCM verifies Locomotive Command Message (650) is valid. [10.0 Recovery Flows
15. 10.1 Recovery Flow A: Invalid Command] [10.2
Recovery Flow B: Message Integrity
Failure]
16. LCCM applies Auto Mode as defined by Locomotive Command Message (650) Command
Field.
17. LCCM asserts all Command fields which it is configured to support, and that have the
Validity Bits set to valid in the Locomotive Command Message (650). [9.2 Exception
Flow B: Failure to apply Controlling Application Command Critical Fault][10.3
Recovery Flow C: Failure to apply Command Non-Critical Fault][9.4 Exception
Flow D: Simultaneous Throttle and DB command]
18. LCCM will slew discontinuous throttle commands using LCCM minimum slew rate as
required.
19. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Status fields populated with current values
b. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
7
AAR LCCM Use Cases
c. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
d. Control fields set to value being asserted by LCCM
i. In the event of throttle slewing the target notch is applied to the control
field
e. Validity bits for all control fields being asserted by LCCM set to valid (1)
f. Validity bits for all control fields NOT being asserted by LCCM set to invalid (0)
g. Command Control Field set to Auto Engaged (1)
20. LCCM transmits the same Locomotive Command Response Message (750) to LDARS, if a
mode transition or state change occurred.
21. Controlling Application verifies Locomotive Command Response Message (750) is valid.
22. Repeat steps 13 thru end of Main Flow.
8
AAR LCCM Use Cases
5.0
Disengage Auto
Identifier: UC 5
Description: The process to disengage Auto.
Preconditions: LCCM operating in Auto or Engage Auto mode.
Post-conditions: LCCM operating in Monitor Mode.
Main Flow:
1. Controlling Application system determines the need to disengage auto.
2. Controlling Application transmits Locomotive Command Message (650) with the
Command field set to Disengage Auto (3):
a. Command fields populated per the desired control commands to be applied
b. Validity bits for commands fields to be asserted are set to valid (1)
c. Validity bits are set to invalid (0) for commands fields NOT to be asserted
3. LCCM receives the message and verifies Locomotive Command Message (650) is valid.
[10.0 Recovery Flows
4. 10.1 Recovery Flow A: Invalid Command] [10.2
Recovery Flow B: Message Integrity
Failure]
5. The LCCM transmits a copy of the Locomotive Command Message (650) to LDARS, if
there was a change to any of the Command fields from the previous message.
6. LCCM asserts all Command fields which it is configured to support, and that have the
Validity Bits set to valid in the Locomotive Command Message (650). [9.2 Exception
Flow B: Failure to apply Controlling Application Command Critical Fault][10.3
Recovery Flow C: Failure to apply Command Non-Critical Fault] [9.4
Exception Flow D: Simultaneous Throttle and DB command]
7. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Status fields populated with current values
b. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
c. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
d. Control fields are set to value being asserted by LCCM
9
AAR LCCM Use Cases
e. Command Control Field is set to Auto Disengaging (3)
f. Validity bits for all control fields being asserted by LCCM are set to valid (1).
g. Validity bits for all control fields NOT being asserted by LCCM are set to invalid
(0)
8. LCCM transmits the same Locomotive Command Response Message (750) to LDARS, if
the message has a change in Control field from the previous message.
9. Controlling Application verifies Locomotive Command Response Message (750) is valid.
10. steps 2 – 8 (between controlling application and the LCCM) are repeated at a minimum
rate of 0.2 Hz and maximum rate of 5 Hz until Controlling Application determines that it
can release propulsion control to cab control [9.0 Exception Flows
11. 9.1
Exception Flow A: Communication Loss Between Controlling Application and LCCM].


While steps 2-7 are repeated, the LCCM commands the Loco throttle to reduce 1
notch every 3 seconds until the throttle is in idle position. Once the throttle is
physically placed by the driver to IDLE position, the LCCM removes the load from the
throttle trainlines and then disengages by returning locomotive control to cab
control.
If DB is applied (Hold DB state) then the LCCM exits Auto Mode and ends propulsion
control by maintaining dynamic brake until the operator matches or exceeds the last
dynamic brake command and then disengaging by returning locomotive control to
the cab.
12. Controlling Application transmits Locomotive Command Message (650) with the
Command field set to Monitor Mode (0):
a. All other fields in the Locomotive Command Message (650) will be ignored when
the Command field is set to Monitor Mode
13. See Monitor Mode Step #3.
10
AAR LCCM Use Cases
6.0
Direct Control
Identifier: UC 6
Description: Controlling Application directly commands control of trail locomotive via Direct
Control command to trail locomotive LCCM.
Preconditions: LCCM operating in Monitor Mode and the control heartbeat is established.
Post-conditions: LCCM Operating in Direct Control
Main Flow:
1. Controlling Application transmits Locomotive Command Message (650) with the
Command field set to Direct Control (4):
a. Command fields populated per the desired control commands to be applied
b. Validity bits for commands fields to be asserted are set to valid (1)
c. Validity bits are set to invalid (0) for commands fields NOT to be asserted
2. LCCM receives message and transmits a copy of the Locomotive Command Message
(650) to LDARS, if there was a change to any of the Command fields from the previous
message.
3. LCCM verifies Commanded Mode of Direct Control is valid. [10.0 Recovery Flows
4. 10.1 Recovery Flow A: Invalid Command] [10.2
Recovery Flow B: Message Integrity
Failure]
5. LCCM asserts all Command fields which it is configured to support, and that have the
Validity Bits set to valid in the Locomotive Command Message (650). [9.2 Exception
Flow B: Failure to apply Controlling Application Command Critical Fault][10.3
Recovery Flow C: Failure to apply Command Non-Critical Fault][9.4 Exception
Flow D: Simultaneous Throttle and DB command]
6. LCCM cuts out the train lines, disables Distributed Power control and drives propulsion
commands via LCCM.
7. LCCM will slew discontinuous throttle commands using LCCM minimum slew rate as
required.
8. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Status fields are populated with current values
b. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
c. Validity bits for status fields that meet any of the following conditions are set to
invalid:
11
AAR LCCM Use Cases
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
d. Control fields are set to value being asserted by LCCM
e. Validity bits for all control fields being asserted by LCCM are set to valid (1)
f. Validity bits for all control fields NOT being asserted by LCCM are set to invalid
(0)
g. Command Control Field is set to Direct Control (4)
9. LCCM transmits the same Locomotive Command Response Message (750) to LDARS, if
the message has a change in Control field from the previous message.
10. Controlling Application verifies Locomotive Command Response Message (750) is valid.
11. Controlling Application Continues to send Locomotive Command Message (650) with
the Direct Control command at a minimum rate of 0.2 Hz and maximum rate of 5 Hz.
[9.7 Exception Flow G: Communication Loss Between Controlling Application and
LCCM In Direct Control]
12
AAR LCCM Use Cases
7.0
Exit
Identifier: UC 7
Description: Exit Command from Controlling Application drops the Controlling Application to
LCCM communication link and the LCCM transitions to the default state.
Preconditions: LCCM operating in Monitor Mode
Post-conditions: LCCM is in the default state. Controlling Application is still authenticated and
Class D link is still active.
Main Flow:
1. Controlling Application transmits Locomotive Command Message (650) with the
Command field set to Exit (5):
a. All other fields in the Locomotive Command Message (650) will be ignored when
the Command field is set to Exit
2. LCCM receives message and transmits a copy of the Locomotive Command Message
(650) to LDARS, if there was a change to any of the Command fields from the previous
message.
3. LCCM verifies Locomotive Command Message (650) is valid. [10.0 Recovery Flows
4. 10.1 Recovery Flow A: Invalid Command Provide by Controlling Application] [10.2
Recovery Flow B: Message Integrity Failure]
5. LCCM transitions to Exit state
6. LCCM ignores all Locomotive Command Messages (650), except for Exiting and LCCM
Response Rate commands.
7. Controlling Application stops sending Locomotive Command Messages (650) to LCCM
8. LCCM continues transmitting Locomotive Command Response Message (750) to
Controlling Application at the commanded rate
9. LCCM transmits the same Locomotive Command Response Message (750) to LDARS, if
the message has a change in Control field from the previous message.
10. LCCM determines communication loss with Controlling Application (after 5 seconds
without valid communication with Controlling Application)
11. LCCM terminates communication with Controlling Application and enters the default
state.
13
AAR LCCM Use Cases
8.0
Alternate Flow A: LCCM Discovery over Class D connection
Description: Controlling Application transmits Locomotive Command Module Status Request
Message over Class D link.
Precondition: The LCCM is prepared to receive messages on the Class D socket on Port 3600.
1. Controlling Application transmits Locomotive Command Module Status Request
message via the ICR over an EMP Class D link on port 3600 using the IP Address provided
by the ICR.
a. Controlling Application will communicate directly (not thru ICR) with the LCCM
on the lead locomotive
2. LCCM receives message and verifies message is valid
a. EMP Message ID 651
b. CRC-32 is valid
3. Within 1000 ms of receiving the Locomotive Command Module Status Request
message, the LCCM transmits a Locomotive Command Module Status via the ICR (LCCM
on lead locomotive will communicate directly to Controlling Application) over the EMP
Class D link on port 3600.
a. EMP Header Message Number field shall be populated with the EMP Header
Message Number received in the Locomotive Command Module Status Request
message
b. The LCCM shall populate the Manufacturer ID, Part number, Software Version
and Road Number values and set the validity bits to valid to indicate which fields
have valid data.
c. LCCM shall set the validity bits of all supported capabilities to valid.
4. Controlling Application verifies message is valid
a. EMP Message ID 751
b. CRC-32 is valid
5. Controlling Application processes LCCM status data
6. Steps 1 – 5 repeated for each LCCM Controlling Application wants to discover
14
AAR LCCM Use Cases
9.0 Exception Flows
9.1 Exception Flow A: Communication Loss Between Controlling Application
and LCCM
Description: LCCM fails to receive a valid Locomotive Command Message (650) within 5000
ms.
1. LCCM fails to receive valid Locomotive Command Message (650) within 5000 ms of the
previous valid Locomotive Command Message (650):
a. Controlling Application Message Integrity Failure Fault
i. HMAC integrity check failure
ii. Sequence number integrity check failure
b. Invalid Command Provided by Controlling Application
c. No receipt of Locomotive Command Message (650)
2. LCCM generates the following fault code “Communication Loss Between Controlling
Application and LCCM".
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
3. LCCM unestablishes the Control Heartbeat
4. LCCM idle down by reducing one throttle notch every 3000 ms to idle or continuing to
hold current DB command and alert engineer of fault via Bell.
5. If commanding Asynchronous DP mode, the LCCM leaves the DP commands in the last
state and commands the DP system to return the DP remote control buttons to the
operator screen.
6. LCCM logs fault code. (Recommended LCCM action)
7. Following a critical fault LCCM will NACK all Locomotive Command Messages (650):
a. Set all command validity bits to invalid (0).
b. Status fields are populated with current values
c. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
d. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
e. Command Control field set to idle Down / Hold DB
15
AAR LCCM Use Cases
8. LCCM returns propulsion control to cab controls once operator matches idle or DB
command with the Master Controller Handle and enters default state.
9. Once propulsion control is under cab control and LCCM is in the default state, the LCCM
ceases transmission of Locomotive Command Response Messages (750) and will now
respond to a valid Controlling Application command to transition to Monitor Mode.
10. LCCM remains in Default state until Controlling Application transmits valid Locomotive
Command Message (650) with the Command field set to Monitor mode (0).
11. Following a period of inactivity from Controlling Application, the LCCM will drop the
Class D connection
16
AAR LCCM Use Cases
9.2 Exception Flow B: Failure to apply Controlling Application Command
Critical Fault
Description: LCCM was unable to apply a critical command, resulting in critical fault.
1. LCCM determines a critical command was not applied:
a. Local Throttle
b. Train Line Throttle
c. Distributed Power
2. LCCM Generates Critical Fault Code(s) indicating which command(s) failed to be applied.
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
3. LCCM idle down by reducing one throttle notch every 3000 ms to idle or continuing to
hold current DB command and alerts engineer of fault via Bell.
4. LCCM logs fault code(s).
5. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Status fields populated with current values
b. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
c. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
d. Validity bits for all control fields being asserted by LCCM are set to valid
e. Validity bits for all control fields NOT being asserted by LCCM are set to invalid
(includes command fields for which fault occurred)
f. Number of fault codes set to number of faults and Fault Code Field set indicate
all current fault codes.
g. Command Control field set to idle Down / Hold DB
6. Controlling Application Verifies message is valid.
7. Following a critical fault LCCM will NACK all Locomotive Command Messages (650):
a. Set all command validity bits to invalid (0)
b. Current status values populated with most recent data (less than 1 second old
for speed data, and less than 2 seconds old for all other status fields)
c. Validity bits for all status fields with current values are set to valid (1)
d. Validity bits for any status fields without current values are set to invalid (0)
17
AAR LCCM Use Cases
e. Command Control field set to idle Down / Hold DB
8. LCCM returns propulsion control to cab controls once operator matches idle or DB
command with the Master Controller Handle.
9. Once propulsion control is under cab control, the LCCM will transition to the default
state and will now respond to a valid Controlling Application command to transition to
Monitor Mode. [9.5 Exception Flow E: Communication Loss Between Controlling
Application and LCCM]
18
AAR LCCM Use Cases
9.3
Exception Flow C: Failure to Meet Criteria to transition to Auto
Description: Locomotive fails to meet criteria to enable transition to Auto.
1. Controlling Application determines criteria to transition to Auto has not been met within
the defined time limit.
2. Controlling Application terminates Auto Engaging by sending Locomotive Command
Message (650) with Disengaging Auto command set.
3. Go to Disengage Auto Use Case Step #1.
19
AAR LCCM Use Cases
9.4
Exception Flow D: Simultaneous Throttle and DB command
Description: LCCM commanding throttle per Controlling Application Locomotive Command
Message (650) and the LCCM detects dynamic brake command from MC Handle.
1. LCCM detects DB command status while commanding throttle per Controlling
Application Locomotive Command Message (650).
2. LCCM enters Idle down / Hold DB state, drops load and holds DB command.
3. LCCM generates a Local Throttle fault & a Trainline Throttle fault.
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
4. LCCM returns propulsion control to cab controls once operator matches DB command
with the Master Controller Handle and enters default state.
20
AAR LCCM Use Cases
9.5 Exception Flow E: Communication Loss Between Controlling Application
and LCCM While in Monitor Mode
Description: LCCM fails to receive a valid Locomotive Command Message (650) within 5000
milliseconds of the last valid Locomotive Command Message (650).
1. LCCM fails to receive valid Locomotive Command Message (650) within 5000 ms of the
last valid Locomotive Command Message (650):
a. Controlling Application Message Integrity Failure Fault
i. HMAC integrity check failure
ii. Sequence number integrity check failure
b. Invalid Command Provided by Controlling Application
c. No receipt of Locomotive Command Message (650)
2. LCCM generates the following fault code “Communication Loss Between Controlling
Application and LCCM”.
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
3. LCCM logs fault code. (Recommended LCCM action)
4. LCCM enters Default state (No communication with Controlling Application, EMP Class D
link still established).
5. LCCM remains in Default state until Controlling Application transmits valid Locomotive
Command Message (650) with the Command field set to Monitor mode (0).
6. Following a period of inactivity from Controlling Application, the LCCM will drop the
Class D connection
21
AAR LCCM Use Cases
9.6 Exception Flow F: Failure of LCCM to Authenticate Controlling
Application
Description: LCCM does not authenticate Controlling Application, because the Controlling
Application OPK key is not on LCCM OPK list.
1. LCCM fails to authenticate Controlling Application due to invalid OPK.
2. LCCM transmits Authentication Data Response Message with Authentication Status set
to Authentication Rejected.
3. LCCM closes the Class D socket connection.
4. Controlling Application Class D link dropped.
5. LCCM sends data to event recorder.
6. LCCM re-opens TCP Port 3600 and listens for Class D socket request from Controlling
Application.
22
AAR LCCM Use Cases
9.7 Exception Flow G: Communication Loss Between Controlling Application
and LCCM In Direct Control
Description: LCCM fails to receive a valid Locomotive Command Message (650) within 5000
ms.
1. LCCM fails to receive valid Locomotive Command Message (650) within 5000 ms of the
previous valid Locomotive Command Message (650):
a. Controlling Application Message Integrity Failure Fault
i. HMAC integrity check failure
ii. Sequence number integrity check failure
b. Invalid Command Provided by Controlling Application
c. No receipt of Locomotive Command Message (650)
2. LCCM Generates the following fault code “Communication Loss Between Controlling
Application and LCCM”.
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
3. LCCM unestablishes the Control Heartbeat
4. LCCM transitions to train lines by adjusting one throttle notch every 3000 ms to train
line match and alert engineer of fault via Bell.
5. LCCM logs fault code. (Recommended LCCM action)
6. Following a critical fault LCCM will NACK all Locomotive Command Messages (650):
a. Set all command validity bits to invalid (0).
b. Status fields populated with current values
c. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
d. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
e. Command Control field set to idle Down / Hold DB
7. LCCM transitions to the default state, ceases transmission of Locomotive Command
Response Messages (750) and will now respond to a valid Controlling Application
command to transition to Monitor Mode.
8. Following a period of inactivity from Controlling Application, the LCCM will drop the
Class D connection
23
AAR LCCM Use Cases
24
AAR LCCM Use Cases
10.0 Recovery Flows
10.1 Recovery Flow A: Invalid Command Provide by Controlling Application
Description: Locomotive Command Message (650) request invalid mode transition, or contains
in an invalid command.
1. LCCM determines Command is invalid:
a. Mode transition requested by Locomotive Command Message (650) is not
allowed see Appendix A: LCCM State Transition Diagram
b. Unsupported Command (Simultaneous DB and Throttle)
c. Failure to provide a valid Local Throttle Command when in Auto Engage, Auto, or
Auto Disengage
d. Failure to provide a valid Local Throttle Command or a Valid Train Line Throttle
Command when in Direct Control
2. LCCM continues to operate based on the periodic reception of a valid Locomotive
Command Message (650) from Controlling Application (mechanism referred to as
control heartbeat) and will stop when it detects a loss of heatbeat (timeout).
3. LCCM generates the following fault code “Invalid Command Provided by Controlling
Application”
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
4. LCCM logs fault code. (Recommended LCCM action)
5. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Incremented EMP sequence number
b. Number of fault codes set to 1 and Fault Code Field set to Invalid Command
Provided by Controlling Application Fault code
c. Status fields populated with current values
d. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
e. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
f. Validity bits for all control fields set to invalid
6. Controlling Application Receives Locomotive Command Response Message (750) and
verifies integrity.
25
AAR LCCM Use Cases
7. Controlling Application repeats the command at a minimum rate of 0.2 Hz and
maximum rate of 5 Hz.
8. Continue in Monitor Mode Step #3, Engage Auto Main Flow Step #1.c, or Disengage
Auto Step #3.
26
AAR LCCM Use Cases
10.2 Recovery Flow B: Message Integrity Failure
Description: Message integrity check fails. Message HMAC, or sequence number, did not pass
integrity check.
1. LCCM determines either HMAC or Sequence Number is invalid.
2. LCCM continues to operate based on the last valid Locomotive Command Message
(650).
3. LCCM generates the following fault code “Controlling Application Message Integrity
Failure”.
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
4. LCCM logs fault code. (Recommended LCCM action)
5. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Number of fault codes set to 1 and Fault Code Field Set to the Controlling
Application Message Integrity Failure Fault code.
b. Status fields populated with current values
c. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
d. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
e. Validity bits for all control fields set to invalid
f. Command Control field set to last valid Command
6. Controlling Application Receives Locomotive Command Response Message (750) and
verifies integrity.
7. Controlling Application repeats the command at a minimum rate of 0.2 Hz and
maximum rate of 5 Hz for each Locomotive Command Message (650) sent.
8. Continue in Monitor Mode Main Flow Step #3 or Engage Auto Main Flow Step #1.c or
Disengage Auto Step #3.
27
AAR LCCM Use Cases
10.3 Recovery Flow C: Failure to apply Command Non-Critical Fault
Description: LCCM was unable to apply a non-propulsion control command, resulting in noncritical fault.
1. LCCM determines a non-propulsion control command was not applied
2. LCCM Generates Non-Critical Fault Code(s) indicating which command(s) failed to be
applied.
a. Fault code shall remain active until the conditions which generated the fault no
longer exist or 5000 ms, whichever is longer.
3. LCCM continues to operate based on the last received valid Locomotive Command
Message (650) from Controlling Application.
4. LCCM logs fault code(s).
5. The LCCM transmits a Locomotive Command Response Message (750), at the status
update rate configured in the most recent Locomotive Command Message (650):
a. Status fields populated with current values
b. Validity bits for all status fields with current values are set to valid
i. Current value defined as less than 1 second old for speed data, and less
than 2 seconds old for all other status fields
c. Validity bits for status fields that meet any of the following conditions are set to
invalid:
i. Unsupported statuses
ii. Statuses which are not current
iii. Statuses detected as not accurate
d. Validity bits for all control fields being asserted by LCCM set to valid
e. Validity bits for all control fields NOT being asserted by LCCM set to invalid
(includes command fields for which fault occurred)
f. Number of fault codes set to number of faults and Fault Code Field set indicate
all current fault codes
6. Controlling Application Verifies message is valid.
7. Controlling Application repeats the auto engage command at a minimum rate of 0.2 Hz
and maximum rate of 5 Hz.
8. Continue in Engage Auto Main Flow Step #1.c or Disengage Auto Step #3.
28
AAR LCCM Use Cases
Appendix A: LCCM State Transition Diagram
LCCM State Transition Diagram
Nominal State Transition
Fault State Transition
T6D
Transition
TD0
T0D
T02
T04
T05
T13
Description
Controlling Application system has 1) established a Class D connection, 2) been successfully authenticated, AND 3)
sent a valid Locomotive Command Message (650) with the Command field set to 0: Monitor Mode.
7: Train Line Match
T7D
4: Direct Control
Unexpected Comm Loss with Controlling Application while in Monitor Mode. Comm Loss is defined as a lack of valid
heartbeat control messages, even if the Class D socket connection remains open.
T04
T47
T40
T02
Receipt of valid Locomotive Command Message (650) with the Command field set to 2: Engage Auto while in the
Monitor Mode state
T26
2: Auto Engaging
D: Default
Receipt of valid Locomotive Command Message (650) with the Command field set to 4: Direct Control while in the
Monitor Mode state
0: Monitor Mode
T23
T0D
T30
Receipt of valid Locomotive Command Message (650) with the Command field set to 5: Exit while in the Monitor
Mode state. Controlling Application transmits Exit command when it is preparing to drop the Class D connection
with LCCM.
Receipt of valid Locomotive Command Message (650) with the Command field set to 3: Disengage Auto while in the
Auto Engaged state.
T16
LCCM detects a critical fault or loss of control heartbeat while in the Auto Engaged state.
T21
Receipt of valid Locomotive Command Message (650) with the with the Command field set to 1: Auto Mode while in
the Auto Engaging state.
T23
Receipt of valid Locomotive Command Message (650) with the Command field set to 3: Disengage Auto while in the
Auto Engaging state.
T26
LCCM detects a critical fault or loss of control heartbeat while in the Auto Engaging state.
T30
Receipt of valid Locomotive Command Message (650) with the Command field set to 0: Monitor Mode while in the
Auto Disengaging state.
T36
LCCM detects a critical fault or loss of control heartbeat while in the Auto Disengaging state.
T40
Receipt of valid Locomotive Command Message (650) with the Command field set to 0: Monitor Mode while in the
Direct Control state.
T47
LCCM detects a critical fault or loss of control heartbeat while in the Direct Control state. LCCM will slew control to
match the train lines, and then revert to cab control.
T5D
Controlling Application drops the Class D socket connection or stops sending Locomotive Command Messages (650)
while in the Exiting state.
T6D
LCCM detects that the Master Controller handle has been moved to idle (in motoring) or to match or exceed the last
dynamic brake command (in braking).
T7D
LCCM has slewed controls to match the train lines and reverted to cab control.
29
T5D
T05
T16
T21
TD0
1: Auto Engaged
6: Idle Down / Hold DB
T13
3: Auto Disengaging
T23
T36
5: Exiting
State
D: Default
Description
Default LCCM state. LCCM will be in this state on power up, after transitioning out of an error state, or
upon loss of control heartbeat when in Monitor Mode. In the default state, LCCM may or may not be
connected to Controlling Application via a Class D socket connection. The only transition out of the
default state is via a valid Monitor Mode command from an authenticated Controlling Application
system. When in the default state, LCCM will ignore Locomotive Command Messages (650) until it
receives a valid Monitor Mode command from Controlling Application.
0: Monitor Mode
1: Auto Engaged
2: Auto Engaging
3: Auto
Disengaging
4: Direct Control
5: Exiting
6: Idle Down /
Hold DB
Monitor Mode state commanded by Controlling Application via the Monitor Mode Command
Auto Engaged state commanded by Controlling Application via the Auto Mode Command
Auto Engaging state commanded by Controlling Application via the Engage Auto Command
Auto Disengaging state commanded by Controlling Application via the Disengage Auto Command
7: Train Line
Match
LCCM error state upon detection of a critical fault or loss of control heartbeat while in the Direct
Control state. LCCM will automatically transition from this state back to the default state once it has
slewed the controls to match the train lines and transitioned back to cab controls.
Direct Control state commanded by Controlling Application via the Direct Control Command
Exiting state commanded by Controlling Application via the Exit Command
LCCM error state upon detection of a critical fault or loss of control heartbeat while in the Auto
Engaging, Auto Engaged, or Auto Disengaging states. LCCM will automatically transition from this state
back to the default state once the Master Controller has been moved to idle (in motoring) or has
matched (or exceeded) the currently applied dynamic brake settings (in braking). When in this state,
LCCM will respond to command messages with current status, but will not implement further
commands from Controlling Application.
AAR LCCM Use Cases
Appendix B: LCCM Asynchronous Messaging Sequence Diagram
EM
After successful authentication,
EM initiates the control heartbeat
by sending a valid Locomotive
Command Message to command
the LCCM to Monitor Mode. LCCM
will respond with a periodic
Locomotive Command Response
message every 1000 ms unless
commanded by EM to transmit at
a different rate (valid range: 2005000 ms).
M-9155
LCCM
EM Authentication : Success
Loco Command Msg (Monitor Mode)
Loco Command Response Msg
Loco Command Response Msg
To keep the socket connection
alive, EM must send a Locomotive
Command Message at a minimum
rate of 5000 ms between
messages (0.2 Hz) and a maximum
rate of 200 ms between messages
(5.0 Hz). If there are no command
changes, EM should repeat the
previous command with a new
message sequence number.
The rate of Locomotive Command
Messages from EM may be
variable as needed, within the
allowable timing constraints of
200-5000 ms between messages.
Loco Command Msg
Loco Command Response Msg
Loco Command Msg
Loco Command Response Msg
Loco Command Response Msg
Loco Command Msg
LCCM Asynchronous Messaging
30
LCCM Command
Response Period
Min: 200 ms
Max: 5000 ms
Default: 1000 ms
Rate defined by EM
in Locomotive
Command message
(650)
LCCM will declare a comm loss
fault if a valid Locomotive
Command Message is not
received from EM at the
minimum rate of every 5000 ms
(0.2 Hz)