DK3074293T3 - PROCEDURE FOR TROUBLESHOOTING IN A SIGNAL POST COMPUTER SYSTEM AND SIGNAL POST COMPUTER SYSTEM - Google Patents


Info

Publication number
DK3074293T3
Authority
DK (Denmark)
Application number
DK15700439.1T
Other languages
Danish (da)
Inventor
Thomas Gehrke
Original assignee
Siemens AG
Priority date
2014-01-29
Filing date
2015-01-09
Publication date
2018-04-30
Status
Granted


Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L25/00 Recording or indicating positions or identities of vehicles or trains or setting of track apparatus
    • B61L25/06 Indicating or recording the setting of track apparatus, e.g. of points, of signals
    • B61L25/08 Diagrammatic displays
    • B61L19/00 Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06 Interlocking devices having electrical operation
    • B61L2019/065 Interlocking devices having electrical operation with electronic means

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Safety Devices In Control Systems (AREA)
  • Debugging And Monitoring (AREA)

Description

The invention relates to a method for revealing errors in a signal-box computer system having an operating channel, the input signals of which represent state indications of a railway safety system that are secure with regard to signalling and the output signals of which are designed for the operation of at least one element, for example a light signal, of the railway safety system and are visualised on a display, as well as a signal-box computer system for performing the method.
As part of auxiliary operations in the signal-box computer system it must be ensured that the basis for a decision, i.e. the indication view on the display that is shown to the operator, corresponds to the actual status of the railway safety installation. The primary aim of the auxiliary operation is to offer the operator as secure as possible a basis for a decision in critical situations. Display protection in this case is based in principle on the comparison of two images, namely the image on the display that is made available to the operator, and the image of a reference system which generates the same display.
In a known system of this type an operating channel and a reference channel are provided to this end. These computer channels process the information from the railway safety system, which represents a secure indication source, for example an ESTW - electronic interlocking. The operating channel and the reference channel are identical in terms of their input signals and algorithms used. In error-free signal processing the reference image of the reference channel and the status image of the operating channel match. To establish this match, checksums are determined in both channels and are transmitted to the secure indication source for comparison as part of the auxiliary operation.
In this known method the full display image is checked with pixel-precise accuracy. Consequently a significantly larger image region than necessary is checked, and errors in a less relevant or even irrelevant region of the display can prevent a command from being released. A further disadvantage, beyond the background test of all pixels, is the considerable effort required for the checksum comparison, which places very high SIL demands on the individual systems. The SIL levels are defined in the CENELEC standard EN 50129, from SIL 0 (not safe in terms of signalling) to SIL 4 (the highest level of signalling safety).
Furthermore the screen sizes for status image and reference image must be identical, so that it is not possible to zoom during the auxiliary operation. A method and a system according to the precharacterising clauses of the independent claims are known from document WO 2011 154 343 A2.
The object of the invention is to specify a method and a signal-box computer system of the generic type which reveal errors with a high level of safety while tolerating irrelevant pixel errors, which have higher availability, and which minimise the SIL requirements.
According to the invention the object is achieved by the method according to claim 1.
The object is also achieved with an inventive signal-box computer system according to claim 2.
In this way the operator is given a secure basis for decision. Compared with the known solution, which reads out the complete screen contents and back-calculates them into a process image, the safety method is significantly simpler and tolerates insignificant pixel errors: the entire screen contents are no longer back-calculated, and only the current state changes are transmitted in machine-readable form on an optical path, preferably as QR codes, and traced in this way.
The system development costs are reduced, since the SIL requirements are largely relocated into the reference system as an autonomous component. In the ideal case only SIL 0 is necessary for the operating channel, and for the reference system an SIL below 4, depending on the safety required for the overall system. A clearer division between safe and non-safe functionality is thus achieved. Furthermore the inventive solution also permits zooming, as the QR code carries state information that does not depend on the image scale used.
Since the reference system only evaluates the image portion of the text pixels or graphics pixels that is significant for the element status displayed, the method overall is significantly less prone to pixel errors than the known method. As a result the availability of the signal-box system is increased.
It is further advantageous that the software of the operating channel can be replaced more easily because of its low safety integrity level, without jeopardising the system certification. A further advantage is that the function of the workstation need be extended only slightly for the output of the state changes in the form of QR codes. It is however also possible to retain the workstation unchanged and to display the QR code on a separate output device.
In a particularly preferable embodiment according to claim 3 it is provided that the readback channel is designed to output first checksums and the logic channel is designed to output second checksums. The two checksums are transferred by the reference system in the normal manner for the command release process to the secure indication source, for example an ESTW -Electronic Interlocking - or an ETCS - European Train Control System - in order to be compared with one another there.
The invention is explained in greater detail below with reference to the figure, which shows the essential modules of an inventive signal-box computer system.
Instead of the known, essentially identical computer channels, a workstation computer acting as an operating channel 1 and a reference system 2 are provided, that use very different algorithms for very different tasks.
The operating channel 1 generates a process image 4 from messages of a railway safety system 3 that are secure with regard to signalling, by means of the configured signal-box logic; this process image 4 is conditioned to visualise a corresponding text and/or graphics display on a display 5. An operation such as setting a light signal from STOP to PROCEED must be embodied as an auxiliary operation, because otherwise the signal box would violate its safety rules. The auxiliary operation is sent by the operating channel 1 to the signal box.
Simultaneously with the initiation of the operation, the colour picture shown on the display 5 is checked by the reference system 2 for pixel errors and for errors in the signal processing of the operating channel 1. To this end the operation-specific state changes are first generated as QR (Quick Response) codes and are read by a QR code reader 7 of a readback channel 8 of the reference system 2. The corresponding image pixels are converted in a computer 9 into a machine-readable second process image 10, from which a first checksum is formed.
In a logic channel 11 of the reference system 2 a second checksum is formed from a process image 12 of that logic channel 11. Like the process image 4 of the operating channel, the process image 12 is formed directly from the configured signal-box logic and thus directly from the state indications of the railway safety system 3 that are secure with regard to signalling.
The checksums of the readback channel 8 and of the logic channel 11 are compared with one another by a comparator 13, which is preferably part of the region of the signal-box system that is secure with regard to signalling. Only if the two checksums match can it be assumed that the signal processing in the operating channel 1 has been executed without error and the display 5 in the relevant pixel regions is error-free, so that the release of the command can take place. In this safety method the pixel regions of the display 5 that are not needed for current operations handling are ignored, thereby resulting in a very high availability of the overall system.
The interplay of the operating channel 1 and the reference system 2, with its two independent channels 8 and 11 for pixel evaluation and process evaluation, results in a high level of signalling safety, while the operating channel 1, secured by the reference system 2, can have safety level SIL 0. The functional scope with SIL greater than 0 is thus restricted to the reference system 2 and, in respect of the overall system, can be significantly reduced compared with the known embodiment.
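The scheme described in the paragraphs above (operating channel, readback channel, logic channel, comparator), together with the full-screen checksum of the known method it replaces, as an added simulation. This is not code from the patent or from Siemens. It assumes a minimal bit-matrix region as a stand-in for the QR code (one byte per row, one pixel per bit, no error correction), CRC-32 as the checksum, a 64x48 pixel display with the code region at a fixed position, and constructed sample state messages; all of these are illustrative choices, not taken from the page.

```python
"""Added simulation of the display-protection scheme; not code from the patent
or from Siemens.  Assumptions: the QR code is replaced by a minimal bit-matrix
region (one byte per row, one pixel per bit), CRC-32 stands in for the
checksums, and the interlocking state messages are constructed sample data."""
import zlib

# Constructed state indications from the railway safety system (3).
SAFE_STATE_MESSAGES = {"N7": "STOP", "N8": "STOP", "W3": "LEFT"}

W, H = 64, 48            # display (5) size in pixels (assumption)
CODE_X, CODE_Y = 48, 16  # top-left corner of the machine-readable region (assumption)


def operation_specific_change(state, operation):
    """Element-specific data for one operation, e.g. 'N7:STOP->PROCEED'."""
    element, new = operation
    return f"{element}:{state[element]}->{new}"


def render_display(state, operation):
    """Operating channel (1): status picture plus the coded state change.
    Only the code region matters to the reference system; everything else is
    'irrelevant' pixel data from its point of view."""
    px = [[0] * W for _ in range(H)]
    # Crude status picture: a 4x4 block per element, lit when not at STOP.
    for col, elem in enumerate(sorted(state)):
        for y in range(2, 6):
            for x in range(2 + 6 * col, 6 + 6 * col):
                px[y][x] = 0 if state[elem] == "STOP" else 1
    payload = operation_specific_change(state, operation).encode()
    for r, b in enumerate(bytes([len(payload)]) + payload):  # row 0 = length
        for i in range(8):
            px[CODE_Y + r][CODE_X + i] = (b >> (7 - i)) & 1
    return px


def readback_channel(px):
    """Readback channel (8): decode only the code region and return its
    checksum, or None if the region is unreadable (treated as a mismatch)."""
    def row(r):
        bits = px[CODE_Y + r][CODE_X:CODE_X + 8]
        return sum(b << (7 - i) for i, b in enumerate(bits))
    n = row(0)
    if n >= H - CODE_Y:
        return None
    return zlib.crc32(bytes(row(1 + r) for r in range(n)))


def logic_channel(state, operation):
    """Logic channel (11): checksum over an independent process image (12)
    derived from the safe state messages, never from the display."""
    return zlib.crc32(operation_specific_change(state, operation).encode())


def comparator(c_readback, c_logic):
    """Comparator (13): release the command only if both checksums match."""
    return c_readback is not None and c_readback == c_logic


def release_command(px, state, operation):
    return comparator(readback_channel(px), logic_channel(state, operation))


def known_method_release(px, reference_px):
    """The prior method: pixel-precise checksum over the whole screen."""
    def flat(p):
        return bytes(b for r in p for b in r)
    return zlib.crc32(flat(px)) == zlib.crc32(flat(reference_px))


def flip(px, x, y):
    """Inject a single stuck/flipped pixel."""
    out = [r[:] for r in px]
    out[y][x] ^= 1
    return out


def scenarios():
    op = ("N7", "PROCEED")
    good = render_display(SAFE_STATE_MESSAGES, op)
    irrelevant = flip(good, 3, 3)                 # error in the status picture
    in_code = flip(good, CODE_X + 2, CODE_Y + 5)  # error inside the code region
    # Faulty operating channel: its own state copy disagrees with the safe messages.
    faulty = render_display({**SAFE_STATE_MESSAGES, "N7": "PROCEED"}, op)
    return {
        "ok": release_command(good, SAFE_STATE_MESSAGES, op),
        "irrelevant_pixel_new": release_command(irrelevant, SAFE_STATE_MESSAGES, op),
        "irrelevant_pixel_known": known_method_release(irrelevant, good),
        "code_pixel": release_command(in_code, SAFE_STATE_MESSAGES, op),
        "faulty_channel": release_command(faulty, SAFE_STATE_MESSAGES, op),
    }


if __name__ == "__main__":
    for name, released in scenarios().items():
        print(f"{name:24s} release={released}")
```

The five scenarios show the availability argument of the description: a pixel fault in the status picture blocks the command under the whole-screen check but not under the region-specific check, while a fault inside the coded region or a wrong state copy in the operating channel blocks it under both. Note that a CRC is a safety measure against random faults, not a keyed integrity check; the assurance of the scheme rests on the readback channel and the logic channel being independent and on the comparator sitting in the signalling-safe region, exactly as the description requires.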

Claims (3)

1. Method for revealing errors in a signal-box computer system having an operating channel (1), the input signals of which represent state indications from a railway safety system (3) that are secure with regard to signalling, and the output signals of which are designed for the operation of at least one element, e.g. a light signal, of the railway safety system (3) and are visualised on a display (5), characterised in that, when an operation of the element is initiated, only operation-specific state changes are generated as optically coded, in particular QR (Quick Response) coded, element-specific pixel data on the display (5), are read by a readback channel (8) and are compared with element-specific data from a process image (12) of the state indications that are secure with regard to signalling.
2. Signal-box computer system with error revelation, wherein the signal-box computer system has an operating channel (1), the input signals of which represent state indications from a railway safety system (3) that are secure with regard to signalling, and the output signals of which are designed for the operation of at least one element, e.g. a light signal, of a railway safety system (3), a display on which the output signals of the operating channel (1) are visualised, a comparator (13) and a reference system (2), characterised in that the signal-box computer system is designed, when an operation of the element is initiated, to generate only operation-specific state changes as optically coded element-specific pixel data on the display (5), and the reference system (2) has a readback channel (8) for reading optically coded, in particular QR (Quick Response) coded, element-specific pixel data on the display (5) and a logic channel (11) for generating a process image (12) of the state indications from the railway safety system (3) that are secure with regard to signalling, wherein the readback channel (8) and the logic channel (11) are connected to the comparator (13).
3. Signal-box computer system according to claim 2, characterised in that the readback channel (8) is designed to output first checksums and the logic channel (11) is designed to output second checksums.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102014201551.0A DE102014201551A1 (en) 2014-01-29 2014-01-29 Method for error disclosure in a interlocking computer system and interlocking computer system
PCT/EP2015/050296 WO2015113792A2 (en) 2014-01-29 2015-01-09 Method for revealing errors in a signal-box computer system, and signal-box computer system

Publications (1)

Publication Number Publication Date
DK3074293T3 true DK3074293T3 (en) 2018-04-30

Family

ID=52354961

Family Applications (1)

Application Number Title Priority Date Filing Date
DK15700439.1T DK3074293T3 (en) 2014-01-29 2015-01-09 PROCEDURE FOR TROUBLESHOOTING IN A SIGNAL POST COMPUTER SYSTEM AND SIGNAL POST COMPUTER SYSTEM

Country Status (7)

Country Link
EP (1) EP3074293B1 (en)
DE (1) DE102014201551A1 (en)
DK (1) DK3074293T3 (en)
ES (1) ES2671422T3 (en)
HU (1) HUE039139T2 (en)
NO (1) NO2696690T3 (en)
WO (1) WO2015113792A2 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
PT3549841T (en) * 2018-04-06 2022-06-29 Thales Man & Services Deutschland Gmbh Train traffic control system and method for carrying out safety critical operations within a train traffic control system
RS63339B9 (en) * 2018-04-06 2022-11-30 Thales Man & Services Deutschland Gmbh Train traffic control system and method for safe displaying a state indication of a route and train control system
DE102019208925A1 (en) * 2019-06-19 2020-12-24 Siemens Mobility GmbH Procedure for generic display security and operating system
DE102019208924A1 (en) * 2019-06-19 2020-12-24 Siemens Mobility GmbH Input procedure for safety-critical operating commands and operating system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CH683953A5 (en) * 1992-04-30 1994-06-15 Siemens Integra Verkehrstechni Procedure to improve the signal-related safety of the user interface of a data processing system.
DE4332143A1 (en) * 1993-09-17 1995-03-23 Siemens Ag Process for operating a visual display device and devices for carrying out the process
DE19703574A1 (en) * 1997-01-31 1998-08-06 Alsthom Cge Alcatel Process for the safe display of an image on a monitor
DE102010023891A1 (en) * 2010-06-11 2011-12-15 Siemens Aktiengesellschaft Method and device for detecting a faulty display of image data on a display unit
DE102012212386A1 (en) * 2012-07-16 2014-01-16 Siemens Aktiengesellschaft Process image of a technical plant
DE102012221714A1 (en) * 2012-11-28 2014-05-28 Siemens Aktiengesellschaft Method for fault disclosure in interlocking computer system with control channel, involves comparing pixel data of display with process data of process image of state information of reference system for display-protection

Also Published As

Publication number Publication date
WO2015113792A3 (en) 2015-09-24
DE102014201551A1 (en) 2015-07-30
EP3074293B1 (en) 2018-02-28
ES2671422T3 (en) 2018-06-06
HUE039139T2 (en) 2018-12-28
NO2696690T3 (en) 2018-03-03
WO2015113792A2 (en) 2015-08-06
EP3074293A2 (en) 2016-10-05
