EP3686080B1 - Method for securely operating a railway engineering system and network node of a data network - Google Patents


Info

Publication number
EP3686080B1
Authority
EP
European Patent Office
Prior art keywords
state
input
distributed database
stored
network node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP20150501.3A
Other languages
German (de)
French (fr)
Other versions
EP3686080C0 (en)
EP3686080A1 (en)
Inventor
Stephan Griebel
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Mobility GmbH
Original Assignee
Siemens Mobility GmbH

Classifications

    • B: Performing operations; transporting
    • B61: Railways
    • B61L: Guiding railway traffic; ensuring the safety of railway traffic
    • B61L15/00: Indicators provided on the vehicle or vehicle train for signalling purposes; on-board control or communication systems
    • B61L15/0072: On-board train data handling
    • B61L27/00: Central railway traffic control systems; trackside control; communication systems specially adapted therefor
    • B61L27/40: Handling position reports or trackside vehicle data

Definitions

  • the invention relates to a method for the safe operation of a railway system, in which the state of at least one route element of the railway system, or a value representative of that state, is stored.
  • the states of the elements of the outdoor interlocking equipment (field elements) are recorded. These elements are, for example, light signals, points, axle counters and the like. A defined state of such an element is, for example, the signal aspect displayed or the point position set.
  • the states of the elements of the outdoor interlocking equipment are recorded and, for example, verified for safe operation or safe display.
  • the states of the elements serve, for example, as the basis for safe route setting by the interlocking computers and for safe display in the interlocking computers. For safe operation and display it must be ensured that the operator, for example a dispatcher, is shown only the states that are actually set. Since incorrect information about the states could have serious consequences for the operator, considerable effort may have had to be expended until now to guarantee safe operation.
  • a distributed database, also known as distributed ledger technology, is a database distributed across multiple locations, regions or participants. All participants in this decentralized database can view all records. The technology provides an auditable history of all information stored in the respective records.
  • each participant processes and verifies a transaction or piece of information, thereby creating a record of that item and creating a consensus as to its veracity.
  • a distributed database can be embodied in one of several ways, for example as a blockchain.
  • a blockchain i.e. a block chain, is usually understood to be a continuously expandable list of data records called blocks, which are linked together using cryptographic processes. Each block typically contains a cryptographically secure hash value of the previous block and, if necessary, a time stamp and other transaction data.
  • the blockchain is generated by a so-called miner and distributed to all participants in the distributed database.
  • if the state of a route element changes, the changed state, or the value of the route element representative of the changed state, is stored in the distributed database according to the invention in such a way that the change is recognizable, at least within sufficient time.
  • Each new record of a changed state contains a current timestamp, which makes it easy to recognize a change from an earlier point in time.
  • a blockchain is used as a distributed database, the changed state can be appended to the existing blockchain in a new block and distributed to all participants. The old states can still be read out in the previous blocks.
  • the operation is requested by at least one first input and a second input later than the first, made by at least one operator, and the operation is executed only if the state stored in the distributed database, or the value representative of the state of the route element, has not changed between the first input and the second input.
  • the first input is made at the beginning of an operator action and the second input concludes the operator action.
  • This embodiment ensures that the states of the route elements have not changed during the operator action. If a change is found between the first and second input, the execution of the operator action can be blocked and a new check by the operator can be requested.
  • the status or the representative value of the status can be stored in a blockchain.
  • Blockchain technology is a special embodiment of a distributed database in which changed states are stored and distributed in a block of the blockchain.
  • a blockchain offers a very high level of security, because blocks holding the states cannot be altered afterwards without breaking the hash chain that later blocks carry, and is therefore very trustworthy.
  • the state stored in the distributed database, or its representative value, can be verifiable by means of a proof-of-authority method, in particular by means of a PKI (public key infrastructure).
  • the PKI makes it possible to check whether the stored state or states were set by a trusted participant, namely the miner.
  • one specific computer can be authorized to create new blocks. That computer uses its PKI credentials when it creates a block, so the other computers in the data network can recognize from the PKI that the authorized, trusted computer created the data.
  • the invention also relates to a network node of a data network in a railway system with at least one memory having the features of claim 4.
  • the network node is designed as part of a distributed database in which the state of at least one route element of the railway system, or a value representative of that state, is stored, and the network node is designed to store a changed state, or a value of the route element representative of the changed state, in the distributed database in such a way that the change can be recognized.
  • the network node is designed for operating the railway system by at least one first input and a second input later than the first, made by at least one operator, the operation being carried out only if no change in the state or in the representative value of the state of the route element was detected between the first input and the second input.
  • the invention also relates to a railway system with at least one data network, having the features of patent claim 5.
  • the data network has at least one network node.
  • the route elements 3 are here, for example, part of the outdoor interlocking equipment.
  • the route elements 3 can be, for example, light signals, points, axle counting devices, track circuits or the like.
  • the railway system 1 also includes various network nodes 4 which are connected to one another and form the data network 2 .
  • the network nodes 4 in turn are formed by various computing devices, such as an operating and display computer 5, an interlocking computer 6 and several element computers 7.
  • the operating and display computer 5 is arranged, for example, in a control center of the railway system 1 and controls the display of the railway system 1 in this control center.
  • the interlocking computer 6 handles the usual interlocking tasks, and the element computers 7 are part of the route elements and, for example, also control them.
  • the network nodes 4 together form a distributed database 8, which is a blockchain here, for example, which is distributed to each network node.
  • the blockchain is therefore available on all network nodes 4 .
  • the method according to the invention for operating the system 1 is described below. During operation of the railway system 1, the states of the route elements 3 change continuously. Each time the state of a route element 3 changes, the new, current state is passed from the route elements 3, in particular from their element computers 7, to the interlocking computer 6.
  • in the exemplary embodiment of Fig. 1, the interlocking computer 6 is designed to create a new block of the blockchain for the new, changed state of the route element 3.
  • the interlocking computer 6 thus takes on the role of the so-called miner, which creates or computes new blocks of the blockchain, appends them to the existing blockchain and distributes them.
  • to keep the effort of creating the new block low and to create it as quickly as possible, the interlocking computer 6 verifies the new block using the proof-of-authority method. A PKI (public key infrastructure) in particular is used for this: the interlocking computer 6 validates the new block with its own key, so every other node can check the block against that key rather than recomputing any work.
  • by using the proof-of-authority method, the interlocking computer 6 can create and distribute the new block with the changed state of the route element 3 within a relatively small time window of, for example, at most 5 seconds. This is an advantage over the alternative proof-of-work method, which would require more computing power and time.
  • the current state, i.e. the new blockchain, is then distributed to all network nodes 4.
  • the current states of the route elements 3 are thus always held in the blockchain and can be read out by all network nodes 4. When a state changes, the current state is stored in the blockchain together with the current time; that is, the new state goes into a new block and is distributed as a new or updated blockchain.
  • the operating and display computer 5 in the control center of the railway system graphically displays the status of the route elements 3 for the operator.
  • the operator is, for example, a dispatcher.
  • Fig. 2 shows this graphical display with reference numeral 9.
  • the state of the route elements 3 at the respective point in time is shown in Fig. 2 with reference numeral 10.
  • the blockchain of the distributed database 8, with the history of the various states of the route elements 3 stored in it, is shown with reference numeral 11.
  • the safe operation of the railway system 1 by an operator in the control center is shown schematically in Fig. 3.
  • the operator starts an operation of the railway system 1 that requires command release with a first input, for example a separate keystroke.
  • the operator enters the operation into the operating and display computer 5 and confirms it at the end of the operation, i.e. with a time delay, with a second input, for example again by pressing a separate key.
  • in step 13 of Fig. 3, the operating and display computer 5 and/or the interlocking computer 6 checks whether any of the states of the route elements 3 changed between the first and the second input.
  • the period between the first and second input is greater than 5 seconds and thus longer than the time window for creating a new block. This ensures that, if a state changes, a new block is computed, appended, signed and distributed before the second input is made, so a state change cannot go unnoticed; the guarantee rests on the block actually reaching the checking node within that window.
  • in step 14 of Fig. 3, the operation is executed if no state changed between the first and second input; if a state change was detected, the operation is rejected. The test steps previously required in the prior art are thus no longer necessary.
  • all network nodes 4 can check the respective states of the route elements 3 by accessing the blockchain.
  • the status information in the distributed database 8 can also be used for diagnostic purposes.
  • a diagnostic computer (not shown) can also be integrated into the data network 2 for this purpose.
  • the method according to the invention makes it possible to dispense with some of the test steps that are customary today when operating the railway system 1 and handling operator input, so that the implementation is considerably simpler and less complex. As shown in Fig. 3, only a few process steps are required for this.

Description

The invention relates to a method for the safe operation of a railway system, in which the state of at least one route element of the railway system, or a value representative of that state, is stored.

In a railway system that has, for example, outdoor interlocking equipment (field elements), the states of the elements of that outdoor equipment are recorded. These elements are, for example, light signals, points, axle counters and the like. A defined state of such an element is, for example, the signal aspect displayed or the point position set. The states of the elements of the outdoor interlocking equipment are recorded and, for example, verified for safe operation or safe display. The states of the elements serve, for example, as the basis for safe route setting by the interlocking computers and for safe display in the interlocking computers. For safe operation and display it must be ensured that the operator, for example a dispatcher, is shown only the states that are actually set. Since incorrect information about the states could have serious consequences for the operator, considerable effort may have had to be expended until now to guarantee safe operation.

The use of blockchain in the railway sector is known from Feras Naser, "Review: The potential use of blockchain technology in railway applications: an introduction of a mobility and speech recognition prototype", 2018 IEEE International Conference on Big Data (Big Data), 1 December 2018, pages 4516-4524.

It is therefore the object of the invention to provide a simplified method for the safe operation of a railway system of the type mentioned at the outset.

For the method mentioned at the outset, the object is achieved by the subject matter of patent claim 1.

This has the advantage that the information held in a distributed database is trustworthy and further checking of that information can be omitted. The effort required for safe operation can thereby be reduced, so that the procedures applied can be simplified.

A distributed database, also known as distributed ledger technology, is a database distributed across multiple locations, regions or participants. All participants in this decentralized database can view all records. The technology provides an auditable history of all information stored in the respective records. In a distributed database, each participant processes and verifies a transaction or piece of information, thereby creating a record of that item and establishing a consensus about its veracity. A distributed database can be embodied in one of several ways, for example as a blockchain. A blockchain, i.e. a chain of blocks, is usually understood to be a continuously extendable list of data records called blocks, which are linked to one another by cryptographic means. Each block typically contains a cryptographically secure hash value of the previous block and, where applicable, a timestamp and further transaction data. The blockchain is generated by a so-called miner and distributed to all participants in the distributed database.

Because of the security inherent in the design of a distributed database, distrust of the correctness of the stored states of the route elements can be dispensed with. The safeguarding procedures that were previously needed because of that distrust can therefore also be dropped, which simplifies the railway system as a whole. The state, or the value representative of it, is present at every participant of the distributed database in essentially the same form.

If the state of a route element changes, the changed state, or the value of the route element representative of the changed state, is stored in the distributed database according to the invention in such a way that the change is recognizable, at least within sufficient time. Each new record of a changed state contains a current timestamp, from which a change relative to an earlier point in time is easily recognizable. If a blockchain is used as the distributed database, the changed state can be appended to the existing blockchain in a new block and distributed to all participants. The old states remain readable in the previous blocks.

To ensure that the states have remained the same during an operator action, according to the invention the operation is requested by at least one first input and a second input later than the first, made by at least one operator, and the operation is executed only if the state stored in the distributed database, or the value representative of the state of the route element, has not changed between the first input and the second input. For example, the first input is made at the beginning of an operator action and the second input concludes it. This embodiment ensures that the states of the route elements have not changed during the operator action. If a change is detected between the first and second input, execution of the operator action can be blocked and a renewed check by the operator requested.

The solution according to the invention can be further developed by the advantageous embodiments described below.

In an advantageous embodiment, the state or its representative value can be stored in a blockchain. Blockchain technology is a special form of distributed database in which changed states are stored in a block of the blockchain and distributed. A blockchain offers very high security, because blocks holding the states cannot be altered afterwards without breaking the hash chain that later blocks carry, and is therefore very trustworthy.

To keep the effort of storing data in the distributed database, and in particular in the blockchain, as low as possible, the state stored in the distributed database, or its representative value, can be verifiable by means of a proof-of-authority method, in particular by means of a PKI (public key infrastructure). The PKI makes it possible to check whether the stored state or states were set by a trusted participant, namely the miner. For example, in a railway network one specific computer can be authorized to create new blocks. That computer uses its PKI credentials when it creates a block, so the other computers in the data network can recognize from the PKI that the authorized, trusted computer created the data.

The invention further relates to a network node of a data network in a railway system with at least one memory, having the features of patent claim 4. According to the invention, to achieve the object mentioned at the outset, the network node is designed as part of a distributed database in which the state of at least one route element of the railway system, or a value representative of that state, is stored, and the network node is designed to store a changed state, or a value of the route element representative of the changed state, in the distributed database in such a way that the change can be recognized. This has the advantage already described above that state changes in the distributed database are easily recognizable.

According to the invention, the network node is designed for operating the railway system by at least one first input and a second input later than the first, made by at least one operator, the operation being carried out only if, by reading from the distributed database, no change in the state or in the representative value of the state of the route element was detected between the first input and the second input. This has the advantage that it can be checked directly that the states of the route elements have not changed during an operator action by the operator, for example the dispatcher.

Finally, the invention also relates to a railway system with at least one data network, having the features of patent claim 5. According to the invention, the data network has at least one network node according to claim 4.

In the following, the invention is explained with reference to the accompanying drawings, which show:

Fig. 1: a schematic representation of an exemplary embodiment of the railway system according to the invention;
Fig. 2: a schematic representation of an exemplary embodiment of a method according to the invention for operating the system of Fig. 1;
Fig. 3: a further schematic representation of the exemplary embodiment of the method according to the invention from Fig. 2.

Fig. 1 shows a railway system 1 comprising a data network 2 and several route elements 3. The route elements 3 are here, for example, part of the outdoor interlocking equipment. The route elements 3 can be, for example, light signals, points, axle counting devices, track circuits or the like.

The railway system 1 further comprises various network nodes 4, which are connected to one another and form the data network 2. The network nodes 4 in turn are formed by various computing devices, such as an operating and display computer 5, an interlocking computer 6 and several element computers 7. The operating and display computer 5 is arranged, for example, in a control center of the railway system 1 and controls the display of the railway system 1 in that control center. The interlocking computer 6 handles the usual interlocking tasks, and the element computers 7 are part of the route elements and, for example, also control them.

Together, the network nodes 4 form a distributed database 8, which here is, for example, a blockchain that is distributed to every network node. The blockchain is therefore available on all network nodes 4.

The method according to the invention for operating the system 1 is described below:
During operation of the railway engineering system 1, the states of the track elements 3 change continuously. On every state change of a track element 3, the new, current state is passed on by the track elements 3, and in particular by the element computers 7, to the interlocking computer 6.

In the exemplary embodiment of Fig. 1, the interlocking computer 6 is designed to create a new block of the blockchain for the new, changed state of the track element 3. The interlocking computer 6 thus takes on the role of the so-called miner, which creates or computes new blocks of the blockchain, appends them to the existing blockchain and distributes them. In order to keep the effort of creating the new block low for the interlocking computer 6 and to create it as quickly as possible, the interlocking computer 6 verifies the new block using the proof-of-authority method. For this, in particular, a PKI (public key infrastructure) is used, and the interlocking computer 6 validates the new block with its own personal key. By using the proof-of-authority method, the interlocking computer 6 can create and distribute the new block containing the changed state of the track element 3 within a relatively small time window of, for example, at most 5 seconds. This is an advantage over the alternative proof-of-work method, which would require more computing capacity and time. The current state, i.e. the new blockchain, is then distributed to all network nodes 4. The current states of the track elements 3 are thus always held in the blockchain and can be read out by all network nodes 4. On a state change, the current state is stored in the blockchain together with the current time. That is, the new state goes into a new block and is distributed as a new or updated blockchain.

The operating and display computer 5 in the control centre of the railway engineering system displays the state of the track elements 3 graphically for the operator. In this case, the operator is, for example, a signaller.

Fig. 2 shows this graphical display with reference numeral 9. The state of the track elements 3 at the respective point in time is shown in Fig. 2 with reference numeral 10. In between, the blockchain of the distributed database 8, with the history of the various states of the track elements 3 stored in it, is shown with reference numeral 11.

The secure operation of the railway engineering system 1 by an operator in the control centre is shown schematically in Fig. 3. In the first method step 12 in Fig. 3, the operator starts a so-called command-release-required operation of the railway engineering system 1 by a first input, for example by a separate keystroke. The operator then enters the operation into the operating and display computer 5 and confirms it at the end of the operation, i.e. with a time delay, by a second input, for example again a separate keystroke. Then, in step 13 in Fig. 3, the operating and display computer 5 and/or the interlocking computer 6 checks whether one of the states of the track elements 3 has changed between the first and the second input. The period between the first and the second input is greater than 5 seconds and thus greater than the time window for creating a new block. This ensures that, in the event of a state change, a new block has been computed, appended, signed and distributed before the second input is made. An unnoticed state change is therefore not possible.

In step 14 in Fig. 3, the operation is executed if the state has not changed between the first and the second input. In step 14, however, the operation is rejected if a state change was detected between the first and the second input. The checking steps from the prior art that were previously necessary are thus no longer required.
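The mechanism of steps 12 to 14, as an added example that is not part of the patent: a minimal proof-of-authority-signed chain of track-element states, and the two-input check that executes an operation only if no state changed between the inputs and the inputs are more than one block window apart. The PKI block signature is stood in by an HMAC under a key held only by the interlocking computer, and the element identifiers and times are constructed.

```python
# Added example, not the patent's code: a PoA-signed chain of track-element states and
# the two-input command-release check (steps 12 to 14). The PoA signature is stood in by
# an HMAC under a key held only by the interlocking computer; names/times are constructed.
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

BLOCK_WINDOW_S = 5.0   # max time the miner needs to create and distribute a block


@dataclass(frozen=True)
class Block:
    index: int
    timestamp: float   # time of the state change, stored together with the state
    element_id: str    # track element (signal, points, axle counter, ...)
    state: str         # new state of that element
    prev_hash: str
    signature: str     # authority signature (hex) over the five fields above

    def payload(self) -> bytes:
        return json.dumps([self.index, self.timestamp, self.element_id,
                           self.state, self.prev_hash]).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.payload() + self.signature.encode()).hexdigest()


class TrackStateChain:
    """Distributed database (8): one signed block per state change of a track element."""

    def __init__(self, authority_key: bytes) -> None:
        self._key = authority_key   # only the interlocking computer (miner) holds it
        self.blocks: list[Block] = []

    def append_state(self, element_id: str, state: str, timestamp: float) -> None:
        """Miner role of the interlocking computer: build, sign and append a block."""
        prev_hash = self.blocks[-1].hash() if self.blocks else "0" * 64
        unsigned = Block(len(self.blocks), timestamp, element_id, state, prev_hash, "")
        sig = hmac.new(self._key, unsigned.payload(), hashlib.sha256).hexdigest()
        self.blocks.append(replace(unsigned, signature=sig))

    def verify(self) -> bool:
        for i, block in enumerate(self.blocks):   # any node re-checks links and signatures
            expected_prev = self.blocks[i - 1].hash() if i else "0" * 64
            if block.index != i or block.prev_hash != expected_prev:
                return False
            expected_sig = hmac.new(self._key, block.payload(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected_sig, block.signature):
                return False
        return True

    def current_states(self) -> dict[str, str]:
        return {b.element_id: b.state for b in self.blocks}   # later blocks win


class CommandReleaseOperation:
    """Step 12: snapshot at the first input; steps 13 and 14: re-read and compare."""

    def __init__(self, chain: TrackStateChain) -> None:
        self.chain = chain
        self.snapshot = None

    def first_input(self, now: float) -> None:
        self.snapshot = (now, len(self.chain.blocks), self.chain.current_states())

    def second_input(self, now: float) -> tuple[bool, str]:
        assert self.snapshot is not None, "first input missing"
        t0, height0, states0 = self.snapshot
        if now - t0 <= BLOCK_WINDOW_S:   # a new block might not be distributed yet
            return False, "rejected: second input inside the block creation window"
        if not self.chain.verify():
            return False, "rejected: distributed database failed verification"
        if len(self.chain.blocks) != height0 or self.chain.current_states() != states0:
            return False, "rejected: track element state changed between the inputs"
        return True, "executed"
```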

By means of the method according to the invention, all network nodes 4 can check the respective states of the track elements 3 through their access to the blockchain.

The state information in the distributed database 8 can also be used for diagnostic purposes. For this, a diagnostic computer (not shown) can also be integrated into the data network 2.

The method according to the invention makes it possible to dispense with some checking steps that are customary today when operating the railway engineering system 1 and making operator inputs, which makes the implementation considerably simpler and less costly. As shown in Fig. 3, only a few process steps are needed for this.

Claims (5)

  1. Method for securely operating a railway engineering system (1),
    with which a state of at least one track element (3) in the railway engineering system (1) or a value which is representative of the state is stored in a distributed database (8),
    characterised in that
    with a change in the state of the track element (3), this changed state or the value of the track element (3) which is representative of the changed state is stored in the distributed database (8) in such a way that the change can be identified, wherein the operation is requested by means of at least one first input and a second input which is subsequent to the first input by at least one operator and the operation is only executed if the state stored in the distributed database (8) or the representative value of the state of the track element (3) has not changed between the first input and the second input.
  2. Method according to claim 1,
    characterised in that
    the state or the representative value of the state is stored in a blockchain.
  3. Method according to one of the preceding claims,
    characterised in that
    the state stored in the distributed database (8) or the representative value of the state can be verified by means of a proof of authority method, in particular by means of a PKI (public key infrastructure).
  4. Network node (4) of a data network (2) in a railway engineering system (1),
    having at least one storage device, wherein the network node (4) is embodied as part of a distributed database (8) in which a state of at least one track element (3) of the railway engineering system (1) or a value which is representative of the state is stored,
    characterised in that
    the network node (4) is embodied such that a changed state or a value of the track element (3) which is representative of the changed state is stored in the distributed database such that the change can be identified, and the network node (4) is embodied for operation of the railway engineering system (1) by means of at least one first input and a second input which is subsequent to the first input by at least one operator,
    wherein the operation is only executed if, by means of reading out from the distributed database, no change in the state or the representative value of the state of the track element (3) was identified between the first input and the second input.
  5. Railway engineering system (1) with at least one data network (2),
    characterised in that
    the data network (2) has at least one network node (4) according to claim 4.
Application EP20150501.3A, priority date 2019-01-23, filing date 2020-01-07: Method for securely operating a railway engineering system and network node of a data network, status Active, publication EP3686080B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
DE102019200777.5A DE102019200777A1 (en) 2019-01-23 2019-01-23 Method for the safe operation of a railway system and network nodes of a data network

Publications (3)

Publication Number Publication Date
EP3686080A1 (en) 2020-07-29
EP3686080C0 (en) 2023-08-16
EP3686080B1 (en) 2023-08-16

Family

ID=69143459

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20150501.3A Active EP3686080B1 (en) 2019-01-23 2020-01-07 Method for securely operating a railway engineering system and network node of a data network

Country Status (3)

Country Link
EP (1) EP3686080B1 (en)
DE (1) DE102019200777A1 (en)
ES (1) ES2962845T3 (en)


Also Published As

Publication number Publication date
EP3686080C0 (en) 2023-08-16
ES2962845T3 (en) 2024-03-21
DE102019200777A1 (en) 2020-07-23
EP3686080A1 (en) 2020-07-29


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase (original code: 0009012)
STAA Information on the status of an ep patent application or granted ep patent (status: the application has been published)
AK Designated contracting states (kind code of ref document: A1; designated states: AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR)
AX Request for extension of the european patent (extension state: BA ME)
STAA Information on the status of an ep patent application or granted ep patent (status: request for examination was made)
17P Request for examination filed (effective date: 20210105)
RBV Designated contracting states (corrected) (designated states: AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR)
GRAP Despatch of communication of intention to grant a patent (original code: EPIDOSNIGR1)
STAA Information on the status of an ep patent application or granted ep patent (status: grant of patent is intended)
RIC1 Information provided on ipc code assigned before grant (ipc: B61L 27/40 20220101ALI20230217BHEP; B61L 27/00 20060101ALI20230217BHEP; B61L 15/00 20060101AFI20230217BHEP)
INTG Intention to grant announced (effective date: 20230313)
GRAS Grant fee paid (original code: EPIDOSNIGR3)
GRAA (expected) grant (original code: 0009210)
STAA Information on the status of an ep patent application or granted ep patent (status: the patent has been granted)
AK Designated contracting states (kind code of ref document: B1; designated states: AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR)
REG Reference to a national code (country CH, legal event code EP; country DE, legal event code R096, ref document number 502020004685)
REG Reference to a national code (country IE, legal event code FG4D; language of EP document: German)
U01 Request for unitary effect filed (effective date: 20230828)
U07 Unitary effect registered (designated states: AT BE BG DE DK EE FI FR IT LT LU LV MT NL PT SE SI; effective date: 20230904)
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo], lapse because of failure to submit a translation of the description or to pay the fee within the prescribed time-limit: GR (effective date 20231117), IS (20231216), RS (20230816), NO (20231116), HR (20230816)
U20 Renewal fee paid [unitary effect] (year of fee payment: 5; effective date: 20240119)
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo], lapse because of failure to submit a translation of the description or to pay the fee within the prescribed time-limit: PL (effective date 20230816)
REG Reference to a national code (country ES, legal event code FG2A, ref document number 2962845, kind code T3; effective date: 20240321)
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo], lapse because of failure to submit a translation of the description or to pay the fee within the prescribed time-limit: SM, RO, CZ, SK (effective date 20230816 each)
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo] (country GB; payment date: 20240212; year of fee payment: 5)