CA2009790A1 - Secure transmission in remote control and supervision system - Google Patents
Secure transmission in remote control and supervision systemInfo
- Publication number
- CA2009790A1 CA2009790A1 CA 2009790 CA2009790A CA2009790A1 CA 2009790 A1 CA2009790 A1 CA 2009790A1 CA 2009790 CA2009790 CA 2009790 CA 2009790 A CA2009790 A CA 2009790A CA 2009790 A1 CA2009790 A1 CA 2009790A1
- Authority
- CA
- Canada
- Prior art keywords
- eot
- transmitting
- train device
- hot
- unique
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Landscapes
- Selective Calling Equipment (AREA)
Abstract
SECURE TRANSMISSION FOR REMOTE CONTROL
AND SUPERVISION SYSTEMS
ABSTRACT OF THE DISCLOSURE
A transmission protocol for use in transmitting commands to an end of train (EOT) device controls a train's brake system. A head of train (HOT) device, typically located in the locomotive cab, is provided with a thumbwheel switch for inputting numbers which identify the EOT
device. In the simplest implementation, the EOT
device will respond to any HOT that dials its number and it will do whatever it is told to do.
To prevent dangerous commands from being executed in error, either several repetitions of the command must be sent to the EOT device by the HOT device within a predetermined period of time before the command, or the command takes the form of a very large predefined number or a combination of the two. The next level of security requires only a minimum increase in circuit complexity. A memory is added to the EOT device and a unique ID number is assigned to the HOT device. The HOT unique ID
is communicated to the EOT device during an arming sequence, and the unique ID is imbedded in the memory of the EOT. Once armed, with the HOT unique ID stored in the memory, the EOT device will respond only to that particular HOT device.
Security is increased by replacing the unique ID of the HOT device with a "password". The password can consist of a very large (32 bits) number that has the mathematical characteristic of being the product of one unique pair of prime numbers.
AND SUPERVISION SYSTEMS
ABSTRACT OF THE DISCLOSURE
A transmission protocol for use in transmitting commands to an end of train (EOT) device controls a train's brake system. A head of train (HOT) device, typically located in the locomotive cab, is provided with a thumbwheel switch for inputting numbers which identify the EOT
device. In the simplest implementation, the EOT
device will respond to any HOT that dials its number and it will do whatever it is told to do.
To prevent dangerous commands from being executed in error, either several repetitions of the command must be sent to the EOT device by the HOT device within a predetermined period of time before the command, or the command takes the form of a very large predefined number or a combination of the two. The next level of security requires only a minimum increase in circuit complexity. A memory is added to the EOT device and a unique ID number is assigned to the HOT device. The HOT unique ID
is communicated to the EOT device during an arming sequence, and the unique ID is imbedded in the memory of the EOT. Once armed, with the HOT unique ID stored in the memory, the EOT device will respond only to that particular HOT device.
Security is increased by replacing the unique ID of the HOT device with a "password". The password can consist of a very large (32 bits) number that has the mathematical characteristic of being the product of one unique pair of prime numbers.
Description
Z(~0979~
SECURE TRANSMISSION IN REMOTE CONTROL
AND SUPERVISION SYSTEM
DESCRIPTION
BACKGROUND OF THE INVENTION
Field of the Invention The present invention generally relates to telecommunications systems and, more particularly, to a method of secure transmission in remote -control and supervision systems particularly adapted for railroad trains.
Description of the Prior Art End of train (EOT) devices are now in common use on several major railroads. These devices are typically mounted on the trailing coupler of the last car in the train and are equipped with pressure monitoring and telemetering circuitry. A
hose is connected between the train's brake pipe and the EOT device so that the air pressure of the brake pipe at the end of the train can be monitored. The monitored pressure is transmitted to a head of train (HOT) device mounted on the console in the locomotive cab. The HOT device provides the engineman with a display of brake pipe pressure at the end of the train and, in response to a command from the EOT device, signals the engineman that an emergency condition exists such as a sudden loss of air pressure or air pressure falling below a predetermined level.
.. . . . . . .
, - ' ' . ~'.; ;' ' ' ' . . . . .
: ;:
. :, ~ . : . . .
TL-88-01 2~ 0~
The current EOT transmissions are one way;
that is, the transmissions are from the end of the train to the head of the train only. It has been proposed to provide two way transmission in EOT
systems so that command and control transmissions can be made from the head of the train to the end of the train. One application for such a transmission would be for the remote control of the emergency application of brakes at the end of the train. Currently, emergency application of brakes is initiated at the locomotive and progresses along the brake pipe to the end of the train. This process can take considerable time for long trains, and if there is a restriction in the brake pipe, the brakes beyond the restriction may not be actuated. By initiating the emergency braking process at the end of the train as well as the head of the train, the process not only can be considerably shortened, but more importantly, the brakes will be applied at the end of the train even if there is a restriction along the length of the brake pipe. Thus, a fail/safe emergency operation of the brakes is provided.
U.S. Patent No. 4,641,892 to Schmid discloses an emergency brake system which enables the engineman in the locomotive cab to remotely initiate emergency braking at the end of the train or at any intermediate car of the train. Schmid merely discloses a telemetry link from the locomotive to a remote radio receiver for transmitting an emergency brake command. This system does not recognize the potential problems of such a system which may be caused by accidental or improper transmission to the receiver by a ~ransmitter other than that in the locomotive.
,~ : ' :
'' ', ' : ' ' :
.. ~ : ' TL-88-01 Z~10~790 In end of train systems, it is necessary to key receivers on a train to respond to transmitters on that particular train and not to other transmitters which may be on trains in the vicinity, whether in a train yard or on the road.
In current EOT systems, this is typically done by dialing in a number in the HOT receiver in the locomotive cab that corresponds to the transmitted identification (ID) number of the EOT unit mounted at the end of the train. This "keying" operation is important to assure the validity of data transmitted to the engineman in the locomotive, but it becomes critical when the emergency application of brakes is concerned. Further, such emergency control must be safeguarded against accidental actuation caused, for example, when an engineman in another locomotive dials in the wrong ID or even sabotage which might occur by the intentional transmission by an off-train transmitter of an emergency brake command.
U.S. Patents No. 3,273,145 to Joy et al., No.
3,380,399 to Southard et al., 3,639,755 to Wrege, No. 3,699,522 to Haner, Jr., Nos. 4,553,723 and 4,582,280 to Nicols et al., No. 4,723,737 to Mimoun, and No. 4,735,383 to Corrie all disclose various train communication systems. The Joy et al. and Mimoun systems involve no security in transmission. Southard et al. disclose a remote control and supervision system for master and slave locomotives in a train which uses addressing and multiple transmission techniques to insure the integrity of the communication link. The Wrege and Haner, Jr. systems use an addressing scheme to provide some level of security in the transmission.
The two Nichols et al. patents are both directed to ,, "
.
TL-88-01 2~0~79~
an air brake operating system which includes apparatus for verifying the establishment of a communication link by signalling through the mechanical coupling in the train. Corrie discloses a procedure for transmission and acknowledgment of vital control information.
SUMMARY OF TH~ INVENTION
It is therefore and object of the present invention to provide a transmission protocol for use in transmitting commands to an end of train (EOT) device for controlling a train's brake system.
It is another object of this invention to provide a technique for the secure transmission of control and command signals from the head of a train to the end of the train, or to intermediate positions of the train, to control various functions, including brakes, lights and the like.
It is a further object of the invention to provide a transmission protocol for the secure remote control of emergency and testing operations, particularly for the control and testing of railroad brake systems.
According to the invention, the Head of Train (HOT) device, typically located in the locomotive cab, is provided with a thumbwheel switch or similar input device for inputting numbers which identify an End of Train (EOT) device. In the simplest implementation of the invention, the EOT
device will respond to any HOT that dials its number and it will do whatever it is told to do.
To prevent dangerous commands from being executed in error, either several repetitions of the command , must be sent to the EOT device by the HOT device within 9790 a predetermined period of time before the command, or the command takes the form of a very large predefined number or a combination of the two. This is the minimum security provided by the invention but has the advantage of being simple while limiting the possibility of an erroneous e~ecution of a command.
The next level of ~ecurity provided by an alternate e~bodiment of the invention requires only a minimum increase in circuit complexity yet provides security against all except very sophisticated and knowledgeable n saboteurs n with proper equipment. In this embodiment, a memory i6 added to the EOT device and a unique ID number is ascigned to the HOT device. The HOT unique ID is communicated to the EOT device during an arming æequence, and the unique ID i 6 imbedded in the memory of the EOT. Once armed, with the Hot unique ID stored in the memory, the EOT device will respond only to that particular HOT device. It will be observed that this level of security is not mutually exclusive with the basic implementation of the invention, and the two procedures can be combined to provide an even greater level of security.
In a further embodiment of the invention, security is increased by replacing the unique ID of the HOT device with a "pa~word". The "pas6word" can consict of a very large (e.g. 32 bits) number that has the characteristic of being the product of two unique prime numbers. The choice of 32 bitC is arbitrary and could be larger or smaller. The added ~ecurity of this embodiment i8 provided 3~ by another characteristic of the "password" which is that it i~ a difficult mathematical task to derive the two unique prime sdla~ S
.: :
~ '. .:~ , ' ` ' :
TL-88-01 2(J~
numbers. The system of this embodiment works as follows: First, during the arming sequence, the unique ID ti.e.~ the "pas~wordn) iB ~ent from the HOT to the EOT which stores the ID in its memory. After that, the EOT responds only to instructions that carry either the "password" or the two unique prime numbers associated with the "password". For non-critical commands, like turning the lights on and off or other routine commands, the "password" is sent. For a critical command, the unique pair of prime numbers is sent by the HOT device. Then the EOT device multiplies these numbers and compares the product to the "password" stored in the memory.
Alternatively, the password may be any predetermined number which is transmitted by the HOT device scrambled in a predefined manner. The EOT device, using a "descrambling" algorithm, descrambles the transmitted number and compares it to the "password" stored in the memory.
BRIEP DESCRIPTION OF THE DRAWINGS
The foregoing and other objects, aspects and advantages of the invention will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawings, in which:
Figure 1 is a block diagram of an end-of-train (EOT) device;
Figure 2 is a block diagram of a head-of-train (HOT) device;
Figure 2A is a block diagram of an existing HOT device showing a retrofit to provide bidirectional communication;
: ~ : ~. , , : . :
" ~ ' ~ ' :' ,'' . ' . :
l'L-8~-01 2(~0979~
Figure 3 is a flow diagram illustrating the procedure for keying a HOT to an EOT in a first embodiment of the invention;
Figure 4A is a flow diagram illustrating the - 5 command procedure according to a first variation of the first embodiment of the invention;
: Figure 4B is a flow diagram illustrating the command procedure according to a second variation ;
of the first embodiment of the invention;
Figure 4C is a flow diagram illustrating the command procedure according to a third variation, combining the first and second variations, of the first embodiment of the invention;
Figure S is a flow diagram illustrating the arming procedure at the HO~ according to a second embodiment of the invention;
Figure 5A is a flow diagram of a modification of the process shown in Figure 5 where a two-man arming process is implemented;
Figure 6 is a flow diagram illustrating the arming procedure at the EOT according to the second .
embodiment of the invention;
Figure 6A is a flow diagram of a modification of the process shown in Figure 6 where a two-man arming process is implemented;
Figure 7 is a flow diagram illustrating the logic of the program for transmitting an emergency brake command from the HOT according to the second embodiment of the invention;
Figure 8 is a flow diagram illustrating the logic of the program for executing an emergency brake command at the EOT according to the second embodiment of the invention;
Figure 8A is a flow diagram of a modification 35 of the process shown in Figure 8 where a two-man ~, . ! . ~ ' ', ', . ' ' ' , ~ ' . ' ' . ' ., . . ' '~ ', , ' . , .
` ' . . ' ' ' '': . . . , . ' ` .
, ' ' '' '.
~' ' ' '' " ~
TL-88-01 2(1~/9 7 9~
arming process is implemented;
Figure 9 is a flow diagram illustrating the arming procedure at the HOT according to a third embodiment of the invention;
- 5 Figure 10 is a flow diagram illustrating the arming procedure at the EOT according to the third embodiment of the invention;
Figure 11 is a flow diagram illustrating the logic of the program for transmitting an emergency brake command from the HOT according to the third embodiment of the invention; and Figure 12 is a flow diagram illustrating the logic of the program for executing an emergency brake command at the EOT according to the third embodiment of the invention.
DETAILED DESCRIPTION OF A PREFERRED
EMBODIMENT OF THE INVENTION
~ eferring now to the drawings, and more particularly to Figure 1, there is shown a block diagram of an EOT device which may be used in the practice of the invention. The EOT device includes a pressure transducer 20 which monitors the pressure of the train brake pipe 21 and generates an electrical signal that is sampled and converted to a digital number. The digital number is input to a microprocessor driven circuit 22 which processes the digital number and stores the number for transmission to a HOT device. Periodically, or if the digital number changes by more than one unit, the microprocessor 22 controls a radio transceiver 24 to transmit the pressure data to the HOT device. The EOT devices currently in service comprise these three basic components, except that - . "
.. : - . : :. . :, , ~ - .- . -., - , . . .
.
TL-88-01 Z(~(~5, ~
the transceiver 24 is simply a transmitter since the communication between the EOT device and HOT
device is one way. In addition, the EQT is typically provided with a test switch 23 and a display 25 which allows pressure to be displayed on command.
As mentioned, it is desireable to transmit to the EOT from the HOT in order to remotely control various functions, including the emergency application of brakes. Therefore, the transceiver 24 not only transmits data to the HOT, it also receives commands from the HOT. The microprocessor driven circuit thus processes the commands and, in the case of an emergency brake command, generates a signal to a valve actuator 26 that drives a valve 28 connected to the brake pipe 21. ~s will be explained in more detail hereinafter, the implementation of the second and third embodiments of the invention requires the addition of a memory 29. The memory may be implemented with an EPROM
(electronically programmable read only memory) or similar device. It should be noted that the memory need not be a nonvolatile memory since the EOT is operated on battery power thereby inherently providing battery backup. In addition, the EOT may be provided with an arm enable switch 27 and an armed light 30, both of which are optional. The arm enable switch 27 would be used in the practice of certain embodiments to be described in more detail below.
Figure 2 shows in block diagram form the HOT
device, which in many respects is similar in overall ~esign to the EOT device. More particularly, the HOT device includes a microprocessor driven circuit 31 which receives .
SECURE TRANSMISSION IN REMOTE CONTROL
AND SUPERVISION SYSTEM
DESCRIPTION
BACKGROUND OF THE INVENTION
Field of the Invention The present invention generally relates to telecommunications systems and, more particularly, to a method of secure transmission in remote -control and supervision systems particularly adapted for railroad trains.
Description of the Prior Art End of train (EOT) devices are now in common use on several major railroads. These devices are typically mounted on the trailing coupler of the last car in the train and are equipped with pressure monitoring and telemetering circuitry. A
hose is connected between the train's brake pipe and the EOT device so that the air pressure of the brake pipe at the end of the train can be monitored. The monitored pressure is transmitted to a head of train (HOT) device mounted on the console in the locomotive cab. The HOT device provides the engineman with a display of brake pipe pressure at the end of the train and, in response to a command from the EOT device, signals the engineman that an emergency condition exists such as a sudden loss of air pressure or air pressure falling below a predetermined level.
.. . . . . . .
, - ' ' . ~'.; ;' ' ' ' . . . . .
: ;:
. :, ~ . : . . .
TL-88-01 2~ 0~
The current EOT transmissions are one way;
that is, the transmissions are from the end of the train to the head of the train only. It has been proposed to provide two way transmission in EOT
systems so that command and control transmissions can be made from the head of the train to the end of the train. One application for such a transmission would be for the remote control of the emergency application of brakes at the end of the train. Currently, emergency application of brakes is initiated at the locomotive and progresses along the brake pipe to the end of the train. This process can take considerable time for long trains, and if there is a restriction in the brake pipe, the brakes beyond the restriction may not be actuated. By initiating the emergency braking process at the end of the train as well as the head of the train, the process not only can be considerably shortened, but more importantly, the brakes will be applied at the end of the train even if there is a restriction along the length of the brake pipe. Thus, a fail/safe emergency operation of the brakes is provided.
U.S. Patent No. 4,641,892 to Schmid discloses an emergency brake system which enables the engineman in the locomotive cab to remotely initiate emergency braking at the end of the train or at any intermediate car of the train. Schmid merely discloses a telemetry link from the locomotive to a remote radio receiver for transmitting an emergency brake command. This system does not recognize the potential problems of such a system which may be caused by accidental or improper transmission to the receiver by a ~ransmitter other than that in the locomotive.
,~ : ' :
'' ', ' : ' ' :
.. ~ : ' TL-88-01 Z~10~790 In end of train systems, it is necessary to key receivers on a train to respond to transmitters on that particular train and not to other transmitters which may be on trains in the vicinity, whether in a train yard or on the road.
In current EOT systems, this is typically done by dialing in a number in the HOT receiver in the locomotive cab that corresponds to the transmitted identification (ID) number of the EOT unit mounted at the end of the train. This "keying" operation is important to assure the validity of data transmitted to the engineman in the locomotive, but it becomes critical when the emergency application of brakes is concerned. Further, such emergency control must be safeguarded against accidental actuation caused, for example, when an engineman in another locomotive dials in the wrong ID or even sabotage which might occur by the intentional transmission by an off-train transmitter of an emergency brake command.
U.S. Patents No. 3,273,145 to Joy et al., No.
3,380,399 to Southard et al., 3,639,755 to Wrege, No. 3,699,522 to Haner, Jr., Nos. 4,553,723 and 4,582,280 to Nicols et al., No. 4,723,737 to Mimoun, and No. 4,735,383 to Corrie all disclose various train communication systems. The Joy et al. and Mimoun systems involve no security in transmission. Southard et al. disclose a remote control and supervision system for master and slave locomotives in a train which uses addressing and multiple transmission techniques to insure the integrity of the communication link. The Wrege and Haner, Jr. systems use an addressing scheme to provide some level of security in the transmission.
The two Nichols et al. patents are both directed to ,, "
.
TL-88-01 2~0~79~
an air brake operating system which includes apparatus for verifying the establishment of a communication link by signalling through the mechanical coupling in the train. Corrie discloses a procedure for transmission and acknowledgment of vital control information.
SUMMARY OF TH~ INVENTION
It is therefore and object of the present invention to provide a transmission protocol for use in transmitting commands to an end of train (EOT) device for controlling a train's brake system.
It is another object of this invention to provide a technique for the secure transmission of control and command signals from the head of a train to the end of the train, or to intermediate positions of the train, to control various functions, including brakes, lights and the like.
It is a further object of the invention to provide a transmission protocol for the secure remote control of emergency and testing operations, particularly for the control and testing of railroad brake systems.
According to the invention, the Head of Train (HOT) device, typically located in the locomotive cab, is provided with a thumbwheel switch or similar input device for inputting numbers which identify an End of Train (EOT) device. In the simplest implementation of the invention, the EOT
device will respond to any HOT that dials its number and it will do whatever it is told to do.
To prevent dangerous commands from being executed in error, either several repetitions of the command , must be sent to the EOT device by the HOT device within 9790 a predetermined period of time before the command, or the command takes the form of a very large predefined number or a combination of the two. This is the minimum security provided by the invention but has the advantage of being simple while limiting the possibility of an erroneous e~ecution of a command.
The next level of ~ecurity provided by an alternate e~bodiment of the invention requires only a minimum increase in circuit complexity yet provides security against all except very sophisticated and knowledgeable n saboteurs n with proper equipment. In this embodiment, a memory i6 added to the EOT device and a unique ID number is ascigned to the HOT device. The HOT unique ID is communicated to the EOT device during an arming æequence, and the unique ID i 6 imbedded in the memory of the EOT. Once armed, with the Hot unique ID stored in the memory, the EOT device will respond only to that particular HOT device. It will be observed that this level of security is not mutually exclusive with the basic implementation of the invention, and the two procedures can be combined to provide an even greater level of security.
In a further embodiment of the invention, security is increased by replacing the unique ID of the HOT device with a "pa~word". The "pas6word" can consict of a very large (e.g. 32 bits) number that has the characteristic of being the product of two unique prime numbers. The choice of 32 bitC is arbitrary and could be larger or smaller. The added ~ecurity of this embodiment i8 provided 3~ by another characteristic of the "password" which is that it i~ a difficult mathematical task to derive the two unique prime sdla~ S
.: :
~ '. .:~ , ' ` ' :
TL-88-01 2(J~
numbers. The system of this embodiment works as follows: First, during the arming sequence, the unique ID ti.e.~ the "pas~wordn) iB ~ent from the HOT to the EOT which stores the ID in its memory. After that, the EOT responds only to instructions that carry either the "password" or the two unique prime numbers associated with the "password". For non-critical commands, like turning the lights on and off or other routine commands, the "password" is sent. For a critical command, the unique pair of prime numbers is sent by the HOT device. Then the EOT device multiplies these numbers and compares the product to the "password" stored in the memory.
Alternatively, the password may be any predetermined number which is transmitted by the HOT device scrambled in a predefined manner. The EOT device, using a "descrambling" algorithm, descrambles the transmitted number and compares it to the "password" stored in the memory.
BRIEP DESCRIPTION OF THE DRAWINGS
The foregoing and other objects, aspects and advantages of the invention will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawings, in which:
Figure 1 is a block diagram of an end-of-train (EOT) device;
Figure 2 is a block diagram of a head-of-train (HOT) device;
Figure 2A is a block diagram of an existing HOT device showing a retrofit to provide bidirectional communication;
: ~ : ~. , , : . :
" ~ ' ~ ' :' ,'' . ' . :
l'L-8~-01 2(~0979~
Figure 3 is a flow diagram illustrating the procedure for keying a HOT to an EOT in a first embodiment of the invention;
Figure 4A is a flow diagram illustrating the - 5 command procedure according to a first variation of the first embodiment of the invention;
: Figure 4B is a flow diagram illustrating the command procedure according to a second variation ;
of the first embodiment of the invention;
Figure 4C is a flow diagram illustrating the command procedure according to a third variation, combining the first and second variations, of the first embodiment of the invention;
Figure S is a flow diagram illustrating the arming procedure at the HO~ according to a second embodiment of the invention;
Figure 5A is a flow diagram of a modification of the process shown in Figure 5 where a two-man arming process is implemented;
Figure 6 is a flow diagram illustrating the arming procedure at the EOT according to the second .
embodiment of the invention;
Figure 6A is a flow diagram of a modification of the process shown in Figure 6 where a two-man arming process is implemented;
Figure 7 is a flow diagram illustrating the logic of the program for transmitting an emergency brake command from the HOT according to the second embodiment of the invention;
Figure 8 is a flow diagram illustrating the logic of the program for executing an emergency brake command at the EOT according to the second embodiment of the invention;
Figure 8A is a flow diagram of a modification 35 of the process shown in Figure 8 where a two-man ~, . ! . ~ ' ', ', . ' ' ' , ~ ' . ' ' . ' ., . . ' '~ ', , ' . , .
` ' . . ' ' ' '': . . . , . ' ` .
, ' ' '' '.
~' ' ' '' " ~
TL-88-01 2(1~/9 7 9~
arming process is implemented;
Figure 9 is a flow diagram illustrating the arming procedure at the HOT according to a third embodiment of the invention;
- 5 Figure 10 is a flow diagram illustrating the arming procedure at the EOT according to the third embodiment of the invention;
Figure 11 is a flow diagram illustrating the logic of the program for transmitting an emergency brake command from the HOT according to the third embodiment of the invention; and Figure 12 is a flow diagram illustrating the logic of the program for executing an emergency brake command at the EOT according to the third embodiment of the invention.
DETAILED DESCRIPTION OF A PREFERRED
EMBODIMENT OF THE INVENTION
~ eferring now to the drawings, and more particularly to Figure 1, there is shown a block diagram of an EOT device which may be used in the practice of the invention. The EOT device includes a pressure transducer 20 which monitors the pressure of the train brake pipe 21 and generates an electrical signal that is sampled and converted to a digital number. The digital number is input to a microprocessor driven circuit 22 which processes the digital number and stores the number for transmission to a HOT device. Periodically, or if the digital number changes by more than one unit, the microprocessor 22 controls a radio transceiver 24 to transmit the pressure data to the HOT device. The EOT devices currently in service comprise these three basic components, except that - . "
.. : - . : :. . :, , ~ - .- . -., - , . . .
.
TL-88-01 Z(~(~5, ~
the transceiver 24 is simply a transmitter since the communication between the EOT device and HOT
device is one way. In addition, the EQT is typically provided with a test switch 23 and a display 25 which allows pressure to be displayed on command.
As mentioned, it is desireable to transmit to the EOT from the HOT in order to remotely control various functions, including the emergency application of brakes. Therefore, the transceiver 24 not only transmits data to the HOT, it also receives commands from the HOT. The microprocessor driven circuit thus processes the commands and, in the case of an emergency brake command, generates a signal to a valve actuator 26 that drives a valve 28 connected to the brake pipe 21. ~s will be explained in more detail hereinafter, the implementation of the second and third embodiments of the invention requires the addition of a memory 29. The memory may be implemented with an EPROM
(electronically programmable read only memory) or similar device. It should be noted that the memory need not be a nonvolatile memory since the EOT is operated on battery power thereby inherently providing battery backup. In addition, the EOT may be provided with an arm enable switch 27 and an armed light 30, both of which are optional. The arm enable switch 27 would be used in the practice of certain embodiments to be described in more detail below.
Figure 2 shows in block diagram form the HOT
device, which in many respects is similar in overall ~esign to the EOT device. More particularly, the HOT device includes a microprocessor driven circuit 31 which receives .
2~10~7~
input8 from a thumbwheel dial switch 32, an emergency brake switch 33 and other command or function switches 34. The microprocessor driven circuit 31 is provided with an EPROM 3S, similar to EPROM 29. The microprocessor driven circuit 31 tran~mits commands to and receives data from the EOT via a transceiver 36. Data received from the EOT device and other information useful to the engineman i6 displayed on a suitable di~play device 38 such as a CRT (cathode ray tube), LED (light emitting display), LCD (liquid crystal display) or other such display device.
Similar to the EOT device, the HOT device may be optionally provided with an arm switch 37.
Figure 2A shows a conventional HOT device with a retrofit to provide the function~ of the HOT device shown in Figure 2. In Figure 2A, like reference numerals de6ignate identical or similar components as shown in Figure 2. More specifically, the HOT device is illustrated in the figure above the dotted line and the retrofit component , below the dotted line. The HOT device is already equipped with a microprocessor driven circuit 31a and in the retrofit, this is supplemented by a logic unit 31b. The HOT device is also equipped with an RF receiver 36a. The tran~mit function is accomplished by the addition of a transmitter 36b coupled to the antenna by a transmit/receive 36c.
In operation, the microprocessor driven circuit 31a initiates a test by simply outputting a "test" command logic unit 3~b, When the EOT receives a "te~t" transmis~ion, it responds with an acknowledge transmission. When the micro-proce6sor 31a receives this acknowledge transmission from the EOT, it knows the ~ystem i6 operational. Otherwise, the logic unit 31b repetitively performs the dedicated functions described below under the control of the crystal oscillator 39.
In the first embodiment of the invention, the sd/ss 10 - . . .
.:
- : : .
,, ~ . , .
TL~88-01 11 2~
arming procedure at the HOT, as illustrated in Figure 3, is very simple. Basically, all that may be done is to read the dialed number of the EOT
device at function block 40. This number is entered by the engineman using the thumbwheel dial switch 32~ In order to do this, the engineman must know the number of the EOT that has been installed at the end of his train by railroad personnel.
This is normally communicated to the engineman via voice radio. This procedure is no different than that already in use.
For additional security, the arming procedure can be done in a manner that requires the coordinated action by two individuals. The purpose of this procedure is to discourage or prevent malicious and/or erroneous arming by the engineman at the HOT. For example, if the engineman were to accidentally dial in the wrong EOT number at the HOT and if the EOT having that number were within radio range, the wrong EOT would be erroneously armed.
In this two-man procedure, the EOT with the arm enable switch 27 shown in Figure 1 and the HOT
is provided with arm switch 37 shown in Figures 2 or 2A. The EOT can only be armed for a period of time, say ten seconds, after its arm enable switch 27 is pressed. The engineman then must press the arm switch 37 on the HOT within this ten second time period. This two-man arming procedure may be used in any of several embodiments to be described or, alternatively, the arming procedure can be carried out by the engineman alone.
Although the arming procedure may be conventional, the command procedure initiated at the HOT is entirely new. The first variation is .. . .
, ' , . . .
.: .
TL-88-01 12 2(~09~90 shown in Figure 4A. In decision block ~2, at test is made to determine if the engineman has actuated switch 34, shown in Figures 2 or 2A. If not, the program loops waiting for an input from emergency brake switch 34. When an input is received from switch 34, the HOT transmits the emergency brake command together with the EOT number a predetermined number of times, as indicated in function block 44. At the EOT, the command execution procedure, as shown in Figure 4A, monitors received transmissions for the EOT number in decision block 46, and when the EOT number for that particular EOT device is detected, the decoded transmission is checked in decision block 48 to determine if it includes the emergency brake command. Here it should be mentioned that it is quite possible that other commands, such as operating lights and the like, could be implemented. But for purposes of this description, we are only concerned with the emergency brake command. If the emergency brake command is detected, then in function block 50 the number of times the command is detected is counted. A test is made in decision block 52 to determine if a predetermined period of time has passed after beginning the count of emergency brake commands.
If so, the count is reset and the process exits in function block 54. Otherwise, a test in made in decision block 56 to determine if the count equals a predetermined number. Note that this number may be a number less than the predetermined number of times the command is transmitted by the ~OT device but in any case should be a sufficiently large number to insure reliable reception of the command.
If the count equals the predetermined number, the .~
, TL-88-01 2(3~979~
brakes are applied in function block 57; otherwise, the program loops back to decision block 52 to again test the timeout period.
In a second variation of the first embodiment, the command procedure at the HOT is illustrated in Figure 4B as simply transmitting the emergency brake command with the EOT number and some predefined number, at function block 58. This predefined number may be built into the EOT device and read from a table in the HOT device or, as will be described in more detail with respect to the second and third embodiments, it may be loaded into memory in the EOT device during the arming procedure. The command execution procedure at the EOT, as illustrated in Figure 4B, first tests a received transmission to determine if the EOT
number for that particular EOT device has been received, as indicated in decision block 60. When the EOT number is detected, a test is then made in decision block 62 to determine if an emergency brake command ha~ been decoded. If so, a further test i8 made in decision block 64 for the predetermined number. If the number is not detected, then the process exists without applying the brakes, but if the number is detected, the emergency brake procedure is initiated in function block 65.
The third variation of this first procedure is illustrated in Figure 4C and comprises a combination of the first and second variations to further improve the security of the procedure.
When an input is received from switch 34, the HOT
transmits the emergency brake command together with the EOT number and the predefined number a predetermined number of times, as indicated in - : ~ , . , :. ' ` . ' .
. .
TL-88-01 2~3~
function block 66. At the EOT, the command execution procedure, as shown in Figure 4C, monitors received transmissions for the EOT number in decision block 67, and when the EOT number for that particular EOT device is detected, the decoded transmission is checked in decision block 68 to determine if it includes the emergency brake command. If the emergency brake command is detected, a test is made in decision block 69 for the predefined number. If the predefined number is not detected, the process exits. However, if the predefined large number is detected, then in function block 70 the number of times the command is detected is counted. A test is made in decision block 72 to determine if a predetermined period of time has passed after beginnins the count of emergency brake commands. If so, the count is reset and the process exits in function block 74.
Otherwise, a test in made in decision block 76 to determine if the count equals a predetermined number. If the count equals the predetermined number, the brakes are applied in function block 77; otherwise, the program loops back to decision block 72 to ayain test the timeout period.
In the second embodiment of the invention, the arming procedure is an active procedure. At the HOT device, the dialed number of the EOT is read at function block 80 as before, but in addition, the HOT transmits the EOT number with a uni~ue ID
number of the HOT device to the EOT, as indicated in function block 82 in Figure 5. At the EOT, the procedure is shown in Figure 6 as first testing for the EOT number in decision block 84. When the EOT
number for that particular EOT device is detected, a check is made in decision block 86 to determine , TL-88-01 zn~7~
if the EOT is already armed. If it is, control goes to other processes supported by the EOT.
However, if it is not yet armed, then a test is made in decision block 87 for the unique HOT ID
number. When the HOT ID number is detected, then it is stored in memory in function block 88, and the process exits. Once armed, the EOT will respond only to the HOT which transmits both its EOT number and the unique ID number of the HOT.
As mentioned, the memory may be implemented as an EPROM so that the EOT can be reset by clearing the address space in the EPROM for the HOT ID
number and resetting a flag indicating that the EOT
has been disarmed. This would typically be done by maintenance personnel in the yard prior to installing the EOT on a train. In certain EOT
devices, access to the reset switch is only by partial disassembly of the device; that is, by separating the transceiver electronics package from a battery module. Such partial disassembly can not be done while the EOT is mounted on a coupler.
As previously mentioned, the arming procedure may be a two-man operation requiring the cooperation of railroad personnel at the end of the train. In this case, the EOT and HOT are provided with arm enable switch 27 (shown in Figure 1) and arm switch 37 (shown in Figures 2 and 2A), respectively. In this case, the arming procedure shown in Figures 5 and 6 may be modified as shown in Figures 5A and 6A. At the HOT, reading the dialed number of the EOT may be dispensed with and instead the arm switch 27 on the HOT is monitored, as indicated by decision block 81. When the arm switch 27 is pressed, the arm command is transmitted with a unique HOT number to the EOT at ; . .
-': ' , .
TL-88-nl 2(~0S790 function block 82a. In Figure 6A, the EOT detects the arm command in decision block 83 and then determines in decision block 85 whether the arm command has been received within the time period allowed for arming; e.g. ten seconds. If not, the process exits; otherwise, a test is made in decision block 86 to determine if the EOT is already armed. If it is, the process exits;
otherwise~ the test is made in decision block 87 to determine if the a unique HOT number has been received. If not, the process exits without arming the EOT, but otherwise, the unique HOT number is stored in memory in function block 88. Thereafter, the unique HOT number is used as a password for controlling operation of functions at the EOT.
The command procedure at the HOT as illustrated in Figure 7 first tests for an input from switch 34 in decision block 90. When an input from switch 34 is detected, the HOT transmits the emergency brake command together with the EOT
number and the unique HOT ID number at function block 92. In the case where the two man arming procedure is implemented, it is not necessary to transmit the EOT number.
At the EOT, the procedure as illustrated in Pigure 8 is to first test for the EOT number of that particular EOT device, as indicated in decision block 94. When that number is detected, a test is then made in decision block 96 for the unique HOT ID number. If the unique HOT ID number is not detected, control passes to other processes supported by the EOT that may not require the HOT
ID. If the HOT ID number is detected, then a test is made in decision block 98 to determine if the emergency brake command has been decoded. If not, .
.
2~309790 the process exits; otherwise, the emergency brake operation is initiated in function block 99.
Alternatively, when the two-man arming process is employed, the process shown in Figure 8A may be employed. In this case, it is not necessary to transmit the EOT number. Instead, a test is made in decision block 96 for the unique HOT number.
When that number is detected, a test is made in decision block 98 for the emergency brake command.
If the emergency brake command is not detected, control passes to other processes. If, however, the emergency brake command is detected, the brake process is initiated in function block 99.
It will be observed that the process described with respect to Figures 5 to 8A inclusive represent a variation of the procedure described with respect to Figure 4B. As i~ the Figure 4B procedure, this procedure could be combined with the procedure illustrated in Figure 4A wherein the command is transmitted a predetermined number of times before the emergency brake operation i~ initiated.
Turning now to Figure 9, the arming procedure for the third embodiment is illustrated. At the HOT device, the dialed number of the EOT is read at function block 100 as before, but in addition, the ~OT transmits the EOT number with a number which is the product of two prime numbers, as indicated in function block 102. This number is the "password".
At the EOT, the procedure is shown in Figure 10 as first testing for the EOT number in decision block 104. When the EOT number for that particular EOT
device is ~etected, a check is made in decision block 106 to determine if the EOT is already armed.
If it is, control goes to other processes supported by the EOT. ~owever, if it is not yet armed, then -~, `' ~ .
TL-88-01 Z~0~7~
a test is made in decision block 107 to determine if a "password" has been received.
Note here again that the arming procedure can be a two-man operation as previously described. In that case, it would be necessary for the arm switch 37 on the HOT be pressed within a predetermined time period after the arm enable switch 27 on the EOT is pressed before the process could proceed to decision block 107. Failure to press the arm switch 37 within the predetermined time period will result in the process exiting without arming the EOT. Assuming, however, that the process continues, then when the password is received, then it is stored in memory in function block 108, and the process exits.
Once armed, the EOT will respond only to the HOT which transmits both its EOT number and either the password or the two prime numbers. The password i8 effective for ordinary commands, while the two prime numbers is required for the emergency brake command. The command procedure at the HOT as illustrated in Figure 11 first tests for an input from switch 34 in decision block 110. When an input from switch 34 is detected, the HOT transmits the emergency brake command together with the EOT
number and the two prime numbers at function block 112. This is the process for critical commands, such as emergency application of the brakes. For non-critical commands, an alternative process is to transmit the "password", i.e., the product of the two prime numbers, rather than the two prime numbers.
At the EOT, the procedure as illustrated in Figure 12 is to first test for the EOT number of that particular EOT device, as indicated in . :: . .: . . : : . . : . : - .: :. . - . .: . . , :.:: :-: .: :. : . :: .: . .
TL-8~-01 2()CJ~790 decision block 114. When that number is detected, a test is then made in decision block 115 to determine if the two prime numbers have been received. If the two prime numbers are not detected, a test is made in decision block 116 to determine if the "password" is detected. If so, control passes to other processes supported by the EOT that may not require the security afforded by the invention for critical commands. Note that by using the "password", a certain level of security is still provided for non-critical commands. If neither of the two prime numbers or the password are detected, the control returns to monitoring for the EOT number.
If the two prime numbers are detected, then they are multiplied in function block 117, and a test is made in decision block 118 to determine if the product equals the number stored in memory. If not, the process exists; otherwise, a test is made in decision block 119 to determine if the emergency brake command has been decoded. If not, the process exits: o~herwi~e, the emergency brake operation is initiated in function block 120.
Again, the process described with respect to Figures 9 to 12 inclusive may be considered a further refinement on the process disclosed in Figure 4B. Therefore, this process could also be combined with the process shown in Figure 4A to further increase the security of the system.
As was previously mentioned, the EOT may be disarmed by maintenance personnel by resetting the EPROM memory which stores the predefined number or "password" and/or the EOT number. Vigarming can be done by ~imply disconnecting the EOT battery power~
.. ~ .... . ............ - -- .: ~. : .. . .
'- ' ~ ,,.
TL-88-01 ~ 0 9 7 9V
:
Alternatively, disarming can also be accomplished by a command sent by the HOT which armed the EOT.
While the invention has been described in terms of a specific preferred embodiment, those skilled in the art will recognize that the invention may be practiced with modification within the spirit and scope of the appended claims.
' ' :, , - .
.
, ~ ' ' , ' . :. ' , .
input8 from a thumbwheel dial switch 32, an emergency brake switch 33 and other command or function switches 34. The microprocessor driven circuit 31 is provided with an EPROM 3S, similar to EPROM 29. The microprocessor driven circuit 31 tran~mits commands to and receives data from the EOT via a transceiver 36. Data received from the EOT device and other information useful to the engineman i6 displayed on a suitable di~play device 38 such as a CRT (cathode ray tube), LED (light emitting display), LCD (liquid crystal display) or other such display device.
Similar to the EOT device, the HOT device may be optionally provided with an arm switch 37.
Figure 2A shows a conventional HOT device with a retrofit to provide the function~ of the HOT device shown in Figure 2. In Figure 2A, like reference numerals de6ignate identical or similar components as shown in Figure 2. More specifically, the HOT device is illustrated in the figure above the dotted line and the retrofit component , below the dotted line. The HOT device is already equipped with a microprocessor driven circuit 31a and in the retrofit, this is supplemented by a logic unit 31b. The HOT device is also equipped with an RF receiver 36a. The tran~mit function is accomplished by the addition of a transmitter 36b coupled to the antenna by a transmit/receive 36c.
In operation, the microprocessor driven circuit 31a initiates a test by simply outputting a "test" command logic unit 3~b, When the EOT receives a "te~t" transmis~ion, it responds with an acknowledge transmission. When the micro-proce6sor 31a receives this acknowledge transmission from the EOT, it knows the ~ystem i6 operational. Otherwise, the logic unit 31b repetitively performs the dedicated functions described below under the control of the crystal oscillator 39.
In the first embodiment of the invention, the sd/ss 10 - . . .
.:
- : : .
,, ~ . , .
TL~88-01 11 2~
arming procedure at the HOT, as illustrated in Figure 3, is very simple. Basically, all that may be done is to read the dialed number of the EOT
device at function block 40. This number is entered by the engineman using the thumbwheel dial switch 32~ In order to do this, the engineman must know the number of the EOT that has been installed at the end of his train by railroad personnel.
This is normally communicated to the engineman via voice radio. This procedure is no different than that already in use.
For additional security, the arming procedure can be done in a manner that requires the coordinated action by two individuals. The purpose of this procedure is to discourage or prevent malicious and/or erroneous arming by the engineman at the HOT. For example, if the engineman were to accidentally dial in the wrong EOT number at the HOT and if the EOT having that number were within radio range, the wrong EOT would be erroneously armed.
In this two-man procedure, the EOT with the arm enable switch 27 shown in Figure 1 and the HOT
is provided with arm switch 37 shown in Figures 2 or 2A. The EOT can only be armed for a period of time, say ten seconds, after its arm enable switch 27 is pressed. The engineman then must press the arm switch 37 on the HOT within this ten second time period. This two-man arming procedure may be used in any of several embodiments to be described or, alternatively, the arming procedure can be carried out by the engineman alone.
Although the arming procedure may be conventional, the command procedure initiated at the HOT is entirely new. The first variation is .. . .
, ' , . . .
.: .
TL-88-01 12 2(~09~90 shown in Figure 4A. In decision block ~2, at test is made to determine if the engineman has actuated switch 34, shown in Figures 2 or 2A. If not, the program loops waiting for an input from emergency brake switch 34. When an input is received from switch 34, the HOT transmits the emergency brake command together with the EOT number a predetermined number of times, as indicated in function block 44. At the EOT, the command execution procedure, as shown in Figure 4A, monitors received transmissions for the EOT number in decision block 46, and when the EOT number for that particular EOT device is detected, the decoded transmission is checked in decision block 48 to determine if it includes the emergency brake command. Here it should be mentioned that it is quite possible that other commands, such as operating lights and the like, could be implemented. But for purposes of this description, we are only concerned with the emergency brake command. If the emergency brake command is detected, then in function block 50 the number of times the command is detected is counted. A test is made in decision block 52 to determine if a predetermined period of time has passed after beginning the count of emergency brake commands.
If so, the count is reset and the process exits in function block 54. Otherwise, a test in made in decision block 56 to determine if the count equals a predetermined number. Note that this number may be a number less than the predetermined number of times the command is transmitted by the ~OT device but in any case should be a sufficiently large number to insure reliable reception of the command.
If the count equals the predetermined number, the .~
, TL-88-01 2(3~979~
brakes are applied in function block 57; otherwise, the program loops back to decision block 52 to again test the timeout period.
In a second variation of the first embodiment, the command procedure at the HOT is illustrated in Figure 4B as simply transmitting the emergency brake command with the EOT number and some predefined number, at function block 58. This predefined number may be built into the EOT device and read from a table in the HOT device or, as will be described in more detail with respect to the second and third embodiments, it may be loaded into memory in the EOT device during the arming procedure. The command execution procedure at the EOT, as illustrated in Figure 4B, first tests a received transmission to determine if the EOT
number for that particular EOT device has been received, as indicated in decision block 60. When the EOT number is detected, a test is then made in decision block 62 to determine if an emergency brake command ha~ been decoded. If so, a further test i8 made in decision block 64 for the predetermined number. If the number is not detected, then the process exists without applying the brakes, but if the number is detected, the emergency brake procedure is initiated in function block 65.
The third variation of this first procedure is illustrated in Figure 4C and comprises a combination of the first and second variations to further improve the security of the procedure.
When an input is received from switch 34, the HOT
transmits the emergency brake command together with the EOT number and the predefined number a predetermined number of times, as indicated in - : ~ , . , :. ' ` . ' .
. .
TL-88-01 2~3~
function block 66. At the EOT, the command execution procedure, as shown in Figure 4C, monitors received transmissions for the EOT number in decision block 67, and when the EOT number for that particular EOT device is detected, the decoded transmission is checked in decision block 68 to determine if it includes the emergency brake command. If the emergency brake command is detected, a test is made in decision block 69 for the predefined number. If the predefined number is not detected, the process exits. However, if the predefined large number is detected, then in function block 70 the number of times the command is detected is counted. A test is made in decision block 72 to determine if a predetermined period of time has passed after beginnins the count of emergency brake commands. If so, the count is reset and the process exits in function block 74.
Otherwise, a test in made in decision block 76 to determine if the count equals a predetermined number. If the count equals the predetermined number, the brakes are applied in function block 77; otherwise, the program loops back to decision block 72 to ayain test the timeout period.
In the second embodiment of the invention, the arming procedure is an active procedure. At the HOT device, the dialed number of the EOT is read at function block 80 as before, but in addition, the HOT transmits the EOT number with a uni~ue ID
number of the HOT device to the EOT, as indicated in function block 82 in Figure 5. At the EOT, the procedure is shown in Figure 6 as first testing for the EOT number in decision block 84. When the EOT
number for that particular EOT device is detected, a check is made in decision block 86 to determine , TL-88-01 zn~7~
if the EOT is already armed. If it is, control goes to other processes supported by the EOT.
However, if it is not yet armed, then a test is made in decision block 87 for the unique HOT ID
number. When the HOT ID number is detected, then it is stored in memory in function block 88, and the process exits. Once armed, the EOT will respond only to the HOT which transmits both its EOT number and the unique ID number of the HOT.
As mentioned, the memory may be implemented as an EPROM so that the EOT can be reset by clearing the address space in the EPROM for the HOT ID
number and resetting a flag indicating that the EOT
has been disarmed. This would typically be done by maintenance personnel in the yard prior to installing the EOT on a train. In certain EOT
devices, access to the reset switch is only by partial disassembly of the device; that is, by separating the transceiver electronics package from a battery module. Such partial disassembly can not be done while the EOT is mounted on a coupler.
As previously mentioned, the arming procedure may be a two-man operation requiring the cooperation of railroad personnel at the end of the train. In this case, the EOT and HOT are provided with arm enable switch 27 (shown in Figure 1) and arm switch 37 (shown in Figures 2 and 2A), respectively. In this case, the arming procedure shown in Figures 5 and 6 may be modified as shown in Figures 5A and 6A. At the HOT, reading the dialed number of the EOT may be dispensed with and instead the arm switch 27 on the HOT is monitored, as indicated by decision block 81. When the arm switch 27 is pressed, the arm command is transmitted with a unique HOT number to the EOT at ; . .
-': ' , .
TL-88-nl 2(~0S790 function block 82a. In Figure 6A, the EOT detects the arm command in decision block 83 and then determines in decision block 85 whether the arm command has been received within the time period allowed for arming; e.g. ten seconds. If not, the process exits; otherwise, a test is made in decision block 86 to determine if the EOT is already armed. If it is, the process exits;
otherwise~ the test is made in decision block 87 to determine if the a unique HOT number has been received. If not, the process exits without arming the EOT, but otherwise, the unique HOT number is stored in memory in function block 88. Thereafter, the unique HOT number is used as a password for controlling operation of functions at the EOT.
The command procedure at the HOT as illustrated in Figure 7 first tests for an input from switch 34 in decision block 90. When an input from switch 34 is detected, the HOT transmits the emergency brake command together with the EOT
number and the unique HOT ID number at function block 92. In the case where the two man arming procedure is implemented, it is not necessary to transmit the EOT number.
At the EOT, the procedure as illustrated in Pigure 8 is to first test for the EOT number of that particular EOT device, as indicated in decision block 94. When that number is detected, a test is then made in decision block 96 for the unique HOT ID number. If the unique HOT ID number is not detected, control passes to other processes supported by the EOT that may not require the HOT
ID. If the HOT ID number is detected, then a test is made in decision block 98 to determine if the emergency brake command has been decoded. If not, .
.
2~309790 the process exits; otherwise, the emergency brake operation is initiated in function block 99.
Alternatively, when the two-man arming process is employed, the process shown in Figure 8A may be employed. In this case, it is not necessary to transmit the EOT number. Instead, a test is made in decision block 96 for the unique HOT number.
When that number is detected, a test is made in decision block 98 for the emergency brake command.
If the emergency brake command is not detected, control passes to other processes. If, however, the emergency brake command is detected, the brake process is initiated in function block 99.
It will be observed that the process described with respect to Figures 5 to 8A inclusive represent a variation of the procedure described with respect to Figure 4B. As i~ the Figure 4B procedure, this procedure could be combined with the procedure illustrated in Figure 4A wherein the command is transmitted a predetermined number of times before the emergency brake operation i~ initiated.
Turning now to Figure 9, the arming procedure for the third embodiment is illustrated. At the HOT device, the dialed number of the EOT is read at function block 100 as before, but in addition, the ~OT transmits the EOT number with a number which is the product of two prime numbers, as indicated in function block 102. This number is the "password".
At the EOT, the procedure is shown in Figure 10 as first testing for the EOT number in decision block 104. When the EOT number for that particular EOT
device is ~etected, a check is made in decision block 106 to determine if the EOT is already armed.
If it is, control goes to other processes supported by the EOT. ~owever, if it is not yet armed, then -~, `' ~ .
TL-88-01 Z~0~7~
a test is made in decision block 107 to determine if a "password" has been received.
Note here again that the arming procedure can be a two-man operation as previously described. In that case, it would be necessary for the arm switch 37 on the HOT be pressed within a predetermined time period after the arm enable switch 27 on the EOT is pressed before the process could proceed to decision block 107. Failure to press the arm switch 37 within the predetermined time period will result in the process exiting without arming the EOT. Assuming, however, that the process continues, then when the password is received, then it is stored in memory in function block 108, and the process exits.
Once armed, the EOT will respond only to the HOT which transmits both its EOT number and either the password or the two prime numbers. The password i8 effective for ordinary commands, while the two prime numbers is required for the emergency brake command. The command procedure at the HOT as illustrated in Figure 11 first tests for an input from switch 34 in decision block 110. When an input from switch 34 is detected, the HOT transmits the emergency brake command together with the EOT
number and the two prime numbers at function block 112. This is the process for critical commands, such as emergency application of the brakes. For non-critical commands, an alternative process is to transmit the "password", i.e., the product of the two prime numbers, rather than the two prime numbers.
At the EOT, the procedure as illustrated in Figure 12 is to first test for the EOT number of that particular EOT device, as indicated in . :: . .: . . : : . . : . : - .: :. . - . .: . . , :.:: :-: .: :. : . :: .: . .
TL-8~-01 2()CJ~790 decision block 114. When that number is detected, a test is then made in decision block 115 to determine if the two prime numbers have been received. If the two prime numbers are not detected, a test is made in decision block 116 to determine if the "password" is detected. If so, control passes to other processes supported by the EOT that may not require the security afforded by the invention for critical commands. Note that by using the "password", a certain level of security is still provided for non-critical commands. If neither of the two prime numbers or the password are detected, the control returns to monitoring for the EOT number.
If the two prime numbers are detected, then they are multiplied in function block 117, and a test is made in decision block 118 to determine if the product equals the number stored in memory. If not, the process exists; otherwise, a test is made in decision block 119 to determine if the emergency brake command has been decoded. If not, the process exits: o~herwi~e, the emergency brake operation is initiated in function block 120.
Again, the process described with respect to Figures 9 to 12 inclusive may be considered a further refinement on the process disclosed in Figure 4B. Therefore, this process could also be combined with the process shown in Figure 4A to further increase the security of the system.
As was previously mentioned, the EOT may be disarmed by maintenance personnel by resetting the EPROM memory which stores the predefined number or "password" and/or the EOT number. Vigarming can be done by ~imply disconnecting the EOT battery power~
.. ~ .... . ............ - -- .: ~. : .. . .
'- ' ~ ,,.
TL-88-01 ~ 0 9 7 9V
:
Alternatively, disarming can also be accomplished by a command sent by the HOT which armed the EOT.
While the invention has been described in terms of a specific preferred embodiment, those skilled in the art will recognize that the invention may be practiced with modification within the spirit and scope of the appended claims.
' ' :, , - .
.
, ~ ' ' , ' . :. ' , .
Claims (12)
1. A method of controlling emergency functions of brakes in 2 railroad train equipped with a head of train device and an end of train device comprising the steps of:
transmitting a command signal from said head of train device to said end of train device;
receiving said command signal at said end of train device;
confirming at said end of train device that the command signal is valid; and executing a commanded function for a valid command signal.
transmitting a command signal from said head of train device to said end of train device;
receiving said command signal at said end of train device;
confirming at said end of train device that the command signal is valid; and executing a commanded function for a valid command signal.
2. The method according to claim 1 wherein said step of transmitting includes transmitting an end of train device number with said command signal and said confirming step includes detecting said end of train device number.
3. The method according to claim 2 wherein said transmitting step is further performed by transmitting said command signal repetitiously a predetermined number of times and said confirming step is performed by counting the number of times said command signal is received within a predetermined period of time.
4. The method according to claim 2 wherein said transmitting step is further performed by transmitting said command signal with a predefined large number and said confirming step is further performed by detecting said predefined large number.
5. The method according to claim 2 wherein said transmitting step is further performed by transmitting said command signal with a predefined large number repetitiously a predetermined number of times and said confirming step is performed by detecting said predefined large number and counting the number of times said command signal is received within a predetermined period of time.
6. The method according to claim 2 further wherein said head of train device is assigned a unique identification number and said end of train device is provided with a memory, said method further comprising the step of arming said end of train device by transmitting said unique identification number from said head of train device to said end of train device and storing the unique identification number in the memory of said end of train device, and wherein said transmitting step thereafter is performed by transmitting said unique identification number as part of said command signal and said confirming step is performed by checking a received identification number with the unique identification number stored in the memory of said end of train device.
7. The method recited in claim 6 wherein said transmitting step is performed by transmitting said command signal repetitiously a predetermined number of times and said confirming step is performed by counting the number of times said command signal is received within a predetermined period of time.
8. The method recited in claim 6 wherein said unique identification number comprises a large number which is the product of two prime numbers and wherein said step of transmitting is performed by transmitting said two prime numbers to said end of train device as part of said command signal and said confirming step is performed by first multiplying said prime numbers to form a product and then comparing said product with the number stored in memory.
9. The method recited in claim 1 further comprising the step of initially arming said end of train device before transmitting a command signal.
10. The method recited in claim 9 wherein said step of initially arming is performed by the following steps:
pressing an arm enable switch on said end of train device; and within a predetermined period of time after pressing said arm enable switch, transmitting an arm signal to said end of train device.
pressing an arm enable switch on said end of train device; and within a predetermined period of time after pressing said arm enable switch, transmitting an arm signal to said end of train device.
11. The method recited in claim 9 wherein said step of initially arming is performed by the following steps:
reading a dialed number for the end of train device;
transmitting said dialed number with a unique number to said end of train device; and storing the unique number in memory in said end of train device.
reading a dialed number for the end of train device;
transmitting said dialed number with a unique number to said end of train device; and storing the unique number in memory in said end of train device.
12. The method recited in claim 11 wherein said unique number is a product of two prime numbers and wherein said transmitting step is performed by transmitting either said unique number or said two prime numbers as part of said command signal and said confirming step is performed by checking a received unique number with the unique number in memory in said end of train device for noncritical commands or first multiplying said prime numbers to form a product and then comparing said product with the unique number in memory for critical commands.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US31387789A | 1989-02-23 | 1989-02-23 | |
| US313,877 | 1989-02-23 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2009790A1 true CA2009790A1 (en) | 1990-08-23 |
Family
ID=23217548
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA 2009790 Abandoned CA2009790A1 (en) | 1989-02-23 | 1990-02-12 | Secure transmission in remote control and supervision system |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2009790A1 (en) |
-
1990
- 1990-02-12 CA CA 2009790 patent/CA2009790A1/en not_active Abandoned
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US5016840A (en) | Method to authorize a head of train unit to transmit emergency commands to its associated rear unit | |
| CA2315613C (en) | Dual-protocol locomotive control system and method | |
| US5507457A (en) | Train integrity detection system | |
| US4487060A (en) | Railway brake pressure monitor | |
| US5374015A (en) | Railroad telemetry and control systems | |
| US5813635A (en) | Train separation detection | |
| US5738311A (en) | Distributed power train separation detection | |
| US4553723A (en) | Railroad air brake system | |
| US6230085B1 (en) | Train detection system and a train detection method | |
| US8112189B2 (en) | Method and system for providing redundancy in railroad communication equipment | |
| US4582280A (en) | Railroad communication system | |
| EP1122146A1 (en) | Radio interference detection and screening system for locomotive control unit radios | |
| CA2314034A1 (en) | Two way field tester for eot device | |
| AU5258699A (en) | Automated in situ testing of railroad telemetry radios | |
| US4885689A (en) | Multilingual code receivers | |
| GB2580925A (en) | Train protection system | |
| US6230086B1 (en) | Railway information transmission method and system | |
| CA2009790A1 (en) | Secure transmission in remote control and supervision system | |
| JP4331382B2 (en) | Train information communication system and train information communication method | |
| US6374165B2 (en) | Railway information transmission method and system | |
| JP2786112B2 (en) | Train approach warning system | |
| KR20050051078A (en) | Twc apparatus | |
| KR101157378B1 (en) | System and method for checking data transmitting and receiving status of train | |
| JPS61262997A (en) | Alarm monitor system | |
| JPH0578463B2 (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Dead |