CA2467972A1 - Method for controlling a safety-critical railroad operating process and device for carrying out said method - Google Patents
Method for controlling a safety-critical railroad operating process and device for carrying out said method Download PDFInfo
- Publication number
- CA2467972A1 CA2467972A1 CA002467972A CA2467972A CA2467972A1 CA 2467972 A1 CA2467972 A1 CA 2467972A1 CA 002467972 A CA002467972 A CA 002467972A CA 2467972 A CA2467972 A CA 2467972A CA 2467972 A1 CA2467972 A1 CA 2467972A1
- Authority
- CA
- Canada
- Prior art keywords
- computer
- reliable
- terms
- commercial
- computers
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1497—Details of time redundant execution on a single processing unit
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L21/00—Station blocking between signal boxes in one yard
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1608—Error detection by comparing the output signals of redundant hardware
- G06F11/1625—Error detection by comparing the output signals of redundant hardware in communications, e.g. transmission, interfaces
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1675—Temporal synchronisation or re-synchronisation of redundant processing components
- G06F11/1683—Temporal synchronisation or re-synchronisation of redundant processing components at instruction level
Abstract
The invention relates to a method for controlling a safety-critical railway operating process in which the programme necessary for the above is divided into a system software (V,PMS) and a software (BO) specific for railway management. External commands (K) and messages (M), which affect the control , are recorded and transmitted to commercial computers (R1,R2) in which the actual process control runs, by means of the system software running in one or several secure signalling computers (SR*), as defined by the relevant railwa y operating condition. The processing of the programme specific for railway management can occur in two channels, parallel or serially, whereby the monitoring of whether the commercial computers have reached the same result is carried out in the secure signalling computers. The output (SB) to the proce ss (BA) for control also occurs from there, so long as the secure comparison recognises that the commercial computers have provided the corresponding process result at least twice, otherwise the signalling connection to the process elements (W,S) is securely cut. The advantage of the invention is th at the same software can always be used for the secure signalling computers and the railway management software can be separately developed and checked without being linked tothe system software. Significant cost and time saving s can thus be made relative to the state of the art without affecting safety.< /SDOAB>
Description
Description Method for controlling a safety-critical railroad operating process and device for carrying out said method The invention relates to a method according to the preamble of patent claim 1, and to a device for carrying out this method according to the preamble of patent claim 12.
Railroad operating processes are processes which are safety - critical because any malfunctions which happen not to be detected in good time and whose effect on the process is not prevented, can lead to considerable damage to property and possibly also place people in danger. For this reason, hitherto, devices which are reliable in terms of signaling technology have been used for controlling such processes, the objective of said devices being to detect malfunctions both within the process to be controlled and within the process control system itself and to subsequently place the process in a safe state, or leave it in such a state.
Such control systems which are reliable in terms of signaling technology can be embodied in different technologies, for example using relay technology or electronic technology. In process control which is reliable in terms of signal technology using computers, hither to expensive special computers have been used which process the waiting/queued processing orders on two channels and continuously compare, by means of signaling technology, processing sequences for correspondence in terms of contents. Control instructions which are produced are output to the process elements of the process to be controlled only if both processing channels have each arrived at the same result; otherwise, the connection to the process is interrupted, unless there is at least one backup computer which can take over, and actually takes over, the functions of the failed computer.
The abovementioned functions of the reliable inputting and outputting of data and the comparison of data with, if appropriate, reliable shutting down of process elements are brought about by the system software of the reliable computers. In addition, the reliable computers have hitherto also contained the railroad administration-specific software for the actual process control, for example the signaling cabin operations.
The railroad administration-specific software is determined by the operating rules of the respective railroad administration and it describes, for example, the dependencies, predefined by it, of the setting and release of the routes (Signal+Draht [Signal and Wire], 77 (1985) 12, pp. 259-265). The railroad administration-specific software does not only differ from railroad administration to railroad administration but also at least partially from one piece of equipment to another in the same railroad administration. This means that the software which is to be loaded into a computer which is reliable in terms of signaling technology and runs on said computer differs from one application case to another, it being necessary to prove or make credible the freedom from faults of the loaded software by means of a safety certificate for each application case. As a result of the proliferation of the system software and of the railroad administration-specific software in each computer, this leads to complex software packets which are difficult to manage and which are time-consuming and costly to produce and to test.
The object of the present invention is to disclose a method for controlling a safety-critical railroad operating process in accordance with the preamble of WO 03/047937 - 2a - PCT/DE01/04485 patent claim 1 and whose programs, which are necessary for the reliable WO 03/04?93? - 3 - PCT/DE01/04485 process control, are less costly to produce and which makes it possible to react quickly and cost-effectively to any changed requirements of a railroad operator with respect to the process control system. The object of the invention is also to disclose a device for carrying out this method.
The invention achieves this object by means of the features of claim 1 and/or of claim 12. The basic idea of the invention consists in exporting the railroad administration-specific software from the computer or computers which are reliable in terms of signaling technology to commercial computers which process the data there at least twice in each case and test it reliably for correspondence before outputting it to the process in the computers which are reliable in terms of signaling technology. The computers which are reliable in terms of signaling technology have not only the function of performing data comparison but essentially also the function of reliably acquiring the incoming messages and commands, and transmitting them to the commercial computers as well as reliably acting on the process elements and in the event of a fault interrupting the connection to the process elements in a way which is reliable in terms of signaling technology.
Advantageous embodiments and developments of the method according to the invention and the device according to the invention are disclosed in the subclaims.
The invention is explained in more detail below with reference to the exemplary embodiment illustrated in the drawing, in which:
Figure 1 is a schematic view of the structure of the device according to the invention for WO 03/047937 - 3a - PCT/DE01/04485 controlling a safety - critical railroad operating process and Figure 2 shows the structure of a corresponding device which is embodied according to the prior art.
WO 03/047937 - 4 - PCT/DEOlj04485 Figure 2 shows a known computer SR which is reliable in terms of signaling technology, for executing a process by means of preferably identical processing programs in two independent processing channels K1, K2. The reliable computer SR stands for any desired number of computers which are reliable in terms of signaling technology; their number is determined essentially by the magnitude of the process to be controlled. The process to be controlled is a railroad operating process with which a railroad system BA is to be acted on. As representatives for the process elements of the railroad system, a railroad switch W and a signal S are indicated in the drawing. The control and the monitoring of the process elements is carried out by means of control and monitoring circuits which have been developed for that purpose, which are not explicitly illustrated in the drawing and via which control instructions SB are output by the reliable computer SR to the process elements and messages M are input into the reliable computer from said process elements.
The computer SR which is reliable in terms of signaling technology outputs the messages M transmitted to it by the process to an input and display computer EAR via a communications bus KB. Said input and display computer EAR serves, inter alia, for monitoring the railroad operating process according to representation rules defined in the respective railroad operating rules; it is preferably embodied as a computer which is process-protected in terms of signaling technology. Using the input and display computer EAR, the commands K for controlling the railroad operating process are also generated and transmitted to the computer SR which is reliable in terms of signaling technology. The inputting can be carried out here by an operator, for example a stationmaster, or else by means of an WO 03/047937 - 4a - PCT/DE01/04485 automatic system, for example for automatic points changing or the transit mode.
The messages and commands are processed in the computer which is reliable in terms of signaling technology, on two channels in accordance with the conditions and dependencies which are defined in the respective operating rules of a railroad operator. The data, addresses and control signals which are respectively present on the buses of the two processing systems are continuously compared with one another in a way which is reliable in terms of signaling technology in order to be able to detect immediately any discrepancies.
Test programs ensure that the input/output register of the reliable computer and its program memories and main memories as well as its address registers are checked within predefined minimum time periods to determine whether their memories can assume either the one state or the other. Any malfunctions are thus detected in an event-controlled or time-controlled fashion and lead to the external equipment being reliably shut down:
control instructions to railroad switches can then no longer be output and the signals go to the Stop setting.
By virtue of the fact that the conditions and dependencies which are predefined by the respective operating rules of a railroad administration and are represented in the drawing by elliptical place markers B0, are stored in the program memories of the reliable computer SR and mixed up with the system software, the software which is stored in the reliable computers in order to control the railroad operating process is individual software which is very complex and extraordinarily costly both to produce and test.
In the device according to the invention (illustrated in Figure 1) for controlling a railroad operating process there is also at least one computer SR* which is reliable in terms of signaling technology and has two processing channels Kl* and K2* which are preferably WO 03/047937 - 5a - PCT/DE01/04485 both structured and operated identically. The function of said computer SR* is, similarly to the conventional computer SR which is reliable in terms of signaling technology, to reliably acquire, and feed to the processing means, all the messages M and commands K which are fed to it. In addition, its function is to output control instructions SB, produced reliably in terms of signaling technology, to the process elements W, S of the respective railroad equipment BA and to ensure that the outputting of such control instructions is prohibited, in a way which is reliable in terms of signaling technology, in the event of a fault. The processing of the conditions and dependencies, defined by the respective railroad operating rules BO, for controlling and monitoring the railroad operating process does not take place, in contrast to the prior art, in the computer or computers SR* which is/are reliable in terms of signaling technology but rather in commercial computers R1, R2, ... Rn in which the equipment-specific data for controlling the railroad operating process is also stored; the computers R1, R2 are representative of one or more computer pairs, each computer also being able to belong to more than one pair; three computer pairs can therefore be formed from three computers. They each carry out processing orders A fed to them by the reliable computer SR*
independently of the respective other computer in accordance with the conditions and dependencies defined for the process control in the respective railroad operating rules BO. The two computers of each commercial computer pair R1, R2 transmit their working results to the computer SR* which is reliable in terms of signaling technology, the chronologically first computer R1 or R2 bringing about a waiting point with time monitoring, at which point the system waits for the working result of the other computer or computers, or in the event of the time being exceeded a fault procedure is carried out. Test mechanisms PM for the plausibility of the messages fed to the commercial WO 03/047937 - 6a - PCT/DE01/04485 computer pairs Rl, R2, and of the signatures of the outputs and memory areas produced by them are indicated schematically in Figure 1. The commands K which are fed to the reliable computer SR* via the input and display computer EAR are converted by said computer SR* into processing orders A and transferred to the commercial computers R1, R2 in the form of telegrams; they bring about the processing therein in accordance with the conditions and dependencies of the respective railroad operating rules B0.
Tn the event of program points which provide for the programs to be further processed only after a predefined waiting time being reached by the commercial computers during the processing of the railroad administration-specific software by said computers, the computer which is reliable in terms of signaling technology ensures, in response to a corresponding request by the commercial computers, synchronization of the processing programs of the commercial computers for further processing of the programs after the expiry of the waiting time. For example, after the expiry of a waiting time of several seconds a sensor message which is determined by the commercial computers will be read in and evaluated.
The processing results E which are determined by the commercial computer pair R1, R2 are fed as telegrams to the computer SR* which is reliable in terms of signaling technology, distributed there between the two processing channels K1*, K2* in a way which is reliable in terms of signaling technology and compared for correspondence in a way which is reliable in terms of signaling technology. The function block V represents in the drawing the reliable distribution of messages and the reliable comparison of the results produced by the commercial computers R1, R2, the programs which relate to the above being stored as system software in said function block V. The test mechanisms PMS of the computer which is reliable in terms of signaling technology are embodied in a way which is reliable in terms of signaling technology, in contrast to the test WO 03/047937 - 7a - PCT/DE01/04485 mechanisms PM of the commercial computers R1, R2.
The particular advantage of the device according to the invention in comparison with a corresponding device embodied according to the prior art is that only the functions of the reliable inputting and outputting and of the reliable data comparison are to be implemented in the computer which is reliable in terms of signaling technology, and this is done independently of the requirements and conditions respectively defined by the operating rules of the individual railroad administrations. In this way, not only is the system software which runs in the reliable computer or reliable computers simple and easy to manage but it is also the same for all application cases, that is to say no longer has to be produced newly from case to case and subjected to approval testing. The railroad administration-specific software which is determined by the different operating rules of the individual railroad administrations runs in the commercial computers. Its interaction with the system software of the reliable computers does not need to be tested.
Instead, all that is necessary is to comply with the specified interface between the computer which is reliable in terms of signaling technology and the commercial computer and to test the functionality of the actual railroad administration-specific software which is to be implemented in the commercial computers, i.e. to test whether certain inputs actually lead to certain outputs. This functionality testing takes place separately from the testing of the system software and is, in contrast to the prior art, no longer integrated into the system software of the reliable computers, which is itself also easier to manage than in the prior art.
The production of the railroad administration-specific software does not necessarily have to take place at the manufacturer of the computers which are reliable in WO 03/047937 - 8a - PCT/DE01/04485 terms of signaling technology, who is responsible for the safety of the processing events in terms of signaling technology. Instead, it is possible to allocate orders for the production of the programs for the commercial computers to qualified engineering offices or the like which have to reconcile the software produced by them with the respective railroad administration and, for example, an approval authority such as the Eisenbahnbundesamt (German Federal Railroad Office). This makes it possible to adapt the programs for controlling and monitoring a safety - critical railroad operating process to the respective conditions very much more quickly and economically than hitherto without having to make any compromises in terms of safety as a result.
In the exemplary embodiment illustrated above, the commercial computers Rl, R2 stand for one or more double computer systems or computer systems provided with redundant computers in whose individual computers in each case identical programs for processing the conditions and dependencies predefined by the respective railroad operating rules are to run, in which case preferably either only specific sub-functions of the operating rules are to be implemented in each case by the individual commercial computers or else only specific parts of the railroad equipment are to be acted on in each case. However, the arrangement can also be configured such that the commercial computers R1, R2 are each individual computers in which the programs, determined by the operating rules of a railroad administration, of the railroad administration-specific software are processed repeatedly, and at least twice in succession, independently of one another. The railroad administration-specific software which is necessary for this can be configured in different ways or else can be identical in terms of contents for both processing procedures.
For the transmission of the results produced by the commercial computers to the computer or computers which WO 03/047937 - 9a - PCT/DE01/04485 is/are reliable in terms of signaling technology, a data transmission which is preferably not reliable in terms of signaling technology is preferably used, during which transmission either the results which are produced on two channels either serially or in parallel are transmitted to the reliable computer or computers on two channels, or else said results are transmitted twice in succession over just one channel. A second or third redundant channel increases the availability. Any data falsifications on the transmission path from the commercial computers to the computers which are reliable in terms of signaling technology, and vice versa, can be detected in the receiving computer by a signature which is entered by the dispatching computer and which encodes the telegram contents by means of a computing rule. During the serial transmission of data to the reliable computers, the data is provided with identifiers which make it possible for the computers which are reliable in terms of signaling technology to detect whether the transmitted data is current and actually originates from different computer channels of the commercial computers and/or whether it is the result is of different processing procedures; during the transmission of data over separate buses, the computers which are reliable in terms of signaling technology can detect, from the data transmitted to them via one bus or the other, whether or not this data also actually originates from the one computer or the other of a commercial computer pair.
In an advantageous embodiment of the invention, the commercial computer or computers can be embodied as what are referred to as operating console computers, by means of which the commands from a railroad employee or from an automatic system can be output for execution to the railroad operating process and the acknowledgements of the railroad operating process can be displayed. In the operating console computers, the programs for inputting and displaying commands and messages and the programs via which the process elements are controlled WO 03/047937 - l0a - PCT/DE01/04485 in accordance with the railroad operating rules then run independently of one another. The programs for the inputting of commands and the displaying of the process events can also be combined with the programs for process control, such as are respectively predefined by the railroad operating rules.
The computer or computers which are reliable in terms of signaling technology can also be embodied as an m of n computer system in which the decision as to whether control instructions, and if so which control instructions, are to be output to the process can be taken by majority decision by at least two intact computers.
The outputting of the control instructions to the process takes place on two channels; each computer has the possibility of preventing the outputting of control instructions when processing errors are detected.
The method according to the invention and the device according to the invention can be used advantageously for all safety - critical railroad operating processes.
Such an application can be, for example, the reliable control of a railroad operation by a signal cabin or else also, for example, the reliable control of a railroad crossing, of an axle counting system or of track-mounted and vehicle-mounted equipment of a continuous automatic train control system (LZB).
Railroad operating processes are processes which are safety - critical because any malfunctions which happen not to be detected in good time and whose effect on the process is not prevented, can lead to considerable damage to property and possibly also place people in danger. For this reason, hitherto, devices which are reliable in terms of signaling technology have been used for controlling such processes, the objective of said devices being to detect malfunctions both within the process to be controlled and within the process control system itself and to subsequently place the process in a safe state, or leave it in such a state.
Such control systems which are reliable in terms of signaling technology can be embodied in different technologies, for example using relay technology or electronic technology. In process control which is reliable in terms of signal technology using computers, hither to expensive special computers have been used which process the waiting/queued processing orders on two channels and continuously compare, by means of signaling technology, processing sequences for correspondence in terms of contents. Control instructions which are produced are output to the process elements of the process to be controlled only if both processing channels have each arrived at the same result; otherwise, the connection to the process is interrupted, unless there is at least one backup computer which can take over, and actually takes over, the functions of the failed computer.
The abovementioned functions of the reliable inputting and outputting of data and the comparison of data with, if appropriate, reliable shutting down of process elements are brought about by the system software of the reliable computers. In addition, the reliable computers have hitherto also contained the railroad administration-specific software for the actual process control, for example the signaling cabin operations.
The railroad administration-specific software is determined by the operating rules of the respective railroad administration and it describes, for example, the dependencies, predefined by it, of the setting and release of the routes (Signal+Draht [Signal and Wire], 77 (1985) 12, pp. 259-265). The railroad administration-specific software does not only differ from railroad administration to railroad administration but also at least partially from one piece of equipment to another in the same railroad administration. This means that the software which is to be loaded into a computer which is reliable in terms of signaling technology and runs on said computer differs from one application case to another, it being necessary to prove or make credible the freedom from faults of the loaded software by means of a safety certificate for each application case. As a result of the proliferation of the system software and of the railroad administration-specific software in each computer, this leads to complex software packets which are difficult to manage and which are time-consuming and costly to produce and to test.
The object of the present invention is to disclose a method for controlling a safety-critical railroad operating process in accordance with the preamble of WO 03/047937 - 2a - PCT/DE01/04485 patent claim 1 and whose programs, which are necessary for the reliable WO 03/04?93? - 3 - PCT/DE01/04485 process control, are less costly to produce and which makes it possible to react quickly and cost-effectively to any changed requirements of a railroad operator with respect to the process control system. The object of the invention is also to disclose a device for carrying out this method.
The invention achieves this object by means of the features of claim 1 and/or of claim 12. The basic idea of the invention consists in exporting the railroad administration-specific software from the computer or computers which are reliable in terms of signaling technology to commercial computers which process the data there at least twice in each case and test it reliably for correspondence before outputting it to the process in the computers which are reliable in terms of signaling technology. The computers which are reliable in terms of signaling technology have not only the function of performing data comparison but essentially also the function of reliably acquiring the incoming messages and commands, and transmitting them to the commercial computers as well as reliably acting on the process elements and in the event of a fault interrupting the connection to the process elements in a way which is reliable in terms of signaling technology.
Advantageous embodiments and developments of the method according to the invention and the device according to the invention are disclosed in the subclaims.
The invention is explained in more detail below with reference to the exemplary embodiment illustrated in the drawing, in which:
Figure 1 is a schematic view of the structure of the device according to the invention for WO 03/047937 - 3a - PCT/DE01/04485 controlling a safety - critical railroad operating process and Figure 2 shows the structure of a corresponding device which is embodied according to the prior art.
WO 03/047937 - 4 - PCT/DEOlj04485 Figure 2 shows a known computer SR which is reliable in terms of signaling technology, for executing a process by means of preferably identical processing programs in two independent processing channels K1, K2. The reliable computer SR stands for any desired number of computers which are reliable in terms of signaling technology; their number is determined essentially by the magnitude of the process to be controlled. The process to be controlled is a railroad operating process with which a railroad system BA is to be acted on. As representatives for the process elements of the railroad system, a railroad switch W and a signal S are indicated in the drawing. The control and the monitoring of the process elements is carried out by means of control and monitoring circuits which have been developed for that purpose, which are not explicitly illustrated in the drawing and via which control instructions SB are output by the reliable computer SR to the process elements and messages M are input into the reliable computer from said process elements.
The computer SR which is reliable in terms of signaling technology outputs the messages M transmitted to it by the process to an input and display computer EAR via a communications bus KB. Said input and display computer EAR serves, inter alia, for monitoring the railroad operating process according to representation rules defined in the respective railroad operating rules; it is preferably embodied as a computer which is process-protected in terms of signaling technology. Using the input and display computer EAR, the commands K for controlling the railroad operating process are also generated and transmitted to the computer SR which is reliable in terms of signaling technology. The inputting can be carried out here by an operator, for example a stationmaster, or else by means of an WO 03/047937 - 4a - PCT/DE01/04485 automatic system, for example for automatic points changing or the transit mode.
The messages and commands are processed in the computer which is reliable in terms of signaling technology, on two channels in accordance with the conditions and dependencies which are defined in the respective operating rules of a railroad operator. The data, addresses and control signals which are respectively present on the buses of the two processing systems are continuously compared with one another in a way which is reliable in terms of signaling technology in order to be able to detect immediately any discrepancies.
Test programs ensure that the input/output register of the reliable computer and its program memories and main memories as well as its address registers are checked within predefined minimum time periods to determine whether their memories can assume either the one state or the other. Any malfunctions are thus detected in an event-controlled or time-controlled fashion and lead to the external equipment being reliably shut down:
control instructions to railroad switches can then no longer be output and the signals go to the Stop setting.
By virtue of the fact that the conditions and dependencies which are predefined by the respective operating rules of a railroad administration and are represented in the drawing by elliptical place markers B0, are stored in the program memories of the reliable computer SR and mixed up with the system software, the software which is stored in the reliable computers in order to control the railroad operating process is individual software which is very complex and extraordinarily costly both to produce and test.
In the device according to the invention (illustrated in Figure 1) for controlling a railroad operating process there is also at least one computer SR* which is reliable in terms of signaling technology and has two processing channels Kl* and K2* which are preferably WO 03/047937 - 5a - PCT/DE01/04485 both structured and operated identically. The function of said computer SR* is, similarly to the conventional computer SR which is reliable in terms of signaling technology, to reliably acquire, and feed to the processing means, all the messages M and commands K which are fed to it. In addition, its function is to output control instructions SB, produced reliably in terms of signaling technology, to the process elements W, S of the respective railroad equipment BA and to ensure that the outputting of such control instructions is prohibited, in a way which is reliable in terms of signaling technology, in the event of a fault. The processing of the conditions and dependencies, defined by the respective railroad operating rules BO, for controlling and monitoring the railroad operating process does not take place, in contrast to the prior art, in the computer or computers SR* which is/are reliable in terms of signaling technology but rather in commercial computers R1, R2, ... Rn in which the equipment-specific data for controlling the railroad operating process is also stored; the computers R1, R2 are representative of one or more computer pairs, each computer also being able to belong to more than one pair; three computer pairs can therefore be formed from three computers. They each carry out processing orders A fed to them by the reliable computer SR*
independently of the respective other computer in accordance with the conditions and dependencies defined for the process control in the respective railroad operating rules BO. The two computers of each commercial computer pair R1, R2 transmit their working results to the computer SR* which is reliable in terms of signaling technology, the chronologically first computer R1 or R2 bringing about a waiting point with time monitoring, at which point the system waits for the working result of the other computer or computers, or in the event of the time being exceeded a fault procedure is carried out. Test mechanisms PM for the plausibility of the messages fed to the commercial WO 03/047937 - 6a - PCT/DE01/04485 computer pairs Rl, R2, and of the signatures of the outputs and memory areas produced by them are indicated schematically in Figure 1. The commands K which are fed to the reliable computer SR* via the input and display computer EAR are converted by said computer SR* into processing orders A and transferred to the commercial computers R1, R2 in the form of telegrams; they bring about the processing therein in accordance with the conditions and dependencies of the respective railroad operating rules B0.
Tn the event of program points which provide for the programs to be further processed only after a predefined waiting time being reached by the commercial computers during the processing of the railroad administration-specific software by said computers, the computer which is reliable in terms of signaling technology ensures, in response to a corresponding request by the commercial computers, synchronization of the processing programs of the commercial computers for further processing of the programs after the expiry of the waiting time. For example, after the expiry of a waiting time of several seconds a sensor message which is determined by the commercial computers will be read in and evaluated.
The processing results E which are determined by the commercial computer pair R1, R2 are fed as telegrams to the computer SR* which is reliable in terms of signaling technology, distributed there between the two processing channels K1*, K2* in a way which is reliable in terms of signaling technology and compared for correspondence in a way which is reliable in terms of signaling technology. The function block V represents in the drawing the reliable distribution of messages and the reliable comparison of the results produced by the commercial computers R1, R2, the programs which relate to the above being stored as system software in said function block V. The test mechanisms PMS of the computer which is reliable in terms of signaling technology are embodied in a way which is reliable in terms of signaling technology, in contrast to the test WO 03/047937 - 7a - PCT/DE01/04485 mechanisms PM of the commercial computers R1, R2.
The particular advantage of the device according to the invention in comparison with a corresponding device embodied according to the prior art is that only the functions of the reliable inputting and outputting and of the reliable data comparison are to be implemented in the computer which is reliable in terms of signaling technology, and this is done independently of the requirements and conditions respectively defined by the operating rules of the individual railroad administrations. In this way, not only is the system software which runs in the reliable computer or reliable computers simple and easy to manage but it is also the same for all application cases, that is to say no longer has to be produced newly from case to case and subjected to approval testing. The railroad administration-specific software which is determined by the different operating rules of the individual railroad administrations runs in the commercial computers. Its interaction with the system software of the reliable computers does not need to be tested.
Instead, all that is necessary is to comply with the specified interface between the computer which is reliable in terms of signaling technology and the commercial computer and to test the functionality of the actual railroad administration-specific software which is to be implemented in the commercial computers, i.e. to test whether certain inputs actually lead to certain outputs. This functionality testing takes place separately from the testing of the system software and is, in contrast to the prior art, no longer integrated into the system software of the reliable computers, which is itself also easier to manage than in the prior art.
The production of the railroad administration-specific software does not necessarily have to take place at the manufacturer of the computers which are reliable in WO 03/047937 - 8a - PCT/DE01/04485 terms of signaling technology, who is responsible for the safety of the processing events in terms of signaling technology. Instead, it is possible to allocate orders for the production of the programs for the commercial computers to qualified engineering offices or the like which have to reconcile the software produced by them with the respective railroad administration and, for example, an approval authority such as the Eisenbahnbundesamt (German Federal Railroad Office). This makes it possible to adapt the programs for controlling and monitoring a safety - critical railroad operating process to the respective conditions very much more quickly and economically than hitherto without having to make any compromises in terms of safety as a result.
In the exemplary embodiment illustrated above, the commercial computers Rl, R2 stand for one or more double computer systems or computer systems provided with redundant computers in whose individual computers in each case identical programs for processing the conditions and dependencies predefined by the respective railroad operating rules are to run, in which case preferably either only specific sub-functions of the operating rules are to be implemented in each case by the individual commercial computers or else only specific parts of the railroad equipment are to be acted on in each case. However, the arrangement can also be configured such that the commercial computers R1, R2 are each individual computers in which the programs, determined by the operating rules of a railroad administration, of the railroad administration-specific software are processed repeatedly, and at least twice in succession, independently of one another. The railroad administration-specific software which is necessary for this can be configured in different ways or else can be identical in terms of contents for both processing procedures.
For the transmission of the results produced by the commercial computers to the computer or computers which WO 03/047937 - 9a - PCT/DE01/04485 is/are reliable in terms of signaling technology, a data transmission which is preferably not reliable in terms of signaling technology is preferably used, during which transmission either the results which are produced on two channels either serially or in parallel are transmitted to the reliable computer or computers on two channels, or else said results are transmitted twice in succession over just one channel. A second or third redundant channel increases the availability. Any data falsifications on the transmission path from the commercial computers to the computers which are reliable in terms of signaling technology, and vice versa, can be detected in the receiving computer by a signature which is entered by the dispatching computer and which encodes the telegram contents by means of a computing rule. During the serial transmission of data to the reliable computers, the data is provided with identifiers which make it possible for the computers which are reliable in terms of signaling technology to detect whether the transmitted data is current and actually originates from different computer channels of the commercial computers and/or whether it is the result is of different processing procedures; during the transmission of data over separate buses, the computers which are reliable in terms of signaling technology can detect, from the data transmitted to them via one bus or the other, whether or not this data also actually originates from the one computer or the other of a commercial computer pair.
In an advantageous embodiment of the invention, the commercial computer or computers can be embodied as what are referred to as operating console computers, by means of which the commands from a railroad employee or from an automatic system can be output for execution to the railroad operating process and the acknowledgements of the railroad operating process can be displayed. In the operating console computers, the programs for inputting and displaying commands and messages and the programs via which the process elements are controlled WO 03/047937 - l0a - PCT/DE01/04485 in accordance with the railroad operating rules then run independently of one another. The programs for the inputting of commands and the displaying of the process events can also be combined with the programs for process control, such as are respectively predefined by the railroad operating rules.
The computer or computers which are reliable in terms of signaling technology can also be embodied as an m of n computer system in which the decision as to whether control instructions, and if so which control instructions, are to be output to the process can be taken by majority decision by at least two intact computers.
The outputting of the control instructions to the process takes place on two channels; each computer has the possibility of preventing the outputting of control instructions when processing errors are detected.
The method according to the invention and the device according to the invention can be used advantageously for all safety - critical railroad operating processes.
Such an application can be, for example, the reliable control of a railroad operation by a signal cabin or else also, for example, the reliable control of a railroad crossing, of an axle counting system or of track-mounted and vehicle-mounted equipment of a continuous automatic train control system (LZB).
Claims (20)
1. A method for controlling a safety-critical railroad operating process using at least one computer which is reliable in terms of signaling technology and which outputs to process elements in a way which is reliable in terms of signaling technology control instructions produced reliably in terms of signaling technology from incoming commands in accordance with a set of railroad operating rules, and feeds messages originating from said process elements to a process state monitoring system and process control system, characterized in that only one system software package (V, PMS), whose programs enable the reliable computer to perform inputting/outputting which is reliable in terms of signaling technology and the data comparison which is reliable in terms of signal technology, is stored in the reliable computer (SR*), and in that the railroad administration-specific software (BO) which includes the conditions and dependencies predefined for the railroad operating process by a railroad administration by means of its set of railroad operating rules, is stored in at least one commercial computer (R1, R2) which is not reliable in terms of signaling technology, in that processing orders (A) are generated from the computer which is reliable in terms of signaling technology, from the commands (K) and the messages (M) fed to it, and are transmitted to the commercial computer or computers, in that the processing orders are processed there independently from one another, at least twice, in that the results (E) which are produced in the process and/or intermediate results are transmitted to the reliable computer and checked there for correspondence of their contents in a -12a-way which is reliable in terms of signaling technology, the reliable computer accepting only those results and/or intermediate results and outputting to the process (BA), in a way which is reliable in terms of signaling technology, only those control instructions (SB) derived therefrom, which have been made available by the commercial computer in such a way that they correspond on at least two occasions.
2. The method as claimed in claim 1, characterized in that identical or differing software is used for the at least two-fold execution of processing orders in the commercial computer.
3. The method as claimed in claim 1 or 2, characterized in that the time events which occur during the execution of the railroad administration-specific software (BO) are synchronized by the computer (SR*) which is reliable in terms of signaling technology, at the request of the commercial computers.
4. The method as claimed in one of claims 1 to 3, characterized in that the results and/or intermediate results which are determined by the commercial computer are transmitted to the reliable computer by means of communication channels which are not reliable in terms of signaling technology.
5. The method as claimed in one of claims 1 to 4, characterized in that transmission of data in telegrams is provided, and in that the telegrams have signatures added to them, from which the respective receiving computer can detect whether these telegrams have been transmitted in a non-falsified form.
6. The method as claimed in one of claims 1 to 5, characterized in that a transmission of data in telegrams is provided, and in that the telegrams have signatures added to them from which the computer which is reliable in terms of signaling technology can detect whether falsifications have occurred in the program memories and the data memories of the commercial computers, or whether the CPU of a commercial computer is no longer operating correctly.
7. The method as claimed in one of claims 1 to 6, characterized in that the processing orders are processed essentially simultaneously in at least two commercial computers (R1, R2) in each case or are processed in a chronologically serial fashion in just one single computer, and in that the results and/or intermediate results which are obtained are fed to the reliable computer in each case in pairs for the purpose of comparison.
8. The method as claimed in claim 7, characterized in that telegrams have identifiers added to them, from which the reliable computer can detect whether these telegrams have actually been produced separately.
9. The method as claimed in claim 7, characterized in that the reliable computer detects, by reference to the result messages of the commercial computers which are fed to it via different inputs, whether these telegrams originate from different computers.
10. The method as claimed in one of claims 1 to 9, characterized in that systematic errors in the operating system software (BO) of the commercial computers are prevented by using differing operating systems on the computers (R1 to Rn) involved.
11. The method as claimed in one of claims 1 to 10, characterized in that systematic errors in the hardware of the commercial computers are prevented by using differing computer components (motherboard, CPU, memory) on the computers (R1 to Rn) involved.
12. A device for carrying out a method for controlling a safety-critical railroad operating process using at least one computer which is reliable in terms of signaling technology and which outputs to process elements in a way which is reliable in terms of signaling technology control instructions produced reliably in terms of signal technology from incoming commands in accordance with a set of railroad operating rules, and feeds messages originating from said process elements to a process state monitoring system and process control system, characterized in that only a system software package whose programs enable the reliable computer to perform the inputting/outputting (K,E,M,A,SB) in a way which is reliable in terms of signaling technology and the data comparison which is reliable in terms of signaling technology is then implemented in the computer (SR*) which is reliable in terms of signaling technology, and in that at least one commercial computer (R1, R2) is provided which is not reliable in terms of signaling technology and in which the railroad administration-specific software which includes the conditions and dependencies for the control of the railroad operating process which are predefined by a railroad administration by means of its railroad operating rules (BO) is implemented, in that the -15a-reliable computer and the commercial computer are connected to a communications system (BUS) via which the reliable computer transmits processing orders (A) to the commercial computer and receives results (E) and/or intermediate results from it, the commercial computer being designed to execute each processing order independently of one another at least twice, in that the reliable computer checks the results and/or intermediate results which are transmitted to it at least in pairs in each case by the commercial computer for correspondence between their contents in a way which is reliable in terms of signaling technology and derives therefrom control instructions (SB) for process elements (W, S) as a function of the check result and causes them to be output to the process via drivers provided for this purpose.
13. The device as claimed in claim 12, characterized in that it is also the case that only programs (BO) whose functionality has been proven are installed in the commercial computer.
14. The device as claimed in claim 12 or 13, characterized in that the commercial computer executes the processing orders with identical or differing software at least twice in each case.
15. The device as claimed in one of claims 12 to 14, characterized in that at least two commercial computers which execute the same processing orders in pairs independently of one another are provided.
16. The device as claimed in one of claims 12 to 15, characterized in that, in order to process different functionalities or sub-functionalities or to control and monitor different equipment parts, in each case a plurality of commercial computers (R1, R2) are provided in single-computer or multicomputer designs.
17. The device as claimed in one of claims 12 to 16, characterized in that the at least one commercial computer is an operating console computer via which commands (K) can be input into the reliable computer and messages (M) can be displayed.
18. The device as claimed in one of claims 12 to 17, characterized in that the reliable computer is an m v n computer system.
19. The device as claimed in one of claims 12 to 18, characterized in that the reliable computer is designed to detect, from identifiers which are added to the results and/or intermediate results which are transmitted by the at least one commercial computer, whether these results and/or intermediate results originate from different processing processes.
20. The device as claimed in claim 12, characterized in that the reliable computer outputs any control instructions to the process on two channels.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/DE2001/004485 WO2003047937A1 (en) | 2001-11-22 | 2001-11-22 | Method for controlling a safety-critical railway operating process and device for carrying out said method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2467972A1 true CA2467972A1 (en) | 2003-06-12 |
Family
ID=5648319
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002467972A Abandoned CA2467972A1 (en) | 2001-11-22 | 2001-11-22 | Method for controlling a safety-critical railroad operating process and device for carrying out said method |
Country Status (8)
| Country | Link |
|---|---|
| JP (1) | JP4102306B2 (en) |
| KR (1) | KR20040063935A (en) |
| CN (1) | CN1289345C (en) |
| AU (1) | AU2002224742A1 (en) |
| CA (1) | CA2467972A1 (en) |
| HK (1) | HK1069363A1 (en) |
| MX (1) | MXPA04004840A (en) |
| WO (1) | WO2003047937A1 (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2929056B1 (en) * | 2008-03-19 | 2010-04-16 | Alstom Transport Sa | DEVICE FOR DETECTING A SECURITY THRESHOLD OF A RAIL SYSTEM |
| DE102012211273A1 (en) * | 2012-06-29 | 2014-01-02 | Siemens Aktiengesellschaft | Method and arrangement for controlling a technical installation |
| DE102013218814A1 (en) | 2013-09-19 | 2015-03-19 | Siemens Aktiengesellschaft | Method for operating a safety-critical system |
| CN105822665A (en) * | 2016-06-02 | 2016-08-03 | 株洲时代新材料科技股份有限公司 | Integrated metal joint bearing in low-floor vehicle fixed hinge and assembly method thereof |
| CN112462731B (en) * | 2020-10-16 | 2022-06-24 | 北京西南交大盛阳科技股份有限公司 | Safety supervision control method, safety supervision control device, computer equipment and safety supervision system |
| EP4293957A1 (en) * | 2022-06-16 | 2023-12-20 | Siemens Mobility GmbH | Method and assembly for creating a control signal |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE3323269A1 (en) * | 1983-06-28 | 1985-01-10 | Siemens AG, 1000 Berlin und 8000 München | DEVICE FOR THE OPERATION OF A COMPUTER-CONTROLLED ACTUATOR |
| ATE110477T1 (en) * | 1990-08-14 | 1994-09-15 | Siemens Ag | HIGH SECURITY MULTIPLE COMPUTER SYSTEM WITH THREE COMPUTERS. |
| DE4107639A1 (en) * | 1991-03-09 | 1992-09-10 | Standard Elektrik Lorenz Ag | DEVICE FOR SIGNAL-SAFE REMOTE CONTROL OF A SUBSTATION IN A RAILWAY SYSTEM |
-
2001
- 2001-11-22 AU AU2002224742A patent/AU2002224742A1/en not_active Abandoned
- 2001-11-22 MX MXPA04004840A patent/MXPA04004840A/en active IP Right Grant
- 2001-11-22 KR KR10-2004-7007825A patent/KR20040063935A/en not_active Application Discontinuation
- 2001-11-22 CA CA002467972A patent/CA2467972A1/en not_active Abandoned
- 2001-11-22 CN CNB018238238A patent/CN1289345C/en not_active Expired - Fee Related
- 2001-11-22 JP JP2003549144A patent/JP4102306B2/en not_active Expired - Fee Related
- 2001-11-22 WO PCT/DE2001/004485 patent/WO2003047937A1/en active Application Filing
-
2005
- 2005-03-09 HK HK05102045A patent/HK1069363A1/en not_active IP Right Cessation
Also Published As
| Publication number | Publication date |
|---|---|
| JP2005511386A (en) | 2005-04-28 |
| JP4102306B2 (en) | 2008-06-18 |
| MXPA04004840A (en) | 2004-08-02 |
| KR20040063935A (en) | 2004-07-14 |
| CN1289345C (en) | 2006-12-13 |
| WO2003047937A1 (en) | 2003-06-12 |
| CN1558848A (en) | 2004-12-29 |
| AU2002224742A1 (en) | 2003-06-17 |
| HK1069363A1 (en) | 2005-05-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7209811B1 (en) | System and method for controlling a safety-critical railroad operating process | |
| WO2017107665A1 (en) | Safety computer system for use in train control | |
| US11016463B2 (en) | Control and data-transfer system, gateway module, I/O module, and method for process control | |
| US4270715A (en) | Railway control signal interlocking systems | |
| US9043044B2 (en) | System and method for communicating data in a consist | |
| CA2052926A1 (en) | Control and monitoring method in an electrical automation system for a technical installation | |
| JP7206410B2 (en) | Safety systems and methods of operating safety systems | |
| CN101458304A (en) | Embedded boundary scanning technique verification platform | |
| CA2467972A1 (en) | Method for controlling a safety-critical railroad operating process and device for carrying out said method | |
| CN103516456A (en) | Method for operating network equipment, network device and network equipment | |
| US5382950A (en) | Device for implementing an interrupt distribution in a multi-computer system | |
| KR100840243B1 (en) | Fault tolerant system for ground train control system using industrial computer | |
| EP3477483B1 (en) | Methods for managing communications involving a lockstep processing system | |
| KR100945854B1 (en) | Fault detection circuit of railroad signal controller | |
| US9002480B2 (en) | Method for operation of a control network, and a control network | |
| CN115562233B (en) | Safety control device of track traffic vehicle-mounted control system | |
| CN106648998A (en) | Safety computer system based on CMC chip | |
| KR100414031B1 (en) | Multiple system processor, controller connected to multiple system processor, and multiple system processing system | |
| US6832331B1 (en) | Fault tolerant mastership system and method | |
| JP5612995B2 (en) | Input bypass type fail-safe device and program for fail-safe | |
| JP6063339B2 (en) | Train control system | |
| JPS62150948A (en) | Bus faulty part detection system | |
| JPS6398242A (en) | Series data exchanger | |
| KR100835383B1 (en) | Fault tolerance controller of double onboard equipment for railway signaling system using extra time | |
| JP2007323190A (en) | Calculation control system for performing data communication and its communication method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| FZDE | Discontinued |