DE102007043053B4 - Signal-safe electronic element control for carrying out a driving operation of rail vehicles - Google Patents

Abstract

Method for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles, consisting of a signal-technically safe operating and observation level, a safety level and a process level containing the elements to be controlled as well as data transmission devices between the components of these levels, either by operator input on the operating and observation level or commands to control at least one element of the process level can be given by internal program execution in the secure computer system at the security level, the safety-related tests and algorithms for ensuring process security being performed by the secure computer system at the security level, whereas the computers or other components of the operating and observation level and the process level can meet lower security requirements, characterized in that - by the secure computer system stem of the security level, the safety-relevant control of elements of the process level is triggered if i. In the case of commands that are entered by the operator input on the operating and monitoring level, the commands are transmitted to the secure computer system on the security level using a data transmission device, checked there for plausibility and transferred back to the operating and monitoring level in a new coded form the software of the at least one computer at the operating and monitoring level checks the newly coded command of the secure computer system positively for plausibility and successfully transmits the result in the final coded form to the secure computer system at the security level, and if additionally via a separate communication path of the assigned process element for safety-relevant operations, a double or anti-valent contact and / or additionally coded digital addresses were read in and checked positively, ii. a command to control at least one element of the process level is issued by internal program execution in the secure computer system of the security level, - the control of elements of the process level is safely terminated with a corresponding error message as soon as at least one of the aforementioned plausibility checks of the commands used in at least one of the participating computer is negative.

Description

The invention relates to a method and a device for the signal-technically safe electronic control of elements that guide and secure the running of rail vehicles.

The operation of rail vehicles on technically secured routes is managed and secured centrally by a signal box responsible for the relevant infrastructure area.

The elements of the external system of the signal box, e.g. Signals, switches, level crossings, block devices, etc. must be safely controlled and monitored by the signal box logic, which means that the elements of the outdoor area are in a state with a sufficient degree of probability, even in the event of any errors in the system, which ensure the safety of the system Driving operations not endangered.

The signaling safety of actuating and monitoring devices is implemented with the help of safety-related components, with all components involved in the actuating and monitoring processes being checked accordingly.

A comparative overview of the different electronic interlocking types used by various railway administrations with regard to the computer components, system structures, security concepts and hardware and software design is described in the article "Security and Telecommunications Technology" in Signal + Draht 3, 1997. The systems in use differ among other things in terms of one or two channels, safe or non-safe operating systems, operating concept and costs.

Safe display and operation is required, especially in German ESTW.

Examples of the system architecture in German ESTW can be found in the overview articles "SIMIS D", in Signal + Draht 3, 2006 and "The Bombardier solution for a new ESTW design at DB AG", in Signal + Draht 5, 2005.

All established, primarily proprietary electronic LST concepts are based on "procedural safeguards". For example, a classic 2-out-of-3 processor system consists of commercially available electronic components, such as the Intel Pentium 1. A specific application programmed in the standard processors maps the security mechanisms. The results of the test applications are compared on hardware partitions designed from standard semiconductor components and safety shutdowns are triggered in the event of a fault.

Some of the principles of procedural security are already being used today in railway security technology.

Process safety from source to sink is implemented for safety-related operations in a signal box. The company-neutral SBS interface prescribed by DB AG defines corresponding dialogues. Corresponding procedures in the safe signal box core and in the operator station rule out a malfunction of the interface and the display in the event of safety-critical operation.

In order to meet the high security requirements for operation and display, however, it was previously necessary not only to use secure computer technology in the signal box core, but also in the areas of element control and operation / display. This means that there are safe and therefore cost-intensive components at both ends of the process, i.e. at the source and sink.

In DE 10 2005 043 305 A1 describes a system architecture for controlling and monitoring components of a railway protection system. Here, an automation platform, which comprises several modules, in particular CPU, power supply, module for safety-related signal processing, module for non-safety-related signal processing, communication module, is connected via special interfaces to safety-related and non-safety-related components of the railroad safety system. A programmable logic controller (PLC) serves as the automation platform. The predetermined software structure of the automation platform is usually arranged in a modular or hierarchical manner in such a way that the logistics of the railway protection system, in particular the signal box logistics, can be organized in function-specific software programs.

Out DE 196 06 894 C2 a device for signal-safe control and monitoring of electrical consumers in the railway industry is known, in which each consumer circuit has at least two series-connected, independently controllable, signal-technically unsafe switches for opening / closing the circuit. The two switches can be controlled by independent computer channels of a secure computer system. Each wire in the circuit contains one of the two switches. It is at least one detector provided for the detection of a test voltage derived from a feed or test current flowing through the consumer or at least indirectly connected by the consumer and dependent on the operating state of the consumer. A switch that is closed or opened at the wrong time changes the voltage significantly compared to the test voltage that occurs when the switch is in the correct position. The detector output signals are evaluated by the two computer channels of the secure computer system, and the computer system detects an untimely opening / closing of at least one of the switches from the occurrence of detector output signals not expected at that time.

Out DE 100 53 023 C1 A method for controlling a safety-critical railway operating process and a device for carrying out this method are known. In this case, at least one signal-technically safe computer is used which, from incoming commands in accordance with a railway operating order, outputs signal commands, which have been developed in a signal-technically safe manner, to process elements and feeds messages originating from there to process status monitoring and process control. In this case, only a system software is stored in the secure computer, the programs of which enable the secure computer to carry out a signal-safe input / output and signal-safe data comparison. The predetermined conditions and dependencies that are decisive for the railway operating process are stored in one or more commercial computers that are not signal-secure. The computer, which is secure in terms of signaling technology, uses the commands and messages supplied to it to generate processing orders which are transmitted to the commercial computer or computers and are processed there at least twice independently of one another. The results or interim results obtained in this process are transmitted back to the secure computer, where they are signal-technically checked for consistency.

Out Ludwig Wehner: "DAS ESTW DER BAUFORM SEL", in SIGNAL + Draht, Vol. 76, No. 5, May 1st, 1984, pages 83 to 88, XP009068645, ISSNI 0037-4997, TELZLAFF VERLAG GMBH , Darmstadt, DE, electronic interlockings (ESTW), in particular the type Standard-Elektrtk-Lorenz (SEL) emerge. A system hierarchy is shown, which comprises a controlling control level, a securing security level and an energy-switching control level, which are connected by means of transmission devices. The functions that have no safety responsibility are summarized on the control level. This is essentially a human-machine interface. Central functions of the signal box are summarized in the security level. Positioning information is determined in security modules. On the job level, information and energy are managed separately. The positioning information is transmitted to the devices on the level.

The ZSB2000 interlocking is known from the company publication of Scheidt & Bachmann GmbH, "ZSB2000 system description of control and operating system" from 28.09.206, in which a system architecture comprises a control and operating system, a signal-safe control level and a signal-safe field level. The safe levels communicate via a modem connection. Components of the control and operating level are interconnected via a second, independent modem link.

EP 1 702 827 A1 shows an operator station system with signal-safe command output according to safety level CENELEC SIL4 and signal-unsafe command display for the operation and monitoring of a SIL4 signal box. The operator station system is designed as a single channel, the channel corresponding to a computer of a multi-channel SIL4 operator station system that has several identical computers, both in terms of hardware and in terms of software.

A common disadvantage of the prior art described above is that the system architecture is still quite complex and therefore expensive; also in relation to the safe operation and display required in Germany, which has to be implemented technically.

In the established solutions, special, manufacturer-specific "control parts" ensure adaptation to the rail-specific conditions and insulation.

Long, star-shaped copper connections to the outer elements mean that the control elements must be able to withstand high dielectric strength and various cable faults. Classically, this leads to complex rail-specific special developments.

Traditionally, the desired event has so far not been evaluated in the control concepts. The signal is e.g. B. checked the lamp current and inferred whether the signal lamp shines with sufficient probability. For turnouts, one assumes a positive connection of the control rods and the bearing and transmission parts with the turnout tongues or the centerpiece and evaluates appropriate switch packages (usually in the turnout drive housing) for the feedback of the condition of the turnout. The 4-wire circuits used reduce and complicate them the number of confirmations and their safety-related plausibility checks.

It is therefore an object of the invention, using industrial standards for control and security technology in an electronic signal box, to implement the electronic control of elements which guide and secure the operation of rail vehicles, and at the same time as efficiently and inexpensively as possible to meet the high requirements with regard to safety and function in Network of the Deutsche Bahn AG.

The required safe display and operation must also be guaranteed.

This object is achieved according to the features of the preamble of claim 1.

The system architecture is based on the proven industrial level model, consisting of an operating and monitoring level, a security level and a process level.

According to the invention, a fully graphical system based on market standards represents the operating and monitoring level.

The security level is formed by a secure computer system.

The elements of the outdoor area to be controlled as well as other signaling devices such as neighboring signal boxes, block devices, level crossings, etc. are located on the process level.

The components of the different levels communicate via corresponding data transmission devices.

The safety-related tests and algorithms to ensure process security are carried out exclusively by the secure computer system at the security level, whereas the computers or other components of the operating and monitoring level and the process level can meet lower security requirements.

In terms of safety technology, the method is based on a variant of the known method security, although according to the invention the security procedures always take effect consistently at the end points (source and sink) of the actions, the intermediate and final results are, however, only checked in the safe signal box core. Thus, the process allows for all components outside of the safe signal box core, i.e. for communication as well as for the process level, cost-effective components according to industry standards that meet a lower security level.

A great advantage of the method is that the high effort for secure software design, secure programming and testing as well as secure hardware is only required at one point in the secure interlocking core.

By applying the CENELEC standards, a quantitative consideration of the malfunction of individual modules, programs and data connections is possible, so that different types of procedural security can be calculated with regard to the required SIL.

It is provided according to the invention to safely trigger commands to control elements of the process level. A distinction must be made here in which way commands are issued to the process level.

If commands are entered by the operator input on the operating and monitoring level, they are transmitted to the secure computer system in the security level using a data transmission device, and are checked there for plausibility. Plausible commands are re-encoded and transmitted back to the operating and monitoring level. The newly coded command of the secure computer system is also checked for plausibility in the at least one computer at the operating and monitoring level, and the result of the plausibility check is transmitted in final coded form to the secure computer system in the security level.

In addition, in the case of such safety-relevant manual operator inputs, it must generally be ensured via a separate communication path that operation in this form is explicitly desired. For this purpose, in particular a double or non-equivalent contact is closed and / or additionally coded digital addresses are read in and checked.

If all of these conditions are met, it can be assumed with sufficient certainty that element control from the operating and monitoring level is actually desired on the one hand, and that the command is plausible on the other hand, and that communication with the element and the correct addressing of the element at the process level are working properly . Accordingly, the command to control the element can be triggered by the secure computer.

However, as soon as at least one of the aforementioned plausibility checks of the commands used in at least one of the participating If the computer fails, the control of elements of the process level must be safely canceled with an appropriate error message.

If the commands for controlling at least one element of the process level are issued on the basis of the internal program execution in the secure computer system of the security level, the control is triggered directly by the secure computer system of the security level.

Claim 2 describes how the triggering event generated by the command triggered according to claim 1 is monitored in terms of signal technology.

After the command to control an element of the process level has been triggered by the secure computer system of the security level, it is transmitted to the appropriate element in the process level via a data transmission device. The effect of this command leads to at least one activation event, the result of which is monitored by a suitable sensor system and reported back to the secure computer system at the security level. The results of each control event must be checked several times with regard to the required logical and timely sequence. Since only a secure computer system is available in the secure interlocking core, all tests must also be carried out there. This is achieved by multiple but time-delayed tests in the only secure computer system, so that multiple dialogs are created for each result, which lead to the end result. After a positive check of all results of the control events, a successful element control is assumed in the secure computer system and this is revealed. If the checking of at least one result of the control events in at least one of the multiple dialogs results in a contradiction to the required logical and timely sequence, the secure computer system assumes faulty element control and also reveals this.

The multiple, time-delayed testing of the different events at only one point in the safe signal box core requires a powerful computer architecture. It must ensure that the time required for the tests required depending on the desired level of safety and the subsequent setting of the elements of the process level is no longer than the maximum time required by the approval authority within which the signal term "stop" must be shown (stop time) .

The tried and tested processors and communication systems available today make this possible.

According to claim 3, an advantageous embodiment of the invention is that the secure computer system of the security level consists of a modular system for industrial automation systems. This eliminates the previously required complex special developments for rail operations.

A decentralizable process level is described in claim 4, which is connected to the security level via a data network. Logically passive components are used at the process level, which convert the transferred data to digital input / output bits in a process-safe manner. Basically, the decentralized process element only converts network telegrams from the safe interlocking core into digital outputs and reports changes to the digital inputs event-controlled or on request from the safe interlocking core, also via the communication network.

Both the communication in the entire process chain and the function of the decentralized, generally non-secure elements of the process level must be checked continuously according to claim 5. In the actions initiated by the secure signal box core, this is done via dialog-oriented process security.

Mechanisms triggered and monitored by the security level must cyclically check the communication in the process chain and the function of the elements in the process level. In the event of a fault, at least the power supply to the associated process level element is safely switched off from the security level.

If necessary, the signal supply voltage is additionally separated in such a way that only the elements belonging to the signal term "Halt" are supplied with voltage in the event of a fault.

In claim 6 an apparatus is described which implements the method mentioned in claim 1.

The system architecture is based on the proven industrial level model, consisting of an operating and monitoring level, a security level and a process level.

According to the invention, a fully graphical system based on market standards represents the operating and monitoring level.

The security level is formed by a secure computer system.

The elements of the outdoor area to be controlled as well as other signaling devices such as neighboring signal boxes, block devices, level crossings, etc. are located on the process level.

The components of the different levels communicate via corresponding data transmission devices.

A secure computer system is only on the security level. It performs the safety-related tests and algorithms to ensure process security, whereas the computers or other components of the operating and monitoring level as well as the process level meet lower security requirements.

In terms of safety, the device is based on a variant of the known procedural safeguarding, the safeguarding procedures taking effect consistently at the end points (source and sink) of the actions, but the intermediate and end results are only checked in the safe signal box core. This means that all components outside the safe signal box core, i.e. both for communication and for the process level, are components according to industry standards that meet a lower security level.

The complex, safe programming and testing as well as expensive hardware is only required at one point in the safe interlocking core.

By applying the CENELEC standards, a quantitative consideration of the malfunction of individual modules, programs and data connections is possible, so that different types of procedural security can be calculated with regard to the required SIL.

According to the invention, the device reliably triggers commands to control elements of the process level. A distinction is made in which way commands are issued to the process level.

If at least one command is entered by the operator input on the operating and monitoring level, a data transmission device transmits the command to the secure computer system in the security level. The secure computer system checks the command for plausibility. Plausible commands are re-encoded and transmitted back to the operating and monitoring level. The newly coded command of the secure computer system is also checked for plausibility in the at least one computer at the operating and monitoring level, and the result of the plausibility check is transmitted in final coded form to the secure computer system in the security level. In addition, in the case of such safety-relevant manual control inputs, a separate communication path generally ensures that control in this form is explicitly desired. For this purpose, the operator must in particular make a double or non-equivalent contact and / or additionally encoded digital addresses are read in and checked. If these conditions are met, it can be assumed with sufficient certainty that element control from the operating and monitoring level is actually desired on the one hand and that the command is plausible on the other hand and communication with the element at the process level is working properly. The safe computer accordingly triggers the command to control the element.

However, as soon as at least one of the aforementioned plausibility checks of the commands used in at least one of the computers involved is negative, the secure computer system safely stops the activation of elements at the process level with a corresponding error message.

If the commands for controlling at least one element of the process level are issued due to the internal program flow in the secure computer system of the security level, the secure computer system of the security level triggers the control directly.

Claim 7 describes how the secure computer system reliably monitors the triggering event generated by the command triggered according to claim 6 in terms of signal technology.

After the command to control an element of the process level has been triggered by the secure computer system of the security level, it is transmitted to the appropriate element in the process level via a data transmission device. The effect of this command leads to at least one activation event, the result of which is monitored by a suitable sensor system and reported back to the secure computer system at the security level. The end results of the control events include, for example, the feedback from optical sensors when light signals are switched on or the use of magnetic sensors, such as industrial Beros for monitoring the mechanically correct circulation of a turnout in question.

The results of each control event must be checked several times with regard to the required logical and timely sequence become. Since only a secure computer system is available in the secure interlocking core, all tests must also be carried out there. For this reason, the software checks the results in the secure computer system several times, but with a time delay, so that multiple dialogs are created for each result, which lead to the final result.

After a positive check of all the results of the control events, the secure computer system assumes successful element control and reveals this. If the checking of at least one result of the control events reveals a contradiction to the required logical and timely sequence, the secure computer system assumes faulty element control and also reveals this.

The multiple, time-delayed testing of the different events at only one point in the safe signal box core requires a powerful computer architecture. It ensures that the time required for the tests required depending on the desired security level and the subsequent setting of the elements of the process level is no longer than the maximum time required by the approval authority within which the signal term "Halt" must be shown (stop time) .

The tried and tested processors and communication systems available today make this possible.

According to claim 8, an advantageous embodiment of the invention is that the secure computer system of the security level consists of a fail-safe programmable logic controller (PLC).

The logic implemented on the PLC is programmed according to DIN EN 61131 and can therefore be easily ported to other PLC systems.

A decentralizable process level is described in claim 9, which is connected to the security level via a LAN (Local Area Network). Standard ETs (electronic isolating strips) or small PLC systems act in a process-safe manner as logically passive converters for the data transmitted via Ethernet or another standardized data network technology, so that digital input / output bits are available behind the converters.

The process level, as a multiplier for the LST, accounts for the main cost and LCC share.

ETs are standard products in industrial automation and are offered by many companies with a similar range of services.

Thanks to neutral network addressing and comparable performance features of the manufacturers, the selected supplier can be easily replaced.

In addition, compact small PLC systems are now on the market. These can also perform ET functions. It can also be used, but requires CENELEC-compliant "code inspection".

According to the invention, standard components are placed close to the target object through consistent decentralization and controlled by the secure signal box core via LAN connections (copper cable or fiber optic cable). This results in very short cable lengths and protected cable routes within the outdoor area. Thus, significantly lower induced voltages for safety and protection considerations on the cables can be assumed.

Both the communication in the entire process chain and the function of the decentralized, generally not secure elements of the process level must be checked continuously according to claim 10.

For this purpose, watchdogs triggered and monitored by the security level cyclically check the communication in the process chain and the function of the elements in the process level. In the event of a fault, the fuse level safely switches off at least the power supply to the associated element of the process level. If necessary, the signal supply voltage is additionally separated in such a way that only the elements belonging to the signal term "Halt" are supplied with voltage in the event of a fault.

The invention is explained in more detail below with reference to a drawing with two figures and an example in an advantageous embodiment.

• 1: die Darstellung der dialogorientierten Sicherungskette zwischen sicherem Stellwerkskern und Prozessebene, inkl. Watchdog,
• 2: die Prinzipschaltung des Prozesselements „Signal“ mit Ethernet-Schnittstelle, Elektronischer Trennleiste, Stromversorgung und Überwachung des Lichtstroms mit einem optischen Sensor.

The drawing shows in

• 1 : the representation of the dialog-oriented security chain between the safe signal box core and the process level, including watchdog,
• 2nd : the basic circuit of the process element "Signal" with Ethernet interface, electronic isolating strip, power supply and monitoring of the luminous flux with an optical sensor.

The system architecture of an electronic signal box for carrying out the operation of rail vehicles is divided into the three levels of operation / observation, security and process elements. A fully graphical system based on market standards can be found in the operation and observation level ( 1 ).

The security level ( 2nd ) is formed by a secure computer system that is designed as a fail-safe PLC, such as a SIMATIC S7-F.

At the process level ( 4th ) there are the elements of the outdoor system to be controlled as well as other signaling equipment such as neighboring signal boxes, level crossings, etc. For reasons of clarity, only the process element "Signal" is named. The other process elements on the process level are only indicated by the dashed representation of the Ethernet.

Via copper cables, the data is, for example, in an Ethernet LAN ( 5 ) between the security level ( 2nd ) and the decentralized elements ( 6 ) the process level ( 4th ) exchanged. This results in very short cable lengths and protected cable routes within the outdoor area. Thus, significantly lower induced voltages on the cables can be assumed. Cable faults can easily be revealed, since only low ohmic resistances can be assumed for the short cable runs. Ground faults are only relevant as a double fault due to the electrical isolation of the supply voltage and are revealed in terms of hardware and in process security. In addition, simple earth faults can be detected by earth fault detectors.

Electronic separating strips (ET, 7 ) used. As logically passive components, the ET ( 7 ) over Ethernet ( 5 ) transferred data into digital input / output bits.

• Der Stellwerkskern (3) löst im ersten SPS-Zyklus ein Daten-Telegramm aus, welches von der ET (7) des angesprochenen Signal-Prozesselements einen Digitalausgang (DA, 9) rücksetzt. Diese Rücksetzung steuert ein zwangsgeführtes Relais K1 (16) ab. K1 (16) hat einen Öffner im Stromkreis der Signallampe.

If, for example, a signal light bulb ( 20 ) are switched on, the process chain for safe control and feedback of the lamp thread looks like this:

• The signal box core ( 3rd ) triggers a data telegram in the first PLC cycle, which is sent from the ET ( 7 ) of the addressed signal process element a digital output (DA, 9 ) resets. This reset controls a positively driven relay K1 ( 16 ). K1 ( 16 ) has an NC contact in the signal lamp circuit.

The NO contact of the electronic relay (ELR, 17th ) the potential of the signal lamp voltage.

This potential is now realized by a digital input ( 8th ) of the process element is detected and via the ET ( 7 ) via network ( 5 ) to the safe PLC ( 3rd ) transmitted. The safe PLC ( 3rd ) expects this reaction (change of the status of the corresponding DE bit from 0 to 1) for the triggering of the next process step, namely the activation of a further digital output ( 9 ) of the process element. This DA ( 9 ) now controls the ELR ( 17th ) on. The ELR closes the circuit consisting of a power source ( 10th ), Break contact relay K1 ( 16 ), Normally open of the ELR ( 17th ) and lamp thread ( 20 ). Since the relay contact of the K1 ( 16 ) is already closed, it is protected, which significantly increases the service life of the relay. A corresponding sequence when deleting the signal term also serves to protect the relay contact. The lifespan of the ELR ( 17th ), however, is not affected by the number of switching operations.

With at least one optical sensor ( 15 ) The corresponding signal lamp now recognizes that the signal light bulb is lit correctly. Via a digital input ( 8th ) at the ET ( 7 ) this information is sent to the safe signal box core ( 3rd ) transmitted. The expected response (change in the status of the corresponding DE bit from 0 to 1) has thus occurred in good time. The signal box core ( 3rd ) can check for a logical sequence and also evaluate the timely result of the visual feedback in a defined time window. After a positive test, the safe signal box logic can assume that the process is correct and the signal optics ( 20 ) in the central route logic.

It can be assumed that the non-signal-safe components can only handle the untimely display of a signal giving a journey with a THR of> 10 exp -4 per hour.

The possible malfunction of the communication, e.g. with the consequence that a pending green is not switched off must be monitored. Also the possible malfunction of the ET.

For this, a watchdog ( 11 ) used. This must be in a defined pulse / pause ratio from a digital output ( 9 ) the ET ( 7 ) can be controlled. If the pulse does not appear in a defined time window, the watchdog passivates ( 11 ) the power supply ( 10th ). The pulse is generated by the safe signal box core.

Is the cyclical pulse on the watchdog ( 11 ), this is how the ET works ( 7 ) and communication to the safe signal box core ( 3rd ).

If the communication fails, the digital output ( 9 ) the ET ( 7 ) not cyclically requested to output the watchdog pulse. The pulse does not come and the watchdog ( 11 ) interrupts the power supply ( 10th ).

If the ET ( 7 ), the cyclical impulse and the required pulse / pause ratio, which the watchdog ( 11 ) expected, absent or pending in another pulse sequence. The watchdog ( 11 ) recognizes this and cuts off the power supply ( 10th ).

The watchdog ( 11 ) switches itself via the make contact of a positively driven small relay ( 12th ) the supply voltage of the ET ( 7 ). If the pulse fails to appear, the positively driven relay ( 12th ) and the supply voltage is interrupted. The safe signal box core ( 3rd ) recognizes this by the absence of the Ethernet telegrams.

To test the positively driven relay ( 12th ) and the entire watchdog function, the watchdog pulse from the safe interlocking core ( 3rd ) exposed briefly. Via the break contact of the positively driven relay ( 12th ) the supply voltage is then expected at a DE of the ET. If the relay contacts are welded or there is another error in the communication chain of the watchdog pulse, this is revealed in the test cycle. For the duration of the interruption of the supply voltage, the ET supply voltage is connected behind the watchdog relay via a capacitor ( 13 ) buffered.

If necessary, the signal voltages of driving terms can be derived from further contacts of the positively driven relay. 18th ) and the signal voltage containing terms are switched on ( 19th ) become.

Through the process chain of the safe software of the signal box core ( 3rd ) further errors of each element and also secondary errors are revealed:

• Jede Aktion an einem Element (6) der Prozessebene (4) wird über die zugehörige ET (7) initiiert. Bei einem Defekt der ET wird das Absteuern des DA (9) für Relais 16 nicht ausgeführt. Also kommt auch keine Rückmeldung des anstehenden Potentials am ELR (17) an. Der sichere Stellwerkskern (3) erkennt den Fehler.

Defect of the ET ( 7 ):

• Every action on an element ( 6 ) the process level ( 4th ) is via the associated ET ( 7 ) initiated. If the ET is defective, the shutdown of the DA ( 9 ) for relays 16 not executed. So there is no feedback of the potential at the ELR ( 17th ) on. The safe signal box core ( 3rd ) recognizes the error.

1. 1. Durchlegiertes Relais (16):
   • Das Relais ist ständig angezogen. Die zugehörige Rückmeldung über DE (8) kommt nicht zustande. Der sichere Stellwerkskern (3) erkennt den Fehler.
2. 2. Hochohmiges Relais (16):
   • Das Relais ist bereits im Grundzustand abgefallen. Die zugehörige Rückmeldung des Potentials am ELR (17) ist zur Unzeit da. Der sichere Stellwerkskern (3) erkennt den Fehler.

Defect on the DA ( 9 ) in the ET ( 7 ):

1. 1. Alloyed relay ( 16 ):
   • The relay is constantly energized. The associated feedback via DE ( 8th ) does not come about. The safe signal box core ( 3rd ) recognizes the error.
2. 2.High-resistance relay ( 16 ):
   • The relay has already dropped out in the basic state. The corresponding feedback of the potential at the ELR ( 17th ) is out of time. The safe signal box core ( 3rd ) recognizes the error.

• Rückmeldungen kommen nicht oder zur Unzeit an. Der sichere Stellwerkskern (3) erkennt den Fehler.

Defect on DE ( 8th ) in the ET ( 7 ):

• Feedback does not arrive or arrives at the wrong time. The safe signal box core ( 3rd ) recognizes the error.

A further second error disclosure results from the following, identical procedure with the ELR ( 17th ), and additionally by reading back the light:

1. 1. Durchlegiert:
   • Licht wird ständig detektiert. Die zugehörige Rückmeldung über DE (8) steht zur Unzeit an. Der sichere Stellwerkskern (3) erkennt den Fehler.
2. 2. Hochohmig:
   • Licht wird nach Ansteuern des ELR (17) nicht detektiert. Der sichere Stellwerkskern (3) erkennt den Fehler.

Defect in the feedback of the light: DE light sensor / sensor ( 15 ):

1. 1. Alloyed:
   • Light is constantly being detected. The associated feedback via DE ( 8th ) is due at the wrong time. The safe signal box core ( 3rd ) recognizes the error.
2. 2. High impedance:
   • After the ELR ( 17th ) not detected. The safe signal box core ( 3rd ) recognizes the error.

Even when the light is working correctly, errors due to incidence of extraneous light can occur.

An incidence of extraneous light only acts as a secondary error in connection with the initial error "defective control / illumination". An effect only occurs if exactly in the time window in which the optical feedback of a control of the signal optics ( 20 ) is present, external light falls on and despite the lack of signal illumination for positive feedback from the optical sensor ( 15 ) cares.

If there is already external light, the safe signal box core detects this ( 3rd ) because the optical sensor ( 15 ) brings positive feedback at the wrong time.

The case of the incidence of extraneous light exactly in the time window of the term control is through suitable positioning and protection of the sensor ( 15 ) sufficiently manageable in front of extraneous light.

In order to reveal signal optics that do not change their status over a long period of time, short signaling cycles must be carried out by the safe interlocking core, e.g. once every 24h when several track sections in front of the element are free.

Communication defect:

Through multiple telegrams ( 14 ) triggering an action results in a high level of computational error control. In the safe signal box core ( 3rd ) a communication error is revealed via a plausibility check. If a telegram is implausible, the safe signal box core passivates the system.

Since the process cannot be processed on time if the communication is defective, additional security is provided.

In addition, the watchdog ( 11 ) integrated in the overall chain of communication. This reveals errors in communication promptly.

If one takes into account the multiple dialogs, the opposing activation of relays (switched off) and ELR (activated switched) in combination with the dialog-oriented testing of the procedure in the safe interlocking logic, there are communication errors with a probability, the SIL 4th correspond to exclude.

Defect in the lamp base:

A socket closure (main and secondary thread burn) is triggered by the fuse ( 22 ) and by the DE ( 8th ) at the ELR ( 17th ) detected.

Defect on the main thread:

The optical sensor ( 15 ) does not give positive feedback after connection.

Switching to the secondary thread can be triggered. In addition, information is sent to the dispatcher (main thread e.g. "Red N1" defective).

Through time-shifted, independent procedures in the safe signal box core ( 3rd ), their plausibility checks and the timely checking of the light emission of the addressed light source ( 20 ) Process security is created in the secure software, including the non-secure components of the process level ( 4th ).

With a safety-related manual operation of the signal in the operating and monitoring level ( 1 ) Instead of the automatic control described above, it is generally necessary that the manual operation is explicitly confirmed before the command is triggered. For this purpose, a decentralized process element KF (release command not shown) is installed in this example via a separate communication path in connection with a push button / key switch with a double contact on the operator station system. As a result, the KF operating dialog is mapped with the safe signal box core.

Reference list

1

Operating and monitoring level

2nd

Security level

3rd

Secure computer system (secure signal box core)

4th

Process level

5

Ethernet

6

Process element

7

Electronic divider

8th

Digital input

9

digital output

10th

Power supply

11

Watchdog

12th

positively driven small relay

13

Buffer capacitor

14

Multiple dialogues

15

Optical sensor

16

Forced relay K1

17th

Electronic relay (ELR)

18th

Switch for driving terms

19th

Stop button (red)

20

Signal light bulb

21

Watchdog relay

22

Fuse

Claims (10)

Process for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles, consisting of a signal-technically safe operating and observation level, a safety level and a process level containing the elements to be controlled, as well as data transmission devices between the components of these levels, either by operator input on the operating and observation level or commands to control at least one element of the process level can be given by internal program execution in the secure computer system at the security level, the safety-related tests and algorithms for ensuring process security being performed by the secure computer system at the security level, whereas the computers or other components of the operating and observation level as well as the process level can meet lower security requirements, characterized in that - the security-relevant control of elements of the process level is triggered by the secure computer system of the security level if i. In the case of commands that are entered by the operator input on the operating and monitoring level, the commands are transmitted to the secure computer system on the security level using a data transmission device, checked there for plausibility and transmitted back to the operating and monitoring level in a new coded form the software of the at least one computer at the operating and monitoring level positively checks the newly coded command of the secure computer system for plausibility and successfully transmits the result in the final coded form to the secure computer system at the security level, and if additionally via a separate communication path of the assigned process element for safety-relevant operations, a double or anti-valent contact and / or additionally coded digital addresses were read in and checked positively, ii. a command to control at least one element of the process level is issued by internal program execution in the secure computer system of the security level, - the control of elements of the process level is safely terminated with a corresponding error message as soon as at least one of the aforementioned plausibility checks of the commands used in at least one of the participating computer is negative. Process for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that the trigger command for controlling elements of the process level is transmitted from a secure computer system of the security level to the appropriate element of the process level via a data transmission device and there leads to at least one actuation event, the result of which is monitored by a suitable sensor system and reported back to the secure computer system at the security level, - the results of the actuation events are checked for the required logical and timely sequence via multiple dialogs in the secure computer system of the security level, after a positive test result of all results of the control events in the secure computer system, successful element control is assumed and this is revealed, - with a negative test result of at least one result of the control events from a faulty element control and this is disclosed. Method for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that the safe computer system of the security level consists of a modular system for industrial automation systems. Method for the signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that the decentralizable process level is connected to the security level via a data network, the data being transferred from logically passive components to digital inputs / outputs. Output bits can be implemented reliably. Method for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that the triggering and monitored mechanisms cyclically trigger the communication in the entire process chain and the function of the decentralized, generally non-safe elements of the Process level is checked, and at least the power supply to the associated element of the process level is switched off in the event of a fault and, if necessary, the signal supply voltage is also separated in such a way that, in the event of a fault, only the elements belonging to the signal term “Halt” are supplied with voltage. Device for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles, consisting of a signal-technically safe operating and observation level, a safety level and a process level containing the elements to be controlled as well as data transmission devices between the components of these levels, either by operator input on the operating and observation level or commands to control at least one element of the process level can be given by internal program execution in the secure computer system at the security level, the safety-related tests and algorithms for ensuring process security taking place in the secure computer system at the security level, whereas the computers or other components of the operating and Observation level and the process level can meet lower security requirements, characterized in that - the secure computer system of S level triggers the safety-related control of elements of the process level if i. In the case of commands that are entered by the operator input on the operating and monitoring level, the commands are transmitted to the secure computer system on the security level using a data transmission device, checked there for plausibility and transmitted back to the operating and monitoring level in a new coded form the software of the at least one computer at the operating and monitoring level positively checks the newly coded command of the secure computer system for plausibility and successfully transmits the result in the final coded form to the secure computer system at the security level, and if additionally via a separate communication path of the assigned process element for safety-relevant operations, a double or non-equivalent contact and / or additionally coded digital addresses were read in and checked positively, ii. a command to control at least one element of the process level is issued by internal program execution in the secure computer system of the security level, - the control of elements of the process level is safely terminated with a corresponding error message as soon as at least one of the aforementioned plausibility checks of the commands used in at least one of the participating computer is negative. Device for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that - the trigger command for controlling elements of the process level is transmitted via a data transmission device from the secure computer system of the security level to the appropriate element of the process level and there leads to at least one actuation event, the result of which is monitored by a suitable sensor system and reported back to the secure computer system at the security level, - the secure computer system at the security level checks the results of the actuation events via multiple dialogs for the required logical and timely sequence, - the secure computer system after positive Test result of all results of the control events assumes successful element control and reveals this - the secure computer system in the event of a negative test result of at least one result of the control events from a faulty element control and reveals this. Device for signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that the safe computer system of the security level consists of a fail-safe programmable logic controller (PLC). Device for the signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that the decentralizable process level is connected to the security level via LAN (Local Area Network), whereby standard ET (electronic isolating strip) or small PLC Systems act as logically passive converters of the data transmitted via Ethernet or another data network technology to digital input / output bits. Device for the signal-technically safe electronic element control for carrying out a driving operation of rail vehicles according to at least one of the preceding claims, characterized in that watchdogs triggered and monitored by the safety level cyclically communicate in the entire process chain as well as the function of the decentralized, generally not safe elements of the process level Check and the safety level by means of positively driven contacts of the watchdog relay switches off at least the power supply to the associated element of the process level in the event of a fault and, if necessary, additionally separates the signal supply voltage in such a way that only the elements belonging to the signal term "Halt" are supplied with voltage in the event of a fault.

Images