EP0120339B1 - Device for reliable process control - Google Patents


Info

Publication number
EP0120339B1
Authority
EP
European Patent Office
Prior art keywords
data
microcomputer
process control
release
relay connection
Prior art date
Legal status
Expired
Application number
EP84102198A
Other languages
German (de)
French (fr)
Other versions
EP0120339B2 (en)
EP0120339A1 (en)
Inventor
Manfred Dipl.-Ing. Homeister
Jürgen Ing. grad. Raimer
Current Assignee
Siemens AG
Original Assignee
Siemens AG
Application filed by Siemens AG
Priority to AT84102198T (ATE25220T1)
Publication of EP0120339A1
Publication of EP0120339B1
Application granted
Publication of EP0120339B2
Anticipated expiration
Expired - Lifetime (current legal status)

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B61: RAILWAYS
    • B61L: GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L21/00: Station blocking between signal boxes in one yard
    • B61L21/04: Electrical locking and release of the route; Electrical repeat locks
    • B61L27/00: Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/30: Trackside multiple control systems, e.g. switch-over between different systems

Definitions

  • The data in the output device AE are deleted after a predeterminable period of time, and the two microcomputers are brought into the basic position.
  • The two microcomputers keep their release signals up to date by constantly reading back the stored data and classifying them. If one or both detect a change in the stored data, the microcomputer concerned immediately withdraws its release to the relay link RV.
  • The relay link then prevents the output of the data stored in the output device AE, or switches the output off immediately if the release has already been granted. The operator must be informed of such a fault in a suitable way.
  • A renewed release of data stored in the output device, whether after a data output has run its correct course or after an output has been blocked because of an error, is to be made dependent in circuit terms on the relay link RV having first returned to its basic position.
  • The relay link RV can only assume the basic position if the command data pending in the output device AE have been deleted, both microcomputers have set their outputs to the relay link RV to a state indicating their readiness to process the next operation, and the release switching means at the operator station has also returned to the basic position.
  • The microcomputer MC1, which is acted upon directly by the process control orders, must determine the operator station from which an auxiliary operation was entered and report it to the relay link. Using the knowledge of the operator station stored in the relay link, the microcomputer that is not acted upon directly by the process control data must supply the read-back process control data, which the other microcomputer recognised as being necessary, exclusively to that operator station.
  • The relay link must contain switching means which recognise a release action only if it is carried out from the operator station previously recognised as the initiating one.
  • The device according to the invention for safe process control can advantageously be used wherever a process has to be acted upon from several operator stations carrying safety responsibility.
  • A preferred area of application is the control of an interlocking from several operator stations, from which both operations that are checked for admissibility in the subordinate interlocking level and operations that deliberately override the safety of the interlocking, particularly in fault situations, are to be carried out in order to keep railway operation reasonably fluid.

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Safety Devices In Control Systems (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Container Filling Or Packaging Operations (AREA)
  • Selective Calling Equipment (AREA)

Abstract

1. A device for reliable process control employing two microcomputers which are independent of one another and do not operate in a safety-oriented manner, which act jointly upon the process to be controlled, and which allow both control operations, whose reliability is tested in a separate safety plane outside the microcomputers, and auxiliary operations, whose reliability is no longer tested, to be carried out, in particular for the control of a railway signalling installation from at least one operating location, characterised in that one microcomputer (MC1) converts the process control instructions pending execution into corresponding command data, stores them in an output device (AE) and re-reads the stored data, the re-read data being fed simultaneously to the other microcomputer (MC2) by means of a safety-oriented input doubler (EV), that both microcomputers classify the data fed to them independently of one another according to the process control instruction concerned and feed the classification results to a relay connection (RV), which, when the classification results of the two microcomputers are identical, causes the release of the data stored in the output device (AE) if the classified process control instruction relates to a control operation, but, when both recognise an auxiliary operation, makes the release of the data stored in the output device dependent upon a separate consent of an operator, which is fed via the relay connection (RV).

Description

The invention relates to a device according to the preamble of claim 1.

In process control that is not fully automated, screen workstations have proved themselves in many places: from them, an operator acts on a data processing system, for example via an alphanumeric keyboard and an optical checking device, and from there on the process to be controlled and/or monitored. One such application is found in railway signalling, where an interlocking is controlled via one or more so-called number control desks. With this kind of process control, two types of operation must be distinguished and treated differently according to their significance and their effect on the process, namely so-called regular operations and so-called auxiliary operations. A regular operation can be output to the process after it has been entered, without further action by the operator, because its admissibility is checked in a separate safety level outside the data processing system according to signalling safety principles; a possible error cannot lead to a dangerous state. With an auxiliary operation, the admissibility of the operation is no longer checked in a separate safety level, that is, the command data defined by such an auxiliary operation could lead to a hazard when output to the process. The processing of such auxiliary operations must therefore be monitored and controlled in a suitable way by a human.
This is regularly done by the data processing system supplying control data to the operator before the data are output to the process; these inform the operator of the pending auxiliary action and give the operator the option of either withdrawing the data or releasing them to the process.

Here the data processing system receiving the operator's process control orders must itself decide whether an operation is a regular or an auxiliary operation, that is, whether the command data derived from an operator action are to be passed directly to the process or must be separately authorised by the operator. Since it must be expected that the data processing system may misclassify an entered process control order and, although it is an auxiliary operation, release the corresponding command data directly to the process, the data processing system must be built according to signalling safety principles. Two kinds of data processing device come into question: either a signalling-safe data processing device which, for example, detects possible discrepancies between the results produced by two microcomputers at an early stage by internally comparing the signals present on the address, data and control buses of the two microcomputers and then prevents the output of data to the process; or, for example, two microcomputers that do not operate in a safety-related manner, whose results are combined in an external, safe comparison device and which act jointly on the process to be controlled.

The data processing system connected between the operating device and the process has essentially the function of a converter. In order to detect possible errors in converting input data into output data, it is known (DE-AS 2260738) to convert the output data derived from input data in an electronic decoding device back into the input code in a separate coding device before they are output to the process, and to compare the result with the original input code. If the original and the back-converted information agree, the output data formed by the electronic decoding device are released; otherwise they are blocked.
The known electronic decoding device, however, does not take the data to be converted back into the input code from a data memory from which the decoded signals are later passed on to the process, but from an upstream decoding stage. It is therefore not guaranteed that the data later released to the process actually correspond to the data used by the additional coding device for the back-coding.
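The weakness just described (a back-coding check made on an upstream stage rather than on the memory that feeds the process) is easy to see in a small model. The following is an added example written for this page, not code from the patent or from DE-AS 2260738; the three-entry input code, the one-byte command data and the stuck-at-1 memory fault are all constructed for illustration.

```python
from typing import Dict, Optional

# Constructed toy input code (not from the patent): three operator orders and
# the one-byte command data the decoding device derives from each.
INPUT_CODE: Dict[str, int] = {"SET": 0x01, "CLR": 0x02, "OVR": 0x03}
BACK_CODE: Dict[int, str] = {v: k for k, v in INPUT_CODE.items()}


def decode(order: str) -> int:
    """Electronic decoding device: input code -> command data."""
    return INPUT_CODE[order]


def back_code(command: int) -> Optional[str]:
    """Separate coding device: command data -> input code (None if not decodable)."""
    return BACK_CODE.get(command)


class OutputMemory:
    """The store from which data are later passed to the process. stuck_mask models a
    stuck-at-1 fault in the memory cell (constructed for this example)."""

    def __init__(self, stuck_mask: int = 0):
        self.stuck_mask = stuck_mask
        self.cell = 0

    def write(self, value: int) -> None:
        self.cell = value | self.stuck_mask

    def read(self) -> int:
        return self.cell


def prior_art_release(order: str, memory: OutputMemory) -> Optional[int]:
    """DE-AS 2260738 scheme as the patent describes it: the back-coding check is made
    on the decoder's output, upstream of the memory that actually feeds the process."""
    command = decode(order)
    if back_code(command) != order:
        return None                 # blocked: conversion error detected
    memory.write(command)
    return memory.read()            # whatever the memory now holds goes to the process


def read_back_release(order: str, memory: OutputMemory) -> Optional[int]:
    """Patent's approach: deposit first, read back from the same memory, then check."""
    command = decode(order)
    memory.write(command)
    readback = memory.read()
    if readback != command or back_code(readback) != order:
        return None                 # blocked: stored data do not match the order
    return readback
```

With a stuck bit in the memory cell, the order "SET" (0x01) is stored as 0x03, which back-codes to "OVR": the prior-art check passes because it never looks at the memory, while the read-back check blocks the output. The point is the one the patent makes: the verification must read the very data that will be released, not an earlier copy.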

The known electronic decoding device is not able to classify the data supplied to it. For the present case of process control by regular and auxiliary operations, this means that the data supplied to the decoding device are, in principle, output to the process whenever they have been converted correctly by the decoding device. The known electronic decoding device therefore cannot be used for safe process control, because it provides no way to distinguish dangerous commands (auxiliary operations) from harmless commands (regular operations) and, for example, to break the connection to the process in the case of a process control order that is erroneous but internally consistent.

The object of the present invention is to design a device according to the preamble of claim 1 such that a safe classification of the respective pending process control order is possible, the command data derived from a process control order being released to the process either directly (for a regular operation) or only after authorisation by the operator who initiated the process control order (for an auxiliary operation).

The invention achieves this object by the characterising features of claim 1. Advantageous embodiments and developments of the device according to the invention are given in the subclaims.

The invention is explained in more detail below with reference to the drawing. The drawing shows, in its upper right part, a data input device DE known per se, via which an operator can convey process control orders to the process to be controlled and/or monitored. The process control orders entered are converted into command data in a downstream data processing system DV and output to the process via an output device AE.

The data input device consists of an input keyboard ET, for example an alphanumeric one, via which an operator specifies the process control orders. Each process control order entered is displayed optically to the operator on a display unit SG and, after a visual check, can be passed by the operator to the data processing system DV by means of a key T.

The data processing system DV consists essentially of two mutually independent microcomputers MC1 and MC2, which do not operate in a safety-related manner, and a relay link RV, which does. The process control orders coming from the data input device DE reach the microcomputer MC1, which forms from them the corresponding command data as required for controlling the process. The microcomputer MC1 does not, however, pass the command data it has produced on to the process yet, but deposits them in an output device AE. This output device consists essentially of a memory in which the supplied command data are stored in a safety-related manner.

After the command data have been deposited, the microcomputer MC1 reads the deposited data back for checking purposes and compares them with the data it produced. The command data read back from the output device AE by the microcomputer MC1 pass through a safety-related input doubler EV connected into the feedback channel and so reach not only the microcomputer MC1, which is acted upon directly by the process control orders, but also the microcomputer MC2. Both microcomputers are thereby informed of the command data pending for execution. Both independently assess the pending command data with regard to the type of operator action about to be executed. If both microcomputers independently determine that the pending operation is a regular operation, one that is separately checked for admissibility within the process, then both microcomputers release the output of the command data stored in the output device AE. This takes place via the safety-related relay link RV connected downstream of the two microcomputers on the output side. If the two microcomputers arrive at different classification results, the relay link RV blocks the release of the command data stored in the output device AE. The fault that has occurred can be brought to the operator's attention in a suitable way, for example by switching on an optical and/or acoustic indicator. The response of this indicator can prompt the operator to delete the stored data and to perform the operator action again.
If the two microcomputers then classify the operation as a regular operation, the command data in the output device AE, updated if need be by the repeated entry, are released.

If an operation is an auxiliary operation (Hilfsbedienung), i.e. one that is not checked in any downstream safety level but takes effect directly within the process to be controlled and/or monitored, the two microcomputers MC1 and MC2 cannot on their own initiate the release of the command data then stored in the output device AE. The release requires the deliberate participation of the operator who initiated the operation. For this purpose the microcomputer MC2 determines, from the command data supplied to it via the input doubler EV, the associated process control order and presents it to the operator on a separate check display KA. The operator's task is now to compare the process control order shown, for example alphanumerically, on the check display with the order he entered in the data input device DE and to decide whether or not this order is to be executed. If he decides in favour of execution, the operator has to actuate a separate release switching means FS. This release switching means acts on the two microcomputers MC1 and MC2 via the relay link RV with a corresponding control flag. If both microcomputers have classified the pending operation as an auxiliary operation and the relay link RV supplies them with the control signals triggered by actuation of the release switching means FS, both microcomputers independently generate release signals for the output of the command data stored in the output device AE.
In the relay link these releases may be combined once more with the release given by the release switching means FS and then lead to the output of the pending command data.

If the operator withholds his consent to the release of the pending command data, the data held in the output device AE are deleted after a predeterminable period of time and the two microcomputers are returned to the ground state.

As long as the command data are stored in the output device AE, the two microcomputers keep their release signals up to date by continuously reading back the stored data and classifying them. If one or both of them detects a change in the stored data, the microcomputer concerned immediately withdraws its release to the relay link RV. The relay link then prevents the output of the data stored in the output device AE, or switches the output off immediately if the release has already been granted. Such a fault is to be indicated to the operator in a suitable manner.
The renewed release of data stored in the output device, after a data output has run its proper course or after an output has been blocked in the event of a fault, is to be made dependent in the circuitry on the relay link RV having previously been in its ground state. The relay link RV can only assume the ground state when the command data pending in the output device AE have been deleted, both microcomputers have set their outputs to the relay link RV to a state signalling their readiness for the next operation, and the release switching means at the operator station has likewise returned to its ground state.

If several data input devices are present, it must be ensured that command data derived from an auxiliary operation can only be released from the operator station of the operator who initiated that operation. For this purpose the microcomputer MC1, which the process control orders act on directly, has to determine the operator station from which an auxiliary operation was entered and report it to the relay link. The microcomputer that is not directly acted upon by the process control data has, using its knowledge of the operator station stored in the relay link, to supply the read-back process control data exclusively to the operator station the other microcomputer recognised as the initiating one. The relay link has to contain switching means that accept a release action only if it comes from the operator station previously recognised as the initiating one.
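The release logic described above (two independent classifications combined in the relay link RV, the operator's release switch FS bound to the instigating station, withdrawal of a release on any change of the stored data, and re-release only from the ground state), as an added Python model that is not part of the patent. The classes, the bit-7 command encoding and the station numbers are this example's own assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional

class OpClass(Enum):
    CONTROL = "control"      # Regelbedienung: admissibility re-checked in the interlocking level
    AUXILIARY = "auxiliary"  # Hilfsbedienung: acts on the process without any downstream check

def classify(command: bytes) -> OpClass:
    """Constructed rule for this example: bit 7 of the first byte marks an auxiliary
    operation. The patent does not specify how command data are encoded."""
    return OpClass.AUXILIARY if command[0] & 0x80 else OpClass.CONTROL

@dataclass
class OutputDevice:
    """AE: holds the command data written by MC1; both microcomputers read them back."""
    command: Optional[bytes] = None

@dataclass
class Microcomputer:
    """MC1 or MC2: re-reads AE every cycle and classifies on its own. A change of the
    stored data is a fault; the release (None) then stays withdrawn until reset()."""
    name: str
    seen: Optional[bytes] = None
    faulted: bool = False

    def evaluate(self, ae: OutputDevice) -> Optional[OpClass]:
        if self.faulted or ae.command is None:
            return None
        if self.seen is not None and ae.command != self.seen:
            self.faulted = True
            return None
        self.seen = ae.command
        return classify(ae.command)

    def reset(self) -> None:
        self.seen, self.faulted = None, False

@dataclass
class RelayLink:
    """RV: the downstream safety logic. It releases the AE output only from the ground
    state, only while both classifications agree, and for an auxiliary operation only
    with the release switch FS pressed at the station MC1 reported as instigating."""
    in_ground_state: bool = True
    releases: Dict[str, Optional[OpClass]] = field(
        default_factory=lambda: {"MC1": None, "MC2": None})
    origin_station: Optional[int] = None  # reported by MC1 for an auxiliary operation
    fs_station: Optional[int] = None      # station whose FS is currently pressed
    output_enabled: bool = False

    def report(self, mc: str, cls: Optional[OpClass]) -> bool:
        """A microcomputer reports its classification; None withdraws its release."""
        self.releases[mc] = cls
        return self._update()

    def press_fs(self, station: Optional[int]) -> bool:
        self.fs_station = station            # None models the switch being released
        return self._update()

    def _update(self) -> bool:
        c1, c2 = self.releases["MC1"], self.releases["MC2"]
        if c1 is None or c2 is None or c1 != c2:
            self.output_enabled = False      # withdrawal or disagreement blocks at once
        elif not self.output_enabled and self.in_ground_state and (
                c1 is OpClass.CONTROL
                or (self.fs_station is not None and self.fs_station == self.origin_station)):
            self.output_enabled, self.in_ground_state = True, False
        return self.output_enabled

    def reset(self, ae: OutputDevice) -> bool:
        """Ground state is reached only with AE cleared, both releases withdrawn and
        FS released; otherwise RV stays out of ground state and nothing is re-released."""
        self.output_enabled = False
        if ae.command is None and self.fs_station is None and not any(self.releases.values()):
            self.in_ground_state, self.origin_station = True, None
        return self.in_ground_state
```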

The device according to the invention for reliable process control can be used with advantage wherever a process has to be acted on with safety responsibility, in particular from several operator stations. A preferred field of application is the control of an interlocking from several operator stations, where both operator actions that are checked for admissibility in the downstream interlocking level and operator actions that, particularly in fault situations, are intended to deliberately bypass the interlocking's safety functions in order to keep operations running reasonably smoothly have to be carried out from these stations.

Claims (10)

1. A device for the reliable process control employing two microcomputers which are independent of one another and do not operate so as to be safety-oriented and which commonly act upon the process which is to be controlled, and allow both control operations, whose reliability is tested in a separate safety plane outside the microcomputer, and also auxiliary operations, whose reliability is no longer tested, to be carried out, in particular for the control of a railroad signalling device of at least one operating location, characterised in that the one microcomputer (MC1) converts the process control instructions which are present in order to be carried out, into corresponding command data, and stores them in an output device (AE) and re-reads the stored data, where the re-read data are simultaneously fed to the other microcomputer (MC2) by means of a safety-oriented input doubler (EV), that both microcomputers classify the data, which are fed thereto, independently of one another in accordance with the respectively present process control instruction and feed the classification results to a relay connection (RV) which when the classification results of the two microcomputers are identical causes the release of the data stored in the output device (AE), if the respectively classified process control instruction relates to a control operation, but during common recognition of an auxiliary operation makes the release of the data stored in the output device dependent upon a separate agreement of an operator, which is fed via the relay connection (RV).
2. A device as claimed in claim 1, characterised in that the release of the data stored in the output device (AE) is made dependent upon the previous ground state of the relay connection (RV) and that the ground state of the relay connection is made dependent upon the ground state of the output device (AE), the ground state of the two microcomputer outputs relative to the relay connection (RV) and upon the ground state of the release switching means which are adjustable when an operator agrees to an auxiliary operation.
3. A device as claimed in claim 1, characterised in that the two microcomputers constantly effect their release when the appropriate requirements are present.
4. A device as claimed in claim 3, characterised in that the two microcomputers monitor the command data, which are stored in the output device, in respect of continuity by re-reading said data, that each microcomputer separately cancels its release to the relay connection (RV) when said data change and that the relay connection subsequently prevents the output of the data stored in the output device (AE).
5. A device as claimed in claim 1, characterised in that the microcomputer (MC2) which is not directly acted upon by the process control instructions, converts the command data, which are fed to the microcomputer by means of the input doubler (EV), into the corresponding process control instructions when an auxiliary operation occurs and places them at the operator's disposal on a visual screen (KA).
6. A device as claimed in claim 5, characterised in that the microcomputer (MC1) which is directly acted upon by the process control data determines the operating location during the auxiliary operations from which an auxiliary operation has been read-in, that from the knowledge of the operating location which is respectively determined by the other microcomputer (MC1), the microcomputer (MC2) which is not directly acted upon by the process control data, only supplies the operating location with the re-read process control data which has been recognised by the microcomputer (MC1), which is directly acted upon by the process control data, as being instigating, and that the relay connection comprises switching means which only recognise a release operation if it has been effected from the operating location which has previously been recognised as being instigating.
7. A device as claimed in claim 6, characterised in that the microcomputer (MC1) which is directly acted upon by the process control data informs the relay connection (RV) of the operating location which has been respectively determined by itself, and that the other microcomputer (MC2) interrogates the respectively determined operating location at that point.
8. A device as claimed in claim 6, characterised in that the microcomputer (MC1) which is directly acted upon by the process control data informs the output device (AE) of the operating location, which is respectively determined by itself, together with the command data, and that the other microcomputer (MC2) derives the respectively determined operating location from the re-read data.
9. A device as claimed in claim 6, characterised in that the microcomputer (MC1) which is directly acted upon by the process control data, directly informs the other microcomputer (MC2) of the operating location which is respectively determined by said microcomputer.
10. A device as claimed in claims 1, 5 or 6, characterised in that the release of an auxiliary operation, which has been recognised by the relay connection (RV) as being valid, by an operator leads to the output of corresponding auxiliary releases to the relay connection (RV) in both microcomputers (MC1, MC2) and that the relay connection subsequently triggers the release of the command data stored in the output device (AE).
EP84102198A 1983-03-25 1984-03-01 Device for reliable process control Expired - Lifetime EP0120339B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AT84102198T ATE25220T1 (en) 1983-03-25 1984-03-01 DEVICE FOR SAFE PROCESS CONTROL.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE3310975 1983-03-25
DE19833310975 DE3310975A1 (en) 1983-03-25 1983-03-25 DEVICE FOR SAFE PROCESS CONTROL

Publications (3)

Publication Number Publication Date
EP0120339A1 EP0120339A1 (en) 1984-10-03
EP0120339B1 true EP0120339B1 (en) 1987-01-28
EP0120339B2 EP0120339B2 (en) 1991-07-03

Family

ID=6194696

Family Applications (1)

Application Number Title Priority Date Filing Date
EP84102198A Expired - Lifetime EP0120339B2 (en) 1983-03-25 1984-03-01 Device for reliable process control

Country Status (3)

Country Link
EP (1) EP0120339B2 (en)
AT (1) ATE25220T1 (en)
DE (2) DE3310975A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19742330C1 (en) * 1997-09-19 1998-10-29 Siemens Ag Firewall implementation for computer network
DE4432419C2 (en) * 1994-09-02 2003-04-24 Siemens Ag Procedure for handling commands requiring approval and device for carrying out the procedure

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4010123A1 (en) * 1990-03-29 1991-10-02 Siemens Ag DEVICE FOR CONTROLLING AN ACTUATOR FROM AT LEAST ONE REMOTE CONTROL PANEL
DE4107639A1 (en) * 1991-03-09 1992-09-10 Standard Elektrik Lorenz Ag DEVICE FOR SIGNAL-SAFE REMOTE CONTROL OF A SUBSTATION IN A RAILWAY SYSTEM
DE19828452A1 (en) * 1998-06-26 1999-12-30 Alcatel Sa Operator station equipment for signaling systems
GB2348034A (en) * 1999-03-17 2000-09-20 Westinghouse Brake & Signal An interlocking for a railway system
AU737646B2 (en) * 1999-05-21 2001-08-23 Hitachi Information & Control Systems Inc. Plant operating and monitoring system, and plant operating and monitoring method
DE10261450B4 (en) * 2002-12-31 2007-10-11 Danfoss Drives A/S Electric motor with integrated electronic control device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BE795522A (en) * 1972-02-18 1973-06-18 Stin ELECTRONIC DECODING DEVICE FOR REMOTE CONTROL DEVICES IN RAILWAY INSTALLATIONS
DE2303828A1 (en) * 1973-01-26 1974-08-01 Standard Elektrik Lorenz Ag CONTROL PROCEDURE WITH THREE COMPUTERS OPERATING IN PARALLEL

Also Published As

Publication number Publication date
ATE25220T1 (en) 1987-02-15
EP0120339B2 (en) 1991-07-03
EP0120339A1 (en) 1984-10-03
DE3310975A1 (en) 1984-09-27
DE3462231D1 (en) 1987-03-05

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Designated state(s): AT CH DE LI NL

17P Request for examination filed

Effective date: 19841026

17Q First examination report despatched

Effective date: 19860423

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT CH DE LI NL

REF Corresponds to:

Ref document number: 25220

Country of ref document: AT

Date of ref document: 19870215

Kind code of ref document: T

REF Corresponds to:

Ref document number: 3462231

Country of ref document: DE

Date of ref document: 19870305

PLBI Opposition filed

Free format text: ORIGINAL CODE: 0009260

26 Opposition filed

Opponent name: STANDARD ELEKTRIK LORENZ AG

Effective date: 19871016

NLR1 Nl: opposition has been filed with the epo

Opponent name: STANDARD ELEKTRIK LORENZ AG

PUAH Patent maintained in amended form

Free format text: ORIGINAL CODE: 0009272

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: PATENT MAINTAINED AS AMENDED

27A Patent maintained in amended form

Effective date: 19910703

AK Designated contracting states

Kind code of ref document: B2

Designated state(s): AT CH DE LI NL

REG Reference to a national code

Ref country code: CH

Ref legal event code: AEN

NLR2 Nl: decision of opposition
NLR3 Nl: receipt of modified translations in the netherlands language after an opposition procedure
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 19920521

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: CH

Payment date: 19920622

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: AT

Payment date: 19930224

Year of fee payment: 10

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Effective date: 19930331

Ref country code: CH

Effective date: 19930331

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NL

Payment date: 19930331

Year of fee payment: 10

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Effective date: 19931201

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Effective date: 19940301

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Effective date: 19941001

NLV4 Nl: lapsed or anulled due to non-payment of the annual fee