EP0503336A2 - Arrangement for fail-safe remote control of a substation in a railway system - Google Patents

Arrangement for fail-safe remote control of a substation in a railway system Download PDF

Info

Publication number
EP0503336A2
EP0503336A2 EP19920102996 EP92102996A EP0503336A2 EP 0503336 A2 EP0503336 A2 EP 0503336A2 EP 19920102996 EP19920102996 EP 19920102996 EP 92102996 A EP92102996 A EP 92102996A EP 0503336 A2 EP0503336 A2 EP 0503336A2
Authority
EP
European Patent Office
Prior art keywords
substation
computer
central station
security code
command
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP19920102996
Other languages
German (de)
French (fr)
Other versions
EP0503336A3 (en
EP0503336B1 (en
Inventor
Alan C. Knight
Helmut Uebel
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alcatel Lucent Deutschland AG
Original Assignee
Alcatel SEL AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alcatel SEL AG filed Critical Alcatel SEL AG
Publication of EP0503336A2 publication Critical patent/EP0503336A2/en
Publication of EP0503336A3 publication Critical patent/EP0503336A3/xx
Application granted granted Critical
Publication of EP0503336B1 publication Critical patent/EP0503336B1/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/30Trackside multiple control systems, e.g. switch-over between different systems

Definitions

  • the invention relates to a device according to the preamble of patent claim 1.
  • the known remote control requires a special, signal-technically secure command line for transmitting the execution command.
  • the invention has for its object to provide a remote control device that enables a transmission of commands to be carried out safely by signaling without a special command line that is safe by signaling.
  • a device that solves this problem is represented by the features of claim 1.
  • the device according to the invention enables the use of commercially available, non-secure computers, e.g. Personal computer, in the central station.
  • Special security measures are limited to checking the redundantly received report image data by comparison. All test and security measures can be carried out in the substation using the two computer channels.
  • Special, signal-safe circuit parts, such as those e.g. would be necessary to receive a safe execution coming.
  • claim 3 protects the transmitted message information from corruption by bit lines that have become static at parallel computer inputs and outputs.
  • the manual switching of the screen required according to claim 4 to the computer system capable of displaying the security code prevents a thoughtless routine confirmation of requested auxiliary operations.
  • the figure schematically shows a central station Z and a substation UST1 with their most important devices and a transmission link U connecting both stations. Additional substations UST2 can also be connected to the transmission link.
  • the central station contains two computer systems R1, R2, e.g. Personal computer, which can be alternately connected to a display device M via a changeover switch MS to display a stored message image. Only the computer system R1 has a manual input T and a printer D for recording actions that are required to be recorded. Data output on the transmission link Ü via a modem MZ is also only possible from the computer system R1.
  • R1, R2, e.g. Personal computer which can be alternately connected to a display device M via a changeover switch MS to display a stored message image.
  • Only the computer system R1 has a manual input T and a printer D for recording actions that are required to be recorded.
  • Data output on the transmission link Ü via a modem MZ is also only possible from the computer system R1.
  • the substation UST1 has a computer system which is secure in terms of signal technology and has two computer channels, each of which consists of a main computer UR1, UR2 and a front-end computer VR1, VR2.
  • the two main computers are connected to one another via a neighboring computer connection NRB and via a control and message bus SMB to the hardware STW of the substation to be controlled.
  • connection to the transmission path runs here via the upstream computer of the computer channels. These are connected to a substation modem MU with separate outputs in the output direction. In contrast, inputs of both upstream computers are acted upon in parallel from a common output of the modem.
  • Control commands which are entered in the central station and are intended to result in an actuating action without special security responsibility in the substation, enter the computer system R1 from the input T.
  • the computer system develops the command corresponding to the control command and outputs it to the modem MZ, from where it is, e.g. as a serial, frequency-modulated data telegram, which is transmitted on the transmission link.
  • the substation modem MU converts the data telegram into the originally entered command and feeds it to the pre-computers of the computer channels parallel to.
  • Both computer channels now decode the control command contained in the received command. They exchange interim results and the end result via the neighboring computer connection NRB and compare their own result with that of the neighboring computer channel. If the results are determined by both computer channels, the control command is output on the control and message bus and the actuating action is thus triggered.
  • reporting lines of the control and reporting bus These are queried at regular intervals and after each actuation by both computer channels for their switching status.
  • the result of the query is sent to the substation modem MU separately from both primary computers and transmitted to the central station as a reporting data telegram.
  • One of the upstream computers outputs its data in inverted form to the modem.
  • both computer systems receive the reporting data transmitted from both computer channels of the substation in parallel and compare the simply transmitted data with the inverted transmitted data. If there is a match, the transmitted current switching states are saved and taken into account in the display of the message image. From the change in the message screen, the operator can see whether the control command entered by him has been carried out.
  • a control command for this is likewise entered into the computer system R1 via the operating device T and transmitted as a command to the substation.
  • a command with security responsibility is identified as such by an addition or a special form of input. But it can also only be in the substation, e.g. by comparing the received command with pre-stored lists of safety-relevant and non-safety-relevant commands, it can be determined whether the command to be executed has safety meaning.
  • the computer channels of the substation determine when a command transmitted from the central station relates to an actuating action that is to be carried out with security responsibility.
  • the control command contained in the transmitted command is first stored in the substation in terms of signal technology.
  • the associated actuating action has not yet been carried out.
  • a specially marked message data telegram is transmitted to the central station via the signaling-safe signaling path, which simulates the actuation that has not yet been carried out.
  • the computer controlling the display device displays this anticipated actuation action in a special shape or color on the display device.
  • the actuation action to be carried out is thus "reflected" back into the central station.
  • the operator can check again whether the mirrored command corresponds to the originally entered command and can finally decide whether the command should be executed.
  • the computer channels of the substation contain a program for generating a special security code.
  • This program is processed when a command triggering an actuating action with security responsibility is recognized and the determined security code is transmitted to the central station together with the data required to mirror the actuating action to be performed.
  • the security code can now be displayed in the central station and, after being entered again, can be transferred back to the substation as an execution command. There it is compared with the originally generated security code stored there. If there is agreement, the execution command is given. The prepared actuation is carried out.
  • the computer system R2 In the central station, only the computer system R2 that is not used for command transmission contains a program for receiving and displaying the security code. The computer system R1 is unable to record and display the security code or to transmit it back to the substation.
  • the security code can only be retransmitted if the computer system R2 uses e.g. manually operable switch MS connected to the display device and thus enabled to display the security code to the operator.
  • the operator is forced to enter the displayed security code into the computer system R1 by means of the operating device T if he wants to effect its transmission to the subordinate station and thus the execution of the prepared actuating command.
  • the security code can also be transmitted to the central station in encrypted form, decrypted in a decrypted form in the second computer with the aid of a decryption program contained only there, and after re-entering it Substation be transferred back.

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Selective Calling Equipment (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)

Abstract

In the remote-control of substations (UST1) in railway systems, a control command which triggers a control action with a responsibility for safety is initially transmitted without fail-safe security into the substation. Subsequently, the control action is reflected back into the central control station (Z) via the transmission path which has been configured in a fail-safe manner, before said action is carried out. After a further check of the control command, an execution command which acts in a fail-safe manner is transmitted to the substation. A security code which is produced in the substation and stored there is used as the execution command. Said code is transferred to the central control station together with the control action to be reflected back. Said code is input again into the central control station as an execution command, transmitted to the substation in a non-secure fashion and compared there with the original security code. If they correspond to one another, the control action is carried out.

Description

Die Erfindung betrifft eine Einrichtung gemäß dem Oberbegriff des Patentanspruchs 1.The invention relates to a device according to the preamble of patent claim 1.

Eine solche Einrichtung ist in ihren wesentlichen Teilen z.B. in einem Beitrag der Stadtbahn-Gesellschaft Rhein-Ruhr, Gelsenkirchen mit dem Titel "Konzeptionelle Festlegung der Verbindungsschaltung - Datenübertrager und -konzentrator - der Stadtbahn Rhein-Ruhr SSR" in der BMFT-Veröffentlichung "Statusseminar BMFT '82" enthalten.The essential parts of such a device are e.g. contained in a contribution by the Stadtbahn-Gesellschaft Rhein-Ruhr, Gelsenkirchen with the title "Conceptual definition of the connection circuit - data transmitter and concentrator - of the Stadtbahn Rhein-Ruhr SSR" in the BMFT publication "Status Seminar BMFT '82".

Hier ist auf Seite 46 die Fernsteuerung von Streckenstellwerken von einem Zentralstellwerk aus beschrieben. Ein dem Streckenstellwerk zugeordneter, intelligenter Datenübertrager und - konzentrator (DÜK) empfängt Stellkommandos von dem Zentralstellwerk und leitet sie an das Strekkenstellwerk weiter. Signaltechnisch sicher auszuführende Kommandos werden vom Datenübertrager und -konzentrator signaltechnisch sicher an das Zentralstellwerk zurückgespiegelt und erst ausgeführt, wenn nach nochmaliger Kontrolle durch den Bediener ein von diesem eingegebenes, signaltechnisch sicher übertragenes Ausführungskommando empfangen wird.The remote control of interlockings from a central signal box is described on page 46. An intelligent data transmitter and concentrator (DÜK) assigned to the line interlocking receives control commands from the central signal box and forwards them to the line interlocking. Commands that are to be executed safely in terms of signaling are safely reflected back to the central signal box by the data transmitter and concentrator and are only executed when, after repeated checking by the operator, an execution command entered by the operator and transmitted in terms of signaling is received safely.

Die bekannte Fernsteuerung benötigt neben einer für Regelbedienungen verwendeten Übertragungsleitung eine besondere, signaltechnisch sichere Kommandoleitung zur Übertragung des Ausführungskommandos.In addition to a transmission line used for control operations, the known remote control requires a special, signal-technically secure command line for transmitting the execution command.

Der Erfindung liegt die Aufgabe zugrunde, eine Fernsteuereinrichtung zu schaffen, die eine Übertragung signaltechnisch sicher auszuführender Kommandos ohne eine besondere, signaltechnisch sichere Kommandoleitung ermöglicht.The invention has for its object to provide a remote control device that enables a transmission of commands to be carried out safely by signaling without a special command line that is safe by signaling.

Eine Einrichtung, die diese Aufgabe löst, wird durch die Merkmale des Patentanspruchs 1 wiedergegeben. Die Einrichtung nach der Erfindung ermöglicht den Einsatz handelsüblicher, nicht sicherer Rechner, z.B. Personal Computer, in der Zentralstation. Besondere Sicherungsmaßnahmen beschränken sich dort auf die Prüfung der redundant empfangenen Meldebilddaten durch Vergleich. In der Unterstation können alle Prüf- und Sicherungsmaßnahmen mittels der beiden Rechnerkanäle ausgeführt werden. Besondere, signaltechnisch sicher arbeitende Schaltungsteile, wie sie z.B. zum Empfang eines sicheren Ausführungskommendos notwendig wären, können entfallen.A device that solves this problem is represented by the features of claim 1. The device according to the invention enables the use of commercially available, non-secure computers, e.g. Personal computer, in the central station. Special security measures are limited to checking the redundantly received report image data by comparison. All test and security measures can be carried out in the substation using the two computer channels. Special, signal-safe circuit parts, such as those e.g. would be necessary to receive a safe execution coming.

Weiterbildungen der Einrichtung nach der Erfindung sind Gegenstand der Unteransprüche. So erlaubt der Einsatz von Vorrechnern in den Rechnerkanälen der Unterstation gemäß Anspruch 2 eine Trennung der für die sichere Meldungsübertragung und den Kommandoempfang auszuführenden Verarbeitungsschritte von der Kommandoausgabe an die Stellelemente und der Erfassung von deren aktuellem Schaltzustand.Developments of the device according to the invention are the subject of the dependent claims. For example, the use of pre-computers in the computer channels of the substation allows the processing steps to be carried out for secure message transmission and command reception to be separated from the command output to the control elements and the detection of their current switching state.

Der Gegenstand des Anspruchs 3 sichert die übertragene Meldungsinformation vor Verfälschung durch statisch gewordene Bitleitungen an parallelen Rechnerein- und ausgängen.The subject matter of claim 3 protects the transmitted message information from corruption by bit lines that have become static at parallel computer inputs and outputs.

Die gemäß Anspruch 4 erforderliche manuelle Umschaltung des Bildschirms auf das zur Darstellung des Sicherungscodes befähigte Rechnersystem verhindert eine unbedachte routinemäßige Bestätigung angeforderter Hilfsbedienungen.The manual switching of the screen required according to claim 4 to the computer system capable of displaying the security code prevents a thoughtless routine confirmation of requested auxiliary operations.

Anhand einer Figur soll nachstehend die Einrichtung nach der Erfindung ausführlich beschrieben werden.The device according to the invention will be described in detail below with reference to a figure.

In der Figur sind schematisch eine Zentralstation Z und eine Unterstation UST1 mit ihren wichtigsten Geräten sowie eine beide Stationen verbindende Übertragungsstrecke Ü dargestellt. An der Übertragungsstrecke können zusätzlich weitere Unterstationen UST2 angeschlossen sein.The figure schematically shows a central station Z and a substation UST1 with their most important devices and a transmission link U connecting both stations. Additional substations UST2 can also be connected to the transmission link.

Die Zentralstation enthält zwei Rechnersysteme R1, R2, z.B. Personal-Computer, die zur Darstellung eines gespeicherten Meldebildes über einen Umschalter MS wechselweise mit einer Anzeigeeinrichtung M verbunden werden können. Nur das Rechnersystem R1 besitzt eine manuelle Eingabe T und einen Drucker D zur Aufzeichnung protokollpflichter Handlungen. Auch die Datenausgabe auf die Übertragungsstrecke Ü über ein Modem MZ ist nur vom Rechnersystem R1 aus möglich.The central station contains two computer systems R1, R2, e.g. Personal computer, which can be alternately connected to a display device M via a changeover switch MS to display a stored message image. Only the computer system R1 has a manual input T and a printer D for recording actions that are required to be recorded. Data output on the transmission link Ü via a modem MZ is also only possible from the computer system R1.

Über das Modem MZ empfangene Daten werden jedoch parallel beiden Rechnersystemen zugeführt.However, data received via the MZ modem is fed in parallel to both computer systems.

Die Unterstation UST1 besitzt ein signaltechnisch sicheres Rechnersystem mit zwei Rechnerkanälen, die jeweils aus einem Hauptrechner UR1, UR2 und einem Vorrechner VR1, VR2 bestehen. Die beiden Hauptrechner sind über eine Nachbarrechnerverbindung NRB miteinander und über einen Steuer- und Meldebus SMB mit der zu steuernden Hardware STW der Unterstation verbunden.The substation UST1 has a computer system which is secure in terms of signal technology and has two computer channels, each of which consists of a main computer UR1, UR2 and a front-end computer VR1, VR2. The two main computers are connected to one another via a neighboring computer connection NRB and via a control and message bus SMB to the hardware STW of the substation to be controlled.

Die Verbindung zur Übertragungsstrecke verläuft hier über die Vorrechner der Rechnerkanäle. Diese sind in Ausgaberichtung mit getrennten Ausgängen an ein Unterstationsmodem MU angeschlossen. Eingänge beider Vorrechner werden dagegen von einem gemeinsamen Ausgang des Modems aus, parallel beaufschlagt.The connection to the transmission path runs here via the upstream computer of the computer channels. These are connected to a substation modem MU with separate outputs in the output direction. In contrast, inputs of both upstream computers are acted upon in parallel from a common output of the modem.

Steuerbefehle, die in der Zentralstation eingegeben werden und eine Stellhandlung ohne besondere Sicherheitsverantwortung in der Unterstation bewirken sollen, gelangen von der Eingabe T in das Rechnersystem R1. Das Rechnersystem erarbeitet das dem Steuerbefehl entsprechende Kommando und gibt dieses auf das Modem MZ aus, von wo aus es, z.B. als serielles, frequenzmoduliertes Datentelegramm, auf die Übertragungsstrecke ausgesendet wird.Control commands, which are entered in the central station and are intended to result in an actuating action without special security responsibility in the substation, enter the computer system R1 from the input T. The computer system develops the command corresponding to the control command and outputs it to the modem MZ, from where it is, e.g. as a serial, frequency-modulated data telegram, which is transmitted on the transmission link.

Das Unterstationsmodem MU setzt das Datentelegramm in das ursprünglich eingegebene Kommando um und führt dieses den Vorrechnern beider Rechnerkanäle parallel zu.The substation modem MU converts the data telegram into the originally entered command and feeds it to the pre-computers of the computer channels parallel to.

Beide Rechnerkanäle decodieren nun den in dem empfangenen Kommando enthaltenen Steuerbefehl. Dabei tauschen sie Zwischenergebnisse und das Endergebnis über die Nachbarrechnerverbindung NRB gegenseitig aus und vergleichen ihr eigenes Ergebnis mit dem des Nachbarrechnerkanals. Bei von beiden Rechnerkanälen festgestellter Übereinstimmung der Ergebnisse wird der Steuerbefehl auf den Steuer- und Meldebus ausgegeben und die Stellhandlung damit ausgelöst.Both computer channels now decode the control command contained in the received command. They exchange interim results and the end result via the neighboring computer connection NRB and compare their own result with that of the neighboring computer channel. If the results are determined by both computer channels, the control command is output on the control and message bus and the actuating action is thus triggered.

Die Rückmeldung des Vollzugs der ausgelösten Stellhandlung erfolgt über Meldeleitungen des Steuer- und Meldebusses. Diese werden in regelmäßigen Zeitabständen sowie nach jeder Stellhandlung von beiden Rechnerkanälen auf ihren Schaltzustand hin abgefragt. Das Abfrageergebnis wird von beiden Vorrechnern getrennt dem Unterstationsmodem MU zugeführt und als Meldedatentelegramm zur Zentralstation übertragen. Hierbei gibt einer der Vorrechner seine Daten in invertierter Form auf das Modem aus. In der Zentralstation empfangen beide Rechnersysteme parallel die von beiden Rechnerkanälen der Unterstation übermittelten Meldedaten und führen einen Vergleich der einfach übertragenen Daten mit den invertiert übertragenen Daten durch. Bei Übereinstimmung werden die übertragenen aktuellen Schaltzustände abgespeichert und bei der Darstellung des Meldebildes berücksichtigt. Aus der Veränderung des Meldebildes erkennt der Bediener, ob der von ihm eingegebene Steuerbefehl ausgeführt wurde.The completion of the triggered actuation is reported back via reporting lines of the control and reporting bus. These are queried at regular intervals and after each actuation by both computer channels for their switching status. The result of the query is sent to the substation modem MU separately from both primary computers and transmitted to the central station as a reporting data telegram. One of the upstream computers outputs its data in inverted form to the modem. In the central station, both computer systems receive the reporting data transmitted from both computer channels of the substation in parallel and compare the simply transmitted data with the inverted transmitted data. If there is a match, the transmitted current switching states are saved and taken into account in the display of the message image. From the change in the message screen, the operator can see whether the control command entered by him has been carried out.

Soll eine Stellhandlung mit Sicherheitsverantwortung ausgeführt werden, so wird ein Steuerbefehl hierzu ebenfalls über die Bedieneinrichtung T in das Rechnersystem R1 eingegeben und als Kommando zur Unterstation übertragen. Üblicherweise wird ein Befehl mit Sicherheitsverantwortung bereits bei der Eingabe durch einen Zusatz oder eine besondere Form der Eingabe als solcher gekennzeichnet. Es kann aber auch erst in der Unterstation, z.B. durch Vergleich des eingegangenen Kommandos mit vorgespeicherten Listen sicherheitsrelevanter und nicht sicherheitsrelevanter Kommandos, ermittelt werden, ob der auszuführende Befehl Sicherheitsbedeutung hat. In jedem Falle stellen die Rechnerkanäle der Unterstation fest, wann ein von der Zentralstation her übertragenes Kommando eine Stellhandlung betrifft, die mit Sicherheitsverantwortung auszuführen ist.If an actuating action with safety responsibility is to be carried out, a control command for this is likewise entered into the computer system R1 via the operating device T and transmitted as a command to the substation. Typically, a command with security responsibility is identified as such by an addition or a special form of input. But it can also only be in the substation, e.g. by comparing the received command with pre-stored lists of safety-relevant and non-safety-relevant commands, it can be determined whether the command to be executed has safety meaning. In any case, the computer channels of the substation determine when a command transmitted from the central station relates to an actuating action that is to be carried out with security responsibility.

In einem solchen Fall wird der in dem übertragenen Kommando enthaltene Steuerbefehl in der Unterstation zunächst signaltechnisch sicher zwischengespeichert. Die zugehörige Stellhandlung wird jedoch noch nicht vollzogen. Über den signaltechnisch sicheren Meldeweg wird ein besonders gekennzeichnetes Meldedatentelegramm an die Zentralstation übertragen, das die noch nicht vollzogene Stellhandlung simuliert vorwegnimmt. Der die Anzeigeeinrichtung steuernde Rechner stellt diese vorweggenommene Stellhandlung in besonderer Form oder Farbe an der Anzeigeeinrichtung dar. Die auszuführende Stellhandlung ist damit in die Zentralstation "zurückgespiegelt". Der Bediener kann nochmals kontrollieren, ob der gespiegelte Stellbefehl dem ursprünglich eingegebenen Stellbefehl entspricht und kann endgültig darüber befinden, ob der Stellbefehl ausgeführt werden soll.In such a case, the control command contained in the transmitted command is first stored in the substation in terms of signal technology. However, the associated actuating action has not yet been carried out. A specially marked message data telegram is transmitted to the central station via the signaling-safe signaling path, which simulates the actuation that has not yet been carried out. The computer controlling the display device displays this anticipated actuation action in a special shape or color on the display device. The actuation action to be carried out is thus "reflected" back into the central station. The operator can check again whether the mirrored command corresponds to the originally entered command and can finally decide whether the command should be executed.

Das hierzu erforderliche Ausführungskommando muß jedoch signaltechnisch sicher in der Unterstation vorliegen.However, the execution command required for this must be safely available in the signaling station.

Um dies zu erreichen, enthalten die Rechnerkanäle der Unterstation ein Programm zur Erzeugung eines speziellen Sicherungscodes. Dieses Programm wird bei Erkennen eines eine Stellhandlung mit Sicherheitsverantwortung auslösenden Kommandos abgearbeitet und der ermittelte Sicherungscode wird zusammen mit den zur Spiegelung der vorzunehmenden Stellhandlung erforderlichen Daten in die Zentralstation übertragen. Der Sicherungscode kann nun in der Zentralstation angezeigt und nach erneuter Eingabe als Ausführungskommando in die Unterstation zurück übertragen werden. Er wird dort mit dem dort abgespeicherten, ursprünglich erzeugten Sicherungscode verglichen. Bei Übereinstimmung gilt das Ausführungskommando als gegeben. Die vorbereitete Stellhandlung wird ausgeführt.To achieve this, the computer channels of the substation contain a program for generating a special security code. This program is processed when a command triggering an actuating action with security responsibility is recognized and the determined security code is transmitted to the central station together with the data required to mirror the actuating action to be performed. The security code can now be displayed in the central station and, after being entered again, can be transferred back to the substation as an execution command. There it is compared with the originally generated security code stored there. If there is agreement, the execution command is given. The prepared actuation is carried out.

In der Zentralstation enthält nur das nicht zur Kommandoübertragung verwendete Rechnersystem R2 ein Programm zum Empfang und zur Darstellung des Sicherungscodes. Das Rechnersystem R1 ist nicht in der Lage, den Sicherungscode aufzunehmen und anzuzeigen oder von sich aus zur Unterstation zurückzuübertragen.In the central station, only the computer system R2 that is not used for command transmission contains a program for receiving and displaying the security code. The computer system R1 is unable to record and display the security code or to transmit it back to the substation.

Damit ist eine versehentliche Rückübertragung des Sicherungscodes ausgeschlossen. Eine Rückübertragung des Sicherungscodes ist nur möglich, wenn das Rechnersystem R2 mittels des z.B. manuell betätigbaren Umschalters MS mit der Anzeigeeinrichtung verbunden und damit in die Lage versetzt wird, den Sicherungscode dem Bediener anzuzeigen. Der Bediener ist gezwungen, den angezeigten Sicherungscode mittels der Bedieneinrichtung T in das Rechnersystem R1 einzugeben, wenn er dessen Übertragung an die Unterstelle und damit die Ausführung des vorbereiteten Stellbefehls bewirken will.This prevents accidental retransmission of the security code. The security code can only be retransmitted if the computer system R2 uses e.g. manually operable switch MS connected to the display device and thus enabled to display the security code to the operator. The operator is forced to enter the displayed security code into the computer system R1 by means of the operating device T if he wants to effect its transmission to the subordinate station and thus the execution of the prepared actuating command.

Um die Sicherheit bezüglich einer fehlerhaften versehentlichen Rückübertragung des Sicherungscodes noch weiter zu erhöhen, kann der Sicherungscode auch in verschlüsselter Form zur Zentralstation übertragen, im zweiten Rechner mit Hilfe eines nur dort enthaltenen Entschlüsselungsprogramms entschlüsselt in entschlüsselter Form zur Anzeige gebracht und nach erneuter Eingabe zur Unterstation zurückübertragen werden.In order to further increase the security with regard to an erroneous inadvertent retransmission of the security code, the security code can also be transmitted to the central station in encrypted form, decrypted in a decrypted form in the second computer with the aid of a decryption program contained only there, and after re-entering it Substation be transferred back.

Claims (4)

1. Einrichtung zur signaltechnisch sicheren Fernsteuerung einer eine Eisenbahnanlage steuernden Unterstation, insbesondere eines dem Streckenbereich eines Bahnhofes zugeordneten Unterstellwerks, welches ein Mehrrechnersystem mit mindestens zwei voneinander unabhängigen, alle Ergebnisse parallel erarbeitenden und durch gegenseitigen Vergleich auf Übereinstimmung prüfenden Rechnerkanälen aufweist, von einer Zentralstation aus, die mindestens zwei voneinander unabhängige Rechnersysteme, eine Bedieneinrichtung und eine Anzeigeeinrichtung enthält und über eine Datenverbindung mit dem Mehrrechnersystem der Unterstation verbunden ist, wobei die Unterstation ein von der Zentralstation übertragenes, eine Stellhandlung mit Sicherheitsverantwortung bewirkendes Kommando als solches erkennt, die Stellhandlung in die Zentralstation zurückspiegelt und erst nach Empfang eines besonderen Ausführungsbefehls ausführt, dadurch gekennzeichnet, daß zur Eingabe von Kommandos, die in der Unterstation (UST1) Stellhandlungen mit Sicherheitsverantwortung bewirken, die Bedieneinrichtung (T) der Zentralstation (Z) nur mit einem ersten Rechnersystem (R1) verbunden ist und dieses Rechnersystem die Übertragung der Kommandos an die Unterstation bewirkt, daß das Mehrrechnersystem der Unterstation ein Programm zur Erzeugung eines Sicherungscodes besitzt, und zu jeder zurückzuspiegelnden Stellhandlung einen charakteristischen Sicherungscode erzeugt und zur Zentralstation überträgt, daß nur ein nicht zur Kommandoübertragung benutztes zweites Rechnersystem (R2) der Zentralstation ein Programm zur Aufnahme und Anzeige des Sicherungscodes besitzt und diesen zusammen mit einem aktuellen Meldebild und der gespiegelten Stellhandlung auf der Anzeigeeinrichtung anzeigt, daß als Ausführungsbefehl der angezeigte Sicherungscode über die Bedieneinrichtung (T) in das erste Rechnersystem (R1) eingegeben und von diesem zur Unterstation übertragen wird, daß der Sicherungscode in der Unterstation mit dem dort gespeicherten, ursprünglich erzeugten Sicherungscode verglichen wird und daß eine Ausführung der gespiegelten Stellhandlung erst erfolgt, wenn dieser Vergleich Übereinstimmung ergeben hat.1. A device for the remote control of a substation controlling a railway system, in particular a substation assigned to the route area of a train station, which has a multicomputer system with at least two independent computer channels, all of which produce results in parallel and check each other for consistency, from a central station, which contains at least two mutually independent computer systems, an operating device and a display device and is connected to the multi-computer system of the substation via a data connection, the substation recognizing a command transmitted by the central station and causing an actuating action with safety responsibility as such, reflecting the actuating action back into the central station and only executes after receiving a special execution command, characterized in that for entering commands that are in the substat ion (UST1) control actions with security responsibility, the control device (T) of the central station (Z) is only connected to a first computer system (R1) and this computer system, the transmission of commands to the substation, causes the multicomputer system of the substation to generate a program possesses a security code, and generates a characteristic security code for each actuating action to be mirrored and transmits it to the central station, that only a second computer system (R2) of the central station not used for command transmission has a program for recording and displaying the security code and this together with a current message and the mirrored actuating action on the display device indicates that as an execution command, the displayed security code is entered via the operating device (T) in the first computer system (R1) and transmitted by this to the substation, that the security code in the substation n is compared with the originally generated security code stored there and that the mirrored actuating action is not carried out until this comparison has shown agreement. 2. Einrichtung nach Anspruch 1, dadurch gekennzeichnet, daß die Rechnerkanäle der Unterstation aus je einem Hauptrechner (UR1, UR2) und je einem Vorrechner (VR1, VR2) bestehen, und daß die Vorrechner den Empfang von Kommandos steuern und Meldungen signaltechnisch sicher an die Zentralstation ausgeben.2. Device according to claim 1, characterized in that the computer channels of the substation consist of a main computer (UR1, UR2) and a front-end computer (VR1, VR2), and that the front-end computers control the receipt of commands and signals safely to the signaling Issue central station. 3. Einrichtung nach Anspruch 1 oder 2, dadurch gekennzeichnet, daß einer der Rechnerkanäle der Unterstation seine Meldungsdaten in invertierter Form ausgibt und daß die Rechnersysteme der Zentralstation eine Meldung nur dann als richtig weiterverarbeiten, wenn diese in gewöhnlicher und in invertierter Form vorliegt.3. Device according to claim 1 or 2, characterized in that one of the computer channels of the substation outputs its message data in inverted form and that the computer systems of the central station only process a message as correct if it is in the usual and inverted form. 4. Einrichtung nach einem der vorstehenden Ansprüche, dadurch gekennzeichnet, daß die Anzeigeeinrichtung (M) mittels eines manuell bedienbaren Umschalters (MS) mit den Rechnersystemen (R1, R2) wechselweise verbunden werden kann.4. Device according to one of the preceding claims, characterized in that the display device (M) by means of a manually operated switch (MS) with the computer systems (R1, R2) can be connected alternately.
EP92102996A 1991-03-09 1992-02-22 Arrangement for fail-safe remote control of a substation in a railway system Expired - Lifetime EP0503336B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE4107639 1991-03-09
DE4107639A DE4107639A1 (en) 1991-03-09 1991-03-09 DEVICE FOR SIGNAL-SAFE REMOTE CONTROL OF A SUBSTATION IN A RAILWAY SYSTEM

Publications (3)

Publication Number Publication Date
EP0503336A2 true EP0503336A2 (en) 1992-09-16
EP0503336A3 EP0503336A3 (en) 1994-02-23
EP0503336B1 EP0503336B1 (en) 1996-01-31

Family

ID=6426903

Family Applications (1)

Application Number Title Priority Date Filing Date
EP92102996A Expired - Lifetime EP0503336B1 (en) 1991-03-09 1992-02-22 Arrangement for fail-safe remote control of a substation in a railway system

Country Status (4)

Country Link
EP (1) EP0503336B1 (en)
AT (1) ATE133620T1 (en)
DE (2) DE4107639A1 (en)
ES (1) ES2085505T3 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1038752A1 (en) * 1999-03-17 2000-09-27 Westinghouse Brake And Signal Holdings Limited An interlocking for a railway system
EP1197418A1 (en) * 2000-10-13 2002-04-17 Siemens Aktiengesellschaft Control method for a safety critical railway operation process and device for carrying out this method
WO2003047937A1 (en) * 2001-11-22 2003-06-12 Siemens Aktiengesellschaft Method for controlling a safety-critical railway operating process and device for carrying out said method
US7209811B1 (en) 2001-11-22 2007-04-24 Siemens Aktiengesellschaft System and method for controlling a safety-critical railroad operating process
TWI817164B (en) * 2020-07-21 2023-10-01 德商世創電子材料公司 Method and apparatus for simultaneously slicing a multiplicity of slices from a workpiece

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19745994A1 (en) * 1997-10-20 1999-04-22 Cit Alcatel Process for the exchange of data between application processes in a secure multi-computer system
DE10309200A1 (en) * 2003-02-25 2004-09-16 Siemens Ag Procedure for securing the train sequence in train control mode
EP1596517B1 (en) * 2004-05-10 2008-03-05 Siemens Aktiengesellschaft Method of transmission of redundantly provided data over a single channel
DE102007061807A1 (en) 2007-12-19 2009-07-09 Db International Gmbh Element controlling method for control and safety system, involves characterizing condition of clients actually determined by sensors at exterior system of clients by monitoring-transaction messages
DE102008012953B4 (en) * 2008-03-06 2022-01-27 Bombardier Transportation Gmbh Checking of display systems in rail vehicles
DE102019208924A1 (en) * 2019-06-19 2020-12-24 Siemens Mobility GmbH Input procedure for safety-critical operating commands and operating system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3232167C1 (en) * 1982-08-30 1983-10-20 Siemens AG, 1000 Berlin und 8000 München Secured data transmission device for non-equivalent information pairs in railway security installations
EP0120339A1 (en) * 1983-03-25 1984-10-03 Siemens Aktiengesellschaft Device for reliable process control
DE3742118A1 (en) * 1987-12-11 1989-06-22 Siemens Ag Data transmission device with secure signalling

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE2549197A1 (en) * 1975-11-03 1977-05-05 Siemens Ag Remote signalling system for railways - inverts binary values of control information after each cycle from out stations
SU557367A1 (en) * 1975-12-25 1977-05-05 Предприятие П/Я В-8117 System of duplicated digital computers (cvm)
US4368534A (en) * 1979-01-29 1983-01-11 General Signal Corporation Keyboard controlled vital digital communication system
DE2912928C2 (en) * 1979-03-31 1986-10-23 Standard Elektrik Lorenz Ag, 7000 Stuttgart Device for the transmission of binary coded information for the remote control of railway signal systems
DE2921860C2 (en) * 1979-05-25 1986-07-31 Licentia Patent-Verwaltungs-Gmbh, 6000 Frankfurt Device for locating and controlling a track-bound vehicle with linear motor drive
DE2934039A1 (en) * 1979-08-23 1981-03-26 Robert Bosch Gmbh, 70469 Stuttgart Protected remote control of radio station channel - requires instructions to be validated by exchange and acknowledged by remote station
DE3211977A1 (en) * 1982-03-31 1983-10-06 Siemens Ag OPERATIONAL MONITORING OF TRANSMISSION ROUTES FOR DIGITAL SIGNALS
DE3412049A1 (en) * 1984-03-30 1985-10-17 Licentia Patent-Verwaltungs-Gmbh, 6000 Frankfurt SIGNAL-SAFE DATA PROCESSING DEVICE
DE3513357A1 (en) * 1985-04-15 1986-10-16 Fernsprech- und Signalbau KG Schüler & Vershoven, 4300 Essen Circuit arrangement, in particular for a safety coupling switch in deep mining

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3232167C1 (en) * 1982-08-30 1983-10-20 Siemens AG, 1000 Berlin und 8000 München Secured data transmission device for non-equivalent information pairs in railway security installations
EP0120339A1 (en) * 1983-03-25 1984-10-03 Siemens Aktiengesellschaft Device for reliable process control
DE3742118A1 (en) * 1987-12-11 1989-06-22 Siemens Ag Data transmission device with secure signalling

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SIGNAL & DRAHT Bd. 72, Nr. 1/2 , April 1980 , DARMSTADT (DE) Seiten 74 - 80 G]NTHER ET AL. 'DUS 800 - EIN SIGNALTECHNISCH SICHERES MIKROCOMPUTER-FERNWIRKSYSTEM' *
SIGNAL & DRAHT Bd. 77, Nr. 4 , April 1985 , DARMSTADT (DE) Seiten 67 - 72 HALFPAP ET AL. 'SAFE L 90 - EIN SICHERES SYSTEM ZUR FERNSTEUERUNG VON STELLWERKEN ]BER DIREKTE EINGABEN AM BILDSCHIRM' *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1038752A1 (en) * 1999-03-17 2000-09-27 Westinghouse Brake And Signal Holdings Limited An interlocking for a railway system
US6308117B1 (en) 1999-03-17 2001-10-23 Westinghouse Brake & Signal Holdings Ltd. Interlocking for a railway system
EP1197418A1 (en) * 2000-10-13 2002-04-17 Siemens Aktiengesellschaft Control method for a safety critical railway operation process and device for carrying out this method
WO2003047937A1 (en) * 2001-11-22 2003-06-12 Siemens Aktiengesellschaft Method for controlling a safety-critical railway operating process and device for carrying out said method
US7209811B1 (en) 2001-11-22 2007-04-24 Siemens Aktiengesellschaft System and method for controlling a safety-critical railroad operating process
TWI817164B (en) * 2020-07-21 2023-10-01 德商世創電子材料公司 Method and apparatus for simultaneously slicing a multiplicity of slices from a workpiece

Also Published As

Publication number Publication date
EP0503336A3 (en) 1994-02-23
EP0503336B1 (en) 1996-01-31
DE59205198D1 (en) 1996-03-14
ES2085505T3 (en) 1996-06-01
ATE133620T1 (en) 1996-02-15
DE4107639A1 (en) 1992-09-10

Similar Documents

Publication Publication Date Title
EP0503336B1 (en) Arrangement for fail-safe remote control of a substation in a railway system
WO1997035282A1 (en) Data-transmission device, consisting of a pulse generator and a monitoring unit, for use in vehicle, and pulse generator for use with the monitoring unit
DE102007032805A1 (en) Method and system architecture for secure single-channel communication for controlling a safety-critical rail operation process
DE102012221714A1 (en) Method for fault disclosure in interlocking computer system with control channel, involves comparing pixel data of display with process data of process image of state information of reference system for display-protection
DE2701925A1 (en) VEHICLE CONTROL SYSTEM WITH HIGH RELIABILITY
EP0978775B1 (en) Method for faultfree data transmission between a numerical controller and a remotely separated device
AT402909B (en) METHOD FOR GUARANTEING THE SIGNAL TECHNICAL SECURITY OF THE USER INTERFACE OF A DATA PROCESSING SYSTEM
EP2274874A1 (en) Examination of a communication connection between field devices
DE3125724C2 (en)
DE2423195A1 (en) MAINTENANCE DEVICE
DE19826875A1 (en) Numerical control with a spatially separate input device
WO2016037829A1 (en) Method and device for the secure communication between a first and a second participant
DE2912928C2 (en) Device for the transmission of binary coded information for the remote control of railway signal systems
EP1498836A1 (en) Data transferring method between RFID reader/writer and its functional unit, reader/writer and functional unit
EP0392328B1 (en) Method of continuosly monitoring signals of a safe information display
DE10330115B4 (en) Device for controlling a system controlled by an operator, in particular a signal box of a railway system
EP1133096B1 (en) Method and system for fail-safe data transfer between fail-safe computers
WO2014128036A1 (en) Method for revealing errors in a signal box computer system, and signal box computer system
DE3742118C2 (en)
EP3753802A1 (en) Method for generic display protection and control system
EP0106985B1 (en) Operation monitoring of digital transmission links
DE4125812C2 (en) Process for secure data transmission
DE3529056C2 (en)
DE102022211587B4 (en) Safe operation of redundant, single-fault tolerant control units in the vehicle with signed signals
DE10040866A1 (en) Computer system for transmitting information telegrams includes multi-channel computers with safe signals and interfaces interconnected via a one-channel transmission medium without safe signals.

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT CH DE ES FR GB LI NL

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ALCATEL SEL AKTIENGESELLSCHAFT

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): AT CH DE ES FR GB LI NL

17P Request for examination filed

Effective date: 19940712

17Q First examination report despatched

Effective date: 19950120

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT CH DE ES FR GB LI NL

REF Corresponds to:

Ref document number: 133620

Country of ref document: AT

Date of ref document: 19960215

Kind code of ref document: T

REF Corresponds to:

Ref document number: 59205198

Country of ref document: DE

Date of ref document: 19960314

GBT Gb: translation of ep patent filed (gb section 77(6)(a)/1977)

Effective date: 19960222

ET Fr: translation filed
REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2085505

Country of ref document: ES

Kind code of ref document: T3

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed
REG Reference to a national code

Ref country code: GB

Ref legal event code: IF02

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative=s name: JUERG ULRICH C/O ALCATEL STR AG

Ref country code: CH

Ref legal event code: EP

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20110218

Year of fee payment: 20

Ref country code: AT

Payment date: 20110126

Year of fee payment: 20

Ref country code: NL

Payment date: 20110216

Year of fee payment: 20

Ref country code: DE

Payment date: 20110216

Year of fee payment: 20

Ref country code: CH

Payment date: 20110214

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20110216

Year of fee payment: 20

Ref country code: ES

Payment date: 20110315

Year of fee payment: 20

REG Reference to a national code

Ref country code: DE

Ref legal event code: R071

Ref document number: 59205198

Country of ref document: DE

REG Reference to a national code

Ref country code: DE

Ref legal event code: R071

Ref document number: 59205198

Country of ref document: DE

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

Ref country code: NL

Ref legal event code: V4

Effective date: 20120222

REG Reference to a national code

Ref country code: GB

Ref legal event code: PE20

Expiry date: 20120221

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20120223

REG Reference to a national code

Ref country code: ES

Ref legal event code: FD2A

Effective date: 20120509

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20120221

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20120223

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK07

Ref document number: 133620

Country of ref document: AT

Kind code of ref document: T

Effective date: 20120222