EP0503336B1 - System for the reliable remote control of a substation in a railway installation - Google Patents
System for the reliable remote control of a substation in a railway installation
- Publication number
- EP0503336B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- station
- sub
- computer
- central station
- computer system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Classifications
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/30—Trackside multiple control systems, e.g. switch-over between different systems
Definitions
- The invention relates to a device according to the preamble of patent claim 1.
- Such a device is known from Signal & Draht, Vol. 77, No. 4, April 1985, pages 67-72, "SAFE L go", Halfpap et al.
- The known remote control requires a special, signal-technically safe command line for transmitting the execution command.
- The object of the invention is to provide a remote control device that enables the transmission of commands to be carried out in a signal-technically safe manner without a special, signal-technically safe command line.
- A device that solves this problem is defined by the features of claim 1.
- The device according to the invention enables the use of commercially available, non-secure computers, e.g. personal computers, in the central station.
- Special security measures are limited to checking the redundantly received report image data by comparison. All test and security measures can be carried out in the substation using the two computer channels.
- Claim 3 protects the transmitted message information from corruption by bit lines that have become static at parallel computer inputs and outputs.
- The manual switching of the screen to the computer system capable of displaying the security code, as required by claim 4, prevents thoughtless routine confirmation of requested auxiliary operations.
- The figure schematically shows a central station Z and a substation UST1 with their most important devices and a transmission link Ü connecting both stations. Additional substations UST2 can also be connected to the transmission link.
- The central station contains two computer systems R1, R2, e.g. personal computers, which can be alternately connected to a display device M via a changeover switch MS to display a stored message image. Only the computer system R1 has a manual input T and a printer D for recording actions that are required to be recorded. Data output on the transmission link Ü via a modem MZ is also only possible from the computer system R1.
- The substation UST1 has a signal-technically safe computer system with two computer channels, each of which consists of a main computer UR1, UR2 and a front-end computer VR1, VR2.
- The two main computers are connected to one another via a neighboring computer connection NRB and, via a control and message bus SMB, to the hardware STW of the substation to be controlled.
- The connection to the transmission link runs here via the front-end computers of the computer channels. In the output direction, these are connected to a substation modem MU via separate outputs. In contrast, the inputs of both front-end computers are fed in parallel from a common output of the modem.
- Control commands which are entered in the central station and are intended to result in an actuating action without special security responsibility in the substation pass from the input T into the computer system R1.
- The computer system generates the command corresponding to the control command and outputs it to the modem MZ, from where it is transmitted on the transmission link, e.g. as a serial, frequency-modulated data telegram.
- The substation modem MU converts the data telegram back into the originally entered command and routes it to the front-end computers of both computer channels in parallel.
- Both computer channels now decode the control command contained in the received command. They exchange interim results and the end result via the neighboring computer connection NRB and compare their own result with that of the neighboring computer channel. If both computer channels determine that the results match, the control command is output on the control and message bus and the actuating action is thus triggered.
- The reporting lines of the control and message bus are queried for their switching status by both computer channels at regular intervals and after each actuation.
- The result of the query is sent to the substation modem MU separately by both front-end computers and transmitted to the central station as a reporting data telegram.
- One of the front-end computers outputs its data to the modem in inverted form.
- Both computer systems in the central station receive the reporting data transmitted from both computer channels of the substation in parallel and compare the data transmitted in plain form with the data transmitted in inverted form. If there is a match, the transmitted current switching states are saved and taken into account in the display of the message image. From the change in the message image, the operator can see whether the control command he has entered has been executed.
- A control command for this is likewise entered into the computer system R1 via the operating device T and transmitted as a command to the substation.
- A command with security responsibility is identified as such by an addition or a special form of input. However, it is also possible to determine only in the substation, e.g. by comparing the received command with pre-stored lists of safety-relevant and non-safety-relevant commands, whether the command to be executed is safety-relevant.
- The computer channels of the substation determine when a command transmitted from the central station relates to an actuating action that is to be carried out with security responsibility.
- The control command contained in the transmitted command is first stored in the substation in a signal-technically safe manner.
- The associated actuation is not yet carried out.
- A specially marked message data telegram, which simulates the actuation that has not yet been carried out, is transmitted to the central station via the signal-technically safe reporting path.
- The computer controlling the display device displays this anticipated actuating action in a special shape or color on the display device.
- The actuating action to be carried out is thus "mirrored" in the central station. The operator can check again whether the mirrored command corresponds to the originally entered command and can finally decide whether the command should be carried out.
- The computer channels of the substation contain a program for generating a special security code.
- This program is run when a command triggering an actuating action with security responsibility is recognized, and the resulting security code is transmitted to the central station together with the data required to mirror the actuating action to be performed.
- The security code can now be displayed in the central station and, after being entered again, can be transferred back to the substation as an execution command. There it is compared with the originally generated security code stored there. If there is a match, the execution command is given and the prepared actuation is carried out.
- In the central station, only the computer system R2, which is not used for command transmission, contains a program for receiving and displaying the security code. The computer system R1 is unable to record and display the security code or to transmit it back to the substation.
- The security code can only be transmitted back if the computer system R2 is connected to the display device, for example by means of the manually operable switch MS, and is thus able to display the security code to the operator.
- The operator is forced to enter the displayed security code into the computer system R1 by means of the operating device T if he wants to transmit it to the substation and thus have the prepared actuating command executed.
- The security code can also be transmitted to the central station in encrypted form, decrypted in the second computer with the aid of a decryption program contained only there, and transmitted back to the substation after being entered again.
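The command mirroring, security-code confirmation and plain/inverted report check described above, modelled as an added Python example (not code from the patent). The telegram text format, the command names, the six-digit code and the single-attempt rule are assumptions made for illustration.

```python
import secrets


def invert(data: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in data)


def accept_report(plain: bytes, inverted: bytes):
    """Central station: use a report only if plain and inverted forms agree."""
    return plain.decode() if invert(inverted) == plain else None


class Substation:
    """Two computer channels, each with its own safety list and pending store."""

    def __init__(self, safety_list):
        self.lists = [set(safety_list), set(safety_list)]
        self.pending = [None, None]   # per channel: (command, code), not yet executed
        self.executed = []            # commands output on the control and message bus

    def _report(self, text):
        data = text.encode()
        return data, invert(data)     # one channel sends plain, the other inverted

    def receive_command(self, command):
        verdicts = {command in lst for lst in self.lists}
        if len(verdicts) != 1:        # channels disagree: nothing is output
            return None
        if verdicts == {False}:       # no security responsibility: act at once
            self.executed.append(command)
            return self._report(f"DONE {command}")
        code = f"{secrets.randbelow(10**6):06d}"   # assumed code format
        self.pending = [(command, code), (command, code)]
        return self._report(f"MIRROR {command} CODE {code}")

    def receive_execution(self, entered_code):
        # Assumption: a stored code allows a single confirmation attempt.
        stored, self.pending = self.pending, [None, None]
        if None in stored or stored[0] != stored[1]:
            return None
        command, code = stored[0]
        if entered_code != code:      # mismatch: prepared actuation is dropped
            return None
        self.executed.append(command)
        return self._report(f"DONE {command}")


def r1_view(report):
    """R1 has no program for the security code, so it never shows it."""
    text = accept_report(*report)
    return None if text is None else text.split(" CODE ")[0]


def r2_view(report):
    """Only R2 can receive and display the security code."""
    return accept_report(*report)


def confirm_via_r2(sub, command, operator_types=None):
    """Full exchange; operator_types overrides the code read from R2's screen."""
    report = sub.receive_command(command)          # command sent by R1
    shown = r2_view(report)                        # display switched to R2 via MS
    code = shown.rsplit(" ", 1)[1]                 # operator reads the code
    sub.receive_execution(operator_types or code)  # typed into R1 via T
    return sub.executed
```
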
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Selective Calling Equipment (AREA)
- Remote Monitoring And Control Of Power-Distribution Networks (AREA)
- Electric Propulsion And Braking For Vehicles (AREA)
Claims (4)
- Remote control system, safe in terms of signaling technology, for a substation (UST1) controlling a railway installation, in particular an interlocking substation corresponding to the track area of a station, the substation having a multi-computer system (VR1, VR2, UR1, UR2) with at least two mutually independent computer channels which process all results in parallel and check for agreement by mutual comparison, the control taking place from a central station Z which contains at least two mutually independent computer systems (R1, R2), an operating device (T) and a display device (M) and which is connected via a data link (Ü) to the multi-computer system of the substation, in which system the substation recognizes as such a command transmitted by the central station that triggers an actuating action with security responsibility, mirrors the actuating action back to the central station and executes the command only after receiving a special execution instruction, and in which the system comprises the substation, the central station and the data link, characterized in that, for the input of commands which trigger actuating actions with security responsibility in the substation (UST1), the operating device (T) of the central station (Z) is connected only to a first computer system (R1) and this computer system handles the transmission of the commands to the substation; that the multi-computer system of the substation has a program for generating a security code and, for each mirrored actuating action, generates a characteristic security code and transmits it to the central station; that only a second computer system (R2) of the central station, which is not used for transmitting the command, has a program for receiving and displaying the security code and displays it on the display device together with an updated message image and the mirrored actuating action; that, as the execution instruction, the displayed security code is entered into the first computer system (R1) via the operating device (T) and transmitted to the substation by this computer system; that, in the substation, the security code is compared with the originally generated security code stored there; and that the mirrored actuating action is executed only if this comparison has indicated a match.
- System according to claim 1, characterized in that the computer channels of the substation each consist of a main computer (UR1, UR2) and a front-end computer (VR1, VR2), and that the front-end computers control the reception of commands and output the reports to the central station in a signal-technically safe manner.
- System according to claim 1 or 2, characterized in that one of the computer channels of the substation outputs its report data after inverting them, and that the computer systems of the central station regard a report as correct and process it only if it is present both in its normal form and in its inverted form.
- System according to one of the preceding claims, characterized in that the display device (M) can be connected alternately to the computer systems (R1, R2) by means of a manually operable changeover switch (MS).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE4107639A DE4107639A1 (de) | 1991-03-09 | 1991-03-09 | Einrichtung zur signaltechnisch sicheren fernsteuerung einer unterstation in einer eisenbahnanlage |
DE4107639 | 1991-03-09 |
Publications (3)
Publication Number | Publication Date |
---|---|
EP0503336A2 (fr) | 1992-09-16 |
EP0503336A3 (fr) | 1994-02-23 |
EP0503336B1 (fr) | 1996-01-31 |
Family
ID=6426903
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP92102996A Expired - Lifetime EP0503336B1 (fr) | 1991-03-09 | 1992-02-22 | System for the reliable remote control of a substation in a railway installation |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP0503336B1 (fr) |
AT (1) | ATE133620T1 (fr) |
DE (2) | DE4107639A1 (fr) |
ES (1) | ES2085505T3 (fr) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19745994A1 (de) * | 1997-10-20 | 1999-04-22 | Cit Alcatel | Verfahren zum Austausch von Daten zwischen Applikationsprozessen in einem sicheren Mehrrechnersystem |
GB2348034A (en) * | 1999-03-17 | 2000-09-20 | Westinghouse Brake & Signal | An interlocking for a railway system |
DE10053023C1 (de) * | 2000-10-13 | 2002-09-05 | Siemens Ag | Verfahren zum Steuern eines sicherheitskritischen Bahnbetriebsprozesses und Einrichtung zur Durchführung dieses Verfahrens |
CN1289345C (zh) * | 2001-11-22 | 2006-12-13 | 西门子公司 | 控制安全苛刻的铁路运行过程的方法和实施该方法的装置 |
US7209811B1 (en) | 2001-11-22 | 2007-04-24 | Siemens Aktiengesellschaft | System and method for controlling a safety-critical railroad operating process |
DE10309200A1 (de) * | 2003-02-25 | 2004-09-16 | Siemens Ag | Verfahren zur Sicherung der Zugfolge im Zugleitbetrieb |
EP1596517B1 (fr) * | 2004-05-10 | 2008-03-05 | Siemens Aktiengesellschaft | Procédé de transmission sur un seul canal de données fournies sous forme redondante |
DE102007061807A1 (de) | 2007-12-19 | 2009-07-09 | Db International Gmbh | Sicheres Verfahren zum Steuern von Elementen der Leit- und Sicherungstechnik mit kabelloser Datenübertragung über große Stellentfernungen hinweg |
DE102008012953B4 (de) * | 2008-03-06 | 2022-01-27 | Bombardier Transportation Gmbh | Überprüfung von Anzeigesystemen in Schienenfahrzeugen |
DE102019208924A1 (de) * | 2019-06-19 | 2020-12-24 | Siemens Mobility GmbH | Eingabeverfahren für sicherheitskritische Bedienkommandos und Bediensystem |
EP3943265A1 (fr) * | 2020-07-21 | 2022-01-26 | Siltronic AG | Procédé et dispositif de séparation simultanée d'une pluralité de disques d'une pièce |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE2549197A1 (de) * | 1975-11-03 | 1977-05-05 | Siemens Ag | Einrichtung zur funktionskontrolle in fernmelde-, fernbedienungs-, insbesondere eisenbahnsicherungsanlagen |
SU557367A1 (ru) * | 1975-12-25 | 1977-05-05 | Предприятие П/Я В-8117 | Система дублированных цифровых вычислительных машин (цвм) |
US4368534A (en) * | 1979-01-29 | 1983-01-11 | General Signal Corporation | Keyboard controlled vital digital communication system |
DE2912928C2 (de) * | 1979-03-31 | 1986-10-23 | Standard Elektrik Lorenz Ag, 7000 Stuttgart | Einrichtung zur Übermittlung binär kodierter Information zur Fernsteuerung von Eisenbahnsignalanlagen |
DE2921860C2 (de) * | 1979-05-25 | 1986-07-31 | Licentia Patent-Verwaltungs-Gmbh, 6000 Frankfurt | Einrichtung zur Ortung und Steuerung eines spurgebundenen Fahrzeuges mit Linearmotorantrieb |
DE2934039A1 (de) * | 1979-08-23 | 1981-03-26 | Robert Bosch Gmbh, 70469 Stuttgart | Warn- und sicherheitseinrichtung fuer ein fernstuerungssystem |
DE3211977A1 (de) * | 1982-03-31 | 1983-10-06 | Siemens Ag | Betriebsueberwachung von uebertragungsstrecken fuer digitale signale |
DE3232167C1 (de) * | 1982-08-30 | 1983-10-20 | Siemens AG, 1000 Berlin und 8000 München | Gesicherte Datenübertragungseinrichtung für paarweise antivalente Informationen in Eisenbahnsicherungsanlagen |
DE3310975A1 (de) * | 1983-03-25 | 1984-09-27 | Siemens AG, 1000 Berlin und 8000 München | Einrichtung zur sicheren prozesssteuerung |
DE3412049A1 (de) * | 1984-03-30 | 1985-10-17 | Licentia Patent-Verwaltungs-Gmbh, 6000 Frankfurt | Signaltechnisch sichere datenverarbeitungseinrichtung |
DE3513357A1 (de) * | 1985-04-15 | 1986-10-16 | Fernsprech- und Signalbau KG Schüler & Vershoven, 4300 Essen | Schaltungsanordnung, insbesondere fuer einen sicherheitskoppelschalter im untertagebergbau |
DE3742118A1 (de) * | 1987-12-11 | 1989-06-22 | Siemens Ag | Signaltechnisch sichere datenuebertragungseinrichtung |
-
1991
- 1991-03-09 DE DE4107639A patent/DE4107639A1/de not_active Withdrawn
-
1992
- 1992-02-22 ES ES92102996T patent/ES2085505T3/es not_active Expired - Lifetime
- 1992-02-22 AT AT92102996T patent/ATE133620T1/de active
- 1992-02-22 EP EP92102996A patent/EP0503336B1/fr not_active Expired - Lifetime
- 1992-02-22 DE DE59205198T patent/DE59205198D1/de not_active Expired - Lifetime
Also Published As
Publication number | Publication date |
---|---|
ES2085505T3 (es) | 1996-06-01 |
ATE133620T1 (de) | 1996-02-15 |
DE59205198D1 (de) | 1996-03-14 |
EP0503336A2 (fr) | 1992-09-16 |
EP0503336A3 (fr) | 1994-02-23 |
DE4107639A1 (de) | 1992-09-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT CH DE ES FR GB LI NL |
|
RAP3 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: ALCATEL SEL AKTIENGESELLSCHAFT |
|
PUAL | Search report despatched |
Free format text: ORIGINAL CODE: 0009013 |
|
AK | Designated contracting states |
Kind code of ref document: A3 Designated state(s): AT CH DE ES FR GB LI NL |
|
17P | Request for examination filed |
Effective date: 19940712 |
|
17Q | First examination report despatched |
Effective date: 19950120 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AT CH DE ES FR GB LI NL |
|
REF | Corresponds to: |
Ref document number: 133620 Country of ref document: AT Date of ref document: 19960215 Kind code of ref document: T |
|
REF | Corresponds to: |
Ref document number: 59205198 Country of ref document: DE Date of ref document: 19960314 |
|
GBT | Gb: translation of ep patent filed (gb section 77(6)(a)/1977) |
Effective date: 19960222 |
|
ET | Fr: translation filed | ||
REG | Reference to a national code |
Ref country code: ES Ref legal event code: FG2A Ref document number: 2085505 Country of ref document: ES Kind code of ref document: T3 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
26N | No opposition filed | ||
REG | Reference to a national code |
Ref country code: GB Ref legal event code: IF02 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: NV Representative=s name: JUERG ULRICH C/O ALCATEL STR AG Ref country code: CH Ref legal event code: EP |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20110218 Year of fee payment: 20 Ref country code: AT Payment date: 20110126 Year of fee payment: 20 Ref country code: NL Payment date: 20110216 Year of fee payment: 20 Ref country code: DE Payment date: 20110216 Year of fee payment: 20 Ref country code: CH Payment date: 20110214 Year of fee payment: 20 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20110216 Year of fee payment: 20 Ref country code: ES Payment date: 20110315 Year of fee payment: 20 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R071 Ref document number: 59205198 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R071 Ref document number: 59205198 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL Ref country code: NL Ref legal event code: V4 Effective date: 20120222 |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: PE20 Expiry date: 20120221 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DE Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20120223 |
|
REG | Reference to a national code |
Ref country code: ES Ref legal event code: FD2A Effective date: 20120509 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GB Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20120221 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: ES Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20120223 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK07 Ref document number: 133620 Country of ref document: AT Kind code of ref document: T Effective date: 20120222 |