EP2039583A1 - Railway radio control system - Google Patents

Railway radio control system Download PDF

Info

Publication number
EP2039583A1
EP2039583A1 EP08252720A EP08252720A EP2039583A1 EP 2039583 A1 EP2039583 A1 EP 2039583A1 EP 08252720 A EP08252720 A EP 08252720A EP 08252720 A EP08252720 A EP 08252720A EP 2039583 A1 EP2039583 A1 EP 2039583A1
Authority
EP
European Patent Office
Prior art keywords
train
radio communication
radio
control unit
authentication process
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP08252720A
Other languages
German (de)
French (fr)
Other versions
EP2039583B1 (en
Inventor
Tsuyoshi Yorishige
Yoshihide c/o Hitachi Ltd.Intell Prop. Group Nagatsugu
Kenichi c/o Hitachi Ltd.Intell.Prop.Group Sakai
Hiroshi c/o Hitachi Ltd. Intell.Prop.group Taoka
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Ltd filed Critical Hitachi Ltd
Publication of EP2039583A1 publication Critical patent/EP2039583A1/en
Application granted granted Critical
Publication of EP2039583B1 publication Critical patent/EP2039583B1/en
Not-in-force legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00Indicators provided on the vehicle or vehicle train for signalling purposes ; On-board control or communication systems
    • B61L15/0018Communication with or on the vehicle or vehicle train
    • B61L15/0027Radio-based, e.g. using GSM-R
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00Indicators provided on the vehicle or vehicle train for signalling purposes ; On-board control or communication systems
    • B61L15/0018Communication with or on the vehicle or vehicle train
    • B61L15/0036Conductor-based, e.g. using CAN-Bus, train-line or optical fibres
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/70Details of trackside communication

Definitions

  • the present invention relates to the art of realizing a stable data communication by establishing a plurality of radio communication channels between a train and a communication base station, the art of train control performed via radio and the art of a safe and stable data communication system using a plurality of radio communications that adopt a data encryption system of data transmitted on radio communication channels and a security authentication technique required for entering the radio-controlled zone.
  • Communication systems are utilized to perform train control via a "blocking system" in which only a single train is accepted to travel within a single section.
  • ERTMS/ETCS utilizes GSM-R (GSM-Railway) using a GSM network as the radio communication system.
  • the data is encrypted before radio transmission so as to ensure the confidentiality of data, and the received data is decrypted, thereby protecting the data information from the exterior.
  • Patent document 1 discloses a method for controlling the train by transmitting the control information for operating the train safely on a railroad via wire to the train.
  • the disclosure realizes a train control system having a high security extent by providing a radio control unit, a data encryption system and a radio transmitter malfunction detection system for utilizing radio communication for train control.
  • Japanese patent application laid-open publication 2006-129432 discloses a train authentication technique of a train control system using radio communication.
  • the key used for encrypting and decrypting data on the communication channels is determined per each train, which is notified from a ground train control unit through the authentication process of the train.
  • the authentication process is performed at the ground train control unit in response to an authentication request sent from an on-train control unit via an on-train radio control unit.
  • the authentication process is performed with the aim to prevent impersonation access to the whole system. Further, the authentication process is performed at the start up of the train, the entry of the train to the control section and periodically during traveling of the train to update the encryption key, so as to change the encryption pattern of data of the train and to prevent the data from being read from the exterior.
  • the arrangement of establishing a plurality of radio communication channels between the on-train control unit of a single train and the ground train control unit is aimed at realizing a stable and continuous data communication between the on-train control unit and the ground train control unit by realizing redundant radio communication channels.
  • This art realizes a highly reliable data communication by providing redundant multiple radio communication channels using multiple CHs, multiple antennas and radio control units under the following radio communication environments: (1) preventing interference bymultipath fading of radio waves withinbuildings in the urban area or within tunnels; (2) preventing interference by noise from other radio communication systems; and (3) change in radio status caused by the movement of the train.
  • the control system When the ground train control unit recognizes start up or system entry of the train, the control system must perform an authentication process to notify information such as acceptance to enter system or an encryption key allocated uniquely to each train. If this authentication process must be performed with all the plurality of radio communication channels of a single train, the ground train supervising system must perform a large number of processes determined by the number of trains times the number of radio communication channels, by which the process load becomes excessive.
  • the above-mentioned system also has another drawback in that the encryption rules determinedbetween the on-train control unit and the ground train control unit by the authentication process must be set to correspond to the number of radio communication channels per a single train, and the processing load related to data communication becomes excessive.
  • the object of providing redundant radio communication channels is as mentioned earlier. According to the present system configuration in which the defection of data is prevented since other radio communication channels are connected even if one radio communication channel is disconnected, some radio communication channels may not be able to perform the authentication process at the time of initial start up of the train according for example to the position of the train, the environment of the radio or the apparatus status of the radio control unit. Such radio communication channel may recover its connection by the movement of the train.
  • the radio communication channel for performing data communication for train control and a radio communication channel for performing authentication process, and since the processing mode of the ground train control unit differs for each of the radio communication channels for a single train, the process performed by the ground train control unit becomes too complex.
  • the object of the present invention is to provide a train control system having redundant data communication channels using a plurality of radio communication channels using difference channels (CH) between the on-train control unit and the ground train control unit so as to prevent disconnection of communication of control data in the bidirectional radio communication between the on-train control unit and the ground train control unit in a train control system, wherein each of the radio communication channels are made effective as safe and stable data communication channels.
  • CH difference channels
  • the present invention provides a train control system establishing radio communication between a plurality of on-train radio control apparatuses moving on a predetermined track and a plurality of ground train radio control units disposed along a predetermined track, so as to establish parallel simultaneous radio communications on a plurality of radio communication channels of various communication frequencies between the plurality of on-train radio communication apparatuses and the plurality of ground train radio control units, characterized in that one radio communication channel is selected out of the plurality of radio communication channels to perform an authentication request and an authentication process, wherein an encryption key obtained by the authentication process is used as a common encryption key shared by the plurality of on-train radio control units to encrypt data communication between the plurality of on-train radio control units and the plurality of ground train radio control units.
  • the present invention also characterizes in that the authentication request and the authentication process required at the time of entry of the on-train radio control unit to the train control system or at the initial start up of the on-train radio control unit are performed by switching the selected radio communication channels.
  • the present invention also characterizes in that a supervising system of the on-train radio control unit for selecting a single radio communication channel and performing the authentication request generates a random number for the authentication process, and hands over the random number to only the radio communication channel for performing the authentication request and the authentication process.
  • the present invention further characterizes in that the data on the plurality of radio communication channels are encrypted using an encryption key generated by a ground train supervising system and notified via the ground train radio control unit to the on-train radio control unit, wherein the encryption key is notified from the ground train radio control unit while performing authentication of a single radio communication channel, and the supervising system of the ground train radio control unit shares the encryption key with other on-train radio control units to be used for encrypting data sent via other radio communication channels that have not performed authentication, so that the data sent on all the plurality of radio communication channels established between the on-train radio control units and the ground train radio control units can be encrypted.
  • the present invention also characterizes in that the supervising system of the on-train radio control unit observes the status of radio waves of a plurality of radio communication channels and the status of apparatuses of the on-train radio control units, so as to determine a single radio communication channel for performing the authentication process and to start the authentication process.
  • the present invention further characterizes in that the train control system is equipped with an authentication retry function in which if the authentication process is not completed within a certain period of time or if radio communication is disconnected during the authentication process, the authentication process is discontinued and terminated, then the supervising system selects another radio communication channel to restart the authentication process, so as to switch the radio communication channel to retry the authentication request and the authentication process.
  • the present invention also characterizes in that when the authentication is completed via a single radio communication channel, data communication of the on-train radio control unit within the train control system is accepted, and the supervising system of the on-train radio control apparatus shares the authentication completion information and the encryption key with other radio communication channels, so that the data communication on the remaining radio communication channels are also accepted and started, by which the data communication of the train control system is activated.
  • data is communicated via a plurality of radio communication channels between the on-train control unit of a single train and the ground train control unit so as to ensure the redundancy of data communication, and a secure and appropriate authentication is performed by executing a security authentication between the on-train and ground train control units using one of the plurality of radio communication channels. Further, by sharing the encryption key obtained by the authentication process with other radio communication channels to start data communication, the security of data sent via the redundant radio communication channels can be guaranteed effectively.
  • the authentication process is performed via only one radio communication channel, so that compared to the system in which all the radio communication channels must perform the authenticationprocess, the loadof authenticating a single train is very small. This is also effective from the viewpoint of reducing load of the ground train control unit that controls the plurality of trains traveling on one railroad track.
  • the authentication request and the authentication process required during initial start up of the on-train radio control unit or the entry of the on-train radio control unit to the train control system is performed by switching the selected radio communication channels, so that even if the radio communication status or the status of the radio transmitter or the antenna is not good, the authentication process can be performed by switching to another radio communication channel, so that the plurality of radio communication channels can be performed effectively under a condition in which the authentication process is required.
  • the supervising system of the on-train radio control unit for selecting a single radio communication channel and executing the authentication request generates random numbers for the authentication process, and hands over the random number only to the radio communication channel that performs the authentication request and the authentication process, so that the authentication request and the authentication process can be performed effectively only by the supervising system and the radio communication channel performing the authentication process.
  • the data on the plurality of radio communication channels is encrypted using an encryption key generated by the ground train supervising system and notified via the round-based radio control unit to the on-train radio control unit.
  • the encryption key is notified from the ground train radio control unit upon performing authentication on a single radio communication channel, and the supervising system of the ground train radio control unit demands the on-train radio control unit to share the encryption key for encrypting data with other radio communication channels that have not performed authentication.
  • the data on all the plurality of radio communication channels between the on-train radio control unit and the ground train radio control unit can be encrypted, so that compared to the system where all the radio communication channels must perform the authentication process, the authentication process is restricted to a single radio communication channel, the load for performing the authentication process of a single train can be reduced, and the load applied to the ground train control unit that controls the plurality of trains traveling on one railroad track can be reduced.
  • the radio wave status of the plurality of radio communication channels and the apparatus status of the on-train radio control unit is monitored by the supervising system of the on-train radio control unit, and by determining the single radio communication channel for performing the authentication process and starting the authentication process, the radio wave status of the plurality of radio communication channels and the apparatus status of the on-train radio control unit can be monitored efficiently, and the authentication process can be started efficiently, compared to the system in which a plurality of on-train radio control units monitor the status respectively.
  • the present invention can further be equipped with an authentication retry function that disconnects and terminates the authentication process if the authentication process is not completed within a certain period of time or if the radio communication is disconnected during the authentication process, and selects another radio communication channel to retry the authentication process by the supervising system so as to switch the radio communication channel for retrying the authentication request and the authentication process.
  • an authentication retry function that disconnects and terminates the authentication process if the authentication process is not completed within a certain period of time or if the radio communication is disconnected during the authentication process, and selects another radio communication channel to retry the authentication process by the supervising system so as to switch the radio communication channel for retrying the authentication request and the authentication process.
  • the authentication process when the authentication process is completed via a single radio communication channel, data communication of the on-train radio control unit in the train control system is accepted, and the supervising system of the on-train radio control unit shares the authentication completion information and the encryption key with other radio communication channels, so that data communication via the remaining radio communication channels is also accepted and started, and the data communication of the train control system can be started.
  • the security of data encryption of the radio communication channels not having performed the authentication process is also ensured.
  • the data sent on the radio communication channels are encrypted for confidentiality.
  • the plurality of radio communication channels formed between a single train and a ground train control unit use the same encryption key to encrypt the same control data, so that identical information are transmitted via the respective radio communication channels.
  • An authentication process is performed to prevent impersonation access from the exterior of the system to the radio transmission channels.
  • the encryption key generated by the ground train control unit is notified to the on-train control unit.
  • the authentication process is performed between the train and the ground train control unit.
  • the authentication process recognizes the authentication request from the train via the radio communication path, and determines whether or not to accept access of the train to the system. When access is accepted, an encryption key used for encrypting the data on the radio communication channel is notified to the train. If authentication requests are sent via each of the plurality of radio communication channels between the ground train control unit and a single train, the ground train control unit must receive a large number of authentication requests corresponding to the number of radio communication channels to authenticate only a single train, so that when it is necessary to authenticate multiple trains, the process to be performed at the ground train control unit will become too complex and the load will become excessive. By restricting the number of radio communication channels subjected to authenticationprocesstoone, and having only one authentication request for a single radio communication channel to be output per a single train, the process load of the ground train control unit can be reduced.
  • the present system corresponds to such data communication malfunction by establishing a plurality of radio communication channels.
  • the authentication process is performed on a single radio communication channel, if the above-mentioned problems causing defective data communication occurs and the radio communication control unit cannot perform the authentication process, switching among the plurality of radio communication channels is performed for example by the following processes:
  • data communication is performed via a plurality of radio communication channels established between the on-train control unit of a single train and the ground train control unit, so as to ensure the redundancy of data communication. Further, by executing a security authentication between the on-train and ground train control units using a single radio communication channel out of the plurality of radio communication channels, it becomes possible to perform a secure and appropriate authentication effectively, and by sharing the encryption key obtained in the security authentication process with other radio communication channels when data communication is started, security of data can be guaranteed in the redundant radio communication channels.
  • the authentication process performed when starting up the train, when entering the system and when updating the encryption key is performed by selecting one of the plurality of radio communication paths, so that even if the radio communication status or the statuses of the radio transmitter or the antenna is not good, the authentication process can be performed by switching to another radio communication channel, so that the plurality of radio transmission channels can be used effectively in such a state where authentication process is necessary.
  • the present system restricts the authentication process to be performed by only a single radio communication channel, so that the load of the authentication process is very small. Therefore, the load on the ground train control unit that controls the large number of trains on a single track can be effectively reduced.
  • the channels When an authentication process is performed for all the plurality of radio communication channels, the channels will have various different encryption keys, and the load of the decryption process by the ground train control unit becomes excessive.
  • the encryption key obtained via the authentication process by the on-train control unit is distributed and shared with other on-train control units, so that the data encryption of the radio communication channels that did not perform authentication process will also be security-ensured.
  • all the data communicated on the plurality of radio communication channels between the ground train control unit and a single train are protected by the same encryption key as that used in the authentication process.
  • FIG. 1 is a diagram showing the on-train and ground train control units according to embodiment 1 of the present invention.
  • the ground-based facilities include a ground train control unit 10 that generates information to a train 90 accompanying the bidirectional data communication with the train 90, and a ground train radio communication apparatus AP 111 for realizing radio communication (hereinafter referred to as ground train radio control apparatus: AP).
  • a supervising system AP master 14 of the plurality of ground train radio control units that exist along the railroad tracks is arranged between the ground train control unit 10 and the AP 111.
  • an on-train control unit 12 functioning as the supervising system of the train 90 and an on-train radio control unit STA 131 for performing radio communication (hereinafter referred to as on-train radio control unit: STA) are provided as the train-based facilities.
  • STA on-train radio control unit
  • four STAs, STA 131, STA 132, STA 133 and STA 134 are disposed on a train 90, with four radio communication channels formed between the on-train control unit 12 and the ground train control unit 10.
  • each STA has established radio communication channels with the AP 111, AP 112, AP 113 and AP 114.
  • the respective radio communication channels use different channels (CH), and when the on-train radio control units STA 131, STA 132, STA 133 and STA 134 each having an antenna 8 communicate with the base-stations AP 111, AP 112, AP 113 and AP 114 having different installationenvironments and each having an antenna 8, the environments of the radio communication channels are set to be varied, so that when the radio transmission path is disconnected due to radio wave environment or the status of operation of the on-train radio communication system STA, the data from another on-train radio communication system STA is used for processing data of the on-train control unit 12.
  • CH channel
  • FIG. 2 is a data communication flow chart of the radio communication channel according to embodiment 1 of the present invention.
  • the train 90 communicates data with the ground-based facility.
  • the information that the ground train control unit 10 wishes to send to a single train is at first transmitted to the AP master 14.
  • the information having been subjected to encryption process in the AP master 14 is then send to each of the APs 111 through 114.
  • Each AP 111 through 114 transmits the encrypted train control information to each STA 131 through 134 having established radio communication, respectively, and each STA 131 through 134 having received the data sends the decrypted data to the on-train control unit 12.
  • each STA 131 through 13 encrypts the data and sends the data to each AP 111 through 114 having established radio communication channels.
  • the AP 111 through 114 notifies the received data to the AP master 14, and the AP master 14 decrypts the data.
  • the decrypted data from the on-train control unit 12 is notified from the AP master 14 to the ground train control unit 10.
  • the on-train control unit 12 usually uses data from a single STA for control, but if data reception error such as the missing of data or missing of data update occurs, or if data disconnection of the radio communication channel occurs, the data received by other STA are used for control. This redundancy of radio communication channels enables to prevent data from the ground train control unit 10 from being discontinued.
  • the radio communication channels are open networks, so that the data must be encrypted to ensure confidentiality of the data.
  • the encryption key required for the encryption is generated by the ground train control unit 10 per each train 90, and during the authentication process performed during start up of the train or the system entry of the train, the key is handed over from the ground train control unit 10 to the on-train control unit 12.
  • FIG. 3 is a flowchart showing the authentication process performed among the various apparatuses according to embodiment 1 of the present invention.
  • the on-train control unit 12 generates a random number.
  • the on-train control unit 12 selects an STA 13 for performing authentication, and outputs an authentication request by handing over the generated random number.
  • the STA 13 transmits the random number to the AP master 14 via a radio communication channel.
  • the AP master 14 encrypts the random number using an authentication key shared in advance by the STA 13 and the AP master 14.
  • the data is sent to the STA 13, and the STA 13 decrypts the same.
  • the STA 13 receives the random number again from the on-train control unit 12 that had been received previously, and compares the same with the random number that had been encrypted and decrypted using the authentication key so as to confirm that they match.
  • the ground train control unit 10 generates a random number.
  • the ground train control unit 10 hands over the generated random number to the AP master 14.
  • the AP master 14 transmits the random number to the STA 13 using AP 11 having a secured radio communication channel that is performing authentication process.
  • the STA 13 encrypts the random number using an authentication key shared in advance by the STA 13 and the AP master 14.
  • the data is sent to the AP master 14, and the AP master 14 decrypts the same.
  • theAPmaster 14 receives the random number again from the ground train control unit 10 that had been received previously, and compares the same with the random number that had been encrypted and decrypted using the authentication key, so as to confirm that they match.
  • the ground train control unit 10 encrypts the encryption key determined uniquely for each train, which is notified to the on-train control unit 12 via the radio communication channel established between the AP master 14 and the STA 13.
  • the on-train control unit 12 subjects the encryption key received at the time of completion of authentication to a sharing process to share the same with other STAs not subjected to the authentication process, and then notifies that the authentication has completed. Thereby, radio communication using all four STAs is started.
  • FIG. 4 is a data communication flow chart illustrating the authentication process performed using radio communication channels according to embodiment 1 of the present invention.
  • STA 131 is performing the authentication process.
  • the authentication process is performed using a single radio communication channel 41 via the process shown in FIG. 3 .
  • the on-train control unit 12 performs an discontinuation-termination process of the authentication process, and outputs an authentication process request to STA 132 so as to switch the STA performing the authentication process.
  • This arrangement constitutes an authentication retry function.
  • the encryption key notified from the ground train control unit 10 through the authentication process is shared via the on-train control unit 12 with other STAs 132, 133 and 134.
  • all the radio communication channels have completed the authentication process and are able to communicate data using the distributed encryption key, so that the data communication of all four radio communication channels are protected from interception from the exterior.
  • the authentication is performed using a single wire communication channel and single STA. If the authentication is not completed within a certain period of time and the authentication key is not notified to the on-train control unit 12, the system is equipped with a retry function to perform an authentication discontinuation-termination process so as to switch the authentication request to another STA to retry the authentication.
  • the authentication process can be performed by switching the STA used for authentication.
  • the authentication process must be performed for four times per a single train, and the process load of the AP master 14 and the ground train control unit 10 becomes excessive.
  • the on-train control unit 12 must perform an authentication process corresponding to the radio communication status in addition to performing the train control based on the communicated data, and the performance load of the system becomes excessive.
  • the train control unit according to embodiment 1 of the present invention By applying the train control unit according to embodiment 1 of the present invention to perform the authentication process using an STA administering a single radio communication channel and share the encryption key obtained through the authentication process with other STAs administering other radio communication channels, the STAs not having performed the authentication process can also share the encryption key to perform encryption anddecryptionofdata. Thus, even in STAs not having established radio communication during the authentication process can share the encryption key after the authentication of a single STA has completed, so that when radio communication has been established while the train is moving, encrypted data can be communicated immediately.
  • the present invention is applicable to signaling systems for moving vehicles such as railway cars, monorails and light rail transits (LRT).
  • the present invention is applicable not only to railway cars, but also to systems aimed at performing highly reliable transmission on an open network by adopting redundant data communication using a plurality of radio communication channels.

Abstract

Train control system establishing radio communication between a plurality of on-train radio control apparatuses moving on a predetermined path and a plurality of ground train radio control units disposed along a predetermined path, so as to establish parallel simultaneous radio communications on a plurality of radio communication channels of various communication frequencies between the plurality of on-train radio communication apparatuses and the plurality of ground train radio control units, wherein
one radio communication channel is selected out of the plurality of radio communication channels to perform an authentication request and an authentication process, wherein an encryption key obtained by the authentication process is used as a common encryption key shared by the plurality of on-train radio control units to encrypt data communication between the plurality of on-train radio control units and the plurality of ground train radio control units.

Description

    BACKGROUND OF THE INVENTION Field of the invention
  • The present invention relates to the art of realizing a stable data communication by establishing a plurality of radio communication channels between a train and a communication base station, the art of train control performed via radio and the art of a safe and stable data communication system using a plurality of radio communications that adopt a data encryption system of data transmitted on radio communication channels and a security authentication technique required for entering the radio-controlled zone.
    • Description of the related art
  • Communication systems are utilized to perform train control via a "blocking system" in which only a single train is accepted to travel within a single section.
  • Recently, there are demands to cut down costs related to the train communication system by introducing a radio communication system. In the United States and China, a CBTC (Communication Based Train Control) system is being introduced to perform train control via radio communication.
  • On the other hand, in Europe, the introduction of a system called ERTMS/ETCS is started. ERTMS/ETCS utilizes GSM-R (GSM-Railway) using a GSM network as the radio communication system.
  • In a train control system that realizes bidirectional communication of mutual control information between a ground train control unit of the train and a on-train control unit of the train performing radio control of the train using a radio band, which is an open network, the data is encrypted before radio transmission so as to ensure the confidentiality of data, and the received data is decrypted, thereby protecting the data information from the exterior.
  • International publication 98/41435 (patent document 1) discloses a method for controlling the train by transmitting the control information for operating the train safely on a railroad via wire to the train. The disclosure realizes a train control system having a high security extent by providing a radio control unit, a data encryption system and a radio transmitter malfunction detection system for utilizing radio communication for train control.
  • Japanese patent application laid-open publication 2006-129432 (patent document 2) discloses a train authentication technique of a train control system using radio communication. The key used for encrypting and decrypting data on the communication channels is determined per each train, which is notified from a ground train control unit through the authentication process of the train. The authentication process is performed at the ground train control unit in response to an authentication request sent from an on-train control unit via an on-train radio control unit. The authentication process is performed with the aim to prevent impersonation access to the whole system. Further, the authentication process is performed at the start up of the train, the entry of the train to the control section and periodically during traveling of the train to update the encryption key, so as to change the encryption pattern of data of the train and to prevent the data from being read from the exterior.
  • The arrangement of establishing a plurality of radio communication channels between the on-train control unit of a single train and the ground train control unit is aimed at realizing a stable and continuous data communication between the on-train control unit and the ground train control unit by realizing redundant radio communication channels. This art realizes a highly reliable data communication by providing redundant multiple radio communication channels using multiple CHs, multiple antennas and radio control units under the following radio communication environments: (1) preventing interference bymultipath fading of radio waves withinbuildings in the urban area or within tunnels; (2) preventing interference by noise from other radio communication systems; and (3) change in radio status caused by the movement of the train.
  • When the ground train control unit recognizes start up or system entry of the train, the control system must perform an authentication process to notify information such as acceptance to enter system or an encryption key allocated uniquely to each train. If this authentication process must be performed with all the plurality of radio communication channels of a single train, the ground train supervising system must perform a large number of processes determined by the number of trains times the number of radio communication channels, by which the process load becomes excessive.
  • The above-mentioned system also has another drawback in that the encryption rules determinedbetween the on-train control unit and the ground train control unit by the authentication process must be set to correspond to the number of radio communication channels per a single train, and the processing load related to data communication becomes excessive.
  • The object of providing redundant radio communication channels is as mentioned earlier. According to the present system configuration in which the defection of data is prevented since other radio communication channels are connected even if one radio communication channel is disconnected, some radio communication channels may not be able to perform the authentication process at the time of initial start up of the train according for example to the position of the train, the environment of the radio or the apparatus status of the radio control unit. Such radio communication channel may recover its connection by the movement of the train. If the authentication process is to be performed after the connection has recovered, there will be two types of radio communication channels connected, the radio communication channel for performing data communication for train control anda radio communication channel for performing authentication process, and since the processing mode of the ground train control unit differs for each of the radio communication channels for a single train, the process performed by the ground train control unit becomes too complex.
    • SUMMARY OF THE INVENTION
  • The object of the present invention is to provide a train control system having redundant data communication channels using a plurality of radio communication channels using difference channels (CH) between the on-train control unit and the ground train control unit so as to prevent disconnection of communication of control data in the bidirectional radio communication between the on-train control unit and the ground train control unit in a train control system, wherein each of the radio communication channels are made effective as safe and stable data communication channels.
  • The present invention provides a train control system establishing radio communication between a plurality of on-train radio control apparatuses moving on a predetermined track and a plurality of ground train radio control units disposed along a predetermined track, so as to establish parallel simultaneous radio communications on a plurality of radio communication channels of various communication frequencies between the plurality of on-train radio communication apparatuses and the plurality of ground train radio control units, characterized in that one radio communication channel is selected out of the plurality of radio communication channels to perform an authentication request and an authentication process, wherein an encryption key obtained by the authentication process is used as a common encryption key shared by the plurality of on-train radio control units to encrypt data communication between the plurality of on-train radio control units and the plurality of ground train radio control units.
  • The present invention also characterizes in that the authentication request and the authentication process required at the time of entry of the on-train radio control unit to the train control system or at the initial start up of the on-train radio control unit are performed by switching the selected radio communication channels.
  • The present invention also characterizes in that a supervising system of the on-train radio control unit for selecting a single radio communication channel and performing the authentication request generates a random number for the authentication process, and hands over the random number to only the radio communication channel for performing the authentication request and the authentication process.
  • The present invention further characterizes in that the data on the plurality of radio communication channels are encrypted using an encryption key generated by a ground train supervising system and notified via the ground train radio control unit to the on-train radio control unit, wherein the encryption key is notified from the ground train radio control unit while performing authentication of a single radio communication channel, and the supervising system of the ground train radio control unit shares the encryption key with other on-train radio control units to be used for encrypting data sent via other radio communication channels that have not performed authentication, so that the data sent on all the plurality of radio communication channels established between the on-train radio control units and the ground train radio control units can be encrypted.
  • The present invention also characterizes in that the supervising system of the on-train radio control unit observes the status of radio waves of a plurality of radio communication channels and the status of apparatuses of the on-train radio control units, so as to determine a single radio communication channel for performing the authentication process and to start the authentication process.
  • The present invention further characterizes in that the train control system is equipped with an authentication retry function in which if the authentication process is not completed within a certain period of time or if radio communication is disconnected during the authentication process, the authentication process is discontinued and terminated, then the supervising system selects another radio communication channel to restart the authentication process, so as to switch the radio communication channel to retry the authentication request and the authentication process.
  • The present invention also characterizes in that when the authentication is completed via a single radio communication channel, data communication of the on-train radio control unit within the train control system is accepted, and the supervising system of the on-train radio control apparatus shares the authentication completion information and the encryption key with other radio communication channels, so that the data communication on the remaining radio communication channels are also accepted and started, by which the data communication of the train control system is activated.
  • According to the present invention, data is communicated via a plurality of radio communication channels between the on-train control unit of a single train and the ground train control unit so as to ensure the redundancy of data communication, and a secure and appropriate authentication is performed by executing a security authentication between the on-train and ground train control units using one of the plurality of radio communication channels. Further, by sharing the encryption key obtained by the authentication process with other radio communication channels to start data communication, the security of data sent via the redundant radio communication channels can be guaranteed effectively.
  • Further according to the present invention, the authentication process is performed via only one radio communication channel, so that compared to the system in which all the radio communication channels must perform the authenticationprocess, the loadof authenticating a single train is very small. This is also effective from the viewpoint of reducing load of the ground train control unit that controls the plurality of trains traveling on one railroad track.
  • Further according to the present invention, the authentication request and the authentication process required during initial start up of the on-train radio control unit or the entry of the on-train radio control unit to the train control system is performed by switching the selected radio communication channels, so that even if the radio communication status or the status of the radio transmitter or the antenna is not good, the authentication process can be performed by switching to another radio communication channel, so that the plurality of radio communication channels can be performed effectively under a condition in which the authentication process is required.
  • Moreover, according to the present invention, the supervising system of the on-train radio control unit for selecting a single radio communication channel and executing the authentication request generates random numbers for the authentication process, and hands over the random number only to the radio communication channel that performs the authentication request and the authentication process, so that the authentication request and the authentication process can be performed effectively only by the supervising system and the radio communication channel performing the authentication process.
  • Further according to the present invention, the data on the plurality of radio communication channels is encrypted using an encryption key generated by the ground train supervising system and notified via the round-based radio control unit to the on-train radio control unit. The encryption key is notified from the ground train radio control unit upon performing authentication on a single radio communication channel, and the supervising system of the ground train radio control unit demands the on-train radio control unit to share the encryption key for encrypting data with other radio communication channels that have not performed authentication. Thereby, the data on all the plurality of radio communication channels between the on-train radio control unit and the ground train radio control unit can be encrypted, so that compared to the system where all the radio communication channels must perform the authentication process, the authentication process is restricted to a single radio communication channel, the load for performing the authentication process of a single train can be reduced, and the load applied to the ground train control unit that controls the plurality of trains traveling on one railroad track can be reduced.
  • Further according to the present invention, the radio wave status of the plurality of radio communication channels and the apparatus status of the on-train radio control unit is monitored by the supervising system of the on-train radio control unit, and by determining the single radio communication channel for performing the authentication process and starting the authentication process, the radio wave status of the plurality of radio communication channels and the apparatus status of the on-train radio control unit can be monitored efficiently, and the authentication process can be started efficiently, compared to the system in which a plurality of on-train radio control units monitor the status respectively.
  • The present invention can further be equipped with an authentication retry function that disconnects and terminates the authentication process if the authentication process is not completed within a certain period of time or if the radio communication is disconnected during the authentication process, and selects another radio communication channel to retry the authentication process by the supervising system so as to switch the radio communication channel for retrying the authentication request and the authentication process. Thus, even if the radio communication status or the radio transmitter/antenna status is not good, the radio communication can be switched to another radio communication channel to execute the authentication process, and the plurality of radio communication channels can be used effectively in a state where the authentication process is required.
  • Further according to the present invention, when the authentication process is completed via a single radio communication channel, data communication of the on-train radio control unit in the train control system is accepted, and the supervising system of the on-train radio control unit shares the authentication completion information and the encryption key with other radio communication channels, so that data communication via the remaining radio communication channels is also accepted and started, and the data communication of the train control system can be started. Thereby, the security of data encryption of the radio communication channels not having performed the authentication process is also ensured. In other words, all the data on the plurality of radio communication channels between the ground train control unit and a single train is protected by the same encryption key as the authentication process, and the present invention enables to overcome the drawback of the prior art having to distribute different encryption keys and increasing the decryption process load of the ground train control unit.
    • BRIEF DESCRIPTION OF THE DRAWINGS
    • FIG. 1 is a system configuration diagram illustrating the on-train and ground-based systems according to embodiment 1 of the present invention;
    • FIG. 2 is a flow chart of data communication of radio communication channels according to embodiment 1 of the present invention;
    • FIG. 3 is a chart of the flow during authentication process of apparatuses according to embodiment 1 of the present invention; and
    • FIG. 4 is a flow chart of the data communication during the authentication process on the radio communication channel according to embodiment 1 of the present invention.
    DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Now, we will describe the preferred embodiments of the present invention.
  • According to a representative preferred embodiment of the present invention, the data sent on the radio communication channels are encrypted for confidentiality. The plurality of radio communication channels formed between a single train and a ground train control unit use the same encryption key to encrypt the same control data, so that identical information are transmitted via the respective radio communication channels. There are a plurality of communication channels established between the ground train control unit and a single train, but since the same control data are encrypted using the same encryption key, the data sent via the plurality of radio communication paths will be the same. By adopting a system in which a radio communication channel preferentially used for data is set in advance, and when the radio communication path is disconnected or when an invalid data is received, the data sent via another radio communication channel is used for control, it becomes possible to prevent the transmission and reception of data, train control and train administration data sent via the plurality of radio communication channels from becoming extremely long and complicated.
  • An authentication process is performed to prevent impersonation access from the exterior of the system to the radio transmission channels. Through the authentication process, the encryption key generated by the ground train control unit is notified to the on-train control unit. When starting up the train, when entering the system, and each time when the encryption key is updated periodically while the train is moving, the authentication process is performed between the train and the ground train control unit.
  • The authentication process recognizes the authentication request from the train via the radio communication path, and determines whether or not to accept access of the train to the system. When access is accepted, an encryption key used for encrypting the data on the radio communication channel is notified to the train. If authentication requests are sent via each of the plurality of radio communication channels between the ground train control unit and a single train, the ground train control unit must receive a large number of authentication requests corresponding to the number of radio communication channels to authenticate only a single train, so that when it is necessary to authenticate multiple trains, the process to be performed at the ground train control unit will become too complex and the load will become excessive. By restricting the number of radio communication channels subjected to authenticationprocesstoone, and having only one authentication request for a single radio communication channel to be output per a single train, the process load of the ground train control unit can be reduced.
  • There is a possibility that data communication on the radio communication channel cannot be performed such as due to radio wave interference caused by noise, differences in radio wave property due to installation positions of the antennas, the distance between the ground base station, the malfunction of the radio communication control unit or the antenna, and so on. The present system corresponds to such data communication malfunction by establishing a plurality of radio communication channels.
  • Though the authentication process is performed on a single radio communication channel, if the above-mentioned problems causing defective data communication occurs and the radio communication control unit cannot perform the authentication process, switching among the plurality of radio communication channels is performed for example by the following processes:
    1. (A) If the authentication process is not completed within a fixed period of time, the on-train control unit switches the authentication process/ authentication request to another radio communication system.
    2. (B) The on-train control unit designates the radio communication channel for performing the authentication process by recognizing the data communication statuses such as the apparatus status of the radio communication control unit and the status of the radio communication.
  • According to a representative embodiment of the present invention, data communication is performed via a plurality of radio communication channels established between the on-train control unit of a single train and the ground train control unit, so as to ensure the redundancy of data communication. Further, by executing a security authentication between the on-train and ground train control units using a single radio communication channel out of the plurality of radio communication channels, it becomes possible to perform a secure and appropriate authentication effectively, and by sharing the encryption key obtained in the security authentication process with other radio communication channels when data communication is started, security of data can be guaranteed in the redundant radio communication channels.
  • The authentication process performed when starting up the train, when entering the system and when updating the encryption key is performed by selecting one of the plurality of radio communication paths, so that even if the radio communication status or the statuses of the radio transmitter or the antenna is not good, the authentication process can be performed by switching to another radio communication channel, so that the plurality of radio transmission channels can be used effectively in such a state where authentication process is necessary.
  • Compared to the case where the authentication process is performed for all the radio communication channels, the present system restricts the authentication process to be performed by only a single radio communication channel, so that the load of the authentication process is very small. Therefore, the load on the ground train control unit that controls the large number of trains on a single track can be effectively reduced.
  • When an authentication process is performed for all the plurality of radio communication channels, the channels will have various different encryption keys, and the load of the decryption process by the ground train control unit becomes excessive. However, according to the present invention in which the train is authenticated using a single radio communication channel, the encryption key obtained via the authentication process by the on-train control unit is distributed and shared with other on-train control units, so that the data encryption of the radio communication channels that did not perform authentication process will also be security-ensured. In other words, all the data communicated on the plurality of radio communication channels between the ground train control unit and a single train are protected by the same encryption key as that used in the authentication process.
  • Now, the preferred embodiment of the present invention will be described in detail with reference to the drawings.
    • [Embodiment 1]
  • FIG. 1 is a diagram showing the on-train and ground train control units according to embodiment 1 of the present invention. In FIG. 1, the ground-based facilities include a ground train control unit 10 that generates information to a train 90 accompanying the bidirectional data communication with the train 90, and a ground train radio communication apparatus AP 111 for realizing radio communication (hereinafter referred to as ground train radio control apparatus: AP). A supervising system AP master 14 of the plurality of ground train radio control units that exist along the railroad tracks is arranged between the ground train control unit 10 and the AP 111.
  • In FIG. 1, an on-train control unit 12 functioning as the supervising system of the train 90 and an on-train radio control unit STA 131 for performing radio communication (hereinafter referred to as on-train radio control unit: STA) are provided as the train-based facilities. According to the present embodiments, four STAs, STA 131, STA 132, STA 133 and STA 134 are disposed on a train 90, with four radio communication channels formed between the on-train control unit 12 and the ground train control unit 10. Here, each STA has established radio communication channels with the AP 111, AP 112, AP 113 and AP 114.
  • The respective radio communication channels use different channels (CH), and when the on-train radio control units STA 131, STA 132, STA 133 and STA 134 each having an antenna 8 communicate with the base-stations AP 111, AP 112, AP 113 and AP 114 having different installationenvironments and each having an antenna 8, the environments of the radio communication channels are set to be varied, so that when the radio transmission path is disconnected due to radio wave environment or the status of operation of the on-train radio communication system STA, the data from another on-train radio communication system STA is used for processing data of the on-train control unit 12.
  • FIG. 2 is a data communication flow chart of the radio communication channel according to embodiment 1 of the present invention. In FIG. 2, the train 90 communicates data with the ground-based facility. The information that the ground train control unit 10 wishes to send to a single train is at first transmitted to the AP master 14. The information having been subjected to encryption process in the AP master 14 is then send to each of the APs 111 through 114. Each AP 111 through 114 transmits the encrypted train control information to each STA 131 through 134 having established radio communication, respectively, and each STA 131 through 134 having received the data sends the decrypted data to the on-train control unit 12.
  • When data is to be sent from the train 90 to the ground, the on-train control unit 12 hands over the data that must be sent to the ground to each STA 131 through 134. Each STA 131 through 13 encrypts the data and sends the data to each AP 111 through 114 having established radio communication channels. The AP 111 through 114 notifies the received data to the AP master 14, and the AP master 14 decrypts the data. The decrypted data from the on-train control unit 12 is notified from the AP master 14 to the ground train control unit 10.
  • The on-train control unit 12 usually uses data from a single STA for control, but if data reception error such as the missing of data or missing of data update occurs, or if data disconnection of the radio communication channel occurs, the data received by other STA are used for control. This redundancy of radio communication channels enables to prevent data from the ground train control unit 10 from being discontinued.
  • The radio communication channels are open networks, so that the data must be encrypted to ensure confidentiality of the data. The encryption key required for the encryption is generated by the ground train control unit 10 per each train 90, and during the authentication process performed during start up of the train or the system entry of the train, the key is handed over from the ground train control unit 10 to the on-train control unit 12.
  • FIG. 3 is a flowchart showing the authentication process performed among the various apparatuses according to embodiment 1 of the present invention. At first, the on-train control unit 12 generates a random number. The on-train control unit 12 selects an STA 13 for performing authentication, and outputs an authentication request by handing over the generated random number. The STA 13 transmits the random number to the AP master 14 via a radio communication channel. The AP master 14 encrypts the random number using an authentication key shared in advance by the STA 13 and the AP master 14. The data is sent to the STA 13, and the STA 13 decrypts the same. Once more, the STA 13 receives the random number again from the on-train control unit 12 that had been received previously, and compares the same with the random number that had been encrypted and decrypted using the authentication key so as to confirm that they match.
  • Next, the ground train control unit 10 generates a random number. The ground train control unit 10 hands over the generated random number to the AP master 14. The AP master 14 transmits the random number to the STA 13 using AP 11 having a secured radio communication channel that is performing authentication process. The STA 13 encrypts the random number using an authentication key shared in advance by the STA 13 and the AP master 14. The data is sent to the AP master 14, and the AP master 14 decrypts the same. Once more, theAPmaster 14 receives the random number again from the ground train control unit 10 that had been received previously, and compares the same with the random number that had been encrypted and decrypted using the authentication key, so as to confirm that they match.
  • Once the matching of the random numbers is confirmed by the two sets of random number encryption-decryption sequences mentioned above, the authentication is completed, and the ground train control unit 10 encrypts the encryption key determined uniquely for each train, which is notified to the on-train control unit 12 via the radio communication channel established between the AP master 14 and the STA 13.
  • The on-train control unit 12 subjects the encryption key received at the time of completion of authentication to a sharing process to share the same with other STAs not subjected to the authentication process, and then notifies that the authentication has completed. Thereby, radio communication using all four STAs is started.
  • FIG. 4 is a data communication flow chart illustrating the authentication process performed using radio communication channels according to embodiment 1 of the present invention. In FIG. 4, STA 131 is performing the authentication process. The authentication process is performed using a single radio communication channel 41 via the process shown in FIG. 3. When the authentication process is not completed within a certain period of time, if the radio communication status is deteriorated during the procedure, or if the STA 131 malfunctions, the on-train control unit 12 performs an discontinuation-termination process of the authentication process, and outputs an authentication process request to STA 132 so as to switch the STA performing the authentication process. This arrangement constitutes an authentication retry function.
  • The encryption key notified from the ground train control unit 10 through the authentication process is shared via the on-train control unit 12 with other STAs 132, 133 and 134. Thus, all the radio communication channels have completed the authentication process and are able to communicate data using the distributed encryption key, so that the data communication of all four radio communication channels are protected from interception from the exterior.
  • The authentication is performed using a single wire communication channel and single STA. If the authentication is not completed within a certain period of time and the authentication key is not notified to the on-train control unit 12, the system is equipped with a retry function to perform an authentication discontinuation-termination process so as to switch the authentication request to another STA to retry the authentication.
  • According to the above-described system of the present invention, even if only a single radio communication channel is used to perform authentication and the radio communication status is deteriorated or the STA malfunctions, the authentication process can be performed by switching the STA used for authentication.
  • If the present invention is not applied and the authentication process must be performed for each of the plurality of radio communication channels, the authentication process must be performed for four times per a single train, and the process load of the AP master 14 and the ground train control unit 10 becomes excessive.
  • Further, if the present invention is not applied and the radio communication status of the target radio communication channel is not good so that authentication process cannot be performed, data communication cannot be performed until the radio communication status is improved. In such case, the on-train control unit 12 must perform an authentication process corresponding to the radio communication status in addition to performing the train control based on the communicated data, and the performance load of the system becomes excessive.
  • By applying the train control unit according to embodiment 1 of the present invention to perform the authentication process using an STA administering a single radio communication channel and share the encryption key obtained through the authentication process with other STAs administering other radio communication channels, the STAs not having performed the authentication process can also share the encryption key to perform encryption anddecryptionofdata. Thus, even in STAs not having established radio communication during the authentication process can share the encryption key after the authentication of a single STA has completed, so that when radio communication has been established while the train is moving, encrypted data can be communicated immediately.
  • The present invention is applicable to signaling systems for moving vehicles such as railway cars, monorails and light rail transits (LRT). The present invention is applicable not only to railway cars, but also to systems aimed at performing highly reliable transmission on an open network by adopting redundant data communication using a plurality of radio communication channels.

Claims (7)

  1. A train control system establishing radio communication between a plurality of on-train radio control apparatuses moving on a predetermined path and a plurality of ground train radio control units disposed along a predetermined path, so as to establish parallel simultaneous radio communications on a plurality of radio communication channels of various communication frequencies between the plurality of on-train radio communication apparatuses and the plurality of ground train radio control units, characterized in that
    one radio communication channel is selected out of the plurality of radio communication channels to perform an authentication request and an authentication process, wherein an encryption key obtained by the authentication process is used as a common encryption key shared by the plurality of on-train radio control units to encrypt data communication between the plurality of on-train radio control units and the plurality of ground train radio control units.
  2. The train control system according to claim 1, wherein the authentication request and the authentication process required at the time of entry of the on-train radio control unit to the train control system or at the initial start up of the on-train radio control unit are performed by switching the selected radio communication channels.
  3. The train control system according to claim 2, wherein a supervising system of the on-train radio control unit for selecting a single radio communication channel and performing the authentication request generates a random number for the authentication process, and hands over the random number to only the radio communication channel for performing the authentication request and the authentication process.
  4. The train control system according to claim 2, wherein the data on the plurality of radio communication channels are encrypted using an encryption key generated by a ground train supervising system and notified via the ground train radio control unit to the on-train radio control unit, wherein the encryption key is notified from the ground train radio control unit while performing authentication of a single radio communication channel, and the supervising system of the ground train radio control unit shares the encryption key with other on-train radio control units to be used for encrypting data sent on other radio communication channels that have not performed authentication, so that the data sent on all the plurality of radio communication channels established between the on-train radio control units and the ground train radio control units can be encrypted.
  5. The train control system according to claim 1 or claim 2, wherein the supervising system of the on-train radio control unit observes the status of radio waves of a plurality of radio communication channels and the status of apparatuses of the on-train radio control units, so as to determine a single radio communication channel for performing the authentication process and to start the authentication process.
  6. The train control system according to claim 5, wherein the train control system is equipped with an authentication retry function in which if the authentication process is not completed within a certain period of time or if video communication is disconnected during the authentication process, the authentication process is discontinued and terminated, then the supervising system selects another radio communication channel to restart the authentication process, so as to switch the radio communication channel to retry the authentication request and the authentication process.
  7. The train control system according to claim 5, wherein when the authentication is completed via a single radio communication channel, data communication of the on-train radio control unit within the train control system is accepted, and the supervising system of the on-train radio control apparatus shares the authentication completion information and the encryption key with other radio communication channels, so that the data communication on the remaining radio communication channels are also accepted and started, by which the data communication of the train control system is activated.
EP08252720A 2007-09-18 2008-08-15 Railway radio control system Not-in-force EP2039583B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2007240874A JP4471996B2 (en) 2007-09-18 2007-09-18 Train control system

Publications (2)

Publication Number Publication Date
EP2039583A1 true EP2039583A1 (en) 2009-03-25
EP2039583B1 EP2039583B1 (en) 2011-08-03

Family

ID=39962735

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08252720A Not-in-force EP2039583B1 (en) 2007-09-18 2008-08-15 Railway radio control system

Country Status (4)

Country Link
EP (1) EP2039583B1 (en)
JP (1) JP4471996B2 (en)
CN (1) CN101391616B (en)
AT (1) ATE518718T1 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102209366A (en) * 2010-03-31 2011-10-05 中兴智能交通(无锡)有限公司 Vehicle-mounted communication method and system
RU2444455C2 (en) * 2010-06-03 2012-03-10 Открытое Акционерное Общество "Российские Железные Дороги" Data transmission system for controlling train movement in tunnel
WO2012136525A1 (en) * 2011-04-05 2012-10-11 Siemens Aktiengesellschaft Key management system and method for a train protection system
DE102011084344A1 (en) * 2011-10-12 2013-04-18 Siemens Aktiengesellschaft Method for optimizing the runtime for packet-oriented mobile transmission of data telegrams
DE102011118076A1 (en) * 2011-11-04 2013-05-08 Airbus Operations Gmbh Method for significantly increasing the availability of wireless connections
US9128815B2 (en) 2013-01-14 2015-09-08 Thales Canada Inc Control system for vehicle in a guideway network
DE102014226902A1 (en) * 2014-12-23 2016-01-14 Siemens Aktiengesellschaft Establishing a secure data transmission connection in rail traffic
EP2939901A4 (en) * 2012-12-28 2016-09-21 Toshiba Kk Train control system and train control method
EP2874860B1 (en) 2012-10-04 2016-11-02 Siemens Aktiengesellschaft Operating system for operating functional units in a rail vehicle
WO2019076032A1 (en) * 2017-10-20 2019-04-25 北京全路通信信号研究设计院集团有限公司 Method and system for classified storage of keys
EP3495233A4 (en) * 2016-08-04 2019-11-06 Mitsubishi Electric Corporation Wireless train control system and wireless train control method
WO2019242967A1 (en) * 2018-06-19 2019-12-26 Siemens Mobility GmbH Method for data transfer within a rail vehicle and/or between the rail vehicle and at least one external unit, communication system, rail vehicle and unit
US11420662B2 (en) 2016-11-17 2022-08-23 Hitachi Rail Sts S.P.A. Device and method for the safe management of vital communications in the railway environment

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2011104435A (en) * 2011-02-09 2012-08-20 Закрытое акционерное общество "АЭРО-КОСМИЧЕСКИЕ ТЕХНОЛОГИИ" (RU) PASSENGER TRAIN SECURITY AND COMMUNICATION SYSTEM
DE102011083122A1 (en) 2011-09-21 2013-03-21 Siemens Aktiengesellschaft Method for operating a vehicle-side receiving device of a train control system and vehicle-side receiving device
CN102497429B (en) * 2011-12-13 2014-08-06 南京恩瑞特实业有限公司 Multi-redundancy processing method for train-ground data transmission in rail transit
CN103052030B (en) * 2012-12-10 2016-05-11 成都瑞杰斯特科技有限公司 Train-installed communication network reconnection method and reconnecting system
JP6001467B2 (en) * 2013-01-28 2016-10-05 株式会社日立製作所 Signal security system
JP6051092B2 (en) * 2013-04-15 2016-12-27 株式会社日立製作所 Train control system
JP6241067B2 (en) * 2013-05-16 2017-12-06 三菱電機株式会社 Wireless device
DE102014204146A1 (en) * 2014-03-06 2015-09-10 Siemens Aktiengesellschaft Method for controlling a rail vehicle connected to a CBTC system and CBTC system having at least one rail vehicle
CN104768151B (en) * 2015-04-16 2018-04-20 北京交通大学 Access key amending method based on vehicle-ground wireless communication system
CN105025479B (en) * 2015-07-27 2019-03-05 北京交通大学 Vehicle-ground wireless communication of urban railway transport system authentication key configures system and method
CN105142137B (en) * 2015-07-27 2018-10-12 北京交通大学 Vehicle-ground wireless communication of urban railway transport system authentication key configures system and method
US11044603B2 (en) 2016-04-28 2021-06-22 Mitsubishi Electric Corporation On-vehicle device, ground data-managing device, ground-to-vehicle communication security system, and ground-to-vehicle communication method
CN106347413B (en) * 2016-09-27 2019-06-21 中车青岛四方机车车辆股份有限公司 A kind of single cab signal host control vehicle method and system
US20190359235A1 (en) * 2017-02-10 2019-11-28 Mitsubishi Electric Corporation On-board wireless system
KR102185389B1 (en) * 2018-10-29 2020-12-01 한국철도기술연구원 Railway Vehicle Remote Test System
EP3976441A4 (en) * 2019-05-31 2023-01-25 Hitachi, Ltd. Train control system, train control device, and train control method
CA3151398A1 (en) * 2019-10-17 2021-04-22 Thales Canada Inc. Method for cbtc system migration using autonomy platform
CN111148073B (en) * 2020-04-03 2020-07-31 北京全路通信信号研究设计院集团有限公司 Secret key management method and system for train-ground communication transmission information

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4310644A1 (en) * 1993-04-01 1994-10-06 Deutsche Aerospace Method for reducing the bit error rate in the transmission of digital data via radio and arrangement for carrying out the method
WO1998041435A1 (en) 1997-03-19 1998-09-24 Hitachi, Ltd. Method and system for controlling train by radio
JP2006129432A (en) 2004-09-30 2006-05-18 Hitachi Ltd Method of updating encryption key in distributed environment, encryption key updating system, authentication server constituting the encryption key updating system, mobile object, and radio base station
US20070028099A1 (en) * 2003-09-11 2007-02-01 Bamboo Mediacasting Ltd. Secure multicast transmission

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4371629B2 (en) * 2002-04-25 2009-11-25 日本電気株式会社 Group encryption communication method, authentication method, computer and program
JP2005318448A (en) * 2004-04-30 2005-11-10 Yahata Denki Sangyo Kk Inductive loop type radio communications system
JP2007013754A (en) * 2005-07-01 2007-01-18 Matsushita Electric Ind Co Ltd Base station, mobile station, server, and mobile communication system using them
JP4710579B2 (en) * 2005-12-06 2011-06-29 日本電気株式会社 Train radio interference avoidance system and in-train radio terminal

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4310644A1 (en) * 1993-04-01 1994-10-06 Deutsche Aerospace Method for reducing the bit error rate in the transmission of digital data via radio and arrangement for carrying out the method
WO1998041435A1 (en) 1997-03-19 1998-09-24 Hitachi, Ltd. Method and system for controlling train by radio
EP0970868A1 (en) * 1997-03-19 2000-01-12 Hitachi, Ltd. Method and system for controlling train by radio
US20070028099A1 (en) * 2003-09-11 2007-02-01 Bamboo Mediacasting Ltd. Secure multicast transmission
JP2006129432A (en) 2004-09-30 2006-05-18 Hitachi Ltd Method of updating encryption key in distributed environment, encryption key updating system, authentication server constituting the encryption key updating system, mobile object, and radio base station

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102209366B (en) * 2010-03-31 2013-09-18 中兴智能交通(无锡)有限公司 Vehicle-mounted communication method and system
CN102209366A (en) * 2010-03-31 2011-10-05 中兴智能交通(无锡)有限公司 Vehicle-mounted communication method and system
RU2444455C2 (en) * 2010-06-03 2012-03-10 Открытое Акционерное Общество "Российские Железные Дороги" Data transmission system for controlling train movement in tunnel
WO2012136525A1 (en) * 2011-04-05 2012-10-11 Siemens Aktiengesellschaft Key management system and method for a train protection system
DE102011084344A1 (en) * 2011-10-12 2013-04-18 Siemens Aktiengesellschaft Method for optimizing the runtime for packet-oriented mobile transmission of data telegrams
DE102011118076A1 (en) * 2011-11-04 2013-05-08 Airbus Operations Gmbh Method for significantly increasing the availability of wireless connections
DE102011118076B4 (en) 2011-11-04 2024-04-18 Airbus Operations Gmbh Methods to significantly increase the availability of wireless connections
US10624026B2 (en) 2011-11-04 2020-04-14 Airbus Operations Gmbh Method for considerably enhancing the availability of wireless connections
US9950719B2 (en) 2012-10-04 2018-04-24 Siemens Aktiengesellschaft Operator control system for operator control of functional units for a rail vehicle
EP2874860B1 (en) 2012-10-04 2016-11-02 Siemens Aktiengesellschaft Operating system for operating functional units in a rail vehicle
EP2939901A4 (en) * 2012-12-28 2016-09-21 Toshiba Kk Train control system and train control method
US9128815B2 (en) 2013-01-14 2015-09-08 Thales Canada Inc Control system for vehicle in a guideway network
DE102014226902A1 (en) * 2014-12-23 2016-01-14 Siemens Aktiengesellschaft Establishing a secure data transmission connection in rail traffic
EP3495233A4 (en) * 2016-08-04 2019-11-06 Mitsubishi Electric Corporation Wireless train control system and wireless train control method
US11117601B2 (en) 2016-08-04 2021-09-14 Mitsubishi Electric Corporation Radio train control system and radio train control method
US11420662B2 (en) 2016-11-17 2022-08-23 Hitachi Rail Sts S.P.A. Device and method for the safe management of vital communications in the railway environment
WO2019076032A1 (en) * 2017-10-20 2019-04-25 北京全路通信信号研究设计院集团有限公司 Method and system for classified storage of keys
WO2019242967A1 (en) * 2018-06-19 2019-12-26 Siemens Mobility GmbH Method for data transfer within a rail vehicle and/or between the rail vehicle and at least one external unit, communication system, rail vehicle and unit

Also Published As

Publication number Publication date
ATE518718T1 (en) 2011-08-15
JP2009067357A (en) 2009-04-02
CN101391616A (en) 2009-03-25
CN101391616B (en) 2011-04-06
EP2039583B1 (en) 2011-08-03
JP4471996B2 (en) 2010-06-02

Similar Documents

Publication Publication Date Title
EP2039583B1 (en) Railway radio control system
JP3269635B2 (en) Wireless train control method and wireless train control system
JP6092548B2 (en) Radio system and train control system
KR101852048B1 (en) communication system for tracked vehicle
CN110366518B (en) Ad-hoc communication network
US20200139995A1 (en) Secure locomotive communication system
Lakshminarayana et al. Signal jamming attacks against communication-based train control: Attack impact and countermeasure
CN111148073B (en) Secret key management method and system for train-ground communication transmission information
JP5016394B2 (en) Wireless control security system
JPH08316899A (en) Train radio system and mobile station
JP5503692B2 (en) Wireless control security system
EP3495233B1 (en) Wireless train control system and wireless train control method
EP3219575B1 (en) Method for securing the exchange of authentication keys and associated key management module
JP2009049738A (en) Train control system by radio
JP2018056736A (en) Radio system for radio type train control system
US11958519B2 (en) Method for operating a railway system, and vehicle of a railway system
US20220007186A1 (en) Secure Vehicle Communication System
CN1756149B (en) Cipher key updating method of dispersible environment and its system
JP2009137555A (en) Train control system
KR102287253B1 (en) Communication switching technology in case of error of direct communication between adjacent trains
CN115297475B (en) Quantum key distribution method for rail transit system
US6574466B2 (en) Method of securing transmission of information utilizing time variant techniques with error detecting code
KR20000076389A (en) Method and system for controlling train by radio
KR102322903B1 (en) Interworking method for mitigation of interference between unlicensed communication for train operation and unlicensed communication for passenger service
RU2784101C1 (en) Train traffic control system

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20080903

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

17Q First examination report despatched

Effective date: 20090903

AKX Designation fees paid

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

RIC1 Information provided on ipc code assigned before grant

Ipc: B61L 3/22 20060101AFI20101104BHEP

Ipc: H04W 12/04 20090101ALN20101104BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

Ref country code: CH

Ref legal event code: NV

Representative=s name: TROESCH SCHEIDEGGER WERNER AG

REG Reference to a national code

Ref country code: NL

Ref legal event code: T3

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602008008589

Country of ref document: DE

Effective date: 20110929

REG Reference to a national code

Ref country code: SE

Ref legal event code: TRGR

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

LTIE Lt: invalidation of european patent or patent extension

Effective date: 20110803

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111103

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111205

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111203

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 518718

Country of ref document: AT

Kind code of ref document: T

Effective date: 20110803

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111104

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110831

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

26N No opposition filed

Effective date: 20120504

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110815

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602008008589

Country of ref document: DE

Effective date: 20120504

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111114

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110815

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20111103

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110803

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 9

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 10

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NL

Payment date: 20210716

Year of fee payment: 14

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: IT

Payment date: 20210712

Year of fee payment: 14

Ref country code: FR

Payment date: 20210715

Year of fee payment: 14

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: CH

Payment date: 20210816

Year of fee payment: 14

Ref country code: SE

Payment date: 20210810

Year of fee payment: 14

Ref country code: DE

Payment date: 20210706

Year of fee payment: 14

Ref country code: GB

Payment date: 20210707

Year of fee payment: 14

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 602008008589

Country of ref document: DE

REG Reference to a national code

Ref country code: SE

Ref legal event code: EUG

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: NL

Ref legal event code: MM

Effective date: 20220901

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20220815

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220816

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220831

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220901

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220815

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220831

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20230301

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220815