EP2088051B1 - Method and device for secure setting of a route for a rail vehicle - Google Patents

Info

Publication number
EP2088051B1
Authority
EP
European Patent Office
Prior art keywords
route
keys
control
signal aspect
monitoring elements
Prior art date
Legal status
Not-in-force
Application number
EP08002440A
Other languages
German (de)
French (fr)
Other versions
EP2088051A1 (en)
Inventor
Jon Felix
Current Assignee
Siemens Schweiz AG
Original Assignee
Siemens Schweiz AG
Priority date
Filing date
Publication date
Application filed by Siemens Schweiz AG
Priority to EP08002440A (patent EP2088051B1)
Priority to DE502008003266T (patent DE502008003266D1)
Priority to AT08002440T (patent ATE506241T1)
Publication of EP2088051A1
Application granted
Publication of EP2088051B1
Legal status: Not-in-force (current)
Anticipated expiration

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L 21/00 Station blocking between signal boxes in one yard
    • B61L 21/04 Electrical locking and release of the route; Electrical repeat locks

Definitions

  • The present invention relates to a method and a device for safely setting a route for a rail vehicle.
  • Railway networks, particularly in the area of stations and especially of large stations, are highly complex systems because of the large number of control elements in use, such as switches and signals, and monitoring elements in use, such as track circuits and axle counters; to avoid injury to persons and damage to property they must be operated with interlocking technology of a very high safety level.
  • The interlocking has the task of enabling the train runs planned in the control system (according to the timetable), as well as train runs that have to be controlled individually because of delays, by setting routes.
  • A route is usually a section of track for the rail vehicle that begins at a start signal point and usually ends on reaching the next start signal point.
  • To set a route, the control and monitoring elements involved, as well as any flank protection required, are set and temporarily secured, provided this setting is permissible for the control and monitoring element concerned.
  • SIL4 describes, for systems with permanently high safety requirements, a failure probability between 10^-9 and 10^-8 per hour.
  • To each route are assigned the control and monitoring elements involved and their desired position or status; when the interlocking requests the route, these are queried and, if necessary, set. Once the route is set and secured, the associated signal aspect "TRAVEL" generated at the start signal can be displayed in conventional train protection systems or, at ETCS Level 2, transmitted via a Radio Block Center to the cab of the rail vehicle.
  • The present invention is therefore based on the object of specifying a method and a system for the secure setting of a route that make it possible, by redistributing the hierarchical segmentation, to proceed in a more decentralized and less proprietary way when setting safe routes.
  • Each setting and monitoring element can, so to speak, check for itself whether it is basically available for setting the requested route and, if so, whether it already has the correct state.
  • State here means, for example, the position of a switch, the locking of a switch for flank protection, or the presence of the clear state of a track vacancy detector.
  • The required safety check, or the proof thereof, is thereby greatly simplified and can be carried out generically, for example for the type "switch" or the type "track vacancy detector".
  • The only further safety-relevant check is then required on the part of the signal aspect generator, which checks the presence of the master and subkeys required for the movement command (e.g. the signal aspect "green lamp ON; red lamp OFF").
  • The nomenclature "master key" and "subkey" is intended to imply that the master key and the subkey represent a unique set of data that can be uniquely assigned to a setting or monitoring element and its respective state. These keys may, for example, be a data string consisting merely of an ID of the setting and monitoring element and a logical "1" for the availability of that element; further subkeys may then be transmitted, for example, as further logical "ones" together with the above-mentioned data.
  • The master key and one or more subkeys can also be combined in one data record.
  • The choice of the term "key" further implies that the respective master key and any subkey(s) are a unique set of data identifying the respective setting and monitoring element and its respective state. Furthermore, a certain authenticity attribute can also be seen in the concept of a key: for example, the signal aspect generator can recognize the key as such and as belonging to a particular element, which provides a significant safety gain but can also be achieved purely within signal aspect generation. Further, the above method and system allow expansions and modifications to be made comparatively easily on an existing route, or when establishing a new route, because only the new or changed setting and monitoring elements need to be equipped with new keys and the algorithm on the signal aspect generator adapted to the new situation. The method implemented in the signal aspect generator for generating the signal aspect as such remains unchanged, which is why validation of a larger network area is considerably simplified.
  • The hardware used can be predominantly of type SIL0, since the signalling safety can be reduced, on the one hand, to the control and monitoring elements themselves and, on the other hand, to the configuration of the master key and subkeys and to the check for the complete presence of the keys in the signal aspect generator.
  • An advantageous embodiment of the invention may provide that a signal aspect generator is definable for each route, and that the control and monitoring elements involved in the route are informed within the message which signal aspect generator the respective master key and, if necessary, the respective subkey are to be sent to.
  • The process of signal aspect generation is associated with a signal logic unit assigned to the corresponding start signal at which the route begins.
  • The entire interlocking logic remains unchanged if, for example, new elements are installed, modified or removed within the route; only the algorithm for signal aspect formation has to reflect this change.
  • The signal aspect generator is advantageously associated with the actuator that outputs the respective signal aspect optically at a signal or, in the case of ETCS Level 2 and higher, with the actuator that passes the respective signal aspect to a higher-level entity for wireless transmission to an on-board computer of the rail vehicle.
  • The master keys and any subkeys present may be generated and secured by a secure coding method (CRC, MD4) and thus checked for authenticity by the signal aspect generator. Then not only can it be unambiguously checked that all required keys have been sent, but also whether the keys sent are really the very keys whose transmission was expected.
  • The signal aspect generator can acknowledge to the control and monitoring elements the receipt of an authenticable master key and, if necessary, of further authenticable subkeys.
  • The setting and monitoring elements thus receive feedback that their keys have actually arrived at the correct signal aspect generator and could be authenticated by it.
  • The receipt of this acknowledgment can further be used, for example, to block the corresponding element from dispatching further keys.
  • The setting and monitoring elements can block themselves from re-sending their master key either already upon transmitting their associated master key or after receiving the acknowledgment.
  • It is then not possible for any other signal aspect generator to obtain a master key from setting and monitoring elements blocked in this way. In this way the reservation of a route can easily, and again in a safety-related manner, be outsourced to the control and monitoring elements.
  • A monitoring entity is provided which can replace a master key, and any subkey, that is missing for generating the signal aspect desired with the route request by an explicitly transmitted intervention key. In this way, in a case of failure, it is possible to intervene deliberately while complying with signalling safety, in order, under defined (and definable) conditions, to set an emergency route or to trigger other bypasses of the disturbed route (if necessary also the avoidance of another route).
  • A further advantageous embodiment of the invention may provide that the control and monitoring elements that have sent their respective master key and, if necessary, further subkeys to the signal aspect generator cyclically provide the signal aspect generator with an assurance of the master key and any additional subkeys sent. In this way the signal aspect generator can always be sure that all required keys are still reserved for it by the control and monitoring elements. At the same time, this cyclic confirmation could also be used as a query whether the master key, and any subkeys, transmitted to it are actually still needed or whether, for example because of a temporary disruption, the keys have in fact been returned but have not yet arrived. Signal aspect generator and setting and monitoring elements thus trigger each other so as to achieve a key positioning that is as process-oriented as possible.
  • The method may further be configured such that a failure to confirm the assurance of the transmitted master and subkeys results in a reaction by the signal aspect generator.
  • One possible reaction is the immediate withdrawal of the signal aspect. The same can apply if the confirmation is lost on the communication path. It can be provided that the higher-level entity, if necessary taking into account a certain timeout, causes the signal aspect generator to return all received master and subkeys.
  • The signal aspect generator can execute an algorithm specified for the requested route which checks the presence of the master keys required for granting movement permission over the requested route as well as of any additional subkeys.
  • FIG. 1 shows a simple railway system 2 in an initial configuration in which no route FS is set.
  • The system 2 has a control center 4, a server unit 6 and setting and monitoring elements 8 to 24 arranged along a simple track topology. Further, the system 2 comprises two signals 26, 28, to each of which a signal unit 30 or 32 is assigned.
  • Each of the setting and monitoring elements 8 to 24 has means M for detecting its state at safety level SIL4, shown in the lower third of the symbol S.
  • In the upper part of the symbol S is an address AD that is unique within the railway system 2.
  • The available keys KA are also shown in the symbol; correspondingly, the currently unavailable (locked) keys KL are located on the left side.
  • The setting and monitoring elements 8 to 24 can be generically subdivided into two functionalities. Elements 14 and 22 are two actual setting elements, which not only monitor the position of a switch but can also set it. All other elements 8, 10, 12, 16, 18, 20 and 24 are provided for detecting track occupancy and may be, for example, axle counting systems, track circuits or the like. These elements usually have only one key, referred to in this application by the element-side designations A, B, D, Q, N, X and Y, which stands for their availability. Such an element is available only if the track section it monitors is not occupied, i.e. clear.
  • The setting elements 14 and 22 differ in that, although they each also have a master key C and E, they additionally have subkeys C_li, C_re, E_li and E_re, each representing a particular state of the setting element, i.e. for the switches, for example, the states "diverging" or "not diverging", or "position left" or "position right".
  • In the present embodiment the master key and any further subkeys are unambiguous and are secured by an appended CRC32.
  • A possible alternative securing method could also be MD4, for example.
  • Unambiguous (one-to-one) means in this context that each key (master key as well as subkey) occurs only once in the entire area to be protected.
  • FIG. 2 now shows the state after the route FS, running from signal 26 to signal 28, has been set.
  • A corresponding command for setting the route FS was transmitted from the control center 4 to the server unit 6.
  • A first client-server process R-1 accepts this setting command.
  • This first client-server process R-1 also always has a current image of the state of the control and monitoring elements 8 to 24 and of the signal units 30 and 32.
  • The first client-server process R-1 verifies the presence and release of all necessary master and subkeys.
  • The first client-server process R-1 communicates directly with the participating setting and monitoring elements 8 to 24 and thus already makes preliminary clarifications regarding whether the route FS can be set. It further checks whether the signal unit 30 of the start signal 26 is empty in the present case, i.e. does not contain any keys. At this point the first client-server process R-1 requires no knowledge of the nature of the master keys and any subkeys. On successful completion of these clarifications, the first client-server process R-1 hands the further setting routine over to a second client-server process R-2. This second client-server process R-2 now causes the control and monitoring elements involved, here 10, 12, 14, 16, 18 and 22, to send the master and subkeys required for this route, here A, B, C.
  • A third client-server process R-3 provides the affected signal unit 30 with a last release key R-3io for enabling the corresponding route FS.
  • Signal 26 now shows a green light, so that a train driver can enter the route.
  • The algorithm executed in the signal unit 30 determines the valid signal aspect.
  • Survival telegrams are exchanged between the setting and monitoring elements 10 to 18 and 22 involved in the route and the signal unit 30, securing the route in an advantageous manner.
  • In this way the control and monitoring elements 10 to 18 and 22 basically confirm to the signal unit 30 the allocation of their master key.
  • This confirmation can also be interpreted, with caution, as the control and monitoring elements cyclically requesting from the signal unit 30 the return of their master key and, if applicable, of the subkeys involved.
  • The process can be designed so that the setting and monitoring elements request the return of the corresponding keys, which are no longer needed, from the signal unit 30 only for the first time after their occupancy (i.e. the actual passage of the train).
  • The signal unit 30 can return the key that is no longer required already upon the first request to the requesting setting and monitoring element. With the return of the first of the keys that were still needed up to then, the signal unit 30 is no longer able to maintain the signal aspect "TRAVEL".
  • Signal 26 accordingly shows a red light; signal aspect "HALT".
  • The syntax of the master keys and any subkeys can be designed so that, with simple processing (for example an addition of all necessary keys) in the signal unit 30, a valid balise telegram is generated as the signal aspect, so to speak.
  • The balise telegram derived from the keys can be used to control the optical signals.
  • The master and subkeys can also be evaluated directly on the on-board computer of the rail vehicle.
  • In this case the master and subkeys are transmitted wirelessly (for example with a transparent data balise) to the vehicle. Since the transmission of train control data by means of transparent data balises, for example within the framework of ETCS Level 1, has to achieve a particularly high level of safety anyway (again SIL4 is required here), this solution would not even require any additional effort in terms of safety testing. If the master keys and subkeys also contain further information regarding the topology of the route, not only the movement permission but also the speed profile for the route lying ahead of the rail vehicle can be generated by the on-board computer.
  • In combination with the (regular) master and subkeys present on the signal unit, the emergency key can then be used to generate the originally intended signal aspect, or just an auxiliary signal aspect or other subordinate signal aspects.
  • With this emergency key, for example, temporarily provided detours can be realized, as may be the case during construction or maintenance.
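The key exchange described above (and in the method steps a) to e) of the claims) as an added, self-contained model, not code from the patent or from Siemens: elements send CRC32-secured master and subkeys, the signal unit shows "TRAVEL" only while every key its route algorithm expects is held and authentic, a reserved master key is withheld from a second signal unit, an altered record fails the CRC check, and the first key returned after the train has passed withdraws the aspect. Addresses, key names and the route's key list are constructed to resemble FIG. 2; the element-to-key mapping is assumed.

```python
import zlib


def make_key(address, name):
    """Key record: 'address|name' followed by a 4-byte big-endian CRC32 trailer."""
    payload = f"{address}|{name}".encode()
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def check_key(record):
    """Return (address, name) if the CRC32 trailer verifies, otherwise None."""
    if len(record) < 5:
        return None
    payload, crc = record[:-4], int.from_bytes(record[-4:], "big")
    if zlib.crc32(payload) != crc:
        return None                       # altered or forged record: not authentic
    parts = payload.decode(errors="replace").split("|")
    return (parts[0], parts[1]) if len(parts) == 2 else None


class Element:
    """Control/monitoring element holding one master key and optional subkeys."""

    def __init__(self, address, master, subkeys=(), occupied=False):
        self.address, self.master = address, master
        self.subkeys = set(subkeys)       # one subkey per settable state (C_li, C_re)
        self.occupied = occupied          # occupied track section -> not available
        self.state = None                 # currently set state (a subkey name)
        self.lent_to = None               # signal unit currently holding our master key

    def handle_request(self, generator_id, wanted_state=None):
        """Steps c) and d): check availability, set the state, send the keys."""
        if self.occupied or self.lent_to not in (None, generator_id):
            return []                     # not available, or reserved by another unit
        if wanted_state is not None:
            if wanted_state not in self.subkeys:
                return []
            self.state = wanted_state
        self.lent_to = generator_id       # block the master key for other units
        keys = [make_key(self.address, self.master)]
        if wanted_state is not None:
            keys.append(make_key(self.address, wanted_state))
        return keys

    def reclaim(self, generator):
        """After the train has passed: request the keys back and free the element."""
        aspect = generator.return_keys(self.address)
        self.lent_to = None
        return aspect


class SignalAspectGenerator:
    """Signal unit: shows TRAVEL only while every required key is held and authentic."""

    def __init__(self, gen_id, required):
        self.gen_id = gen_id
        self.required = set(required)     # {(address, key name), ...} for this route
        self.held = {}

    def receive(self, records):
        """Accept only CRC-valid records that the route algorithm expects."""
        accepted = 0
        for rec in records:
            parsed = check_key(rec)
            if parsed is not None and parsed in self.required:
                self.held[parsed] = rec
                accepted += 1
        return accepted

    def aspect(self):
        return "TRAVEL" if self.required <= set(self.held) else "HALT"

    def return_keys(self, address):
        """Give an element its keys back; the first returned key withdraws TRAVEL."""
        for key in [k for k in self.held if k[0] == address]:
            del self.held[key]
        return self.aspect()


def set_route(generator, elements, wanted_states):
    """Steps b) to e) for one route request; returns the resulting signal aspect."""
    for el in elements:
        generator.receive(el.handle_request(generator.gen_id, wanted_states.get(el.address)))
    return generator.aspect()


def demo():
    # Constructed elements along route FS (signal 26 -> signal 28); the mapping of
    # addresses to key names is assumed, not taken from the patent figures.
    elems = [Element("AD10", "A"), Element("AD12", "B"),
             Element("AD14", "C", ("C_li", "C_re")), Element("AD16", "D"),
             Element("AD18", "Q"), Element("AD22", "E", ("E_li", "E_re"))]
    required = [("AD10", "A"), ("AD12", "B"), ("AD14", "C"), ("AD14", "C_re"),
                ("AD16", "D"), ("AD18", "Q"), ("AD22", "E"), ("AD22", "E_li")]
    unit30 = SignalAspectGenerator("SU30", required)
    results = {"set": set_route(unit30, elems, {"AD14": "C_re", "AD22": "E_li"})}
    # A second signal unit cannot obtain a master key that is already reserved.
    unit32 = SignalAspectGenerator("SU32", [("AD14", "C")])
    results["reserved"] = set_route(unit32, elems[2:3], {})
    # A record altered in transit fails the CRC32 check and is ignored.
    tampered = bytearray(make_key("AD10", "A"))
    tampered[0] ^= 0x01
    results["tampered_accepted"] = unit32.receive([bytes(tampered)])
    # The train has passed: the first element reclaims its key, TRAVEL is withdrawn.
    results["after_return"] = elems[0].reclaim(unit30)
    return results
```

Note that CRC32 only detects accidental alteration; the page lists it as its securing method, and a cryptographic MAC would be needed if deliberate forgery on the communication network were in scope.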


Abstract

The method involves control and monitoring elements (8 to 24) that are assigned to the states corresponding to a route. Each control and monitoring element is assigned a unique master key and unique subkeys corresponding to its possible states. A route is requested for the rail vehicle to travel. An independent claim is included for a system for safely setting a route for a rail vehicle.

Description

The present invention relates to a method and a device for safely setting a route for a rail vehicle.

Railway networks, particularly in the area of stations and especially of large stations, are highly complex systems because of the large number of control elements in use, such as switches and signals, and monitoring elements in use, such as track circuits and axle counters; to avoid injury to persons and damage to property they must be operated with interlocking technology of a very high safety level. The interlocking has the task of enabling the train runs planned in the control system (according to the timetable), as well as train runs that have to be controlled individually because of delays, by setting routes. A route is usually a section of track for the rail vehicle that begins at a start signal point and usually ends on reaching the next start signal point. To set a route, the control and monitoring elements involved, as well as any flank protection required, are set and temporarily secured, provided this setting is permissible for the control and monitoring element concerned. A discussion of available electronic interlockings in this regard can be found, for example, in the article by U. Maschek: "Elektronische Stellwerke - ein internationaler Überblick" (Electronic interlockings - an international overview), published in the journal SIGNAL + DRAHT, Tetzlaff Verlag GmbH, Darmstadt, DE, Vol. 89, No. 3, 1 March 1997, pages 15/16, 18 to 23, XP000779765, ISSN 0037-4997.

Because of the high safety requirements, the hardware arranged in an interlocking and its outdoor installations is therefore often highly proprietary, so that certain particularly safety-relevant settings and monitoring routines for setting routes can be executed, for example at SIL4 level (IEC / DIN EN 61508), in a direct connection from the interlocking computer to the control and monitoring elements. SIL4 describes, for systems with permanently high safety requirements, a failure probability between 10^-9 and 10^-8 per hour.

For proper train operation, the routes mentioned above must therefore, because of the prevailing train densities, be set up, reserved and released again very quickly. To each train route are assigned the control and monitoring elements involved and their desired position or status; when the interlocking requests the route, these are queried and, if necessary, set. Once the route is set and secured, the associated signal aspect "TRAVEL" can be generated at the start signal and displayed in conventional train protection systems or, at ETCS Level 2, transmitted via a Radio Block Center to the cab of the rail vehicle.

Due to today's hierarchical segmentation of interlocking tasks, the checking of the control and monitoring elements involved in a requested route always takes place from the interlocking. This requires that the information reaching the interlocking must, on the one hand, be highly reliable and safe and, on the other hand, must also be transferred into the interlocking with high reliability, because it is there that the decision is made whether a route can actually be set. As already mentioned above, these boundary conditions mean that in particular the hardware used is highly proprietary and therefore comparatively expensive to procure and to operate in compliance with the required RAMS (Reliability, Availability, Maintainability, Safety). In particular, the use of safe computer cores, which are usually coded in a high-level programming language, requires comparatively elaborate (complex) engineering of the hardware and software.

The present invention is therefore based on the object of specifying a method and a system for the secure setting of a route that make it possible, by redistributing the hierarchical segmentation, to proceed in a more decentralized and less proprietary way when setting safe routes.

With regard to the method, this object is achieved according to the invention by a method for safely setting a route for a rail vehicle, wherein the route has assigned to it the control and monitoring elements involved in the route and any states of those elements corresponding to the route, and wherein each control and monitoring element is assigned a unique master key and any unique subkeys corresponding to its possible states, with the following method steps:

  • a) the route to be travelled by the rail vehicle is requested;
  • b) a message is sent to the control and monitoring elements involved in the requested route;
  • c) in response to the message sent, the control and monitoring elements check their respective availability for setting the state intended for the route and, if available, set this state or verify that the state required for setting the route is present;
  • d) if said availability is present, the master key and any further subkeys are additionally sent by each of the control and monitoring elements involved in the route; and
  • e) a signal aspect associated with the route request is generated for the requested route only if the master keys and any further subkeys assigned to this route have been transmitted completely.

With regard to the system, the above object is achieved according to the invention by a system for safely setting a route for a rail vehicle, wherein the route has assigned to it the control and monitoring elements involved in the routes and any states of those elements corresponding to the respective route, and wherein each control and monitoring element is assigned a unique master key and any unique subkeys corresponding to its possible states, comprising:

  1. a) a control center in which the route to be travelled by the rail vehicle can be requested;
  2. b) a communication unit with which a message can be sent via a communication network to the control and monitoring elements involved in the requested route;
  3. c) the control and monitoring elements being equipped with computing means with which, in response to the message sent, their respective availability for setting the state intended for the route can be checked, the computing means setting the required state if available or verifying that the state required for setting the route is present, and the computing means being able, if said availability is present, to send the master key and any further subkeys of each of the control and monitoring elements involved in the route via the communication network; and
  4. d) a signal aspect generator with which a signal aspect associated with the route request can be generated for the requested route only if the master keys and any further subkeys assigned to this route have been transmitted completely.

In this way, the safety layer needed for secure route setting is shifted to, or distributed over, the elements participating in the route. Each control and monitoring element can, so to speak, check for itself whether it is available at all for setting the requested route and, if so, whether it is already in the correct state. "State" here means, for example, the position of a switch, the locking of a switch for flank protection, or the "clear" state reported by a track vacancy detector. The required safety check, and the evidence for it, is thereby greatly simplified and can be carried out generically, for example per element type such as "switch" or "track vacancy detector". The only further safety-relevant check is then performed by the signal aspect generator, which checks that the master keys and subkeys required for the movement authority (e.g. the signal aspect "green lamp ON; red lamp OFF") are present.

The nomenclature "master key" and "subkey" is intended to imply that the master key and the subkey represent a unique set of data that can be unambiguously assigned to one control or monitoring element and its respective state. These keys can, for example, be a data string which may consist of nothing more than an ID of the control and monitoring element and a logical "1" for the element's availability. Further subkeys can then be transmitted, for example, as further logical "ones" together with the data mentioned above. The master key and one or more subkeys can thus also be combined in a single data record.

The choice of the component "key" is further intended to imply that the respective master key and any subkey(s) are a unique set of data identifying the respective control and monitoring element and its respective state. Beyond that, a certain authenticity attribute can also be seen in the notion of a key: it allows the signal aspect generator, for example, to recognise the key as such and as belonging to a particular element, which likewise represents a considerable safety gain, and one that can be obtained purely within the context of signal aspect generation. The method and system described above also make it comparatively simple to extend or modify an existing route or to set up a new one, because only the new or changed control and monitoring elements need to be equipped with new keys and the algorithm on the signal aspect generator needs to be adapted to the new situation. The procedure for generating the signal aspect that is implemented in the signal aspect generator itself remains unchanged, which is why the validation of a larger network area is also considerably simplified.

In sum, it should therefore also be noted that the hardware used can predominantly be of type SIL0, since signalling safety can be reduced to, on the one hand, the control and monitoring elements themselves and, on the other hand, the configuration of the master keys and subkeys together with the check in the signal aspect generator that all keys are present.

An advantageous embodiment of the invention can provide that a signal aspect generator is definable for each route, the control and monitoring elements participating in the route being told, as part of the message, to which signal aspect generator their respective master keys and, where applicable, subkeys are to be sent. It is thus possible to carry out signal aspect generation with a logic unit assigned to the corresponding start signal, at the point where the route begins. In this way the entire interlocking logic, for example, remains unchanged when new elements are installed, changed or removed within the route; only the algorithm for forming the movement authority aspect needs to reflect such a change. In other words, the signal aspect generator is advantageously associated with the control element that displays the respective signal aspect optically at a signal or, in the case of ETCS Level 2 and higher, with the control element that hands the respective signal aspect to a higher-level instance for wireless transmission to an on-board computer of the rail vehicle.

To further increase safety, the master keys and any subkeys can be generated and protected according to a secure coding method (CRC, MD4) and thus checked for authenticity by the signal aspect generator. Then not only can it be checked unambiguously whether all required keys have been sent, but also whether the keys that were sent are really exactly the keys whose transmission was expected.
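The two checks the paragraph asks for, worked through in Python as an added example (not code from the patent): a key telegram carries a CRC32 trailer, the signal aspect generator first recomputes the trailer and then checks that the key is one it expects for this route. The telegram layout "<element addr>:<key name>:1" with a 4-byte big-endian CRC32 and the expected-key table are assumptions. One caveat a practitioner should keep in mind: CRC32 (like MD4, the alternative the text names) detects accidental corruption, which is what a SIL-style safety argument against random faults needs, but anyone who can send on the network can recompute it over an altered key, so it says nothing about who produced the telegram. A keyed construction (HMAC-SHA256 here) is included for comparison; it is not part of the patent.

```python
"""Protecting key telegrams with a CRC32 trailer, plus a keyed alternative
(added example, not from the patent).

Telegram layout "<element addr>:<key name>:1" + 4-byte big-endian CRC32 is
an assumption; the patent only says the keys carry a CRC32 appendix (MD4 as
an alternative). accept_key() does both checks the text asks for: the
trailer must recompute, and the key must be one the generator expects.
"""
import binascii
import hashlib
import hmac
import struct


def protect_crc32(key: bytes) -> bytes:
    """Append a CRC32 trailer (detects random transmission corruption)."""
    return key + struct.pack(">I", binascii.crc32(key) & 0xFFFFFFFF)


def verify_crc32(telegram: bytes):
    """Return the key if the CRC32 trailer recomputes, else None."""
    if len(telegram) < 4:
        return None
    body, trailer = telegram[:-4], telegram[-4:]
    if struct.pack(">I", binascii.crc32(body) & 0xFFFFFFFF) != trailer:
        return None
    return body


def protect_hmac(key: bytes, secret: bytes) -> bytes:
    """Keyed alternative: only a holder of `secret` can build a valid trailer."""
    return key + hmac.new(secret, key, hashlib.sha256).digest()


def verify_hmac(telegram: bytes, secret: bytes):
    """Return the key if the HMAC-SHA256 trailer verifies, else None."""
    if len(telegram) < 32:
        return None
    body, tag = telegram[:-32], telegram[-32:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(expected, tag) else None


def accept_key(telegram: bytes, expected_keys, verify) -> str:
    """Generator side: integrity first, then identity against the route's table."""
    body = verify(telegram)
    if body is None:
        return "CORRUPT"       # trailer does not recompute
    if body not in expected_keys:
        return "UNEXPECTED"    # well-formed, but not a key this route needs
    return "OK"


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit transmission error."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


# Constructed table of keys the generator of one route expects (assumption).
EXPECTED = {b"14:C:1", b"14:Cli:1", b"22:E:1", b"22:Eli:1"}


if __name__ == "__main__":
    t = protect_crc32(b"14:C:1")
    print(accept_key(t, EXPECTED, verify_crc32))               # OK
    print(accept_key(flip_bit(t, 3), EXPECTED, verify_crc32))  # CORRUPT
    # Any sender can build a CRC32-valid telegram for a key it does not own:
    print(accept_key(protect_crc32(b"22:E:1"), EXPECTED, verify_crc32))  # OK
```

The last line of the usage block is the point of the caveat: the CRC32 check accepts the telegram for key E no matter which node built it, whereas the HMAC variant rejects any telegram whose trailer was not computed with the shared secret.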

In a further preferred embodiment of the invention, the signal aspect generator can acknowledge to the control and monitoring elements the receipt of an authenticatable master key and, where applicable, further authenticatable subkeys. The control and monitoring elements thus receive feedback that their keys have actually arrived at the correct signal aspect generator and could be authenticated by it. Receipt of this acknowledgement can further be used, for example, to block the element concerned from sending any further keys. Put the other way round, the control and monitoring elements can be blocked from re-sending their master key either as soon as they send it or only after receiving the acknowledgement of its transmission. During this time no other signal aspect generator can obtain a master key from an element blocked in this way. In this way the reservation of a route is solved simply and, again, with the safety function delegated to the control and monitoring elements.

Occasionally it can happen that either the functionality of a control or monitoring element is disturbed or there is a communication fault to a control or monitoring element, so that the requested route cannot be set because the master key of that element is not sent to the corresponding signal aspect generator. Such a fault can also be caused, for example, by an axle counter which, owing to unfavourable EMC interference, has counted a different number of wagon axles into and out of a section even though all wagons of the train have left the section after passing through it. In an advantageous embodiment of the invention a supervisory instance is therefore provided which can replace a master key, and any subkeys, that is missing for generating the signal aspect requested with the route by an explicitly transmitted intervention key. In this way a targeted intervention can be made in a fault situation while observing signalling safety, in order to set an emergency route under defined (and definable) conditions or to initiate further workarounds for the disturbed route (where applicable also diverting to a different route).

A further advantageous embodiment of the invention can provide that the control and monitoring elements which have sent their respective master keys and, where applicable, further subkeys to the signal aspect generator cyclically transmit to it an assurance of the master key and any further subkeys sent. In this way the signal aspect generator can always be certain that all required keys are still reserved for it by the control and monitoring elements. At the same time, this cyclic confirmation could also be used as a query as to whether the master keys, and any subkeys, sent to the generator are actually still needed or whether, for example, owing to a temporary line fault, the keys have in fact already been returned but have not yet arrived. The signal aspect generator and the control and monitoring elements thus trigger each other in order to keep the allocation of keys as close to the actual process as possible. As soon as the first monitoring element in the route indicates the state "OCCUPIED", its master key can be returned by the signal aspect generator to that monitoring element. Once the signal aspect generator has returned a master key, it is no longer able to generate the desired signal aspect; a light signal would in this case immediately change from "PROCEED" to "STOP".

The method can further be configured such that the absence of the confirmation of the assurance of the master and subkeys sent leads to a reaction of the signal aspect generator. One possible reaction is the immediate withdrawal of the movement authority aspect. The same can apply if the confirmation is lost on the communication path. It can be provided that the higher-level instance, where applicable after a certain timeout, causes the signal aspect generator to return all master and subkeys it has received.

In principle it is therefore expedient for the signal aspect generator to return the master keys and any further subkeys sent for setting a route to the respective control and monitoring elements after the set route has been traversed completely, or to return them section by section to the respective control and monitoring elements as the rail vehicle's journey progresses along the set route.

As already indicated several times above, in a further preferred embodiment the signal aspect generator can execute an algorithm specified for the requested route which checks the presence of the master keys and any subkeys required for granting movement authority over the requested route.

Further advantageous embodiments of the invention can be found in the remaining subclaims.

The invention is explained in more detail below by way of example with reference to the drawing, in which:

Figure 1
shows a simple railway system in an initial configuration in which no route is set; and
Figure 2
shows the railway system of Figure 1 after a route has been set.

Figure 1 shows a simple railway system 2 in an initial configuration in which no route FS is set. The system 2 has a control center 4, a server unit 6 and control and monitoring elements 8 to 24 arranged along a simple track topology. The system 2 further comprises two signals 26, 28, to which a signal unit 30 and 32 respectively is assigned. As shown at the bottom left in the legend to Figure 1, each of the control and monitoring elements 8 to 24 has means M for detecting its state at safety level SIL4, depicted in the lower third of the symbol S. The upper part of the symbol S contains an associated address AD that is unique within the railway system 2. In the middle region, the available keys KA are shown on the right-hand side; correspondingly, the currently unavailable (locked) keys KL are on the left-hand side. The keys are discussed in detail below. It should be emphasised here that only the means M for detecting the state of the control and monitoring element 8 to 24 and for releasing the keys need to operate at safety level SIL4. For the approval of railway systems 2 constructed in this way, therefore, only the means M need to be checked and approved generically at this point.

In the topology shown, the control and monitoring elements 8 to 24 can be divided generically into two functionalities. 14 and 22 are two actual control elements which not only monitor the position of a switch but can also move it. All other elements 8, 10, 12, 16, 18, 20 and 24 are provided for detecting track occupancy and can be, for example, axle counting systems, track circuits or the like. These elements generally have only one key, called the master key in the context of this application, with the element-side designations A, B, D, Q, N, X and Y, which represents their availability. Such an element is available only if the track section it monitors is not occupied, i.e. is clear. The control elements 14 and 22 differ in that, although they likewise each have a master key C and E, they additionally have further subkeys Cli, Cre, Eli and Ere, each of which represents a particular state of the control element, for the switches e.g. the positions "diverging" or "not diverging", or "left" or "right". The master keys and any further subkeys are one-to-one unique and, in the present embodiment, are protected by a CRC32 appended to them. A possible alternative protection could, for example, be MD4. One-to-one unique means in the present context that each key (master key as well as subkey) occurs exactly once in the entire area to be protected.

Figure 2 now shows the state after the route FS, which extends from signal 26 to signal 28, has been set. For this purpose a corresponding command to set the route FS was transmitted from the control center 4 to the server unit 6. A first client-server process R-1 accepts this setting command. This first client-server process R-1 also always holds a current image of the state of the control and monitoring elements 8 to 24 and of the signal units 30 and 32. Before an attempt is made to set the route, the first client-server process R-1 verifies the presence and release of all necessary master and subkeys.

The first client-server process R-1 communicates directly with the participating control and monitoring elements 8 to 24 and thus already makes preliminary clarifications as to whether the route FS can be set. It further checks whether the signal unit 30 of the start signal 26 is empty in the present case, i.e. contains no keys. At this point the first client-server process R-1 needs no knowledge whatsoever of the kind and nature of the master keys or of any subkeys. Once these clarifications have been completed successfully, the first client-server process R-1 hands the further setting routine over to a second client-server process R-2. This second client-server process R-2 now causes the participating control and monitoring elements, here 10, 12, 14, 16, 18 and 22, to send the master and subkeys required for this route, here A, B, C, Cli (subkey), D and E, Eli (subkey), to the signal unit 30. These keys come not only from the elements directly assigned to the path but also, in the case of element 22, from an element that provides flank protection for the route FS being set. This second client-server process R-2 likewise needs no knowledge of the kind and nature of the master and subkeys. In response to the request, the participating control and monitoring elements 10 to 18 and 22 send their respective master and subkeys to the signal unit 30. The signal unit 30 verifies (authenticates) whether the received keys are valid keys. So that this can be concluded with the safety required by SIL4, high-integrity check methods based on CRC or MD4 are applied. If the second client-server process R-2 reaches the verified result that all participating control and monitoring elements 10 to 18 and 22 have surrendered their master keys, here A, B, C, D, E and X, together with the associated subkeys, here Cli and Eli, further processing is handed over to a third client-server process R-3.

This third client-server process R-3 supplies the affected signal unit 30 with a final release key R-3io for releasing the corresponding route FS. In Figure 2 this is depicted by the master and subsidiary keys entered in the signal unit 30 and by the letters Re (= reserved) entered in the right-hand middle area of the control and monitoring elements. In addition, signal 26 now shows a green light, so that a train driver can enter the route.

In the signal unit 30, a process executed at SIL4 runs once more to form the signal aspect "green light = PROCEED". Using the master and subsidiary keys, the algorithm executed in the signal unit 30 determines the valid signal aspect. During this phase, until the route is released, so-called survival telegrams advantageously secure and monitor the locking of the route. The survival telegrams are exchanged between the control and monitoring elements 10 to 18 and 22 involved in the route and the signal unit 30. In this way the control and monitoring elements 10 to 18 and 22 essentially confirm to the signal unit 30 that they have handed over their master keys. At the same time, this confirmation can also be interpreted as the control and monitoring elements cyclically asking the signal unit 30 to return their master keys and any subsidiary keys involved. The process can be designed so that the control and monitoring elements first ask the signal unit 30 to return the corresponding key, which is no longer needed, after they have been occupied (i.e. after the train has actually passed over them). On this first request the signal unit 30 can then return the master keys and any subsidiary keys that are no longer needed to the requesting control and monitoring elements. However, once the first of the previously required keys has been returned, the signal unit 30 is no longer able to maintain the signal aspect "PROCEED". Signal 26 accordingly shows a red light; the movement aspect is "HALT".

When transparent data balises are used as control elements, the syntax of the master keys and of any subsidiary keys can be designed so that a simple operation in the signal unit 30 (for example adding up all the necessary keys) generates a valid balise telegram that serves, so to speak, as the movement aspect. Additionally or alternatively, the balise telegram derived from the keys can be used to drive the optical signals.
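The "addition of all necessary keys" that yields a balise telegram, and the onboard derivation of a speed profile from topology carried in the keys (described two paragraphs further on), as an added Python example that is not the patent's own encoding: the 4-bit field layout, the state codes, the presence bit and the speed table are constructed assumptions. The design point it shows is that keys which occupy disjoint bit fields can be combined by plain addition, and that a telegram with a missing or duplicated key is rejected by the decoder because its presence bit is absent or has carried into the neighbouring field.

```python
# Constructed key syntax (assumption): a route with n elements maps to a
# 4*n-bit telegram; element i owns bits [4*i, 4*i+4). Its master key sets the
# field's presence bit, its subsidiary key (only for settable elements such as
# points) carries a state code in the lower three bits. Because the fields are
# disjoint, the signal unit can build the telegram by simply adding the keys.
FIELD_WIDTH = 4
PRESENT = 0b1000
STATE_CODES = {"li": 1, "re": 2}          # code 0 = fixed element, no subsidiary key
STATE_NAMES = {0: "fixed", 1: "li", 2: "re"}
SPEED_KMH = {"fixed": 100, "li": 40, "re": 40}   # constructed onboard speed table


def master_key(slot):
    """Master key of the element in route position `slot`."""
    return PRESENT << (FIELD_WIDTH * slot)


def subsidiary_key(slot, state):
    """Subsidiary key encoding the state the element was set to."""
    return STATE_CODES[state] << (FIELD_WIDTH * slot)


def compose_telegram(keys):
    """Signal unit side: the 'simple processing' is an addition of all keys."""
    return sum(keys)


def decode_telegram(telegram, n_elements):
    """Onboard side: accept only if every slot carries its presence bit and a
    known state code and no stray bits lie outside the route's fields."""
    if telegram >> (FIELD_WIDTH * n_elements):
        return None
    states = []
    for slot in range(n_elements):
        field = (telegram >> (FIELD_WIDTH * slot)) & 0xF
        if not field & PRESENT:
            return None                     # a master key is missing or corrupted
        name = STATE_NAMES.get(field & 0b0111)
        if name is None:
            return None                     # unknown state code
        states.append(name)
    return states


def speed_profile(states):
    """Speed limit per route element, derived from the decoded topology."""
    return [SPEED_KMH[s] for s in states]


def route_fs_keys():
    """Keys of route FS from Figure 2: A, B, C+Cli, D, E+Eli, X in route order."""
    return [master_key(0), master_key(1),
            master_key(2), subsidiary_key(2, "li"),
            master_key(3),
            master_key(4), subsidiary_key(4, "li"),
            master_key(5)]
```

A duplicated master key is caught as well: adding the same presence bit twice carries it into the next slot and clears it in its own slot, so the decoder sees the element as absent.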

In a further alternative embodiment of the invention, the master and subsidiary keys can also be evaluated directly on the onboard computer of the rail vehicle. In this case the master and subsidiary keys are transmitted wirelessly to the vehicle (for example by means of a transparent data balise). Since the transmission of train control data by means of transparent data balises, for example within ETCS Level 1, has to reach a particularly high safety level in any case (SIL4 is required here too), this solution would not even require additional effort for the safety assessment. If the master keys and subsidiary keys also carry further information about the topology of the route, the onboard computer can generate not only the movement authority but also the speed profile for the route ahead of the rail vehicle.

In the event of a fault, for example if individual elements of the route are faulty or if correctly sent master and subsidiary keys do not arrive, a message is sent to a higher-level entity, for example the control centre 2. The consequence of such a fault is that the required keys cannot be handed over properly at the safety level of the route, so the movement aspect cannot be generated in the signal unit 30. In order to be able to grant a movement authority after all, targeted intervention by the higher-level entity is made possible in that the higher-level entity can generate an intervention key, referred to below simply as an emergency key, and transmit it to the affected signal unit. In combination with the (regular) master and subsidiary keys present on the signal unit, the emergency key can then be used to generate the originally intended movement aspect, or only an auxiliary signal aspect or another lower-ranking signal aspect. These emergency keys can also be used, for example, to implement temporary diversions, as may be necessary during construction or maintenance work.
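The three-stage hand-over (R-1, R-2, R-3), the survival telegrams with key return, and the emergency key described in the preceding paragraphs, modelled as an added Python example that is not part of the patent or of any Siemens implementation. Element numbers and key letters follow Figure 2; the per-element MAC secrets, the control-centre secret, the survival timeout and the `NOT-<element>` emergency-key identifier are constructed assumptions. The patent names CRC or MD4 as the checking method; a keyed HMAC-SHA256 tag is substituted here, because CRC and MD4 detect accidental corruption but give no protection against a key being forged by anyone who has observed one.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secrets (assumption): one MAC secret per control element, shared
# with the signal unit, plus one for the control centre that issues emergency keys.
SECRETS = {10: b"k10", 12: b"k12", 14: b"k14", 16: b"k16", 18: b"k18", 22: b"k22"}
CONTROL_CENTRE_SECRET = b"k-control-centre-2"


def tag(secret, key_id):
    """Authentication tag for a key identifier (truncated HMAC-SHA256)."""
    return hmac.new(secret, key_id.encode(), hashlib.sha256).digest()[:8]


@dataclass
class ControlElement:
    """Track section, point or flank-protection element holding its own keys."""
    elem_id: int
    master: str                  # master key id, e.g. "C"
    states: tuple = ()           # settable states, e.g. ("li", "re")
    available: bool = True       # False models a faulty element
    blocked: bool = False        # claim 5: no second hand-over while the route is set

    def respond(self, wanted_state):
        """Steps c) and d): check availability, set the state, hand over the keys."""
        if self.blocked or not self.available:
            return None
        if wanted_state is not None and wanted_state not in self.states:
            return None
        secret = SECRETS[self.elem_id]
        keys = [(self.master, tag(secret, self.master))]
        if wanted_state is not None:                 # subsidiary key, e.g. "Cli"
            sub = self.master + wanted_state
            keys.append((sub, tag(secret, sub)))
        self.blocked = True
        return keys

    def release(self):
        self.blocked = False     # keys came back; the element may hand over again


class SignalUnit:
    """Signal aspect generator 30: holds keys, checks completeness and liveness."""
    SURVIVAL_TIMEOUT = 3         # assumption: max gap between survival telegrams

    def __init__(self, route):
        self.route = route       # {elem_id: (master key id, required state or None)}
        self.keys = {}           # elem_id -> set of authenticated key ids
        self.last_seen = {}      # elem_id -> time of the last survival telegram
        self.intervention = None # elem_id whose missing master key an emergency key covers

    def is_empty(self):
        return not self.keys     # precondition checked by R-1

    def receive(self, elem_id, keys, now):
        """Authenticate every key; reject the whole hand-over on any bad tag."""
        secret = SECRETS[elem_id]
        if not all(hmac.compare_digest(tag(secret, k), t) for k, t in keys):
            return False
        self.keys[elem_id] = {k for k, _ in keys}
        self.last_seen[elem_id] = now
        return True

    def survival(self, elem_id, now):
        self.last_seen[elem_id] = now    # cyclic confirmation of the hand-over

    def give_back(self, elem_id, element):
        """Return the keys after occupation; the aspect can no longer be held."""
        self.keys.pop(elem_id, None)
        self.last_seen.pop(elem_id, None)
        element.release()

    def accept_intervention(self, elem_id, t):
        """Claim 6: an authenticated emergency key stands in for one master key."""
        if hmac.compare_digest(tag(CONTROL_CENTRE_SECRET, f"NOT-{elem_id}"), t):
            self.intervention = elem_id

    def aspect(self, now):
        """Derive the aspect from the keys held right now (claim 1, step e)."""
        missing = []
        for elem_id, (master, state) in self.route.items():
            need = {master} | ({master + state} if state else set())
            seen = self.last_seen.get(elem_id, float("-inf"))
            if not need <= self.keys.get(elem_id, set()) or now - seen > self.SURVIVAL_TIMEOUT:
                missing.append(elem_id)
        if not missing:
            return "PROCEED"
        if missing == [self.intervention]:
            return "AUXILIARY"   # lower-ranking aspect granted under the emergency key
        return "HALT"


def set_route(unit, elements, now):
    """R-1: unit must be empty; R-2: collect and authenticate; R-3: release."""
    if not unit.is_empty():
        return "HALT"
    for elem_id, (_, state) in unit.route.items():
        keys = elements[elem_id].respond(state)
        if keys is not None:
            unit.receive(elem_id, keys, now)
    return unit.aspect(now)


def build_example():
    """Route FS of Figure 2: elements 10 to 18 plus flank protection 22 (key X)."""
    elements = {
        10: ControlElement(10, "A"), 12: ControlElement(12, "B"),
        14: ControlElement(14, "C", ("li", "re")), 16: ControlElement(16, "D"),
        18: ControlElement(18, "E", ("li", "re")), 22: ControlElement(22, "X"),
    }
    route = {10: ("A", None), 12: ("B", None), 14: ("C", "li"),
             16: ("D", None), 18: ("E", "li"), 22: ("X", None)}
    return elements, SignalUnit(route)
```

The aspect is never stored; it is recomputed from the set of keys currently held and from the survival-telegram timestamps on every query. Returning the first key after occupation, or one element falling silent, therefore drops the signal to HALT without any explicit cancel message, which is the fail-safe property the key distribution is meant to give.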

As already explained above, these basic principles, with such a distribution of the master and subsidiary keys across the control and monitoring elements, can also be adopted for the modern European train control system ETCS. In a Level 2 application, where movement aspects are no longer displayed by means of light signals, the signal unit generates corresponding movement authorisation keys of temporary validity instead of generating the optical aspects. The movement authorisation keys are renewed cyclically and handed over to the RBC interface computer for further processing and transmission to the driver's cab. In principle, however, the entire philosophy of decentrally distributed safety checking described above is retained in full here as well.
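The Level 2 variant, in which the signal unit issues movement authorisation keys of temporary validity and renews them cyclically, as an added Python example that is not part of the patent: the shared secret between signal unit and RBC interface computer, the validity window, the JSON payload and the sequence-number rule are assumptions. It shows the two checks the receiving side needs so that "temporary validity" actually holds: an authorisation lapses by itself when no renewal arrives, and an older key cannot be replayed over a newer one.

```python
import hmac
import hashlib
import json

SIGNAL_UNIT_SECRET = b"k-signal-unit-30"   # constructed; shared with the RBC interface
VALIDITY_S = 10                             # assumption: a key is valid 10 s after issue


def issue_authorisation(route, seq, now, secret=SIGNAL_UNIT_SECRET):
    """Signal unit side: authorisation key = payload plus MAC, time-limited."""
    payload = {"route": route, "seq": seq, "issued": now, "expires": now + VALIDITY_S}
    msg = json.dumps(payload, sort_keys=True).encode()
    return msg, hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RbcInterface:
    """RBC interface side: accepts only authentic, unexpired, strictly newer keys."""

    def __init__(self, secret=SIGNAL_UNIT_SECRET):
        self.secret = secret
        self.last_seq = {}     # route -> highest sequence number accepted so far
        self.current = {}      # route -> payload of the key currently in force

    def accept(self, msg, mac, now):
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False                        # tampered or not from the signal unit
        p = json.loads(msg)
        if now > p["expires"]:
            return False                        # already lapsed on arrival
        if p["seq"] <= self.last_seq.get(p["route"], -1):
            return False                        # replay of an older key
        self.last_seq[p["route"]] = p["seq"]
        self.current[p["route"]] = p
        return True

    def authorised(self, route, now):
        """Is a movement authorisation for `route` in force at time `now`?"""
        p = self.current.get(route)
        return p is not None and now <= p["expires"]
```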

Because the route information is held decentrally in the signal units, the methods described above also make new automation concepts possible, for example a rigid train routing implemented at the decentral level by communication between the signal units. This would mean that the signal unit whose route is currently being travelled instructs the control and monitoring elements of the following route, where appropriate taking the expected travel time into account, to send the master and subsidiary keys required for setting the following route to the signal unit assigned to that following route. In this way a virtually self-propagating system of set routes can result, without the higher-level entity having to intervene in regular operation. The higher-level entity can thus confine itself entirely to conflict resolution. Such a solution naturally also presupposes that the signal unit whose route is currently being travelled knows which route is to be set next. This step, too, is comparatively easy to automate, for example by determining the following route from the train number of the train entering the set route through access to a decentral or central database. It would also be possible to store in the signal unit the timetabled sequence of trains travelling over the route together with a reference to the following route. Of course, it would also be possible to propose the route to be set next to the higher-level entity and have the proposal acknowledged there before the corresponding control and monitoring elements are asked to send their master and subsidiary keys.

Claims (22)

  1. Method for secure setting of a route (FS) for a rail vehicle, wherein the route (FS) is assigned control and monitoring elements (8 to 24) involved in the route (FS) as well as any of their states corresponding to the route (FS), characterised in that
    each control and monitoring element (8 to 24) is assigned a unique master key (A to E, N, X, Y) and any unique subsidiary keys (Cli, Cre, Eli, Ere) corresponding to the possible states, said method comprising the following steps:
    a) the route (FS) to be travelled by the rail vehicle is requested;
    b) a message is transmitted to the control and monitoring elements (10 to 18, 22) involved in the requested route (FS);
    c) in response to the transmitted message the control and monitoring elements (10 to 18, 22) check their respective availability for setting the state provided for the route (FS) and in the event of their respective availability set said state or, as the case may be, verify the presence of the state required for setting the route (FS);
    d) if the said availability is present the master key (A to E, N, X, Y) and any further subsidiary keys (Cli, Cre, Eli, Ere) are also sent by each of the control and monitoring elements (10 to 18, 22) involved in the route (FS); and
    e) a signal aspect for the requested route (FS) associated with the request for the route (FS) is generated only if the master keys (A to E, N, X, Y) assigned to said route (FS) and any further subsidiary keys (Cli, Cre, Eli, Ere) are transmitted in full.
  2. Method according to claim 1,
    characterised in that
    a signal aspect generator (30, 32) is defined for each route (FS), wherein within the scope of the message it is communicated to the control and monitoring elements (10 to 18, 22) involved in the route (FS) to which signal aspect generator (30, 32) the respective master keys (A to E, N, X, Y) and where applicable the respective subsidiary keys (Cli, Cre, Eli, Ere) are to be sent.
  3. Method according to claim 1 or 2,
    characterised in that
    the master keys (A to E, N, X, Y) and any subsidiary keys (Cli, Cre, Eli, Ere) present are generated in accordance with a secure coding method (CRC, MD4) and checked for authenticity by the signal aspect generator (30, 32).
  4. Method according to one of claims 1 to 3,
    characterised in that
    the signal aspect generators (30, 32) acknowledge the receipt of an authenticatable master key and any further subsidiary keys to the control and monitoring elements (8 to 24).
  5. Method according to one of claims 1 to 4,
    characterised in that
    with the transmission of their associated master key (A to E, N, X, Y) and where applicable with the acknowledgement of the transmission the control and monitoring elements (8 to 24) are blocked for a new transmission of their master key (A to E, N, X, Y).
  6. Method according to one of claims 1 to 5,
    characterised in that
    a missing master key (A to E, N, X, Y) required for generating the signal aspect can be replaced by an intervention key explicitly transmitted by a monitoring entity.
  7. Method according to one of claims 1 to 6,
    characterised in that
    the control and monitoring elements (8 to 24) which have sent their respective master keys (A to E, N, X, Y) and any further subsidiary keys (Cli, Cre, Eli, Ere) to the signal aspect generator (30, 32) cyclically confirm the acknowledgement of the transmitted master key (A to E, N, X, Y) and any further subsidiary keys (Cli, Cre, Eli, Ere) to the signal aspect generator (30, 32).
  8. Method according to one of claims 1 to 7,
    characterised in that
    the master keys (A to E, N, X, Y) sent for the purpose of setting a route (FS) and any further subsidiary keys (Cli, Cre, Eli, Ere) are returned after travel over the set route (FS) has been completed.
  9. Method according to one of claims 1 to 7,
    characterised in that
    the master keys (A to E, N, X, Y) sent for the purpose of setting a route (FS) and any further subsidiary keys (Cli, Cre, Eli, Ere) are returned to the respective control and monitoring elements (10 to 18, 22) section by section according to the rail vehicle's progress in travelling on the set route (FS).
  10. Method according to one of claims 1 to 9,
    characterised in that
    the signal aspect generator (30, 32) executes an algorithm which is specified for the requested route (FS) and which checks the presence of the requisite master keys (A to E, N, X, Y) as well as any subsidiary keys (Cli, Cre, Eli, Ere).
  11. System for secure setting of a route for a rail vehicle, wherein the route is assigned control and monitoring elements involved in the routes as well as any of their states corresponding to the respective route,
    characterised in that
    each control and monitoring element is assigned a unique master key and any unique subsidiary keys corresponding to the possible states, said system comprising:
    a) a control centre in which the route to be travelled by the rail vehicle can be requested;
    b) a communication unit by means of which a message can be transmitted over a communication network to the control and monitoring elements involved in the requested route;
    c) control and monitoring elements which are equipped with computing means with the aid of which, in response to the transmitted message, their respective availability for setting the state provided for the route can be checked,
    wherein in the event of the respective availability the computing means set the requisite state or, as the case may be, verify the presence of the state required for setting the route and wherein if the said availability is present the master key and any further subsidiary keys can be transmitted with the aid of the computing means over the communication network by each of the control and monitoring elements involved in the route; and
    d) a signal aspect generator by means of which a signal aspect for the requested route associated with the request for the route can be generated only if the master keys assigned to said route and any further subsidiary keys are transmitted in full.
  12. System according to claim 11,
    characterised in that
    a signal aspect generator can be defined for each route, wherein within the scope of the message it can be communicated to the control and monitoring elements involved in the route to which signal aspect generator the respective master keys and where applicable the respective subsidiary keys are to be sent.
  13. System according to claim 12,
    characterised in that
    the signal aspect generator is associated with the control element which outputs the respective signal aspect visually at a signal.
  14. System according to claim 12,
    characterised in that
    the signal aspect generator is associated with the control element which passes on the respective signal aspect to a higher-ranking entity for wireless transmission to an onboard computer of the rail vehicle.
  15. System according to one of claims 11 to 14,
    characterised in that
    the master keys and any subsidiary keys present are generated in accordance with a secure coding method (CRC, MD4) and checked for authenticity by the signal aspect generator.
  16. System according to one of claims 11 to 15,
    characterised in that
    the signal aspect generator acknowledges the receipt of an authenticatable master key and any further authenticatable subsidiary keys to the control and monitoring elements.
  17. System according to one of claims 11 to 16,
    characterised in that
    with the transmission of their associated master key and where applicable with the acknowledgement of the transmission the control and monitoring elements are blocked for a new transmission of their master key.
  18. System according to one of claims 11 to 17,
    characterised in that
    a monitoring entity replaces a missing master key required for generating the signal aspect desired with the request for the route as well as any subsidiary key with an explicitly transmitted intervention key.
  19. System according to one of claims 11 to 18,
    characterised in that
    the control and monitoring elements which have sent their respective master keys and any further subsidiary keys to the signal aspect generator cyclically confirm the acknowledgement of the transmitted master key and any further subsidiary keys to the signal aspect generator.
  20. System according to one of claims 11 to 19,
    characterised in that
    the signal aspect generator returns the master keys sent for the purpose of setting a route and any further subsidiary keys to the respective control and monitoring elements after travel over the set route has been completed.
  21. System according to one of claims 11 to 20,
    characterised in that
    the signal aspect generator returns the master keys sent for the purpose of setting a route and any further subsidiary keys to the respective control and monitoring elements section by section according to the rail vehicle's progress in travelling on the set route.
  22. System according to one of claims 11 to 21,
    characterised in that
    the signal aspect generator executes an algorithm which is specified for the requested route and which checks the presence of the master keys required for the granting of a permit to travel over the requested route as well as any subsidiary keys.
EP08002440A 2008-02-11 2008-02-11 Method and device for secure setting of a route for a rail vehicle Not-in-force EP2088051B1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP08002440A EP2088051B1 (en) 2008-02-11 2008-02-11 Method and device for secure setting of a route for a rail vehicle
DE502008003266T DE502008003266D1 (en) 2008-02-11 2008-02-11 Method and device for the safe setting of a road for a rail vehicle
AT08002440T ATE506241T1 (en) 2008-02-11 2008-02-11 METHOD AND DEVICE FOR SAFE ADJUSTMENT OF A ROAD FOR A RAIL VEHICLE

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP08002440A EP2088051B1 (en) 2008-02-11 2008-02-11 Method and device for secure setting of a route for a rail vehicle

Publications (2)

Publication Number Publication Date
EP2088051A1 EP2088051A1 (en) 2009-08-12
EP2088051B1 true EP2088051B1 (en) 2011-04-20

Family

ID=39590280

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08002440A Not-in-force EP2088051B1 (en) 2008-02-11 2008-02-11 Method and device for secure setting of a route for a rail vehicle

Country Status (3)

Country Link
EP (1) EP2088051B1 (en)
AT (1) ATE506241T1 (en)
DE (1) DE502008003266D1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4234361A1 (en) * 2022-02-25 2023-08-30 ALSTOM Holdings Method for controlling a plurality of track devices and railway control system

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2253524B1 (en) * 2009-05-19 2012-07-04 Siemens Schweiz AG Method and system for adjusting a route for rail-based traffic
DE102014212516A1 (en) * 2014-06-27 2015-12-31 Siemens Aktiengesellschaft Checking the authenticity of a balise
DE102015004068A1 (en) * 2015-03-30 2016-10-06 PINTSCH TIEFENBACH GmbH Method and system for operating a track system
DE102017201892A1 (en) 2017-02-07 2018-08-09 Siemens Aktiengesellschaft Method and device for adjusting at least one route of a railway installation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6556898B2 (en) * 2001-05-18 2003-04-29 Bombardier Transportation Gmbh Distributed track network control system


Also Published As

Publication number Publication date
EP2088051A1 (en) 2009-08-12
DE502008003266D1 (en) 2011-06-01
ATE506241T1 (en) 2011-05-15

Similar Documents

Publication Publication Date Title
EP3247609B1 (en) Method and device for automatically influencing track-bound vehicles
EP3541682B1 (en) Train-oriented line safety logic for railway safety systems
EP3782870B1 (en) Method and route control centre for operating a railway track
DE102013101927A1 (en) Device for automatically controlling rolling stock of train e.g. locomotive, has train end monitor attached with rolling stock of train, where device detects whether train end monitor is attached with rolling stock of train
EP2088051B1 (en) Method and device for secure setting of a route for a rail vehicle
EP2874857B1 (en) Operating a rail vehicle by means of an etcs device, railvehicle and apparatus
EP2870047B1 (en) Operation of a rail vehicle
DE102008045050A1 (en) Method for automatic train control in European train control system track, involves using identical procedures for formation of telegrams to control balises for point-like automatic train control and wireless-based automatic train control
EP3782869B1 (en) Train control system and method for controlling a train within a train control system
DE102012202046A1 (en) System for controlling, securing and / or monitoring lanes of track-bound vehicles and method for operating such a system
EP4079600A1 (en) Method for optimising occupancy assessment when issuing permission for a railway vehicle / train to proceed with a train ahead
EP2663483B1 (en) Arrangement for european train control system level 2 (etcs l2) train control
DE102019204135A1 (en) Method for the mixed operation of a track-bound route section with a switch as well as a route section and a switch
EP2819907B1 (en) Method for the auxiliary operation of a track element and operation control system
WO2017153132A1 (en) Track installation and method for operating a track installation
EP1892171A1 (en) Method for operation of an interlocking system and method for operation of a central control station
DE102004057907A1 (en) Shunting coordination process for rail vehicles involves passing specific protocol to relevant section control center
EP3109127A1 (en) Method for signalling an expansion of a movement authority from a route control station to a positioning body
EP3925851A1 (en) System and method for entry control of a rail vehicle
EP3221205B1 (en) Method and device for blocking and signaling a track section equipped with axle counters
EP1561663A1 (en) Train integrity monitoring system and method
EP4059807A1 (en) Method for optimized allocation of movement authority for a rail vehicle/train
DE102016217900A1 (en) Monitoring a rail vehicle
EP3943363B1 (en) Railway control system with restriction
DE102016217913A1 (en) Monitoring a rail vehicle

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

17P Request for examination filed

Effective date: 20100208

17Q First examination report despatched

Effective date: 20100309

AKX Designation fees paid

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative's name: SIEMENS SCHWEIZ AG

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

Free format text: LANGUAGE OF EP DOCUMENT: GERMAN

REF Corresponds to:

Ref document number: 502008003266

Country of ref document: DE

Date of ref document: 20110601

Kind code of ref document: P

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 502008003266

Country of ref document: DE

Effective date: 20110601

REG Reference to a national code

Ref country code: NL

Ref legal event code: VDEP

Effective date: 20110420

LTIE Lt: invalidation of european patent or patent extension

Effective date: 20110420

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110822

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

REG Reference to a national code

Ref country code: IE

Ref legal event code: FD4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110721

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110820

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110731

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

26N No opposition filed

Effective date: 20120123

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 502008003266

Country of ref document: DE

Effective date: 20120123

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

BERE Be: lapsed

Owner name: SIEMENS SCHWEIZ A.G.

Effective date: 20120228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120229

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20120211

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20121031

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120211

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120229

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110720

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110420

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120211

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20080211

REG Reference to a national code

Ref country code: CH

Ref legal event code: PUE

Owner name: SIEMENS MOBILITY AG, CH

Free format text: FORMER OWNER: SIEMENS SCHWEIZ AG, CH

REG Reference to a national code

Ref country code: DE

Ref legal event code: R082

Ref document number: 502008003266

Country of ref document: DE

Representative's name: FISCHER, MICHAEL, DR., DE

Ref country code: DE

Ref legal event code: R081

Ref document number: 502008003266

Country of ref document: DE

Owner name: SIEMENS MOBILITY AG, CH

Free format text: FORMER OWNER: SIEMENS SCHWEIZ AG, ZUERICH, CH

REG Reference to a national code

Ref country code: AT

Ref legal event code: PC

Ref document number: 506241

Country of ref document: AT

Kind code of ref document: T

Owner name: SIEMENS MOBILITY AG, CH

Effective date: 20190612

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: AT

Payment date: 20220110

Year of fee payment: 15

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20220419

Year of fee payment: 15

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: CH

Payment date: 20220509

Year of fee payment: 15

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 502008003266

Country of ref document: DE

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: AT

Ref legal event code: MM01

Ref document number: 506241

Country of ref document: AT

Kind code of ref document: T

Effective date: 20230211

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20230228

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20230228

Ref country code: AT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20230211

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20230901