EP2125482B1

EP2125482B1 - Vital solid state controller

Info

Publication number: EP2125482B1
Application number: EP07866027.1A
Authority: EP
Inventors: David Baldwin; Ahtasham Ashraf
Original assignee: Central Signal LLC
Current assignee: Central Signal LLC
Priority date: 2006-12-22
Filing date: 2007-12-26
Publication date: 2014-05-14
Anticipated expiration: 2027-12-26
Also published as: CA2710041C; EP2125482A4; EP2125483A4; EP2125483B1; WO2008080169A1; CA2710038A1; CA2710038C; EP2125483A2; EP2125482A1; CA2710041A1; ATE549228T1

Abstract

A vital programmable logic device (VPD) is provided having at least two microprocessors. The VPD is configured to provide failsafe operation of a vital control system while operating in a closed circuit environment. In at least one embodiment of the present invention, railroad grade crossing signals are controlled by the VPD.

Description

The present invention relates to supervisory control systems. More specifically the present invention relates to an improved and cost effective vital programmable logic controller system.

BACKGROUND OF THE INVENTION

Conventional programmable logic controllers (PLC) are prevalent in various industries since they can provide a means for intelligently controlling, among other things, mechanical and electrical processes. Consistency and reliability of specific types of PLCs affects their use within process control applications. It is common for known PLCs to be sufficiently functional for a variety of uses, including traffic control, production and assembly lines, and electromechanical machinery control. However, PLCs have not been deemed suitable for use in railroad signal systems based in part upon the non-vital nature of known PLCs.
Railroad grade crossings often involve motor vehicle traffic that cross railroad tracks, the situs of which is notorious for motor vehicle-train collisions. A variety of warning systems intended to warn vehicle operators of approaching trains have employed two major warning systems. These major warning systems include an audible signal sent from the train itself and a visual warning signal located at the site of the grade crossing. The visual warning system almost always includes passive markings (road signs, roadway painted markings, etc.), but active markings (drop down gates, flashing lights, etc.) are not always employed.
Visual railroad signaling device functionality is often governed by national and/or local governing body signaling standards. By example, within the United States, any device designed for railroad signal service must conform to established federal, state and railroad signal standards for design and operation of the signaling devices. It is often the case that an audible signal and/or passive warning methods are not sufficient to provide a motor vehicle operator with sufficient time to avoid a collision. In the case of those crossings that do not have an active vital and preemptive visual warning system, the likelihood of a collision is increased significantly. It is therefore advantageous to provide an active vital and preemptive visual warning system. However, it is cost prohibitive for every grade crossing to have an active vital and preemptive warning system that adheres to the local signaling standards. It is advantageous to provide a cost effective active vital and preemptive warning system.
German Patent Application DE 195 32 640 A1 discloses a device that allows transmission of test data (P1,P2) from at least two independent, parallel, processors via a single transmission channel by inverting each test data, before inverting selected bits of each inverted test data using different maskings (M1,M2), with the results combined to provide a new test data (P1/P2). The new test data is transmitted along a single transmission channel together with the useful data (N1) from one of the processors via a common output channel for both processors.
Railroad signal standard practice for the design and function of signal systems is based upon the concept of a vital system. A vital system is often characterized as being failsafe and consistent with the closed circuit principle. A signal design is failsafe if the failure of any element of the system causes the system to revert to its safest condition. Operation at the safest condition is often activation of the warning system. In the case of railroad signal systems, failsafe design requires that if any element of the active system cannot perform its intended function that the active crossing warning devices will operate and continue to operate until the failure is repaired. In the case of railroad wayside signal systems, failsafe design requires that if any element necessary to the safe and proper operation of the system cannot perform its intended function that the system will revert to the safest condition, i.e. a red signal indicating stop or proceed at restricted speed according to rules is in effect. A signal design is in conformance with the closed circuit principle when the components of the system do not share elements which could afford alternative energy or logic paths, as these elements would violate the failsafe principle. It would be highly advantageous to employ cost effective and failsafe vehicle detection systems using microprocessors or PLCs.

SUMMARY OF THE INVENTION

The present invention comprises an apparatus according to claim 1 and a method for controlling a vital active warning device adjacent to a railroad track according to claim 12.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the invention are described below with reference to the following accompanying drawings, which are for illustrative purposes only. Throughout the following views, reference numerals will be used in the drawings, and the same reference numerals will be used throughout the several views and in the description to indicate same or like parts.

Fig. 1 shows a block diagram of the vital processing device (VPD) in accordance with at least one embodiment of the invention.
Fig. 2 is an alternative embodiment block diagram of the VPD of Fig. 1.
Fig. 3 is a schematic block diagram representing the device output control in accordance with at least one embodiment of the present invention.
Fig. 4 is a flow diagram of a health check protocol in accordance with at least one embodiment of the present invention.
Fig. 5 is a graphical representation of a system input/output schema in accordance with at least one embodiment of the invention.
Fig. 6 is a timing diagram representing a state of the system based upon the input and output of the system, in accordance with at least one embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

Referring to Figs. 1-2. In one aspect of the invention, a vital solid state processing device (VPD) 10 is provided. The device 10 includes a first controller 12, second controller 14, a first vital input 16, a second vital input 18, a third vital input 20, an optional fourth vital output 22, a first vital output 24, a second vital output 26, a third vital output 28, an optional fourth vital output 30, a health check line 32 and a third controller 34. Alternatively, greater than 3 vital input and vital output lines can be employed. The number of vital inputs and vital outputs is determined by the specific application requirements, and can be greater than about 3 inputs and 3 outputs depending upon the specific use requirements of the device 10. The device can be configured to provide independent and redundant processing of input states thereby configured such that the VPD output is not logically high if any hardware or component in the path between the output and the associated input is damaged, missing, or otherwise nonfunctional.
The device 10 also includes a communication port 36, memory module 38, real time clock (RTC) 40, battery 42 for back up power, a user interface 44, a radio module 46, GPS module 48, and a Bluetooth module 50 operably connected to the third controller 34, and alternatively operably connected to the first controller 12, second controller 14, or a combination of the three controllers 12, 14, 34.
The inputs 16, 18, 20, and 22 represent signals received from vital railroad relays (not shown) or alternative signal sources. Railroad relays are often existing devices connected to most railroad tracks. The relays are located near railroad grade crossings and can be utilized for active grade crossing warning systems. The device 10 outputs 24, 26, 28, 30 represent the vital outputs from the system 10 to system devices (not shown) such as, by example, drive relays and warning signals, which can include active grade crossing devices. In the system 10 default position, the grade crossing devices (not shown) are not activated when the outputs 22, 24, 26 are energized. Any of the outputs 24, 26, 28, 30 can be assigned to provide an output which corresponds to the health check line 32. Alternatively, the controllers 12, 14, 34 can be suitable microprocessors known within the art.
The two independent controllers 12, 14 of the system independently receive the same vital inputs 16, 18, 20, 22 and execute the timing functions, resulting in the outputs 24, 26, 28, 30. The controllers 12, 14 are completely redundant. In an alternative embodiment, the controllers 12, 14 can be logically redundant while having the capability to perform non-redundant processes. In yet another alternative embodiment, the system 10 can have more than two redundant controllers, and by example have three or four redundant controllers. The third controller 34 is operably connected to the first and second controllers 12, 14 and is configured to execute and control the housekeeping functions of the system 10. By example, housekeeping functions can include system data logging to memory 38, external communication and various other system functions. The third controller 34 is operably connected to and in communication with the GPS module 48 and Bluetooth module 50. Access to the system 10 can be password protected in order to prevent unwarranted access. The controllers 12, 14, 34 each can be a single processor package, or alternatively be multiple processors. Alternatively, the system 10 can provide redundant processing of all vital inputs and complementary control of vital outputs (Fig. 2), the device 10 being configured for vitality.
The user interfaces with the system 10 by providing input to the system via the interface 44. The user can choose to set the device timing parameters, login to the device, change the device authorization, initiate data log collection, display the logic states or display the state of the device. The interface 44 provides the user the ability to select varying operation parameters of the system 10 depending upon the particular characteristics of the signaling devices or grade crossing for which it serves. The memory module 38 can be used to store logged data identifying vital timing states. The communication devices 36, 46, 48, 50 can be employed to show real time device activity and remotely retrieve logged data, in addition to other interface connectivity purposes with the device 10.
The VPD 10 can be operably connected to a computer or suitable computing device (not shown) through communication port 36. A user can access the device 10 through the computer's graphical user interface, allowing the user to access various parameters and system functions of the device 10. By example, the user can, among other functions, login into the device, change access authorization, initiate data collection and logging, download device data logs, display the logic states of the device 10, access current or historical data states of the device 10, change device clock and view device data logs. Communication with the system 10 can be configured through the communication port 36, which by example, can be a USB port, an Internet port, or a file writer. System users can select operation parameters of the system 10 depending upon the particular application program and system applications. Logged data, including vital timing states, can be saved to the memory module 38. Multiple VPDs 10 can communicate with each other through the communication means 36, 46, 48, 50, as well as through a hardwire connection. Communication between VPDs 10 can include system data sharing and coordinated operation of devices 10, which can be operably connected to one or more networks.
Referring to Figure 3, the output of microprocessor 12 controls a dedicated relay driver circuit 60 that provides positive referenced energy to the positive terminal of the output 30. The output of microprocessor 14 controls a dedicated relay driver circuit 62 that provides negative referenced energy to the negative terminal of output 30. Should the VPD 10 application program make output 30 directly dependent upon the condition of input 16, the following conditions are employed: 1) Input 16 is connected to the first microprocessor 12 and to the second microprocessor 14 and the intervening components and connections are functional. The components and connections from input 16 to microprocessor 12 are independent of the connections from input 16 to microprocessor 14 to maintain fill redundancy. 2) Microprocessor 12 executes the same application program as microprocessor 14. 3) The operating clock of microprocessor 12 coincides with the operating clock of microprocessor 14 and the operating clock of microprocessor 14 coincides with the operating clock of microprocessor 12. 4) The positive relay driver circuit 60 and terminal of output 30 are connected to microprocessor 12. The negative relay driver circuit and terminal of output 30 is connected to microprocessor 14. Damage to or failure of any component in the input or output circuit of either microprocessor or the failure of either of the microprocessors will result in no energy at output 30 regardless of the status of input 16. Output 30 will be energized only if input 16 is energized and the VPD 10 is operating properly.
In an alternative embodiment, an output 24, 26, 28, 30 can represent a signal to a preemption signal device (not shown). When the output 24, 26, 28, 30 is de-energized the preemption signal device is activated. Preemptive signal devices include, by example, flashing light signals and other methods to warn motor vehicle operators that grade crossing signals will shortly be activated. The preemption signal devices are activated based upon a timing protocol that is predetermined by the system 10 user. Grade crossings are located in a wide variety of locations and under varying circumstances. Grade crossings can be in close proximity to alternate vehicle intersections, grade crossings can be located at varying distances from each other, and the location of the crossing can be with in an area of the railroad tracks that consistently has high or low speed locomotives.
In an alternative embodiment, a system output represents a signal to a crossing control device, by example, this can include mechanical devices for impeding vehicle traffic and flashing light signals used to prevent vehicles from traveling across a grade crossing when a locomotive is approaching. The control devices are representative of active warning systems known in the art. Active warning systems that impede traffic from traveling through the crossing are not utilized at all railroad grade crossings. At least one embodiment of the present invention provides a cost effective and novel system that will provide a solution for placing active preemptive warning systems at crossings that are currently limited to passive warning systems.
A VPD 10 application program can provide multiple independent and programmable timers convenient to systems control applications. A timer example application in which the condition of an assigned output corresponding to a specific input is delayed by either a predetermined or user selected value for the purpose of eliminating the unwanted effects of intermittent interruption of the input signal are contemplated. A further example is a timer application in which the condition of the assigned output(s) corresponding to specific inputs or sequential input changes, is maintained for a specific period or interrupted after a specific period. The period length can be either a programmed fixed variable or a user input variable.
Alternatively, the VPD 10 application program can identify and process sequential input changes to control conditions of assigned outputs. By example, the application compares the sequential status of two or more inputs to determine the condition of an assigned output. This feature allows the VPD 10 to provide a logical output that corresponds to directional movement of a vehicle, such as a locomotive or motor vehicle.
The VPD 10 can be configured to provide vital control for any control system application. The VPD 10 can be configured to provide single vital input control of multiple vital outputs. The VPD 10 can also be configured to allow a user to specify the sequence, delay, dependence or independence of controlled outputs. There is no limit to the number of software timers or alarms that can be defined. The VPD 10 utilizes redundant microprocessors 12, 1.4, each running the same application and each checking the health of the other processor to ensure integrity and vitality. The application program assigns the condition of specific outputs to be dependent upon the condition of specific inputs. The application program incorporates timers and sequential logic to define the input -output relationship. Each output provides a discrete positive and negative. Each output is hardware independent and electrically isolated from every other output. Each microprocessor receives identical information from each input and each microprocessor executes the same application program logic. Furthermore, the output of microprocessor 12 is identical to the output of the microprocessor 14.
In at least one embodiment of the present invention, the VPD 10 can be programmed by the user for a particular application through use of a Ladder Logic based programming Integrated Development Environment (IDE). The IDE provides advanced ladder logic editing, compiling, debugging, assembly and program download features. The editor, or system user, can provide a set of configurable blocks which can be arranged into a ladder logic program. These blocks can include Normally Open, Normally closed, Timers, Counters, Set, Reset, Single Output Up, Single Output Down, Data Move, Data Comparison, Data Conversion, Data Display, Data Communication and Binary Arithmetic tools. The editor also provides rich editing and ladder formatting tools. The compiler checks for syntax errors in the ladder program and generates mnemonics in case there are no syntax errors. The Assembler converts the program into a device specific hex file which is downloaded into the device using the program downloader built into the IDE. The ladder logic programming can also offer advanced debugging features for this dual controller based vital processing device. It can be configured for step by step debugging with real-time updates on the ladder blocks.
Now referring to Figure 4, an embodiment of the VPD 10 input and output scheme is provided. From the VPD start position 64 the health check protocol is initiated at step 66. If the health check is not confirmed then all outputs are de-energized at step 68. As a result of the outputs being de-energized the safest state of the VPD 10 occurs, and energy to any vital device controlled by any of the VPD 10 is removed. Deactivation of the VPD outputs in the event of a failed VPD health check 66 is consistent with the failsafe principles of the VPD 10. Subsequently, the VPD 10 identifies whether any input 16, 18, 20, 22 is energized at step 70. The application program is executed 72 and outputs are energized 74 consistent with the condition of the inputs mediated by the program logic. The VPD 10 then loops back to the health check step 66.
One system output 26 represents the result of the health check protocol that is executed by each of the controllers 12, 14. Output 26 is dedicated to vital relays with the purpose of indicating system 10 vitality. The controllers check the operations parameters through a health check monitor 32. The health check protocol is designed to monitor and compares the clock frequencies for each of the controllers. In the event that the clock frequencies of the two controllers are not consistent, the health check protocol causes the output 26 to become de-energized. Alternatively, if the monitoring function of the health check protocol identifies a problem with one or both of the controllers then output 26 is de-energized. In most situations the health check parameters are satisfied and output 26 remains energized. In the present embodiment, the health check is constantly maintained by the redundant controllers 12, 14 by exchanging precisely timed heartbeats.
In an alternative embodiment, a health-check protocol is executed separately by two independent microprocessors 12, 14. The health check protocol is configured to monitor and compare the clock frequencies for each of the controllers 12, 14, 34. In the event that the clock frequencies of the two controllers are not consistent, the health check protocol causes one of the designated vital outputs to become de- energized. Alternatively, if the monitoring function of the health check protocol identifies a problem with one or both of the microprocessors then health check output is de-energized. During normal system 10 operating conditions, the health check parameters are satisfied and the health check output remains energized. In the present embodiment, the health check is constantly maintained by the redundant controllers 12, 14 by exchanging precisely timed heartbeats.
Now referring to Figure 5, an embodiment of the VPD 10 health check scheme is described. The microprocessors 12 and 14 exchange an independently generated, precisely timed heartbeat clock which can have a time period of 1 second. The health check protocol is designed to keep check on the performance of timers and events that form the basis of any operational logic of an application. Delays and variations in timers' execution can result in compromise of the device vitality. Various hardware, software and environmental conditions pertaining to the device can result in timer variations and hence the dual redundant nature of the design of the VPD 10 is configured to address and counter such discrepancies. A Master timer in each microprocessor is used to update the heartbeat and other program timers simultaneously. Any shift in the Master timer will result in proportional drift in the heartbeat timer as well as other program timers. Both microprocessors will monitor this drift and upon exceeding a defined limit will generate a fault condition. Accurate timer operations ensure vital device operation.
In an alternative embodiment, the VPD 10 has an onboard GPS module for providing location, speed and direction of travel information. The microprocessor 34 requests the information from the GPS receiver through a communication port 36 (by example, serial RS232) and forwards it to the microprocessors 12 and 14. The information about speed, location and travel direction can be used by in a number of ways by the device depending on the application at hand. Bluetooth module 50 provides authenticated short range two way communication with a laptop, PDA, Smartphone, keypad or alternative mobile computing device. The Radio module 46 can be used for communication with a remote device, another VPD or other devices communicating on the same radio band. A graphical user interface discussed earlier can be used for changing the VPD 10 parameters. This user interface can be used on a laptop as well as a PDA or a Smartphone through the Bluetooth module 50 for parameter updates. A commercially available Bluetooth keypad/keyboard can be paired up with the VPD Bluetooth module 50 to provide user input options for a certain application.
In an alternative embodiment, the system 10 is configured to provide advance preemption and crossing signal control logic from the same track relay circuit. The system 10 further provides multiple independent and programmable loss of shunt timers in a single device. Additionally, the system 10 provides directional logic and programmable release timer functions in a single device.
Now referring to Figure 6, an alternative embodiment of the timing function is depicted. The user can select from several timing functions, rather than a pre-selected timing function. By example, a first timing function is a delay timer for output 24, which delays the operation of a crossing control with respect to the operation of preemption signals. An output delay timer is initiated by one of two situations, when input 16 or input 24 are de-energized. Upon the completion of the delay timer, output 24 is de-energized. The duration of this timer is user programmable and can be dependent upon a specific type of crossing. By example, a track section can receive fast moving trains, therefore it is necessary to delay the crossing control device for a shorter period of time than a track section that can receive slower moving trains. In an alternative embodiment, the system 10 can dynamically adjust the delay duration based upon the information received from the track relays on the inputs 16, 18, 20.
A second timing function can include an input interrupt delay timer. When any de-energized input is energized, an input interrupt delay timer that is dedicated to that specific input is initiated. The duration of this timer can be user programmable to increase the adaptability of the system. Regarding the timer, the input change is not processed until the timer has elapsed.
A third timing function can include an input sequence delay output timer. Upon the failure of either microprocessor to pass the health check protocol, energy is removed from all outputs. A sequence delayed output timer is initiated when inputs have been de-energized in two specific sequences: input 18, then input 16 de-energized followed by input 18 energized; or input 18, then input 20 de-energized followed by input 18 energized. Once the sequence delayed output timer is initiated output 24 and output 26 are energized upon reenergizing input 18. The sequence delay output timer can be user programmable.
During the operation of the sequence delay output timer the system will function as follows: input 20 and input 18 are energized and input 16 is de-energized. Output 24, output 26 and output 28 are also energized. Alternatively, input 16 and input 18 are energized and input 20 is de-energized and output 16, output 18 and output 20 energized. Upon the completion of the sequence delay output timer, if input 16 or input 20 is de-energized, then output 24 and output 26 are immediately de-energized. If all inputs are energized before completion of the sequence delay timer, output 24 and output 26 remain energized.
In an alternative embodiment of the system 10, isolated vital input and output relay terminals are included. This will allow for the system 10 to be retrofit into pre-existing grade crossings.
In at least one embodiment, the vital timing device 10 can be configured with at least four vital inputs and four vital outputs. The number of inputs is greater than the number of outputs, as each vital output has an associated input as a feedback to check the actual operation of the device attached to the corresponding output. The device has a small time window to confirm the agreement between a Vital Output and the associated feedback Input. Alternatively the device has less than four inputs and less than four outputs. In an alternative embodiment there are greater than four inputs and greater than 4 outputs.
In at least one embodiment of the present invention, the system 10 is designed for a railroad signal environment to perform vital signal functions. The primary application for the device is to enable the use of a single conventional track relay circuits to provide advance preemption of highway traffic light signals and initiate operation of highway-railroad grade crossing signals. In this application, the system 10 enhances the operational safety of the conventional circuit by providing vital loss of shunt timer function for each track relay input. The system 10 provides train movement directional logic, thereby eliminating at least two vital railroad relays and provides a vital directional logic release timer function which causes the crossing signals to operate should the receding track relay circuit fail to recover within a predetermined time following a train movement. In an alternative embodiment, the system 10 can be configured for a variety of control systems. By example, the system 10 can be configured for roadway motor vehicle traffic control systems. In yet another alternative embodiment, the system 10 can be configured for control systems not associated with vehicle detection, but where a cost effective vital logic controller system is advantageous.
Where traffic light signal preemption is necessary, any conventional signal track circuit or motion sensor is adequate to simultaneous preemption of the traffic light signals with the activation of the railroad crossing signals. Where it is desired for motor vehicle traffic light signal preemption to begin in advance of the operation of the railroad crossing signals, the only device available which also provides motion sensing features is a constant warning device with auxiliary programmable modules. As a result, the conversion from simultaneous to advance traffic signal preemption requires replacement of the motion sensor with a grade crossing predictor. The system 10 provides another solution. If the system 10 is controlled by the motion detector relay, the VPD can be programmed to provide a fixed amount of delay prior to the interrupt of the vital output which controls the operation of the railroad crossing signals. The system 10 vital output controlling the traffic light signals would initiate preemption as soon as the motion detector relay input is removed from the system 10. Railroad rules require that trains stopped or delayed in the approach to a crossing equipped with signals can not occupy the crossing until the signals have been operating long enough to provide warning (GCOR, 5^th Ed. - 6.32.2). Because of this rule the VPD provides a feature for advance preemption of traffic light signals that is not available from constant warning devices: advance preemption time, that is, the time between the initiation of traffic light signal preemption and operation of crossing signals is a constant and always the same regardless of train position. Constant warning devices do not provide this feature. When a train is delayed or stopped or reverses direction and then resumes approach to the crossing at a distance from the crossing that is at or less than the programmed required warning time for the crossing signals, as calculated by the constant warning device traffic light signal preemption is simultaneous. If the distance from the train to the crossing exceeds the crossing programmed warning time calculation the amount of advance preemption time is reduced proportional to the distance of the train from the crossing when it resumes its approach.
It is specifically intended that the present invention not be limited to the embodiments and illustrations contained herein, but include modified forms of those embodiments including portions of the embodiments and combinations of elements of different embodiments as come within the scope of the following claims.

Claims

An apparatus comprising a vital processing device (10) coupled to a railroad signaling device coupled to a railroad track, the vital processing device (10) configured to receive an input signal set comprising one or more input signals representing one or more conditions on the railroad track, the vital processing device (10) wherein:
a first controller device (12) configured to perform a first logic process using the input signal set to generate a first controller device output signal;

a second controller device (14) configured to perform the first logic process using the input signal set to generate a second controller device output signal; and

health check apparatus (32) configured to perform integrity testing of the first and second controller devices (12, 14);

wherein the first and second controller devices (12, 14) do not share components affording alternative energy or logic paths;

further wherein the vital processing device (10) sets the railroad signaling device to a railroad signaling device safest condition if at least one of the following occurs:
failure of one or more components of the vital processing device (10);

integrity testing failure by one or more of the first and second controller devices (12, 14); and

further wherein, when the first and second controller devices (12, 14) both pass integrity testing, and when there is no component failure within the vital processing device (10), the first and second controller device output signals are identical, are a function of the input signal set, and are used to control the railroad signaling device; characterized in that

the first controller device output signal of the first controller device (12) is provided to a first system device driver circuit (60) that generates positive referenced energy and the second controller device output signal of the second controller device (14) is provided to a second system device driver circuit (62) that generates negative referenced energy.
The apparatus of claim 1 wherein the first and second controller devices (12, 14) wherein the first and second controller devices (12, 14) are:
a pair of duplicate microprocessors;

a pair of duplicate programmable devices;

two microprocessors programmed to perform duplicate logic processing;

two programmable devices programmed to perform duplicate logic processing; or

identical, distinct logic devices.
The apparatus of any one of claims 1 to 2 wherein:
the first system device driver circuit (60) enables a current generating a first discrete DC voltage signal when the first controller device output signal is high and further wherein the first system device driver circuit (60) prevents current flow to generate any DC voltage signal when the first controller device output signal is low; and

the second system device driver circuit (62) enables a current generating a second discrete DC voltage signal when the second controller device output signal is high and further wherein the second system device driver circuit (62) prevents current flow to generate any DC voltage signal when the second controller device output signal is low;

wherein the first and second discrete DC voltage signals are required to produce a current flow and voltage differential to energize a relay in the railroad signaling device.
The apparatus of any one of claims I to 3 wherein the first system device driver circuit comprises an emitter follower transistor configuration (60), and further wherein the second system device driver circuit comprises an emitter follower transistor configuration (62).
The apparatus of any one of claims 1 to 4 wherein the first system device driver circuit (60) comprises an opto-isolator configuration, and further wherein the second system device driver circuit (62) comprises an opto-isolator configuration.
The apparatus of any one of claims 1 to 5 wherein the vital processing device (10) is further characterized by a third controller device (34) coupled to the first and second controller devices (12, 14), wherein the third controller device (34) performs one or more of the following:
controlling housekeeping functions for the first and second controller devices (12, 14);

permitting communications with a computer external to the vital processing device (10);

permitting communications with one or more other vital processing devices;

providing a user interface to control one or more of the following:
setting vital processing device timing parameters;

logging in to the vital processing device (10);

changing vital processing device authorization;

initiating data log collection;

device data logging and retrieval;

displaying logic states;

displaying one or more vital processing device states;

setting vital processing device operating parameters;

providing memory for storing data regarding the vital processing device (10).
The apparatus of any one of claims 1 to 6 wherein the health check apparatus comprises a pair of health check lines coupling the first controller device coupled to the second controller device, and further wherein integrity testing comprises at least one of the following:
monitoring independently generated, timed heartbeats of the first controller device and independently generated, timed heartbeats of the second controller device;

comparing independently generated, timed heartbeats of the first controller device and independently generated, timed heartbeats of the second controller device;

identifying a problem with at least one of the first and second controller devices using independently generated, timed heartbeats of the first controller device and independently generated, timed heartbeats of the second controller device.
The apparatus of any one of claims 1 to 6 wherein the health check apparatus is characterized by:
the first controller device (12) monitoring and checking the integrity of heartbeats generated by the second controller device (14); and

the second controller device (14) monitoring and checking the integrity of heartbeats generated by the first controller device (12).
The apparatus of any one of claims 1 to 8 wherein each input signal is a vital railroad track relay signal.
The apparatus of any one of claims 1 to 9 wherein the first and second controller devices (12, 14) are configured to provide independent and redundant processing of the input signal set.
The apparatus of any of claims 1-10 wherein the railroad signaling device comprises at least one of the following: a railroad track crossing warning device; a preemption signal device; a railroad track traffic status indicator, wayside signals, power switch control device, directional movement logic.
A method for controlling a vital active warning device adjacent a railroad track, the method comprising:
providing a vital input signal set to a vital processing device (10), the vital input signal set comprising one or more vital input signals from one or more railroad track relays;

the vital processing device (10) performing integrity testing of the vital processing device (10);

when the vital processing device (10) fails integrity testing, the vital processing device (10) causing active warning device safest mode operation;

when a component of the vital processing device (10) fails, the vital processing device (10) causing active warning device safest mode operation;

when the vital processing device (10) passes integrity testing and no component failure occurs, the vital processing device (10) generating a vital processing device vital output signal; and

when the vital processing device (10) does not cause active warning device safest mode operation due to integrity testing failure or component failure, controlling operation of the vital active warning device using the vital processing device vital output signal;

wherein the vital processing device (10) comprises first and second redundant processing units that do not share any element that affords an alternative energy or logic path

further wherein each processing unit performs identical logic processing of the input signal set to generate identical logic processing output signals when the vital processing device (10) passes integrity testing and suffers no component failure;

further wherein a processing device output signal comprising current flow and voltage differential is derived from the identical first and second logic processing output signals;

further wherein the generated identical processing output signals include a first logic processing output signal provided to a first system device driver circuit (60) that generates positive referenced energy and a second logic processing output signal provided to a second system device driver circuit (62) that generates negative referenced energy.
The method of Claim 12 further comprising deriving the vital processing device output signal from identical first and second logic processing output signals by:
providing the first logic processing output signal to the first system device driver circuit (60) in the vital processing device (10) to enable a current flow generating a first discrete DC voltage only when the first logic processing output signal is high; and

providing the second logic processing output signal to the second system device driver circuit (62) in the vital processing device (10) to enable a current flow generating a second discrete DC voltage only when the second logic processing output signal is high;
wherein the first and second discrete DC voltage signals are required to produce current flow and a voltage differential to energize a relay (Figure 2) in the active warning device.