EP2139745A1 - Electronic railway interlocking equipment system - Google Patents

Electronic railway interlocking equipment system

Info

Publication number
EP2139745A1
Authority
EP
European Patent Office
Prior art keywords
branch
vital
computer
executive
control
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP08734294A
Other languages
English (en)
French (fr)
Other versions
EP2139745B1 (de
Inventor
Pavel Doubek
Martin Burda
Pavel Fuchs
Petr Jelinek
Ales Kiml
Lubomir Machacek
Josef Martinec
Jirí TEPLY
Zdenek Veverkova
Miloslav Vlcek
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AZD Praha SRO
Original Assignee
AZD Praha SRO

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L21/00 Station blocking between signal boxes in one yard
    • B61L19/00 Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06 Interlocking devices having electrical operation

Definitions

  • the invention concerns the electronic railway interlocking equipment system, which is comprised of three essential levels, being the commanding level, control level and executive level.
  • the commanding level is comprised of at least one arrangement of operating computers, which contains one active commanding computer and zero or at least one passive commanding computer for displaying only information that is not relevant to signalling.
  • Each commanding computer system is data connected to the control level through a hub, connected to the vital computer of the respective branch for creating the vital core of the control level.
  • the control level can contain further stand-by vital computers for the respective branches, while the executive level is made up of at least one commanding device.
  • relay signalling equipment and electronic interlocking equipment with relay outputs are currently used in the Czech Republic for signalling traffic on railway lines and in railway stations.
  • Relay interlocking equipment no longer fulfils all the required functions at the current time.
  • the logical circuits of relay interlocking equipment are created by strictly specified circuit connections made up primarily of special signalling relays of the 1st group of safety functions. This equipment is produced individually for each and every application and it is difficult to produce it separately for each application. It is also difficult to test this equipment for any production and design flaws in the production phase and when putting it into operation.
  • Relay equipment cannot easily adapt to newly formulated requirements on the activity of interlocking equipment and changes in the railyard. This relay interlocking equipment takes up a large built-up space.
  • the signalling equipment from SIEMENS AG, DE is composed of a special SIMIS processor kit meant for use in interlocking equipment.
  • the equipment works in 2 of 2 or 2 of 3 architecture with identical HW channels equipped with identical SW.
  • the interlocking equipment from Bombardier ATV which works with backed up (duplicate) 2 of 2 architecture with identical HW channels and different software, is also well known.
  • microprocessor interlocking equipment is also well known, primarily for the railway transport of the company CSEE-TRANSPORT. This equipment is comprised of two microprocessors arranged in parallel, the input of which is connected through an analogue-numerical converter to the output of analogue entry sensors.
  • ALCATEL AT's interlocking equipment which works in 2 of 2 architecture in some of its parts and in 2 of 3 architecture in some of its other parts.
  • the control part is made up of four vital computers, which are connected to a vital data network through the vital data network's hubs and to a control data network through the control data network's hubs.
  • branch A's main vital computer and branch B's main vital computer are connected with the vital data network's main hub and the control data network's main hub.
  • branch A's stand-by vital computer and branch B's stand-by vital computer are connected with the vital data network's stand-by hub and the control data network's stand-by hub.
  • the vital data network's main hub is connected to the vital data network's stand-by hub and the control data network's main hub is connected to the control data network's stand-by hub.
  • Branch A's main vital computer and branch A's stand-by vital computer are connected to the executive part, which is made up of at least one executing device.
  • Branch B's main computer and branch B's stand-by computer are connected to the executive part.
  • the vital data network's main hub is connected to at least one arrangement of operating computers, which is made up of at least one commanding computer and possibly at least one passive commanding computer.
  • the vital data network's stand-by hub may be connected to at least one system of commanding computers, which is made up of at least one commanding computer and possibly at least one passive commanding computer.
  • the control part can also be supplemented with a computer for maintenance, which can be connected through a redundant transceiver. In justified cases, the control part can be supplemented with a supervision system, connected by the main bridge or eventually by a stand-by bridge.
  • the equipment controls the connected equipment in a secure manner on the basis of the connected equipment's input data and the operators' requirements.
  • the equipment displays selected information to the operators. This interlocking equipment was successfully implemented in several dozen installations in the Czech Republic and abroad.
  • the executive part is comprised of branch A's executive computer, branch B's executive computer, a block of non-vital outputs, a supply block, a block of vital relay outputs, a block of input indications, a block of vital electronic outputs, a block of branch A's analogue inputs, a block of branch B's analogue inputs, a block of branch A's input indication controls, a block of branch B's input indication controls, a block of branch A's secure electronic output controls and a block of branch B's secure electronic output controls.
  • Branch A's executive computer is connected with the control part, the block of non-vital outputs, supply block, block of secure relay outputs, block of branch A's analogue inputs, block of branch A's input indication controls, block of branch A's secure electronic output controls and branch B's executive computer.
  • Branch B's executive computer is also connected with the control part, the block of non-vital outputs, supply block, block of secure relay outputs, block of branch B's analogue inputs, block of branch B's input indication controls and block of the 2nd branch's electronic output controls.
  • the block of input indications is connected with the block of secure relay outputs, block of secure electronic outputs, a block of branch A's input indication controls and block of branch B's input indication controls.
  • the block of secure electronic outputs is also connected with the block of branch A's vital electronic output controls and the block of branch B's vital electronic output controls.
  • the block of branch A's analogue inputs is also connected with the block of branch B's analogue outputs.
  • the executive level can be positioned for the use of the means of remote data transferral.
  • the strengths of this invention are the backup of the electronic configuration with the use of the possibility of remote control and positioning.
  • the equipment enables the modification of its functions according to the operator's requirements.
  • this interlocking equipment is backed up in such a manner so that any loss of functionality of the backed-up part does not cause a limitation of functions.
  • During several operations of this interlocking equipment a few disadvantages have become apparent.
  • the use of up to four hubs in the control part is a disadvantage. Thus if any of them break down, the control part cannot work in stand-by mode.
  • a breakdown of the executive part leads to a large part of the outer technological equipment being out of operation, which can lead to considerable limitations of railway traffic.
  • Another disadvantage is the impossibility of backing up and merging communication lines connecting the control and executive parts, which is then shown particularly in the demands on the number of means of remote data transmission.
  • the executive level's architectural concept used does not allow a subsequently fast reaction to demands for connecting other types of external technological equipment including adaptations to other railway operators' requirements.
  • Last but not least, the considerable robustness of the executive level and the insufficient elimination of the type N relay (UIC) are disadvantages.
  • the objective of this invention is to discover a processor electronic railway interlocking equipment system that fulfils all the functional requirements placed on this equipment in the Czech Republic and that can easily be modified for the requirements of other railway operators while eliminating the failings and specified disadvantages of the solution according to Czech patent no. 293 635.
  • the executive level of the interlocking equipment is comprised of at least one executive device.
  • the executive device, which is used for issuing non-vital commands, vital contact commands, vital logical commands, vital coded logical commands and vital electronic commands; for reading input logical indications and analogue inputs; and for secure communications with other signalling devices; and which communicates with the control part's vital computer or with the control part's stand-by vital computer
  • the executive device is made up of three basic parts: the control part of the executive device, the executive part of the executive device and the supply part of the executive device.
  • control part of the executive device and the executive part of the executive device are separately operating devices working in a secure manner pursuant to Czech standard CSN 34 2600 and also in accordance with valid European Standards EN 50 126, EN 50 128, 50 129, EN 159-1 and EN 159-2.
  • the control part of the executive device is connected to the control level of the interlocking equipment using two communication channels, the control part of the executive device is connected to the executive part of the executive device using other communication channels and the control part of the executive device is connected to the supply part of the executive device using at least one communication channel.
  • the control part of the executive device is made up of one or two mutually-connected control computers of the executive part, with one of them being a stand-by.
  • the control computer of the executive device works in two of two regime and is made up of a branch A's control computer, branch B's control computer, branch A's external communication interface, branch B's external communication interface, branch A's internal communication interface, branch B's internal communication interface, vital power source and watch interface. In some cases it is useful to add a diagnostic computer to this configuration.
  • the branch A's control computer is connected with the branch A's external communication interface
  • the branch A's control computer is connected with the branch A's internal communication interface
  • the branch A's control computer is connected with the diagnostic computer
  • the branch A control computer is connected with the branch B's control computer
  • the branch A's control computer is connected with the vital power source
  • the branch A's control computer is connected with the watch interface.
  • the branch B's control computer is connected with the branch B's external communication interface
  • the branch B's control computer is connected with the branch B's internal communication interface
  • the branch B's control computer is connected with the diagnostic computer
  • the branch B's control computer is connected with the branch A's control computer
  • the branch B's control computer is connected with the vital power source
  • the branch B's control computer is connected with the watch interface.
  • the vital power source is connected to the branch A's control computer, the branch B's control computer, the branch A's external communication interface, the branch B's external communication interface, the branch A's internal communication interface, the branch B's internal communication interface and the watch interface.
  • the watch interface is connected to the branch A's control computer, the branch B's control computer, the vital power source and it is connected to the supervision interface of the executive part's stand-by control computer.
  • the executive part of the executive device is made up of at least one executive component.
  • the executive component is made up of a total of nine function parts:
  • the 1st function part works in two of two mode and is made up of the branch A's executive computer, the branch B's executive computer, branch A's internal communication interface, branch B's internal communication interface and vital power source.
  • the branch A's executive computer is connected with the branch A's internal communication interface
  • the branch A's executive computer is connected with the branch B's executive computer and the branch A's executive computer is connected with the vital power source.
  • the branch B's executive computer is connected with the branch B's internal communication interface
  • the branch B's executive computer is connected with the branch A's executive computer and the branch B's executive computer is connected with the vital power source.
  • the 2nd function part is made up of vital contact outputs, branch A's watch vital contact outputs and branch B's watch vital contact outputs.
  • the vital contact outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part.
  • the branch A's watch vital contact outputs are connected with the vital contact outputs and with the branch A's executive computer of the 1st function part.
  • the branch B's watch vital contact outputs are connected with the vital contact outputs and with the branch B's executive computer of the 1st function part.
  • the 3rd function part is made up of vital logical outputs, branch A's watch vital logical outputs and branch B's watch vital logical outputs.
  • the vital logical outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part.
  • the branch A's watch vital logical outputs are connected with the vital logical outputs and with the branch A's executive computer of the 1st function part.
  • the branch B's watch vital logical outputs are connected with the vital logical outputs and with the branch B's executive computer of the 1st function part.
  • the 4th function part is made up of vital coded logical outputs, branch A's watch vital coded logical outputs and branch B's watch vital coded logical outputs.
  • the vital coded logical outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part.
  • the branch A's watch vital coded logical outputs are connected with the vital coded logical outputs and with the branch A's executive computer of the 1st function part.
  • the branch B's watch vital coded logical outputs are connected with the vital coded logical outputs and with the branch B's executive computer of the 1st function part.
  • the 5th function part is made up of vital electronic outputs, branch A's watch vital electronic outputs and branch B's watch vital electronic outputs.
  • the vital electronic outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part.
  • the branch A's watch vital electronic outputs are connected with the vital electronic outputs and with the branch A's executive computer of the 1st function part.
  • the branch B's watch vital electronic outputs are connected with the vital electronic outputs and with the branch B's executive computer of the 1st function part.
  • the 6th function part is made up of non-vital outputs.
  • the non-vital outputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • the 7th function part is made up of logical inputs. The logical inputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • the 8th function part is made up of analogue inputs.
  • the analogue inputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • the 9th function part is made up of vital data interfaces.
  • the vital data interfaces are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • the supply part of the executive device is made up of one or two sources, with one of them being a stand-by.
  • Each source is made up of two partial sources, being the source for branch A, the source for branch B, control circuits, measurement circuits and an internal communication interface.
  • the control circuits are connected to the source for branch A, the source for branch B and the internal communication interface.
  • the measurement circuits are connected to the source for branch A, the source for branch B and the internal communication interface.
  • the control level of the interlocking equipment is comprised of four vital computers that are mutually connected to two networks, being the vital data network and the control network.
  • the connection to the vital data network is achieved using hubs, and the connection to the control network is achieved by the vital computers' direct connection.
  • the branch A's vital computer and the branch B's vital computer are connected with the vital data network hub.
  • the branch A's stand-by vital computer and the branch B's stand-by vital computer are connected with the stand-by vital data network hub.
  • the hub of the vital data network is connected to the stand-by hub of the vital data network.
  • the branch A's vital computer is directly connected to the branch B's vital computer and the branch B's vital computer is also directly connected to stand-by branch B's vital computer.
  • the branch A's vital computer and branch A's stand-by vital computer are connected to the executive part, which is made up of at least one executive device.
  • the branch B's vital computer and branch B's stand-by vital computer are connected to the executive part.
  • the hub of the vital data network is connected to at least one arrangement of operating computers, which is comprised of at least one active commanding computer and possibly by at least one passive commanding computer.
  • the stand-by hub of the vital data network is potentially connected to at least one arrangement of operating computers, which is comprised of at least one active commanding computer and possibly by at least one passive commanding computer.
  • This electronic interlocking equipment enables the division of the signalling equipment's control level into two reliability parts and two vital branches in the following arrangement.
  • the branch A's vital computer, branch B's vital computer, vital data network hub and the branch A's vital computer's direct connection to the branch B's vital computer make up the first reliability part of the control level.
  • the stand-by branch A's vital computer, stand-by branch B's vital computer, vital data network stand-by hub and the stand-by branch A's vital computer's direct connection to the stand-by branch B's vital computer make up the second reliability part of the control level.
  • the branch A's vital computer directly connected to the stand-by branch A's vital computer makes up the first vital branch of the control level.
  • the branch B's vital computer directly connected to the stand-by branch B's vital computer makes up the second vital branch of the control level.
  • the commanding level of the interlocking equipment is comprised of at least one command workplace.
  • the command workplace is made up of active and passive commanding computers, which are connected to the control level of the signalling equipment through the hub that is part of the control level of the signalling equipment.
  • the main advantage of this processor electronic railway interlocking equipment system according to this invention is achieving an economically-effective configuration with a decrease in the number of active elements (hubs), using the possibilities of its remote control and remote positioning.
  • the electronic interlocking equipment according to this invention enables its functionality to be modified according to the requirements of any operator.
  • the electronic interlocking equipment system according to this invention is backed up in its decisive parts, including the back-up of the communication branch, in such a manner so that any loss of the backed up parts' functionality does not cause any functional limitations.
  • the electronic interlocking equipment system operates safely in accordance with
  • the electronic interlocking equipment according to this invention enables cooperation with connected systems used for the support of controlled traffic.
  • Fig. 1 basic configuration of the electronic interlocking equipment system made up from three basic levels, being the executive, control and commanding levels
  • Fig. 2 basic configuration of the executive level's executive device made up of three parts, being the control, executive and supply parts
  • Fig. 3 basic configuration of the control computer of the executive device's control part
  • Fig. 4 basic configuration of the executive components of the executive part, made up of nine function parts
  • Fig. 5 basic configuration of source of the executive device's supply part
  • Fig. 6 alternative configuration of the electronic interlocking equipment from Fig. 1 with the connection of superior parts
  • Fig. 7 alternative configuration of the electronic interlocking equipment from Fig. 1 with a remote executive device
  • Fig. 8 alternative configuration of executive component from Fig. 4 for scanning logical inputs
  • Fig. 9 alternative configuration of executive component from Fig. 4 for contact control
  • Fig. 10 alternative configuration of executive component from Fig. 4 for logical outputs
  • Fig. 11 alternative configuration of executive component from Fig. 4 for additional coding
  • Fig. 12 alternative configuration of executive component from Fig. 4 for controlling signal devices or point machine motors by scanning logical inputs
  • Fig. 13 alternative configuration of executive component from Fig. 4 for the data control of the crossing control units, axle counters.
  • the reliability level includes the main part, the components of which are in the text below and in the diagrams without a numerical index, and the stand-by part, the components of which are marked with the lower index 1.
  • the vital level is made up of two branches, which is differentiated by the lower index A and lower index B in the text below and in the diagrams.
  • the electronic railway interlocking/signalling equipment system is comprised of three essential levels, being the executive level EL, control level CONL and commanding level COML.
  • the commanding level COML of the interlocking equipment is made up of two arrangements of operating computers, being the first arrangement AOC1 of the operating computers and the second arrangement AOC2 of the operating computers.
  • Each arrangement of operating computers, therefore the first arrangement AOC1 of the operating computers and the second arrangement AOC2 of the operating computers is made up of at least one active commanding computer ACC and zero, one or more passive commanding computers PCC.
  • the configuration of the first arrangement AOC1 of operating computers is made up of one active commanding computer ACC and one passive commanding computer PCC.
  • When at least two active commanding computers ACC are used, they are divided as symmetrically as possible into two arrangements of operating computers, thus into the first arrangement AOC1 of the operating computers and into the second arrangement AOC2 of the operating computers.
  • When at least two passive commanding computers PCC are used, they are divided as symmetrically as possible into two arrangements of operating computers, thus into the first arrangement AOC1 of the operating computers and into the second arrangement AOC2 of the operating computers.
  • the passive commanding computer PCC only displays information that is not fail-safe relevant to operating personnel.
  • This characteristic is made possible by communication in the vital data network in the control level CONL of the interlocking equipment, between the passive commanding computer PCC of the commanding level COML and the vital computer VC A for branch A, vital computer VC B for branch B, stand-by vital computer VC A1 for branch A and stand-by vital computer VC B1 for branch B.
  • the vital computer VC A for branch A and vital computer VC B for branch B are connected to the vital data network's first reliability branch through the vital data network's hub HUB.
  • the vital data network's hub HUB is connected via a data link to the vital computer VC A for branch A, via another data link to the vital computer VC B for branch B, and via another data link with the vital data network's stand-by hub HUB 1.
  • the stand-by vital computer VC A1 for branch A and stand-by vital computer VC B1 for branch B are connected to the vital data network's 2nd reliability branch through the vital data network's stand-by hub HUB 1 in such a way that the vital data network's stand-by hub HUB 1 is connected via a data link to the stand-by vital computer VC A1 for branch A, and via another data link to the stand-by vital computer VC B1 for branch B.
  • the second arrangement AOC2 of operating computers is connected to the vital data network's 2nd reliability branch in such a way that the vital data network's stand-by hub HUB 1 is connected via a data link to the active commanding computer ACC and to the passive commanding computer PCC.
  • the control data network is created by a direct connection of the vital computer VC A for branch A to the vital computer VC B for branch B via an internal data link IDLCL control level, by a direct connection of the vital computer VC A for branch A to the stand-by vital computer VC A1 for branch A via an internal data line IDLCL A control level for branch A, and by a direct connection of the vital computer VC B for branch B to the stand-by vital computer VC B1 for branch B via an internal data link.
  • the vital computer VC A for branch A and stand-by vital computer VC A1 for branch A are connected to the executive level EL for the signalling equipment by another external data link EDL A for branch A.
  • the vital computer VC B for branch B and stand-by vital computer VC B1 for branch B are connected to the executive level EL of the signalling equipment by another external data link EDL B for branch B.
  • control level CONL of the electronic railway signalling equipment system works as follows:
  • Each active commanding computer ACC receives instructions for non-vital operations from the operating personnel, it also displays non-vital information for the operating personnel, in prescribed cases it accepts vital operating instructions from the operating personnel and also displays vital information for the operating personnel. These characteristics are enabled by communication in the vital data network in the control level CONL between the active commanding computer ACC of the first arrangement AOC1 of operating computers and/or the second arrangement AOC2 of operating computers of the commanding level COML, on the one hand, and the vital computer VC A for branch A, vital computer VC B for branch B, stand-by vital computer VC A1 for branch A and stand-by vital computer VC B1 for branch B, on the other hand.
  • the vital computer VC A for branch A communicates with the executive device ED of the executive level EL through an external data link EDL A in such a manner that it transmits requests for issuing non-vital commands, for vital contact commands, for vital logical commands, for vital coded logical commands and for vital electronic commands to the executive device ED, and receives information from the executive device ED about the status of input logical indications and about analogue vital inputs, to the extent allowed by the executive device ED.
  • Before being submitted to the executive device ED, the submitted requests from the vital computer VC A for branch A are modified by a prescribed algorithm, according to the relevant values that the vital computer VC A for branch A submits to the vital computer VC B for branch B through the internal data link IDLCL control level.
  • modified requests are secured by redundancy created by the vital computer VC A for branch A, as well as by redundancy created by the vital computer VC B for branch B.
  • the creation methods and the resulting redundancy created by the vital computer VC A for branch A, and the redundancy created by the vital computer VC B for branch B are different.
  • the redundancy, created by the vital computer VC B for branch B is submitted to the vital computer VC A for branch A, through an internal data link IDLCL control level.
  • the vital computer VC A for branch A receives datagrams, which contain indications from the executive device ED, from the executive device's ED for branch A, through an external data link EDL A for branch A. After the vital computer VC A for branch A checks the identity and authenticity of the datagrams received by the control computer CC, they are submitted to the vital computer VC B by an internal data link IDLCL control level. The vital computer VC B for branch B checks these datagrams, submitted by an internal data link IDLCL control level, for identity and authenticity pursuant to its algorithms.
  • the vital computer VC A for branch A also processes the operation commands, through the vital data network, being both non-vital operations and vital operations from each active commanding computer ACC of the first arrangement AOC1 of operating computers or from each commanding computer of the second arrangement AOC2 of operating computers.
  • the vital computer VC A for branch A communicates with the vital computer VC B for branch B, with which it mutually exchanges (via an internal data link IDLCL control level) the data necessary for the detection of the first failure of the vital computer VC A for branch A or vital computer VC B for branch B.
  • the vital computer VC A for branch A sends data, used for the repeated configuration of the variables on the stand-by vital computer VC A1 for branch A, through the control data network's internal data link IDLCL A control level for branch A to the stand-by vital computer VC A1 for branch A, in certain time intervals, so that their values correspond to the values of the corresponding variables of the vital computer VC A for branch A.
  • the vital computer VC B for branch B communicates with the executive device ED of the executive level EL through an external data link EDL B for branch B in such a manner that it transmits requests for issuing non-vital commands, for vital contact commands, for vital logical commands, for vital coded logical commands and for vital electronic commands to the executive device ED, and receives information from the executive device ED about the status of input logical indications and about analogue vital inputs, to the extent allowed by the executive device ED.
  • the submitted requests from the vital computer VC B for branch B are modified by a prescribed algorithm, according to the relevant values, that the vital computer VC B for branch B submits to the vital computer VC A for branch A, through the internal data link IDLCL control level.
  • modified requests are secured by redundancy, created by the vital computer VC B for branch B, as well as by redundancy, created by the vital computer VC A for branch A.
  • the creation methods and the resulting redundancy, created by the vital computer VC B for branch B, and the redundancy created by the vital computer VC A for branch A, are different.
  • the redundancy created by the vital computer VC A for branch A is submitted to the vital computer VC B for branch B through an internal data link IDLCL control level.
  • the vital computer VC B for branch B receives datagrams, which contain indications from the executive device ED, from the executive device ED through an external data link EDL B for branch B. After the vital computer VC B for branch B checks the identity and authenticity of the datagrams received by the control computer CC, they are submitted to the vital computer VC A for branch A by an internal data link IDLCL control level.
  • the vital computer VC A for branch A also checks these datagrams, submitted by an internal data link
  • the vital computer VC B for branch B also processes the operation commands, through the vital data network, being both non-vital operations and vital operations from each active commanding computer ACC of the first arrangement AOC1 of operating computers or from each commanding computer of the second arrangement AOC2 of operating computers.
  • the vital computer VC B for branch B communicates with the vital computer VC A for branch A, with which it mutually exchanges (via an internal data link IDLCL control level) the data necessary for the detection of the first failure of the vital computer VC B for branch B or vital computer VC A for branch A.
  • the vital computer VC B for branch B sends data used for the repeated configuration of the variables on the stand-by vital computer VC B1 for branch B through the control data network's internal data link IDLCL B control level for branch B to the stand-by vital computer VC B1 for branch B, at certain time intervals, so that their values correspond to the values of the corresponding variables of the vital computer VC B for branch B.
  • the stand-by vital computer VC A1 for branch A communicates with the stand-by vital computer VC B1 for branch B, with which it mutually exchanges the data necessary for the eventual detection of the 1st failure of the stand-by vital computer VC A1 for branch A or the stand-by vital computer VC B1 for branch B through the control data network's stand-by internal data link EDLCL 1 control level.
  • the stand-by vital computer VC A1 for branch A and the stand-by vital computer VC B1 for branch B during the failure of the vital computer VC A for branch A, and/or the failure of the vital computer VC B for branch B, and/or the failure of the vital data network's hub HUB, the stand-by branch A vital computer VC A1 copies the necessary internal variables to the branch A vital computer VC A via the control data network's internal data link IDLCL A control level for branch A, in prescribed time intervals.
  • the stand-by vital computer VC B1 for branch B copies the necessary internal variables to the vital computer VC B for branch B via the control data network's internal data link IDLCL B control level for branch B.
  • Ensuring synchronisation is a necessary condition for ensuring the reliable activities of the electronic interlocking equipment.
  • the synchronisation must be provided by the synchronised activity of the vital computers VC A, VC B, VC A1, VC B1 of the control level CONL and the executive device ED of the executive level EL and all of their communications.
  • the synchronisation is ensured by the realisation of a synchronous mode, where the vital computer VC A for branch A is the source of synchronisation marks at prescribed time intervals in the vital data network and control data network for the vital computer VC B for branch B, for the stand-by vital computer VC A1 for branch A and for the stand-by vital computer VC B1 for branch B, and also for the executive device ED of the executive level EL.
  • the stand-by vital computer VC A1 for branch A takes over its function as the source of synchronisation marks for all the aforementioned data networks.
  • the vital computer VC A for branch A, or the stand-by vital computer VC A1 for branch A in the event of its failure, carries out the appropriate functions that are invoked by the operating commands through any of the active commanding computers ACC and also automatically carries out all the relevant traffic functions and ensures the processing and transfer of the train numbers.
  • the vital computer VC B for branch B, or the stand-by vital computer VC B1 for branch B in the event of its failure, carries out the appropriate functions that are invoked by the operating commands through any of the active commanding computers ACC and also automatically carries out all the relevant traffic functions.
  • the fail-safe effect in the sense of CZ Standard CSN 34 2600 and the proposed EN 50 129 is contained both by the use of the 2 of 2 system as a system with redundant safety with a sufficiently timely detection of the "1st error," which cannot in and of itself cause an unsafe effect, though could cause an unsafe effect in combination with another error.
  • After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation of other failures.
  • the detection of the 1st error and the vital reaction demonstrably occurs in a time shorter than the occurrence of a 2nd error (which could, in combination with the 1st error, cause an unsafe effect) can be expected with the prescribed probability.
  • the vital computer VC A for branch A and stand-by vital computer VC A1 for branch A are also equipped with different software in comparison with the vital computer VC B for branch B and stand-by vital computer VC B1 for branch B, though the software for both the vital computer VC A for branch A and stand-by vital computer VC A1 for branch A, and the vital computer VC B for branch B and stand-by vital computer VC B1 for branch B, is processed according to a joint assignment.
  • The configuration of the executive device ED, from which the executive level EL of the interlocking equipment is created, is illustrated in Fig. 2.
  • the executive device ED is comprised of a control part CP, executive part EP and supply part SP. The executive device ED is connected to the control level CONL by connecting the control part CP to the control level CONL by external data link EDL A for branch A and with the control level CONL by external data link EDL B for branch B (Fig. 1).
  • the control part CP is comprised of a control computer CC and stand-by control computer CC 1.
  • the control computer CC is connected to the stand-by control computer CC 1 by an internal data link IDLCP control part.
  • the stand-by control computer CC 1 is not essential and is used for increasing the reliability of the control part CP.
  • the executive part EP is made up of at least one executive component EC.
  • the supply part SP is comprised of a source S and a stand-by source S 1.
  • the stand-by source S 1 is not essential and is used for increasing the reliability of the supply part SP.
  • the control computer CC, stand-by control computer CC 1 and executive component EC are connected by internal data links IDL A and IDL B for respective branches A,B.
  • the control part CP and supply part SP are connected by external data link EDL A for branch A or by external data link EDL B for branch B.
  • the control computers CC, the stand-by control computer CC 1 and each executive component EC are separately operating devices working in a secure manner pursuant to Czech standard CSN 34 2600 and also in accordance with valid European standards EN 50 126, EN 50 128, EN 50 129, EN 159-1 and EN 159-2.
  • the control computer CC A for branch A communicates through the external communication interface ECI A for branch A and using an external data link EDL A for branch A with the control level CONL and also through the internal communication interface ICI A for branch A and using an internal data link IDL A for branch A with the executive component EC making up the executive part EP of the executive device ED (Fig. 2).
  • the control computer CC B for branch B communicates through the external communication interface ECI B for branch B and using an external data link EDL B for branch B with the control level CONL and also through the internal communication interface ICI B for branch B and using an internal data link IDL B for branch B with the executive component EC making up the executive part EP of the executive device ED (Fig. 2).
  • the control computer CC A for branch A and the control computer CC B for branch B communicate with each other by an internal data link IDLCC control computer between these control computers CC A and CC B.
  • the vital source VS is connected to the control computer CC A for branch A and the control computer CC B for branch B, the external communication interface ECI A for branch A, the external communication interface ECI B for branch B, the internal communication interface ICI A for branch A, the internal communication interface ICI B for branch B and the watch interface WI.
  • the vital source VS is a circuit with internal security and with an anti-packing function, generating the vital power supply for the supply of external communication interface ECI A for branch A, external communication interface ECI B for branch B, internal communication interface ICI A, internal communication interface ICI B of the respective branch A or B and for the watch interface WI.
  • the activity of the vital source VS is controlled by the dynamic signals of the control computer CC A for branch A and the control computer CC B for branch B.
  • the watch interface WI is connected with the control computer CC A for branch A and with the control computer CC B for branch B.
  • the direct connection of the control computer CC and stand-by control computer CC 1 according to Fig. 2 is carried out by connecting the watch interface WI of the control computer CC to the watch interface WI of the stand-by control computer CC 1.
  • This connection of the control computer's CC watch interface WI to the stand-by control computer's CC 1 watch interface WI enables the hot backup mode in the control part CP of the executive device.
  • the equipment can favourably contain a diagnostic computer DC, which is connected to the control computer CC A for branch A via a data link; the diagnostic computer DC is also connected with the control computer CC B for branch B, using a data link.
  • the control computer CC works as follows:
  • the control computer CC A for branch A and control computer CC B for branch B communicate with the control level CONL of the signalling equipment through external data link EDL A and external data link EDL B for the respective branches A, B.
  • the control computer CC A for branch A receives datagrams from the vital computer VC A or the stand-by vital computer VC A1 of the interlocking equipment's control level CONL through an external communication interface ECI A and external data link EDL A.
  • the datagrams contain requests for issuing outputs to the executive part EP of the executive device ED.
  • After the identity and authenticity of the received datagrams are checked by the control computer CC A for branch A, they are sent by an internal data link IDLCC control computers to the control computer CC B for branch B.
  • the control computer CC B for branch B also checks the identity and authenticity of these datagrams sent by the internal data link IDLCC control computers, according to its algorithms.
  • the control computer CC A for branch A responds to the vital computer VC A or stand-by vital computer VC A1 of the signalling equipment's control level CONL by datagrams containing indications read by the executive part EP of the executive device ED. These datagrams are secured by redundancy created by the control computer CC A for branch A, as well as by redundancy created by the control computer CC B for branch B. The creation methods and the resulting redundancy created by the control computer CC A for branch A, and the redundancy created by the control computer CC B for branch B, are different. The redundancy created by the control computer CC A for branch A is passed to the control computer CC B for branch B, by an internal data link IDLCC control computers.
  • the control computer CC B for branch B receives datagrams (which contain requests for issuing the outputs to the executive part EP of the executive device ED) from the vital computer VC B or the stand-by vital computer VC B1 of the signalling equipment's control level CONL through an external communication interface ECI A and data link EDL A for respective branches A, B. After the identity and authenticity of the received datagrams are checked by the control computer CC B for branch B, they are sent by an internal data link IDLCC control computers to the control computer CC A for branch A.
  • the control computer CC A for branch A also checks the identity and authenticity of these datagrams sent by the internal data link IDLCC control computers, according to its algorithms.
  • the control computer CC B for branch B responds to the vital computer VC B or stand-by vital computer VC B1 for branch B of the interlocking equipment's control level CONL by datagrams containing indications read by the executive part EP of the executive device ED. These datagrams are secured by redundancy created by the control computer CC B for branch B, as well as by redundancy created by the control computer CC A for branch A.
  • the creation methods and the resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different.
  • the redundancy created by the control computer CC A for branch A is passed to the control computer CC B for branch B by an internal data link IDLCC control computers.
  • the control computer CC A for branch A processes the datagrams received from the control level CONL, according to the given algorithms, and creates datagrams for the individual executive components EC of the executive part EP. These datagrams are secured by redundancy created by the control computer CC A for branch A, as well as by redundancy created by the control computer CC B for branch B.
  • the creation method and the resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different.
  • the redundancy created by the control computer CC B for branch B is passed to the control computer CC A for branch A, by an internal data link IDLCC control computers.
  • the control computer CC B for branch B processes the datagrams received from the control level CONL according to the given algorithms and creates datagrams for the individual executive components EC of the executive part EP. These datagrams are secured by redundancy created by the control computer CC B for branch B, as well as by redundancy created by the control computer CC A for branch A.
  • the creation method and the resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different.
  • the redundancy created by the control computer CC A for branch A is passed to the control computer CC B for branch B, by an internal data link IDLCC control computer.
  • After sending the datagram through the internal communication interface ICI A and data link EDL A for branch A to the individual executive components EC of the executive part EP, the control computer CC A for branch A receives the datagrams containing the indications read by the executive components EC.
  • the control computer CC A for branch A processes the datagrams received from all the executive components EC of the executive part EP according to the algorithms into a resulting datagram meant for the vital computer VC A for branch A or for the stand-by vital computer VC A1 for branch A of the control level CONL.
  • the mutual exchange of data through an internal data link IDLCC control computers, between the control computer CC A for branch A and the control computer CC B for branch B, takes place.
  • After sending the datagram through the internal communication interface ICI B and data link IDL B for branch B to the individual executive components EC of the executive part EP, the control computer CC B for branch B receives the datagrams containing the indications read by the executive components EC.
  • the control computer CC B for branch B processes the datagrams received from all the executive components EC of the executive part EP, according to the algorithms, into a resulting datagram meant for the vital computer VC B for branch B or for the stand-by vital computer VC B1 for branch B of the control level CONL.
  • the control part CP of the executive device ED provides communication between the interlocking equipment's control level CONL and the executive device (Fig. 1) and also assures the control of the activities of the executive part EP of the executive device ED (Fig. 2).
  • a failure of the control part CP of the executive device ED means the failure of the entire executive device ED. It is therefore very advantageous to back up the control part CP of the executive device ED.
  • the principle of backing up is based on the characteristics of the watch interface WI.
  • the active control computer CC and stand-by control computer CC 1 have their watch interfaces WI mutually connected by an internal data link IDLCP control part (Fig. 2).
  • the vital source VS of the control computer CC and the vital source VS of the stand-by control computer CC 1 generate power in a safe manner, which is then provided to the watch interface WI.
  • the control computer CC has information on the existence of the stand-by control computer CC 1 and the stand-by control computer CC 1 has information on the existence of the control computer CC.
  • the activation of the control computer CC and stand-by control computer CC 1 is carried out in steps. If, during the activation of the control computer CC, no other control computer CC is detected by the watch interface WI, the control computer CC converts to active status. Subsequently, after the activation of the stand-by control computer CC 1, the existence of another control computer CC is detected by its watch interface WI and the stand-by control computer CC 1 goes into hot stand-by mode, where it waits for the necessary data from the control computer CC. The control computer CC detects the existence of a stand-by control computer CC 1 through its watch interface WI and sends it the necessary data for the proper hot stand-by activity.
  • the stand-by control computer CC 1 monitors the operation on the internal data links IDL A, IDL B for the respective branches A, B and on the external data links EDL A, EDL B for the respective branches A, B; and it performs all activities according to algorithms compatible with those of the control computer CC, except for sending datagrams to the executive device ED and to the control level CONL.
  • the stand-by control computer CC 1 evaluates this termination, and the stand-by control computer CC 1 switches to active status, i.e. it becomes the control computer CC.
  • the security of the control computer CC is ensured as follows: The security of the control computer CC is based on the circuit of the vital source VS, which is designed as a circuit with internal security and an anti-packing function. If no failure is detected by the control computer CC A for branch A, the control computer CC A for branch A creates a dynamic signal for the vital source VS. If no failure is detected by the control computer CC B for branch B, the control computer CC B for branch B creates a dynamic signal for the vital source VS. The vital source VS only creates the vital power supply for the external communication interface ECI A, external communication interface ECI B, internal communication interface ICI A .
  • the control computer CC A for branch A stops communicating with control computer CC B for branch B, via the link IDLCC control computers.
  • the control computer CC B for branch B also stops executing its program, and thus also generating the dynamic signal for the vital source VS.
  • the vital source VS will no longer react to any subsequent failure, during which the dynamic signal could be restored, and the vital supply is not restored.
  • the control computer CC is in a secure state and irreversibly disengaged from its surroundings.
  • the control computer CC B for branch B stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the external communication interface ECU .
  • the control computer CC B for branch B stops communicating with control computer CC A for branch A, via the link IDLCC.
  • the control computer CC A for branch A also stops executing its program, and thus also generating the dynamic signal for the vital source VS.
  • the vital source VS will no longer react to any subsequent failure, during which the dynamic signal could be restored, and the vital supply is not restored.
  • the control computer CC is in a secure state and is irreversibly disengaged from its surroundings.
  • the user data stored in the datagrams submitted between the control level CONL and executive device ED have an identical value in branch A and in branch B obtained by the relevant algorithms for harmonising data between the branches A,B.
  • the datagrams submitted by the vital computer VC A for branch A to the executive device ED are given redundancy created by the vital computer VC A for branch A, as well as by redundancy created by the vital computer VC B for branch B.
  • the creation method and resulting redundancy created by the vital computer VC A for branch A and the redundancy created by the vital computer VC B for branch B are different.
  • the control computer CC A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B.
  • the datagrams are sent to the control computer CC B for branch B over the internal data link IDLCC control computers.
  • the control computer CC B for branch B also checks the identity and authenticity of these datagrams according to security algorithms, both for branch A and branch B.
  • the datagrams sent by the vital computer VC B for branch B to the executive device ED are given redundancy created by the vital computer VC B for branch B, as well as by redundancy created by the vital computer VC A for branch A.
  • the creation method and resulting redundancy created by the vital computer VC B for branch B, and the redundancy created by the vital computer VC A for branch A, are different.
  • After receiving these datagrams the control computer CC B for branch B checks their identity and authenticity according to security algorithms, both for branch B and branch A. After being successfully inspected, the datagrams are sent to the control computer CC A for branch A over the internal data link IDLCC. The control computer CC A for branch A also checks the identity and authenticity of these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both control computer CC A for branch A and control computer CC B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both control computer CC B for branch B and control computer CC A for branch A have the datagram from branch A available.
  • the situation is analogous in the opposite direction of sending the datagrams, i.e. sending the datagrams from the executive device ED to the control level CONL.
  • the datagrams submitted by control computer CC A for branch A to the control level CONL are given redundancy created by the control computer CC A for branch A, as well as by redundancy created by control computer CC B for branch B.
  • the creation method and resulting redundancy created by the control computer CC A for branch A, and the redundancy created by the control computer CC B for branch B, are different.
  • the vital computer VC A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B.
  • the datagrams are sent to the vital computer VC B for branch B over the internal data link IDLCL.
  • the vital computer VC B for branch B also checks the identity and authenticity of these datagrams according to security algorithms, both for branch A and branch B.
  • the datagrams sent by the control computer CC B for branch B to the control level CONL are given redundancy created by the control computer CC B for branch B, as well as by redundancy created by the control computer CC A for branch A.
  • the creation method and resulting redundancy created by the control computer CC B for branch B, and the redundancy created by the control computer CC A for branch A, are different.
  • After receiving these datagrams the vital computer VC B for branch B checks their identity and authenticity, according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the vital computer VC A for branch A over the internal data link IDLCL control level. The vital computer VC A for branch A also checks the identity and authenticity of these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both vital computer VC A and vital computer VC B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both vital computer VC B for branch B and vital computer VC A for branch A have the datagram from branch A available. It is possible to use one common medium for transmission since the creation method and subsequent redundancy for branch A and branch B are independent.
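The datagram protection described above, two redundancies created by different methods and checked by every receiver, with the other branch's datagram available as a fallback, can be sketched as follows. This is an added example and not the patent's algorithm: the text does not name the redundancy methods, so the truncated HMAC-SHA256 for branch A, the keyed BLAKE2s for branch B, the header layout, the keys and all function names are assumptions chosen only to make the two codes diverse.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not taken from the patent).
BRANCH_A, BRANCH_B, EXECUTIVE_DEVICE = 0xA, 0xB, 0x10
KEY_A = b"constructed-demo-key-branch-A"
KEY_B = b"constructed-demo-key-branch-B"
HEADER = struct.Struct(">BBI")  # source id, destination id, sequence number
CODE_LEN = 8


def redundancy_a(body: bytes) -> bytes:
    """Branch A's method (assumed): truncated HMAC-SHA256."""
    return hmac.new(KEY_A, body, hashlib.sha256).digest()[:CODE_LEN]


def redundancy_b(body: bytes) -> bytes:
    """Branch B's method (assumed): keyed BLAKE2s, a different algorithm and key."""
    return hashlib.blake2s(body, key=KEY_B, digest_size=CODE_LEN).digest()


def build_datagram(source: int, dest: int, seq: int, payload: bytes) -> bytes:
    # In the described equipment each code is produced on a different computer
    # and exchanged over the internal data link; here both are local calls.
    body = HEADER.pack(source, dest, seq) + payload
    return body + redundancy_a(body) + redundancy_b(body)


def check_datagram(raw: bytes, source: int, dest: int, last_seq: int):
    """Return (payload, "ok") or (None, reason). Both codes must verify."""
    if len(raw) < HEADER.size + 2 * CODE_LEN:
        return None, "too short"
    body = raw[:-2 * CODE_LEN]
    code_a, code_b = raw[-2 * CODE_LEN:-CODE_LEN], raw[-CODE_LEN:]
    if not hmac.compare_digest(code_a, redundancy_a(body)):
        return None, "redundancy A failed"
    if not hmac.compare_digest(code_b, redundancy_b(body)):
        return None, "redundancy B failed"
    src, dst, seq = HEADER.unpack(body[:HEADER.size])
    if (src, dst) != (source, dest):
        return None, "wrong identity"
    if seq <= last_seq:
        return None, "stale sequence number"
    return body[HEADER.size:], "ok"


def receive(copy_a: bytes, copy_b: bytes, dest: int, last_seq: int):
    """Use branch A's datagram if it passes, otherwise branch B's copy.
    Returns (payload, branch) or (None, None), the case for a vital reaction."""
    for raw, branch in ((copy_a, BRANCH_A), (copy_b, BRANCH_B)):
        payload, _reason = check_datagram(raw, branch, dest, last_seq)
        if payload is not None:
            return payload, branch
    return None, None


def demo() -> dict:
    payload = b"\x01\x00\x01"  # constructed user data, identical in both branches
    copy_a = build_datagram(BRANCH_A, EXECUTIVE_DEVICE, 41, payload)
    copy_b = build_datagram(BRANCH_B, EXECUTIVE_DEVICE, 41, payload)
    # Transmission damage: one bit flipped in the first payload byte of copy A.
    i = HEADER.size
    damaged_a = copy_a[:i] + bytes([copy_a[i] ^ 0x04]) + copy_a[i + 1:]
    # A single faulty computer that alters the data and recomputes only its own code.
    body = HEADER.pack(BRANCH_A, EXECUTIVE_DEVICE, 41) + b"\x00\x00\x00"
    one_sided = body + redundancy_a(body) + copy_a[-CODE_LEN:]
    return {
        "good": check_datagram(copy_a, BRANCH_A, EXECUTIVE_DEVICE, 40),
        "damaged": check_datagram(damaged_a, BRANCH_A, EXECUTIVE_DEVICE, 40),
        "one_sided": check_datagram(one_sided, BRANCH_A, EXECUTIVE_DEVICE, 40),
        "replayed": check_datagram(copy_a, BRANCH_A, EXECUTIVE_DEVICE, 41),
        "fallback": receive(damaged_a, copy_b, EXECUTIVE_DEVICE, 40),
        "both_lost": receive(damaged_a, one_sided, EXECUTIVE_DEVICE, 40),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The `one_sided` case is the reason for using two different creation methods: a datagram that is self-consistent under one branch's code still fails the other branch's check.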
  • the diagnostic computed DC which gathers, stores and sorts the operational and functional statuses for the executive device ED that are sent from the control computer CC A for branch A and control computer CC B for branch B is used to ensure the transfer for the diagnostic data.
  • the fail-safe effect in the sense for CSN 34 2600 and the proposed EN 50 129 is contained both by the use for the 2 for 2 system as a system with redundant safety with a sufficiently timely detection for the "1 st error," which cannot in and for itself cause an unsafe effect, though could cause an unsafe effect in combination with another error. After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation for other failures.
  • the detection for the 1 st error and the vital reaction demonstrably occurs in a time shorter than the occurrence for a 2 nd error (which could, in combination with the 1 st error, cause an unsafe effect) can be expected with the prescribed probability.
  • the vital computer VC A for branch A and stand-by vital computer VC ⁇ for branch A are also equipped with different sfortware in comparison with the vital computer VC B for branch B and stand-by vital computer VC ⁇ for branch B, though the sfortware for both the vital computer VC A for branch A and stand-by vital computer VC M for branch A, and the vital computer VC B for branch B and stand-by vital computer VC ⁇ i for branch A, is processed according to a joint assignment.
  • the executive component EC is comprised for nine function part ⁇ FPU 1 FPZtO 1 FP ⁇ .
  • the first function part FPl' and any for the second FP2 to the ninth function parts' FP9 or their combination is always necessary for the proper activity for the executive component EC. ' ⁇ ' > .J
  • the executive component EC thus always contains the first function.' part" FPl. connected with at least one other function part FP2 - FP9. always through s the l executive computer EC A for branch A and the executive computer EC ⁇ branch B, of also through the vital source VS.
  • the first function part FPl is comprised for two executive computers EC A . EC B . which are mutually connected by an internal data link IDLEC executive computers.
  • the executive computer EC A for branch A is connected in both directions with the internal communication interface ICI ⁇ for branch A, and is also connected to the vital source VS.
  • the executive computer EC B for branch B is connected in both directions with the internal communication interface ICI B for branch B and is also connected to the vital 'source VS.-
  • the vital source VS is connected to the two internal communication interfaces IC ⁇ A '.' ' ICIk.' connected to the internal data links IDL A . EPL B for the executive device ED.
  • the second function part FP2 is comprised for vital contact outputs VC ( D:" watch WVCO A vital contact oiifiirtits for branch A, and watch WVCOg vital cbniac ⁇ Ou ⁇ utsTor branch B.
  • the vital contact 'outputs VCO are connected to the watch WVCO A .
  • WVCO 3 vital Contact outputs for the respective branch A or B are also connected to the executive computers EC A . EC ⁇ for the respective branch A or B.
  • The third function part FP3 is comprised of vital logical outputs VLO.
  • The vital logical outputs VLO are connected to the watches WVLO A, WVLO B of vital logical outputs for the respective branch A or B, which are also connected to the executive computers EC A, EC B for the respective branch A or B.
  • The fourth function part FP4 is comprised of vital coded logical outputs VCLO.
  • The vital coded logical outputs VCLO are connected to the watches WVCLO A, WVCLO B of vital coded logical outputs for the respective branch A or B, which are also connected to the executive computers EC A, EC B for the respective branch A or B.
  • The fifth function part FP5 is comprised of vital analogue outputs VAO, the watch WVAO A of vital analogue outputs for branch A, and the watch WVAO B of vital analogue outputs for branch B.
  • The vital analogue outputs VAO are connected to the watches WVAO A, WVAO B of vital analogue outputs for the respective branch A or B, which are also connected to the executive computers EC A, EC B for the respective branch A or B.
  • The sixth function part FP6 is comprised of non-vital outputs NO.
  • The seventh function part FP7 is comprised of logical inputs LI, which are connected with the executive computers EC A, EC B for the respective branch A or B.
  • The eighth function part FP8 is comprised of analogue inputs AI, which are connected with the executive computers EC A, EC B for the respective branch A or B.
  • The ninth function part FP9 is comprised of the vital data interface VDI, which is connected to the vital source VS and also to the executive computers EC A, EC B for the respective branch A or B.
  • The executive computer EC A for branch A communicates with the control part CP through the internal communication interface ICI A and via the internal data link IDL A for branch A (Fig. 2).
  • The executive computer EC B for branch B communicates with the control part CP through the internal communication interface ICI B and via the internal data link IDL B for branch B (Fig. 2).
  • The vital source VS is connected to the executive computers EC A and EC B, to the internal communication interfaces ICI A and ICI B, to the vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI.
  • The vital source VS is a circuit with internal security and with an anti-packing function, generating the vital power supply for the internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI.
  • The activity of the vital source VS is controlled by the dynamic signals of the executive computers EC A and EC B.
  • The executive component EC of the executive part EP of the executive device ED works as follows:
  • The executive computer EC A for branch A and executive computer EC B for branch B communicate with the control part CP of the executive device ED through the internal data link IDL A for branch A and the internal data link IDL B for branch B.
  • The executive computer EC A for branch A receives datagrams from the branch A control computer CC or from the branch A stand-by control computer CC A1 of the control part CP of the executive device ED (Fig. 2), which contain requests for issuing outputs or requests for the transmission of indications scanned by the executive component EC, through the internal communication interface ICI A and internal data link IDL A for branch A.
  • The identity and authenticity of the datagrams received by the executive computer EC A for branch A are checked, and they are transmitted to the executive computer EC B for branch B by the internal data link IDLEC of the executive computers.
  • The executive computer EC B for branch B also checks these datagrams, submitted by the internal data link IDLEC of the executive computers, for identity and authenticity pursuant to its algorithms.
  • The executive computer EC A for branch A responds via branch A of the control computer CC and via branch A of the stand-by control computer CC A1 (if the stand-by control computer CC 1 is used) with datagrams containing indications read by the executive component EC. These datagrams are secured by redundancy created by the executive computer EC A for branch A, as well as by redundancy created by the executive computer EC B for branch B.
  • The creation method and the resulting redundancy created by the executive computer EC A for branch A and the redundancy created by the executive computer EC B for branch B are different.
  • The redundancy created by the executive computer EC A for branch A is passed to the executive computer EC B for branch B by the internal data link IDLEC of the executive computers.
  • The executive computer EC B for branch B receives the datagrams from branch B of the control computer CC or from branch B of the stand-by control computer CC B1 of the control part CP of the executive device through the internal communication interface ICI B and internal data link IDL B for branch B.
  • The datagrams contain requests for issuing outputs or requests for the transfer of indications scanned by the executive part EP.
  • The executive computer EC A for branch A also checks these datagrams, submitted by the internal data link IDLEC of the executive computers, for identity and authenticity pursuant to its algorithms.
  • The executive computer EC B for branch B responds via branch B of the control computer CC and via branch B of the stand-by control computer CC B1 (if the stand-by control computer CC 1 is used) with datagrams containing indications read by the executive component EC. These datagrams are secured by redundancy created by the executive computer EC B for branch B, as well as by redundancy created by the executive computer EC A for branch A. The creation method and the resulting redundancy created by the executive computer EC B for branch B and the redundancy created by the executive computer EC A for branch A are different.
  • The redundancy created by the executive computer EC B for branch B is passed to the executive computer EC A for branch A by the internal data link IDLEC of the executive computers.
  • The executive computer EC A for branch A processes the datagram received from the control part CP of the executive device ED pursuant to the given algorithms, and the executive computer EC A for branch A controls vital contact outputs VCO for issuing vital contact commands, the executive computer EC A for branch A controls vital logical outputs VLO for issuing vital logical commands, the executive computer EC A for branch A controls vital coded logical outputs VCLO for issuing vital coded logical commands, the executive computer EC A for branch A controls vital analogue outputs VAO for issuing vital analogue commands, and the executive computer EC A for branch A controls non-vital outputs NO for issuing non-vital commands.
  • The executive computer EC A for branch A performs the control activities of the vital contact outputs VCO through the watch WVCO A of vital contact outputs for branch A.
  • The executive computer EC A for branch A performs the control activities of the vital logical outputs VLO through the watch WVLO A of vital logical outputs for branch A.
  • The executive computer EC A for branch A performs the control activities of the vital coded logical outputs VCLO through the watch WVCLO A of vital coded logical outputs for branch A.
  • The executive computer EC A for branch A performs the control activities of the vital analogue outputs VAO through the watch WVAO A of vital analogue outputs for branch A.
  • The executive computer EC B for branch B processes the datagram received from the control part CP of the executive device ED pursuant to the given algorithms, and the executive computer EC B for branch B controls vital contact outputs VCO for issuing vital contact commands.
  • The executive computer EC B for branch B controls vital logical outputs VLO for issuing vital logical commands.
  • The executive computer EC B for branch B controls vital coded logical outputs VCLO for issuing vital coded logical commands.
  • The executive computer EC B for branch B controls vital analogue outputs VAO for issuing vital analogue commands.
  • The executive computer EC B for branch B controls non-vital outputs NO for issuing non-vital commands.
  • The executive computer EC B performs the control activities of the vital contact outputs VCO through the watch WVCO B of vital contact outputs for branch B.
  • The executive computer EC B for branch B performs the control activities of the vital logical outputs VLO through the watch WVLO B of vital logical outputs for branch B.
  • The executive computer EC B for branch B performs the control activities of the vital coded logical outputs VCLO through the watch WVCLO B of vital coded logical outputs for branch B.
  • The executive computer EC B for branch B performs the control activities of the vital analogue outputs VAO through the watch WVAO B of vital analogue outputs for branch B.
  • The watch WVCO A of vital contact outputs for branch A is used by the executive computer EC A for branch A to check the vital contact outputs VCO issued by the executive computer EC A for branch A, and to check the vital contact outputs VCO issued by the executive computer EC B for branch B.
  • The watch WVCO B of vital contact outputs for branch B is used by the executive computer EC B for branch B to check the vital contact outputs issued by the executive computer EC B for branch B, and to check the vital contact outputs issued by the executive computer EC A for branch A.
  • Any discrepancy detected during the checks of the issued vital contact outputs triggers a vital reaction.
  • The vital logical commands are only issued in the event that the executive computer EC A for branch A and executive computer EC B for branch B carry out the identical commanding of vital logical outputs VLO.
  • The watch WVLO A of vital logical outputs for branch A is used by the executive computer EC A for branch A to check the vital logical outputs issued by the executive computer EC A for branch A, and to check the vital logical outputs issued by the executive computer EC B for branch B.
  • The watch WVLO B of vital logical outputs for branch B is used by the executive computer EC B for branch B to check the vital logical outputs issued by the executive computer EC B for branch B, and to check the vital logical outputs issued by the executive computer EC A for branch A. Any discrepancy detected during the checks of the issued vital contact outputs triggers a vital reaction.
  • [0134] In order to achieve the required security of the vital coded logical commands, they are only issued in the event that the executive computer EC A for branch A and executive computer EC B for branch B carry out the identical commanding of vital coded logical outputs VCLO.
  • The watch WVCLO A of vital coded logical outputs for branch A is used by the executive computer EC A for branch A to check the vital coded logical outputs issued by the executive computer EC A for branch A, and to check the vital coded logical outputs issued by the executive computer EC B for branch B.
  • The watch WVCLO B of vital coded logical outputs for branch B is used by the executive computer EC B for branch B to check the vital coded logical outputs issued by the executive computer EC B for branch B, and to check the vital coded logical outputs issued by the executive computer EC A for branch A. Any discrepancy detected during the checks of the issued vital contact outputs triggers a vital reaction.
  • The watch WVAO B of vital analogue outputs for branch B is used by the executive computer EC B for branch B to check the vital analogue outputs issued by the executive computer EC B for branch B, and to check the vital analogue outputs issued by the executive computer EC A for branch A. Any discrepancy detected during the checks of the issued vital contact outputs triggers a vital reaction.
  • The executive computer EC A for branch A and executive computer EC B for branch B compare each other's values of the logical inputs LI.
  • The internal data link IDLEC of the executive computers is used to transfer the read indications between the executive computer EC A for branch A and executive computer EC B for branch B. Moreover, all of the inputs are tested for the ability of their controlled switch to basic status. A discrepancy triggers a vital reaction.
  • The executive computer EC A for branch A and executive computer EC B for branch B compare each other's values of the analogue inputs AI.
  • The internal data link IDLEC of the executive computers is used to transfer the read indications between the executive computer EC A for branch A and executive computer EC B for branch B. A discrepancy triggers a vital reaction.
  • The ninth function part, comprised of a vital data interface VDI, is used for the vital or non-vital data connection of some interlocking equipment and, in cooperation with the executive computer EC A for branch A and the executive computer EC B for branch B, performs the transformation of the data from/to the connected interlocking equipment into a suitable structure and performs the relevant algorithms.
  • The security of the executive component EC is based on the circuit of the vital source VS, which is designed as a circuit with internal security and an anti-packing function. If no failure is detected by the executive computer EC A for branch A, the executive computer EC A for branch A creates a dynamic signal for the vital source VS. If no failure is detected by the executive computer EC B for branch B, the executive computer EC B for branch B creates a dynamic signal for the vital source VS. Only during the activation of the executive component, i.e. on the controlled switching to voltage VA, VB of source S and on the dynamic signal of the executive computer EC A for branch A and the dynamic signal of the executive computer EC B for branch B, does the vital source VS create the vital power supply for the internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI.
  • The executive computer EC A for branch A stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI, which switch to the vital state.
  • The executive computer EC A for branch A stops communicating with the executive computer EC B for branch B via the internal data link IDLEC of the executive computers.
  • The executive computer EC B for branch B also stops executing its program, and thus also generating the dynamic signal for the vital source VS.
  • The vital source VS will no longer react to any subsequent failure, during which the dynamic signal would be restored, and the vital supply is not restored.
  • The executive component EC is in a secure state and irreversibly disengaged from its surroundings.
  • The executive computer EC B for branch B stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO.
  • The executive computer EC B for branch B stops communicating with the executive computer EC A for branch A via the internal data link IDLEC of the executive computers.
  • The executive computer EC A for branch A also stops executing its program, and thus also generating the dynamic signal for the vital source VS.
  • The vital source VS will no longer react to any subsequent failure, during which the dynamic signal would be restored, and the vital supply is not restored.
  • The executive component EC is in a secure state and irreversibly disengaged from its surroundings.
  • The user data stored in the datagrams submitted between the control part CP and executive part EP have an identical value in branch A and in branch B, obtained by the relevant algorithms for harmonising data between the branches.
  • The datagrams submitted by the control computer CC A for branch A to the executive part EP are given redundancy created by the control computer CC A for branch A, as well as redundancy created by the control computer CC B for branch B.
  • The creation method and resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different.
  • The executive computer EC A for branch A checks their identity and authenticity, according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the executive computer EC B for branch B over the internal data link IDLEC of the executive computers.
  • The executive computer EC B for branch B also checks the identity and authenticity of these datagrams, according to security algorithms, both for branch A and branch B.
  • The datagrams sent by the control computer CC B for branch B to the executive part EP are given redundancy created by the control computer CC B for branch B, as well as redundancy created by the control computer CC A for branch A.
  • The creation method and resulting redundancy created by the control computer CC B for branch B and the redundancy created by the control computer CC A for branch A are different.
  • The executive computer EC B for branch B checks their identity and authenticity according to security algorithms, both for branch B and branch A.
  • The datagrams are sent to the executive computer EC A for branch A over the internal data link IDLEC of the executive computers.
  • The executive computer EC A for branch A also checks the identity and authenticity of these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both executive computer EC A for branch A and executive computer EC B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both executive computer EC A for branch A and executive computer EC B for branch B have the datagram from branch A available.
  • The situation is analogous in the opposite direction of sending the datagrams, i.e. sending the datagrams from the executive part EP to the control part CP.
  • The datagrams submitted by the executive computer EC A for branch A to the control part CP are given redundancy created by the executive computer EC A for branch A, as well as redundancy created by the executive computer EC B for branch B.
  • The creation method and resulting redundancy created by the executive computer EC A for branch A and the redundancy created by the executive computer EC B for branch B are different.
  • The control computer CC A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B.
  • The datagrams are sent to the control computer CC B for branch B over the internal data link IDLCC of the control computers.
  • The control computer CC B for branch B also checks the identity and authenticity of these datagrams according to security algorithms, both for branch A and branch B.
  • The datagrams sent by the executive computer EC B for branch B to the control part CP are given redundancy created by the executive computer EC B for branch B, as well as redundancy created by the executive computer EC A for branch A.
  • The creation method and resulting redundancy created by the executive computer EC B for branch B and the redundancy created by the executive computer EC A for branch A are different.
  • After receiving these datagrams, the control computer CC B for branch B checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the control computer CC A for branch A over the internal data link IDLCC of the control computers. The control computer CC A for branch A also checks the identity and authenticity of these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both control computer CC A for branch A and control computer CC B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both control computer CC B for branch B and control computer CC A for branch A have the datagram from branch A available.
  • [0145] It is possible to use one common medium for transmission since the creation method and subsequent redundancy for branch A and branch B are independent.
  • The fail-safe effect in the sense of ČSN 34 2600 and the proposed EN 50 129 is ensured both by the use of the 2 of 2 system as a system with redundant safety and by a sufficiently timely detection of the "1st error," which cannot in and of itself cause an unsafe effect, though it could cause an unsafe effect in combination with another error.
  • After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation of other failures.
  • The detection of the 1st error and the vital reaction demonstrably occur in a time shorter than that in which the occurrence of a 2nd error (which could, in combination with the 1st error, cause an unsafe effect) can be expected with the prescribed probability.
  • The configuration of source S of the supply part SP of the executive device ED is illustrated in Fig. 5, from which it is evident that it is put together from the following basic parts: the source SA, source SB, measurement circuits MC, control circuits CONC and internal communication interface ICI.
  • The source SA generates voltage VA, meant for the supply of branch A of the control part CP of the executive device ED and branch A of the executive part EP of the executive device ED, as its output.
  • The source SB generates voltage VB, meant for the supply of branch B of the control part CP of the executive device ED and branch A of the executive part EP of the executive device ED.
  • The control circuits CONC are used to control the level of the voltage supply VA of source SA and to control the level of the voltage supply VB of source SB.
  • The measurement circuits MC are used to measure the voltage and current of the source SA and to measure the voltage and current of the source SB.
  • The internal communication interface ICI is used for the communication of the source S with the control part CP of the executive device ED.
  • The source SA and source SB are mutually independent and are supplied with supply voltage SV.
  • The output circuits of sources SA and SB are supplemented with circuits to prevent back current for the purpose of allowing back-ups.
  • One of the most stressed parts of the executive device is its supply part SP. It is very advantageous to back up the supply part SP.
  • The principle of backing up the supply part SP is based on one of the basic characteristics of the control part CP and executive part EP of the executive device ED, which consists in the extended tolerance of their voltage VA and VB, and is also based on the circuit design of the source S.
  • Both of the mutually independent sources SA and SB of the source S are capable of delivering an output at two voltage levels, i.e. the basic voltage or decreased voltage, on the basis of the activities of the control circuits. These two possible voltage levels are in the range of the voltages VA and VB of the control part CP and executive part EP of the executive device ED.
  • The control part CP of the executive device ED obtains information on the current load of source S and stand-by source S 1 through the measurement circuits MC of the source S and stand-by source S 1 and the internal communications interface ICI of the source S and stand-by source S 1.
  • The supply is provided by the source S, since its voltages VA and VB are higher than the voltages of the stand-by source S 1.
  • The output current of source S, and thus of its partial sources SA and SB, is not zero and the output current of the stand-by source S 1, and thus of both of its partial sources SA 1 and SB 1, is zero or close to zero.
  • The stand-by source S 1 ensures the supply of energy and the current delivered to it is increased.
  • The control part CP of the executive device ED issues a command through the internal data interface ICI A or ICI B.
  • The information on the failure of source S is recorded in the diagnostic computer DC of the control part of the executive device ED.
  • The aforementioned solution enables the stand-by mode to be mutually alternated on both sources of the backed-up supply part SP of the executive device over time, thereby uncovering a failure of source S 1, which is in stand-by mode.
  • Fig. 6 differs from the first example configuration pursuant to Fig. 1 in that the commanding level of the signalling equipment COML is connected to a watch remote commanding level RCL so that the bridge B of the watch part is connected by a data link to the vital data network's hub HUB, by another data link to the vital data network's stand-by hub HUB 1 and by another data link to the supervision system SS.
  • The alternative configuration of the electronic interlocking equipment with a remote executive device pursuant to Fig. 7 differs from the 1st example configuration pursuant to Fig. 1 in that a communication level CL comprised of communication equipment CE is inserted between the control level CONL and the executive level EL.
  • The vital computer VC A and stand-by vital computer VC A1 for branch A are connected by an external data link EDL A for branch A to the communication equipment CE of the communication level CL.
  • The vital computer VC A and stand-by vital computer VC A1 are connected by an external data link EDL A for branch A to the communication equipment CE of the communication level CL.
  • The communication equipment CE of the communication level CL is connected both by another external data link EDL A' for branch A and by another external data link EDL B' for branch B to the executive device ED of the executive level EL.
  • This alternative configuration is used in the event that it is necessary to withdraw the executive level EL or its part from the control level CONL.
  • This specific alternative configuration with the designation SH contains the first function part FP1, connected to the seventh function part FP7.
  • The first function part FP1 and seventh function part FP7 are described in detail in configuration example 4.
  • Fig. 8 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2, third function part FP3, fourth function part FP4, fifth function part FP5, sixth function part FP6, eighth function part FP8 and ninth function part FP9.
  • Fig. 9: The display of an alternative configuration of the executive component EC designated as SCI, which is meant for issuing vital contact commands.
  • This specific alternative configuration with the designation SCI contains the first function part FP1 and second function part FP2, both described in more detail in configuration example 4.
  • Fig. 9 differs from the 4th configuration example in that it does not contain the third function part FP3 and other function parts, the fourth function part FP4 to the ninth function part FP9.
  • Fig. 10 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2.
  • Fig. 11: The display of an alternative configuration of the executive component EC designated as TCI, which is meant for determining the occupancy of the track circuits, switching the track circuit equipment and for generating the frequency for additional coding.
  • This alternative configuration with the designation TCI contains the first function part FP1 in combination with the third function part FP3.
  • Fig. 11 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2, fifth function part FP5, sixth function part FP6, eighth function part FP8 and ninth function part FP9.
  • Fig. 11 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2 to fourth function part FP4, sixth function part FP6, seventh function part FP7 and ninth function part FP9.
  • SDI contains the first function part FP1 connected to the ninth function part FP9.
  • Fig. 13 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2 to eighth function part FP8.
  • The specified configurations are example configurations and their scope is not comprehensive. Other example configurations and their combinations are possible in the framework of the patent claims of this invention.
  • The solution is meant for controlling adjacent equipment, e.g. signal equipment, points, level crossings, axle counters, track circuits, etc., which contribute to ensuring the traffic routes for railway vehicles.
  • ICI B - Internal Communication Interface ICI B for Branch B
  • IDL A - Internal Data Link IDL A for Branch A
  • IDL B - Internal Data Link IDL B for Branch B
  • IDLCC - Internal Data Link IDLCC Control Computer
  • IDLCL - Internal Data Link IDLCL Control Level
  • IDLCL A - Internal Data Link IDLCL A Control Level for Branch A
  • IDLCL B - Internal Data Link IDLCL B for Control Level for Branch B
  • IDLCL 1 - Stand-By Internal Data Link IDLCL 1 Control Level
  • IDLEC - Internal Data Link IDLEC Executive Computer
  • IDLCP - Internal Data Link IDLCP Control Part
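The datagram protection described above (every datagram carries one redundancy created in branch A and a differently created one from branch B, both are checked before use, and a damaged copy on one branch leaves the other branch's copy available), as an added Python example that is not code from the patent. The patent does not name its security algorithms, so the two codes (truncated HMAC-SHA-256 and keyed BLAKE2s), the header layout, the keys, the sequence-number check and the rejection of differing payloads are all assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo keys (assumption): one secret per branch keeps the redundancies independent.
KEY_A = b"constructed-key-branch-A"
KEY_B = b"constructed-key-branch-B"
TAG_LEN = 8
HEADER = struct.Struct(">BBIH")  # sender id, receiver id, sequence number, payload length
CONTROL_PART, EXECUTIVE_PART = 0x01, 0x02  # hypothetical identifiers for CP and EP


def redundancy_a(body: bytes) -> bytes:
    """Redundancy created in branch A (assumed method: truncated HMAC-SHA-256)."""
    return hmac.new(KEY_A, body, hashlib.sha256).digest()[:TAG_LEN]


def redundancy_b(body: bytes) -> bytes:
    """Redundancy created in branch B by a different method (assumed: keyed BLAKE2s)."""
    return hashlib.blake2s(body, key=KEY_B, digest_size=TAG_LEN).digest()


def build_datagram(sender: int, receiver: int, seq: int, payload: bytes) -> bytes:
    """Sender side: header + user data, followed by both branches' redundancy."""
    body = HEADER.pack(sender, receiver, seq, len(payload)) + payload
    return body + redundancy_a(body) + redundancy_b(body)


def check_datagram(raw: bytes, sender: int, receiver: int, last_seq: int):
    """Identity and authenticity check; returns (seq, payload) or None."""
    if len(raw) < HEADER.size + 2 * TAG_LEN:
        return None
    body = raw[:-2 * TAG_LEN]
    tag_a, tag_b = raw[-2 * TAG_LEN:-TAG_LEN], raw[-TAG_LEN:]
    # Authenticity: both redundancies must match, each computed by its own method.
    if not hmac.compare_digest(tag_a, redundancy_a(body)):
        return None
    if not hmac.compare_digest(tag_b, redundancy_b(body)):
        return None
    # Identity: expected sender and receiver, consistent length, fresh sequence number.
    got_sender, got_receiver, seq, length = HEADER.unpack_from(body)
    if (got_sender, got_receiver) != (sender, receiver):
        return None
    if length != len(body) - HEADER.size or seq <= last_seq:
        return None
    return seq, body[HEADER.size:]


def receive_in_executive_part(raw_via_a: bytes, raw_via_b: bytes, last_seq: int):
    """Model of the executive computers handling the copies that arrived on each branch.

    In the real equipment the receiving computer checks its copy, forwards it over
    the link between the two computers, and the peer repeats the check; one call
    stands in for both here. Returns (status, payload).
    """
    a = check_datagram(raw_via_a, CONTROL_PART, EXECUTIVE_PART, last_seq)
    b = check_datagram(raw_via_b, CONTROL_PART, EXECUTIVE_PART, last_seq)
    if a is not None and b is not None:
        # User data must be identical in both branches (mismatch handling is an assumption).
        return ("both", a[1]) if a == b else ("mismatch", None)
    if a is not None:
        return ("branch A only", a[1])
    if b is not None:
        return ("branch B only", b[1])
    return ("rejected", None)


if __name__ == "__main__":
    good = build_datagram(CONTROL_PART, EXECUTIVE_PART, 7, b"\x01\x00")  # constructed sample
    damaged = bytearray(good)
    damaged[9] ^= 0x01  # single bit error in the user data on branch A
    print(receive_in_executive_part(bytes(damaged), good, last_seq=6))
```

A copy whose body was altered and whose branch A redundancy was recomputed still fails, because the branch B redundancy no longer matches.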
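The vital source behaviour described above (vital supply is created only on activation with both dynamic signals present, is dropped when either executive computer stops generating its signal, and is not restored if the signal later reappears), as an added Python model that is not code or circuitry from the patent. Treating a "dynamic signal" as one that must change level within a fixed number of samples, the sample-based timing and all class and function names are assumptions.

```python
class DynamicSignalMonitor:
    """Alive only if the signal changed level within the last `timeout` samples.

    A signal stuck high or stuck low is therefore treated the same as a missing one.
    """

    def __init__(self, timeout: int = 2):
        self.timeout = timeout
        self.age = timeout        # samples since the last edge; starts as "not alive"
        self.last_level = None

    def sample(self, level: int) -> bool:
        if self.last_level is not None and level != self.last_level:
            self.age = 0
        else:
            self.age = min(self.age + 1, self.timeout)
        self.last_level = level
        return self.age < self.timeout


class VitalSource:
    """Model of VS: supplies the vital outputs while both branches prove they are running."""

    def __init__(self, timeout: int = 2):
        self.mon_a = DynamicSignalMonitor(timeout)
        self.mon_b = DynamicSignalMonitor(timeout)
        self.supply_on = False
        self.latched_off = False  # set once; cleared only by a new activation (new object)

    def step(self, va: bool, vb: bool, dyn_a: int, dyn_b: int) -> bool:
        alive_a = self.mon_a.sample(dyn_a)
        alive_b = self.mon_b.sample(dyn_b)
        healthy = va and vb and alive_a and alive_b
        if self.latched_off:
            return False                      # a restored dynamic signal is ignored
        if self.supply_on and not healthy:
            self.supply_on = False            # outputs fall to their vital state
            self.latched_off = True
        elif not self.supply_on and healthy:
            self.supply_on = True             # activation with VA, VB and both signals
        return self.supply_on


def run(trace):
    """Feed (va, vb, dyn_a, dyn_b) samples to a freshly activated vital source."""
    vs = VitalSource()
    return [vs.step(*sample) for sample in trace]


# Constructed trace: both computers toggle, then EC A hangs with its signal high
# for two samples, then its signal starts toggling again.
TRACE = [
    (True, True, 0, 0), (True, True, 1, 1), (True, True, 0, 0), (True, True, 1, 1),
    (True, True, 1, 0), (True, True, 1, 1),          # EC A stuck at 1
    (True, True, 1, 0), (True, True, 0, 1),          # EC A toggles again
    (True, True, 1, 0), (True, True, 0, 1),
]

if __name__ == "__main__":
    for sample, supply in zip(TRACE, run(TRACE)):
        print(sample, "vital supply on" if supply else "vital supply off")
```

In this model only constructing a new `VitalSource`, standing in for a controlled re-activation, brings the supply back.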

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Hardware Redundancy (AREA)
  • Vehicle Body Suspensions (AREA)
EP08734294A 2007-03-26 2008-03-26 Elektronische eisenbahnstellwerkanlage Active EP2139745B1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CZ20070224A CZ2007224A3 (cs) 2007-03-26 2007-03-26 Elektronický systém železnicního zabezpecovacího zarízení
PCT/CZ2008/000035 WO2008116429A1 (en) 2007-03-26 2008-03-26 Electronic railway interlocking equipment system

Publications (2)

Publication Number Publication Date
EP2139745A1 true EP2139745A1 (de) 2010-01-06
EP2139745B1 EP2139745B1 (de) 2011-02-02

Family

ID=39673355

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08734294A Active EP2139745B1 (de) 2007-03-26 2008-03-26 Elektronische eisenbahnstellwerkanlage

Country Status (5)

Country Link
EP (1) EP2139745B1 (de)
AT (1) ATE497462T1 (de)
CZ (1) CZ2007224A3 (de)
DE (1) DE602008004830D1 (de)
WO (1) WO2008116429A1 (de)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8515697B2 (en) 2010-05-06 2013-08-20 Ansaldo Sts Usa, Inc. Apparatus and method for vital signal state detection in overlay rail signal monitoring
CN104914816A (zh) * 2015-04-16 2015-09-16 潘小胜 一种基于linux平台的铁路联锁机柜组自动控制装置
JP6435256B2 (ja) * 2015-12-03 2018-12-05 株式会社日立製作所 鉄道保安システム
DE102016225424A1 (de) * 2016-12-19 2018-06-21 Siemens Aktiengesellschaft Eisenbahnanlage sowie Verfahren zu deren Betrieb
CN108306989B (zh) * 2018-04-20 2020-02-14 北京全路通信信号研究设计院集团有限公司 一种用于铁路调度集中系统的主备机数据同步方法
WO2020201949A1 (en) * 2019-03-29 2020-10-08 L&T Technology Services Limited System for setting up communication between a signal equipment room (ser) and wayside devices
CN111010258B (zh) * 2019-12-23 2022-01-28 卡斯柯信号有限公司 一种基于编码的计算机联锁系统通信方法

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6556898B2 (en) * 2001-05-18 2003-04-29 Bombardier Transportation Gmbh Distributed track network control system
ITSV20020009A1 (it) * 2002-02-22 2003-08-22 Alstom Transp Spa Metodo per la generazione di unita' logiche di comando degli apparatidi stazione a computer vitale, cioe' nelle unita' centrali di comando
CZ2003601A3 (en) * 2003-02-28 2004-06-16 AŽD Praha s.r.o. Electronic alarm device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2008116429A1 *

Also Published As

Publication number Publication date
EP2139745B1 (de) 2011-02-02
WO2008116429A1 (en) 2008-10-02
ATE497462T1 (de) 2011-02-15
DE602008004830D1 (de) 2011-03-17
CZ2007224A3 (cs) 2009-02-11

Similar Documents

Publication Publication Date Title
EP2139745A1 (de) Elektronische eisenbahnstellwerkanlage
CN109693690B (zh) 磁浮运行控制系统
US10843716B2 (en) Method and apparatus for an interlocking control device
WO2006051355A1 (en) A control system, a method to operate a control system, a computer data signal and a graphical user interface for rail-borne vehicles
EP0108363B1 (de) System zur Verwaltung und Steuerung des Zugverkehrs
CN110758489A (zh) 一种列车自动防护系统
CN101643074A (zh) 主备控制中心的热备系统
CN111831507A (zh) 具有安全等级设计的tcms-riom控制单元
CN105501259B (zh) 适用于cbtc的地面控制方法及系统
US4181945A (en) High-reliability vehicle control system
KR101210930B1 (ko) 열차용 선로변 다중화 정보처리모듈의 자동 절체제어기 감시 및 통신유지장치
WO2020007532A1 (de) Verfahren zum sicheren austausch und zur sicheren anzeige von zustandsdaten von sicherheitstechnischen komponenten
EP2990296B1 (de) System zur ausserbetriebnahme eines gleisabschnittes sowie anschlussmittel zum anschluss eines solchen systems an ein zugsicherungssystem des gleises
CN107959586A (zh) 一种基于云平台的船端集成导航系统网络架构
CN110979406A (zh) 一种交叉复用的信号系统安全计算平台
CN202879526U (zh) 机车信号环线发码箱故障处理装置
CN109249964A (zh) 一种基于调度集中系统的时钟同步系统
He et al. Analysis of Technical Schemes for Restructuring of Signaling Systems in Urban Rail Transit
CN109677454B (zh) 城市轨道交通信号系统中安全计算机平台的状态监控方法
JPH04259042A (ja) 列車運行管理システム
CN204681380U (zh) 一种采用dsp技术的gps/北斗双机冗余系统
CN114475701A (zh) 一种用于有轨车辆的分布式道岔控制系统
CN115848453A (zh) 一种可配置的应急信号系统及应急方法
McDonald et al. 3-vehicle health monitoring on the Docklands Light Railway
Mitchell Overview of Microprocessor-Based Controls in Transit and Concerns About Their Introduction

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20091026

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: RS

RIN1 Information on inventor provided before grant (corrected)

Inventor name: DOUBEK, PAVEL

Inventor name: VLCEK, MILOSLAV

Inventor name: MACHACEK, LUBOMIR

Inventor name: FUCHS, PAVEL

Inventor name: KIML, ALES

Inventor name: JELINEK, PETR

Inventor name: TEPLY, JIRI

Inventor name: BURDA, MARTIN

Inventor name: VEVERKOVA, ZDENKA

Inventor name: MARTINEC, JOSEF

RAX Requested extension states of the european patent have changed

Extension state: RS

Payment date: 20091021

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: RS

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REF Corresponds to:

Ref document number: 602008004830

Country of ref document: DE

Date of ref document: 20110317

Kind code of ref document: P

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602008004830

Country of ref document: DE

Effective date: 20110317

REG Reference to a national code

Ref country code: NL

Ref legal event code: VDEP

Effective date: 20110202

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110513

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110503

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110502

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110602

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110602

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

REG Reference to a national code

Ref country code: SK

Ref legal event code: T3

Ref document number: E 9319

Country of ref document: SK

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110502

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110331

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20111130

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

26N No opposition filed

Effective date: 20111103

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110404

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20111001

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110326

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 602008004830

Country of ref document: DE

Effective date: 20111001

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20120326

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120326

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120331

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110326

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230523

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: LT

Payment date: 20240305

Year of fee payment: 17

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: CZ

Payment date: 20240229

Year of fee payment: 17

Ref country code: SK

Payment date: 20240301

Year of fee payment: 17