EP2139745B1 - Electronic railway interlocking equipment system - Google Patents


Publication number
EP2139745B1
Authority
EP
European Patent Office
Prior art keywords
branch
vital
computer
executive
control
Legal status
Active
Application number
EP08734294A
Other languages
German (de)
French (fr)
Other versions
EP2139745A1 (en)
Inventor
Pavel Doubek
Martin Burda
Pavel Fuchs
Petr Jelinek
Ales Kiml
Lubomir Machacek
Josef Martinec
Jirí TEPLY
Zdenka Veverkova
Miloslav Vlcek
Current Assignee
AZD Praha SRO
Original Assignee
AZD Praha SRO

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L21/00 Station blocking between signal boxes in one yard
    • B61L19/00 Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06 Interlocking devices having electrical operation

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Hardware Redundancy (AREA)
  • Vehicle Body Suspensions (AREA)

Abstract

The control level (CONL) is connected by at least one external data link (EDL A, EDL B) to the executive level (EL), which contains at least one executive device (ED), which has three basic parts, being the control part (CP) made up of at least one control computer (CC), the executive part (EP) made up of at least one executive component (EC) and the supply part (SP) made up of at least one source (S). The control part (CP), executive part (EP) and supply part (SP) are mutually connected by at least one internal data link (IDL A, IDL B) of the executive device (ED).

Description

    Technical Field
  • The invention concerns the electronic railway interlocking equipment system, which is comprised of three essential levels, being the commanding level, control level and executive level. The commanding level is comprised of at least one arrangement of operating computers, which contains one active commanding computer and zero or at least one passive commanding computer for displaying only information that is not relevant to signalling. Each commanding computer system is data connected to the control level through a hub, connected to the vital computer of the respective branch for creating the vital core of the control level. To increase the availability of the electronic interlocking equipment system, the control level can contain further stand-by vital computers for the respective branches, while the executive level is made up of at least one commanding device.
  • Background of the Invention
  • Both relay signalling equipment and electronic interlocking equipment with relay outputs are currently used in the Czech Republic for signalling traffic on railway lines and in railway stations. Relay interlocking equipment no longer fulfils all the required functions at the current time. The logical circuits of relay interlocking equipment are created by strictly specified circuit connections made up primarily of special signalling relays of the 1st group of safety functions. This equipment is produced individually for each and every application and it is difficult to produce it separately for each application. It is also difficult to test this equipment for any production and design flaws in the production phase and when putting it into operation. Relay equipment cannot easily adapt to newly formulated requirements on the activity of interlocking equipment and changes in the railyard. This relay interlocking equipment takes up a large built-up space. It is also known that this interlocking equipment does not provide the required comfort for operators and maintenance personnel. Relay interlocking equipment cannot be easily connected to the remote control system and the possibility for connecting it to the higher systems used to support the control of traffic processes is also insufficient.
  • There is some electronic interlocking equipment that eliminates some of the drawbacks of relay interlocking equipment.
  • There is, for example, the electronic interlocking with relay outputs known under the brand name K-2000 from the Czech company Starmon s.r.o., Choceň, CZ, which works as a system with redundant safety in the 2 of 2 architecture.
  • The programmable interlocking equipment for trains and shunting components, particularly for siding and mine railways, by Czech company C-MODUL, spol. s r.o., Slušovice, CZ, which also works as a system with redundant safety in the 2 of 2 architecture and uses relay outputs, is also well known.
  • Processor interlocking equipment for the remote control connecting railway interlocking relay and/or electronic equipment from the Czech company ARGO is also well known. This equipment also works in the 2 of 2 architecture.
  • Various implementations of both relay interlocking equipment and electronic signalling equipment are used elsewhere in the world.
  • For example the signalling equipment from SIEMENS AG, DE is composed of a special SIMIS processor kit meant for use in interlocking equipment. The equipment works in 2 of 2 or 2 of 3 architecture with identical HW channels equipped with identical SW.
  • The interlocking equipment from Bombardier ATV, which works with backed up (duplicate) 2 of 2 architecture with identical HW channels and different software, is also well known.
  • The microprocessor interlocking equipment is also well known, primarily for the railway transport of the company CSEE-TRANSPORT. This equipment is comprised of two microprocessors arranged in parallel, the input of which is connected through an analogue-numerical converter to the output of analogue entry sensors.
  • ALCATEL AT's interlocking equipment, which works in 2 of 2 architecture in some of its parts and in 2 of 3 architecture in some of its other parts, is also known.
  • The closest solution is the ESA 11 interlocking equipment from AŽD Praha s.r.o., Prague, the Czech Republic, under Czech patent no. 293 635. This signalling equipment works in 2 of 2 architecture with a backup of some of its parts. The interlocking equipment is made up of control and executive parts.
  • The control part is made up of four vital computers, which are connected to a vital data network through the vital data network's hubs and to a control data network through the control data network's hubs. Branch A's main vital computer and branch B's main vital computer are connected with the vital data network's main hub and the control data network's main hub. Branch A's stand-by vital computer and branch B's stand-by vital computer are connected with the vital data network's stand-by hub and the control data network's stand-by hub. The vital data network's main hub is connected to the vital data network's stand-by hub and the control data network's main hub is connected to the control data network's stand-by hub. Branch A's main vital computer and branch A's stand-by vital computer are connected to the executive part, which is made up of at least one executing device. Branch B's main computer and branch B's stand-by computer are connected to the executive part. The vital data network's main hub is connected to at least one arrangement of operating computers, which is made up of at least one commanding computer and possibly at least one passive commanding computer. The vital data network's stand-by hub may be connected to at least one system of commanding computers, which is made up of at least one commanding computer and possibly at least one passive commanding computer. The control part can also be supplemented with a computer for maintenance, which can be connected through a redundant transceiver. In justified cases, the control part can be supplemented with a supervision system, connected by the main bridge or possibly by a stand-by bridge. The equipment controls the connected equipment in a secure manner on the basis of the connected equipment's input data and the operators' requirements. The equipment displays selected information to the operators. This interlocking equipment was successfully implemented in several dozen installations in the Czech Republic and abroad.
  • The executive part is comprised of branch A's executive computer, branch B's executive computer, a block of non-vital outputs, a supply block, a block of vital relay outputs, a block of input indications, a block of vital electronic outputs, a block of branch A's analogue inputs, a block of branch B's analogue inputs, a block of branch A's input indication controls, a block of branch B's input indication controls, a block of branch A's secure electronic output controls and a block of branch B's secure electronic output controls. Branch A's executive computer is connected with the control part, the block of non-vital outputs, supply block, block of secure relay outputs, block of branch A's analogue inputs, block of branch A's input indication controls, block of branch A's secure electronic output controls and branch B's executive computer. Branch B's executive computer is also connected with the control part, the block of non-vital outputs, supply block, block of secure relay outputs, block of branch B's analogue inputs, block of branch B's input indication controls and block of the 2nd branch's electronic output controls. The block of input indications is connected with the block of secure relay outputs, block of secure electronic outputs, a block of branch A's input indication controls and block of branch B's inputs indication controls. The block of secure electronic outputs is also connected with the block of branch A's vital electronic output controls and the block of branch B's vital electronic output controls. The block of branch A's analogue inputs is also connected with the block of branch B's analogue outputs. The executive level can be positioned for the use of the means of remote data transferral.
  • The strengths of this invention are the backup of the electronic configuration with the use of the possibility of remote control and positioning. The equipment enables the modification of its functions according to the operator's requirements. In its commanding and executive parts this interlocking equipment is backed up in such a manner so that any loss of functionality of the backed-up part does not cause a limitation of functions.
  • During several operations of this interlocking equipment a few disadvantages have become apparent. The use of up to four hubs in the control part is a disadvantage. Thus if any of them breaks down, the control part cannot work in stand-by mode. A breakdown of the executive part leads to a large part of the outer technological equipment being out of operation, which can lead to considerable limitations of railway traffic. Another disadvantage is the impossibility of backing up and merging communication lines connecting the control and executive parts, which is then shown particularly in the demands on the number of means of remote data transmission. The executive level's architectural concept used does not allow a subsequently fast reaction to demands for connecting other types of external technological equipment including adaptations to other railway operators' requirements. Last but not least, the considerable robustness of the executive level and the insufficient elimination of the type N relay (UIC) are disadvantages.
  • The objective of this invention is to discover a processor electronic railway interlocking equipment system that fulfils all the functional requirements placed on this equipment in the Czech Republic and that can easily be modified for the requirements of other railway operators while eliminating the failings and specified disadvantages of the solution according to Czech patent no. 293 635.
  • Summary of the Invention
  • This goal is fulfilled by the electronic railway interlocking equipment system pursuant to this invention, including three main levels, being the commanding level, control level and executive level. The essence of this invention consists in the new composition of these levels, especially the executive and control levels and also in the alternative overall new connection of these levels, as defined by claim 1. More details are provided below.
  • The executive level of the interlocking equipment is comprised of at least one executive device. In order to suitably configure the executive device, which is used:
    • for issuing
      • non-vital commands
      • vital contact commands
      • vital logical commands
      • vital coded logical commands
      • vital electronic commands
    • for reading
      • input logical indications
      • analogue inputs
    • for secure communications with other signalling devices and which communicates with the control part's vital computer or with the control part's stand-by vital computer, the executive device is made up of three basic parts:
    • the control part of the executive device
    • the executive part of the executive device
    • the supply part of the executive device.
  • The control part of the executive device and the executive part of the executive device are separately operating devices working in a secure manner pursuant to Czech standard ČSN 34 2600 and also in accordance with valid European Standards EN 50 126, EN 50 128, 50 129, EN 159-1 and EN 159-2.
  • The control part of the executive device is connected to the control level of the interlocking equipment using two communication channels, the control part of the executive device is connected to the executive part of the executive device using other communication channels and the control part of the executive device is connected to the supply part of the executive device using at least one communication channel.
  • The control part of the executive device is made up of one or two mutually-connected control computers of the executive part, with one of them being a stand-by.
  • The control computer of the executive device works in two of two regime and is made up of a branch A's control computer, branch B's control computer, branch A's external communication interface, branch B's external communication interface, branch A's internal communication interface, branch B's internal communication interface, vital power source and watch interface. In some cases it is useful to add a diagnostic computer to this configuration. The branch A's control computer is connected with the branch A's external communication interface, the branch A's control computer is connected with the branch A's internal communication interface, the branch A's control computer is connected with the diagnostic computer, the branch A's control computer is connected with the branch B's control computer, the branch A's control computer is connected with the vital power source and the branch A's control computer is connected with the watch interface. The branch B's control computer is connected with the branch B's external communication interface, the branch B's control computer is connected with the branch B's internal communication interface, the branch B's control computer is connected with the diagnostic computer, the branch B's control computer is connected with the branch B's control computer, the branch B's control computer is connected with the vital power source and the branch B's control computer is connected with the watch interface. The vital power source is connected to the branch A's control computer, the branch B's control computer, the branch A's external communication interface, the branch B's external communication interface, the branch A's internal communication interface, the branch B's internal communication interface and the watch interface. The watch interface is connected to the branch A's control computer, the branch B's control computer, the vital power source and it is connected to the supervision interface of the executive part's stand-by control computer.
  • The executive part of the executive device is made up of at least one executive component. The executive component is made up of a total of nine function parts:
  • The 1st function part works in two of two mode and is made up of the branch A's executive computer, the branch B's executive computer, branch A's internal communication interface, branch B's internal communication interface and vital power source. The branch A's executive computer is connected with the branch A's internal communication interface, the branch A's executive computer is connected with the branch B's executive computer and the branch A's executive computer is connected with the vital power source. The branch B's executive computer is connected with the branch B's internal communication interface, the branch B's executive computer is connected with the branch A's executive computer and the branch B's executive computer is connected with the vital power source.
  • The 2nd function part is made up of vital contact outputs, branch A's watch vital contact outputs and branch B's watch vital contact outputs. The vital contact outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part. The branch A's watch vital contact outputs are connected with the vital contact outputs and with the branch A's executive computer of the 1st function part. The branch B's watch vital contact outputs are connected with the vital contact output and with the branch B's executive computer of the 1st function part.
  • The 3rd function part is made up of vital logical outputs, branch A's watch vital logical outputs and branch B's watch vital logical outputs. The vital logical outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part. The branch A's watch vital logical outputs are connected with the vital logical outputs and with the branch A's executive computer of the 1st function part. The branch B's watch vital logical outputs are connected with the vital logical outputs and with the branch B's executive computer of the 1st function part.
  • The 4th function part is made up of vital coded logical outputs, branch A's watch vital coded logical outputs and branch B's watch vital coded logical outputs. The vital coded logical outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part. The branch A's watch vital coded logical outputs are connected with the vital coded logical outputs and with the branch A's executive computer of the 1st function part. The branch B's watch vital coded logical outputs are connected with the vital coded logical outputs and with the branch B's executive computer of the 1st function part.
  • The 5th function part is made up of vital electronic outputs, branch A's watch vital electronic outputs and branch B's watch vital electronic outputs. The vital electronic outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1st function part. The branch A's watch vital electronic outputs are connected with the vital electronic outputs and with the branch A's executive computer of the 1st function part. The branch B's watch vital electronic outputs are connected with the vital electronic outputs and with the branch B's executive computer of the 1st function part.
  • The 6th function part is made up of non-vital outputs. The non-vital outputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • The 7th function part is made up of logical inputs. The logical inputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • The 8th function part is made up of analogue inputs. The analogue inputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • The 9th function part is made up of vital data interfaces. The vital data interfaces are connected to the branch A's executive computer and to the branch B's executive computer of the 1st function part.
  • For the executive part of the executive device the 1st function part is always mandatory, and the appropriate combination of the other function parts depends on the control of the external vital equipment.
  • The supply part of the executive device is made up of one or two sources, with one of them being a stand-by.
  • Each source is made up of two partial sources, being the source for branch A, the source for branch B, control circuits, measurement circuits and an internal communication interface. The control circuits are connected to the source for branch A, the source for branch B and the internal communication interface. The measurement circuits are connected to the source for branch A, the source for branch B and the internal communication interface.
  • The control level of the interlocking equipment is comprised of four vital computers that are mutually connected to two networks, being the vital data network and the control network. The connection to the vital data network is achieved using hubs, and the connection to the control network is achieved by the vital computers' direct connection.
  • The branch A's vital computer and the branch B's vital computer are connected with the vital data network hub. The branch A's stand-by vital computer and the branch B's stand-by vital computer are connected with the stand-by vital data network hub. The hub of the vital data network is connected to the stand-by hub of the vital data network. The branch A's vital computer is directly connected to the branch B's vital computer and the branch B's vital computer is also directly connected to stand-by branch B's vital computer. The branch A's vital computer and branch A's stand-by vital computer are connected to the executive part, which is made up of at least one executive device. The branch B's vital computer and branch B's stand-by vital computer are connected to the executive part. The hub of the vital data network is connected to at least one arrangement of operating computers, which is comprised of at least one active commanding computer and possibly at least one passive commanding computer. The stand-by hub of the vital data network is potentially connected to at least one arrangement of operating computers, which is comprised of at least one active commanding computer and possibly at least one passive commanding computer.
  • This electronic interlocking equipment enables the division of the signalling equipment's control level into two reliability parts and two vital branches in the following arrangement. The branch A's vital computer, branch B's vital computer, vital data network hub and the branch A's vital computer's direct connection to the branch B's vital computer make up the first reliability part of the control level. The stand-by branch A's vital computer, stand-by branch B's vital computer, vital data network stand-by hub and the stand-by branch A's vital computer's direct connection to the stand-by branch B's vital computer make up the second reliability part of the control level. The branch A's vital computer directly connected to the stand-by branch A's vital computer makes up the first vital branch of the control level. The branch B's vital computer directly connected to the stand-by branch B's vital computer makes up the second vital branch of the control level.
  • The commanding level of the interlocking equipment is comprised of at least one command workplace. The command workplace is made up of active and passive commanding computers, which are connected to the control level of the signalling equipment through the hub that is part of the control level of the signalling equipment.
  • The main advantage of this processor electronic railway interlocking equipment system according to this invention is achieving an economically-effective configuration with a decrease in the number of active elements (hubs), using the possibilities of its remote control and remote positioning. The electronic interlocking equipment according to this invention enables its functionality to be modified according to the requirements of any operator.
  • The electronic interlocking equipment system according to this invention is backed up in its decisive parts, including the back-up of the communication branch, in such a manner that any loss of the backed-up parts' functionality does not cause any functional limitations. The electronic interlocking equipment system operates safely in accordance with Czech standard ČSN 34 2600 and also in accordance with valid European standards EN 50 126, EN 50 128, 50 129, EN 159-1 and EN 159-2.
  • The electronic interlocking equipment according to this invention enables cooperation with connected systems used for the support of controlled traffic.
  • Brief Description of the Drawings
  • The invention and its other advantages will become apparent from the following detailed description and the drawings, which illustrate:
    • Fig. 1: basic configuration of the electronic interlocking equipment system, made up from three basic levels, being the executive, control and commanding levels;
    • Fig. 2: basic configuration of the executive level's executive device made up of three parts, being the control, executive and supply parts;
    • Fig. 3: basic configuration of the control computer of the executive device's control part;
    • Fig. 4: basic configuration of the executive components of the executive part, made up of nine function parts;
    • Fig. 5: basic configuration of source of the executive device's supply part;
    • Fig. 6: alternative configuration of the electronic interlocking equipment from Fig. 1 with the connection of superior parts;
    • Fig. 7: alternative configuration of the electronic interlocking equipment from Fig. 1 with a remote executive device;
    • Fig. 8: alternative configuration of executive component from Fig. 4 for scanning logical inputs;
    • Fig. 9: alternative configuration of executive component from Fig. 4 for contact control;
    • Fig. 10: alternative configuration of executive component from Fig. 4 for logical outputs;
    • Fig. 11: alternative configuration of executive component from Fig. 4 for additional coding;
    • Fig. 12: alternative configuration of executive component from Fig. 4 for controlling signal devices or point machine motors by scanning logical inputs; and
    • Fig. 13: alternative configuration of executive component from Fig. 4 for the data control of the crossing control units, axle counters.
  • It is possible to divide the electronic signalling equipment system in the diagrams into two imaginary levels, being the reliability and vital levels. The reliability level includes the main part, the components of which are in the text below and in the diagrams without a numerical index, and the stand-by part, the components of which are marked with the lower index 1. The vital level is made up of two branches, which are differentiated by the lower index A and lower index B in the text below and in the diagrams.
  • Description of the Invention Preferred Embodiment Example I (Fig. 1)
  • The electronic railway interlocking/signalling equipment system is comprised of three essential levels, being the executive level EL, control level CONL and commanding level COML.
  • The commanding level COML of the interlocking equipment is made up of two arrangements of operating computers, being the first arrangement AOC1 of the operating computers and the second arrangement AOC2 of the operating computers. Each arrangement of operating computers, therefore the first arrangement AOC1 of the operating computers and the second arrangement AOC2 of the operating computers, is made up of at least one active commanding computer ACC and zero, one or more passive commanding computers PCC. In this specific example the configuration of the first arrangement AOC1 of operating computers is made up of one active commanding computer ACC and one passive commanding computer PCC. If at least two active commanding computers ACC are used, they are divided as symmetrically as possible into two arrangements of operating computers, thus into the first arrangement AOC1 of the operating computers and into the second arrangement AOC2 of the operating computers. If at least two passive commanding computers PCC are used, they are divided as symmetrically as possible into two arrangements of operating computers, thus into the first arrangement AOC1 of the operating computers and into the second arrangement AOC2 of the operating computers.
  • The passive commanding computer PCC only displays information that is not fail-safe relevant to operating personnel. This characteristic is made possible by communication in the vital data network in the control level CONL of the interlocking equipment, between the passive commanding computer PCC of the commanding level COML and the vital computer VC A for branch A, vital computer VC B for branch B, stand-by vital computer VC A1 for branch A and stand-by vital computer VC B1 for branch B.
  • The vital computer VC A for branch A and the vital computer VC B for branch B are connected to the vital data network's first reliability branch through the vital data network's hub HUB. The vital data network's hub HUB is connected via a data link to the vital computer VC A for branch A, via another data link to the vital computer VC B for branch B, and via another data link to the vital data network's stand-by hub HUB 1. Moreover, the first arrangement AOC1 of operating computers is connected to the vital data network's reliability branch A so that the vital data network's hub HUB is connected via a data link with the active commanding computer ACC and with the passive commanding computer PCC, which are the components of the first arrangement AOC1 of operating computers.
  • The stand-by vital computer VC A1 for branch A and stand-by vital computer VC B1 for branch B are connected to the vital data network's 2nd reliability branch through the vital data network's stand-by hub HUB 1 so that the vital data network's stand-by hub HUB 1 is connected via a data link to the stand-by vital computer VC A1 for branch A and via another data link to the stand-by vital computer VC B1 for branch B. The second arrangement AOC2 of operating computers is connected to the vital data network's 2nd reliability branch so that the vital data network's stand-by hub HUB 1 is connected via a data link to the active commanding computer ACC and to the passive commanding computer PCC, which are the components of the second arrangement AOC2 of the operating computers.
  • The control data network is created, by a direct connection of the vital computer VC A for branch A to the vital computer VC B for branch B via an internal data link IDLCL control level, by a direct connection of the vital computer VC A for branch A to the stand-by vital computer VC A1 for branch A via an internal data line IDLCL A control level for branch A, and by a direct connection of the vital computer VC B for branch B to the stand-by vital computer VC B1 for branch B via an internal data link.
  • The vital computer VC A for branch A and stand-by vital computer VC A1 for branch A are connected to the executive level EL for the signalling equipment by another external data link EDL A for branch A. The vital computer VC B for branch B and stand-by vital computer VC B1 for branch B are connected to the executive level EL of the signalling equipment by another external data link EDL B for branch B.
  • The control level CONL of the electronic railway signalling equipment system works as follows:
  • Each active commanding computer ACC receives instructions for non-vital operations from the operating personnel and displays non-vital information for the operating personnel; in prescribed cases it also accepts vital operating instructions from the operating personnel and displays vital information for the operating personnel. These characteristics are enabled by communication in the vital data network in the control level CONL between the active commanding computer ACC of the first arrangement AOC1 of operating computers and/or the second arrangement AOC2 of operating computers of the commanding level COML on the one hand, and the vital computer VC A for branch A, vital computer VC B for branch B, stand-by vital computer VC A1 for branch A and stand-by vital computer VC B1 for branch B on the other hand.
  • The vital computer VC A for branch A communicates with the executive device ED of the executive level EL through an external data link EDL A in such a manner that it transmits requests for issuing non-vital commands, for vital contact commands, for vital logical commands, for vital coded logical commands and for vital electronic commands to the executive device ED, and receives information from the executive device ED about the status of input logical indications and about analogue vital inputs, to the extent allowed by the executive device ED. Before being submitted to the executive device ED, the requests from the vital computer VC A for branch A are modified by a prescribed algorithm according to the relevant values that the vital computer VC A for branch A submits to the vital computer VC B for branch B through the internal data link IDLCL control level. Such modified requests are secured by redundancy created by the vital computer VC A for branch A, as well as by redundancy created by the vital computer VC B for branch B. The creation methods and the resulting redundancy created by the vital computer VC A for branch A and the redundancy created by the vital computer VC B for branch B are different. The redundancy created by the vital computer VC B for branch B is submitted to the vital computer VC A for branch A through an internal data link IDLCL control level.
  • The vital computer VC A for branch A receives datagrams, which contain indications from the executive device ED, from the executive device ED for branch A through an external data link EDL A for branch A. After the vital computer VC A for branch A checks the identity and authenticity of the datagrams received by the control computer CC, they are submitted to the vital computer VC B by an internal data link IDLCL control level. The vital computer VC B for branch B checks these datagrams, submitted by an internal data link IDLCL control level, for identity and authenticity pursuant to its algorithms.
  • The vital computer VC A for branch A also processes, through the vital data network, the operation commands, being both non-vital operations and vital operations, from each active commanding computer ACC of the first arrangement AOC1 of operating computers or from each commanding computer of the second arrangement AOC2 of operating computers. The vital computer VC A for branch A communicates with the vital computer VC B for branch B, with which it mutually exchanges (via an internal data link IDLCL control level) the data necessary for the detection of the first failure of the vital computer VC A for branch A or vital computer VC B for branch B. In order to ensure reliable activities during the failure of the vital computer VC A for branch A or during the failure of the vital computer VC B for branch B, the vital computer VC A for branch A sends data, used for the repeated configuration of the variables on the stand-by vital computer VC A1 for branch A, through the control data network's internal data link IDLCL A control level for branch A to the stand-by vital computer VC A1 for branch A, in certain time intervals, so that their values correspond to the values of the corresponding variables of the vital computer VC A for branch A.
  • The vital computer VC B for branch B communicates with the executive device ED of the executive level EL through an external data link EDL B for branch B in such a manner that it transmits requests for issuing non-vital commands, for vital contact commands, for vital logical commands, for vital coded logical commands and for vital electronic commands to the executive device ED, and receives information from the executive device ED about the status of input logical indications and about analogue vital inputs, to the extent allowed by the executive device ED. Before being sent to the executive device ED, the requests from the vital computer VC B for branch B are modified by a prescribed algorithm according to the relevant values that the vital computer VC B for branch B submits to the vital computer VC A for branch A through the internal data link IDLCL control level. Such modified requests are secured by redundancy created by the vital computer VC B for branch B, as well as by redundancy created by the vital computer VC A for branch A. The creation methods and the resulting redundancy created by the vital computer VC B for branch B and the redundancy created by the vital computer VC A for branch A are different. The redundancy created by the vital computer VC A for branch A is submitted to the vital computer VC B for branch B through an internal data link IDLCL control level.
  • The vital computer VC B for branch B receives datagrams, which contain indications from the executive device ED, from the executive device ED through an external data link EDL B for branch B. After the vital computer VC B for branch B checks the identity and authenticity of the datagrams received by the control computer CC, they are submitted to the vital computer VC A for branch A by an internal data link IDLCL control level. The vital computer VC A for branch A also checks these datagrams, submitted by an internal data link IDLCL control level, for identity and authenticity pursuant to its algorithms.
  • The vital computer VC B for branch B also processes, through the vital data network, the operation commands, being both non-vital operations and vital operations, from each active commanding computer ACC of the first arrangement AOC1 of operating computers or from each commanding computer of the second arrangement AOC2 of operating computers. The vital computer VC B for branch B communicates with the vital computer VC A for branch A, with which it mutually exchanges (via an internal data link IDLCL control level) the data necessary for the detection of the first failure of the vital computer VC B for branch B or vital computer VC A for branch A. In order to ensure reliable activities during the failure of the vital computer VC B for branch B or during the failure of the vital computer VC A for branch A, the vital computer VC B for branch B sends data, used for the repeated configuration of the variables on the stand-by vital computer VC B1 for branch B, through the control data network's internal data link IDLCL B control level for branch B to the stand-by vital computer VC B1 for branch B, in certain time intervals, so that their values correspond to the values of the corresponding variables of the vital computer VC B for branch B.
  • The stand-by vital computer VC A1 for branch A communicates with the stand-by vital computer VC B1 for branch B, with which it mutually exchanges the data necessary for the eventual detection of the 1st failure of the stand-by vital computer VC A1 for branch A or the stand-by vital computer VC B1 for branch B through the control data network's stand-by internal data link IDLCL 1 control level.
  • Connecting at least one active commanding computer ACC of the first arrangement AOC1 of operating computers, vital computer VC A for branch A and vital computer VC B for branch B to the vital data network's hub HUB, and also connecting at least one other active commanding computer ACC of the second arrangement AOC2 of operating computers, stand-by vital computer VC A1 for branch A and stand-by vital computer VC B1 for branch B to the vital data network's stand-by hub HUB 1, ensures the operability of the signalling equipment during any failure of the first active commanding computer ACC of the first arrangement AOC1 of operating computers, and/or the other active commanding computer ACC of the second arrangement AOC2 of operating computers, and/or the vital computer VC A for branch A, and/or the vital computer VC B for branch B, and/or the stand-by vital computer VC A1 for branch A, and/or the stand-by vital computer VC B1 for branch B, and/or any of the data links mutually connecting the aforementioned elements.
  • In order to ensure the full functionality of the control level CONL, i.e. the stand-by vital computer VC A1 for branch A and the stand-by vital computer VC B1 for branch B, during the failure of the vital computer VC A for branch A, and/or the failure of the vital computer VC B for branch B, and/or the failure of the vital data network's hub HUB, the stand-by branch A vital computer VC A1 copies the necessary internal variables to the branch A vital computer VC A via the control data network's internal data link IDLCL A control level for branch A, in prescribed time intervals, and the stand-by vital computer VC B1 for branch B copies the necessary internal variables to the vital computer VC B for branch B via the control data network's internal data link IDLCL B control level for branch B.
  • Ensuring synchronisation is a necessary condition for ensuring the reliable activities of the electronic interlocking equipment. The synchronisation must be provided by the synchronised activity of the vital computers VC A, VC B, VC A1, VC B1 of the control level CONL and the executive device ED of the executive level EL and all of their communications.
  • The synchronisation is ensured by the realisation of a synchronous mode, where the vital computer VC A for branch A is the source of synchronisation marks at prescribed time intervals in the vital data network and control data network for the vital computer VC B for branch B, for the stand-by vital computer VC A1 for branch A and for the stand-by vital computer VC B1 for branch B, and also for the executive device ED of the executive level EL.
  • During a failure of the vital computer VC A for branch A, the stand-by vital computer VC A1 for branch A takes over its function as the source of synchronisation marks for all the aforementioned data networks.
  • The vital computer VC A for branch A, or the stand-by vital computer VC A1 for branch A in the event of its failure, carries out the appropriate functions that are invoked by the operating commands through any of the active commanding computers ACC and also automatically carries out all the relevant traffic functions and ensures the processing and transfer of the train numbers.
  • The vital computer VC B for branch B, or the stand-by vital computer VC B1 for branch B, in the event of its failure, carries out the appropriate functions that are invoked by the operating commands through any of the active commanding computers ACC and also automatically carries out all the relevant traffic functions.
  • The fail-safe effect in the sense of CZ Standard ČSN 34 2600 and the proposed EN 50 129 is obtained by the use of the 2 of 2 system as a system with redundant safety, with a sufficiently timely detection of the "1st error," which cannot in and of itself cause an unsafe effect, though it could cause an unsafe effect in combination with another error. After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation of other failures. The detection of the 1st error and the vital reaction demonstrably occur in a time shorter than that in which the occurrence of a 2nd error (which could, in combination with the 1st error, cause an unsafe effect) can be expected with the prescribed probability. In order to ensure the vital effect, the vital computer VC A for branch A and stand-by vital computer VC A1 for branch A are also equipped with different software in comparison with the vital computer VC B for branch B and stand-by vital computer VC B1 for branch B, though the software for both the vital computer VC A for branch A and stand-by vital computer VC A1 for branch A and the vital computer VC B for branch B and stand-by vital computer VC B1 for branch B is processed according to a joint assignment.
  • Example 2 (Fig 2)
  • The configuration of the executive device ED, from which the executive level EL of the interlocking equipment is created, is illustrated in Fig. 2.
  • The executive device ED is comprised of a control part CP, executive part EP and supply part SP.
  • The executive device ED is connected to the control level CONL by connecting the control part CP to the control level CONL by external data link EDL A for branch A and with the control level CONL by external data link IDL B for branch B (Fig. 1).
  • The control part CP is comprised of a control computer CC and stand-by control computer CC 1 . The control computer CC is connected to the stand-by control computer CC 1 by an internal data link IDLCP control part. The stand-by control computer CC 1 is not essential and is used for increasing the reliability of the Control part CP.
  • The executive part EP is made up of at least one executive component EC.
  • The supply part SP is comprised of a source S and a stand-by source S 1. The stand-by source S 1 is not essential and is used for increasing the reliability of the supply part SP.
  • The control computer CC, stand-by control computer CC 1 and executive component EC are connected by internal data links IDL A and IDL B for respective branches A,B.
  • The control part CP and supply part SP are connected by external data link EDL A for branch A or by external data link EDL B for branch B.
  • The control computer CC, stand-by control computer CC 1 and each executive component EC are separately operating devices working in a secure manner pursuant to Czech standard ČSN 34 2600 and also in accordance with valid European standards EN 50 126, EN 50 128, EN 50 129, EN 159-1 and EN 159-2.
  • Example 3 (Fig. 3)
  • The configuration of the control computer CC of the control part CP of the executive device ED is specified in Fig. 3, from which it is evident that the basic configuration of the control computer CC of the control part CP of the executive device ED is put together from the following basic parts: the control computer CC A for branch A, control computer CC B for branch B, diagnostic computer DC, vital source VS, watch interface WI, external communication interface ECI A for branch A, external communication interface ECI B for branch B, internal communication interface ICI A for branch A and internal communication interface ICI B for branch B.
  • The control computer CC A for branch A communicates through the external communication interface ECI A for branch A and using an external data link EDL A for branch A with the control level CONL and also through the internal communication interface ICI A for branch A and using an internal data link IDL A for branch A with the executive component EC making up the executive part EP of the executive device ED (Fig. 2).
  • The control computer CC B for branch B communicates through the external communication interface ECI B for branch B and using an external data link EDL B for branch B with the control level CONL and also through the internal communication interface ICI B for branch B and using an internal data link IDL B for branch B with the executive component EC making up the executive part EP of the executive device ED (Fig. 2).
  • The control computer CC A for branch A and the control computer CC B for branch B communicate with each other by an internal data link IDLCC control computer between these control computers CC A and CC B.
  • The vital source VS is connected to the control computer CC A for branch A and the control computer CC B for branch B, the external communication interface ECI A for branch A, the external communication interface ECI B for branch B, the internal communication interface ICI A for branch A, the internal communication interface ICI B for branch B and the watch interface WI. The vital source VS is a circuit with internal security and with an anti-packing function, generating the vital power supply for the external communication interface ECI A for branch A, external communication interface ECI B for branch B, internal communication interface ICI A, internal communication interface ICI B of the respective branch A or B and for the watch interface WI. The activity of the vital source VS is controlled by the dynamic signals of the control computer CC A for branch A and the control computer CC B for branch B.
  • The watch interface WI is connected with the control computer CC A for branch A and with the control computer CC B for branch B. The direct connection of the control computer CC and stand-by control computer CC 1 according to Fig. 2 is carried out by connecting the watch interface WI of the control computer CC to the watch interface WI of the stand-by control computer CC 1 . This connection of the control computer's CC watch interface WI to the stand-by control computer's CC 1 watch interface WI enables the hot backup mode in the control part of the executive device CP.
  • The equipment can favourably contain a diagnostic computer DC, which is connected to the control computer CC A for branch A via a data link and the diagnostic computer DC is also connected with the control computer CC B for branch B, using a data link.
  • The control computer CC works as follows:
  • The control computer CC A for branch A and control computer CC B for branch B communicate with the control level CONL of the signalling equipment through external data link EDL A and external data link EDL B for respective branches A,B.
  • The control computer CC A for branch A receives datagrams from the vital computer VC A or the stand-by vital computer VC A1 of the interlocking equipment's control level CONL, through an external communication interface ECI A and external data link EDL A. The datagrams contain requests for issuing outputs to the executive part EP of the executive device ED. After the identity and authenticity of the received datagrams are checked by the control computer CC A for branch A, they are sent by an internal data link IDLCC control computers to the control computer CC B for branch B. The control computer CC B for branch B also checks the identity and authenticity of these datagrams sent by the internal data link IDLCC control computers, according to its algorithms.
  • The control computer CC A for branch A responds to the vital computer VC A or stand-by vital computer VC A1 of the signalling equipment's control level CONL by datagrams containing indications read by the executive part EP of the executive device ED. These datagrams are secured by redundancy created by the control computer CC A for branch A, as well as by redundancy created by the control computer CC B for branch B. The creation methods and the resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different. The redundancy created by the control computer CC A for branch A is passed to the control computer CC B for branch B by an internal data link IDLCC control computers.
  • The control computer CC B for branch B receives datagrams (which contain requests for issuing the outputs for the executive part EP of the executive device ED) from the vital computer VC B or the stand-by vital computer VC B1 of the signalling equipment's control level CONL through an external communication interface ECI A and data link EDL A for respective branches A,B. After the identity and authenticity of the received datagrams are checked by the control computer CC B for branch B, they are sent by an internal data link IDLCC control computers to the control computer CC A for branch A. The control computer CC A for branch A also checks the identity and authenticity of these datagrams sent by the internal data link IDLCC control computers, according to its algorithms.
  • The control computer CC B for branch B responds to the vital computer VC B or stand-by vital computer VC B1 for branch B of the interlocking equipment's control level CONL by datagrams containing indications read by the executive part EP of the executive device ED. These datagrams are secured by redundancy created by the control computer CC B for branch B, as well as by redundancy created by the control computer CC A for branch A. The creation methods and the resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different.
  • The redundancy created by the control computer CC A for branch A is passed to the control computer CC B for branch B by an internal data link IDLCC control computers.
  • The control computer CC A for branch A processes the datagrams received from the control level CONL, according to the given algorithms, and creates datagrams for the individual executive components EC for the executive part EP. These datagrams are secured by redundancy created by the control computer CC A for branch A, as well as by redundancy created by the control computer CC B for branch B. The creation method and the incurred redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B, are different. The redundancy created by the control computer CC B for branch B is passed to the control computer CC A for branch A, by an internal data link IDLCC control computers.
  • The control computer CC B for branch B processes the datagrams received from the control level CONL according to the given algorithms and creates datagrams for the individual executive components EC for the executive part EP. These datagrams are secured by redundancy created by the control computer CC B for branch B, as well as by redundancy created by the control computer CC A for branch A. The creation method and the incurred redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B, are different. The redundancy created by the control computer CC A for branch A is passed to the control computer CC B for branch B, by an internal data link IDLCC control computer.
  • After sending the datagram through the internal communication interface ICI A and data link IDL A for branch A to the individual executive components EC of the executive part EP, the control computer CC A for branch A receives the datagrams containing the indications read by the executive components EC. The control computer CC A for branch A processes the datagrams received from all the executive components EC of the executive part EP according to the algorithms into a consequent datagram meant for the vital computer VC A for branch A or for the stand-by vital computer VC A1 for branch A of the control level CONL. During the creation of these datagrams the mutual exchange of data through an internal data link IDLCC control computers between the control computer CC A for branch A and the control computer CC B for branch B takes place. These datagrams are secured by redundancy created by the control computer CC A for branch A, as well as by redundancy created by the control computer CC B for branch B. The creation method and the resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different. The redundancy created by the control computer CC B for branch B is passed to the control computer CC A for branch A by an internal data link IDLCC control computers.
  • After sending the datagram through the internal communication interface ICI B and data link IDL B for branch B to the individual executive components EC of the executive part EP, the control computer CC B for branch B receives the datagrams containing the indications read by the executive components EC. The control computer CC B for branch B processes the datagrams received from all the executive components EC of the executive part EP according to the algorithms into a consequent datagram meant for the vital computer VC B for branch B or for the stand-by vital computer VC B1 for branch B of the control level CONL. During the creation of these datagrams the mutual exchange of data through an internal data link IDLCC control computers between the control computer CC A for branch A and the control computer CC B for branch B takes place. These datagrams are secured by redundancy created by the control computer CC B for branch B, as well as by redundancy created by the control computer CC A for branch A. The creation method and the resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B are different. The redundancy created by the control computer CC A for branch A is passed to the control computer CC B for branch B by an internal data link IDLCC control computers.
  • The backup of the control part CP of the executive device ED is carried out as follows:
  • The control part CP of the executive device ED provides communication between the interlocking equipment's control level CONL and the executive device (Fig. 1) and also assures the control of the activities of the executive part EP of the executive device ED (Fig. 2). A failure of the control part CP of the executive device ED means the failure of the entire executive device ED. It is therefore very advantageous to back up the control part CP of the executive device ED. The principle of backing up is based on the characteristics of the watch interface WI. The active control computer CC and stand-by control computer CC 1 have their watch interfaces WI mutually connected by an internal data link IDLCP control part (Fig. 2). During a failure-free state the vital source VS of the control computer CC and the vital source VS of the stand-by control computer CC 1 generate power in a safe manner, which is then provided to the watch interface WI. By connecting the watch interface WI of the control computer CC with the watch interface WI of the stand-by control computer CC 1, the control computer CC has information on the existence of the stand-by control computer CC 1 and the stand-by control computer CC 1 has information on the existence of the control computer CC.
  • The activation of the control computer CC and stand-by control computer CC 1 is carried out in steps. If, during the activation of the control computer CC, no other control computer CC is detected by the watch interface WI, the control computer CC converts to active status. Subsequently, after the activation of the stand-by control computer CC 1, the existence of another control computer CC is detected by its watch interface WI and the stand-by control computer CC 1 goes into hot stand-by mode, where it waits for the necessary data from the control computer CC. The control computer CC detects the existence of a stand-by control computer CC 1 through its watch interface WI, and then sends it the necessary data for the proper hot stand-by activity. In other activities, the stand-by control computer CC 1 monitors the operation on the internal data links IDL A, IDL B for respective branches A,B and on the external data links EDL A, EDL B for respective branches A,B, and it performs all activities according to algorithms compatible with those of the control computer CC, except for sending datagrams to the executive device ED and to the control level CONL. In the event of a failure of the control computer CC the supply from its vital source VS is terminated, the watch interface WI of the stand-by control computer CC 1 evaluates this termination, and the stand-by control computer CC 1 switches to active status, i.e. it becomes the control computer CC.
  • The security of the control computer CC is ensured as follows:
  • The security of the control computer CC is based on the circuit of the vital source VS, which is designed as a circuit with internal security and an anti-packing function. If no failure is detected by the control computer CC A for branch A, the control computer CC A for branch A creates a dynamic signal for the vital source VS. If no failure is detected by the control computer CC B for branch B, the control computer CC B for branch B creates a dynamic signal for the vital source VS. The vital source VS only creates the vital power supply for the external communication interface ECI A, external communication interface ECI B, internal communication interface ICI A, internal communication interface ICI B for the respective branches A and B, and the watch interface WI during the activation of the control computer CC, i.e. during the controlled switching to voltage VA, VB for respective branches A,B (voltage of source S), under the simultaneous dynamic signal of control computer CC A for branch A and the dynamic signal of control computer CC B for branch B. When detecting the first failure, the control computer CC A for branch A stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the external communication interface ECI A, external communication interface ECI B, internal communication interface ICI A, internal communication interface ICI B for the branches A and B and the watch interface WI. The control computer CC A for branch A stops communicating with control computer CC B for branch B via the link IDLCC control computers. As a result of the interrupted communication via the internal data link IDLCC control computers, the control computer CC B for branch B also stops executing its program, and thus also generating the dynamic signal for the vital source VS.
The vital source VS will no longer react to any subsequent failure, during which the dynamic signal could be restored, and the vital supply is not restored. The control computer CC is in a secure state and irreversibly disengaged from its surroundings. When detecting the first failure, the control computer CC B for branch B stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the external communication interface ECI A, external communication interface ECI B, internal communication interface ICI A, internal communication interface ICI B for the branches A and B and the watch interface WI. The control computer CC B for branch B stops communicating with control computer CC A for branch A via the link IDLCC. As a result of the interrupted communication via the internal data link IDLCC control computers, the control computer CC A for branch A also stops executing its program, and thus also generating the dynamic signal for the vital source VS. The vital source VS will no longer react to any subsequent failure, during which the dynamic signal could be restored, and the vital supply is not restored. The control computer CC is in a secure state and is irreversibly disengaged from its surroundings.
  • The mutual backup of external data links EDL A and EDL B is carried out as follows:
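The activation order, hot stand-by takeover and first-failure shutdown described above can be traced in a small simulation. This is an added sketch, not code from the patent; the class names, the per-cycle toggle used as the dynamic signal and the cycle-based timing are assumptions.

```python
class VitalSource:
    """Assumed model of VS: supplies the interfaces only while BOTH channels
    keep changing their dynamic signal; once dropped, it latches off."""

    def __init__(self):
        self.on = False
        self.latched_off = False
        self._last = (0, 0)

    def start(self, sig_a, sig_b):
        # Controlled switch-on during activation; refused after a latch-off.
        if not self.latched_off:
            self.on, self._last = True, (sig_a, sig_b)

    def sample(self, sig_a, sig_b):
        # A static signal on either channel removes the vital supply for good.
        if self.on and not (sig_a != self._last[0] and sig_b != self._last[1]):
            self.on, self.latched_off = False, True
        self._last = (sig_a, sig_b)
        return self.on


class Channel:
    """One branch computer (CC A or CC B) of a control computer."""

    def __init__(self):
        self.running, self.signal = True, 0

    def step(self, peer_running, fault):
        # Stop on an own first failure, or when the partner went silent on IDLCC.
        if fault or not peer_running:
            self.running = False
        if self.running:
            self.signal ^= 1  # dynamic signal: toggles once per cycle


class ControlComputer:
    def __init__(self, name):
        self.name, self.role, self.peer = name, "off", None
        self.a, self.b, self.vs = Channel(), Channel(), VitalSource()

    def activate(self):
        self.vs.start(self.a.signal, self.b.signal)
        # The watch interface sees the peer only while the peer's VS supplies it.
        peer_present = self.peer is not None and self.peer.vs.on
        self.role = "hot-standby" if peer_present else "active"

    def cycle(self, fault_a=False, fault_b=False):
        if self.role == "off":
            return self.role
        a_was, b_was = self.a.running, self.b.running
        self.a.step(b_was, fault_a)
        self.b.step(a_was, fault_b)
        if not self.vs.sample(self.a.signal, self.b.signal):
            self.role = "disengaged"      # secure state, irreversible
        elif self.role == "hot-standby" and not self.peer.vs.on:
            self.role = "active"          # peer's vital supply vanished: take over
        return self.role

    def may_transmit(self):
        # The stand-by computer does everything except sending datagrams.
        return self.role == "active" and self.vs.on


def run_scenario():
    """CC starts first, CC 1 second; CC A of CC fails in cycle 3."""
    cc, cc1 = ControlComputer("CC"), ControlComputer("CC 1")
    cc.peer, cc1.peer = cc1, cc
    cc.activate()
    cc1.activate()
    history = [(cc.role, cc1.role)]
    for n in range(1, 5):
        cc.cycle(fault_a=(n == 3))
        cc1.cycle()
        history.append((cc.role, cc1.role))
    return history, cc, cc1


if __name__ == "__main__":
    for step, roles in enumerate(run_scenario()[0]):
        print(step, roles)
```
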
  • The user data stored in the datagrams submitted between the control level CONL and executive device ED have an identical value in branch A and in branch B obtained by the relevant algorithms for harmonising data between the branches A,B.
  • The datagrams submitted by the vital computer VC A for branch A to the executive device ED are given redundancy created by the vital computer VC A for branch A, as well as by redundancy created by the vital computer VC B for branch B. The creation method and resulting redundancy created by the vital computer VC A for branch A and the redundancy created by the vital computer VC B for branch B, are different. After receiving these datagrams the control computer CC A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the control computer CC B for branch B over the internal data link IDLCC control computers. The control computer CC B for branch B also checks the identity and authenticity for these datagrams according to security algorithms, both for branch A and branch B. The datagrams sent by the vital computer VC B for branch B to the executive device ED are given redundancy created by the vital computer VC B for branch B, as well as by redundancy created by the vital computer VC A for branch A. The creation method and resulting redundancy created by the vital computer VC B for branch B, and the redundancy created by the vital computer VC A for branch A, are different. After receiving these datagrams the control computer CC B for branch B checks their identity and authenticity according to security algorithms, both for branch B and branch A. After being successfully inspected, the datagrams are sent to the control computer CC A for branch A over the internal data link IDLCC. The control computer CC A for branch A also checks the identity and authenticity for these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both control computer CC A for branch A and control computer CC B for branch B, have the datagram from branch B available. 
If a failure or damaged datagram occurs in branch B, both control computer CC B for branch B and control computer CC A for branch A, have the datagram from branch A available.
  • The situation is analogous in the opposite direction for sending the datagram, i.e. sending the datagrams from the executive device ED to the control level CONL. The datagrams submitted by control computer CC A for branch A to the control level CONL are given redundancy created by both the control computer CC A for branch A, as well as by redundancy created by control computer CC B for branch B. The creation method and resulting redundancy created by the control computer CC A for branch A, and the redundancy created by the control computer CC B for branch B, are different. After receiving these datagrams the vital computer VC A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the vital computer VC B for branch B over the internal data link IDLCL. The vital computer VC B for branch B also checks the identity and authenticity for these datagrams according to security algorithms, both for branch A and branch B. The datagrams sent by the control computer CC B for branch B to the control level CONL are given redundancy created by both the control computer CC B for branch B as well as by redundancy created by the control computer CC A for branch A. The creation method and resulting redundancy created by the control computer CC B for branch B, and the redundancy created by the control computer CC A for branch A, are different. After receiving these datagrams the vital computer VC B for branch B checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the vital computer VC A for branch A over the internal data link IDLCL control level. The vital computer VC A for branch A also checks the identity and authenticity for these datagrams according to the security algorithms, both for branch A and for branch B. 
If a failure or damaged datagram occurs in branch A, both vital computer VC A and vital computer VC B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both vital computer VC B for branch B and vital computer VC A for branch A, have the datagram from branch A available.
  • It is possible to use one common medium for transmission since the creation method and subsequent redundancy for branch A and branch B are independent.
  • The diagnostic computer DC, which gathers, stores and sorts the operational and functional statuses for the executive device ED that are sent from the control computer CC A for branch A and control computer CC B for branch B is used to ensure the transfer for the diagnostic data.
  • The fail-safe effect in the sense for CSN 34 2600 and the proposed EN 50 129 is contained both by the use for the 2 for 2 system as a system with redundant safety with a sufficiently timely detection for the "1st error," which cannot in and for itself cause an unsafe effect, though could cause an unsafe effect in combination with another error. After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation for other failures. The detection for the 1st error and the vital reaction demonstrably occurs in a time shorter than the occurrence for a 2nd error (which could, in combination with the 1st error, cause an unsafe effect) can be expected with the prescribed probability. In order to ensure the fail-safe effect the vital computer VC A for branch A and stand-by vital computer VC A1 for branch A, are also equipped with different software in comparison with the vital computer VC B for branch B and stand-by vital computer VC B1 for branch B, though the software for both the vital computer VC A for branch A and stand-by vital computer VC A1 for branch A, and the vital computer VC B for branch B and stand-by vital computer VC B1 for branch B, is processed according to a joint assignment.
  • Example 4 (Fig. 4)
  • The configuration for the executive component EC, from which the executive part EP is created, is illustrated in Fig. 4.
  • The executive component EC is comprised for nine function parts FP1, FP2 to FP9. The first function part FP1 and any for the second FP2 to the ninth function parts FP9 or their combination is always necessary for the proper activity for the executive component EC.
  • The executive component EC thus always contains the first function part FP1, connected with at least one other function part FP2 - FP9, always through the executive computer EC A for branch A and the executive computer EC B branch B, or also through the vital source VS.
  • The first function part FP1 is comprised for two executive computers EC A , EC B, which are mutually connected by an internal data link IDLEC executive computers. The executive computer EC A for branch A is connected in both directions with the internal communication interface ICI A for branch A, and is also connected to the vital source VS. The executive computer EC B for branch B is connected in both directions with the internal communication interface ICI B for branch B and is also connected to the vital source VS. The vital source VS is connected to the two internal communication interfaces ICI A , ICI B , connected to the internal data links IDL A , IDL B for the executive device ED.
  • The second function part FP2 is comprised for vital contact outputs VCO, watch WVCO A vital contact outputs for branch A, and watch WVCO B vital contact outputs for branch B. The vital contact outputs VCO are connected to the watch WVCO A , WVCO B vital contact outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EC A , EC B for the respective branch A or B. The watch WVCO A , WVCO B vital contact outputs for the respective branch A or B are also connected to the executive computers EC A , EC B for the respective branch A or B.
  • The third function part FP3 is comprised for vital logical outputs VLO, watch WVLO A vital logical outputs for branch A, and watch WVLO B vital logical output for branch B. The vital logical outputs VLO are connected to the watch WVLO A , WVLO B vital logical outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EC A , EC B for the respective branch A or B. The watch WVLO A , WVLO B vital logical outputs for the respective branch A or B are also connected to the executive computers EC A , EC B for the respective branch A or B.
  • The fourth function part FP4 is comprised for vital coded logical outputs VCLO, watch WVCLO A vital coded logical outputs for branch A, and watch WVCLO B vital coded logical outputs for branch B. The vital coded logical outputs VCLO are connected to the watches WVCLO A , WVCLO B vital coded logical outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EC A , EC B for the respective branch A or B. The watches WVCLO A , WVCLO B vital coded logical outputs for the respective branch A or B are also connected to the executive computers EC A , EC B for the respective branch A or B.
  • The fifth function part FP5 is comprised for vital analogue outputs VAO, watch WVAO A vital analogue outputs for branch A, and watch WVAO B vital analogue outputs for branch B. The vital analogue outputs VAO are connected to the watch WVAO A , WVAO B vital analogue outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EC A , EC B for the respective branch A or B. The watch WVAO A , WVAO B vital analogue outputs for the respective branch A or B are also connected to the executive computers EC A , EC B for the respective branch A or B.
  • The sixth function part FP6 is comprised for non-vital outputs NO, which are connected with the executive computers EC A , EC B for the respective branch A or B.
  • The seventh function part FP7 is comprised for logical inputs LI, which are connected with the executive computers EC A , EC B for the respective branch A or B.
  • The eighth function part FP8 is comprised for analogue inputs AI, which are connected with the executive computers EC A , EC B for the respective branch A or B.
  • The ninth function part FP9 is comprised for the vital data interface VDI, which is connected to the vital source VS and also to the executive computers EC A , EC B for the respective branch A or B.
  • The executive computer EC A for branch A communicates with the control part CP through the internal communication interface ICI A and via the internal data link IDL A for branch A (Fig. 2).
  • The executive computer EC B for branch B communicates with control part CP through the internal communication interface ICI B and via the internal data link IDL B for branch B (Fig. 2).
  • Both the executive computer EC A and executive computer EC B for respective branches A, B communicate with each other by an internal data link IDLEC executive computers between these executive computers EC A and EC B . The vital source VS is connected to the executive computers EC A and EC B , to the internal communication interfaces ICI A and ICI B , to the vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI. The vital source VS is a circuit with internal security and with an anti-packing function generating the vital power supply for the supply for internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI. The activity for the vital source VS is controlled by the dynamic signals for the executive computers EC A and EC B .
  • The executive component EC for the executive part EP for the executive device ED works as follows:
  • The executive computer EC A for branch A and executive computer EC B for branch B communicate with the control part CP for the executive device ED, through the internal data link IDL A for branch A and the internal data link IDL B for branch B.
  • The executive computer EC A for branch A receives datagrams from the branch A control computer CC or from the branch A stand-by control computer CC A1 for the control part CP for the executive device ED (Fig. 2), which contain requests for issuing outputs or requests for the transmission for scanned indications by the executive component EC through the internal communication interface ICI A and internal data link IDL A for branch A. After the identity and authenticity for the datagrams received by the executive computer EC A for branch A are checked, they are transmitted to the executive computer EC B for branch B, by an internal data link IDLEC executive computers. The executive computer EC B for branch B also controls these datagrams, submitted by an internal data link IDLEC executive computers, for identity and authenticity pursuant to its algorithms.
  • The executive computer EC A for branch A responds via branch A for the control computer CC and via branch A for the stand-by control computer CC A1 (if the stand-by control computer CC 1 is used) with datagrams containing indications read by the executive component EC. These datagrams are secured by redundancy created by the executive computer EC A for branch A, as well as by redundancy created by the executive computer EC B for branch B. The creation method and the incurred redundancy created by the executive computer EC A for branch A and the redundancy created by the executive computer EC B for branch B, are different. The redundancy created by the executive computer EC A for branch A, is passed to the executive computer EC B for branch B, by an internal data link IDLEC executive computers.
  • The executive computer EC B for branch B receives the datagrams from branch B for the control computer CC or from branch B for the stand-by control computer CC B1 for the control part for the executive device CP through the internal communication interface ICI B and internal data link IDL B for branch B. The datagrams contain requests for issuing outputs or requests for the transfer for indications scanned by the executive part EP. After the identity and authenticity for the datagrams received by the executive computer EC B for branch B are checked, they are transmitted to the executive computer EC A for branch A by an internal data link IDLEC executive computers. The executive computer EC A for branch A also controls these datagrams, submitted by a data link IDLEC executive computers, for identity and authenticity pursuant to its algorithms.
  • The executive computer EC B for branch B responds via branch B for the control computer CC and via branch B for the stand-by control computer CC B1 (if the stand-by control computer CC 1 is used) with datagrams containing indications read by the executive component EC. These datagrams are secured by redundancy created by the executive computer EC B for branch B, as well as by redundancy created by the executive computer EC A for branch A. The creation method and the incurred redundancy created by the executive computer EC B for branch B and the redundancy created by the executive computer EC A for branch A, are different. The redundancy created by the executive computer EC B for branch B, is passed to the executive computer EC A for branch A, by an internal data link IDLEC executive computers.
  • The executive computer EC A for branch A processes the datagram received from the control part CP for the executive device ED pursuant to the given algorithms and the executive computer EC A for branch A controls vital contact outputs VCO for issuing vital contact commands. The executive computer EC A for branch A controls vital logical outputs VLO for issuing vital logical commands. The executive computer EC A for branch A controls vital coded logical outputs VCLO for issuing vital coded logical commands. The executive computer EC A for branch A controls vital analogue outputs VAO for issuing vital analogue commands. The executive computer EC A for branch A controls non-vital outputs NO for issuing non-vital commands. The executive computer EC A for branch A performs the control activities for the vital contact outputs VCO through watch WVCO A vital contact outputs for branch A. The executive computer EC A for branch A performs the control activities for the vital logical outputs VLO through watch WVLO A vital logical outputs for branch A. The executive computer EC A for branch A performs the control activities for the vital coded logical outputs VCLO through watch WVCLO A vital coded logical outputs for branch A. The executive computer EC A for branch A performs the control activities for the vital analogue outputs VAO through watch WVAO A vital analogue outputs for branch A.
  • The executive computer EC B for branch B processes the datagram received from the control part CP for the executive device ED pursuant to the given algorithms and the executive computer EC B for branch B controls vital contact outputs VCO for issuing vital contact commands. The executive computer EC B for branch B controls vital logical outputs VLO for issuing vital logical commands. The executive computer EC B for branch B controls vital coded logical outputs VCLO for issuing vital coded logical commands. The executive computer EC B for branch B controls vital analogue outputs VAO for issuing vital analogue commands. The executive computer EC B for branch B controls non-vital outputs NO for issuing non-vital commands. The executive computer EC B performs the control activities for the vital contact outputs VCO through watch WVCO B vital contact outputs for branch B. The executive computer EC B for branch B performs the control activities for the vital logical outputs VLO through watch WVLO B vital logical outputs for branch B. The executive computer EC B for branch B performs the control activities for the vital coded logical outputs VCLO through watch WVCLO B vital coded logical outputs for branch B. The executive computer EC B for branch B performs the control activities for the vital analogue outputs VAO through watch WVAO B vital analogue outputs for branch B.
  • In order to achieve the required security for the vital contact commands, they are only issued in the event that the executive computer EC A for branch A and executive computer EC B for branch B carry out the identical commanding for vital contact outputs VCO. The watch WVCO A vital contact outputs for branch A is used by the executive computer EC A for branch A to control the vital contact outputs VCO issued by the executive computer EC A for branch A, and to control the vital contact outputs VCO issued by the executive computer EC B for branch B. The watch WVCO B vital contact outputs for branch B is used by the executive computer EC B for branch B to control the vital contact outputs issued by the executive computer EC B for branch B and to control the vital contact outputs issued by the executive computer EC A for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction.
  • In order to achieve the required security for the vital logical commands, they are only issued in the event that the executive computer EC A for branch A and executive computer EC B for branch B carry out the identical commanding for vital logical outputs VLO. The watch WVLO A vital logical outputs for branch A is used by the executive computer EC A for branch A to control the vital logical outputs issued by the executive computer EC A for branch A, and to control the vital logical outputs issued by the executive computer EC B for branch B. The watch WVLO B vital logical outputs for branch B is used by the executive computer EC B for branch B, to control the vital logical outputs issued by the executive computer EC B for branch B, and to control the vital logical outputs issued by the executive computer EC A for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction.
  • In order to achieve the required security for the vital coded logical commands, they are only issued in the event that the executive computer EC A for branch A and executive computer EC B for branch B carry out the identical commanding for vital coded logical outputs VCLO. The watch WVCLO A vital coded logical outputs for branch A is used by the executive computer EC A for branch A to control the vital coded logical outputs issued by the executive computer EC A for branch A, and to control the vital coded logical outputs issued by the executive computer EC B for branch B. The watch WVCLO B vital coded logical outputs for branch B is used by the executive computer EC B for branch B to control the vital coded logical outputs issued by the executive computer EC B for branch B, and to control the vital coded logical outputs issued by the executive computer EC A for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction.
  • In order to achieve the required security for the vital analogue commands, they are only issued in the event that the executive computer EC A for branch A and executive computer EC B for branch B carry out the identical commanding for vital analogue outputs VAO. The watch WVAO A vital analogue outputs for branch A is used by the executive computer EC A for branch A to control the vital analogue outputs issued by the executive computer EC A for branch A, and to control the vital analogue outputs issued by the executive computer EC B for branch B. The watch WVAO B vital analogue outputs for branch B is used by the executive computer EC B for branch B to control the vital analogue outputs issued by the executive computer EC B for branch B and to control the vital analogue outputs issued by the executive computer EC A for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction.
  • In order to achieve the required security for the vital reading for logical indications, the executive computer EC A for branch A and executive computer EC B for branch B compare each other's values for the logical inputs LI. An internal data link IDLEC executive computers is used in order to transfer the read indications between the executive computer EC A for branch A and executive computer EC B for branch B. Moreover all for the inputs are tested for the ability for their controlled switch to basic status. A discrepancy calls a vital reaction.
  • In order to achieve the required security for the vital reading for analogue indications, the executive computer EC A for branch A and executive computer EC B for branch B compare each other's values for the analogue inputs AI. An internal data link IDLEC executive computers is used in order to transfer the read indications between the executive computer EC A for branch A and executive computer EC B for branch B. A discrepancy calls a vital reaction.
  • The ninth function part comprised for a vital data interface VDI is used for the vital or non-vital data connection for some interlocking equipment and, in cooperation with the executive computer EC A for branch A and the executive computer EC B for branch B, performs the transformation for the data from/to the connected interlocking equipment into a suitable structure and performs the relevant algorithms.
  • The security for the executive component EC is ensured as follows:
  • The security for the executive component EC is based on the circuit for the vital source VS, which is designed as a circuit with internal security and an anti-packing function. If no failure is detected by the executive computer EC A for branch A, the executive computer EC A for branch A creates a dynamic signal for the vital source VS. If no failure is detected by the executive computer EC B for branch B, the executive computer EC B for branch B creates a dynamic signal for the vital source VS. Only during the activation for the executive component, i.e. for the controlled switching to voltage VA, VB for source S and for the dynamic signal for the executive computer EC A for branch A, and for the dynamic signal for the executive computer EC B for branch B, does the vital source VS create the vital power supply for the internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI. When detecting the first failure, the executive computer EC A for branch A stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI, which switch to the vital state. The executive computer EC A for branch A stops communicating with executive computer EC B for branch B, via the internal data link IDLEC executive computers. 
As a result for the interrupted communication via the internal data link IDLEC executive computers, the executive computer EC B for branch B also stops executing its program, and thus also generating the dynamic signal for the vital source VS. The vital source VS will no longer react to any subsequent failure, during which the dynamic signal would be restored, and the vital supply is not restored. The executive component EC is in a secure state and irreversibly disengaged from its surroundings. When detecting the first failure, the executive computer EC B for branch B stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the internal communication interface ICI A for branch A, internal communication interface ICI B for branch B, vital contact outputs VCO, vital logical outputs VLO, vital coded logical outputs VCLO, vital analogue outputs VAO and vital data interface VDI, which switch to the vital state. The executive computer EC B for branch B stops communicating with executive computer EC A for branch A, via the internal data link IDLEC executive computers. As a result for the interrupted communication via the internal data link IDLEC executive computers, the executive computer EC A for branch A also stops executing its program, and thus also generating the dynamic signal for the vital source VS. The vital source VS will no longer react to any subsequent failure, during which the dynamic signal would be restored, and the vital supply is not restored. The executive component EC is in a secure state and irreversibly disengaged from its surroundings.
  • The mutual backup for internal data links IDL A and IDL B for the executive device ED is carried out as follows:
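The vital source behaviour described above for the control computer CC and for the executive component EC can be modelled as a small state machine. This is an added C example, not code from the patent; the sampling model, `EDGE_TIMEOUT` and all type and function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define EDGE_TIMEOUT 2  /* assumed: samples a signal may go without an edge */

typedef enum { VS_OFF, VS_ARMED, VS_ON, VS_LATCHED } vs_state;

typedef struct {
    vs_state state;
    bool last_level[2];   /* last sampled level, 0 = branch A, 1 = branch B */
    unsigned quiet[2];    /* consecutive samples without an edge */
} vital_source;

typedef struct {
    bool running;         /* program still executing */
    bool level;           /* level of the dynamic-signal output */
} branch_cpu;

/* Controlled switch-on: arm the source. Supply starts only once both
   branch signals are seen alternating. */
void vs_activate(vital_source *vs, bool level_a, bool level_b) {
    vs->state = VS_ARMED;
    vs->last_level[0] = level_a;
    vs->last_level[1] = level_b;
    vs->quiet[0] = vs->quiet[1] = EDGE_TIMEOUT + 1;   /* no edge seen yet */
}

/* Sample both signals once; returns true while vital supply is delivered.
   A static level (stuck high or low) never counts as a dynamic signal. */
bool vs_sample(vital_source *vs, bool level_a, bool level_b) {
    bool level[2] = { level_a, level_b };
    for (int i = 0; i < 2; i++) {
        if (level[i] != vs->last_level[i]) vs->quiet[i] = 0;
        else if (vs->quiet[i] <= EDGE_TIMEOUT) vs->quiet[i]++;
        vs->last_level[i] = level[i];
    }
    bool both = vs->quiet[0] <= EDGE_TIMEOUT && vs->quiet[1] <= EDGE_TIMEOUT;
    if (vs->state == VS_ARMED && both) vs->state = VS_ON;
    else if (vs->state == VS_ON && !both) vs->state = VS_LATCHED; /* never left */
    return vs->state == VS_ON;
}

/* One program cycle: a branch halts on its own detected failure or when
   the peer went silent on the internal data link, and then stops toggling. */
void cpu_cycle(branch_cpu *self, bool own_failure, bool peer_was_running) {
    if (own_failure || !peer_was_running) self->running = false;
    if (self->running) self->level = !self->level;
}

typedef struct {
    int supply_lost_at;          /* cycle in which vital supply dropped, -1 if never */
    bool peer_halted;            /* branch B stopped after branch A failed */
    bool supply_after_revival;   /* supply seen again after signals resumed */
    vs_state final_state;
} sim_result;

/* Branch A detects a failure in fail_cycle. From revive_cycle on, both pins
   toggle again (a later fault restoring the dynamic signal). */
sim_result simulate(int fail_cycle, int revive_cycle, int cycles) {
    branch_cpu a = { true, false }, b = { true, false };
    vital_source vs = { VS_OFF, { false, false }, { 0, 0 } };
    sim_result r = { -1, false, false, VS_OFF };
    bool prev = false;
    vs_activate(&vs, a.level, b.level);
    for (int t = 0; t < cycles; t++) {
        bool a_was = a.running, b_was = b.running;
        cpu_cycle(&a, t == fail_cycle, b_was);
        cpu_cycle(&b, false, a_was);
        if (t >= revive_cycle) { a.level = !a.level; b.level = !b.level; }
        bool supply = vs_sample(&vs, a.level, b.level);
        if (prev && !supply && r.supply_lost_at < 0) r.supply_lost_at = t;
        if (t >= revive_cycle && supply) r.supply_after_revival = true;
        prev = supply;
    }
    r.peer_halted = !b.running;
    r.final_state = vs.state;
    return r;
}

int main(void) {
    sim_result r = simulate(5, 12, 20);
    printf("supply lost at cycle %d, peer halted=%d, restored=%d\n",
           r.supply_lost_at, r.peer_halted, r.supply_after_revival);
    return 0;
}
```

The latch is what makes the safe state irreversible: once `VS_LATCHED` is entered, resumed toggling on both pins is ignored until the next controlled activation.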
  • The user data stored in the datagrams submitted between the control part CP and executive part EP have an identical value in branch A and in branch B obtained by the relevant algorithms for harmonising data between the branches.
  • The datagrams submitted by control computer CC A for branch A to executive part EP are given redundancy created by both control computer CC A for branch A, as well as by redundancy created by control computer CC B for branch B. The creation method and resulting redundancy created by the control computer CC A for branch A and the redundancy created by the control computer CC B for branch B, are different. After receiving these datagrams the executive computer EC A for branch A checks their identity and authenticity, according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the executive computer EC B for branch B over the internal data link IDLEC executive computers. The executive computer EC B for branch B also checks the identity and authenticity for these datagrams, according to security algorithms, both for branch A and branch B. The datagrams sent by the control computer CC B for branch B to the executive part EP are given redundancy created by both the control computer CC B for branch B, as well as by redundancy created by the control computer CC A for branch A. The creation method and resulting redundancy created by the control computer CC B for branch B, and the redundancy created by the control computer CC A for branch A, are different. After receiving these datagrams the executive computer EC B for branch B checks their identity and authenticity according to security algorithms, both for branch B and branch A. After being successfully inspected, the datagrams are sent to the executive computer EC A for branch A over the internal data link IDLEC executive computers. The executive computer EC A for branch A also checks the identity and authenticity for these datagrams, according to the security algorithms, both for branch A and for branch B. 
If a failure or damaged datagram occurs in branch A, both executive computer EC A for branch A and executive computer EC B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both executive computer EC B for branch B and executive computer EC A for branch A, have the datagram from branch A available.
  • The situation is analogous in the opposite direction, i.e. when sending the datagrams from the executive part EP to the control part CP. The datagrams sent by executive computer EC A for branch A to the control part CP carry both redundancy created by the executive computer EC A for branch A and redundancy created by executive computer EC B for branch B. The creation method and resulting redundancy of the executive computer EC A for branch A differ from those of the executive computer EC B for branch B. After receiving these datagrams, the control computer CC A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B. After successful inspection, the datagrams are sent to the control computer CC B for branch B over the internal data link IDLCC of the control computers. The control computer CC B for branch B also checks the identity and authenticity of these datagrams according to security algorithms, both for branch A and branch B. The datagrams sent by the executive computer EC B for branch B to the control part CP carry both redundancy created by the executive computer EC B for branch B and redundancy created by the executive computer EC A for branch A. The creation method and resulting redundancy of the executive computer EC B for branch B differ from those of the executive computer EC A for branch A. After receiving these datagrams, the control computer CC B for branch B checks their identity and authenticity according to security algorithms, both for branch A and branch B. After successful inspection, the datagrams are sent to the control computer CC A for branch A over the internal data link IDLCC of the control computers. The control computer CC A for branch A also checks the identity and authenticity of these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both control computer CC A for branch A and control computer CC B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both control computer CC B for branch B and control computer CC A for branch A have the datagram from branch A available.
  • It is possible to use one common medium for transmission since the creation method and subsequent redundancy for branch A and branch B are independent.
  • The fail-safe effect in the sense of CSN 34 2600 and the proposed EN 50 129 is achieved both by the use of the 2 of 2 system as a system with redundant safety and by a sufficiently timely detection of the "1st error," which cannot in and of itself cause an unsafe effect, though it could cause an unsafe effect in combination with another error. After the 1st error is detected, a vital reaction follows, which demonstrably prevents the occurrence or manifestation of other failures. The detection of the 1st error and the vital reaction demonstrably occur in a time shorter than that in which the occurrence of a 2nd error (which could, in combination with the 1st error, cause an unsafe effect) can be expected with the prescribed probability. In order to ensure the vital effect, executive computer EC A for branch A is also equipped with different software from the executive computer EC B for branch B, though the software of both the executive computer EC A for branch A and executive computer EC B for branch B is processed according to a joint assignment.
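The datagram exchange described above, from the executive part to the control part, as an added Python example that is not part of the patent. The patent names neither algorithms nor a datagram layout, so the two creation methods (truncated HMAC-SHA-256 for branch A, keyed BLAKE2b for branch B), the keys, the one-byte branch field and all function and class names are assumptions.

```python
import hashlib
import hmac

# Constructed demo keys: the patent names neither keys nor algorithms.
KEY_A = b"constructed-demo-key-branch-A"
KEY_B = b"constructed-demo-key-branch-B"
TAG_LEN = 8  # bytes of redundancy per branch (assumed)


def redundancy_a(body: bytes) -> bytes:
    """Branch A creation method (assumed): truncated HMAC-SHA-256."""
    return hmac.new(KEY_A, body, hashlib.sha256).digest()[:TAG_LEN]


def redundancy_b(body: bytes) -> bytes:
    """Branch B creation method (assumed): keyed BLAKE2b, a different construction."""
    return hashlib.blake2b(body, key=KEY_B, digest_size=TAG_LEN).digest()


def build_datagram(branch: str, payload: bytes) -> bytes:
    """Datagram sent by the executive computer of `branch`: body plus both redundancies."""
    body = branch.encode("ascii") + payload
    return body + redundancy_a(body) + redundancy_b(body)


def check_datagram(datagram: bytes):
    """Return (branch, payload) if both redundancies verify, else None."""
    if len(datagram) < 1 + 2 * TAG_LEN:
        return None
    body = datagram[:-2 * TAG_LEN]
    tag_a = datagram[-2 * TAG_LEN:-TAG_LEN]
    tag_b = datagram[-TAG_LEN:]
    ok_a = hmac.compare_digest(tag_a, redundancy_a(body))
    ok_b = hmac.compare_digest(tag_b, redundancy_b(body))
    if not (ok_a and ok_b):
        return None
    branch = body[:1].decode("ascii", errors="replace")
    return (branch, body[1:]) if branch in ("A", "B") else None


class ControlComputer:
    """Models CC A or CC B of the control part CP."""

    def __init__(self, branch: str):
        self.branch = branch
        self.peer = None
        self.available = {}  # source branch -> accepted payload
        self.rejected = 0    # datagrams that failed inspection

    def _inspect(self, datagram: bytes, expected_branch: str) -> bool:
        # Authenticity: both redundancies. Identity: the claimed source branch.
        parsed = check_datagram(datagram)
        if parsed is None or parsed[0] != expected_branch:
            self.rejected += 1
            return False
        self.available[parsed[0]] = parsed[1]
        return True

    def receive_external(self, datagram: bytes) -> bool:
        """Datagram from this branch's executive computer; relayed only if it passes."""
        if not self._inspect(datagram, self.branch):
            return False
        return self.peer.receive_internal(datagram)

    def receive_internal(self, datagram: bytes) -> bool:
        """Datagram relayed over IDLCC by the other control computer; checked again."""
        return self._inspect(datagram, self.peer.branch)


def exchange(datagram_a: bytes, datagram_b: bytes):
    """One cycle: EC A's datagram reaches CC A, EC B's datagram reaches CC B."""
    cc_a, cc_b = ControlComputer("A"), ControlComputer("B")
    cc_a.peer, cc_b.peer = cc_b, cc_a
    cc_a.receive_external(datagram_a)
    cc_b.receive_external(datagram_b)
    return cc_a, cc_b


def flip_bit(datagram: bytes, index: int) -> bytes:
    """Simulate a transmission fault by flipping one bit."""
    damaged = bytearray(datagram)
    damaged[index] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    payload = b"LI=1011"  # constructed sample payload
    good_a, good_b = build_datagram("A", payload), build_datagram("B", payload)
    cc_a, cc_b = exchange(flip_bit(good_a, 3), good_b)
    print("CC A holds:", cc_a.available, "rejected:", cc_a.rejected)
    print("CC B holds:", cc_b.available, "rejected:", cc_b.rejected)
```

With the branch A datagram damaged, CC A rejects it and relays nothing, yet both control computers still hold the branch B datagram, which is the availability property the text states.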
  • Example 5 (Fig. 5)
  • The configuration of source S of the supply part SP of the executive device ED is illustrated in Fig. 5, from which it is evident that it is put together from the following basic parts: the source SA, source SB, measurement circuits MC, control circuits CONC and internal communication interface ICI.
  • The source SA generates as its output the voltage VA, meant for the supply of branch A of the control part CP of the executive device ED and branch A of the executive part EP of the executive device ED. The source SB generates voltage VB, meant for the supply of branch B of the control part CP of the executive device ED and branch A of the executive part EP of the executive device ED. The control circuits CONC are used to control the level of the voltage supply VA of source SA and to control the level of the voltage supply VB of source SB. The measurement circuits MC are used to measure the voltage and current of the source SA and to measure the voltage and current of the source SB. The internal communication interface ICI is used for the communication of the source S with the control part CP of the executive device ED.
  • The source SA and source SB are mutually independent and are supplied with supply voltage SV. The output circuits of sources SA and SB are supplemented with circuits to prevent back current for the purpose of allowing back-ups.
  • The backup of the supply part SP of the executive device ED is carried out as follows:
  • One of the most stressed parts of the executive device is its supply part SP. It is very advantageous to back up the supply part SP. The principle of backing up the supply part SP is based on one of the basic characteristics of the control part CP and executive part EP of the executive device ED, which consists in the extended tolerance of their voltages VA and VB, and is also based on the circuit design of the source S. Both of the source S's mutually independent sources SA and SB are capable of delivering an output at two voltage levels, i.e. the basic voltage or decreased voltage, on the basis of the activities of the control circuits. These two possible voltage levels are in the range of the voltages VA and VB of the control part CP and executive part EP of the executive device ED.
  • In the back-up mode of the supply part SP of the executive device ED (Fig. 2) one source S (i.e. both of its sources SA and SB) works with the basic voltage VA and VB, and the second source S 1 (i.e. both of its sources SA and SB) works with the decreased voltage VA and VB. The control part CP of the executive device ED obtains information on the current load of source S and stand-by source S 1 through the measurement circuits MC of the source S and stand-by source S 1 and the internal communications interface ICI of the source S and stand-by source S 1. In this state the supply is provided by the source S, since its voltages VA and VB are higher than the voltages of the stand-by source S 1. The output current of source S, and thus of its partial sources SA and SB, is not zero and the output current of the stand-by source S 1, and thus of both of its partial sources SA 1 and SB 1, is zero or close to zero. In the case of a failure of the active source S the stand-by source S 1 ensures the supply of energy and the current delivered to it is increased. In such a situation the control part CP of the executive device ED issues a command through the internal data interface ICI A or ICI B, the internal data link IDL A or IDL B and internal communication interface ICI of the source to the control circuits of the stand-by source S 1 to switch from the decreased output level of voltage VA and VB to the basic output level of voltage VA and VB. The information on the failure of source S is recorded in the diagnostic computer DC of the control part of the executive device ED. The aforementioned solution enables the stand-by mode to be mutually alternated on both sources of the backed-up supply part SP of the executive device over time, thereby uncovering a failure of source S 1, which is in stand-by mode.
  • Example 6 (Fig. 6)
  • The alternative configuration for the electronic interlocking equipment pursuant to Fig. 6 differs from the first example configuration pursuant to Fig. 1 in that the commanding level for the signalling equipment COML is connected to a watch remote commanding level RCL so that the bridge B for the watch part is connected by a data link to the vital data network's hub HUB, another data link with the vital data network's stand-by hub HUB 1 and another data link with the supervision system SS.
  • This configuration is used for the remote control and management of traffic.
  • The connection of bridge B via a data link to the vital data network's stand-by hub HUB 1 takes place unless the stand-by connection of the remote command level RCL is requested.
  • Example 7 (Fig. 7)
  • The alternative configuration of the electronic interlocking equipment with a remote executive device pursuant to Fig. 7 differs from the 1st example configuration pursuant to Fig. 1 in that a communication level CL comprised of communication equipment CE is inserted between the control level CONL and the executive level EL. The vital computer VC A and stand-by vital computer VC A1 for branch A are connected by an external data link EDL A for branch A to the communication equipment CE of the communication level CL. The vital computer VC A and stand-by vital computer VC A1 are connected by an external data link EDL A for branch A to the communication equipment CE of the communication level CL. The communication equipment CE of the communication level CL is connected both by another external data link EDL A ' for branch A and another external data link EDL B ' for branch B to the executive device ED of the executive level EL. This alternative configuration is used in the event when it is necessary to withdraw the executive level EL or its part from the control level CONL.
  • Example 8 (Fig. 8)
  • Fig. 8 displays an alternative configuration of the executive component EC designated as SII, which is meant for reading input logical information. This specific alternative configuration with the designation SII contains the first function part FP1, connected to the seventh function part FP7. The first function part FP1 and seventh function part FP7 are described in detail in configuration example 4.
  • Fig. 8 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2, third function part FP3, fourth function part FP4, fifth function part FP5, sixth function part FP6, eighth function part FP8 and ninth function part FP9.
  • Example 9 (Fig. 9)
  • Fig. 9 displays an alternative configuration of the executive component EC designated as SCI, which is meant for issuing vital contact commands. This specific alternative configuration with the designation SCI contains the first function part FP1 and second function part FP2, both described in more detail in configuration example 4. Fig. 9 differs from the 4th configuration example in that it does not contain the third function part FP3 and the other function parts, from the fourth function part FP4 to the ninth function part FP9.
  • Example 10 (Fig. 10)
  • Fig. 10 displays an alternative configuration of the executive component EC designated as SOI, which is meant for issuing vital and non-vital logical commands. This other specific alternative configuration represents a combination of the first function part FP1, third function part FP3 and sixth function part FP6, all described in more detail in configuration example 4.
  • Fig. 10 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2, fourth function part FP4, fifth function part FP5, and other seventh function part FP7 to ninth function part FP9.
  • Example 11 (Fig. 11)
  • Fig. 11 displays an alternative configuration of the executive component EC designated as TCI, which is meant for determining the occupancy of the track circuits, switching the track circuit equipment and generating the frequency for additional coding. This alternative configuration with the designation TCI contains the first function part FP1 in combination with the third function part FP3, fourth function part FP4 and seventh function part FP7.
  • Fig. 11 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2, fifth function part FP5, sixth function part FP6, eighth function part FP8 and ninth function part FP9.
  • Example 12 (Fig. 12)
  • Fig. 12 displays an alternative configuration of the executive component EC designated as SLI, which is used for controlling signal or point machine lights. The alternative configuration under the designation SLI contains the first function part FP1 in combination with the fifth function part FP5 and eighth function part FP8.
  • Fig. 11 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2 to fourth function part FP4, sixth function part FP6, seventh function part FP7 and ninth function part FP9.
  • Example 13 (Fig. 13)
  • Fig. 13 displays an alternative configuration of the executive component EC designated as SDI, which is used for vital communication and the control of the interlocking equipment, such as the crossing control stations, axle counters, etc. The alternative configuration under the designation SDI contains the first function part FP1 connected to the ninth function part FP9.
  • Fig. 13 differs from the 4th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2 to eighth function part FP8.
  • The specified configurations are example configurations and their scope is not comprehensive. Other example configurations and their combinations are possible within the framework of the patent claims of this invention.
  • Industrial Applicability
  • The solution is meant for controlling adjacent equipment, e.g. signal equipment, points, level crossings, axle counters, track circuits, etc., which contribute to ensuring the traffic routes for railway vehicles.
  • List of Abbreviations
  • ACC - Active Commanding Computer
    AI - Analogue Input
    AOC1 - 1st Arrangement AOC1 for Operating Computers
    AOC2 - 2nd Arrangement AOC2 for Operating Computers
    B - Bridge
    CC - Control Computer
    CC1 - Stand-By Control Computer
    CCA - Control Computer CCA for Branch A
    CCB - Control Computer CCB for Branch B
    CE - Communication Equipment
    CL - Communication Level
    COML - Commanding Level COML
    CONC - Control Circuits
    CONL - Control Level
    CP - Control Part
    DC - Diagnostic Computer
    EC - Executive Component
    ECA - Executive Computer ECA for Branch A
    ECB - Executive Computer ECB for Branch B
    ECIA - External Communication Interface ECIA for Branch A
    ECIB - External Communication Interface ECIB for Branch B
    ED - Executive Device
    EDLA - External Data Link EDLA for Branch A
    EDLB - External Data Link EDLB for Branch B
    EDL'A - External Data Link EDL'A for Branch A
    EDL'B - External Data Link EDL'B for Branch B
    EL - Executive Level
    EP - Executive Part
    FP1 - First Function Part
    FP2 - Second Function Part
    FP3 - Third Function Part
    FP4 - Fourth Function Part
    FP5 - Fifth Function Part
    FP6 - Sixth Function Part
    FP7 - Seventh Function Part
    FP8 - Eighth Function Part
    FP9 - Ninth Function Part
    HUB - Hub
    HUB1 - Stand-By Hub
    ICI - Internal Communication Interface
    ICIA - Internal Communication Interface ICIA for Branch A
    ICIB - Internal Communication Interface ICIB for Branch B
    IDLA - Internal Data Link IDLA for Branch A
    IDLB - Internal Data Link IDLB for Branch B
    IDLCC - Internal Data Link IDLCC Control Computer
    IDLCL - Internal Data Link IDLCL Control Level
    IDLCLA - Internal Data Link IDLCLA Control Level for Branch A
    IDLCLB - Internal Data Link IDLCLB for Control Level for Branch B
    IDLCL1 - Stand-By Internal Data Link IDLCL1 Control Level
    IDLEC - Internal Data Link IDLEC Executive Computer
    IDLCP - Internal Data Link IDLCP Control Part
    LI - Logical Input
    MC - Measurement Circuits
    NO - Non-Vital Output
    PCC - Passive Commanding Computer
    RCL - Remote Commanding Level
    S - Source for Supply Part
    S1 - Stand-By Source for Supply Part
    SA - Source SA for Branch A
    SB - Source SB for Branch B
    SCI - Safety Contact Interface
    SDI - Safety Data Interface
    SII - Safety Input Interface
    SLI - Signal Light Interface
    SOI - Safety Output Interface
    SP - Supply Part for Executive Device
    SS - Supervision System
    SV - Supply Voltage
    TCI - Track Circuit Interface Element
    VA - Voltage VA for Branch A
    VAO - Vital Analogue Outputs
    VB - Voltage VB for Branch B
    VCA - Vital Computer VCA for Branch A
    VCB - Vital Computer VCB for Branch B
    VCA1 - Stand-By Vital Computer VCA1 for Branch A
    VCB1 - Stand-By Vital Computer VCB1 for Branch B
    VCLO - Vital Coded Logical Outputs
    VCO - Vital Contact Outputs
    VCO - Vital Interface
    VLO - Vital Logical Outputs
    VS - Vital Source
    WI - Watch Interface
    WVAOA - Watch WVAOA Vital Analogue Outputs for Branch A
    WVAOB - Watch WVAOB Vital Analogue Outputs for Branch B
    WVCOA - Watch WVCOA Vital Contact Outputs for Branch A
    WVCOB - Watch WVCOB Vital Contact Outputs for Branch B
    WVCLOA - Watch WVCLOA Vital Coded Logical Outputs for Branch A
    WVCLOB - Watch WVCLOB Vital Coded Logical Outputs for Branch B
    WVLOA - Watch WVLOA Vital Logical Outputs for Branch A
    WVLOB - Watch WVLOB Vital Logical Outputs for Branch B

Claims (19)

  1. An electronic railway interlocking equipment system comprising three essential levels, being the commanding level (COML), control level (CONL), and executive level (EL), where the commanding level (COML) is comprised for at least one arrangement (AOC1, AOC2) for operating computers, which contain an active commanding computer (ACC) and no or at least one passive commanding computer (PCC) for displaying only non-vital information, which each arrangement (AOC1, AOC2) for operating computers is data connected to the control level (CONL) through hubs (HUB, HUB1) connected to vital computers (VCA, VCB) for the respective branch A, B for creating a vital core for the control level (CONL), and for increasing the availability for the electronic interlocking equipment system the control level (CONL) contains other stand-by vital computers (VCA1,VCB1) for the respective branch A, B while the executive level (EL) is comprised for at least one executive device (ED), wherein
    - the control level (CONL) contains mutually data connected hubs (HUB, HUB1), which are data directly connected to the commanding level (COML) through their arrangements (AOC1, AOC2) of the active commanding computers (ACC) and also to the executive level (EL) through data connected technologic vital computers (VCA, VCB) and data connected stand-by vital computers (VCA1, VCB1) for the respective branch A, B, while
    - the control level (CONL) is connected to the executive level (EL) by at least one external data link (EDLA, EDLB) for the respective branches A, B, characterised in that,
    - the executive level (EL) containing at least one executive device (ED), each executive device (ED) has the three basic parts,
    the control part (CP) with at least one control computer (CC),
    the executive part (EP) with at least one executive component (EC) and
    the supply part (SP) with at least one source (S),
    which are mutually data connected by at least one internal data link (IDLA, IDLB) for the respective branches A, B of the executive device (ED), whereas
    - the control level (CONL) comprising of four vital technology computers (VCA, VCB, VCA1, VCB1), that are mutually connected to two networks, being the vital data network and the control network, where
    - the first vital data network of control level (CONL) includes the direct data connection of vital computers (VCA, VCB) for branches A, B with the hub (HUB) of vital data network,
    - the second vital data network of control level (CONL) includes the direct data connection of vital computers (VCA1, VCB1) for branches A, B with stand-by hub (HUB1) of vital data network,
    - the first control network of control level (CONL) includes the direct data connection of vital computers (VCA) for branch A with stand-by vital computers (VCA1), through internal data link (IDCLA) of control level (CONL) for branch A,
    - the second control network of control level (CONL) includes the direct data connection of vital computers (VCB) for branch B with stand-by vital computers (VCB), through internal data link (IDCLB) of control level (CONL) for branch B.
  2. The electronic railway interlocking equipment system of claim 1, is characterised in that, the control level (CONL) has the following direct two-way data links
    - each vital computer (VCA) for branch A with the vital computer (VCB) for branch B by an internal data link (IDLCL), and also with the branch A stand-by vital computer (VCA1) by an internal data link (IDCLA) for branch A;
    - each vital computer (VCB) for branch B with the vital computer (VCA) for branch A by an internal data link (IDCL), and also with the branch B stand-by vital computer (VCB1) by an internal data link (IDCLB) for the branch B;
    - each stand-by vital computer (VCA1) for branch A with the branch A vital computer (VCA) by an internal data link (IDCLA), and also with the stand-by vital computer (VCB1) by a stand-by internal data link (IDC1), for the branch B;
    - each stand-by vital computer (VCB1) for branch B with the vital computer (VCB) by an internal data link (IDCLB) for branch B, and also with the stand-by vital computer (VCA1) by a stand-by internal data link (MCL1) for branch A.
  3. The electronic railway interlocking equipment system of claim 1, is characterised in that,
    - the vital computer (VCA) for branch A and stand-by vital computer (VCA1) for branch A are directly connected by an external data link (EDLA) for branch A to the executive device (ED) for the executive level (EL) and
    - the vital computer (VCB) for branch B and stand-by vital computer (VCB1) for branch B are directly connected by an external data link (EDLB) for branch B to the executive device (ED) of the executive level (EL).
  4. The electronic railway interlocking equipment system of claim 1, is characterised in that, the control computer (CC) for the control part (CP) is connected with at least one standby control computer (CC1), and also with at least one internal data link (IDLA, IDLB) for branch A, B, and also with at least one internal data link (IDLCP) control parts.
  5. The electronic railway interlocking equipment system of claim 5, is characterised in that, each executive component (EC) for the executive part (EP) is connected through at least one data link (IDLA, IDLB) to the control computer (CC), or to at least one stand-by control computer (CC1).
  6. The electronic railway interlocking equipment system of claim 1, is characterised in that, each source (S) for the supply part (SP) is connected by at least one internal data link (IDLA, IDLB) to the control computer (CC), or to at least one stand-by control computer (CC1).
  7. The electronic railway interlocking equipment system of claim 1, is characterised in that,
    - the control computer (CC) is comprised for two control computers (CCA, CCB), which are mutually connected by an internal data link (IDLCC) control computers, where
    - the control computer (CCA) for branch A is connected both ways to an external communication interface (ECIA) for branch A, to an internal communication interface (ICIA) for branch A and it is also connected to a vital source (VS) and to a watch interface (WI) connected to an internal data link (IDLCP) control part (CP) for the executive device (ED) and
    - the control computer (CCB) for branch B is connected both ways to an external communication interface (ECIB) for branch B, to an internal communication interface (ICIB) for branch B, and it is also connected to a vital source (VS) and to a watch interface (WI), connected to an internal data link (IDLCP) control part (CP) for the executive device (ED),
    - while the vital source (VS) is connected by the watch interface (WI) and to all four interfaces (ECIA, ECIB, ICIA, ICIB), connected to the data links (EDLA, EDLB, IDLA, IDLB), and eventually
    - the control computer (CCA) for branch A and control computer (CCB) for branch B are connected to the diagnostic computer (DC).
  8. The electronic railway interlocking equipment system of claim 1, is characterised in that,
    - the executive component (EC) contains the first function part (FP1) connected with at least one other function part (FP1 - FP9), namely with the second function part (FP2), with the third function part (FP3), with the fourth function part (FP4), with the fifth function part (FP5), with the sixth function part (FP6), with the seventh function part (FP7), with the eighth function part (FP8) and with the ninth function part (FP9), always through the executive computer (ECA) for branch A and executive computer (ECB) for branch B, or additionally through a vital source (VS),
    - while the first function part (FP1) is comprised for two executive computers (ECA, ECB), which are mutually connected by an internal data link (IDLEC) executive computers,
    - while the executive computer (ECA) for branch A is connected in both directions with the internal communication interface (ICIA) for branch A, and is also connected to the vital source (VS),
    - and the executive computer (ECB) for branch B is connected in both directions with the internal communication interface (ICIB) for branch B and is also connected to the vital source (VS),
    - while the vital source (VS) is connected to the two internal communication interfaces (ICIA, ICIB) connected to the internal data links (IDLA, IDLB) for the executive device (ED).
  9. The electronic railway interlocking equipment system of claim 8, is characterised in that,
    - the second function part (FP2) comprises for the vital contact outputs (VCO), the watch (WVCOA) vital contact outputs for branch A and the watches (WVCOB) vital contact outputs for branch B,
    - where the vital contact outputs (VCO) are connected with the watches (WVCOA, WVCOB) vital contact outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (ECA, ECB) for the respective branches A,B,
    - while the watches (WVCOA, WVCOB) vital contact outputs for the respective branches (A, B) are also connected with the executive computers (ECA, ECB) for the respective branches A, B.
  10. The electronic railway interlocking equipment system of claim 8 is characterised in that,
    - the third function part (FP3) comprises for the vital logical outputs (VLO), the watches (WVLOA) vital logical outputs for branch A and the watches (WVLOB) vital logical outputs for branch B,
    - where the vital logical outputs (VLO) are connected with the watches (WVLOA, WVLOB) vital logical outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (ECA, ECB) for the respective branches A, B,
    - while the watches (WVLOA, WVLOB) vital logical outputs for the respective branches (A, B) are also connected with the executive computers (ECA, ECB) for the respective branches A, B.
  11. The electronic railway interlocking equipment system of claim 8, is characterised in that,
    - the fourth function part (FP4) is comprised for vital coded logical outputs (VCLO), the watches (WVCLOA) vital coded logical outputs for branch A and the watches (WVCLOB) vital coded logical outputs for branch B.
    - where the vital coded logical outputs (VCLO) are connected with the watches (WVLOA, WVLOB) vital coded logical outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (ECA and ECB) for the respective branches A, B,
    - while the watches (WVCLOA, WVCLOB) vital coded logical outputs for the respective branches A, B are also connected with the executive computers (ECA, ECB) for the respective branches A, B.
  12. The electronic railway interlocking equipment system of claim 8, is characterised in that,
    - the fifth function part (FP5) is comprised for vital analogue outputs (VAO), the watches (WVAOA) vital analogue outputs for branch A and the watches (WVAOB) vital analogue outputs for branch B
    - where the vital analogue outputs (VAO) are connected with the watches (WVAOA, WVAOB) vital analogue outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (ECA and ECB) for the respective branches A, B,
    - while the watches (WVAOA, WVAOB) vital analogue outputs for the respective branches A, B are also connected with the executive computers (ECA, ECB) for the respective branches A, B.
  13. The electronic railway interlocking equipment system of claim 8, is characterised in that, the sixth function part (FP6) is comprised for non-vital outputs (NO), which are connected with the executive computers (ECA and ECB) for the respective branches A, B.
  14. The electronic railway interlocking equipment system of claim 8, is characterised in that, the seventh function part (FP7) is comprised for logical inputs (LI), which are connected with the executive computers (ECA and ECB) for the respective branches A, B.
  15. The electronic railway interlocking equipment system of claim 8, is characterised in that, the eighth function part (FP8) is comprised for analogue inputs (AI), which are connected with the executive computers (ECA and ECB) for the respective branches A, B.
  16. The electronic railway interlocking equipment system of claim 8, is characterised in that, the ninth function part (FP9) is comprised for the vital data interface (VD1), which is connected to the vital source (VS) and also to the executive computers (ECA and ECB) for the respective branch A, B.
  17. The electronic railway interlocking equipment system of claim 1, is characterised in that,
    - the source (S) is comprised for two sources, namely for the source (SA) for the supply for branch A for the control part (CP) and executive part (EP), and also for the source (SB) for the supply for branch B for the control part (CP) and executive part (EP),
    - where both sources (SA, SB) are connected with the control circuits (CONC) and measurement circuits (MC) and
    - while the control circuits (CONC) and measurement circuits (MC) are connected with an internal communication interface (ICI), connected to at least one internal data link (IDLA, IDLB) for the executive device (ED).
  18. The electronic railway interlocking equipment system of claim 1, is characterised in that,
    - at least one supervision remote control level (RCL), comprised for a bridge (B) and supervision system (SS) is connected to the control level (CONL),
    - while the bridge (B) is connected both to a hub (HUB) and to the control level's (CONL) stand-by hub (HUB1).
  19. The electronic railway interlocking equipment system of claim 1, is characterised in that,
    - a communication level (CL), comprised for communication equipment (CE), is inserted between the control level (CONL) and the executive level (EL),
    - while the communication level (CL) is connected both to the control level (CONL) by at least one external data link (EDLA, EDLB), as well as to the executive level (EL) by at least one external data link (EDL'A, EDL'B).
EP08734294A 2007-03-26 2008-03-26 Electronic railway interlocking equipment system Active EP2139745B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CZ20070224A CZ2007224A3 (en) 2007-03-26 2007-03-26 Electronic system of railway interlocked installation
PCT/CZ2008/000035 WO2008116429A1 (en) 2007-03-26 2008-03-26 Electronic railway interlocking equipment system

Publications (2)

Publication Number Publication Date
EP2139745A1 EP2139745A1 (en) 2010-01-06
EP2139745B1 true EP2139745B1 (en) 2011-02-02

Family

ID=39673355

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08734294A Active EP2139745B1 (en) 2007-03-26 2008-03-26 Electronic railway interlocking equipment system

Country Status (5)

Country Link
EP (1) EP2139745B1 (en)
AT (1) ATE497462T1 (en)
CZ (1) CZ2007224A3 (en)
DE (1) DE602008004830D1 (en)
WO (1) WO2008116429A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3947102A4 (en) * 2019-03-29 2023-01-11 L & T Technology Services Limited System for setting up communication between a signal equipment room (ser) and wayside devices

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8515697B2 (en) 2010-05-06 2013-08-20 Ansaldo Sts Usa, Inc. Apparatus and method for vital signal state detection in overlay rail signal monitoring
CN104914816A (en) * 2015-04-16 2015-09-16 潘小胜 LINUX platform-based railway interlocking cabinet group automation control device
JP6435256B2 (en) * 2015-12-03 2018-12-05 株式会社日立製作所 Railway security system
DE102016225424A1 (en) * 2016-12-19 2018-06-21 Siemens Aktiengesellschaft Railway system and method for its operation
CN108306989B (en) * 2018-04-20 2020-02-14 北京全路通信信号研究设计院集团有限公司 Main and standby machine data synchronization method for railway dispatching centralized system
CN111010258B (en) * 2019-12-23 2022-01-28 卡斯柯信号有限公司 Computer interlocking system communication method based on coding

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6556898B2 (en) * 2001-05-18 2003-04-29 Bombardier Transportation Gmbh Distributed track network control system
ITSV20020009A1 (en) * 2002-02-22 2003-08-22 Alstom Transp Spa METHOD FOR THE GENERATION OF LOGICAL CONTROL UNITS OF THE VITAL COMPUTER STATION EQUIPMENT, THAT IS IN THE CENTRAL CONTROL UNITS
CZ2003601A3 (en) * 2003-02-28 2004-06-16 AŽD Praha s.r.o. Electronic alarm device

Also Published As

Publication number Publication date
DE602008004830D1 (en) 2011-03-17
CZ2007224A3 (en) 2009-02-11
WO2008116429A1 (en) 2008-10-02
ATE497462T1 (en) 2011-02-15
EP2139745A1 (en) 2010-01-06

Similar Documents

Publication Publication Date Title
EP2139745B1 (en) Electronic railway interlocking equipment system
CN110361979B (en) Safety computer platform in railway signal field
CN102238231B (en) CTCS (China train contrl system)-3 level radio blocking center device and system
Song et al. A STAMP analysis on the China-Yongwen railway accident
CN101592948B (en) Regional computer interlocking control method with local control
CN110758489A (en) Automatic protection system of train
CN101700783A (en) Train control center system platform
CN101643074A (en) Hot-standby system for primary and standby control center
CN111831507A (en) TCMS-RIOM control unit with safety level design
CN201415689Y (en) Hot-standby system structure of active standby control center
CN209879319U (en) Data acquisition and transmission system in smoke on-line continuous monitoring process
EP3817961A1 (en) Method for securely exchanging and for securely displaying status data of safety-related components
EP3713127B1 (en) Method and apparatus for hot backup of master control unit, and computer storage medium
EP2990296B1 (en) A decommissioning system for decommissioning a railway track section, as well as interface means for connecting a decommissioning system to a train safety system of the railway track
CN107959586A (en) A kind of ship end Integrated navigation system network architecture based on cloud platform
Wang High-speed railway train operation control system
CN102981777B (en) A kind of control method of data access and system
EP3598701B1 (en) Method and system for processing critical logic state
CN109677454B (en) State monitoring method for safety computer platform in urban rail transit signal system
CN217305726U (en) Hot standby safety module, local control device and electrical control system
CN202879526U (en) Fault handling device of cab signal loop line code sending box
Kunifuji et al. A proposal of autonomous online expansion technology for real-time system and its application to railway signalling system
JPH04259042A (en) Train operation control system
Cseh et al. Fall-Back Mode Operation on Remotely Controlled Railway Lines
Stover CITYFLO 650 system overview

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20091026

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: RS

RIN1 Information on inventor provided before grant (corrected)

Inventor name: DOUBEK, PAVEL

Inventor name: VLCEK, MILOSLAV

Inventor name: MACHACEK, LUBOMIR

Inventor name: FUCHS, PAVEL

Inventor name: KIML, ALES

Inventor name: JELINEK, PETR

Inventor name: TEPLY, JIRI

Inventor name: BURDA, MARTIN

Inventor name: VEVERKOVA, ZDENKA

Inventor name: MARTINEC, JOSEF

RAX Requested extension states of the european patent have changed

Extension state: RS

Payment date: 20091021

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: RS

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REF Corresponds to:

Ref document number: 602008004830

Country of ref document: DE

Date of ref document: 20110317

Kind code of ref document: P

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602008004830

Country of ref document: DE

Effective date: 20110317

REG Reference to a national code

Ref country code: NL

Ref legal event code: VDEP

Effective date: 20110202

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110513

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110503

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110502

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110602

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110602

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

REG Reference to a national code

Ref country code: SK

Ref legal event code: T3

Ref document number: E 9319

Country of ref document: SK

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110502

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110331

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20111130

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

26N No opposition filed

Effective date: 20111103

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110404

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20111001

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110326

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 602008004830

Country of ref document: DE

Effective date: 20111001

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20120326

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120326

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120331

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20120331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110326

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20110202

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: LT

Payment date: 20230127

Year of fee payment: 16

Ref country code: CZ

Payment date: 20230316

Year of fee payment: 16

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230523

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: LT

Payment date: 20240305

Year of fee payment: 17

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: CZ

Payment date: 20240229

Year of fee payment: 17

Ref country code: SK

Payment date: 20240301

Year of fee payment: 17