EP2643198A1 - Verfahren zur sicherung eines steuersystems eines neukonfigurierbaren fahrzeugs aus mehreren einheiten sowie gesichertes steuersystem - Google Patents
Verfahren zur sicherung eines steuersystems eines neukonfigurierbaren fahrzeugs aus mehreren einheiten sowie gesichertes steuersystemInfo
- Publication number
- EP2643198A1 EP2643198A1 EP11757325.3A EP11757325A EP2643198A1 EP 2643198 A1 EP2643198 A1 EP 2643198A1 EP 11757325 A EP11757325 A EP 11757325A EP 2643198 A1 EP2643198 A1 EP 2643198A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- unit
- computer
- identity
- unit vehicle
- vehicle
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 31
- 239000000203 mixture Substances 0.000 claims abstract description 125
- 230000002596 correlated effect Effects 0.000 claims abstract description 8
- 230000008878 coupling Effects 0.000 claims description 29
- 238000010168 coupling process Methods 0.000 claims description 29
- 238000005859 coupling reaction Methods 0.000 claims description 29
- 230000005540 biological transmission Effects 0.000 claims description 13
- 230000007246 mechanism Effects 0.000 claims description 11
- 238000012913 prioritisation Methods 0.000 claims description 8
- 230000001276 controlling effect Effects 0.000 claims description 5
- 125000004122 cyclic group Chemical group 0.000 claims description 5
- 238000005538 encapsulation Methods 0.000 claims description 3
- 230000010287 polarization Effects 0.000 claims description 2
- 238000012795 verification Methods 0.000 claims description 2
- 239000003981 vehicle Substances 0.000 description 274
- 238000012790 confirmation Methods 0.000 description 21
- 230000008859 change Effects 0.000 description 9
- 238000001514 detection method Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 6
- 241000347881 Kadua laxiflora Species 0.000 description 5
- 101000879675 Streptomyces lavendulae Subtilisin inhibitor-like protein 4 Proteins 0.000 description 5
- 238000013475 authorization Methods 0.000 description 4
- 230000015572 biosynthetic process Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 4
- 238000005755 formation reaction Methods 0.000 description 4
- 230000004044 response Effects 0.000 description 4
- 230000004913 activation Effects 0.000 description 3
- 230000009467 reduction Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 229910052729 chemical element Inorganic materials 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000009987 spinning Methods 0.000 description 2
- 230000002123 temporal effect Effects 0.000 description 2
- YSGQGNQWBLYHPE-CFUSNLFHSA-N (7r,8r,9s,10r,13s,14s,17s)-17-hydroxy-7,13-dimethyl-2,6,7,8,9,10,11,12,14,15,16,17-dodecahydro-1h-cyclopenta[a]phenanthren-3-one Chemical compound C1C[C@]2(C)[C@@H](O)CC[C@H]2[C@@H]2[C@H](C)CC3=CC(=O)CC[C@@H]3[C@H]21 YSGQGNQWBLYHPE-CFUSNLFHSA-N 0.000 description 1
- 235000001418 Echinochloa stagnina Nutrition 0.000 description 1
- 240000001327 Echinochloa stagnina Species 0.000 description 1
- 101000836873 Homo sapiens Nucleotide exchange factor SIL1 Proteins 0.000 description 1
- 235000001797 Lavandula macra Nutrition 0.000 description 1
- 235000001803 Lavandula setifera Nutrition 0.000 description 1
- 102100027096 Nucleotide exchange factor SIL1 Human genes 0.000 description 1
- 101000880156 Streptomyces cacaoi Subtilisin inhibitor-like protein 1 Proteins 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 244000309466 calf Species 0.000 description 1
- 230000009089 cytolysis Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000010304 firing Methods 0.000 description 1
- 230000003137 locomotive effect Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 239000013643 reference control Substances 0.000 description 1
- 238000011282 treatment Methods 0.000 description 1
- 238000010977 unit operation Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L15/00—Indicators provided on the vehicle or train for signalling purposes
- B61L15/0072—On-board train data handling
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L15/00—Indicators provided on the vehicle or train for signalling purposes
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L15/00—Indicators provided on the vehicle or train for signalling purposes
- B61L15/0018—Communication with or on the vehicle or train
- B61L15/0036—Conductor-based, e.g. using CAN-Bus, train-line or optical fibres
Definitions
- the present invention relates to a method of securing a steering system of a multi-unit vehicle and a sys tem ⁇ safety control of said multi-unit vehicle, according to the preambles of claims 1 and 7.
- the present invention relates to the field of multi-unit reconfigurable vehicles, ie able to be composed of several units and whose configuration or composition of said units of said multi-unit vehicle is variable, or in other words likely to be modified or re ⁇ configured.
- the present invention relates to multi-unit vehicles whose operation of a control system, in particular automatic, is correlated to the composition of the multi-unit vehicle.
- Said multi-unit vehicle belongs especially to do ⁇ maine rail.
- a train can be formed of several units, e.g. several motorcyc ⁇ res and / or locomotives coupled or coupled to each other and successively forming a first train of said train.
- the composition of said train, and therefore of said first train can then vary, e.g. by scindage or coupling said first string to form a second train compo ⁇ EDC to at least part of the units of said first train, which can be hitched to other units.
- composition of a multi-unit vehicle can vary according to a change of a disposition or a distribution of said units forming said multi-unit vehicle, as well as by addition, and / or respectively withdrawal, of at least one audit unit, and / or respectively said multi-unit vehicle.
- composition data from said multi-unit vehicle eg the number of units the component, the characteristics of said units, the relations between these units, their coupling or coupling to one or two other units, are known pilo ⁇ stage system for driving said multi-unit vehicle.
- This control system generally comprises a computer connected to the I / O modules for a particular acqui ⁇ sition and a transmission operation of data ⁇ rela tive to the steering of multi-unit vehicle.
- the computer is thus capable pilot, via inputs / outputs of modules, ⁇ the said multi-unit vehicle, in particular according to an automated that mode, or according to a manual mode wherein the control system, and thus the computer, is able to be controlled by a driver or control center.
- the operating data is in particular exchanged, via the input / output modules, between said computer and devices included in at least a part of the units com ⁇ posing said multi-unit vehicle to ensure its func ⁇ tioning.
- Said exchange of operating data can for example be implemented by means of a bidi ⁇ rectional connection between the computer and said devices via said input / output modules.
- the calculator and mo ⁇ dules / O are thus designed to enable and ensure the control of the multi-unit vehicle, or otherwise work correctly (move, stop, door openings, ...), based on the composition data of said multi-unit vehicle and on operating data ⁇ relating to control exchangeable with said disposi ⁇ tifs of at least a portion of said units.
- said composition data must be updated so that the control system, in particular its computer, is informed of said configuration change and is able to correlate the change composition of said multi-unit vehicle with a change of operating data relating pilo ⁇ tage.
- the computer may misinterpret the operating data of the units which have been uncoupled from the multi-unit vehicle.
- the driving system of the multi-unit vehicle must in particular be characterized by a high degree of functional safety in order to prevent any event that may affect said multi-unit vehicle or passengers or goods transported by said multi-unit vehicle.
- the safety of such control systems can be characterized by means of safety standards.
- IEC 61508 SIL challenge ⁇ nes (Security Integrity Level), that is to say the level of safety integrity that should have a system to ensure adequate protection against the risks that may arise during operation of said system.
- a SIL4 security system provides a risk reduction of between 10 8 to 10 9 in the continuous mode of operation, whereas for an SIL1 system, this reduction is between 10 5 to 10 6 only.
- control system computer knows exactly the composition and configuration of said multi-unit vehicle (for example, which units make up a train and according to what order of formation are they ordered, or in other words, in what order they are coupled or coupled) so that it can exchange with the units of multi-unit vehicle all the operating data necessary for piloting said vehi ⁇ multi-unit cule.
- the control system computer in the case of a change in the composition of a multi-unit vehicle, for example, when a train is divided into several parts, the control system computer must be promptly informed of said composition change by example in order to allow oneself to no longer take into account operating data of units that have been detached from the train during its splitting, and so as not to fall into a state of safety resulting in a warning of a center for monitoring a vehicle network multi-unit or even activation of a secu rity ⁇ formatting process, as an emergency braking of said multi-unit vehicle.
- steering systems whether in or ⁇ tomatiques manuals and safety (SIL 4), known to the art are essentially based on calculated ⁇ tors "closed" for which the perimeter / O is not reconfigurable, ie the computer is connected to a fixed set of I / O modules of in ⁇ Trees / outputs, these I / O fixedly connecting the computer devices to certain functional units managed by said computer, and thus not being reconfigu ⁇ rable when changing the configuration of the vehicle mul ⁇ ti-unit.
- functional device reference is made to any device interacting with the control system so as to enable said multi-unit vehicle to be piloted. This is for example of braking, opening doors, or devices for monitoring the moving ⁇ said multi-unit vehicle, etc.
- the management of a multi-unit vehicle generally implements several computers each managing a part of the multi-unit vehicle, each computer being connected to subscribers. trés / Outputs connecting them in a fixed manner to certain functional dis ⁇ positive or the unit it manages.
- the composition of the multi-unit vehicle is well known by overlapping information from each computer, the design of the steering system has the structuriavan ⁇ duty floor manage functions spread over the dif ⁇ ent calculators, including requiring algorithms synchronization of said computers, whose complexity aug ⁇ mente with the number of units constituting the multi-unit vehicle.
- composition or constitution of a multi-unit vehicle is thus generally deduced from cross-checks of several application information exchanged between the different computers of said vehicle.
- This information app ⁇ cant is information from other devices of the multi-unit vehicle not having all task for pre ⁇ Mière determining the composition of said multi-guided vehicle.
- This is, for example, the location data of the head and the tail of the multi-unit vehicle transmitted to the computer by on-board or ground locating devices, or the state of the equipment of the units, or multi-unit vehicles transmitted to the calculated ⁇ tor by an autopilot ground not embedded in said multi-unit vehicle.
- An object of the present invention is to propose a method of securing a system for driving a reconfigurable multi-unit vehicle and a secure control system that are simple, safe, reliable and efficient, capable of automatic updating and autonomous of a composition of the multi-unit vehicle, while having a security SIL4 ⁇ tion.
- the present invention aims to automatically determine and update the composition of the multi-unit vehicle, independently of application information, in order to safely guarantee the multi-unit vehicle control system.
- the present invention provides a steering system of a security method for fitting and control a vee ⁇ vehicle reconfigurable multi-unit comprising in particular at least two attelables units one after the other, said method being characterized in that it comprises: - an autonomous determination, and preferably cyclic and automatic, of a composition of the multi-unit vehicle by a device for determining the composition of said multi-unit vehicle correlated to a generation, preferably ⁇ by said determination device, a composition data of said multi-unit vehicle;
- the present invention also provides a secure, and preferably automatic, pilo ⁇ system for a reconfigurable multi-unit vehicle, comprising for example at least two towable units one after the other, ca ⁇ characterized in that said system comprises:
- a device for determining a composition of the multi-unit vehicle capable of determining autonomous manner the composition of the multi-unit vehicle and ⁇ gen erate a given composition correlatable to said compo sition ⁇ said multi-unit vehicle said determination being in particular autonomous in that it is independent of any application information;
- At least one computer comprising at least a security module
- said computer being designed to equip at least one unit of the multi-unit vehicle, each calculated ⁇ tor being connectable by means of at least one connection and via a network, of a part to a set of En- I / O module outputs / outputs intended to equip one or more units, and secondly to said device for determining the composition of the multi-unit vehicle, in order to exchange via each input / output module data unit operation and / or multi-unit vehicle, and to acquire said determining device, a composition of the ⁇ given said multi-unit vehicle, said network being in particular intended to permit communication between each identity generating device and each computer, between each computer and each input / output module, and between each computer between them;
- each computer may include a security module according to the invention.
- the method according to the invention is a formula ⁇ securing method, preferably automatically and particularly SIL4 securing, of a steering system of a multi-unit vehicle able to determine at any ⁇ ins as and reliably, the composition of the multi-unit vehicle, and to ensure, at all times, a coherence between the composition of the multi-unit vehicle and data func ⁇ steering system tioning of the multi-unit vehicle, the combination of at least one computer with said set of inputs / outputs correlated to said composition vee ⁇ vehicle multi-unit.
- the method according to the invention is characterized in particular by a cyclic check, in particular of random or fixed frequency, but in all cases a sufficiently frequent check (for example, at least one verification per time interval less than or equal to 100 milliseconds), particularly by means of the security module, a coherence between the connection of each element of said set of elements with said set of inputs / outputs and said composition data.
- the present invention is characterized in that said set of elements comprises or is a group of computers that can be distributed in each unit of said multi-unit vehicle.
- the steering system according to the invention preferably comprises said group of computers that can be composed of several identical cal ⁇ culados, each computer may in particular be distributed in a unit of the multi-unit vehicle, so that each unit is likely to be equipped by at least one computer.
- the sécurisa- tion module is in particular able to assign exclusively to connection to said set of trees In ⁇ / outputs, including at each entrance / exit of said ensem ⁇ ble / O, to a single computer of said group of computers, the other computers of said group of computers being excluded from said connection or in other words, prohibited access to said set of Inputs / Outputs.
- the method according to the invention may include a securing mechanism and prioritization of connecting at least one computer of said calculators tors group with said set of I / O capable of attri ⁇ exclusively to said computer said connection to said set of Inputs / Outputs.
- the elected computer ie having the exclusive access to the set of inputs / outputs is called the master computer.
- at least one other computer of said group calculator is in particular associable to the master computer as cal ⁇ culateur said redundant master computer.
- the control system according to the invention is particularly capable not only ⁇ to select a master computer from the calculator group but also to appoint a redundant computer of said computer group.
- the redundant computer is able to perform the same operations as the master computer, to acquire the same composition and operating data as the master computer for the purposes of verifying and securing the control system. In the event of failure of the master computer, the redundant computer is able to replace said master computer and to name a new redundant computer.
- said security and prioritization mechanism comprises a generation of an encoded association token able to lock said connection of at least one computer of said group of computers with said set of Inputs / Outputs, and a generation of a key déverrouil- spinning adapted to unlock said connection of at least one of said computers cal ⁇ culateur group with said set of inputs / outputs.
- at least one control system of the computer may in particular be equipped with a mo dule ⁇ securing ca- pable comprising a locking module for locking each computer connection with each of the Inputs / Outputs of said set of Inputs / Outputs.
- This locking module comprises in particular a combination ⁇ genera tor encoded token capable of generating, in particular cyclically, first said encoded combination token to lock each connection of said computer with each of the inputs / outputs of said set 'Inputs / Outputs, and secondly said unlocking key able to unlock ⁇ ler at least one connection of said computer with at least one of the inputs / outputs of said set of inputs / outputs.
- the method according to the invention is characterized in that said autonomous determination comprises a successive and ordered addition to a list, according to a composition order of said multi-unit vehicle, of at least one piece of identity data of each unit.
- said multi-unit vehicle fa ⁇ con that a sequence of the identity data comprised in said list is correlated to the order of com ⁇ units digit of said multi-unit vehicle, each identity data being specific to a single unit of the multi-unit vehicle, and said list being able to be encapsulated in said composition datum.
- the identity data includes at least a time data, a iden tifying ⁇ unit, constant coding and at least one identifier of an appliance of said unit.
- the steering system according to the in vention ⁇ is especially characterized in that its device for determining a composition of the multi-unit vehicle comprises at least an ID generation device, each generating device identity détermi ⁇ nation device being designed to equip a unit of the vehicle multi-unit, so that each unit can be equipped with a single identity Generator device, each identity generation device being capable of generating the identity of the unit it is intended to equip.
- the method according to the invention is thus characterized in particular by equipping each unit of said multi-unit vehicle with said identical identity generating device capable of generating said identity data for determining the composition.
- each unit of the multi-unit vehicle may comprise a device genera ⁇ identical identity, each identity Generator device being connectable or couplable to at least one other identification generating device, so as to form a chain of identity generation devices equipping cha ⁇ cun a unit of said multi-unit vehicle and coupled one after the other.
- said identity generation device which is on the one hand intended to allow the determination of a composition of the multi-unit vehicle comprising at least one unit, and secondly capable of equipping said control system. of said multi-unit vehicle, is characterized in that it comprises:
- an identity data generator able to gen erate ⁇ said identity data of the unit that the Identity Generator device is intended to equip, the said identity data being intended to allow an identification of said unit;
- connection detector adapted to detect a presence or absence of said coupling Identity Generator device with at least one other available ⁇ ID generation operative part
- a list generator capable of creating a list of elements intended to include elements able to be ordered and added successively;
- serialization component capable of adding another element to said list, either following a last element of a list of controllable elements successively intended to be received by the ⁇ said identity generating device, either as the first element of the list of elements that can be created by the list generator, said other element comprising said identity data;
- a list of transmitter capable of transmitting ⁇ said list of elements comprising the other element or to another identification generating device, or at least one computer, comprising said particular security module of the control system of the multi vehicle -unity, after encapsulation of the ⁇ said list in a given composition of said vee ⁇ vehicle multi-unit.
- said determination of the composition of the multi-unit vehicle is carried out by means of said identity generating device according to the following steps:
- each Identity Generator device of each unit of the multi-unit vehicle of said identity data to enable an identification of the unit as said team generating device, said generating being above ⁇ ceptible to be carried out by said identity data generator;
- connection detector for each identity generating device, a presence or absence of coupling of said identity generating device with at least one other identity generating device
- com ⁇ takes the following substeps:
- said method comprises a design, by the list generator genera said device Identity ⁇ characterized by said absence of coupling with another identity generating device, a list of elements for com ⁇ to take successively ordered elements, ⁇ said list comprising a first element, said pre ⁇ first element comprising said identity data of the unit intended to be equipped by said identity generating device characterized by said ab ⁇ sence of coupling with another device for gené ⁇ ration of identity, said first element being the first element of the list created by the list generator, said creation being followed by a encap ⁇ sulation of said list in said data of
- the determination of the composition of the multi-unit vehicle can be achieved by means of a device internal to the system.
- Steering tem ie by means of or devices ⁇ gen eration identity determination device of com ⁇ position of the multi-unit vehicle, independently of other external devices to the control system that would acquire des- Tines said application information.
- Each identity generation device equipping each uni ⁇ t of the multi-unit vehicle is thus connectable to one or two identical identity generation devices so as to form a chain of identity generation devices capable of being transmitted successively. said list.
- each identity generation device com ⁇ takes at least two connectors, respectively a first and a second connector, each intended for coupling said identity generating device ⁇ with the other identity generation device, ie one of its neighbors in said chain of identity generation devices.
- Said list can be created by the list generator of one of the two, see two, ID generation devices located at the end of said chain when the vehicle ⁇ mul ti-unit comprises more than two units.
- the die device ⁇ termination of said composition thus comprises as many Identity Generator device of the multi-unit vehicle comprises units.
- Each generation identity tion devices is capable of generating the identity data of the unit it is fitted and to transmit to the one or respecti vely ⁇ any of its neighbors, said list after the latter transmitted to him by the other, respectively one of his neighbors.
- said list generator is in particular able to cyclically create said list.
- said list generator is capable of creating said list when said connection detector detects said coupling presence of said identity generating device with only one other identity generating device or with no other generation device. identity.
- identity the creation of said list by the list generator of at least one of the identity generation devices located at the end of the chain, allows a control and a continual update of the composition of the multi-unit vehicle when the latter is composed of at least two units, since the list may be continuously transmitted to the calculated ⁇ tor via said given composition when said list has passed through the whole chain of iden- tity generating devices.
- each unit comprising said steering system is capable of being autonomous, ie it is able to move, to manage its movement and its operation independently of any other steering system external to said unit.
- control system that can be associated with an autonomous unit is able to control and manage the movement of other units that can be coupled or coupled to it, that these other units comprise at least one other autonomous unit and / or at least one other unit.
- non-autonomous unit is a unit which comprises only a part of the control system, in particular at least one identity generating device, each of these devices being connectable to the network of said unit, it being even connectable to the network of other units that are likely to be coupled or hitched to form the network of the multi-unit vehicle.
- an ⁇ ton unit will be able to embark said control system according to the invention, and a non-autonomous unit will refer to a unit that does not have the entirety of said em ⁇ barking control system. .
- a multi-unit vehicle is then likely to be formed of at least one autonomous unit that can be coupled, or not, to one or more autonomous or non-autonomous units.
- a computer of one of the autonomous units will be in particular responsible for the management of the control and operation of the multi-unit vehicle.
- the master calcu ⁇ tor of one of the autonomous units is intended to control the multi-unit vehicle.
- An automatic designation of the master computer for controlling said multi-unit vehicle is feasible as a function, for example, of the formation order of the multi-unit vehicle deductible from said composition datum that can be acquired by each calculator of each unit. .
- the security module of the control system is on the one hand able to connect each computer to said set of inputs / outputs to allow an exchange operating data between each computer and the functional devices of the units of the multi-unit vehicle, but also, and secondly, to prioritize the connection of said automatically designated master computer to said set of inputs / outputs and to associate a calculator redundant.
- priority it is in particular referred to the attributed exclusive ⁇ tion of the connection with said set of trees In ⁇ / output to a computer, preferably a single cal ⁇ culateur, for example said master computer, or the - says master calculator with redundant sound.
- the set of trees In ⁇ / O modules I / O of the pi system ⁇ secure lotage connects each computer vee ⁇ vehicle multi-functional unit devices of said vehi ⁇ cule multi-unit via the network multi-unit vehicle, said network being common to all calculators of the vehicle mul ⁇ ti-unit.
- the control system is able to choose at least one computer from all the computers distributed on the network of said vehicle so that it acts as master computer to be directly associated, by connection to said set of trees in ⁇ / outputs, the inputs / outputs of said modules to drive the vehicle, for example automatically.
- the computer acting as a master computer driver said vehicle the other computers of said vehicle ⁇ wind in particular be in a standby state, so that only the computer chosen as master computer by the security module controls the steering of said vehicle. Examples of embodiments and applications provided with the aid of the following figures will help to better understand this invention.
- FIG. 2 exemplary embodiment according to the invention of an identity generation device.
- FIG. 3 example of a mechanism for securing a security and prioritization mo ⁇ module according to the invention.
- Figure 1 shows a safety controller adapted for controlling a multi-unit vehicle re ⁇ configurable comprising three units 1, 2, 3.
- the control system comprises at least one device for generating identity 4, each identity generation device 4 is designed to equip a unit 1, 2, 3.
- each uni ⁇ tee 1, 2, 3 is adapted to include said device genera ⁇ ID 4.
- Each identity generation device 4 is connectable to its neighbors in order to form a chain of identity generation devices. Said chain of identity generation devices connectable one after the other form said device for determining a com ⁇ position of the multi-unit vehicle according to the invention.
- Said secure control system further comprises at least one computer 5 intended to equip each autonomous unit 1, 2 of the multi-unit vehicle, at least one input / output module 91, and at least one of said computers 5 of the pilosebaceous system ⁇ secure floor comprising at least one security module 6, optionally included in the computer 5.
- at least one computer 5 intended to equip each autonomous unit 1, 2 of the multi-unit vehicle, at least one input / output module 91, and at least one of said computers 5 of the pilosebaceous system ⁇ secure floor comprising at least one security module 6, optionally included in the computer 5.
- particu ⁇ bind several computers 5 are distributed in several independent units 1, 2, and several modules / O 91 are distributed in several units, whether or not the ⁇ tonomes autonomous.
- a network 8 of the multi-unit vehicle is used to connect the computers 5, the secu ⁇ authorization modules 6, the device for determining the composition of the multi-unit vehicle, modules I / O 91, and the functional devices 7 from each unit to each other so that they can communicate and exchange information, such as composition data and operating data, with each other.
- the I / O modules 91 of the control system allow the connection, via the network 8, of the calcu ⁇ latters to a set of inputs / outputs, each input / output being able to connect at least one functional device 7 to at least one computer 5.
- Each computer 5 is in particular dynamically reconfigurable on the basis of the composition data supplied by the device for determining the composition of the multi-unit vehicle, in order to maintain in real time a connection with said I / O coher ⁇ annuity with the composition of said multi-unit vehicle.
- Each identity generation device 4 is connectable, in particular by means of a bidirectional differential connection at low speed serial to at least one other genera device ⁇ identity 4a, 4b identical, especially two ⁇ identical identity generation devices 4a, 4b as shown in FIG. 2.
- Each identity generating device 4, 4a, 4b comprises an identical data generator 41, a connection detector 42, a signal generator list 43, a serialization component 44, a list transmitter 45, and at least two connectors, respectively a first connector 46a and a second connector 46b, for the acquisition and transmission of the list.
- a third connector 47 may in particular connect the identity generating device to the network of the unit or the multi-unit vehicle.
- connection detector of the identity generation device is particularly characterized in that it is able to guarantee in safety that a list has an input on the first connector 46a or the se ⁇ cond connector respectively. 46b and intended to be acquired by said identity generating dis ⁇ positive, can not be found by crosstalk or any other coupling on the second 46b or respec ⁇ tively the first connector 46a.
- connection detector connectable to said connectors 46b, 46a, may in particular comprise at least one electrically isolated differential buffer, in particular a first buffer 422 connectable to the first connector and a second buffer connectable to the second connector, as well as receivers opto-couplers, in particular a first optocoupler receiver connectable to the first connector and a second opto-coupler receiver 421 connectable to the second connector.
- protection components against disturbances and surten ⁇ ⁇ tions can be added to said detection device, as well as filters to ensure safe isola ⁇ tion between the first and second connector 46a, 46b.
- said serialization component 44 may comprise two separate digital components 441, 442, for example FPGAs, capable of performing functions sé ⁇ Serialization and de-serialization of an item in said list, and the add function another element after the last element of that list, in particular in order to safe firing a list can not cross the dispo ⁇ ID generation operative part of the connector 46a to the connector 46b, or vice versa, without having been enriched with the identity data of said identification generating device.
- two separate digital components 441, 442 for example FPGAs
- the identity data generator 41 is partly ⁇ ticular, to generate a polarization information, said bias information to, optionally to propagate the list comprising said identity data only to one and only one of said first or second 46a connectors or 46b.
- said identity data can advantageously comprise various information allows ⁇ as an identification of the unit which it is fitted, such as a device number or a unit number of the uni ⁇ ty it equips.
- the list of transmitter 45 is able to act as an interface between the network, eg an IP Ethernet network, the multi-unit vehicle and the gen ⁇ eration identity device. To this end, it may possibly under- stand a digital component such as a logic circuit ⁇ grammable FPGA.
- ⁇ is a coding constant of sufficiently large value, expressed on, for example, 48 bits of information, in order to guarantee the security objective SIL4 such that the sequence of ⁇ 1 presents a pseudo-random distribution;
- I di is the identity data of the unit i of the multi-unit vehicle
- Data ⁇ is a data characterizing at least one equipment of the unit i or an identification number of the unit
- the control system according to the invention is thus able to ensure that at least one computer, preferably the master computer is associated consistently seems to ⁇ functional devices of the multi-unit vehicle to ensure driving said multi-unit vehicle.
- the security module associates, preferably exclusively, a connection to a set of distributed I / O on the network of said multi-unit vehicle with a computer. in particular with a master computer, said inputs / outputs being intended to connect said calculator to the functional devices of the units that make up said multi-unit vehicle.
- each cal ⁇ culateur is coupled to a security module according to the invention, and each security module according to the invention is adapted, in dependence on said data to composition ⁇ trate into an idle mode or in a active mode, so that a single securing module is active for the multi-unit vehicle.
- at least one condition pre ⁇ definable in each of said secure modules per- makes each of security modules to determine its own operating mode, ie either said active mode or said inactive mode.
- Said predefinable condition can for example be correlated to a position within the multi-unit vehicle of the unit equipped with a computer comprising said security module.
- FIG. 3 shows an exemplary mechanism for securing the association of at least one computer of a control system according to the invention with a set of inputs / outputs of input / output modules intended to equip the vehicle. multi-unit.
- the secu ⁇ authorization module comprises in particular an encoded association token generator capable of generating an encoded association token comprising in particular a unique identification code of the computer or computers group allowed to be connected to inputs / outputs of said modules ⁇ Trees In / Out.
- the locking module of the security module is capable of transmitting said token to all inputs / outputs of modules whose I / O must be connected to said computer or group of calcu ⁇ freezer in order to be consistent with said data composi ⁇ multi-unit vehicle, and to allow
- Don ⁇ born composition allows particularly security module to determine which I / O modules to which Inputs / Outputs must be controlled by the computer or computer group to operate the multi-unit vehicle, therefore determine which trees in ⁇ / O must be connected to said computer or computer group.
- Each I / O module receiving said asso ciation ⁇ encoded token is in particular able, during a response phase, periodically transmitting or sufficiently frequently a confirmation message capable of confirming the connection of said computer with I / O said module In- puts / outputs, and to transmit said message confirmed ⁇ said computer, in particular to said security module of said computer of the safety controller.
- Said confirmation message may for example be transmitted periodically to pe ⁇ a transmission period whose value temporal links, ie its length, may be predefined.
- the response phase may be preceded by a phase of ini ⁇ tialisation 1 allowing generation and initialization of the confirmation message.
- the duration of this phase initiali sation ⁇ is in particular greater than the duration of said pe- transmission period to ensure that the safe securing mechanism has time to detect that a calculated ⁇ tor or a group of computers previously connected to an input / output of an input / output module a or have per ⁇ said connection with said input / output before another calculator or another group of calculator has had the time to connect to said Input / Output.
- This duration of the initialization phase greater than the transmission period may be for example guaranteed by a pseudo random generator ⁇ toire to operate continuously during said initialization phase of the confirmation message.
- a confirmation message initialized 2 is generated by the module ⁇ Trees In / Out.
- the input / output module is able to associate, during an association phase 4, said token of coded association to said initialized confirmation message.
- said 5 confirmation message is ready to be sent periodically to secu ⁇ authorization module.
- this confirmation message following said step of association, comprises firstly said donation ⁇ born identification of the computer or computer group, but also on the other hand, identification of In- puts / Outputs input / output module connected to said computer or group of computers, and a tempo ⁇ real data to verify a freshness of the confirmation message ⁇ tion.
- the confirmation message is then sent, in particular ⁇ cyclically during the response phase 6, at least au said security module that issued the coded token combination.
- the locking module said security module is in particular able to decode the message confirmed ⁇ order to control the inputs / outputs of said module I / O are connected to said computer or said computer group, and not of other calculators.
- the I / O module As long as an I / O module is connected to a computer or computer group via its inputs / outputs, said I / O module generates, in particular cyclically, said transmission period confirmation message and no other calculator can be connected to it.
- the Association token generating said verrouil- spinning module is capable of generating a desti unlocking key ⁇ born to be transmitted by the locking module to ensem ⁇ ble modules I / O whose connections with the computer or the computer group are to be cut.
- the I / O module Upon receipt of such an unlocking key 7, the I / O module is particularly adapted to disassociate the coded association token from the initial confirmation message in order to restore said initialized confirmation message 2.
- the I / O module is able to reset by returning to the initialization phase of the confirmation message in order to allow, for example, a combination of encoded token from another computer is capable of being associated with said initiali confirmation message ⁇ sé.
- the response phase 6 for sending, in particular cyclically, in the security module confirmation via said confirmation message that the inputs / outputs of said module I / O are connected and controlled by the calcu ⁇ freezer, for example the master computer, or by a group of computers, for example the master computer and its redundant.
- Said security module is thus able to bind particu ⁇ continuously check consistency of the computer connection with each module I / O for which it has received said confirmation message and said given composition, thereby ensuring the safe connecting a calculator to said set of Inputs / Outputs.
- Figure 4 discloses an automatic coupling a first vehi ⁇ cule multi-unit 1 with a second multi-unit vehicle 2 com- each taking a safety control system according to the inven ⁇ to form a new vehicle multi- unit.
- the two multi-unit vehicle such as a first train with three cars and a second train with two cars each include a distributed safety control of their own, said secure control sys ⁇ tems of each multi-unit vehicles being independent of one another.
- the first vehi ⁇ cule multi-unit 1 comprises in particular three units
- the second multi-unit vehicle 2 comprises in turn two units.
- the control system of the first multi-unit vehicle 1 com ⁇ takes in particular at least three computers 51, 52, 53 and at least three I / O modules 91, 92, 93, linked by a first network 81, for example Ethernet, PLC, Wi-Fi.
- the second multi-unit vehicle 2 comprises in particular at least two computers 54, 55, and at least two I / O modules 94, 95, connected by a second network 82.
- at least one computer and at least one module I / O of the safety controller are designed to equip a unit, so that each unit comprises at least one calcu ⁇ freezer and at least one I / O module. So, in this example, each unit is an autonomous unit.
- the first and second multi-unit vehicle could equally comprise one or more non-autonomous units, each non-autonomous unit comprising for example at least one module / O device and a gen ⁇ eration identity .
- One of the computers 51, 52, 53 of the first multi-unit vehicle 1 is chosen to be the master computer of the first multi-unit vehicle 1, for example the computer 51 capable of being positioned at one end of said first multi-unit vehicle 1, and possibly another of the computers 51, 52, 53 of the first multi-unit vehicle 1 is chosen to be its redundant, for example the computer 53 positionable at the other end of the first multi-unit vehicle 1.
- one of the computers 54, 55 of the second multi-unit vehicle 2 is chosen to be the master computer of the second multi-unit vehicle 2, for example the computer 54 posi ⁇ tionable at one end of the second multi-unit vehicle 2, and possibly another of ECUs 54, 55 of the second multi-unit vehicle 2 is selected to be its redundant, for example the computer 55 positionable other Extremists ⁇ mite second multi-unit vehicle 2.
- the Sécuri control system ⁇ comprises in particular a master computer positioned itself ⁇ ble, particularly in a self-contained unit, to one end of the multi-unit and a computer vehicle placed in redundancy ⁇ said master computer , ie its redundant, positionable, especially in an autonomous unit, at the other end of said multi-unit vehicle, to allow efficient splitting of said multi-unit vehicle.
- the other computers of the first multi-unit vehicle 1, respectively of the second multi-unit vehicle 2 are in an inactive state, such as, for example, the computer 52 of the first multi-unit vehicle 1.
- the choice the master computer and its redundant may be based on a choice algorithm using a numbering, such as an IP address or a computer number, or a determination of a position of the computers in the multi-unit vehicle, said position being for example a po- central position, a position at the head or tail of multi-unit vehicle, the position of a calculator being deductible from said composition data.
- At least one securing mechanism and priorisa ⁇ a security module of a steering system of the computer is adapted to select said master computer and its redundant, and therefore allows a prioritization calcu ⁇ freezer master, or in other words, an exclusive connection of the master computer with I / O modules of in ⁇ Trees / outputs of the multi-unit vehicle, so that only the master computer is able to control the inputs / outputs of the modules I / O for providing said vehi ⁇ multi-unit cule.
- the redundant computer is able to take control of said inputs / outputs in the event of failure of the master computer.
- said security module capable of performing said securing and prioritization mechanism can optionally be selected automatically according to said given composition for each of said multi-unit vehicles.
- the security module is able to choose as master computer via its mechanism of securing and prioritizing the computer that it is intended to equip.
- the security module is preferably able to prioritize the computer that it equips.
- a security module 6 of the first multi-unit vehicle 1 is able to select said computer 51 as master computer to enable the master computer to control the inputs / outputs of the I / O modules 91, 92 93, of the first multi-unit vehicle 1 via the first network 81.
- a security module 6 of the se ⁇ multi-unit vehicle 2 is able to choose said calculator 54 ⁇ as master computer to him to control the inputs / outputs of the modules of En- 94, 95 of the second multi-unit vehicle 2 via the second network 82.
- each computer according to the invention when it is the redundant computer of a master computer, is particularly capable of checking a state of synchronization of its context with a context of said master computer.
- the master computer and its re ⁇ dondant when the context of the latter is checked synchro to that of the master computer, are able to be connected to the input / output of the input / output modules that are associable.
- the module sé ⁇ curisation 6 of the master computer is able to Lock ⁇ l, by means of an association encoded token, the du- connection said master computer and its redundant with said ⁇ Trees in / outputs.
- the steering system of the first multi-unit vehicle 1 is further characterized in that it comprises at least one provi ⁇ tif Identity Generator, in particular three provisions ⁇ tive of Identity Generator 41, 42, 43, each of which is intended to equip a unit of the first multi-unit vehicle 1.
- the control system of the second multi-unit vehicle comprises two identity generation devices intended to equip, each, a unit of said second multi-unit vehicle. 2.
- a first identity generation device 41, a second identity generation device 42 and a third identity generation device 43 equip each of them.
- a unit of the first multi-unit vehicle 1 and a first identification generating device 44 and a second provi ⁇ tif Identity Generator equip said second multi-unit vehicle.
- the identity generating devices 41, 42, 43 of the first multi-unit vehicle 1, respectively those of the second multi-unit vehicle 2, are connectable one after the other in order to form a first dispo chain.
- Each identity generation device is capable of communicating and exchanging data, including said list according to the invention, with its neighbor (s).
- communication may be established from one end of the chain of identity generating devices to another, or in other words one end to the other of the multi-unit vehicle, either in a first direction of the head to the tail of the multi-unit vehicle, for example the genera device ⁇ identity 41 located at the head of the vehicle multi- unit identity Generator device 43 located at the tail of said multi-unit vehicle, or conversely, from the tail to the head of the multi-unit vehicle, for example the genera device ⁇ identity 43 queue at the identity generation device 41 at the head, or even in both directions at the same time.
- the identity generating devices 44, 45 of the second multi-unit vehicle are examples of the second multi-unit vehicle.
- At least one of the identity generation devices 41, 42, 43 of the first multi-unit vehicle 1, res ⁇ respectively of the second multi-unit vehicle 2, in particular located at the end of the first chain, respectively of the second string, is able to initialize said list according to the invention, for example a first list for the control system of the first multi-unit vehicle 1, and a second list for the second multi-unit vehicle 2.
- Each of these lists preferably comprises a time data, for example a date , and allows an encoding of the composition of the multi-unit vehicle for which it was generated.
- the first list is adapted to be initialized for the pre ⁇ Mier multi-vehicle unit 1 by one of its devices ⁇ gen eration of identity and enable an encoding of the composition of said first multi-unit vehicle 1, and a second list will be able to be initialized for the second multi-unit vehicle 2 by one of its iden ⁇ tite generation devices, and will also allow encoding of its composition.
- Each identity generation device 41, 42, 43 of the first multi-unit vehicle 1, respectively each Identity Generator device 44, 45 of the second vehicle ⁇ mul ti-unit 2, is able to accumulate or add an identity datum in said first list, respectively is ⁇ list after the last element (for example following the last identity data) added in said first, respectively second list by the preceding identity generation device .
- the identity generation device located at the other end of said first chain, or second chain, ie located at the end of the chain, is in particular able to transmit, in particular cyclically, said first list, respectively second list, encapsulated in a given composition, the calculated ⁇ tor master 51 and its redundant 53 via said first network 81 in the case of the first multi-unit vehicle 1, and the cal ⁇ culateur master 54 and its redundant 55, via said second network 82 in the case of the second multi-unit vehicle 2.
- the identity Generator device capable of receiving the first list by one of its connectors and the second list by another of its connec ⁇ tors is in particular able to create a new list comprising the elements of the first list, which is added first the identity data created by said device - generation tif capable of receiving the first and ⁇ count list, and then the second list elements.
- the new list thus includes the identity data of all the units comprising the multi-unit vehicle.
- the Identity Generator device capable of receiving the first list by one of its connectors and the second list by another of its connectors is capable of selecting either the first list or the second list, ie only one of the two lists, in order to transmit it to an identity generation device located at the end of the chain.
- one and only one of the two lists is adapted to propagate towards one and only one Identity Generator device located extremi ⁇ side chain, intended to support the creation of the list complete identity data of all the units composing the multi-unit vehicle.
- the Identity Generator device that created said nou ⁇ velle list is further capable of encapsulating said new list in said given composition so that it is transmitted, in particular cyclically, with at least one computer, for example to all the computers equipping each of the vehi cles ⁇ multi-unit or preferably to the master computer 51 and its redundant 53.
- the first network 81 and second network 82 are connectable to one another to form a new network 83, said new network 83 being a meeting of the first network 81 and the second network 82.
- the new device for determining the composition of the new multi-unit vehicle 3, consisting of devices ⁇ gen eration identity of the first and second multi-unit vehicle, is able to transmit via said new network 83, said data composition the new multi-vehicle unit 3, to all computers of the new multi-unit vehicle 3, in particular to at least one secu ⁇ authorization module receives said given composition.
- each pilo ⁇ tage system is capable, by means of said unlocking key transmitted by their respective security modules, to cut the connection of at least one of its cal ⁇ culators, especially all its calculators, auditing ⁇ appear I / O as soon as detection of a variation of ⁇ said composition data.
- the security module of the control system according to the invention is able to detect said variation of the composition data and to cut the connection of at least one computer with said set of inputs / outputs, in particular the connection of the master computer and its redundant, to allow a new master computer and its redundant to take control of said inputs / outputs by connecting.
- a new security module 6, chosen for example according to the composition data of the new multi-unit vehicle 3, determines said new master computer and its redundant.
- the new master computer is located at one end of the new vehi ⁇ cule multi-unit 3, for example the computer 51, and re ⁇ dondant at the other end, for example the computer 55.
- the other computers 52, 53, 54 of the new multi-unit vehicle 3 are preferably in an inactive state.
- the new security module 6 of the control system of the new multi-unit vehicle 3 is then able, on the basis of said composition data, to connect at least one computer, in particular said new master computer and its redundant, to the set of inputs / outputs of the I / O modules 91 to 95 of the new multi-unit vehicle 3.
- the security module 6 is able to validate a coherence between the inputs / outputs associated with the computers and the composition data
- the pilo system ⁇ floor of the new multi-vehicle unit 3 is adapted to take control of said I / O for controlling the said functional ⁇ positive the new multi-unit vehicle allows ⁇ as his driving.
- Figure 4 also helps explain a scindage a vehi ⁇ cule multi-unit equipped with a safety control system ⁇ lon the invention.
- a multi-unit vehicle for example of said new multi-unit vehicle 3, into two or more other multi-unit vehicles, for example into a first multi-unit vehicle 1 and a second multi-unit vehicle 2
- said new identity generation device chain of said new multi-unit vehicle formed of the identity generating dis ⁇ positives 41 to 45 is broken, separated into two parts, for example into said first chain of identity generation devices 41 to 43 of the first multi-unit vehi ⁇ cule 1, and said second chain provi ⁇ tive Identity Generator 44, 45 of the second vehicle ⁇ mul ti-unit 2.
- the network 83 of the new multi-unit vehicle 3 is separated into a first network 81 of the first multi-unit vehicle 1 and into a second network 82 of said second multi-unit vehicle 2.
- each of the two parts of the positive dis- chain identity of the new multi-unit vehicle 3 is ca pable ⁇ generate independently and automatically a given nou ⁇ velle composition respectively characterizing the first multi-unit vehicle 1, and the second multi-unit vehicle 2.
- the new composition data is in particular able to cause generation by at least one security module of the unlocking key allows ⁇ as a disconnection of each of the computers, with the inputs / outputs to which they were previously connected in the configuration of said new multi-unit vehicle 3.
- said release key is likely to be transmitted to each security module via a safety control system according to the invention, so that each security ⁇ mo dule is able to disconnect a calculators tor its connection with the least one entrance / exit when ⁇ scindage said.
- the connection of the master computer 51 and its redundant 55 with the inputs / outputs of their I / O modules 91 to 95 is able to be cou ⁇ pe by means of said unlocking key adapted to be provided by the security module, either during said detection of the variation of the composition data during the splitting, or during a prior process of notification of the splitting to said control system of said new multi-unit vehicle.
- connection loss can be construed ⁇ ted by said module securing and the Entry / Exit module as a failure which may in particular result in a reset of the confirmation message.
- This reset of the confirmation message will make it possible to connect a new master computer chosen after splitting for each of the first and second multi-unit vehicles to the inputs / outputs of the input / output modules equipping their units.
- the present invention makes it possible, during a splitting or a coupling, to automatically correlate the new composition of the multi-unit vehicle with all the inputs / outputs to be taken into consideration by the master computer, so that a loss of a connection of the master computer with a part of its inputs / outputs does not result in an activation of an emergency procedure of the control system.
- At least one calculator among all the calculators distributed on the network of said vehicle is suitable for act as a master computer to control said vehicle and to be directly associated, by connection to said ⁇ I / O set, to the input / output modules of said vehicle.
- the computer acting as said vehicle driver master computer other calculated ⁇ tors said vehicle can in particular be in the standby state, so that only the computer identified as cal ⁇ culateur master by the security module controls the pi ⁇ preferably, the security module identifies the computer that it equips as the master computer.
- the present invention allowed to describe a safety control sys- tem able to discover so ⁇ tonome the composition of a multi-unit vehicle such as a train, and verify proper connection the safety of at least one the computer control system with a set of trees in ⁇ / modules outputs I / O distributed on the network of said multi-unit vehicle.
- composition data from said multi-unit vehicle capable ⁇ describe a set of characteristics of the units that compose said multi-unit vehicle, and a set of possible configurations of said multi-unit vehicle may be used as reference control, particularly cyclic, coherence between all the inputs / outputs able to be connected and locked with said computer and the composition of the multi-unit vehicle.
- the present invention allows a validation of the integrity of a free multi-unit vehicle from the use of application-level information, such as located it ⁇ for example, and providing greater genericity treatment with direct access to all the trees ⁇ in / out multi-unit vehicle and the ability to centralize software treatments related to the security of the control system on a single computer.
- the method and securing a sys tem control system ⁇ according to the invention have several advan ⁇ tages compared to exis control methods and systems ⁇ as in that:
- the securing and prioritization mechanism allows an exclusive assignment of the connection of a set of I / O with at least one computer, in par ticular ⁇ a single computer, and is used to associate security, directly a master computer with safe exits. This allows the realization of a dynamically reconfigurable distributed architecture, and thus a centralization of operating data and greater flexibility of deployment;
- composition data is compa ⁇ tible with the transmission period of the confirmation message ⁇ tion to refresh the inputs / outputs connected to the master computer;
- centralizing information to a computer simplifies the complexity of the pilosebaceous system ⁇ automatic floor and reduces the complexity of the security ana ⁇ lysis.
- the control of the multi-unit vehicle by a computer via the I / O modules is thus secure;
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Small-Scale Networks (AREA)
- Traffic Control Systems (AREA)
- Lock And Its Accessories (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP11757325.3A EP2643198B1 (de) | 2010-11-23 | 2011-09-15 | Verfahren zur sicherung eines steuersystems eines neukonfigurierbaren fahrzeugs aus mehreren einheiten sowie gesichertes steuersystem |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP10290624 | 2010-11-23 | ||
| PCT/EP2011/066032 WO2012069223A1 (fr) | 2010-11-23 | 2011-09-15 | Méthode de sécurisation d'un système de pilotage d'un véhicule multi-unité reconfigurable et système de pilotage sécurisé |
| EP11757325.3A EP2643198B1 (de) | 2010-11-23 | 2011-09-15 | Verfahren zur sicherung eines steuersystems eines neukonfigurierbaren fahrzeugs aus mehreren einheiten sowie gesichertes steuersystem |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| EP2643198A1 true EP2643198A1 (de) | 2013-10-02 |
| EP2643198B1 EP2643198B1 (de) | 2017-11-01 |
Family
ID=44651808
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| EP11757325.3A Active EP2643198B1 (de) | 2010-11-23 | 2011-09-15 | Verfahren zur sicherung eines steuersystems eines neukonfigurierbaren fahrzeugs aus mehreren einheiten sowie gesichertes steuersystem |
Country Status (9)
| Country | Link |
|---|---|
| US (1) | US8755957B2 (de) |
| EP (1) | EP2643198B1 (de) |
| KR (1) | KR20130140743A (de) |
| CN (1) | CN103313902A (de) |
| BR (1) | BR112013012848B1 (de) |
| CA (1) | CA2818605A1 (de) |
| ES (1) | ES2658184T3 (de) |
| HU (1) | HUE037885T2 (de) |
| WO (1) | WO2012069223A1 (de) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2992620B1 (fr) * | 2012-06-27 | 2014-08-15 | Alstom Transport Sa | Train et procede de determination de la composition d'un tel train en securite |
| AT515454A3 (de) * | 2013-03-14 | 2018-07-15 | Fts Computertechnik Gmbh | Verfahren zur Behandlung von Fehlern in einem zentralen Steuergerät sowie Steuergerät |
| CN108163012B (zh) * | 2017-12-27 | 2019-12-03 | 卡斯柯信号有限公司 | 一种支持列车动态连挂和解编的控制方法 |
| CN109441280B (zh) * | 2018-09-12 | 2020-07-14 | 南京康尼机电股份有限公司 | 一种sil4安全级轨道车辆门控器的安全电路及其控制方法 |
| CN113194472B (zh) * | 2021-03-31 | 2023-03-31 | 新华三技术有限公司成都分公司 | Agv无线接入方法及车载设备、网络设备、存储介质 |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6144900A (en) * | 1998-04-17 | 2000-11-07 | General Electric Company | Automatic serialization of an array of wireless nodes based on coupled oscillator model |
| DE19929644C2 (de) | 1999-06-28 | 2002-02-21 | Deutsche Bahn Ag | System zur Initialisierung von Zügen auf Basis eines Datenkommunikationssystems, bei dem allen Kommunikationsteilnehmern die Informationen in der Initialisierungsphase zugänglich sind |
| US8037204B2 (en) * | 2005-02-11 | 2011-10-11 | Cisco Technology, Inc. | Method and system for IP train inauguration |
| DE102006018163B4 (de) | 2006-04-19 | 2008-12-24 | Siemens Ag | Verfahren zur automatischen Adressvergabe |
| CA2706087C (en) | 2007-11-30 | 2013-11-26 | Mitsubishi Electric Corporation | Train configuration recognition system and train configuration recognition apparatus |
| GB2461386B (en) * | 2007-12-21 | 2010-06-09 | Nomad Spectrum Ltd | Establishing a wireless connection between component vehicles where order/orientation information is used to issue instructions to components |
-
2011
- 2011-09-15 CA CA2818605A patent/CA2818605A1/en not_active Abandoned
- 2011-09-15 ES ES11757325.3T patent/ES2658184T3/es active Active
- 2011-09-15 US US13/989,300 patent/US8755957B2/en active Active
- 2011-09-15 WO PCT/EP2011/066032 patent/WO2012069223A1/fr active Application Filing
- 2011-09-15 CN CN2011800495719A patent/CN103313902A/zh active Pending
- 2011-09-15 KR KR1020137013107A patent/KR20130140743A/ko not_active Application Discontinuation
- 2011-09-15 HU HUE11757325A patent/HUE037885T2/hu unknown
- 2011-09-15 EP EP11757325.3A patent/EP2643198B1/de active Active
- 2011-09-15 BR BR112013012848-8A patent/BR112013012848B1/pt active IP Right Grant
Non-Patent Citations (2)
| Title |
|---|
| None * |
| See also references of WO2012069223A1 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103313902A (zh) | 2013-09-18 |
| US8755957B2 (en) | 2014-06-17 |
| EP2643198B1 (de) | 2017-11-01 |
| CA2818605A1 (en) | 2012-05-31 |
| WO2012069223A1 (fr) | 2012-05-31 |
| US20130245865A1 (en) | 2013-09-19 |
| HUE037885T2 (hu) | 2018-09-28 |
| BR112013012848A2 (pt) | 2016-08-23 |
| BR112013012848B1 (pt) | 2020-10-20 |
| KR20130140743A (ko) | 2013-12-24 |
| ES2658184T3 (es) | 2018-03-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2012069223A1 (fr) | Méthode de sécurisation d'un système de pilotage d'un véhicule multi-unité reconfigurable et système de pilotage sécurisé | |
| EP2679466B2 (de) | Sicheres Verfahren zu Bestimmung der Zusammenstellung eines Zugs | |
| EP0520877B1 (de) | Verfahren und Vorrichtung zur Nachrichtenübertragungsverwaltung über ein Stromversorgungsnetz in einem Hausnetz | |
| FR2986881A1 (fr) | Procede d'election de l'equipement maitre actif parmi deux equipements maitres redondants | |
| EP1349078B1 (de) | Einrichtung, Gateway und Verfahren zum Laden von Information zwischen on-board Ausrüstungen eines Flugzeugs und off-board Ladeeinrichtung | |
| FR2990784A1 (fr) | Organe de communication d'un reseau de communication de type can fd a etats multiples compatibles avec des organes de communication de type can hs | |
| EP1304836B1 (de) | Deterministisches Feldbus und Verwaltungsverfahren dafür | |
| CN112217634B (zh) | 一种应用于智能车的认证方法、设备和系统 | |
| EP1647112B1 (de) | Verfahren und vorrichtung zur übertragung von daten | |
| US20030187994A1 (en) | Methods, systems, and computer program products for communicating using a hybrid physical network | |
| FR3030162A1 (fr) | Procede d'echange de trames de donnees numeriques et systeme de communication associe | |
| EP3198462B1 (de) | Übertragung von synchronen daten über einen seriellen datenbus, insbesondere einen spi-bus | |
| FR3067192B1 (fr) | Appareil electronique comportant deux memoires et procede d'appairage associe | |
| WO2013076044A1 (fr) | Réseau de transmission d'informations et noeud de réseau programmable | |
| FR3082960A1 (fr) | Architecture electronique de vehicule automobile avec redondance des reseaux d’alimentation electrique et de communication inter-calculateurs. | |
| FR3093831A1 (fr) | Dispositif pour et procédé de transmission de données | |
| FR3102269A1 (fr) | Procédé et dispositif de détection d’une intrusion sur un bus de données d’un véhicule | |
| WO2014124882A1 (fr) | Architecture de transmission d'informations à pont notamment pour application à l'avionique embarquée | |
| US20220263662A1 (en) | Techniques for updating a software component | |
| WO2021043830A1 (fr) | Systeme de transfert unidirectionnel de donnees et procede correspondant | |
| EP4057190A1 (de) | Vereinfachter client und zugehörige architekturen für die übertragung von quantenberechnungen an einen quantenserver | |
| WO2014124923A1 (fr) | Architecture de transmission d'informations notamment pour application à l'avionique embarquée | |
| FR2753551A1 (fr) | Procede et dispositif de synchronisation du fonctionnement d'au moins deux calculateurs d'un systeme electronique embarque a bord d'un vehicule automobile | |
| KR20200055450A (ko) | 차량 사이버 보안을 위한 키관리 시스템 및 방법 | |
| WO2023118035A1 (fr) | Système pour la transmission de données entre dispositifs clients, procédé de mise en oeuvre d'un tel système |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
| 17P | Request for examination filed |
Effective date: 20130408 |
|
| AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
| DAX | Request for extension of the european patent (deleted) | ||
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: SIEMENS S.A.S. |
|
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: SIEMENS S.A.S. |
|
| GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
| STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
| INTG | Intention to grant announced |
Effective date: 20170502 |
|
| RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: CHENU, ERIC |
|
| GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
| GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
| STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
| AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
| REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D Free format text: NOT ENGLISH |
|
| REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP Ref country code: AT Ref legal event code: REF Ref document number: 941725 Country of ref document: AT Kind code of ref document: T Effective date: 20171115 |
|
| REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D Free format text: LANGUAGE OF EP DOCUMENT: FRENCH |
|
| REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602011042929 Country of ref document: DE |
|
| REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20171101 |
|
| REG | Reference to a national code |
Ref country code: ES Ref legal event code: FG2A Ref document number: 2658184 Country of ref document: ES Kind code of ref document: T3 Effective date: 20180308 |
|
| REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG4D |
|
| REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 941725 Country of ref document: AT Kind code of ref document: T Effective date: 20171101 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180201 Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180201 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180202 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20180301 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602011042929 Country of ref document: DE |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
| STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
| REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 8 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| REG | Reference to a national code |
Ref country code: HU Ref legal event code: AG4A Ref document number: E037885 Country of ref document: HU |
|
| 26N | No opposition filed |
Effective date: 20180802 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| REG | Reference to a national code |
Ref country code: DE Ref legal event code: R119 Ref document number: 602011042929 Country of ref document: DE |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
| GBPC | Gb: european patent ceased through non-payment of renewal fee |
Effective date: 20180915 |
|
| REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20180930 |
|
| REG | Reference to a national code |
Ref country code: IE Ref legal event code: MM4A |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20180915 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20180915 Ref country code: DE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20190402 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20180930 Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20180930 Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20180930 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20180915 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| REG | Reference to a national code |
Ref country code: ES Ref legal event code: PC2A Owner name: SIEMENS MOBILITY SAS Effective date: 20200507 |
|
| REG | Reference to a national code |
Ref country code: HU Ref legal event code: FH1C Free format text: FORMER REPRESENTATIVE(S): SBGK SZABADALMI UEGYVIVOEI IRODA, HU Representative=s name: SBGK SZABADALMI UEGYVIVOEI IRODA, HU Ref country code: HU Ref legal event code: GB9C Owner name: SIEMENS MOBILITY SAS, FR Free format text: FORMER OWNER(S): SIEMENS S.A.S., FR |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| REG | Reference to a national code |
Ref country code: FI Ref legal event code: PCE Owner name: SIEMENS MOBILITY SAS |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MK Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20171101 |
|
| PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20171101 |
|
| PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FI Payment date: 20230920 Year of fee payment: 13 |
|
| PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20230918 Year of fee payment: 13 |
|
| PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: ES Payment date: 20231218 Year of fee payment: 13 |
|
| PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: HU Payment date: 20231122 Year of fee payment: 13 |