EP2643198A1

EP2643198A1 - Method for securing a control system of a reconfigurable multi-unit vehicle, and secured control system

Info

Publication number: EP2643198A1
Application number: EP11757325.3A
Authority: EP
Inventors: Eric Chenu
Original assignee: Siemens SAS
Current assignee: Siemens SAS
Priority date: 2010-11-23
Filing date: 2011-09-15
Publication date: 2013-10-02
Anticipated expiration: 2031-09-15
Also published as: CA2818605A1; ES2658184T3; KR20130140743A; CN103313902A; US8755957B2; HUE037885T2; BR112013012848B1; WO2012069223A1; EP2643198B1; US20130245865A1; BR112013012848A2

Abstract

The invention relates to a method for securing a control system of a multi-unit vehicle, and to a secured control system of said multi-unit vehicle, said control system being characterised in that it comprises: a device for determining a composition of the multi-unit vehicle, that can autonomously determine the composition of the multi-unit vehicle and generate composition data that can be correlated with the composition of the multi-unit vehicle; at least one calculator for at least one unit (1, 2, 3) of the multi-unit vehicle, each calculator (5) being connectable, by means of at least one connection and via a network, to an inlet/outlet set of inlet/outlet modules (91) for at least one unit, and to said device for determining the composition of the multi-unit vehicle, in order to exchange operating data of the unit (1, 2, 3) and/or the multi-unit vehicle with each inlet/outlet module (91), and in order to acquire data relating to the composition of the multi-unit vehicle from said determination device; and at least one module (6) for dynamically securing said exclusive connection of each calculator to the inlet/outlet set, provided for at least one calculator (5), said securing module (6) being able to determine, from said composition data, the validity of said inlet/outlet set, and to control, cyclically or sufficiently frequently, a coherence between each connection of each calculator (5) to said inlet/outlet set.

Description

Method for securing a control system of a reconfigurable multi-unit vehicle and secure steering system.

The present invention relates to a method of securing a steering system of a multi-unit vehicle and a sys tem ^¬ safety control of said multi-unit vehicle, according to the preambles of claims 1 and 7.

In particular, the present invention relates to the field of multi-unit reconfigurable vehicles, ie able to be composed of several units and whose configuration or composition of said units of said multi-unit vehicle is variable, or in other words likely to be modified or re ^¬ configured. Preferably, the present invention relates to multi-unit vehicles whose operation of a control system, in particular automatic, is correlated to the composition of the multi-unit vehicle.

Said multi-unit vehicle belongs especially to do ^¬ maine rail. This is for example a train can be formed of several units, e.g. several motorcyc ^¬ res and / or locomotives coupled or coupled to each other and successively forming a first train of said train. The composition of said train, and therefore of said first train, can then vary, e.g. by scindage or coupling said first string to form a second train compo ^¬ EDC to at least part of the units of said first train, which can be hitched to other units. Thus, the composition of a multi-unit vehicle can vary according to a change of a disposition or a distribution of said units forming said multi-unit vehicle, as well as by addition, and / or respectively withdrawal, of at least one audit unit, and / or respectively said multi-unit vehicle. In order to guarantee security of such multi-unit vehicles consisting of several units arranged in an order of for ^¬ mation, it is particularly necessary that composition data from said multi-unit vehicle, eg the number of units the component, the characteristics of said units, the relations between these units, their coupling or coupling to one or two other units, are known pilo ^{¬ stage} system for driving said multi-unit vehicle. This control system generally comprises a computer connected to the I / O modules for a particular acqui ^¬ sition and a transmission operation of data ^¬ rela tive to the steering of multi-unit vehicle. The computer is thus capable pilot, via inputs / outputs of modules, ^¬ the said multi-unit vehicle, in particular according to an automated that mode, or according to a manual mode wherein the control system, and thus the computer, is able to be controlled by a driver or control center. Indeed, the operating data is in particular exchanged, via the input / output modules, between said computer and devices included in at least a part of the units com ^¬ posing said multi-unit vehicle to ensure its func ^¬ tioning. Said exchange of operating data can for example be implemented by means of a bidi ^¬ rectional connection between the computer and said devices via said input / output modules. The calculator and mo ^¬ dules / O are thus designed to enable and ensure the control of the multi-unit vehicle, or otherwise work correctly (move, stop, door openings, ...), based on the composition data of said multi-unit vehicle and on operating data ^¬ relating to control exchangeable with said disposi ^¬ tifs of at least a portion of said units. During a change ^¬ tion of the configuration of said multi-unit vehicle (scintillation, coupling with other units), said composition data must be updated so that the control system, in particular its computer, is informed of said configuration change and is able to correlate the change composition of said multi-unit vehicle with a change of operating data relating pilo ^¬ tage. In fact, if the computer is not informed of a change in the composition of the multi-unit vehicle, it may misinterpret the operating data of the units which have been uncoupled from the multi-unit vehicle. (and which therefore can no longer transmit operating data relating to the piloting) as a risk in se ^¬ curity for said multi-unit vehicle, which may result in an activation of a procedure for securing the multi-unit vehicle , such as a braking ur ^¬ gence.

The driving system of the multi-unit vehicle must in particular be characterized by a high degree of functional safety in order to prevent any event that may affect said multi-unit vehicle or passengers or goods transported by said multi-unit vehicle. The safety of such control systems can be characterized by means of safety standards. In particular, IEC 61508 SIL challenge ^¬ nes (Security Integrity Level), that is to say the level of safety integrity that should have a system to ensure adequate protection against the risks that may arise during operation of said system. The higher the SIL has a high value, the higher the risk reduction is impor ^¬ aunt. For example, a SIL4 security system provides a risk reduction of between 10 ⁸ to 10 ⁹ in the continuous mode of operation, whereas for an SIL1 system, this reduction is between 10 ⁵ to 10 ⁶ only.

In order to guarantee the safe operation of the multi-guided vehicle, it must be ensured that the control system computer knows exactly the composition and configuration of said multi-unit vehicle (for example, which units make up a train and according to what order of formation are they ordered, or in other words, in what order they are coupled or coupled) so that it can exchange with the units of multi-unit vehicle all the operating data necessary for piloting said vehi ^¬ multi-unit cule.

Moreover, in the case of a change in the composition of a multi-unit vehicle, for example, when a train is divided into several parts, the control system computer must be promptly informed of said composition change by example in order to allow oneself to no longer take into account operating data of units that have been detached from the train during its splitting, and so as not to fall into a state of safety resulting in a warning of a center for monitoring a vehicle network multi-unit or even activation of a secu rity ^¬ formatting process, as an emergency braking of said multi-unit vehicle.

Unfortunately, steering systems, whether in or ^¬ tomatiques manuals and safety (SIL 4), known to the art are essentially based on calculated ^¬ tors "closed" for which the perimeter / O is not reconfigurable, ie the computer is connected to a fixed set of I / O modules of in ^¬ Trees / outputs, these I / O fixedly connecting the computer devices to certain functional units managed by said computer, and thus not being reconfigu ^¬ rable when changing the configuration of the vehicle mul ^¬ ti-unit. By functional device, reference is made to any device interacting with the control system so as to enable said multi-unit vehicle to be piloted. This is for example of braking, opening doors, or devices for monitoring the moving ^¬ said multi-unit vehicle, etc. Therefore, the management of a multi-unit vehicle generally implements several computers each managing a part of the multi-unit vehicle, each computer being connected to subscribers. trés / Outputs connecting them in a fixed manner to certain functional dis ^¬ positive or the unit it manages. Although the composition of the multi-unit vehicle is well known by overlapping information from each computer, the design of the steering system has the désavan ^¬ duty floor manage functions spread over the dif ^¬ ent calculators, including requiring algorithms synchronization of said computers, whose complexity aug ^¬ mente with the number of units constituting the multi-unit vehicle.

Currently, the composition or constitution of a multi-unit vehicle is thus generally deduced from cross-checks of several application information exchanged between the different computers of said vehicle. This information app ^¬ cant is information from other devices of the multi-unit vehicle not having all task for pre ^¬ Mière determining the composition of said multi-guided vehicle. This is, for example, the location data of the head and the tail of the multi-unit vehicle transmitted to the computer by on-board or ground locating devices, or the state of the equipment of the units, or multi-unit vehicles transmitted to the calculated ^¬ tor by an autopilot ground not embedded in said multi-unit vehicle. The overlapping of this information ap ^¬ plicative has the disadvantage of being complicated and slow, and di ^¬ minue and driving performance of said vehicle mul ^¬ ti-unit. Indeed, the complexity of the exchange of application information between the computers introduces a loss of performance of the control system, as well as a greater complexity of implementation of said control system, and consequently, a greater difficulty to demonstrate. ^¬ hand and hold the safety of such control system. In addition, these application ^in¬¬ formations may be different from one project to another which affects the genericity of the algorithms. An object of the present invention is to propose a method of securing a system for driving a reconfigurable multi-unit vehicle and a secure control system that are simple, safe, reliable and efficient, capable of automatic updating and autonomous of a composition of the multi-unit vehicle, while having a security SIL4 ^¬ tion. Indeed, the present invention aims to automatically determine and update the composition of the multi-unit vehicle, independently of application information, in order to safely guarantee the multi-unit vehicle control system.

For this purpose, a method of securing a system of pi ^¬ lotage, a safety controller and a device for assisting in determining the composition of a multi-unit vehicle are proposed by the content of Claims 1, 7 and 12. A set of subclaims Ega present ^¬ LEMENT advantages of the invention. The present invention provides a steering system of a security method for fitting and control a vee ^¬ vehicle reconfigurable multi-unit comprising in particular at least two attelables units one after the other, said method being characterized in that it comprises: - an autonomous determination, and preferably cyclic and automatic, of a composition of the multi-unit vehicle by a device for determining the composition of said multi-unit vehicle correlated to a generation, preferably ^¬ by said determination device, a composition data of said multi-unit vehicle;

- a transmission cyclically and preferably automatic, of said given composition to a set of steering system components, at least one element of said ele ments ^¬ said set of elements being a computer of said control system; a determination, preferably cyclic and automatic, by said computer and by means of said com ^¬ position data, of a set of inputs / outputs of at least one input / output module intended to equip the vehicle - ti-unit, said module I / O equipping e.g. a unit of said multi-unit vehicle and allowing communication and data exchange between the calcu ^¬ freezer and functional devices of said unit, in particular to control and to ensure their correct operation;

- a connection of each element of said set of elements, and therefore said calculator, said set of trees ^¬ In / Out, especially each element of said ensem ^¬ ble elements is connectable to each input / output of said set 'Entries exits.

The present invention also provides a secure, and preferably automatic, pilo ^¬ system for a reconfigurable multi-unit vehicle, comprising for example at least two towable units one after the other, ca ^¬ characterized in that said system comprises:

- a device for determining a composition of the multi-unit vehicle, capable of determining autonomous manner the composition of the multi-unit vehicle and ^¬ gen erate a given composition correlatable to said compo sition ^¬ said multi-unit vehicle said determination being in particular autonomous in that it is independent of any application information;

- at least one computer comprising at least a security module, said computer being designed to equip at least one unit of the multi-unit vehicle, each calculated ^¬ tor being connectable by means of at least one connection and via a network, of a part to a set of En- I / O module outputs / outputs intended to equip one or more units, and secondly to said device for determining the composition of the multi-unit vehicle, in order to exchange via each input / output module data unit operation and / or multi-unit vehicle, and to acquire said determining device, a composition of the ^¬ given said multi-unit vehicle, said network being in particular intended to permit communication between each identity generating device and each computer, between each computer and each input / output module, and between each computer between them;

- said dynamic security module of said connecting each computer with said set of In- puts / outputs, said security module being intended to equip at least one computer, and being capable of de ^¬ conclusion, from said data composition, said set of inputs / outputs may be connected to each computer, to connect each computer au said set of inputs and outputs, including in each tree ^¬ / output of said set of inputs / outputs, and control cyclically or sufficiently frequently (e.g., at least one time interval by control in ^¬ férieur or equal to 100 milliseconds), a consistency between each connection calculator each said set of inputs / outputs, in particular a consistency between each connection each computer with each of said trees in ^¬ / outputs of said set of inputs / outputs and said given composition. In particular, each computer may include a security module according to the invention.

In other words, the method according to the invention is a mé ^¬ securing method, preferably automatically and particularly SIL4 securing, of a steering system of a multi-unit vehicle able to determine at any ^¬ ins as and reliably, the composition of the multi-unit vehicle, and to ensure, at all times, a coherence between the composition of the multi-unit vehicle and data func ^¬ steering system tioning of the multi-unit vehicle, the combination of at least one computer with said set of inputs / outputs correlated to said composition vee ^¬ vehicle multi-unit. Advantageously, the method according to the invention is characterized in particular by a cyclic check, in particular of random or fixed frequency, but in all cases a sufficiently frequent check (for example, at least one verification per time interval less than or equal to 100 milliseconds), particularly by means of the security module, a coherence between the connection of each element of said set of elements with said set of inputs / outputs and said composition data.

In particular, the present invention is characterized in that said set of elements comprises or is a group of computers that can be distributed in each unit of said multi-unit vehicle. In other words, the steering system according to the invention preferably comprises said group of computers that can be composed of several identical cal ^¬ culateurs, each computer may in particular be distributed in a unit of the multi-unit vehicle, so that each unit is likely to be equipped by at least one computer. Advantageously, the sécurisa- tion module according to the invention is in particular able to assign exclusively to connection to said set of trees In ^¬ / outputs, including at each entrance / exit of said ensem ^¬ ble / O, to a single computer of said group of computers, the other computers of said group of computers being excluded from said connection or in other words, prohibited access to said set of Inputs / Outputs. To this end, the method according to the invention may include a securing mechanism and prioritization of connecting at least one computer of said calculators tors group with said set of I / O capable of attri ^¬ exclusively to said computer said connection to said set of Inputs / Outputs. The elected computer, ie having the exclusive access to the set of inputs / outputs is called the master computer. Advantageously, at least one other computer of said group calculator is in particular associable to the master computer as cal ^¬ culateur said redundant master computer. The control system according to the invention is particularly capable not only ^¬ to select a master computer from the calculator group but also to appoint a redundant computer of said computer group. The redundant computer is able to perform the same operations as the master computer, to acquire the same composition and operating data as the master computer for the purposes of verifying and securing the control system. In the event of failure of the master computer, the redundant computer is able to replace said master computer and to name a new redundant computer. Preferably, said security and prioritization mechanism comprises a generation of an encoded association token able to lock said connection of at least one computer of said group of computers with said set of Inputs / Outputs, and a generation of a key déverrouil- spinning adapted to unlock said connection of at least one of said computers cal ^¬ culateur group with said set of inputs / outputs. To this end, at least one control system of the computer may in particular be equipped with a mo dule ^¬ securing ca- pable comprising a locking module for locking each computer connection with each of the Inputs / Outputs of said set of Inputs / Outputs. This locking module comprises in particular a combination ^¬ genera tor encoded token capable of generating, in particular cyclically, first said encoded combination token to lock each connection of said computer with each of the inputs / outputs of said set 'Inputs / Outputs, and secondly said unlocking key able to unlock ^¬ ler at least one connection of said computer with at least one of the inputs / outputs of said set of inputs / outputs.

In addition, the method according to the invention is characterized in that said autonomous determination comprises a successive and ordered addition to a list, according to a composition order of said multi-unit vehicle, of at least one piece of identity data of each unit. said multi-unit vehicle fa ^¬ con that a sequence of the identity data comprised in said list is correlated to the order of com ^¬ units digit of said multi-unit vehicle, each identity data being specific to a single unit of the multi-unit vehicle, and said list being able to be encapsulated in said composition datum. In particular, the identity data includes at least a time data, a iden tifying ^¬ unit, constant coding and at least one identifier of an appliance of said unit.

Preferably, the steering system according to the in vention ^¬ is especially characterized in that its device for determining a composition of the multi-unit vehicle comprises at least an ID generation device, each generating device identity détermi ^¬ nation device being designed to equip a unit of the vehicle multi-unit, so that each unit can be equipped with a single identity Generator device, each identity generation device being capable of generating the identity of the unit it is intended to equip. Equal- Accordingly, the method according to the invention is thus characterized in particular by equipping each unit of said multi-unit vehicle with said identical identity generating device capable of generating said identity data for determining the composition. said vehicle ^¬ mul ti-unit, so that each unit of the multi-unit vehicle may comprise a device genera ^¬ identical identity, each identity Generator device being connectable or couplable to at least one other identification generating device, so as to form a chain of identity generation devices equipping cha ^¬ cun a unit of said multi-unit vehicle and coupled one after the other. In particular, said identity generation device, which is on the one hand intended to allow the determination of a composition of the multi-unit vehicle comprising at least one unit, and secondly capable of equipping said control system. of said multi-unit vehicle, is characterized in that it comprises:

- an identity data generator able to gen erate ^¬ said identity data of the unit that the Identity Generator device is intended to equip, the said identity data being intended to allow an identification of said unit;

- a connection detector adapted to detect a presence or absence of said coupling Identity Generator device with at least one other available ^¬ ID generation operative part;

a list generator capable of creating a list of elements intended to include elements able to be ordered and added successively;

a serialization component capable of adding another element to said list, either following a last element of a list of controllable elements successively intended to be received by the ^¬ said identity generating device, either as the first element of the list of elements that can be created by the list generator, said other element comprising said identity data;

- a list of transmitter capable of transmitting ^¬ said list of elements comprising the other element or to another identification generating device, or at least one computer, comprising said particular security module of the control system of the multi vehicle -unity, after encapsulation of the ^¬ said list in a given composition of said vee ^¬ vehicle multi-unit.

Preferably, said determination of the composition of the multi-unit vehicle is carried out by means of said identity generating device according to the following steps:

- generation by each Identity Generator device of each unit of the multi-unit vehicle of said identity data to enable an identification of the unit as said team generating device, said generating being above ^¬ ceptible to be carried out by said identity data generator;

detecting, by said connection detector, for each identity generating device, a presence or absence of coupling of said identity generating device with at least one other identity generating device;

in case of detection for at least one device for generating identity of said multi-unit vehicle of said coupling presence with a single other identity generating dis ^¬ positive capable of it to be coupled, said method according to the invention com ^¬ takes the following substeps:

at. creation, by said list generator of the Identity Generator device characterized by said presence of coupling with one ^¬ be Identity Generator device of a list of elements intended to include ele ments ^¬ orderable successively , said list including a first member, said first ele ^¬ comprising said identity data of the unit to be fitted by said dispo ^¬ ID generation operative part characterized by said presence of coupling with one another generating device identity, said pre ^¬ Mier element being the first element of the list created by the list generator, said generating being followed by a transmission of said list by the identity generator device charac terized by said ^¬ presence of coupling with an only another identity generating device to said other identity generation device; b. for each identity generation device for which said detection is capable of detecting said presence of coupling with two other identity generation devices, reception of said transmittable list by one of the two other iden generating devices ^¬ tite, an addition to said list of another element following the last element of said list and a transmission of said list to the other of the two other identity generation devices, said other element comprising the data identi ^¬ silent of the unit to be equipped by the ^¬ said identity Generator device for ^¬ which said detection is capable of detecting said presence of coupling with said two to ^¬ very identity generating devices; vs. and for each receiving said list by an Identity Generator device for which said detection is capable of detecting the presence of said ^¬ coupling with a single other identity generation device, said re ^¬ reception is followed of said addition to said list of a final element after the last element of said list, and an encapsulation of the ^¬ said list in said given composition; upon detection, for genera device ^¬ identity, said absence of coupling with another Identity Generator device, said method according to the invention comprises a design, by the list generator genera said device Identity ^¬ characterized by said absence of coupling with another identity generating device, a list of elements for com ^{¬ to} take successively ordered elements, ^¬ said list comprising a first element, said pre ^¬ first element comprising said identity data of the unit intended to be equipped by said identity generating device characterized by said ab ^¬ sence of coupling with another device for gené ^¬ ration of identity, said first element being the first element of the list created by the list generator, said creation being followed by a encap ^¬ sulation of said list in said data of co m ^¬ position.

Thus, the determination of the composition of the multi-unit vehicle can be achieved by means of a device internal to the system. Steering tem, ie by means of or devices ^¬ gen eration identity determination device of com ^¬ position of the multi-unit vehicle, independently of other external devices to the control system that would acquire des- Tines said application information. Each identity generation device equipping each uni ^¬ t of the multi-unit vehicle is thus connectable to one or two identical identity generation devices so as to form a chain of identity generation devices capable of being transmitted successively. said list. In particular, each identity generation device com ^¬ takes at least two connectors, respectively a first and a second connector, each intended for coupling said identity generating device ^¬ with the other identity generation device, ie one of its neighbors in said chain of identity generation devices.

Said list can be created by the list generator of one of the two, see two, ID generation devices located at the end of said chain when the vehicle ^¬ mul ti-unit comprises more than two units. The die device ^¬ termination of said composition thus comprises as many Identity Generator device of the multi-unit vehicle comprises units. Each generation identity tion devices is capable of generating the identity data of the unit it is fitted and to transmit to the one or respecti vely ^¬ any of its neighbors, said list after the latter transmitted to him by the other, respectively one of his neighbors. Only the identity generation devices located at the chain end and having a single voi ^¬ sin, ie identity generating devices for ^¬ which is detected the presence of coupling with one another Identity Generator device, are allowed to generate the list and / or to encapsulate a list received from their unique neighbor in said identity data, so that said list is transmitted, the end of the chain, at least one module sé ^¬ curisation of at least one computer of the control system by means of said given composition.

Advantageously, said list generator is in particular able to cyclically create said list. Preferably, said list generator is capable of creating said list when said connection detector detects said coupling presence of said identity generating device with only one other identity generating device or with no other generation device. identity. Thus, the creation of said list by the list generator of at least one of the identity generation devices located at the end of the chain, allows a control and a continual update of the composition of the multi-unit vehicle when the latter is composed of at least two units, since the list may be continuously transmitted to the calculated ^¬ tor via said given composition when said list has passed through the whole chain of iden- tity generating devices. Also, creating said list by the genera tor ^¬ list of identity generation device coupled with any other Identity Generator device allows said control and continual updating of the composi ^¬ multi-unit vehicle when the latter is composed of a single unit. In addition, said data generator iden ^¬ titaires is in particular capable of generating a bias data capable of allowing the transmission of said list of members by means of one of the two connectors ^¬ said Identity Generator device , such that said list traverses said chain of identity generation devices according to a priority sense definable by said po ^¬ larization. According to the present invention, each unit comprising said steering system is capable of being autonomous, ie it is able to move, to manage its movement and its operation independently of any other steering system external to said unit. In addition, the control system that can be associated with an autonomous unit is able to control and manage the movement of other units that can be coupled or coupled to it, that these other units comprise at least one other autonomous unit and / or at least one other unit. non-autonomous unit. A non-autonomous unit, as opposed to said autonomous unit, is a unit which comprises only a part of the control system, in particular at least one identity generating device, each of these devices being connectable to the network of said unit, it being even connectable to the network of other units that are likely to be coupled or hitched to form the network of the multi-unit vehicle. Thus, in the rest of the document, an ^¬ ton unit will be able to embark said control system according to the invention, and a non-autonomous unit will refer to a unit that does not have the entirety of said em ^¬ barking control system. .

A multi-unit vehicle is then likely to be formed of at least one autonomous unit that can be coupled, or not, to one or more autonomous or non-autonomous units. In any case, a computer of one of the autonomous units will be in particular responsible for the management of the control and operation of the multi-unit vehicle. Preferably, the master calcu ^¬ tor of one of the autonomous units is intended to control the multi-unit vehicle. An automatic designation of the master computer for controlling said multi-unit vehicle is feasible as a function, for example, of the formation order of the multi-unit vehicle deductible from said composition datum that can be acquired by each calculator of each unit. . The security module of the control system is on the one hand able to connect each computer to said set of inputs / outputs to allow an exchange operating data between each computer and the functional devices of the units of the multi-unit vehicle, but also, and secondly, to prioritize the connection of said automatically designated master computer to said set of inputs / outputs and to associate a calculator redundant. By priority, it is in particular referred to the attributed exclusive ^¬ tion of the connection with said set of trees In ^¬ / output to a computer, preferably a single cal ^¬ culateur, for example said master computer, or the - says master calculator with redundant sound. The set of trees In ^¬ / O modules I / O of the pi system ^¬ secure lotage connects each computer vee ^¬ vehicle multi-functional unit devices of said vehi ^¬ cule multi-unit via the network multi-unit vehicle, said network being common to all calculators of the vehicle mul ^¬ ti-unit. Thus, the data of compositions and function ^¬ events can be easily and quickly centralized to the same computer, ie said master computer, via said network, to be processed, which has the advantage of guaranteeing a processing speed.

Thus, for a multi-unit vehicle comprising several uni ^¬ tés autonomous, the control system according to the invention is able to choose at least one computer from all the computers distributed on the network of said vehicle so that it acts as master computer to be directly associated, by connection to said set of trees in ^¬ / outputs, the inputs / outputs of said modules to drive the vehicle, for example automatically. When the computer acting as a master computer driver said vehicle, the other computers of said vehicle ^¬ wind in particular be in a standby state, so that only the computer chosen as master computer by the security module controls the steering of said vehicle. Examples of embodiments and applications provided with the aid of the following figures will help to better understand this invention. FIG. 1 embodiment according to the invention

secure steering system.

FIG. 2 exemplary embodiment according to the invention of an identity generation device.

FIG. 3 example of a mechanism for securing a security and prioritization mo ^¬ module according to the invention. Figure 4 embodiment according to the invention of an automatic coupling / splitting of units of a multi-unit vehicle.

For example, Figure 1 shows a safety controller adapted for controlling a multi-unit vehicle re ^¬ configurable comprising three units 1, 2, 3. The control system comprises at least one device for generating identity 4, each identity generation device 4 is designed to equip a unit 1, 2, 3. Thus, each uni ^¬ tee 1, 2, 3 is adapted to include said device genera ^¬ ID 4. Each identity generation device 4 is connectable to its neighbors in order to form a chain of identity generation devices. Said chain of identity generation devices connectable one after the other form said device for determining a com ^¬ position of the multi-unit vehicle according to the invention. Said secure control system further comprises at least one computer 5 intended to equip each autonomous unit 1, 2 of the multi-unit vehicle, at least one input / output module 91, and at least one of said computers 5 of the pilosebaceous system ^¬ secure floor comprising at least one security module 6, optionally included in the computer 5. In particu ^¬ bind several computers 5 are distributed in several independent units 1, 2, and several modules / O 91 are distributed in several units, whether or not the ^¬ tonomes autonomous. A network 8 of the multi-unit vehicle is used to connect the computers 5, the secu ^¬ authorization modules 6, the device for determining the composition of the multi-unit vehicle, modules I / O 91, and the functional devices 7 from each unit to each other so that they can communicate and exchange information, such as composition data and operating data, with each other. In particular, the I / O modules 91 of the control system allow the connection, via the network 8, of the calcu ^¬ latters to a set of inputs / outputs, each input / output being able to connect at least one functional device 7 to at least one computer 5. Each computer 5 is in particular dynamically reconfigurable on the basis of the composition data supplied by the device for determining the composition of the multi-unit vehicle, in order to maintain in real time a connection with said I / O coher ^¬ annuity with the composition of said multi-unit vehicle.

2 shows an embodiment of a provi ^¬ ID generation tif 4 according to the invention. Each identity generation device 4 is connectable, in particular by means of a bidirectional differential connection at low speed serial to at least one other genera device ^¬ identity 4a, 4b identical, especially two ^¬ identical identity generation devices 4a, 4b as shown in FIG. 2. Each identity generating device 4, 4a, 4b comprises an identical data generator 41, a connection detector 42, a signal generator list 43, a serialization component 44, a list transmitter 45, and at least two connectors, respectively a first connector 46a and a second connector 46b, for the acquisition and transmission of the list. A third connector 47 may in particular connect the identity generating device to the network of the unit or the multi-unit vehicle.

In addition, the connection detector of the identity generation device is particularly characterized in that it is able to guarantee in safety that a list has an input on the first connector 46a or the se ^¬ cond connector respectively. 46b and intended to be acquired by said identity generating dis ^¬ positive, can not be found by crosstalk or any other coupling on the second 46b or respec ^¬ tively the first connector 46a. To this end, the connection detector, connectable to said connectors 46b, 46a, may in particular comprise at least one electrically isolated differential buffer, in particular a first buffer 422 connectable to the first connector and a second buffer connectable to the second connector, as well as receivers opto-couplers, in particular a first optocoupler receiver connectable to the first connector and a second opto-coupler receiver 421 connectable to the second connector. Optionally, protection components against disturbances and surten¬ ^¬ tions can be added to said detection device, as well as filters to ensure safe isola ^¬ tion between the first and second connector 46a, 46b. Preferably, said serialization component 44 may comprise two separate digital components 441, 442, for example FPGAs, capable of performing functions sé ^¬ Serialization and de-serialization of an item in said list, and the add function another element after the last element of that list, in particular in order to safe firing a list can not cross the dispo ^¬ ID generation operative part of the connector 46a to the connector 46b, or vice versa, without having been enriched with the identity data of said identification generating device.

Furthermore, the identity data generator 41 is partly ^¬ ticular, to generate a polarization information, said bias information to, optionally to propagate the list comprising said identity data only to one and only one of said first or second 46a connectors or 46b. Finally, said identity data can advantageously comprise various information allows ^¬ as an identification of the unit which it is fitted, such as a device number or a unit number of the uni ^¬ ty it equips. The list of transmitter 45 is able to act as an interface between the network, eg an IP Ethernet network, the multi-unit vehicle and the gen ^¬ eration identity device. To this end, it may possibly under- stand a digital component such as a logic circuit ^¬ grammable FPGA.

In the case of a multi-unit vehicle comprising n units, numbered successively according to the order of formation of said multi-unit vehicle from 1 to n, the index 1 characterizing the unit positioned at one end of the multi-unit vehicle and the index n the unit positioned at the other end, an example of list likely to be created by successive addition of the identity data characterizing each unit of said multi-unit vehicle is given by:

List = Η1 · τ ^{2η + 1} + τ ^2η - I di + τ ^2η_1 -Id ₂ + ... + _τ ^{2 (η} - ^{1 + 1)} -idi + ... + τ ² -Id _n with Idi = pol _± + Data _± A for i = 1, ..., n and or

There is a temporal data characterizing the creation of the list;

τ is a coding constant of sufficiently large value, expressed on, for example, 48 bits of information, in order to guarantee the security objective SIL4 such that the sequence of τ ¹ presents a pseudo-random distribution;

I di is the identity data of the unit i of the multi-unit vehicle;

polishes a data characterizing the polarity of the unit the polarity simply indicating whether the unit i is hitched forward or backward to the unit i-1;

Data _± is a data characterizing at least one equipment of the unit i or an identification number of the unit

The control system according to the invention is thus able to ensure that at least one computer, preferably the master computer is associated consistently seems to ^¬ functional devices of the multi-unit vehicle to ensure driving said multi-unit vehicle. The device for determining the composition of the multi-unit vehicle to discover said composition propa gation ^¬ said list from one unit to another unit compo ^¬ sant said multi-unit vehicle. On the basis of the composition datum able to encapsulate said list, the security module associates, preferably exclusively, a connection to a set of distributed I / O on the network of said multi-unit vehicle with a computer. in particular with a master computer, said inputs / outputs being intended to connect said calculator to the functional devices of the units that make up said multi-unit vehicle. Preferably, each cal ^¬ culateur is coupled to a security module according to the invention, and each security module according to the invention is adapted, in dependence on said data to composition ^¬ trate into an idle mode or in a active mode, so that a single securing module is active for the multi-unit vehicle. In particular, at least one condition pre ^¬ definable in each of said secure modules per- makes each of security modules to determine its own operating mode, ie either said active mode or said inactive mode. Said predefinable condition can for example be correlated to a position within the multi-unit vehicle of the unit equipped with a computer comprising said security module.

FIG. 3 shows an exemplary mechanism for securing the association of at least one computer of a control system according to the invention with a set of inputs / outputs of input / output modules intended to equip the vehicle. multi-unit. Once the vehi composition data ^¬ multi-unit cule was created, the method according to the invention is characterized in that a security module is choi ^¬ if, for example as a function of said given composition, to to secure the connection of a computer or a computer group, for example a master computer and its redundant computer, with a set of inputs / outputs of input / output modules. To this end, the secu ^¬ authorization module comprises in particular an encoded association token generator capable of generating an encoded association token comprising in particular a unique identification code of the computer or computers group allowed to be connected to inputs / outputs of said modules ^¬ Trees In / Out. In particular, the locking module of the security module is capable of transmitting said token to all inputs / outputs of modules whose I / O must be connected to said computer or group of calcu ^¬ freezer in order to be consistent with said data composi ^¬ multi-unit vehicle, and to allow

control, by the computer or the computer group, of the functional devices of the multi-unit vehicle. Said Don ^¬ born composition allows particularly security module to determine which I / O modules to which Inputs / Outputs must be controlled by the computer or computer group to operate the multi-unit vehicle, therefore determine which trees in ^¬ / O must be connected to said computer or computer group. Each I / O module receiving said asso ciation ^¬ encoded token is in particular able, during a response phase, periodically transmitting or sufficiently frequently a confirmation message capable of confirming the connection of said computer with I / O said module In- puts / outputs, and to transmit said message confirmed ^¬ said computer, in particular to said security module of said computer of the safety controller. Said confirmation message may for example be transmitted periodically to pe ^¬ a transmission period whose value temporal links, ie its length, may be predefined. Advantageously, the response phase may be preceded by a phase of ini ^¬ tialisation 1 allowing generation and initialization of the confirmation message. The duration of this phase initiali sation ^¬ is in particular greater than the duration of said pe- transmission period to ensure that the safe securing mechanism has time to detect that a calculated ^¬ tor or a group of computers previously connected to an input / output of an input / output module a or have per ^¬ said connection with said input / output before another calculator or another group of calculator has had the time to connect to said Input / Output. This duration of the initialization phase greater than the transmission period may be for example guaranteed by a pseudo random generator ^¬ toire to operate continuously during said initialization phase of the confirmation message.

Thus, at the end of the initialization phase 1, a confirmation message initialized 2 is generated by the module ^¬ Trees In / Out. Upon receipt of a coded association token transmitted by the security module of the control system, the input / output module is able to associate, during an association phase 4, said token of coded association to said initialized confirmation message. At the end of this phase of association, said 5 confirmation message is ready to be sent periodically to secu ^¬ authorization module. Advantageously, this confirmation message, following said step of association, comprises firstly said donation ^¬ born identification of the computer or computer group, but also on the other hand, identification of In- puts / Outputs input / output module connected to said computer or group of computers, and a tempo ^¬ real data to verify a freshness of the confirmation message ^¬ tion. The confirmation message is then sent, in particular ^¬ cyclically during the response phase 6, at least au said security module that issued the coded token combination. The locking module said security module is in particular able to decode the message confirmed ^¬ order to control the inputs / outputs of said module I / O are connected to said computer or said computer group, and not of other calculators.

Advantageously, as long as an I / O module is connected to a computer or computer group via its inputs / outputs, said I / O module generates, in particular cyclically, said transmission period confirmation message and no other calculator can be connected to it. In order to release the module I / O of its connection with a computer or computer group, the Association token generating said verrouil- spinning module is capable of generating a desti unlocking key ^¬ born to be transmitted by the locking module to ensem ^¬ ble modules I / O whose connections with the computer or the computer group are to be cut. Upon receipt of such an unlocking key 7, the I / O module is particularly adapted to disassociate the coded association token from the initial confirmation message in order to restore said initialized confirmation message 2. In case 9, for example in case of loss of connection or communication with the security module or the computer, the I / O module is able to reset by returning to the initialization phase of the confirmation message in order to allow, for example, a combination of encoded token from another computer is capable of being associated with said initiali confirmation message ^¬ sé.

The response phase 6 for sending, in particular cyclically, in the security module confirmation via said confirmation message that the inputs / outputs of said module I / O are connected and controlled by the calcu ^¬ freezer, for example the master computer, or by a group of computers, for example the master computer and its redundant. Said security module is thus able to bind particu ^¬ continuously check consistency of the computer connection with each module I / O for which it has received said confirmation message and said given composition, thereby ensuring the safe connecting a calculator to said set of Inputs / Outputs. Figure 4 discloses an automatic coupling a first vehi ^¬ cule multi-unit 1 with a second multi-unit vehicle 2 com- each taking a safety control system according to the inven ^¬ to form a new vehicle multi- unit. Prior to coupling, the two multi-unit vehicle, such as a first train with three cars and a second train with two cars each include a distributed safety control of their own, said secure control sys ^¬ tems of each multi-unit vehicles being independent of one another. The first vehi ^¬ cule multi-unit 1 comprises in particular three units, and the second multi-unit vehicle 2 comprises in turn two units.

The control system of the first multi-unit vehicle 1 com ^¬ takes in particular at least three computers 51, 52, 53 and at least three I / O modules 91, 92, 93, linked by a first network 81, for example Ethernet, PLC, Wi-Fi. Similarly, the second multi-unit vehicle 2 comprises in particular at least two computers 54, 55, and at least two I / O modules 94, 95, connected by a second network 82. For each of the two multi-unit vehicles, at least one computer and at least one module I / O of the safety controller are designed to equip a unit, so that each unit comprises at least one calcu ^¬ freezer and at least one I / O module. So, in this example, each unit is an autonomous unit. However, the first and second multi-unit vehicle could equally comprise one or more non-autonomous units, each non-autonomous unit comprising for example at least one module / O device and a gen ^¬ eration identity . One of the computers 51, 52, 53 of the first multi-unit vehicle 1 is chosen to be the master computer of the first multi-unit vehicle 1, for example the computer 51 capable of being positioned at one end of said first multi-unit vehicle 1, and possibly another of the computers 51, 52, 53 of the first multi-unit vehicle 1 is chosen to be its redundant, for example the computer 53 positionable at the other end of the first multi-unit vehicle 1. Similarly, one of the computers 54, 55 of the second multi-unit vehicle 2 is chosen to be the master computer of the second multi-unit vehicle 2, for example the computer 54 posi ^¬ tionable at one end of the second multi-unit vehicle 2, and possibly another of ECUs 54, 55 of the second multi-unit vehicle 2 is selected to be its redundant, for example the computer 55 positionable other Extremists ^¬ mite second multi-unit vehicle 2. man General st, it is still preferable that the Sécuri control system ^¬ comprises in particular a master computer positioned itself ^¬ ble, particularly in a self-contained unit, to one end of the multi-unit and a computer vehicle placed in redundancy ^¬ said master computer , ie its redundant, positionable, especially in an autonomous unit, at the other end of said multi-unit vehicle, to allow efficient splitting of said multi-unit vehicle.

The other computers of the first multi-unit vehicle 1, respectively of the second multi-unit vehicle 2, are in an inactive state, such as, for example, the computer 52 of the first multi-unit vehicle 1. In general, the choice the master computer and its redundant may be based on a choice algorithm using a numbering, such as an IP address or a computer number, or a determination of a position of the computers in the multi-unit vehicle, said position being for example a po- central position, a position at the head or tail of multi-unit vehicle, the position of a calculator being deductible from said composition data. Preferably, for each of the control systems of the first and second multi-unit vehicle, at least one securing mechanism and priorisa ^¬ a security module of a steering system of the computer is adapted to select said master computer and its redundant, and therefore allows a prioritization calcu ^¬ freezer master, or in other words, an exclusive connection of the master computer with I / O modules of in ^¬ Trees / outputs of the multi-unit vehicle, so that only the master computer is able to control the inputs / outputs of the modules I / O for providing said vehi ^¬ multi-unit cule. The redundant computer is able to take control of said inputs / outputs in the event of failure of the master computer. For each vehicle ^¬ mul ti-unit, said security module capable of performing said securing and prioritization mechanism can optionally be selected automatically according to said given composition for each of said multi-unit vehicles. Preferably, the security module is able to choose as master computer via its mechanism of securing and prioritizing the computer that it is intended to equip. Thus, the security module is preferably able to prioritize the computer that it equips.

Thus, a security module 6 of the first multi-unit vehicle 1 is able to select said computer 51 as master computer to enable the master computer to control the inputs / outputs of the I / O modules 91, 92 93, of the first multi-unit vehicle 1 via the first network 81. Similarly, a security module 6 of the se ^¬ multi-unit vehicle 2 is able to choose said calculator 54 ^¬ as master computer to him to control the inputs / outputs of the modules of En- 94, 95 of the second multi-unit vehicle 2 via the second network 82.

Advantageously, each computer according to the invention, when it is the redundant computer of a master computer, is particularly capable of checking a state of synchronization of its context with a context of said master computer. Preferably, the master computer and its re ^¬ dondant, when the context of the latter is checked synchro to that of the master computer, are able to be connected to the input / output of the input / output modules that are associable. In particular, the module sé ^¬ curisation 6 of the master computer is able to Lock ^¬ l, by means of an association encoded token, the du- connection said master computer and its redundant with said ^¬ Trees in / outputs. Preferably, when a computer Maî ^¬ be redundant and are connected via a connection worm ^¬ rusty to a set of I / O, only the master computer is permitted to control the functional devices of the multi-unit vehicle, so that the computer redundant is able to verify operations performed by the master calculator ^¬ and to replace said master computer in case of failure of the latter. The steering system of the first multi-unit vehicle 1 is further characterized in that it comprises at least one provi ^¬ tif Identity Generator, in particular three provisions ^¬ tive of Identity Generator 41, 42, 43, each of which is intended to equip a unit of the first multi-unit vehicle 1. Equally, the control system of the second multi-unit vehicle comprises two identity generation devices intended to equip, each, a unit of said second multi-unit vehicle. 2. Thus, a first identity generation device 41, a second identity generation device 42 and a third identity generation device 43 equip each of them. a unit of the first multi-unit vehicle 1, and a first identification generating device 44 and a second provi ^¬ tif Identity Generator equip said second multi-unit vehicle. The identity generating devices 41, 42, 43 of the first multi-unit vehicle 1, respectively those of the second multi-unit vehicle 2, are connectable one after the other in order to form a first dispo chain. ^¬ ID generation operative part, respectively a second chain of identity generation devices, each des- said chains being in other words a first, respecti vely ^¬ second device for determining the composition of the multi-unit vehicle according to the invention. Each identity generation device is capable of communicating and exchanging data, including said list according to the invention, with its neighbor (s). Similarly for the control system of the first or second multi-unit vehicle, communication may be established from one end of the chain of identity generating devices to another, or in other words one end to the other of the multi-unit vehicle, either in a first direction of the head to the tail of the multi-unit vehicle, for example the genera device ^¬ identity 41 located at the head of the vehicle multi- unit identity Generator device 43 located at the tail of said multi-unit vehicle, or conversely, from the tail to the head of the multi-unit vehicle, for example the genera device ^¬ identity 43 queue at the identity generation device 41 at the head, or even in both directions at the same time. The same is true for the identity generating devices 44, 45 of the second multi-unit vehicle.

Advantageously, at least one of the identity generation devices 41, 42, 43 of the first multi-unit vehicle 1, res ^¬ respectively of the second multi-unit vehicle 2, in particular located at the end of the first chain, respectively of the second string, is able to initialize said list according to the invention, for example a first list for the control system of the first multi-unit vehicle 1, and a second list for the second multi-unit vehicle 2. Each of these lists preferably comprises a time data, for example a date , and allows an encoding of the composition of the multi-unit vehicle for which it was generated. Thus, the first list is adapted to be initialized for the pre ^¬ Mier multi-vehicle unit 1 by one of its devices ^¬ gen eration of identity and enable an encoding of the composition of said first multi-unit vehicle 1, and a second list will be able to be initialized for the second multi-unit vehicle 2 by one of its iden ^¬ tite generation devices, and will also allow encoding of its composition. For each of the control systems of the first and second multi-unit vehi- cule, once the first, respectively when ^¬ count, list initialized at one end of said first channel, second channel respectively, said first list, respectively second list, is transmitted to another available ^¬ operative part direction identity Generator each other extré- moth said first respectively second string so that it travels throughout said first, respecti vely ^¬ second chain of devices generating identity ^¬ té. Each identity generation device 41, 42, 43 of the first multi-unit vehicle 1, respectively each Identity Generator device 44, 45 of the second vehicle ^¬ mul ti-unit 2, is able to accumulate or add an identity datum in said first list, respectively is ^¬ list after the last element (for example following the last identity data) added in said first, respectively second list by the preceding identity generation device . The identity generation device located at the other end of said first chain, or second chain, ie located at the end of the chain, is in particular able to transmit, in particular cyclically, said first list, respectively second list, encapsulated in a given composition, the calculated ^¬ tor master 51 and its redundant 53 via said first network 81 in the case of the first multi-unit vehicle 1, and the cal ^¬ culateur master 54 and its redundant 55, via said second network 82 in the case of the second multi-unit vehicle 2.

In particular, in the case of an initialization of said list by each of the identity generation devices if ^¬ killed at the end of the chain, ie a first initialization of a first list at one end of the string and a se ^¬ initializing a second list at the other end of the chain, and a propagation of each of the two lists in an opposite direction in said string of Ge devices ^¬ eration of identity, the identity Generator device capable of receiving the first list by one of its connectors and the second list by another of its connec ^¬ tors is in particular able to create a new list comprising the elements of the first list, which is added first the identity data created by said device - generation tif capable of receiving the first and ^¬ count list, and then the second list elements. The new list thus includes the identity data of all the units comprising the multi-unit vehicle. Alterna tively ^¬, the Identity Generator device capable of receiving the first list by one of its connectors and the second list by another of its connectors is capable of selecting either the first list or the second list, ie only one of the two lists, in order to transmit it to an identity generation device located at the end of the chain. Thus, despite a generation of two lists, one and only one of the two lists is adapted to propagate towards one and only one Identity Generator device located extremi ^¬ side chain, intended to support the creation of the list complete identity data of all the units composing the multi-unit vehicle. Preferably, the Identity Generator device that created said nou ^¬ velle list is further capable of encapsulating said new list in said given composition so that it is transmitted, in particular cyclically, with at least one computer, for example to all the computers equipping each of the vehi cles ^¬ multi-unit or preferably to the master computer 51 and its redundant 53.

When the first multi-unit vehicle 1 and the second multi-vehicle unit 2 are coupled to each other to form a new multi-unit vehicle 3 comprising the units are ^¬ cond multi-unit vehicle 2 coupled to following the units of the first multi-unit vehicle 1, a reconfigured procedure ^¬ tion automatic steering system for the new multi-unit vehicle 3 is automatically feasible.

Indeed, when a coupling of two multi-unit vehicles with each other, the identity generation devices being all identical and connectable to each other, it follows that the generation devices of ID 41, 42, 43 of the first multi-unit vehicle 1 can be connected to the ID generating devices 44, 45 of the second multi-vehi ^¬ cule unit 2 to form a new channel of said positive ^¬ composed identity Generator of the first channel connected to the second chain, thereby forming a new device for determining the composition of nou ^¬ calf multi-unit vehicle 3. This new device deter ^¬ mination of the composition of the new multi-unit vehicle 3 is capable automatically determining the composition of the new multi-unit vehicle 3 and generating a composition data encoding said composition of the new multi-unit vehicle 3. Similarly, when coupling a Emier vehi ^¬ multi-cule unit 1 with a second multi-unit vehicle 2, the first network 81 and second network 82 are connectable to one another to form a new network 83, said new network 83 being a meeting of the first network 81 and the second network 82.

The new device for determining the composition of the new multi-unit vehicle 3, consisting of devices ^¬ gen eration identity of the first and second multi-unit vehicle, is able to transmit via said new network 83, said data composition the new multi-vehicle unit 3, to all computers of the new multi-unit vehicle 3, in particular to at least one secu ^¬ authorization module receives said given composition. In particu ^¬ link, once this composition data acquired by the computers 41 to 45 of new multi-vehicle unit 3 and by the modules / O 91-95 via said new net- work 83, the master computer 51 and its redundant 53 pre ^¬ Mier multi-unit vehicle 1, and the master computer 54 and its redundant 55 of the second multi-unit vehicle 2 are able, by their security module, to ^¬ connect / O of I / O modules to which they were connected when the first and is ^¬ cond mutli-unit vehicle were not coupled to each other, ie independent. Advantageously, each pilo ^¬ tage system according to the invention is capable, by means of said unlocking key transmitted by their respective security modules, to cut the connection of at least one of its cal ^¬ culators, especially all its calculators, auditing ^¬ appear I / O as soon as detection of a variation of ^¬ said composition data. In particular, the security module of the control system according to the invention is able to detect said variation of the composition data and to cut the connection of at least one computer with said set of inputs / outputs, in particular the connection of the master computer and its redundant, to allow a new master computer and its redundant to take control of said inputs / outputs by connecting. Preferably, a new security module 6, chosen for example according to the composition data of the new multi-unit vehicle 3, determines said new master computer and its redundant. Preferably, the new master computer is located at one end of the new vehi ^¬ cule multi-unit 3, for example the computer 51, and re ^¬ dondant at the other end, for example the computer 55. The other computers 52, 53, 54 of the new multi-unit vehicle 3 are preferably in an inactive state.

The new security module 6 of the control system of the new multi-unit vehicle 3 is then able, on the basis of said composition data, to connect at least one computer, in particular said new master computer and its redundant, to the set of inputs / outputs of the I / O modules 91 to 95 of the new multi-unit vehicle 3. As soon as the security module 6 is able to validate a coherence between the inputs / outputs associated with the computers and the composition data the pilo system ^¬ floor of the new multi-vehicle unit 3 is adapted to take control of said I / O for controlling the said functional ^¬ positive the new multi-unit vehicle allows ^¬ as his driving.

Figure 4 also helps explain a scindage a vehi ^¬ cule multi-unit equipped with a safety control system ^¬ lon the invention. When splitting a multi-unit vehicle, for example of said new multi-unit vehicle 3, into two or more other multi-unit vehicles, for example into a first multi-unit vehicle 1 and a second multi-unit vehicle 2, said new identity generation device chain of said new multi-unit vehicle formed of the identity generating dis ^¬ positives 41 to 45 is broken, separated into two parts, for example into said first chain of identity generation devices 41 to 43 of the first multi-unit vehi ^¬ cule 1, and said second chain provi ^¬ tive Identity Generator 44, 45 of the second vehicle ^¬ mul ti-unit 2. Similarly, the network 83 of the new multi-unit vehicle 3 is separated into a first network 81 of the first multi-unit vehicle 1 and into a second network 82 of said second multi-unit vehicle 2.

After scindage, each of the two parts of the positive dis- chain identity of the new multi-unit vehicle 3 is ca pable ^¬ generate independently and automatically a given nou ^¬ velle composition respectively characterizing the first multi-unit vehicle 1, and the second multi-unit vehicle 2. As previously with the coupling of two multi-unit vehicles, the new composition data is in particular able to cause generation by at least one security module of the unlocking key allows ^¬ as a disconnection of each of the computers, with the inputs / outputs to which they were previously connected in the configuration of said new multi-unit vehicle 3.

Advantageously, said release key is likely to be transmitted to each security module via a safety control system according to the invention, so that each security ^¬ mo dule is able to disconnect a calculators tor its connection with the least one entrance / exit when ^¬ scindage said. In particular, the connection of the master computer 51 and its redundant 55 with the inputs / outputs of their I / O modules 91 to 95 is able to be cou ^¬ pe by means of said unlocking key adapted to be provided by the security module, either during said detection of the variation of the composition data during the splitting, or during a prior process of notification of the splitting to said control system of said new multi-unit vehicle. In another case, in particular when said scindage is not notified to said control system said new vee ^¬ multi-vehicle unit 3, and if the security module 6 ^¬ detects, before said detected change in said Don-born composition master computer the connection loss with the inputs / outputs of the modules or of in ^¬ Trees / O to which it was previously connected before scindage, the connection loss can be construed ^¬ ted by said module securing and the Entry / Exit module as a failure which may in particular result in a reset of the confirmation message. This reset of the confirmation message will make it possible to connect a new master computer chosen after splitting for each of the first and second multi-unit vehicles to the inputs / outputs of the input / output modules equipping their units.

With respect to the prior art for which the master computer is likely to fall into a safety sink state when detecting a loss of connection with a portion of the inputs / outputs of the input / output modules of the units having been uncoupled, the present invention makes it possible, during a splitting or a coupling, to automatically correlate the new composition of the multi-unit vehicle with all the inputs / outputs to be taken into consideration by the master computer, so that a loss of a connection of the master computer with a part of its inputs / outputs does not result in an activation of an emergency procedure of the control system.

For a multi-unit vehicle comprising several units with ^¬ tonomes, at least one calculator among all the calculators distributed on the network of said vehicle is suitable for act as a master computer to control said vehicle and to be directly associated, by connection to said ^¬ I / O set, to the input / output modules of said vehicle. When the computer acting as said vehicle driver master computer, other calculated ^¬ tors said vehicle can in particular be in the standby state, so that only the computer identified as cal ^¬ culateur master by the security module controls the pi ^¬ preferably, the security module identifies the computer that it equips as the master computer.

Finally, the present invention allowed to describe a safety control sys- tem able to discover so ^¬ tonome the composition of a multi-unit vehicle such as a train, and verify proper connection the safety of at least one the computer control system with a set of trees in ^¬ / modules outputs I / O distributed on the network of said multi-unit vehicle.

Making safe the safety control system is no ^¬ MENT achieved by controlling, in particular cyclically, the coherence between all input / output adapted to be connected and locked with said computer and com- position of the multi-unit vehicle deducted com ^-¬ position data provided by said device for determining the composition of the multi-unit vehicle. In particular, composition data from said multi-unit vehicle capable ^¬ describe a set of characteristics of the units that compose said multi-unit vehicle, and a set of possible configurations of said multi-unit vehicle may be used as reference control, particularly cyclic, coherence between all the inputs / outputs able to be connected and locked with said computer and the composition of the multi-unit vehicle. Advantageously, the present invention allows a validation of the integrity of a free multi-unit vehicle from the use of application-level information, such as located it ^¬ for example, and providing greater genericity treatment with direct access to all the trees ^¬ in / out multi-unit vehicle and the ability to centralize software treatments related to the security of the control system on a single computer. In summary, the method and securing a sys tem control system ^¬ according to the invention have several advan ^¬ tages compared to exis control methods and systems ^¬ as in that:

- they allow independence of securing the determination of the composition of a multi-unit vehicle, the determination of the composition is independent of application software carried by calculated ^¬ tors for the autopilot;

they allow a dynamic modification of the composition of a train without interruption of the control in security of the composition of said multi-unit vehicle;

- they allow SIL4 safe use of the sys ^¬ tem safety control, distributed and dynamically reconfigurable;

- the securing and prioritization mechanism allows an exclusive assignment of the connection of a set of I / O with at least one computer, in par ticular ^¬ a single computer, and is used to associate security, directly a master computer with safe exits. This allows the realization of a dynamically reconfigurable distributed architecture, and thus a centralization of operating data and greater flexibility of deployment;

- they make it possible to constantly know the composition of the multi-unit vehicle and a locking state of Inputs / Outputs with the master computer. In particular, an update of the composition data is compa ^¬ tible with the transmission period of the confirmation message ^¬ tion to refresh the inputs / outputs connected to the master computer;

centralizing information to a computer simplifies the complexity of the pilosebaceous system ^¬ automatic floor and reduces the complexity of the security ana ^¬ lysis. The control of the multi-unit vehicle by a computer via the I / O modules is thus secure;

they allow the addition or respectively the automatic deletion of a unit or respectively a vehi ^¬ multi-unit cule.

Claims

claims

Method for securing a control system for equipping and controlling a multi-unit vehicle characterized in that said method comprises:

- an autonomous determination of a composition of a multi-unit vehicle determined by a device ^¬ the composition of said multi-unit vehicle correlated to a generation of a given composi ^¬ said multi-unit vehicle;

a transmission of said composition datum to a set of elements of the control system, at least one element of said set of elements being a calculator (5) of said control system;

- a determination, by said computer (5) and by means of said data composition of a set of inputs / outputs of at least one module tree ^¬ / output (91) for equipping the vehicle mul ^¬ ti-unit;

a connection of each element of said set of elements to said set of Inputs / Outputs.

Method according to Claim 1, characterized in that said assembly of elements comprises a group of calculated ^¬ tors.

Method according to claim 2, characterized by a securing mechanism and prioritization of connecting at least one computer (5) of said calculated group ^¬ tors with said set of inputs / outputs.

Method according to claim 3, characterized in that said security and prioritization mechanism comprises a generation of an encoded association token capable of locking said connection of at least one computer (5) said computers of said set of group ^¬ Trees In / Out, and generating a key Dever ^¬ rusting adapted to unlock said connection of at least one computer (5) of said calculators group with said set of inputs /Exits.

Method according to one of claims 1 to 4, characterized by a cyclic or sufficiently frequent verification of consistency between the connection of each element of said set of elements ^¬ with said set of trees ^¬ In / Out and said given composition.

Method according to one of claims 1 to 5, characterized in that said autonomous determination comprises a successive and ordered addition to a list, according to a composition order of said multi-unit vehicle, of at least one piece of identity data of each unit (1, 2, 3) of said multi-unit vehicle so that an order of suc ^¬ transfer of identity data included in said list is correlatable to the order of composition uni ^¬ tees (1, 2, 3) of said multi vehicle unit, each identity datum being specific to a single unit (1, 2, 3) of the multi-unit vehicle, and said list being able to be encapsulated in said composition datum.

Secure driving system of a multi-unit vehicle, characterized in that said system comprises:

- a device for determining a composition of the multi-unit vehicle, capable of determining autonomously the composition of the multi-unit vehicle and generate a data composi ^¬ correlated to said composition of said multi-unit vehi ^¬ cule;

at least one computer (5) comprising at least one security module (6), said computer (5) being intended to equip at least one unit (1, 2, 3) of the multi-unit vehicle, each computer being connectable by means of at least one

connection and via a network (8), on the one hand to a set of inputs / outputs of modules In ^¬ Trees / outputs (91) intended to equip one or rained ^¬ eral units (1, 2, 3), and secondly to said device for determining the composition of the multi-unit vehicle, in order to exchange via each Input / Output module (91) data ^¬ func tioning of the unit (1, 2, 3) and / or the multi-unit vehicle, and in order to acquire from said determination device, a composition data of said multi-unit vehicle;

- said security module (6) dynamics ^¬ said connecting each computer (5) with said set of inputs / outputs, said security module (6) being capable of determining, from said given composition, said in ^¬ appear of Inputs / Outputs likely to be connected to each computer (5), to connect each calculator (5) to said set of Inputs outlets, and to control a coherence between cha ^¬ that connection of each calculator (5) auditing set of Inputs / Outputs.

Control system according to claim 7, characterized in that it comprises a group of computers, and in that the security module (6) is capable of prioritizing the connection of a single computer (5) of said group of computers auditing set of Inputs / Outputs.

Control system according to one of claims 7 or 8, characterized in that the security module (6) com ^¬ takes a locking module capable of locking each computer connection (5) with each of the inputs / outputs of said set of inputs / outputs.

Control system according to Claim 8, characterized in that the said locking module comprises an encoded association token generator capable of generating an encoded association token in order to lock each connection of the said computer (5) with each of the inputs / outputs. said set of Inputs / Outputs and an unlocking key adapted to unlock at least one connection of said computer (5) with at least one of the inputs / outputs of said set of inputs / outputs.

Steering system according to one of claims 7 to 10, characterized in that the device for determining a composition of the multi-unit vehicle comprises at least one identity generating device (4), each identity generating device ( 4) of the determination device being intended to equip a unit of the multi-unit vehicle, each identity generation device (4) being able to generate data iden ^¬ titular unit (1, 2, 3) that it is intended to equi ^¬ per.

Identity Generator device (4) for per ^¬ to determining a composition of a multi-unit vehicle, comprising at least one unit (1, 2, 3), the Identity Generator device (4) intended to equi ^¬ a unit (1, 2, 3) of the multi-unit vehicle being characterized in that it comprises:

- an identity data generator able to gen erate ^¬ an identity data of the unit (1, 2, 3) that the Identity Generator device of ^¬ Tine equip said identity data being des- designed to allow identification of said unit (1, 2, 3);

a connection detector capable of detecting a presence or absence of coupling of said identity generating device (4) with at least one other identity generating device (4);

- a serialization component capable of adding another element to said list, or as a result of a last item in a list of orderable elements successively to be received by the said ^¬ ID generation device or as the first element of the list of elements that can be created by the list generator, said other element comprising said identity data item;

- a list of transmitter capable of transmitting ^¬ said list of items comprising said other member is another Identity Generator device (4) or at least one computer (5) of the multi-unit vehicle after encapsulation said list in a composition data of said multi-unit vehicle.

Apparatus according to claim 12, characterized in that said list generator is capable of cyclically or frequently creating said list.

Device according to one of claims 12 to 13, characterized ^¬ in that the identity generation device (4) comprises at least two connectors, respectively a first and a second connector, each intended for coupling said identity generating device (4) with another identity generating device (4).

Device according to claim 14, characterized in that said identity data generator is capable of generating polarization data capable of authorizing transmission of said list of elements by means of only one of the two connectors.