EP3428037A1 - Control system for a railway crossing - Google Patents


Info

Publication number
EP3428037A1
Authority
EP
European Patent Office
Prior art keywords
channel
signal
control system
railway crossing
logic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP18182560.5A
Other languages
English (en)
French (fr)
Inventor
Robert Edwin van Wissen
Carolus Wilhelmus van Maarschalkerweerd
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Volkerwessels Intellectuele Eigendom BV
Original Assignee
Vialis BV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Vialis BV

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B61: RAILWAYS
    • B61L: GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L29/00: Safety means for rail/road crossing traffic
    • B61L29/24: Means for warning road traffic that a gate is closed or closing, or that rail traffic is approaching, e.g. for visible or audible warning

Definitions

  • the present invention relates to a control system for a railway crossing, wherein the control system comprises a plurality of signal inputs and a plurality of signal outputs, and processing logic connected to the plurality of signal inputs and plurality of signal outputs,
  • Control systems for railway crossings are still mostly based on hard-wired circuitry and logic, separate for each railway crossing function. As in other technical application areas, system integration is attempted, but difficult to achieve in view of the very high safety, reliability and availability levels now required.
  • the present invention seeks to provide an improved control system for a railway crossing, which is provided as an integrated and flexible system.
  • a control system as defined above is provided, wherein the processing logic comprises a channel A part and a channel B part for each railway crossing logic function, wherein the plurality of signal inputs are each connected to both the channel A part and the channel B part of the processing logic to input a channel A signal and channel B-signal, each of the channel A part and the channel B part comprising an AND logic gate receiving a direct signal and a cross check signal and outputting an internal data signal, the cross check signal being provided by a first data exchange channel between the channel A part and the channel B part.
  • an output signal associated with each railway crossing logic function is arranged in either a redundant availability implementation or a redundant implementation with diagnostics.
  • the invention embodiments allow the processing logic to be implemented in a flexible manner, in order to provide the control system with a sufficiently high availability and reliability depending on the requirements of the specific railway crossing logic function.
  • railway crossings are nowadays guarded and monitored using warning devices (light, sound) and physical blocking devices (moving barrier), and controlled remotely and fully automatically.
  • various sensors and data exchange to a central rail surveillance center are used.
  • the implementation is such that safety can be guaranteed to as high a level as possible (e.g. using fail-safe design of equipment), but also the availability of systems (often expressed as mean time between failure MTBF) is required to be high.
  • the design of a control system for a railway crossing allows a flexible allocation of the system resources, making it possible to obtain a predetermined degree of safety and availability for each and every function associated with operation of a railway crossing.
  • Functions associated with a control system of a railway crossing may include, but are not limited to actuation of the railway gate (closing actuation and opening actuation may be seen as separate functions), actuation of the red warning lights, actuation of warning sounds, actuation of white lights, actuation of a radar device, reception of sensor signals, reception of signal post signals, generation of signal post signals.
  • the railway crossing functions may be implemented as logic functions, using one or more input parameters and providing one or more output signals.
  • the availability for the operation of barriers of a railway crossing may be less stringent than the availability for the operation of the white lights (which indicate to users that it is safe to cross the railway crossing).
  • the threshold value for operation of the white lights may be orders of magnitude smaller (e.g. around 1E-10 failures/hour) compared to the function of operation of the barrier (e.g. around 1E-7 failures/hour).
  • the present invention embodiments relate to a control system for a railway crossing, wherein the control system comprises a plurality of signal inputs (S) and a plurality of signal outputs (AC), and processing logic (P) connected to the plurality of signal inputs (S) and plurality of signal outputs (AC).
  • the processing logic comprising a channel A part (PA) and a channel B part (PB) for each railway crossing logic function. This is shown in the schematic view of an exemplary implementation in Fig. 1 .
  • the plurality of signal inputs S e.g. comprise control input signals and/or sensor input signals
  • the plurality of signal outputs AC e.g. comprises signalling output signals and/or actuator drive signals.
  • the plurality of signal inputs (S) are each connected to both the channel A part (PA) and the channel B part (PB) of the processing logic (P) to input a channel A signal (DI-A) and channel B-signal (DI-B).
  • This allows two independent executions of logic functions for the railway crossing functions by a first logic server LA in the channel A part PA and a second logic server LB in the channel B part PB, resulting in an increased (redundancy based) safety level.
  • the channel A part PA and channel B part PB are arranged to cross check the input signals.
  • the logic servers LA, LB each provide an independent output signal DO-A and DO-B, respectively.
  • this cross check is implemented by each of the channel A part (PA) and the channel B part (PB) comprising an AND logic gate (AA; AB) receiving a direct signal (DI-A; DI-B) and a cross check signal (DI-A; DI-B) and outputting an internal data signal (DII).
  • the cross check signal (DI-A; DI-B) is provided by a first data exchange channel (SEA) between the channel A part (PA) and the channel B part (PB).
  • the AND logic gates AA, AB ensure that the first channel A cannot unsafely influence the other channel B, and vice versa.
  • the first data exchange channel SEA is e.g. a safe-Ethernet channel as available in many present day processing logic modules, e.g. in the form of a Programmable Logic Control (PLC) unit.
  • the signal input S (e.g. a sensor signal) is split in the two paths, and for each path a signal adaptation unit (TA; TB) is provided, which e.g. is used to convert an AC signal to a DC signal which can be input to the processing logic P.
  • the signal adaptation unit may be implemented as a transformer-rectifier unit.
  • the plurality of signal inputs (S) are each connected to both the channel A part (PA) and the channel B part (PB) of the processing logic (P) via a separate signal adaptation unit (TA; TB). If the signal input S is already compatible with the processing logic, such signal adaptation units TA, TB need not be present, or are implemented as signal converters, e.g. DC-DC converters.
  • an output signal (DO) associated with each railway crossing logic is arranged in either a redundant availability implementation (2-out-of-2, or 2oo2) or a redundant implementation with diagnostics (2-out-of-2 with diagnostics, or 2oo2d).
  • the exemplary embodiment of Fig. 1 is an example of a redundant availability implementation (2oo2).
  • the output part of the processing logic P comprises an OR logic gate (OR) receiving the railway crossing logic function output signals of the channel A part (DO-A) and of the channel B part (DO-B) for a specific railway crossing logic function, and providing an associated output signal (DO).
  • the redundant channel architecture and output combination logic will thus ensure that if one channel A, B fails, the specific railway crossing function will still be available and function properly.
  • Each channel A, B is arranged to provide a fail-safe implementation of the specific railway crossing function, and the output combination logic ensures that the output signal AC can have an 'unsafe' value if one of the two channels A, B has an unsafe value.
  • the specific railway crossing logic function comprises one or more of actuation of railway crossing barrier closing; actuation of railway crossing barrier opening; actuation of red lights; actuation of a warning sound; actuation of a traffic radar device. These functions can then be provided with a desired level of safety in combination with a desired availability (e.g. a threshold value of less than 1E-9 failures per hour).
  • a different implementation of the processing logic P is used, of which an exemplary embodiment is shown in the schematic diagram of Fig. 2 .
  • an additional process logic unit is used in the form of diagnostic unit D.
  • the control system as shown further comprises a diagnostic unit (D), and the redundant implementation with diagnostics comprises an OR logic gate (OR) receiving the railway crossing logic function output signals of the channel A part (DO-A) and the channel B part (DO-B) for a specific railway crossing logic function.
  • the diagnostic unit (D) is arranged to receive the railway crossing logic function output signals of the channel A part (DO-A), the channel B part (DO-B), and to bring the signal output (DO) of the associated specific railway crossing logic function to a safe state if the railway crossing logic function output signals of the channel A part (DO-A) and the channel B part (DO-B) are different.
  • This embodiment makes it possible to reach a higher degree of availability than the implementation shown in Fig. 1, and thus combines a high safety level (redundancy) and high availability. It is noted that the diagnostic unit D does not execute the specific railway crossing function again, as executed in both channels A, B, but only checks whether a discrepancy exists between the channel A output part signal DO-A and channel B output part signal DO-B.
  • the output signal DO is then brought to a safe state, enhancing the safety level of this implementation.
  • the output signal DO can only have an unsafe state if the logic servers LA, LB in both channels A, B have calculated that the output should be in an unsafe state.
  • this implementation allows two independent executions of logic functions for the railway crossing functions by a first logic server LA in the channel A part PA and a second logic server LB in the channel B part PB, resulting in an increased (redundancy based) safety level.
  • the additional control of the output signals by the diagnostic unit D allows an even further increased safety level, as well as an even better availability (i.e. a lower threshold value of 1E-10 or even 1E-11 failures per hour).
  • the diagnostic unit (D) is connected to railway crossing logic function output signals of the channel A part (DO-A) and of the channel B part (DO-B) via a respective second data exchange channel (SD-A; SD-B). Again this data exchange channel SD-A, SD-B may be implemented as a safe Ethernet channel.
  • the diagnostic unit (D) is further arranged to provide an alert signal if the signal outputs of the channel A part (DO-A) and the channel B part (DO-B) are different.
  • This alert signal may be provided locally, but can also be logged, or communicated to a remote location (e.g. a central railway monitoring station).
  • the specific railway crossing logic function implemented in this type of processing logic P comprises one or more of: actuation of white lights; output signals to a signal post.
  • control signal for railway crossing (DA); control signal indicating that railway crossing is safely closed (KFX); control signal for deactivating railway crossing annunciation (RHS); control signal for activating railway crossing annunciation (NRHS); control signal for white lights for traffic (CLP); control signal for red lights for traffic (CLR); control signal for barriers (NCB, CB); control signal for alarm bells (CSB); remote alarm signal (RA/Ra); control signal for red light monitoring of traffic (Radar)
  • control signal for railway crossing (DA); control signal indicating that railway crossing is safely closed (KFX); control signal for deactivating railway crossing annunciation (RHS); control signal for activating railway crossing annunciation (NRHS); control signal for white lights for traffic (CLP); control signal for red lights for traffic (CLR); control signal for barriers (NCB, CB); control signal for alarm bells (CSB); remote alarm signal (RA/Ra); remote alarm signal for red light monitoring of traffic (Radar).
  • the processing logic for that specific railway crossing logic function is still operable; however, the diagnostic unit D can then no longer execute the monitoring function of both channels, but only of the remaining channel A, B. If the diagnostic unit D would become unavailable, the specific railway crossing logic function is still operative.
  • the diagnostic unit (D) is further arranged to execute a self-test, e.g. using an output of the OR logic gate as shown in Fig. 2 as an additional input. This fail-operational condition should however not last too long, in order to meet prescribed safety levels.
  • the processing logic (P) is arranged to generate a warning signal if the diagnostic unit (D) is non-functional for more than a predetermined time period.
  • the processing logic P may further comprise a switch (R) (e.g. a solid state switch such as a relay) connected to the diagnostic unit (D), wherein the switch (R) is arranged to bring the signal output (DO) of the associated specific railway crossing logic function to a safe state.
  • the diagnostic unit D may be arranged to periodically check the switch for proper functioning.
  • Fig. 3 shows an exemplary implementation of the output combinatory logic for the sound warning system S of a railway crossing.
  • the channel A part PA of the processing logic P provides an output signal DO-A
  • the channel B part PB of the processing logic P provides an output signal DO-B, both of which are input to an OR gate, which then provides the output signal AC for the sound warning system S.
  • the warning sound will thus be generated if one of the channels A, B or both channels A, B have established that a warning sound must be generated.
  • Fig. 4 shows an exemplary implementation of the output combinatory logic for the barrier operation CB, NCB of a railway crossing, which is a complementary function (close barrier signal, or a not close barrier (open barrier) signal).
  • the channel A part PA of the processing logic P in this case provides an output signal DO-A+ and an inverted output signal DO-A-
  • the channel B part PB of the processing logic P provides an output signal DO-B+ and an inverted output signal DO-B-.
  • the inverted output signals DO-A- and DO-B- are combined in an OR gate
  • the output signals DO-A+ and DO-B+ are combined in an OR gate.
  • the respective signals CB, NCB are then provided to the barrier actuators.
  • Fig. 5 shows an exemplary implementation of the output combinatory (and diagnostic) logic for the output of signals to a (remote) signal post, which requires the highest level of safety and availability.
  • the output signal AC is eventually provided as an actuation of a relay DA.
  • the channel A part PA of the processing logic P provides an output signal DO-A
  • the channel B part PB of the processing logic P provides an output signal DO-B, both of which are input to an OR gate and to the diagnostic unit D via safe Ethernet channels SD-A, SD-B.
  • an output of the diagnostic unit D is connected to relay R, which would allow the diagnostic unit to bring the output signal AC to a safe state.
  • the output signal AC is also fed back to the diagnostic unit D, as indicated here via a transformer TO.
  • the processing logic comprises a programmable logic control (PLC) unit having a reliability level in accordance with a safety integrity level SIL-4.
  • each of the channel A part PA, channel B part PB, and the diagnostic unit D are implemented in a separate SIL-4 PLC unit.
  • Each PLC unit may be connected to one or more remote I/O units, if the available number of I/O ports on the PLC unit is not sufficient to implement all needed railway crossing functions and associated signal inputs S and signal outputs AC.
  • the interconnection between a PLC unit and remote I/O unit can be bus based, e.g. using a safe Ethernet connection.
  • the PLC units may also be connected to a (local) data logging module via a separate local network connection.
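
The two output arrangements described above (OR gate alone as in Fig. 1, OR gate with diagnostic unit D and switch R as in Fig. 2) can be compared under channel faults with a small simulation. This is an added example, not code from the patent; the Python names, the fault model (`stuck_at`, `available`) and the convention that a low signal is the safe state are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

SAFE = False  # assumption: a de-energised (low) signal is the safe state


def cross_check(direct: bool, cross: bool) -> bool:
    """AND gate AA / AB: internal signal DII from the direct and cross check inputs."""
    return direct and cross


@dataclass
class Channel:
    """Channel part PA or PB with its logic server LA or LB."""
    logic: Callable[[bool], bool]
    stuck_at: Optional[bool] = None  # constructed fault: output frozen at a value
    available: bool = True           # constructed fault: channel known to be down

    def output(self, di_own: bool, di_other: bool) -> bool:
        """DO-A or DO-B for one evaluation cycle."""
        if not self.available:
            return SAFE              # assumption: a failed channel fails safe
        if self.stuck_at is not None:
            return self.stuck_at
        return self.logic(cross_check(di_own, di_other))


def combine_2oo2(do_a: bool, do_b: bool) -> bool:
    """Fig. 1 arrangement: OR gate over DO-A and DO-B."""
    return do_a or do_b


def combine_2oo2d(a: Channel, b: Channel, do_a: bool, do_b: bool,
                  diag_ok: bool = True) -> Tuple[bool, bool]:
    """Fig. 2 arrangement: OR gate plus diagnostic unit D. Returns (DO, alert)."""
    # D can only compare the channels while it and both channels are running.
    both_monitored = diag_ok and a.available and b.available
    if both_monitored and do_a != do_b:
        return SAFE, True            # switch R forces the safe state, D alerts
    return do_a or do_b, False


def run(di_a: bool, di_b: bool, a: Channel, b: Channel,
        diag_ok: bool = True) -> Tuple[bool, bool, bool]:
    """One cycle; returns (DO of Fig. 1, DO of Fig. 2, alert of Fig. 2)."""
    do_a = a.output(di_a, di_b)      # channel A: direct DI-A, cross check DI-B
    do_b = b.output(di_b, di_a)      # channel B: direct DI-B, cross check DI-A
    do_diag, alert = combine_2oo2d(a, b, do_a, do_b, diag_ok)
    return combine_2oo2(do_a, do_b), do_diag, alert


def follow(dii: bool) -> bool:
    """Hypothetical logic function: the output follows the cross-checked input."""
    return dii


if __name__ == "__main__":
    ok, stuck = Channel(follow), Channel(follow, stuck_at=True)
    down = Channel(follow, available=False)
    cases = [  # constructed scenarios: (label, DI-A, DI-B, channel B, D healthy)
        ("healthy, input high", True, True, ok, True),
        ("input seen by A only", True, False, ok, True),
        ("B stuck high, input low", False, False, stuck, True),
        ("B unavailable, input high", True, True, down, True),
        ("B stuck high, D down", False, False, stuck, False),
    ]
    for label, di_a, di_b, chan_b, diag_ok in cases:
        print(f"{label:27s}", run(di_a, di_b, Channel(follow), chan_b, diag_ok))
```

The last scenario shows why the time without a working diagnostic unit has to be limited: with D down, a channel stuck high drives the Fig. 2 output exactly as it does in the Fig. 1 arrangement.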

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)
EP18182560.5A 2017-07-10 2018-07-10 Control system for a railway crossing Withdrawn EP3428037A1 (de)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
NL2019206A NL2019206B1 (en) 2017-07-10 2017-07-10 Control system for a railway crossing

Publications (1)

Publication Number Publication Date
EP3428037A1 (de) 2019-01-16

Family

ID=60923848

Family Applications (1)

Application Number Title Priority Date Filing Date
EP18182560.5A Withdrawn EP3428037A1 (de) 2017-07-10 2018-07-10 Control system for a railway crossing

Country Status (2)

Country Link
EP (1) EP3428037A1 (de)
NL (1) NL2019206B1 (de)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19832060A1 (de) * 1998-07-16 2000-01-20 Siemens Ag Duplicable processor device
DE102012201803A1 (de) * 2012-02-07 2013-08-08 Siemens Aktiengesellschaft Safety-relevant system
EP2824572A1 (de) * 2013-07-12 2015-01-14 Thales Deutschland GmbH Fail-safe device and method for operating the fail-safe device
WO2016142159A1 (de) * 2015-03-11 2016-09-15 Siemens Aktiengesellschaft Safety-relevant computer system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BRENNER K ET AL: "SIRES - Sicheres Rechnersystem als Plattform für die BÜ-Sicherungstechnik der Zukunft", SIGNAL + DRAHT, DVV, vol. 101, no. 11, 1 November 2009 (2009-11-01), pages 30 - 34, XP001549362, ISSN: 0037-4997 *
EUE W ET AL: "SIMIS-C - DIE KOMPAKTVERSION DES SICHEREN MIKROCOMPUTER-SYSTEMS SIMIS", SIGNAL + DRAHT, DVV, vol. 79, no. 4, 1 April 1987 (1987-04-01), pages 81 - 85, XP000744323, ISSN: 0037-4997 *

Also Published As

Publication number Publication date
NL2019206B1 (en) 2019-01-16

Similar Documents

Publication Publication Date Title
ES2230314T3 (es) Control system for actuators in an aircraft.
RU2495778C2 (ru) Microprocessor-based interlocking system for points and signals
US4305556A (en) Railway control signal dynamic output interlocking systems
WO2006051355A1 (en) A control system, a method to operate a control system, a computer data signal and a graphical user interface for rail-borne vehicles
AU2015208353C1 (en) Redundancy switching of detection points
CN107885695B (zh) Computer platform based on rail transit
CN102955903A (zh) Method for processing safety-critical information of a rail transit computer control system
EP3428037A1 (de) Control system for a railway crossing
US4897640A (en) Method and electrical circuit for the reliable detection of process states within freely couplable units
WO1990008092A1 (en) Detector systems
CN109195855B (zh) System, in particular for controlling an interlocking in railway traffic
DURMUŞ et al. A new bitwise voting strategy for safety-critical systems with binary decisions
RU2692739C1 (ru) Microprocessor-based interlocking system МПЦ-ЭЛ
Kantz et al. Communication in train control
RU2709068C1 (ru) Microprocessor-based interlocking system МПЦ-ЭЛ
BR102019009428A2 (pt) System for control, regulation and/or monitoring of an aircraft
RU2765395C1 (ru) Method for preventing deactivation of an impermissible number of identical components of a rail vehicle
JP6634701B2 (ja) Switchboard control system and power receiving and distribution equipment using the same
KR101808618B1 (ko) High-safety redundant system based on a railway system
US5671348A (en) Non-vital turn off of vital output circuit
DK3131192T3 (en) Control device and method for controlling a safety-relevant component
Akita et al. Safety and fault-tolerance in computer-controlled railway signalling systems
CZ256295A3 (en) Programmable safety device for a crossing
RU190668U1 (ru) Device for monitoring and controlling level crossing automation
Anik et al. The functional safety calculation of a real interlocking system in Turkey

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20190716

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20210625

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: VOLKERWESSELS INTELLECTUELE EIGENDOM B.V.

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20220831

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20230111