EP3428037A1 - Control system for a railway crossing - Google Patents
- Publication number
- EP3428037A1 EP18182560.5A
- Authority
- EP
- European Patent Office
- Prior art keywords
- channel
- signal
- control system
- railway crossing
- logic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L29/00—Safety means for rail/road crossing traffic
- B61L29/24—Means for warning road traffic that a gate is closed or closing, or that rail traffic is approaching, e.g. for visible or audible warning
Definitions
- Fig. 5 shows an exemplary implementation of the output combinatory (and diagnostic) logic for the output of signals to a (remote) signal post, which requires the highest level of safety and availability. The output signal AC is eventually provided as an actuation of a relay DA. The channel A part PA of the processing logic P provides an output signal DO-A, and the channel B part PB of the processing logic P provides an output signal DO-B, both of which are input to an OR gate and to the diagnostic unit D via safe Ethernet channels SD-A, SD-B. An output of the diagnostic unit D is connected to relay R, which would allow the diagnostic unit to bring the output signal AC to a safe state. The output signal AC is also fed back to the diagnostic unit D, as indicated here via a transformer TO.
- The processing logic comprises a programmable logic control (PLC) unit having a reliability level in accordance with a safety integrity level SIL-4. Each of the channel A part PA, the channel B part PB, and the diagnostic unit D is implemented in a separate SIL-4 PLC unit. Each PLC unit may be connected to one or more remote I/O units if the number of I/O ports available on the PLC unit is not sufficient to implement all needed railway crossing functions and associated signal inputs S and signal outputs AC. The interconnection between a PLC unit and a remote I/O unit can be bus based, e.g. using a safe Ethernet connection. The PLC units may also be connected to a (local) data logging module via a separate local network connection.
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Train Traffic Observation, Control, And Security (AREA)
- Electric Propulsion And Braking For Vehicles (AREA)
Abstract
Description
- The present invention relates to a control system for a railway crossing, wherein the control system comprises a plurality of signal inputs and a plurality of signal outputs, and processing logic connected to the plurality of signal inputs and plurality of signal outputs.
- Control systems for railway crossings are still mostly based on hard-wired circuitry and logic, separate for each railway crossing function. As in other technical application areas, system integration is attempted, but difficult to achieve in view of the very high safety, reliability and availability levels now required.
- International patent publication WO2016/142159 discloses a safety relevant computer system for railway applications. Two hardware channels are used, of which data is fed to a comparator. If the comparison fails, an error response is generated. Similarly, two different software programs may be used, for which data checks are implemented. Note that the embodiments described use a SIL4 level processing system.
- The article by W. Eue et al. entitled 'SIMIS-C - Die Kompaktversion des sicheren Microcomputer-systems SIMIS', Signal+Draht, DVV, part 79, nr. 4, pages 30-34, discloses a railway processing unit having two similar processing units VAU, of which processing outputs are compared using a comparator VGL.
- The present invention seeks to provide an improved control system for a railway crossing, which is provided as an integrated and flexible system.
- According to the present invention, a control system as defined above is provided, wherein the processing logic comprises a channel A part and a channel B part for each railway crossing logic function, wherein the plurality of signal inputs are each connected to both the channel A part and the channel B part of the processing logic to input a channel A signal and channel B-signal, each of the channel A part and the channel B part comprising an AND logic gate receiving a direct signal and a cross check signal and outputting an internal data signal, the cross check signal being provided by a first data exchange channel between the channel A part and the channel B part. In a further embodiment, an output signal associated with each railway crossing logic function is arranged in either a redundant availability implementation or a redundant implementation with diagnostics.
- The invention embodiments allow the processing logic to be implemented in a flexible manner, in order to provide the control system with a sufficiently high availability and reliability depending on the requirements of the specific railway crossing logic function.
- The present invention will be discussed in more detail below, with reference to the attached drawings, in which
- Fig. 1 shows a schematic diagram of a processing logic implementation for a railway crossing function according to an embodiment of the present invention;
- Fig. 2 shows a schematic diagram of a processing logic implementation for a railway crossing function according to a further embodiment of the present invention;
- Fig. 3 shows a schematic diagram of an output part of a processing logic implementation for a railway crossing function according to an embodiment of the present invention;
- Fig. 4 shows a schematic diagram of an output part of a processing logic implementation for a further railway crossing function according to a further embodiment of the present invention;
- Fig. 5 shows a schematic diagram of an output part of a processing logic implementation for an even further railway crossing function according to an even further embodiment of the present invention.
- Railway crossings are nowadays guarded and monitored using warning devices (light, sound) and physical blocking devices (moving barrier), and are controlled remotely and fully automatically. To allow the remote and automatic control of railway crossing devices, various sensors and data exchange to a central rail surveillance center are used. Also, for the various railway crossing related functions, the implementation is such that safety can be guaranteed to as high a level as possible (e.g. using fail-safe design of equipment), but the availability of systems (often expressed as mean time between failure MTBF) is also required to be high. Using conventional control systems, it is possible that some requirements related to safety and availability cannot be met.
- According to the present invention embodiments, the design of a control system for a railway crossing allows a flexible allocation of the system resources, so that a predetermined degree of safety and availability can be obtained for each and every function associated with operation of a railway crossing. Functions associated with a control system of a railway crossing may include, but are not limited to, actuation of the railway gate (closing actuation and opening actuation may be seen as separate functions), actuation of the red warning lights, actuation of warning sounds, actuation of white lights, actuation of a radar device, reception of sensor signals, reception of signal post signals, generation of signal post signals. The railway crossing functions may be implemented as logic functions, using one or more input parameters and providing one or more output signals.
- Depending on requirements, especially the availability of different functions for the control system may vary significantly. For example, the availability for the operation of barriers of a railway crossing may be less stringent than the availability for the operation of the white lights (which indicate to users that it is safe to cross the railway crossing). If the availability is measured in mean time between failure (MTBF) figures in failures per hour, the threshold value for operation of the white lights may be orders of magnitude smaller (e.g. around 1E-10 failures/hour) compared to the function of operation of the barrier (e.g. around 1E-7 failures/hour).
- The present invention embodiments relate to a control system for a railway crossing, wherein the control system comprises a plurality of signal inputs (S) and a plurality of signal outputs (AC), and processing logic (P) connected to the plurality of signal inputs (S) and plurality of signal outputs (AC). The processing logic comprises a channel A part (PA) and a channel B part (PB) for each railway crossing logic function. This is shown in the schematic view of an exemplary implementation in Fig. 1. The plurality of signal inputs S e.g. comprise control input signals and/or sensor input signals, and the plurality of signal outputs AC e.g. comprise signalling output signals and/or actuator drive signals. The plurality of signal inputs (S) are each connected to both the channel A part (PA) and the channel B part (PB) of the processing logic (P) to input a channel A signal (DI-A) and channel B signal (DI-B). This allows two independent executions of logic functions for the railway crossing functions by a first logic server LA in the channel A part PA and a second logic server LB in the channel B part PB, resulting in an increased (redundancy based) safety level. To prevent unwanted system behaviour if a failure were to occur in the input part of the control system, the channel A part PA and channel B part PB are arranged to cross check the input signals. In each channel A, B, the logic servers LA, LB each provide an independent output signal DO-A and DO-B, respectively.
- In the embodiment as shown in Fig. 1, this cross check is implemented by each of the channel A part (PA) and the channel B part (PB) comprising an AND logic gate (AA; AB) receiving a direct signal (DI-A; DI-B) and a cross check signal (DI-A; DI-B) and outputting an internal data signal (DII). The cross check signal (DI-A; DI-B) is provided by a first data exchange channel (SEA) between the channel A part (PA) and the channel B part (PB). The AND logic gates AA, AB ensure that the first channel A cannot unsafely influence the other channel B, and vice versa. In other words, a failure in an input part of one of the channels A, B can never result in using an unsafe value of the input signal DI-A, DI-B in the other channel B, A. The first data exchange channel SEA is e.g. a safe-Ethernet channel as available in many present day processing logic modules, e.g. in the form of a Programmable Logic Control (PLC) unit.
- As shown in the embodiment of Fig. 1, the signal input S (e.g. a sensor signal) is split into two paths, and for each path a signal adaptation unit (TA; TB) is provided, which e.g. is used to convert an AC signal to a DC signal which can be input to the processing logic P. The signal adaptation unit may be implemented as a transformer-rectifier unit. In other words, the plurality of signal inputs (S) are each connected to both the channel A part (PA) and the channel B part (PB) of the processing logic (P) via a separate signal adaptation unit (TA; TB). If the signal input S is already compatible with the processing logic, such signal adaptation units TA, TB need not be present, or are implemented as signal converters, e.g. DC-DC converters.
- In a generic group of embodiments, an output signal (DO) associated with each railway crossing logic is arranged in either a redundant availability implementation (2-out-of-2, or 2oo2) or a redundant implementation with diagnostics (2-out-of-2 with diagnostics, or 2oo2d).
- The exemplary embodiment of Fig. 1 is an example of a redundant availability implementation (2oo2). The output part of the processing logic P comprises an OR logic gate (OR) receiving the railway crossing logic function output signals of the channel A part (DO-A) and of the channel B part (DO-B) for a specific railway crossing logic function, and providing an associated output signal (DO). The redundant channel architecture and output combination logic will thus ensure that if one channel A, B fails, the specific railway crossing function will still be available and function properly. Each channel A, B is arranged to provide a fail-safe implementation of the specific railway crossing function, and the output combination logic ensures that the output signal AC can have an 'unsafe' value if one of both channels A, B has an unsafe value.
- The specific railway crossing logic function comprises one or more of actuation of railway crossing barrier closing; actuation of railway crossing barrier opening; actuation of red lights; actuation of a warning sound; actuation of a traffic radar device. These functions can then be provided with a desired level of safety in combination with a desired availability (e.g. a threshold value of less than 1E-9 failures per hour).
- For railway crossing functions requiring a more stringent availability (e.g. a threshold value of less than 1E-10 failures per hour), a different implementation of the processing logic P is used, of which an exemplary embodiment is shown in the schematic diagram of Fig. 2. In this embodiment, an additional process logic unit is used in the form of diagnostic unit D. The control system as shown further comprises a diagnostic unit (D), and the redundant implementation with diagnostics comprises an OR logic gate (OR) receiving the railway crossing logic function output signals of the channel A part (DO-A) and the channel B part (DO-B) for a specific railway crossing logic function. The diagnostic unit (D) is arranged to receive the railway crossing logic function output signals of the channel A part (DO-A) and the channel B part (DO-B), and to bring the signal output (DO) of the associated specific railway crossing logic function to a safe state if the railway crossing logic function output signals of the channel A part (DO-A) and the channel B part (DO-B) are different. This embodiment makes it possible to reach a higher degree of availability than the implementation shown in Fig. 1, and thus combines a high safety level (redundancy) and high availability. It is noted that the diagnostic unit D does not execute again the specific railway crossing function as executed in both channels A, B, but only checks whether a discrepancy exists between the channel A output part signal DO-A and channel B output part signal DO-B. In case of a detected discrepancy, the output signal DO is then brought to a safe state, enhancing the safety level of this implementation. During normal operation, the output signal DO can only have an unsafe state if the logic servers LA, LB in both channels A, B have calculated that the output should be in an unsafe state.
- Similar to the embodiment shown in Fig. 1 and described above, this implementation allows two independent executions of logic functions for the railway crossing functions by a first logic server LA in the channel A part PA and a second logic server LB in the channel B part PB, resulting in an increased (redundancy based) safety level. The additional control of the output signals by the diagnostic unit D allows an even further increased safety level, as well as an even better availability (i.e. a lower threshold value of 1E-10 or even 1E-11 failures per hour).
- In the embodiment shown in Fig. 2, the diagnostic unit (D) is connected to railway crossing logic function output signals of the channel A part (DO-A) and of the channel B part (DO-B) via a respective second data exchange channel (SD-A; SD-B). Again, this data exchange channel SD-A, SD-B may be implemented as a safe Ethernet channel.
- In a further embodiment, the diagnostic unit (D) is further arranged to provide an alert signal if the signal outputs of the channel A part (DO-A) and the channel B part (DO-B) are different. This alert signal may be provided locally, but can also be logged, or communicated to a remote location (e.g. a central railway monitoring station).
- The specific railway crossing logic function implemented in this type of processing logic P comprises one or more of: actuation of white lights; output signals to a signal post.
- The related signals as used in an exemplary embodiment of the present invention, and related to the specific railway crossing logic functions, include: control signal for railway crossing DA, control signal indicating that railway crossing is safely closed KFX, control signal for deactivating railway crossing annunciation RHS, control signal for activating railway crossing annunciation NRHS, control signal for white lights for traffic CLP, control signal for red lights for traffic CLR, control signal for barriers NCB, CB, control signal for alarm bells CSB, remote alarm signal RA/Ra, and control signal for red light monitoring of traffic Radar.
- If one channel A, B would become unavailable (e.g. due to a malfunction), the processing logic for that specific railway crossing logic function is still operable, however, the diagnostic unit D can then no longer execute the monitoring function of both channels, but only of the remaining channel A, B. If the diagnostic unit D would become unavailable, the specific railway crossing logic function is still operative. In a further embodiment, the diagnostic unit (D) is further arranged to execute a self-test, e.g. using an output of the OR logic gate as shown in
Fig. 2 as an additional input. This fail-operational conditions should however not last too long, in order to meet prescribed safety levels. In a further embodiment, the processing logic (P) is arranged to generate a warning signal if the diagnostic unit (D) is non-functional for more than a predetermined time period. - As shown in the exemplary embodiment of
Fig. 2 , the processing logic P may further comprise a switch (R) (e.g. a solid state switch such as a relais) connected to the diagnostic unit (D), wherein the switch (R) is arranged to bring the signal output (DO) of the associated specific railway crossing logic function to a safe state. To further enhance reliability (and safety), the diagnostic unit D may be arranged to periodically check the switch for proper functioning. -
Fig. 3 shows an exemplary implementation of the output combinatory logic for the sound warning system S of a railway crossing. The channel A part PA of the processing logic P provides an output signal DO-A, and the channel B part PB of the processing logic P provides an output signal DO-B, both of which are input to an OR gate, which then provides the output signal AC for the sound warning system S. The warning sound will thus be generated in one of the channels A, B or both channels A, B have established that a warning sound must be generated. -
Fig. 4 shows an exemplary implementation of the output combinatory logic for the barrier operation CB, NCB of a railway crossing, which is a complementary function (close barrier signal, or a not close barrier (open barrier) signal. The channel A part PA of the processing logic P in this case provides an output signal DO-A+ and an inverted output signal DO-A-, and the channel B part PB of the processing logic P provides an output signal DO-B+ and an inverted output signal DO-B-. For the closing barrier function CB, the inverted output signals DO-A- and DO-B- are combined in an OR gate, and for the open barrier function NCB, the output signals DO-A+ and DO-B+ are combined in an OR gate. The respective signals CB, NCB are then provided to the barrier actuators. -
Fig. 5 shows an exemplary implementation of the output combinatory (and diagnostic) logic for the output of signals to a (remote) signal post, which requires the highest level of safety and availability. The output signal AC is eventually provided as an actuation of a relais DA. The channel A part PA of the processing logic P provides an output signal DO-A, and the channel B part PB of the processing logic P provides an output signal DO-B, both of which are input to an OR gate and to the diagnostic unit D via safe Ethernet channels SD-A, SD-B. Furthermore, an output of the diagnostic unit D is connected to relais R, which would allow the diagnostic unit to bring the output signal AC to a safe state. Furthermore, the output signal AC is also fed back to the diagnostic unit D, as indicated here via a transformer TO. - To be able to have sufficiently high reliability of the control system for the railway crossing, the processing logic (P) comprises a programmable logic control (PLC) unit having a reliability level in accordance with a safety integrity level SIL-4. In an embodiment, each of the channel A part PA, channel B part PB, and the diagnostic unit D are implemented in a separate SIL-4 PLC unit. Each PLC unit may be connected to one or more remote I/O units, if the available number of I/O ports on the PLC unit are not sufficient to implement all needed railway crossing functions and associated signal inputs S and signal outputs AC. The interconnection between a PLC unit and remote I/O unit can be bus based, e.g. using a safe Ethernet connection. In a further embodiment the PLC units may also be connected to a (local) data logging module via a separate local network connection.
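The 2oo2 and 2oo2d output stages described above, modelled as an added example that is not code from the patent. The de-energized output as safe state, the predetermined period counted in scan cycles, the fallback when both channels are lost, and all Python names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

SAFE_STATE = False  # assumption: the de-energized output is the safe state


@dataclass
class Result:
    do: bool       # signal output DO after the OR gate and switch R
    alert: bool    # alert signal from D: DO-A and DO-B differ
    warning: bool  # warning signal: D non-functional for too long


def output_2oo2(do_a: bool, do_b: bool) -> bool:
    """Redundant availability implementation: OR gate only, no diagnostics."""
    return do_a or do_b


@dataclass
class OutputStage2oo2d:
    """OR gate supervised by diagnostic unit D, which drives switch R."""
    max_d_down_cycles: int = 3  # assumption: the "predetermined time period"
    _d_down: int = field(default=0, init=False)

    def step(self, do_a: Optional[bool], do_b: Optional[bool],
             d_ok: bool = True) -> Result:
        """One scan cycle; None marks a channel that is unavailable."""
        live = [v for v in (do_a, do_b) if v is not None]
        if not live:
            # Not covered by the text; this model falls back to the safe state.
            return Result(SAFE_STATE, alert=False, warning=False)
        or_out = any(live)  # OR gate over the channels still running
        if not d_ok:
            # D unavailable: the function stays operative, but unsupervised.
            self._d_down += 1
            return Result(or_out, False, self._d_down > self.max_d_down_cycles)
        self._d_down = 0
        # D can only compare when both channels deliver an output.
        differ = len(live) == 2 and do_a != do_b
        # On a mismatch D opens switch R, overriding the OR gate.
        return Result(SAFE_STATE if differ else or_out, differ, False)


def run_trace(trace, max_d_down_cycles=3):
    """Replay (DO-A, DO-B, D healthy) tuples through one stage."""
    stage = OutputStage2oo2d(max_d_down_cycles)
    return [stage.step(a, b, ok) for a, b, ok in trace]


# Constructed trace: agreement, mismatch, channel A lost, then D down 3 cycles.
TRACE = [(True, True, True), (True, False, True), (None, True, True),
         (True, True, False), (True, True, False), (True, True, False)]

if __name__ == "__main__":
    for inputs, res in zip(TRACE, run_trace(TRACE, max_d_down_cycles=2)):
        print(inputs, "->", res)
```

On the mismatch cycle the plain 2oo2 OR gate would still assert the output, while the 2oo2d stage drops it to the safe state and raises the alert.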
- The present invention has been described above with reference to a number of exemplary embodiments as shown in the drawings. Modifications and alternative implementations of some parts or elements are possible, and are included in the scope of protection as defined in the appended claims.
Claims (14)
- Control system for a railway crossing,
wherein the control system comprises a plurality of signal inputs (S) and a plurality of signal outputs (AC), and processing logic (P) connected to the plurality of signal inputs (S) and plurality of signal outputs (AC), the processing logic comprising a channel A part (PA) and a channel B part (PB) for each railway crossing logic function,
wherein the plurality of signal inputs (S) are each connected to both the channel A part (PA) and the channel B part (PB) of the processing logic (P) to input a channel A signal (DI-A) and channel B signal (DI-B),
each of the channel A part (PA) and the channel B part (PB) comprising an AND logic gate (AA; AB) receiving a direct signal (DI-A; DI-B) and a cross check signal (DI-AtoB; DI-BtoA) and outputting an internal data signal (DII),
the cross check signal (DI-AtoB; DI-BtoA) being provided by a first data exchange channel (SE-A) between the channel A part (PA) and the channel B part (PB).
- Control system according to claim 1, wherein an output signal (DO) associated with each railway crossing logic function is arranged in either a redundant availability implementation, 2oo2, or a redundant implementation with diagnostics, 2oo2d.
- Control system according to claim 2, wherein the redundant availability implementation, 2oo2, comprises an OR logic gate (OR) receiving the output signals of the channel A part (DO-A) and the channel B part (DO-B) for a specific railway crossing logic function, and providing an associated output signal (DO).
- Control system according to claim 3, wherein the specific railway crossing logic function comprises one or more of:
actuation of railway crossing barrier closing; actuation of railway crossing barrier opening; actuation of red lights; actuation of warning sound; actuation of traffic radar device.
- Control system according to claim 2, wherein the control system further comprises a diagnostic unit (D), and the redundant implementation with diagnostics comprises
an OR logic gate (OR) receiving the output signals of the channel A part (DO-A) and the channel B part (DO-B) for a specific railway crossing logic function, and
wherein the diagnostic unit (D) is arranged to receive the railway crossing logic function output signals of the channel A part (DO-A) and the channel B part (DO-B), and to bring the signal output (DO) of the associated specific railway crossing logic function to a safe state if the railway crossing logic function output signals of the channel A part (DO-A) and the channel B part (DO-B) are different.
- Control system according to claim 5, wherein the diagnostic unit (D) is connected to railway crossing logic function output signals of the channel A part (DO-A) and of the channel B part (DO-B) via a respective second data exchange channel (SD-A; SD-B).
- Control system according to claim 5 or 6, wherein the diagnostic unit (D) is further arranged to provide an alert signal if the signal outputs of the channel A part (DO-A) and the channel B part (DO-B) are different.
- Control system according to any one of claims 5-7, wherein the specific railway crossing logic function comprises one or more of:
actuation of white lights; output signals to a signal post.
- Control system according to any one of claims 5-8, wherein the diagnostic unit (D) is further arranged to execute a self-test.
- Control system according to any one of claims 5-9, wherein the processing logic (P) is arranged to generate a warning signal if the diagnostic unit (D) is non-functional for more than a predetermined time period.
- Control system according to any one of claims 5-10, further comprising a switch (R) connected to the diagnostic unit (D), wherein the switch (R) is arranged to bring the signal output (DO) of the associated specific railway crossing logic function to a safe state.
- Control system according to any one of claims 1-11, wherein the plurality of signal inputs (S) are each connected to both the channel A part (PA) and the channel B part (PB) of the processing logic (P) via a separate signal adaptation unit (TA; TB).
- Control system according to any one of claims 1-12, wherein the processing logic (P) comprises a programmable logic control (PLC) unit having a reliability level in accordance with SIL-4.
- Control system according to claim 13, wherein a PLC unit is connected to one or more remote I/O units.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
NL2019206A NL2019206B1 (en) | 2017-07-10 | 2017-07-10 | Control system for a railway crossing |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3428037A1 (en) | 2019-01-16 |
Family
ID=60923848
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18182560.5A Withdrawn EP3428037A1 (en) | 2017-07-10 | 2018-07-10 | Control system for a railway crossing |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP3428037A1 (en) |
NL (1) | NL2019206B1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19832060A1 (en) * | 1998-07-16 | 2000-01-20 | Siemens Ag | Double processing unit |
DE102012201803A1 (en) * | 2012-02-07 | 2013-08-08 | Siemens Aktiengesellschaft | Security relevant system |
EP2824572A1 (en) * | 2013-07-12 | 2015-01-14 | Thales Deutschland GmbH | Fail safe device and method for operating the fail safe device |
WO2016142159A1 (en) * | 2015-03-11 | 2016-09-15 | Siemens Aktiengesellschaft | Safety-relevant computer system |
Non-Patent Citations (2)
Title |
---|
BRENNER K ET AL: "SIRES - Sicheres Rechnersystem als Plattform für die BÜ-Sicherungstechnik der Zukunft", SIGNAL + DRAHT, DVV, vol. 101, no. 11, 1 November 2009 (2009-11-01), pages 30 - 34, XP001549362, ISSN: 0037-4997 * |
EUE W ET AL: "SIMIS-C - DIE KOMPAKTVERSION DES SICHEREN MIKROCOMPUTER-SYSTEMS SIMIS", SIGNAL + DRAHT, DVV, vol. 79, no. 4, 1 April 1987 (1987-04-01), pages 81 - 85, XP000744323, ISSN: 0037-4997 * |
Also Published As
Publication number | Publication date |
---|---|
NL2019206B1 (en) | 2019-01-16 |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
AX | Request for extension of the european patent | Extension state: BA ME |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
17P | Request for examination filed | Effective date: 20190716 |
RBV | Designated contracting states (corrected) | Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
17Q | First examination report despatched | Effective date: 20210625 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: VOLKERWESSELS INTELLECTUELE EIGENDOM B.V. |
GRAP | Despatch of communication of intention to grant a patent | Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: GRANT OF PATENT IS INTENDED |
INTG | Intention to grant announced | Effective date: 20220831 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn | Effective date: 20230111 |