EP3549842A1 - Train traffic control system and method for safe displaying a state indication of a route and train control system - Google Patents

Train traffic control system and method for safe displaying a state indication of a route and train control system Download PDF

Info

Publication number
EP3549842A1
EP3549842A1 EP18177217.9A EP18177217A EP3549842A1 EP 3549842 A1 EP3549842 A1 EP 3549842A1 EP 18177217 A EP18177217 A EP 18177217A EP 3549842 A1 EP3549842 A1 EP 3549842A1
Authority
EP
European Patent Office
Prior art keywords
control system
indication
safe
train
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP18177217.9A
Other languages
German (de)
French (fr)
Other versions
EP3549842B9 (en
EP3549842B1 (en
Inventor
Michael Schäfer
Abhay TIPLÉ
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
GTS Deutschland GmbH
Original Assignee
Thales Management and Services Deutschland GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=62620726&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=EP3549842(A1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Priority claimed from EP18166202.4A external-priority patent/EP3549841B1/en
Application filed by Thales Management and Services Deutschland GmbH filed Critical Thales Management and Services Deutschland GmbH
Priority to HRP20220827TT priority Critical patent/HRP20220827T1/en
Priority to SI201830714T priority patent/SI3549842T1/en
Priority to RS20220616A priority patent/RS63339B9/en
Publication of EP3549842A1 publication Critical patent/EP3549842A1/en
Application granted granted Critical
Publication of EP3549842B1 publication Critical patent/EP3549842B1/en
Publication of EP3549842B9 publication Critical patent/EP3549842B9/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L19/00Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06Interlocking devices having electrical operation
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L21/00Station blocking between signal boxes in one yard
    • B61L21/06Vehicle-on-line indication; Monitoring locking and release of the route
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L25/00Recording or indicating positions or identities of vehicles or trains or setting of track apparatus
    • B61L25/06Indicating or recording the setting of track apparatus, e.g. of points, of signals
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/20Trackside control of safe travel of vehicle or train, e.g. braking curve calculation
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/30Trackside multiple control systems, e.g. switch-over between different systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/50Trackside diagnosis or maintenance, e.g. software upgrades
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L19/00Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06Interlocking devices having electrical operation
    • B61L2019/065Interlocking devices having electrical operation with electronic means

Definitions

  • the invention concerns a train traffic control system comprising a route and train control system, an operator workstation with a display, and a safe state indication component with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system on the display of the operator workstation.
  • the invention further concerns a method for safe displaying a state indication of a route and train control system.
  • Route and train control systems are adapted to manage safely routes and movement-authorities in railway networks for running trains and to control protect and protect trains from running to fast or beyond their end of movement-authority.
  • Typical route and train control systems are for example interlocking systems, radio-block-centers or similar systems.
  • Traffic management systems comprise human machine interfaces for operating route and train control systems by a human operator.
  • the route and train control system receives commands from the traffic management system concerning regular operation as well as concerning safety critical operations.
  • Safety critical operations are carried out by using the route and train control system in special operational situations or in case of disturbances.
  • safety critical operations are instructed by the operator while bypassing elements of the route and train control system (e.g. the radio block center or the interlocking system).
  • safety critical operations are operator actions, e.g. safety critical route clearing, safety critical point change, etc. with which the operator can circumvent a safe setting of the system.
  • a method for secure transmission of data is disclosed in [2].
  • a method for verifying correct data transfer is disclosed in [3].
  • the operator workstation comprises at least one basic integrity indication component with safety level SILO for indicating information with a basic integrity on the display.
  • An indication server is provided comprising a safe state indication component with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system on the display of the operator workstation, wherein the safe state indication component is functionally independent of the operator workstation.
  • a safe channel is provided connecting the safe state indication server and the display for safe transmission of safety-related information about the state of elements of the route train control system.
  • the basic integrity indication components and the safe state indication component are software components, i.e. encapsulated building blocks of software.
  • the basic integrity indication component indicates any type of information with basic integrity, such as delay of a train or the weather conditions, of a train traffic control system on a display to inform an operator about the respective conditions of the train traffic control system, the controlled route and train control system and their elements with a safety-integrity-level SILO.
  • Elements of the route and train control system can be e.g. field elements (points, signals, track vacancy detection systems, level crossings, etc.), logical elements (routes, movement authorities, line block systems, etc.), train related elements (train parameters like speed or length of a train, etc.) or area related elements (zones for temporary speed restrictions, working areas of maintenance staff, responsibility areas of a specific operator etc.).
  • the safe state indication component generates graphical data (indication data) in order to indicate safety related states of the train traffic control system, the controlled route and train control system and their elements with a safety-integrity-level SIL>0, in particular SIL4 to inform an operator reliably about these states. Safety related operations can be executed based on these indications.
  • the basic integrity indication component is integrated in the operator workstation, whereas the safe state indication component is functionally independent of the operator workstation.
  • the function for generating indication data of safety-related information concerning the state of elements of the route train control system (state data) is outsourced from the operator workstation, i.e. the safe state indication component is functionally separated from the basic integrity indication component and can (but doesn't have to) be installed in separate locations.
  • the SILO basic integrity indication components on the safe state indication component can be ensured more easily.
  • the operator workstation comprises only low safety components the operator workstation can be designed with basic integrity (in particular SILO), which is much cheaper compared to the high safety operator workstation known from the state of the art.
  • the inventive traffic control system enables safe indication of states of elements of the route and train control system on the display of the operator workstation at low cost.
  • the transmission of safety-related information about the state of elements of the route train control system between the safe state indication component and the display is realized by providing a safe channel (communication channel between the indication server and the display) that transmits graphical indication data to the display and checksum information to the safe state indication component.
  • a safe channel communication channel between the indication server and the display
  • the procedures to ensure safe communications via this channel are implemented according the relevant standards (e.g. EN 50159) and the required safety integrity level.
  • the safe state indication component is integrated in the route and train control system, i.e. in a sub-center of the train traffic control system. No further computer is required in this case, which makes this embodiment cost effective. Yet, an additional function has to be integrated in all route and train control systems, which are to be controlled by the train traffic, control system.
  • the safe state indication component can be integrated in an indication server.
  • the indication server can be part of the route and train control system. This is in particular advantageous in case no overall Control Centre exists and only one (small) route and train control system has to be controlled.
  • the system comprises a control center, wherein the indication server is integrated in the control center.
  • This embodiment is advantageous in cases where existing route and train control system (for example from different suppliers) shall be controlled, since no further functions have to be integrated in the route and train control system.
  • Control centers are known e.g. from DB "Betriebswin” or “Steuerdog” respectively and handle the tasks of controlling, securing and dispositioning of railway operations.
  • the indication server is integrated in a remote computer center (remote from the display). This allows the usage of thin-clients for the operator workstation (to reduce the amount of needed energy, noise and space in the control center).
  • the remote computer center can be part of the control center.
  • the indication server is procedure-protected, i.e. the necessary safety integrity level is achieved by a procedure that, on the one hand, integrates the human user (operator) and, on the other hand, is controlled by a component of the route and train control system.
  • Common industrial computer can be used as indication server.
  • the indication server can be a composite fail-safety server.
  • the indication server is a multi-channel server having a 2002 or 2003 architecture.
  • Safety level SIL4 can be achieved with this embodiment.
  • the operator workstation is integrated in a traffic management system.
  • the traffic management system may comprise further functions for managing train operation, e.g. delay detection, detection of train occupancy conflicts, (automatic) conflict resolution, management of resources such as maintenance area staff along the route, integration of telecommunications and video surveillance.
  • the safe channel is routed through the operator workstation.
  • no further computer is required for transmission of the safety-related information.
  • state data are transmitted and processed in the workstation leading to an overall safety integrity SIL>0 for the workstation itself
  • the present invention uses the workstation only as a "grey channel" which is secured by a procedure leading to no additional safety integrity needs for the workstation itself. This reduces the development costs.
  • the safe state indication component is adapted to calculate a first checksum of the indication data generated by the safe state indication component and is further adapted to carry out a checksum comparison and/or a pixel comparison of pixmap data.
  • the safe state indication component is preferably adapted to download a read back component from a browser of the operator workstation.
  • the invention also concerns a method for safe displaying safety-related information concerning the state indication of a route and train control system at an operator workstation of a train traffic control system as described above, wherein state data comprising the safety relevant information is transformed into graphical indication data within the state indication component with safety level SIL>0 which is independent (functionally separated) from the basic integrity indication components with safety level SILO of the operator workstation, and wherein the indication data are transmitted to a display by via the safe channel.
  • Safety-related information is transmitted from the route and train control system to the indication server.
  • the indication server generates graphical data (indication data) from the safety-related information, which are then sent to the display of the operator workstation via the safe channel.
  • Graphical data of information with basic integrity are generated within the operator workstation.
  • the graphical data of information with basic integrity are then transmitted within the operator workstation to the display.
  • the safe channel is routed through operator workstation.
  • the safe channel is at least partially part of the operator workstation.
  • the state data is transformed to pixmap indication data and the pixmap indication data are transmitted to the display by using a method for verifying correct transfer of pixmap data.
  • the method for verifying correct transfer of pixmap data preferably comprises:
  • the indication data generated by the safe state component is displayed in a web-browser of the operator workstation to provide the necessary flexibility.
  • a preferred variant provides that the displayed indication data are read back, in particular by generating pixmap data.
  • the safe state indication component generates a first checksum of the indication data
  • the browser generates a second checksum of the read back data and transmits the second checksum to the safe state indication component via the safe channel
  • the safe state indication component compares the first checksum and the second checksum.
  • the checksum comparison is carried out remote from the operator workstation to separate the safety related comparison from the SILO operator workstation.
  • the browser transmits the read back data to the safe state indication component via the safe channel and the safe state indication component compares the read back data with the indication data (pixel comparison).
  • the present invention realizes a procedure based safe graphical indication of a route and train control system state in a SILO traffic management system.
  • safety related route and train control systems e.g. interlockings, signaling systems can be controlled from SILO traffic management systems.
  • the inventive traffic control system enables execution of safety critical operations in a safety critical system with reduced cost, in particular the execution of safety critical operations which require a safe display of the state of the route and train control system, e.g. because the route and train control system is bypassed by executing the respective safety critical operation.
  • Fig. 1 shows an architecture of a traffic control system according to the state of the art.
  • the traffic control system comprises a route and train control system RTCS and an operator workstation OW' with a display D.
  • the operator workstation OW' comprises basic integrity indication components BIC with safety level SILO for indicating information on the display D with a basic integrity (railway traffic management data).
  • the operator workstation OW' further comprises a safe state indication component SSC with safety level SIL>0 for processing state data (safety relevant information concerning states of elements of the route and train control system RTCS).
  • the state data are transmitted from the route and train control system RTCS to the safe state indication component SSC of the operator workstation OW'.
  • the safe state indication component SSC transforms the state data into graphical data and thus generates indication data, which is then displayed at the display D.
  • Information with basic integrity is transmitted from the route and train control system RTCS to the operator workstation OW via channel C1.
  • Safety relevant information (state data) however is transmitted to the safe state indication component SSC via a separate channel C2 in order to generate according graphical indication data.
  • the transmission channel C2 is a secured channel, e.g. secured by means of a security gateway in order to avoid manipulation of the state data.
  • the indication data is transferred from the safe state indication component SSC to the display D of the operator workstation. In order to avoid falsification of indication data due to malfunction of hardware or software, the data transfer is carried out via a safe channel C3.
  • the safe state indication component SSC can either be executed by an indication server IS as shown in Fig. 2 , Fig. 3 and Fig. 5 (i.e. an additional computer is provided for executing the safe state indication component SSC) or by a secured partition of an already existing computer of the traffic control system, as shown in Fig. 4 .
  • the safe state indication component SSC is integrated in a control center CC together with the operator workstation OW. Non-intrusiveness between operator workstation OW and safe state indication component SSC is ensured by providing a separate computer (indication server IS) for executing the safe state indication component SSC.
  • the safe state indication component SSC in the control center CC it is also possible to integrate the safe state indication component SSC in the route and train control system RTCS, either executable by the indication server ( Fig. 3 ) or by an existing computer of the RTCS itself ( Fig. 4 ). If several route and train control systems RTCS are operated by the traffic control system, each of the route and train control systems RTCS has to be equipped with an according safe state indication component SCC.
  • the indication server IS with the safe state indication component SSC is integrated in a computer center RZ, which can be located remote from the operator workstation OW.
  • Fig. 6 shows the architecture of a traffic control system using a web-based operator workstation.
  • the operator workstation comprises a browser B and a read back component R.
  • the safe state indication component SSC is adapted to download the read back component R from the operator workstation OW.
  • the displayed indication data are read back (read back data) and transmitted to the safe state indication component SSC.
  • the steps below describe the realization of a highly preferred variant of the inventive method by means of the traffic control system shown in Fig. 6 .
  • the according method steps are preferably executed anytime the operator uses the browser to execute safety critical commands.
  • the safety critical commands might also be executed explicitly on demand through a dedicated user interaction mechanism (button, drop down button etc.).
  • the preferred method steps are as follows:
  • the inventive solution is based on the idea of outsourcing the SIL>0 safe state indication component SSC from the operator workstation OW and to set-up a safe channel C3 (e.g. by applying remote desktop protocols) enhanced with safety measures, in particular according to EN50159.
  • This safe channel C3 is preferably routed through the operator workstation OW wherein a method for verifying correct data transfer is used.
  • the invention realizes safe graphical indication of states of elements of the railway control system (e.g. interlocking, RBC,...) in an operator workstation OW, in particular within a traffic management system TMS that provides (only) a SILO environment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The inventive train traffic control system comprises a route and train control system (RTCS), an operator workstation (OW) with a display (D), wherein the operator workstation (OW) comprises at least one basic integrity indication component (BIC) with safety level SIL0 for indicating information with a basic integrity on the display (D), and a safe state indication component (SSC) with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system (RTCS) on the display of the operator workstation (OW), wherein the safe state indication component (SSC) is functionally independent of the operator workstation (OW), and a safe channel (C) connecting the safe state indication component (SSC) and the display (D) for safe transmission of safety-related information about the state of elements of the route train control system (RTCS). The inventive train traffic control system realizes the required high safety level for safe state indication and allows considerable cost reduction and flexibility.

Description

    Background of the invention
  • The invention concerns a train traffic control system comprising a route and train control system, an operator workstation with a display, and a safe state indication component with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system on the display of the operator workstation. The invention further concerns a method for safe displaying a state indication of a route and train control system.
  • An according train traffic control system is known from [1]
  • Route and train control systems are adapted to manage safely routes and movement-authorities in railway networks for running trains and to control protect and protect trains from running to fast or beyond their end of movement-authority. Typical route and train control systems are for example interlocking systems, radio-block-centers or similar systems.
  • Remote control for controlling interlocking systems and other route and train control systems via traffic management systems getting increasingly important. Traffic management systems comprise human machine interfaces for operating route and train control systems by a human operator. The route and train control system receives commands from the traffic management system concerning regular operation as well as concerning safety critical operations. Safety critical operations are carried out by using the route and train control system in special operational situations or in case of disturbances. In contrast to regular operations for which the admissibility can be checked at any time by the route and train control system, safety critical operations are instructed by the operator while bypassing elements of the route and train control system (e.g. the radio block center or the interlocking system). I.e. safety critical operations are operator actions, e.g. safety critical route clearing, safety critical point change, etc. with which the operator can circumvent a safe setting of the system.
  • For controlling safety critical operations, high safety requirements have to be fulfilled. In some cases customers require not only a safety critical operation of a route and train control system, but also a safe state indication of the states of the route and train control system, e.g. in case of safety critical operations which bypass the interlocking system, such as "schriftlicher Befehl" and operation of a "Ersatzsignal". "Schriftlicher Befehl" is an order from the operator to bypass a route and train control system manually, which has to be given to the train staff or recorded in written form in case of e.g. an operational failure. "Ersatzsignal" is an additional signal, which replaces the order for passing a stop sign. By executing such safety critical operations, the operator can circumvent a safe setting of the system. The basis for decision of the operator whether to execute such a safety critical operation is the state of the route and train control system indicated at the display of the operator workstation. It is therefore an essential requirement that the state of the route and train control system is displayed correctly. According operator workstations, which fulfill the required safety integrity level (typically SIL2, sometimes even SIL4), have been developed [1], [2], [3].
  • Customers now require more and more the integration of additional non-safety related functionality or SILO functions in operator workstations [4]. Yet, this results in large efforts, because it must be ensured that the SILO components are non-intrusive ("rückwirkungsfrei") to the SIL>0 environment of the operator workstation. This however results in high hardware costs for this dedicated computer and also in high costs for software development, integration and test, because all these components have to developed according a high safety integrity level (typically SIL4) according the standard EN 50128 [5].
  • Existing solutions provide only low flexibility and do not meet the customer's requirements. In particular customers request for a flexible operation web-based user interfaces. Users should have the possibility not only to operate the RTCS from central operator workstation but also from mobile devices. A web-based user interface is an adaptable solution that provides the necessary flexibility.
  • A method for secure transmission of data is disclosed in [2]. A method for verifying correct data transfer is disclosed in [3].
    • Object of the invention
  • It is an object of the invention to suggest a train traffic control system, which on the one hand realizes the required high safety level for safe state indication and on the other hand allows considerable cost reduction and flexibility.
    • Description of the invention
  • This object is solved by a train traffic control system according to claim 1 and a method according to claim 10.
  • According to the invention, the operator workstation comprises at least one basic integrity indication component with safety level SILO for indicating information with a basic integrity on the display. An indication server is provided comprising a safe state indication component with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system on the display of the operator workstation, wherein the safe state indication component is functionally independent of the operator workstation. Further, a safe channel is provided connecting the safe state indication server and the display for safe transmission of safety-related information about the state of elements of the route train control system.
  • The basic integrity indication components and the safe state indication component are software components, i.e. encapsulated building blocks of software.
  • The basic integrity indication component indicates any type of information with basic integrity, such as delay of a train or the weather conditions, of a train traffic control system on a display to inform an operator about the respective conditions of the train traffic control system, the controlled route and train control system and their elements with a safety-integrity-level SILO. Elements of the route and train control system can be e.g. field elements (points, signals, track vacancy detection systems, level crossings, etc.), logical elements (routes, movement authorities, line block systems, etc.), train related elements (train parameters like speed or length of a train, etc.) or area related elements (zones for temporary speed restrictions, working areas of maintenance staff, responsibility areas of a specific operator etc.).
  • The safe state indication component generates graphical data (indication data) in order to indicate safety related states of the train traffic control system, the controlled route and train control system and their elements with a safety-integrity-level SIL>0, in particular SIL4 to inform an operator reliably about these states. Safety related operations can be executed based on these indications.
  • According to the invention, the basic integrity indication component is integrated in the operator workstation, whereas the safe state indication component is functionally independent of the operator workstation. In other words, the function for generating indication data of safety-related information concerning the state of elements of the route train control system (state data) is outsourced from the operator workstation, i.e. the safe state indication component is functionally separated from the basic integrity indication component and can (but doesn't have to) be installed in separate locations. Thus, non-intrusiveness of the SILO basic integrity indication components on the safe state indication component can be ensured more easily. Since the operator workstation comprises only low safety components the operator workstation can be designed with basic integrity (in particular SILO), which is much cheaper compared to the high safety operator workstation known from the state of the art. Thus, the inventive traffic control system enables safe indication of states of elements of the route and train control system on the display of the operator workstation at low cost.
  • The transmission of safety-related information about the state of elements of the route train control system between the safe state indication component and the display is realized by providing a safe channel (communication channel between the indication server and the display) that transmits graphical indication data to the display and checksum information to the safe state indication component. The procedures to ensure safe communications via this channel are implemented according the relevant standards (e.g. EN 50159) and the required safety integrity level.
  • At the display of the operator workstation both, information with basic integrity as well as safety-related information, in particular safe state indication of the route and train control system is displayed to the operator.
  • In a special embodiment of the inventive train traffic control system the safe state indication component is integrated in the route and train control system, i.e. in a sub-center of the train traffic control system. No further computer is required in this case, which makes this embodiment cost effective. Yet, an additional function has to be integrated in all route and train control systems, which are to be controlled by the train traffic, control system.
  • The safe state indication component can be integrated in an indication server. The indication server can be part of the route and train control system. This is in particular advantageous in case no overall Control Centre exists and only one (small) route and train control system has to be controlled.
  • In an alternative embodiment, the system comprises a control center, wherein the indication server is integrated in the control center. This embodiment is advantageous in cases where existing route and train control system (for example from different suppliers) shall be controlled, since no further functions have to be integrated in the route and train control system. Control centers are known e.g. from DB "Betriebszentrale" or "Steuerzentrale" respectively and handle the tasks of controlling, securing and dispositioning of railway operations.
  • In a further alternative embodiment, the indication server is integrated in a remote computer center (remote from the display). This allows the usage of thin-clients for the operator workstation (to reduce the amount of needed energy, noise and space in the control center). The remote computer center can be part of the control center.
  • Preferably, the indication server is procedure-protected, i.e. the necessary safety integrity level is achieved by a procedure that, on the one hand, integrates the human user (operator) and, on the other hand, is controlled by a component of the route and train control system. Common industrial computer can be used as indication server.
  • Alternatively, the indication server can be a composite fail-safety server. I.e. the indication server is a multi-channel server having a 2002 or 2003 architecture. Safety level SIL4 can be achieved with this embodiment.
  • Preferably, the operator workstation is integrated in a traffic management system. The traffic management system may comprise further functions for managing train operation, e.g. delay detection, detection of train occupancy conflicts, (automatic) conflict resolution, management of resources such as maintenance area staff along the route, integration of telecommunications and video surveillance. By integrating the operator workstation in a traffic management system, only one set of input devices (mouse, keyboard etc.) is required for controlling the train traffic. So one operator is able to manage the top-level train operation as well as perform the safety critical operations that require the safe indication.
  • In a highly preferred embodiment, the safe channel is routed through the operator workstation. In this case, no further computer is required for transmission of the safety-related information. While, according to the state of the art, state data are transmitted and processed in the workstation leading to an overall safety integrity SIL>0 for the workstation itself, the present invention uses the workstation only as a "grey channel" which is secured by a procedure leading to no additional safety integrity needs for the workstation itself. This reduces the development costs.
  • In a highly preferred embodiment the safe state indication component is adapted to calculate a first checksum of the indication data generated by the safe state indication component and is further adapted to carry out a checksum comparison and/or a pixel comparison of pixmap data.
  • The safe state indication component is preferably adapted to download a read back component from a browser of the operator workstation.
  • The invention also concerns a method for safe displaying safety-related information concerning the state indication of a route and train control system at an operator workstation of a train traffic control system as described above, wherein state data comprising the safety relevant information is transformed into graphical indication data within the state indication component with safety level SIL>0 which is independent (functionally separated) from the basic integrity indication components with safety level SILO of the operator workstation, and wherein the indication data are transmitted to a display by via the safe channel.
  • Safety-related information is transmitted from the route and train control system to the indication server. The indication server generates graphical data (indication data) from the safety-related information, which are then sent to the display of the operator workstation via the safe channel.
  • Graphical data of information with basic integrity however are generated within the operator workstation. The graphical data of information with basic integrity are then transmitted within the operator workstation to the display.
  • In a highly preferred variant, the safe channel is routed through operator workstation. In this case, the safe channel is at least partially part of the operator workstation.
  • Preferably, the state data is transformed to pixmap indication data and the pixmap indication data are transmitted to the display by using a method for verifying correct transfer of pixmap data. The method for verifying correct transfer of pixmap data preferably comprises:
    1. a) modifying at least one property of a fixed number of pixels selected from the pixmap indication data in a first memory, the selection being performed in a random way,
    2. b) transferring the pixmap indication data comprising the modified pixels from the first memory to a second memory,
    3. c) reading back the modified pixels from the second memory, and
    4. d) comparing the read-back modified pixels to the modified pixels of the first memory for verifying the correct transfer of the pixmap indication data, wherein the at least one property is modified in such a way that the modification is not observable when displaying the modified pixels on the graphical display. An according method is described in [3].
  • In a highly preferred variant the indication data generated by the safe state component is displayed in a web-browser of the operator workstation to provide the necessary flexibility.
  • In order to verify that the visualization of the indication data in the browser is indeed what was intended to be displayed, a preferred variant provides that the displayed indication data are read back, in particular by generating pixmap data.
  • In a highly preferred variant the safe state indication component generates a first checksum of the indication data, the browser generates a second checksum of the read back data and transmits the second checksum to the safe state indication component via the safe channel, and the safe state indication component compares the first checksum and the second checksum. Thus, it can be checked whether the transmission of the indication data to the browser and the displaying of the transmitted indication data has been correct. According to this embodiment the checksum comparison is carried out remote from the operator workstation to separate the safety related comparison from the SILO operator workstation.
  • Alternatively or in addition the browser transmits the read back data to the safe state indication component via the safe channel and the safe state indication component compares the read back data with the indication data (pixel comparison).
  • To avoid a false-positive error comparison, algorithms that check only a few pixels (e.g. according to [3]) or morphological comparison algorithms (e.g. according to [6]) are used.
  • The present invention realizes a procedure based safe graphical indication of a route and train control system state in a SILO traffic management system. Thus, safety related route and train control systems, e.g. interlockings, signaling systems can be controlled from SILO traffic management systems.
  • The inventive traffic control system enables execution of safety critical operations in a safety critical system with reduced cost, in particular the execution of safety critical operations which require a safe display of the state of the route and train control system, e.g. because the route and train control system is bypassed by executing the respective safety critical operation.
  • Further advantages can be extracted from the description and the enclosed drawing. The features mentioned above and below can be used in accordance with the invention either individually or collectively in any combination. The embodiments mentioned are not to be understood as exhaustive enumeration but rather have exemplary character for the description of the invention.
    • Drawings
  • The invention is shown in the drawing.
    • Fig. 1
    shows the architecture of a traffic control system according to the state of the art.
    Fig. 2
    shows the architecture of a traffic control system according to the invention with an indication server integrated in a control center.
    Fig. 3
    shows the architecture of a traffic control system according to the invention with an indication server integrated in the route and train control system.
    Fig. 4
    shows the architecture of a traffic control system according to the invention, wherein a safe state indication component is integrated in the route and train control system without indication server.
    Fig. 5
    shows the architecture of a traffic control system according to the invention with an indication server integrated in a remote computer center.
    Fig. 6
    shows the architecture of a traffic control system according to the invention with a safe state integration component adapted to reveal error in transmission and/or display of the indication data and a web-based operator workstation.
  • Fig. 1 shows an architecture of a traffic control system according to the state of the art. The traffic control system comprises a route and train control system RTCS and an operator workstation OW' with a display D. The operator workstation OW' comprises basic integrity indication components BIC with safety level SILO for indicating information on the display D with a basic integrity (railway traffic management data). The operator workstation OW' further comprises a safe state indication component SSC with safety level SIL>0 for processing state data (safety relevant information concerning states of elements of the route and train control system RTCS). The state data are transmitted from the route and train control system RTCS to the safe state indication component SSC of the operator workstation OW'. The safe state indication component SSC transforms the state data into graphical data and thus generates indication data, which is then displayed at the display D.
  • According to the invention, the traffic control system comprises an operator workstation OW which does not involve any components with safety level SIL>0, i.e. operator workstation only comprises components with safety level SILO or less, such as the basic integrity indication components BIC. Since the safe state indication component SSC is swapped out of the operator workstation OW and is functionally independent of the operator workstation OW, i.e. implemented in a different way, non-intrusiveness of the SIL=0 operator workstation to the SIL>0 safe state indication component SSC can be ensured.
  • Information with basic integrity is transmitted from the route and train control system RTCS to the operator workstation OW via channel C1. Safety relevant information (state data) however is transmitted to the safe state indication component SSC via a separate channel C2 in order to generate according graphical indication data. The transmission channel C2 is a secured channel, e.g. secured by means of a security gateway in order to avoid manipulation of the state data. The indication data is transferred from the safe state indication component SSC to the display D of the operator workstation. In order to avoid falsification of indication data due to malfunction of hardware or software, the data transfer is carried out via a safe channel C3.
  • The safe state indication component SSC can either be executed by an indication server IS as shown in Fig. 2, Fig. 3 and Fig. 5 (i.e. an additional computer is provided for executing the safe state indication component SSC) or by a secured partition of an already existing computer of the traffic control system, as shown in Fig. 4 .
  • In a first embodiment, shown in Fig. 2 , the safe state indication component SSC is integrated in a control center CC together with the operator workstation OW. Non-intrusiveness between operator workstation OW and safe state indication component SSC is ensured by providing a separate computer (indication server IS) for executing the safe state indication component SSC.
  • Instead of integrating the safe state indication component SSC in the control center CC it is also possible to integrate the safe state indication component SSC in the route and train control system RTCS, either executable by the indication server ( Fig. 3 ) or by an existing computer of the RTCS itself ( Fig. 4 ). If several route and train control systems RTCS are operated by the traffic control system, each of the route and train control systems RTCS has to be equipped with an according safe state indication component SCC.
  • In an alternative embodiment, which is shown in Fig. 5 , the indication server IS with the safe state indication component SSC is integrated in a computer center RZ, which can be located remote from the operator workstation OW.
  • Fig. 6 shows the architecture of a traffic control system using a web-based operator workstation. The operator workstation comprises a browser B and a read back component R. The safe state indication component SSC is adapted to download the read back component R from the operator workstation OW. By executing the read back component R the displayed indication data are read back (read back data) and transmitted to the safe state indication component SSC.
  • The steps below describe the realization of a highly preferred variant of the inventive method by means of the traffic control system shown in Fig. 6. The according method steps are preferably executed anytime the operator uses the browser to execute safety critical commands. The safety critical commands might also be executed explicitly on demand through a dedicated user interaction mechanism (button, drop down button etc.). The preferred method steps are as follows:
    1. 1. The safe state indication component has the functionality to convert the state data into graphical indication data. The safe state indication component sends this indication data via the safe channel to the browser of the operator workstation. The browser displays this indication data on the display. The displayed data are read back and the browser calculates a first checksum of the read back data.
    2. 2. The read back data (pixmap data) along with the first checksum is sent to the safe state indication component through the safe channel.
    3. 3. The safe state indication component then compares the first checksum generated by the browser with a second checksum calculated by the safe state indication component. The second checksum is the checksum of the indications data generated by the safe state indication component. Thereby, it is verified that the indication data sent to the browser and the resulting read back pixmap data sent from the browser through the safe channel were not corrupted in anyway en route.
    4. 4. The safe state indication component then does checksum comparison and (if applicable, in particular if the chesum comparison is successful) a pixel comparison between the read back data sent by the browser and the indication data the safe state indication component itself generated based on the state data. If the comparison is successful it sends a success notification to the operator workstation via the safe channel. If it is not, it will send a failure notification.
    5. 5. Based on the reply of the safe state indication component, the critical command that was initiated by the operator will be either continued or terminated.
  • The inventive solution is based on the idea of outsourcing the SIL>0 safe state indication component SSC from the operator workstation OW and to set-up a safe channel C3 (e.g. by applying remote desktop protocols) enhanced with safety measures, in particular according to EN50159. This safe channel C3 is preferably routed through the operator workstation OW wherein a method for verifying correct data transfer is used. Thus, the invention realizes safe graphical indication of states of elements of the railway control system (e.g. interlocking, RBC,...) in an operator workstation OW, in particular within a traffic management system TMS that provides (only) a SILO environment.
    • Cited Documents
    1. [1] EP 0 443 377 A2 (Lorenz )
    2. [2] EP 2 683 589 B1 (Siemens )
    3. [3] EP 2 244 188 A1 (Thales )
    4. [4] Antweiler: "Bahn-Betriebsleitsystem ILTIS" Signal & Draht , 87 (1995) 10, Seiten 337 - 340
    5. [5] EN 50128
      "Telekommunikationstechnik, Signaltechnik und Datenverarbeitungssysteme" Ausgabe: 2012-03
    6. [6] Mantere, Timo: "Electronic Imaging & Signal Processing - Image comparison based on morphological transforms" 29 November 2007, SPIE Newsroom. DOI: 10.1117/2.1200711.0926
    List of Reference Signs
    • BIC
    basic integrity indication component
    C1
    transmission channel for information with basic integrity
    C2
    transmission channel for safety relevant information (state data)
    C3
    safe transmission channel for graphical indication data
    CC
    control center
    D
    display
    IS
    indication server
    OW
    operator workstation
    RTCS
    route and train control system
    RZ
    computer center
    SSC
    safe state indication component
    TMS
    traffic management system

Claims (16)

  1. Train traffic control system comprising
    a route and train control system (RTCS),
    an operator workstation (OW) with a display (D), wherein the operator workstation (OW) comprises at least one basic integrity indication component (BIC) with safety level SILO for indicating information with a basic integrity on the display (D), and
    a safe state indication component (SSC) with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system (RTCS) on the display of the operator workstation (OW), wherein the safe state indication component (SSC) is functionally independent of the operator workstation (OW), and
    a safe channel (C) connecting the safe state indication component (SSC) and the display (D) for safe transmission of safety-related information about the state of elements of the route train control system (RTCS).
  2. Train traffic control system according to claim 1 characterized in that the safe state indication component (SSC) is integrated in the route and train control system (RTCS).
  3. Train traffic control system according to claim 1 or 2 characterized in that the safe state indication component (SSC) is integrated in an indication server (IS).
  4. Train traffic control system according to claim 3 characterized in that the system comprises a control center (CC), wherein the indication server (IS) is integrated in the control center.
  5. Train traffic control system according to claim 3 or 4 characterized in that the indication server (IS) is integrated in a remote computer center (RZ).
  6. Train traffic control system according to any one of the claims 3 through 5, characterized in that the indication server (IS) is procedure-protected.
  7. Train traffic control system according to any one of the claims 3 through 5, characterized in that the indication server (IS) is a composite fail-safety server.
  8. Train traffic control system according to one of the preceding claims, characterized in that the operator workstation (OW) is integrated in a traffic management system (TMS).
  9. Train traffic control system according to one of the preceding claims, characterized in that the safe channel (C) is routed through the operator workstation (OW).
  10. Method for safe displaying safety-related information concerning the state of a route and train control system (RTCS) at an operator workstation (OW) of a train traffic control system according to one of the preceding claims,
    wherein state data comprising the safety relevant information is transformed into graphical indication data within the state indication component (SSC) with safety level SIL>0 which is independent from the basic integrity indication components (BIC) with safety level SILO of the operator workstation (OW), and
    wherein the indication data are transmitted to a display (D) by via the safe channel (C).
  11. Method according to claim 10, characterized in that the safe channel is routed through the operator workstation (OW).
  12. Method according to claim 10 or 11, characterized in that indication data are pixmap data and wherein the indication data are transmitted to the display (D) by using a method for verifying correct transfer of pixmap data.
  13. Method according to any one of the claims 10 through 12, characterized in that indication data are displayed in a web browser of the operator workstation.
  14. Method according to claim 13, characterized in that the displayed indication data are read back.
  15. Method according to claim 14, characterized in
    that the safe state indication component generates a first checksum of the indication data;
    that the browser generates a second checksum of the read back data and transmits the second checksum to the safe state indication component via the safe channel; and
    that the safe state indication component compares the first checksum and the second checksum.
  16. Method according to claim 14 or 15, characterized in
    that the browser transmits the read back data to the safe state indication component via the safe channel; and
    that the safe state indication component compares the read back data with the indication data.
EP18177217.9A 2018-04-06 2018-06-12 Train traffic control system and method for safe displaying a state indication of a route and train control system Active EP3549842B9 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
HRP20220827TT HRP20220827T1 (en) 2018-04-06 2018-06-12 Train traffic control system and method for safe displaying a state indication of a route and train control system
SI201830714T SI3549842T1 (en) 2018-04-06 2018-06-12 Train traffic control system and method for safe displaying a state indication of a route and train control system
RS20220616A RS63339B9 (en) 2018-04-06 2018-06-12 Train traffic control system and method for safe displaying a state indication of a route and train control system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102018205235 2018-04-06
EP18166202.4A EP3549841B1 (en) 2018-04-06 2018-04-06 Train traffic control system and method for carrying out safety critical operations within a train traffic control system

Publications (3)

Publication Number Publication Date
EP3549842A1 true EP3549842A1 (en) 2019-10-09
EP3549842B1 EP3549842B1 (en) 2022-05-11
EP3549842B9 EP3549842B9 (en) 2022-09-28

Family

ID=62620726

Family Applications (1)

Application Number Title Priority Date Filing Date
EP18177217.9A Active EP3549842B9 (en) 2018-04-06 2018-06-12 Train traffic control system and method for safe displaying a state indication of a route and train control system

Country Status (13)

Country Link
EP (1) EP3549842B9 (en)
KR (1) KR102536023B1 (en)
AU (1) AU2019249938B2 (en)
DK (1) DK3549842T5 (en)
ES (1) ES2923182T3 (en)
HR (1) HRP20220827T1 (en)
HU (1) HUE059058T3 (en)
LT (1) LT3549842T (en)
PL (1) PL3549842T3 (en)
RS (1) RS63339B9 (en)
SA (1) SA520420235B1 (en)
SI (1) SI3549842T1 (en)
WO (1) WO2019193145A1 (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0443377A2 (en) 1990-02-21 1991-08-28 Alcatel SEL Aktiengesellschaft Arrangement for the fail-safe displaying, in a reliable manner as regards to signalling techniques, of a signalling picture
WO2003093999A2 (en) * 2002-05-03 2003-11-13 Alstom Ferroviaria S.P.A Inherently fail safe processing or control apparatus
EP1942041A2 (en) * 2007-01-04 2008-07-09 Westinghouse Brake and Signal Holdings Limited Signalling system
EP1750988B1 (en) * 2004-05-20 2008-12-17 Balfour Beatty plc Railway signalling system, method and interlocking
US20090254986A1 (en) * 2008-04-08 2009-10-08 Peter William Harris Method and apparatus for processing and displaying secure and non-secure data
EP2244188A1 (en) 2009-04-25 2010-10-27 Thales Deutschland Holding GmbH Method for verifying correct data transfer to a video memory
EP2551787A1 (en) * 2011-07-25 2013-01-30 Deuta-Werke GmbH Dispositif et procédé pour une saisie relevant de la sécurité au moyen d'un appareil d'affichage avec saisie tactile
DE102014201551A1 (en) * 2014-01-29 2015-07-30 Siemens Aktiengesellschaft Method for error disclosure in a interlocking computer system and interlocking computer system
EP3040862A1 (en) * 2014-12-30 2016-07-06 Matthias Auchmann Method and system for the safe visualization of safety-relevant information
EP2683589B1 (en) 2011-03-07 2017-06-28 Siemens Aktiengesellschaft Railway control system

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CH683953A5 (en) 1992-04-30 1994-06-15 Siemens Integra Verkehrstechni Procedure to improve the signal-related safety of the user interface of a data processing system.
DE202005020802U1 (en) * 2004-11-15 2007-03-15 Abb As Control system for rail vehicles
US8094003B2 (en) 2006-11-22 2012-01-10 Sharp Kabushiki Kaisha Display control unit, on-vehicle display system, display controller, and on-vehicle display
FR2919951B1 (en) 2007-08-08 2012-12-21 Airbus France SYSTEM FOR PROCESSING AND DISPLAYING DATA
US8328143B2 (en) * 2008-01-17 2012-12-11 Lockheed Martin Corporation Method for isolation of vital functions in a centralized train control system
US9061589B2 (en) 2008-05-20 2015-06-23 Freescale Semiconductor, Inc. Display controller, image processing system, display system, apparatus and computer program product
US8605044B2 (en) 2010-02-12 2013-12-10 Maxim Integrated Products, Inc. Trusted display based on display device emulation
DE102012207439A1 (en) 2012-05-04 2013-11-07 Cassidian Airborne Solutions Gmbh Method for displaying safety-critical data by a display unit; display unit
US20140088802A1 (en) 2012-09-27 2014-03-27 Siemens Industry, Inc. Railway train control system having multipurpose display
ES2915262T3 (en) 2012-11-22 2022-06-21 Bombardier Transp Gmbh Computation of color discrimination checksum in a human-machine interface
DE102012221714A1 (en) * 2012-11-28 2014-05-28 Siemens Aktiengesellschaft Method for fault disclosure in interlocking computer system with control channel, involves comparing pixel data of display with process data of process image of state information of reference system for display-protection
PT2879008T (en) * 2013-11-28 2018-10-29 Thales Man & Services Deutschland Gmbh Method for handling a safety critical command in a computer network
DE102015002973B4 (en) 2015-03-10 2020-09-24 Airbus Defence and Space GmbH Method for the joint representation of safety-critical and non-safety-critical information and display device
US9811932B2 (en) 2015-04-17 2017-11-07 Nxp Usa, Inc. Display controller, heads-up image display system and method thereof
DE102015209448A1 (en) 2015-05-22 2016-11-24 Bayerische Motoren Werke Aktiengesellschaft Method for displaying safety-relevant display elements
US20160379331A1 (en) 2015-06-23 2016-12-29 Freescale Semiconductor, Inc. Apparatus and method for verifying the integrity of transformed vertex data in graphics pipeline processing
US20160379381A1 (en) 2015-06-23 2016-12-29 Freescale Semiconductor, Inc. Apparatus and method for verifying the origin of texture map in graphics pipeline processing

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0443377A2 (en) 1990-02-21 1991-08-28 Alcatel SEL Aktiengesellschaft Arrangement for the fail-safe displaying, in a reliable manner as regards to signalling techniques, of a signalling picture
WO2003093999A2 (en) * 2002-05-03 2003-11-13 Alstom Ferroviaria S.P.A Inherently fail safe processing or control apparatus
EP1750988B1 (en) * 2004-05-20 2008-12-17 Balfour Beatty plc Railway signalling system, method and interlocking
EP1942041A2 (en) * 2007-01-04 2008-07-09 Westinghouse Brake and Signal Holdings Limited Signalling system
US20090254986A1 (en) * 2008-04-08 2009-10-08 Peter William Harris Method and apparatus for processing and displaying secure and non-secure data
EP2244188A1 (en) 2009-04-25 2010-10-27 Thales Deutschland Holding GmbH Method for verifying correct data transfer to a video memory
EP2683589B1 (en) 2011-03-07 2017-06-28 Siemens Aktiengesellschaft Railway control system
EP2551787A1 (en) * 2011-07-25 2013-01-30 Deuta-Werke GmbH Dispositif et procédé pour une saisie relevant de la sécurité au moyen d'un appareil d'affichage avec saisie tactile
DE102014201551A1 (en) * 2014-01-29 2015-07-30 Siemens Aktiengesellschaft Method for error disclosure in a interlocking computer system and interlocking computer system
EP3040862A1 (en) * 2014-12-30 2016-07-06 Matthias Auchmann Method and system for the safe visualization of safety-relevant information

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANTWEILER: "Bahn-Betriebsleitsystem ILTIS", SIGNAL & DRAHT, vol. 87, no. 10, 1995, pages 337 - 340

Also Published As

Publication number Publication date
LT3549842T (en) 2022-07-25
HRP20220827T1 (en) 2022-10-14
SA520420235B1 (en) 2022-11-25
ES2923182T3 (en) 2022-09-26
PL3549842T3 (en) 2022-08-22
RS63339B1 (en) 2022-07-29
AU2019249938B2 (en) 2022-11-24
WO2019193145A1 (en) 2019-10-10
KR102536023B1 (en) 2023-05-23
SI3549842T1 (en) 2022-08-31
HUE059058T3 (en) 2023-01-28
DK3549842T3 (en) 2022-07-18
KR20200140860A (en) 2020-12-16
HUE059058T2 (en) 2022-10-28
AU2019249938A1 (en) 2020-10-01
EP3549842B9 (en) 2022-09-28
RS63339B9 (en) 2022-11-30
EP3549842B1 (en) 2022-05-11
DK3549842T5 (en) 2022-10-31

Similar Documents

Publication Publication Date Title
EP1769996A2 (en) Railway control and protection system
US20150225003A1 (en) Control of a rail vehicle
US9925994B2 (en) Cutout systems and methods
KR101164767B1 (en) A railway interlocking device and radio block center of interface system and operating method thereof
EP2409892A1 (en) Data input support device and data input support method
KR20220044842A (en) A method of controlling a train within a train control system, and a train control system
EP3549842B1 (en) Train traffic control system and method for safe displaying a state indication of a route and train control system
Neil On board train control and monitoring systems
SK500272011A3 (en) System for controlled transmission of train numbers for support of railway traffic control and manner in which this system operates
WO2020012937A1 (en) Train control apparatus and train control method
EP3549841B1 (en) Train traffic control system and method for carrying out safety critical operations within a train traffic control system
JP6630254B2 (en) Electronic interlocking device
EP2998185A1 (en) System and method for remotely and centrally controlling guided vehicles and trackside devices
CN106686106B (en) Mobile unit data processing system and method, data processing system
DK2804798T3 (en) A method for controlling, securing and / or monitor the rail-traffic and operations management
CN113393162A (en) Comprehensive scheduling method, device, system, electronic equipment and storage medium
KR102498293B1 (en) Method and System for Controlling Platform Safety Door
Goikoetxea et al. Remote driving and command of trains: The Shift2Rail approach.
CN115366954B (en) TACS and CBTC compatible operation system and method
Zeng et al. Tolerable Hazard Rate Allocation for Urban Rail Automatic Train Control System
JP2004230957A (en) Train service control system
JP6713357B2 (en) On-board equipment, train, and signal security system
Padberg et al. Interoperability in train control systems: Specification of scenarios using open nets
Preston Greater standardisation paves the way for rolling out ERTMS across Europe.
KR101772529B1 (en) Display system for train system based geographic information

Legal Events

Date Code Title Description
REG Reference to a national code

Ref country code: HR

Ref legal event code: TUEP

Ref document number: P20220827T

Country of ref document: HR

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20200402

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20201126

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20211020

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTC Intention to grant announced (deleted)
INTG Intention to grant announced

Effective date: 20220310

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1491191

Country of ref document: AT

Kind code of ref document: T

Effective date: 20220515

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602018035282

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: RO

Ref legal event code: EPE

REG Reference to a national code

Ref country code: DK

Ref legal event code: T3

Effective date: 20220713

REG Reference to a national code

Ref country code: PT

Ref legal event code: SC4A

Ref document number: 3549842

Country of ref document: PT

Date of ref document: 20220720

Kind code of ref document: T

Free format text: AVAILABILITY OF NATIONAL TRANSLATION

Effective date: 20220713

REG Reference to a national code

Ref country code: FI

Ref legal event code: FGE

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

REG Reference to a national code

Ref country code: SE

Ref legal event code: TRGR

REG Reference to a national code

Ref country code: NO

Ref legal event code: T2

Effective date: 20220511

REG Reference to a national code

Ref country code: CH

Ref legal event code: PK

Free format text: BERICHTIGUNG B9

REG Reference to a national code

Ref country code: EE

Ref legal event code: FG4A

Ref document number: E022492

Country of ref document: EE

Effective date: 20220720

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2923182

Country of ref document: ES

Kind code of ref document: T3

Effective date: 20220926

REG Reference to a national code

Ref country code: HR

Ref legal event code: ODRP

Ref document number: P20220827T

Country of ref document: HR

Payment date: 20220701

Year of fee payment: 5

REG Reference to a national code

Ref country code: HR

Ref legal event code: T1PR

Ref document number: P20220827

Country of ref document: HR

REG Reference to a national code

Ref country code: GR

Ref legal event code: EP

Ref document number: 20220401500

Country of ref document: GR

Effective date: 20221010

REG Reference to a national code

Ref country code: HU

Ref legal event code: AG4A

Ref document number: E059058

Country of ref document: HU

REG Reference to a national code

Ref country code: DK

Ref legal event code: T5

Effective date: 20221028

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20220911

REG Reference to a national code

Ref country code: NO

Ref legal event code: T2

Effective date: 20220511

REG Reference to a national code

Ref country code: EE

Ref legal event code: LD4A

Ref document number: E022492

Country of ref document: EE

REG Reference to a national code

Ref country code: HU

Ref legal event code: AG9B

Ref document number: E059058

Country of ref document: HU

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20220511

REG Reference to a national code

Ref country code: DE

Ref legal event code: R026

Ref document number: 602018035282

Country of ref document: DE

PLBI Opposition filed

Free format text: ORIGINAL CODE: 0009260

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20220511

PLAX Notice of opposition and request to file observation + time limit sent

Free format text: ORIGINAL CODE: EPIDOSNOBS2

26 Opposition filed

Opponent name: SIEMENS MOBILITY GMBH

Effective date: 20230210

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20220511

PLAB Opposition data, opponent's data or that of the opponent's representative modified

Free format text: ORIGINAL CODE: 0009299OPPO

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220612

R26 Opposition filed (corrected)

Opponent name: SIEMENS MOBILITY GMBH

Effective date: 20230210

RAP2 Party data changed (patent owner data changed or rights of a patent transferred)

Owner name: GTS DEUTSCHLAND GMBH

REG Reference to a national code

Ref country code: HR

Ref legal event code: ODRP

Ref document number: P20220827

Country of ref document: HR

Payment date: 20230524

Year of fee payment: 6

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: LU

Payment date: 20230526

Year of fee payment: 6

PLBB Reply of patent proprietor to notice(s) of opposition received

Free format text: ORIGINAL CODE: EPIDOSNOBS3

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220612

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: RS

Payment date: 20230606

Year of fee payment: 6

Ref country code: RO

Payment date: 20230530

Year of fee payment: 6

Ref country code: PT

Payment date: 20230606

Year of fee payment: 6

Ref country code: NO

Payment date: 20230608

Year of fee payment: 6

Ref country code: NL

Payment date: 20230525

Year of fee payment: 6

Ref country code: LT

Payment date: 20230605

Year of fee payment: 6

Ref country code: IT

Payment date: 20230526

Year of fee payment: 6

Ref country code: FR

Payment date: 20230523

Year of fee payment: 6

Ref country code: EE

Payment date: 20230522

Year of fee payment: 6

Ref country code: DK

Payment date: 20230613

Year of fee payment: 6

Ref country code: DE

Payment date: 20230516

Year of fee payment: 6

Ref country code: CZ

Payment date: 20230517

Year of fee payment: 6

Ref country code: BG

Payment date: 20230531

Year of fee payment: 6

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: TR

Payment date: 20230609

Year of fee payment: 6

Ref country code: SK

Payment date: 20230512

Year of fee payment: 6

Ref country code: SI

Payment date: 20230515

Year of fee payment: 6

Ref country code: SE

Payment date: 20230526

Year of fee payment: 6

Ref country code: PL

Payment date: 20230530

Year of fee payment: 6

Ref country code: LV

Payment date: 20230519

Year of fee payment: 6

Ref country code: HU

Payment date: 20230531

Year of fee payment: 6

Ref country code: HR

Payment date: 20230524

Year of fee payment: 6

Ref country code: GR

Payment date: 20230526

Year of fee payment: 6

Ref country code: FI

Payment date: 20230615

Year of fee payment: 6

Ref country code: AT

Payment date: 20230525

Year of fee payment: 6

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: BE

Payment date: 20230517

Year of fee payment: 6

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20230518

Year of fee payment: 6

Ref country code: ES

Payment date: 20230711

Year of fee payment: 6

Ref country code: CH

Payment date: 20230702

Year of fee payment: 6

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: MK

Payment date: 20230529

Year of fee payment: 6

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20220511