EP4018300A1 - Procédé de configuration pour un système de signalisation ferroviaire et système de mise à jour - Google Patents

Procédé de configuration pour un système de signalisation ferroviaire et système de mise à jour

Info

Publication number
EP4018300A1
EP4018300A1 EP20771472.6A EP20771472A EP4018300A1 EP 4018300 A1 EP4018300 A1 EP 4018300A1 EP 20771472 A EP20771472 A EP 20771472A EP 4018300 A1 EP4018300 A1 EP 4018300A1
Authority
EP
European Patent Office
Prior art keywords
components
component
computer unit
central computer
configuration
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP20771472.6A
Other languages
German (de)
English (en)
Inventor
Benjamin SCHILLING
Christian FIGURA
Matthias Lorenz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Mobility GmbH
Original Assignee
Siemens Mobility GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Mobility GmbH filed Critical Siemens Mobility GmbH
Publication of EP4018300A1 publication Critical patent/EP4018300A1/fr
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating
    • G06F9/44505Configuring for program initiating, e.g. using registry, configuration files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/547Remote procedure calls [RPC]; Web services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Definitions

  • a method for the configuration of components of a railway signal system is given.
  • an update system is specified that is set up for such a method.
  • the document EP 2121 409 B1 relates to a method for transmitting data to a route element for lane-bound traffic.
  • One problem to be solved is to provide a method with which components of a railway signal system can be configured efficiently.
  • Another problem to be solved is to provide an update system for such a method.
  • the method is used to configure components of a railway signal system.
  • the components are, for example, point controllers, axle counters, interlockings and / or line control centers.
  • the procedure includes:
  • route element controls also referred to as components for short
  • components are typically arranged in a widely distributed manner. Due to this wide distribution of the line element controls, manual configuration changes take a lot of time and effort.
  • the components can still have their ID plug, but the ID plug is preferably only used to store an address of the server storing the configuration and a unique identifier for the component in question.
  • the ID plug itself is not absolutely necessary, but rather only that the component contains a unique ID and the at least one address of the server that stores and distributes the configuration.
  • This identifier, or ID for short, is sent to the server in particular together with a checksum, such as a hash value, of the current configuration of the component, the server being accessible via one of the addresses provided.
  • the server processes the request and uses the ID and the checksum to check whether a more up-to-date device configuration for the component nent is available. If so, the server will send the new configuration to the relevant component. Otherwise the server will preferentially indicate in a response that no new configuration is available for the component.
  • the component checks this configuration preferably using a cryptographic method, for example using a signature.
  • the new configuration is only used when the signature is valid.
  • This process is preferably carried out every time the component restarts, which is also referred to as "booting". If the configuration of a certain component is to be changed, the configuration is only changed in the central repository of the configuration server and no longer on of each individual component A restart of the component can optionally be triggered remotely, in order to trigger the retrieval of the new configuration on the corresponding component.
  • a secure mechanism for configuration distribution can be provided.
  • This approach enables a user to save costs through the central management of the widely distributed, decentralized components, instead of locally reconfiguring each component individually.
  • this approach can be used to build railway systems that automatically pick up their latest configuration data when booting.
  • every incorrect configuration is removed and automatically replaced by the correct configuration.
  • a manipulation of the configuration files for example through a hacker attack or through a corrupted memory, would be detected and corrected.
  • a central server which stores the configurations of all components, is on site as opposed to individually configuring components can be handled more efficiently.
  • Each configuration file can be cryptographically signed and thus protected against malicious or accidental falsification.
  • a hash value is preferably created via the corresponding configuration and sent to the server together with the associated unique identifier. If the hash value matches the configuration specified for this ID, the configuration is valid and does not need to be updated.
  • the configuration of the relevant component is updated.
  • a system can be provided that configures itself autonomously so that a customer can be offered a solution that saves the effort of manual configuration updates. It is also made possible to use components without an initial configuration check and to install them in the railway signal system.
  • services can be offered to keep the configurations of the components of a railway signaling system constantly up to date by means of a centralized configuration server.
  • the configuration server can also be cloud-based due to the use of IT security technology.
  • each device address of the components must also be stored.
  • railway signal system is understood here in particular as a collective term for all signaling facilities for carrying out and securing railway operations. These include, in particular, interlocking systems, block control systems, remote control systems, Stromthesesein directions, signal cables, switch controllers, axle counters or route control centers, also known as radio block centers or RBC for short.
  • Process steps A), B) and C) can be carried out in the order specified, but this is not absolutely necessary.
  • the railway signal system can be built up and / or continuously expanded so that step A), providing a large number of components, can take place over a long period of time, with updates according to step C) already being able to be carried out, if not all Components are installed.
  • the updating of the components is requested from the central computer unit. This means that the initiative for updating lies with the individual components and not with the central processing unit.
  • the cryptographic security is carried out during the update using signatures or also by using a MAC-based security attachment which, however, in contrast to a signature, is only based on a symmetrical key.
  • the central computer unit is a server. It is possible that different servers are used for different groups of components.
  • the central processing unit can be designed redundantly. It is also possible that the central computer unit during the operating the duration of the railway signal system is replaced and / or renewed. If the address of the central computer unit changes, the components can be instructed or informed accordingly in advance, for example by means of the central computer unit.
  • the unique identifiers are implemented in hardware. This means that the identifiers are preferably not overwritable or changeable in terms of the program and are therefore permanent.
  • the unique identifiers are each linked to a carrier body.
  • the carrier body is a token stick, a dongle, a hardware key, a hardlock, a chip or a chip card, such as a subscriber identity module, or SIM for short.
  • the carrier bodies can each be attached reversibly to the assigned component. That is, for example by operating personnel, the carrier body can be removed from a certain component and assigned to another component, for example a spare part. Since the identifier is linked to the carrier body, the identifier remains unique.
  • the carrier bodies each contain access data for the relevant component for the central computer unit.
  • an address of the central computer unit is stored in the respective carrier body.
  • further information can be clearly assigned to the components by means of the carrier body.
  • the identifiers are each assigned to a specific installation location of the railway signal system.
  • the installation location is, for example, a slot, a compartment or a rack.
  • the identifiers are preferably each permanently and uniquely linked to the relevant installation location. This means that with the identifier a position and load ge of the associated components located in the installation location within the railway signal system clearly and permanently. It is possible that the components will only function if they are correctly located in the intended installation location and have the correct, unambiguous identification.
  • the method comprises the following step:
  • the identifier is preferably transferred from the component that was previously available to the other component that serves as a replacement part.
  • the central processing unit does not have to be informed of the replacement of the component. Simplified maintenance is thus possible.
  • the carrier bodies each contain an initial configuration for the relevant component. That is to say, at least one, preferably exactly one, configuration for the assigned component and / or for the assigned installation location can be stored permanently and permanently on the carrier bodies.
  • the initial configuration is loaded each time the relevant component is restarted. This means that the components always revert to the initial configuration when they are restarted. Alternatively, it is possible for the components to retain the configuration last received, at least in the event that the identifier has not been interrupted in the meantime, that is to say in particular that the associated carrier body has not been removed or damaged.
  • the components ask the central computer unit whether step C) is to be carried out, that is to say whether the configurations are to be updated.
  • the components only start their function when they have received feedback from the central processing unit, either in the form of a confirmation that the associated configuration is still up-to-date, or in the form of a current configuration.
  • a configuration of a specific component is compared with a configuration stored in the central computer unit for the relevant component on the basis of at least one checksum or on the basis of a cryptographic measure. This means that when comparing, it is not necessary to exchange the complete values of the configurations, but only checksums or equivalent data. A data volume to be transmitted can thus be reduced.
  • a configuration transmitted by the central processing unit in step C) is validated and / or checked for authenticity in the relevant component before this configuration is actually used in the assigned component.
  • This validation and / or authentication only uses data that is stored in the component. In particular, it may be necessary for successful validation and / or authentication to access data from the assigned components and also from the relevant carrier body.
  • the central computer unit provides individual, different configurations from one another in step C). That is, at least some of the components or all of the components Components are configured differently in accordance with their intended use.
  • An update system is also specified.
  • the update system is set up for a method as specified in connection with one or more of the embodiments described above. Features of the update system are therefore also disclosed for the method and vice versa.
  • the update system comprises a multiplicity of components of a railway signal system, a central computer unit and at least one data connection between the components and the central computer unit.
  • the data connection can be wired or wireless or a mixture of wired and wireless partial connections.
  • the data connection can be a cellular connection.
  • Figure 1 shows a schematic representation of an exemplary embodiment of an update system for a method described here
  • Figure 2 shows a schematic block diagram of a railway signal system and a central computer unit for a method described here, and the
  • FIGS. 3 and 4 show schematic representations of process steps of a process described here.
  • An exemplary embodiment of an update system 10 is illustrated in FIG.
  • the update system 10 comprises a railway signal system 1 and a central computer unit 3.
  • the central computer unit 3 for example a server, is connected in terms of data technology via a data link 7 to individual components 2 of the railway signal system 1.
  • the data connection 7 is a cellular connection, but can also be a wired connection.
  • the data connection 7 and / or the central computer unit 3 are themselves part of the railway signal system 1.
  • the data connection 7 and / or the central computer unit 3 are not part of the railway signal system 1, but are separate, independent assemblies.
  • the individual components 2 are, for example, point controllers, axle counters, signal boxes and / or route control centers, or RBCs for short, so that the railway signal system 1 preferably contains different types of components 2.
  • traffic on a railway line 6 can be regulated and / or controlled.
  • the individual components 2 are preferably each located on installation locations 5 of the railway signal system 1.
  • the installation locations 5 and the respective components 2 are each uniquely assigned an identifier 4.
  • the identifier 4 is preferably linked to the installation location 5 in question. This link is achieved, for example, with the aid of identifier safeguards 8.
  • the identification fuses 8 can be implemented mechanically, for example by a chain, or electronically, for example by a sensor unit.
  • the components 2 and the building sites 5 can be clearly identified.
  • the identifiers 4 are identifiers, or IDs for short, such as an alphanumeric character string.
  • the identifiers 4 are preferably each firmly bound to a carrier body 41.
  • the carrier bodies 41 are realized for example by a token stick, a dongle, a hardware key, a hardlock, a chip or a chip card.
  • the carrier bodies 41 are preferably coupled to the respective installation locations 5 by means of the identification fuses 8. It is also possible that the carrier bodies 41 and / or the identifiers 4 are each part of the associated installation location 5.
  • identifiers 4 which are permanently and inseparably linked to hardware
  • programmable identifiers 4 can in principle also be used.
  • Such identifiers 4 can preferably only be programmed in a decentralized manner and who, in particular, do not give ver from the central computer unit 3.
  • FIG 2 a block diagram of the computer unit 3 and the components 2 of the railway signal system 1 is shown schematically.
  • Current configurations 22 for components 2 are stored in computer unit 3.
  • An individual configuration 22 is preferably present in the computer unit 3 for each of the components 2, so that there is a one-to-one relationship between the components 2 and the configuration 22.
  • the configurations 22 are transmitted from the computing unit 3 to the components 2 via the data connection 7, upon request from the components 2.
  • a centrally organized update of components 2 can thus be achieved. This saves an operator of the railway signal system 1 and / or the railway line 6 from updating the components 2 that are potentially widely scattered on site.
  • each component 2 preferably the carrier bodies 41, each have access data 43 for the central computer unit 3 in addition to the identifier 4 are provided. Together with the identifier 4, it can thus be determined which central computer unit 3 or which central computer units 3 the relevant component 2 has to contact in order to update the configuration 2.
  • the access data 43 contain server addresses.
  • each component preferably the carrier bodies 41, each contain an initial configuration 42.
  • the initial configuration 42 is that configuration 22 which the relevant component 2 accesses after a restart.
  • the update method described here is further illustrated with reference to FIG.
  • several of the components 2 are provided and provided with the identifiers 4, only one of the components 2 with the associated identifier 4 being shown in FIG. 3 to simplify the illustration.
  • the central computer unit 3 is also provided.
  • the data connection is not specifically shown in FIG.
  • step S1 the component 2 is started. After or during the start, the component 2 is configured in step S2 according to the initial configuration 42, which is preferably stored in the carrier body 41.
  • step S3 the configuration carried out is verified, for example using signatures, checksums and / or hash values. If verification is not carried out properly, an error message can be output.
  • step S4 the component 2 initializes the configuration.
  • a request is sent to the central computer unit 3, for example on the basis of the access data stored in the carrier body 41.
  • the request can include a checksum and / or a hash value or another identifier, so that it is possible for the central computer unit 3 to assess whether the component 2 is currently available.
  • the current configuration is the current, intended configuration 22. If this is not the case, the configuration 22 is sent from the central computer unit 3 to the component 2.
  • the central computer unit 3 merely confirms that no update is currently required.
  • step S5 a verification takes place as to whether the configuration from the central computer unit 3 is a valid, permissible and / or possible configuration. If this is confirmed, configuration 22 can be used by component 2. Otherwise, step S4 is repeated or the method begins again with step S1.
  • Communication between the central computer unit 3 and the component 2 is preferably cryptographically secured.
  • FIG. 4 A further, optional additional process sequence is shown in FIG. According to FIG. 4, on the left, there is a component 2 with the associated identifier 4 in an installation location 5. In FIG. 4, middle, it is shown that the component 2 has been removed, the identifier 4 still being tied to the installation location . The component 2 is replaced, for example, in the event of a defect or in the case of a newer device version available.
  • a new component 2 ' is inserted into the installation location 5 as a replacement part or as a replacement part.
  • the identifier 4 is also used for the new component 2 '.
  • the new component 2 ' can therefore fall back on the same initial configuration as the previously existing component 2, and can be configured correctly in the same way without the central computer unit 3 having to separately replace the Component 2 must be informed or that the new component 2 'needs to be specially configured by operating personnel already during installation.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Train Traffic Observation, Control, And Security (AREA)

Abstract

Dans un mode de réalisation, un procédé est utilisé pour configurer des éléments (2) d'un système de signalisation ferroviaire (1) et comprend les étapes consistant à : A) fournir une pluralité d'éléments (2), B) fournir une unité informatique centrale (3) et C) mettre à jour des configurations (22) des éléments (2) au moyen de l'unité informatique centrale (3), un identifiant unique (4) étant attribué à chacun des éléments (2), les identifiants (4) pouvant être déterminés et la mise à jour des éléments (2) étant demandée à partir de l'unité informatique centrale (3) et étant réalisée de manière sécurisée par cryptographie.
EP20771472.6A 2019-09-27 2020-09-02 Procédé de configuration pour un système de signalisation ferroviaire et système de mise à jour Pending EP4018300A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102019214922.7A DE102019214922A1 (de) 2019-09-27 2019-09-27 Konfigurationsverfahren für eine Eisenbahnsignalanlage und Aktualisierungssystem
PCT/EP2020/074389 WO2021058244A1 (fr) 2019-09-27 2020-09-02 Procédé de configuration pour un système de signalisation ferroviaire et système de mise à jour

Publications (1)

Publication Number Publication Date
EP4018300A1 true EP4018300A1 (fr) 2022-06-29

Family

ID=72473516

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20771472.6A Pending EP4018300A1 (fr) 2019-09-27 2020-09-02 Procédé de configuration pour un système de signalisation ferroviaire et système de mise à jour

Country Status (4)

Country Link
EP (1) EP4018300A1 (fr)
CN (1) CN114503079A (fr)
DE (1) DE102019214922A1 (fr)
WO (1) WO2021058244A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102022206329A1 (de) * 2022-06-23 2023-12-28 Siemens Mobility GmbH Betriebsverfahren und Netzwerk

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7469279B1 (en) * 2003-08-05 2008-12-23 Cisco Technology, Inc. Automatic re-provisioning of network elements to adapt to failures
US9489496B2 (en) * 2004-11-12 2016-11-08 Apple Inc. Secure software updates
DE102007006130A1 (de) * 2007-02-02 2008-08-07 Siemens Ag Verfahren, mobiles Bediengerät und Anordnung zum Übertragen von Daten an ein Streckenelement des spurgebundenen Verkehrs
DE102007010763A1 (de) * 2007-03-06 2008-09-11 Zf Friedrichshafen Ag Verfahren zur adaptiven Konfigurationserkennung
US20140059534A1 (en) * 2012-08-22 2014-02-27 General Electric Company Method and system for software management
KR20140106991A (ko) * 2013-02-27 2014-09-04 삼성전자주식회사 휴대 단말기에서 애플리케이션을 제공하는 장치 및 방법
US20140282470A1 (en) * 2013-03-13 2014-09-18 Arynga Inc. Remote transfer of electronic images to a vehicle

Also Published As

Publication number Publication date
DE102019214922A1 (de) 2021-04-01
CN114503079A (zh) 2022-05-13
WO2021058244A1 (fr) 2021-04-01

Similar Documents

Publication Publication Date Title
DE112012003795B4 (de) Verfahren und system für eine fahrzeug-information-integritätsverifikation
EP2705410B1 (fr) Procédé et système pour fournir des données d'exploitant, spécifiques d'un appareil, pour un appareil d'automatisation d'une installation d'automatisation
WO2017008953A1 (fr) Procédé et système pour l'échange sécurisé de données de configuration d'un dispositif
WO2015155093A1 (fr) Procédé et système d'auto-configuration déterministe d'un appareil
EP4018300A1 (fr) Procédé de configuration pour un système de signalisation ferroviaire et système de mise à jour
WO2019137773A1 (fr) Protection d'une actualisation de logiciel d'un appareil de commande d'un moyen de locomotion
DE102015115855A1 (de) System und Verfahren zur Verteilung und/oder Aktualisierung von Software in vernetzten Steuereinrichtungen eines Fahrzeugs
DE102017220526A1 (de) Verfahren und Vorrichtung zur Aktualisierung von Software
EP4268070A1 (fr) Procédé de configuration d'un logiciel de commande pour un véhicule ferroviaire
DE102016116168A1 (de) Fahrzeug, System und Verfahren zur Aktualisierung der Firmware einer Fahrzeugkomponente
EP3306514B1 (fr) Procédé et dispositif de certification d'une chaîne de fonctions critique pour la sécurité
EP3997531A1 (fr) Appareil de terrain
DE102009047974B4 (de) Verfahren zur Programmierung eines Steuergeräts
WO2004017182A2 (fr) Procede pour transferer un enregistrement dans une unite de calcul
DE102022107393A1 (de) Center, verteilungssteuerungsverfahren undnicht-transitorisches speichermedium
EP3306507B1 (fr) Composants pour une chaîne fonctionnelle critique pour la sécurité
EP3306856B1 (fr) Procédé de fourniture d'une liaison de communication sécurisée entre les composants d'une chaîne de fonctions à sécurité critique
DE102022207549A1 (de) Verfahren zur Verwaltung von ausführbaren Softwaremodulen durch Zertifikate
DE102006029263A1 (de) Verfahren zur Aktualisierung von in Mauterfassungsgeräten gespeicherten Daten und/oder Programmen
EP3942766A1 (fr) Procédé et dispositifs pour l'affectation de charges et la surveillance d'une ressource critique pour la sécurité d'approvisionnement à affecter dans un réseau
DE112022006234T5 (de) Sicherheitsvorrichtung, Verwaltungsvorrichtung, Kommunikationssystem und Sicherheitsverwaltungsverfahren
WO2021244868A1 (fr) Système de transmission d'au moins un paquet de mise à jour, et procédé
WO2022180073A1 (fr) Procédé de configuration d'un logiciel de commande pour un véhicule ferroviaire
DE102019135158A1 (de) Verfahren zur sicheren Übertragung von Daten zwischen einem Server und einem Steuergerät und Vorrichtung zum Durchführen des Verfahrens
EP3583741A1 (fr) Procédé permettant d'assurer une authenticité d'au moins une valeur de propriété d'appareil, programme informatique, support d'enregistrement lisible par ordinateur et dispositif

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220325

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20240625