EP4101728A1 - System zur lokalen verwaltung des bahnverkehrs in bahnhöfen - Google Patents

System zur lokalen verwaltung des bahnverkehrs in bahnhöfen Download PDF

Info

Publication number
EP4101728A1
EP4101728A1 EP21305805.0A EP21305805A EP4101728A1 EP 4101728 A1 EP4101728 A1 EP 4101728A1 EP 21305805 A EP21305805 A EP 21305805A EP 4101728 A1 EP4101728 A1 EP 4101728A1
Authority
EP
European Patent Office
Prior art keywords
interface
signal
control
human
field device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP21305805.0A
Other languages
English (en)
French (fr)
Inventor
Gianluca Schettini
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alstom Holdings SA
Original Assignee
Alstom Transport Technologies SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alstom Transport Technologies SAS filed Critical Alstom Transport Technologies SAS
Priority to EP21305805.0A priority Critical patent/EP4101728A1/de
Publication of EP4101728A1 publication Critical patent/EP4101728A1/de
Pending legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/02Manual systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/30Trackside multiple control systems, e.g. switch-over between different systems

Definitions

  • the present invention concerns a system for locally managing railway traffic in railway stations, in particular in minor or local area railway stations.
  • railways stations are equipped with different types of field devices, such as point machines, track circuits, level crossings, light signals, et cetera, which should be properly managed in order to guarantee the proper functioning of the station and of the railway line along which the station is installed.
  • field devices such as point machines, track circuits, level crossings, light signals, et cetera
  • CLC central logic computer
  • known CLCs are configured to operate as a redundant reactive fail-safe machine, namely the components devised to manage the field devices are duplicated to form a normally operating machine and a second substantially identical back-up machine which is used only if there is any failure of the normally operating machine.
  • small stations e.g. stations installed along secondary or local railways lines or locations, includes a reduced number of tracks, e.g. up to a very few units, and the number of field devices used is correspondingly very limited when compared with that of large or main stations which include several main and parallel tracks, e.g. up to some tens.
  • a system for managing traffic at a railway station characterized in that it comprises at least:
  • system for managing traffic at a railway station may comprise one or more of the following features, which may be combined in any technical feasible combination:
  • any component as a whole, or to any part of a component, or to a combination of components, it has to be understood that it means and encompasses correspondingly either the structure, and/or configuration and/or form and/or positioning of the related component or part thereof, or combinations, such term refers to.
  • each of the above listed terms means and encompasses electronic circuits or parts thereof, as well as stored, embedded or running software codes and/or routines, algorithms, or complete programs, suitably designed for achieving the technical result and/or the functional performances for which such means are devised.
  • FIGS 1 and 2 schematically illustrate a system, indicated by the overall reference number 100, which is locally installed at and is suitable for managing railway traffic in an associated railway station, notably a local area or small railway station, schematically represented in figures 1 and 2 with the reference number 200.
  • the local managing system 100 comprises at least one field device, schematically represented by the reference number 1, which is installed in or is operatively associated with the railway station 200 and is under the control of the local managing system 100 itself.
  • the railway station 200 is a local or small one and therefore comprises a number of field devices substantially reduced with respect to main or bigger stations, it can comprise anyhow a certain number of field devices 1, such as point machines, track circuits, level crossings, light signals, et cetera; therefore, what described in the following about one field device 1 has to be understood as applicable in the same way to all field devices 1 installed in or operatively associated with the railway station 200 which are under the control of the local managing system 100.
  • field devices 1 such as point machines, track circuits, level crossings, light signals, et cetera
  • the system 100 further comprises a human-machine interface, indicated in figures 1 and 2 by the overall reference number 10, hereinafter referred to also as the "HMI" 10, which is configured for displaying to an operator at least fail-safe information indicative of the current operative status of the at least one field device 1 and for outputting an instruction signal S IN indicative of one or more fail-safe instructions, inputted by an operator, to be transmitted to and executed by the at least one field device 1.
  • HMI human-machine interface
  • fail-safe information or instructions it has to be understood hereby a type of displayed information or inputted instruction that if erroneous or failing would cause unsafe or harmful conditions to people or equipment once accepted or executed; against this type of potential error or failure, and in the way that will result more in details in the following description, the system 100 or part thereof is designed to inherently prevent or mitigate unsafe consequences, for example by timely identifying such potential error or failure, and then properly warning an operator and/or maintaining the relevant operative status at least as safe as it was before accepting the potentially erroneous information or before executing a potentially erroneous instruction.
  • the HMI 10 comprises for example an operator console and one or more video displays, schematically illustrated in the exemplary embodiments of figures 1 and 2 by the reference numbers 12 and 14, respectively.
  • system 100 further comprises at least a first control interface 20 which is configured at least:
  • system 100 comprises at least:
  • the first control system 30 comprises at least a first elaboration unit 32 and a first software module 34, wherein the first software module 34 includes coded instructions that, when executed by the first elaboration unit 32 cause the first elaboration unit 32 to execute said predefined first control logic and generate a first check signal S CK1 based on the first output signal S out outputted by the first control interface 20 towards the HMI 10, or a second check signal S CK2 based on said instruction signal S IN outputted by the HMI 10;
  • the second control system 40 comprises at least a second elaboration unit 42 and a second software module 44, wherein the second software module 44 includes coded instructions that, when executed by the second elaboration unit 42 cause the second elaboration unit 42 to execute said predefined second control logic and generate a third check signal S CK3 based on the first output signal S out outputted by the first control interface 20 towards the HMI 10, or a fourth check signal S CK4 based on said
  • the two control systems 30 and 40 are operatively linked to each other via a link 35, namely a link internal to the system 100.
  • the first control system 30 and the second control system 40 are for example constituted by or comprise each a corresponding server 30 and respectively 40, such servers being for example servers already installed in the railway station 200 and used for purposes other than those foreseen within the frame of the present invention.
  • first and second elaboration units 32 and 42 are formed or comprise each a corresponding processor device of such servers, and the first and second software modules 34 and 44 can be stored in memory or equivalent storage units of the servers 30, 40 themselves.
  • the system 100 comprises a communication interface 50 which is configured:
  • first and third check signals S CK1 and S CK3 consistent to each other or correspondingly of “second and fourth check signals S CK2 and S CK4 consistent to each other”
  • the information or informative content carried by such check signals should not be incoherent to each other, i.e. not substantially differing or even in contrast; in particular, such content should be in one possible embodiment identical to each other.
  • a first check signal S CK1 generated by the first control system 30 indicating that a certain light signal S1 is in a green status would be coherent with a third check signal S CK3 generated by the second control system 40 also indicating that the same light signal S1 is in a green status.
  • the third check signal S CK3 generated by the second control system 40 following the same first output signal S out emitted by the first control interface 20 would indicate that the light signal S1 is in a red status or that a different light signal S2 is in a green status, then the first and third check signals S CK1 and S CK3 would be inconsistent.
  • a second check signal S CK2 generated by the first control system 30 would be coherent with a fourth check signal S CK4 generated by the second control system 40 based on the same instruction signal S IN received also by the second control system 40, if such fourth check signal S CK4 would also indicate that the level crossing L1 should pass from "closed” to "opened”.
  • the communication interface 50 is further configured:
  • the communication interface 50 can output a signal resulting in a corrupted image displayed on one of the monitors 14, thus visually and clearly highlighting to an operator the occurrence of such erroneous condition.
  • a light signal such image can be constituted by a stain or patch of a color and/or form clearly unrelated to the usual or standard colors and/or forms used for displaying the current status of such light signal.
  • control signal Sc can be invalidated by the communication interface 50, for example by sending to the first control interface 20 an inhibiting signal which remains valid until the erroneous condition is not solved after a certain number of iterations, or if such erroneous condition continues, until when this erroneous condition is otherwise solved by a maintenance intervention on the equipment of the system 100 causing it.
  • the communication interface 50 is further configured to submit to an operator, who has inputted into the HMI 10 an instruction to be confirmed and executed using a safe device for confirmation 400, thus causing the generation of the corresponding signal S IN indicative of one or more fail-safe instructions to be transmitted to and executed by the at least one field device 1, a verification check requesting the operator to reconfirm if the inputted instruction, using the safe device for confirmation 400, reflects the true intention of the operator and should be effectively processed and in case executed.
  • the communication interface 50 can allow the instruction signal S IN to be routed ahead and be properly processed first by the control systems 30 and 40 in the manner and for the scope previously described, and thereafter finally elaborated and outputted by the first control interface 20, in the elaborated form of the Boolean command signal S c towards the relevant field device 1.
  • the verification check can be realized for instance via a simple question displayed on one of the video displays 14 to the attention of the operator.
  • the first control interface 20 is configured to generate the first output signal S out or the command signal Sc by executing one or more predetermined elaboration steps, following the reception in input from the communication interface 50 of the first confirmation signal S EN1 , or respectively following the acquisition in input of the first input signal S st indicative of the current operative status of the at least one field device 1.
  • connections means 105 Communications between the first control interface 20 and the various field devices 1, as well as between the communication interface 50 and the first control interface 20 is realized by connections means 105 using for example a vital or fail-safe field bus.
  • the communication network realized by the connections means 105 is external to the components/parts of the system 100.
  • system 100 further comprises a second control interface 60, operatively linked with the first control interface 20, which is adapted to verify if the first control interface 20 executed correctly the one or more predetermined elaboration steps, i.e. it followed the exact and predetermined sequence of elaboration steps.
  • the first and second control interfaces 20 and 60 are operatively linked to each other via a link 25, namely a link internal to the system 100 itself.
  • the first control interface 20 informs, via the link 25, the second control interface 60 that it has completed the sequence of elaboration steps and thus the second control interface 60 is triggered to check if the first control interface 20 operated correctly and in particular followed exactly the predetermined sequence.
  • the first control interface 20 is embedded into the first control system 30.
  • the first control interface 20 is constituted by or comprises a software module 22 which is embedded for example into a memory or storage unit of the first control system 30, e.g. in its server, and contains coded instructions which are executed by the first processing unit 32.
  • the software module 22 of the first control interface 20 comprises a software Boolean engine 22 configured to generate the first output signal S out and the command signal Sc in the form of Boolean logic signals.
  • the second control interface 60 is embedded into the second control system 40.
  • the second control interface 60 is constituted by or comprises a software module 62 which is embedded for example into a memory or storage unit of the second control system 40, e.g. in its server, and contains coded instructions which are executed by the second processing unit 42.
  • the software module 62 of the second control interface 60 comprises a software Boolean engine 22 configured to generate signals in the form of Boolean logic signals.
  • the communication interface 50 is embedded into one of the first and second control system 30, 40.
  • the communication interface 50 is constituted by or comprises a software module 52 which includes coded instructions executed by the first processing unit 32 or by the second processing unit 42.
  • the communication interface 50 is embedded into the second control system 40, e.g. it is stored in a storage or memory unit of the server 40, and the coded instructions of its software module 52 are executed by the second processing unit 42.
  • the communication interface 50 receives directly the signals to be transmitted from the HMI 10 or from the first control interface 20, which signals are shared, via the internal link 35, by the first and second control systems 30 and 40 which process them in order to generate the corresponding check signals.
  • the communication interface 50 outputs towards the first control interface 20 the first enabling signal S EN1 or towards the human machine interface 10 the second enabling signal SEN2.
  • the system 100 comprises a third control interface 70, which is operatively linked to the first and second control interfaces 20, 60 and to the communication interface 50.
  • the control interface 70 is used in order to provide the system 100 with an adequate redundancy, for example to replace at least the first control interface 20 if it does not function properly.
  • control interface 70 is configured, likewise the first control interface 20, at least:
  • the third control interface 70 is an entity separated from the first and second control interfaces 20 and 60 and comprises an own further processing unit 72 and at least a further software module 74 which includes coded instructions executed by said further processing unit 72.
  • the further software module 74 of the third control interface 70 comprises a software Boolean engine 74 configured to generate the further output signal S out and said further command signal Sc in the form of Boolean logic signals.
  • the third control interface 70 is further configured to verify, in the same manner as done by the second control interface 60, if the first control interface 20 executed correctly the one or more predetermined elaboration steps; to this end, the control interface 70 can be provided with the same software module 62 of the second control interface 60.
  • the third control interface 70 is in a sleeping mode, while it can replace either the first control interface 20 or the second control interface 60 if any of them malfunctions.
  • the communications between the third control interface 70 with the first control interface 20, the communication interface 50, and the various field devices 1, is also realized by connections means 105 using for example a vital or fail-safe field bus, which are external to the components/parts of the system 100.
  • the third control interface 70 is operatively linked with the first and second control interfaces 20 via a respective link 75, 76, namely two corresponding links internal to the system 100 itself.
  • the system 100 comprises an additional control system 80 which includes for example a server 82, a workstation 84 and a monitor 86.
  • the control system 80 is configured to exchange with said communication interface 50, for example some basic or non fail-safe data related to the railway traffic in the station 200 to be displayed by the HMI 10.
  • non-fail-safe data can include for instance information about the identification number and routes of trains going to transit from the station 200, et cetera.
  • the control system 80 can be in operative communication with the first control interface 20, in order for example to send to it non fail-safe or non safety-related command or control signals.
  • the communication between the system 80 and the communication interface 50 and/or the first communication interface 20 is realized by connections 110 using for example a non-vital field bus.
  • this type of basic information can be conveyed by the communication interface 50 to the first and second control system 30 and 40 in order for them to elaborate the information received and output each a corresponding further checking signal. Also in this case, the information received from the control system 80 can be displayed on the HMI 10 only if such two further checking signals are consistent to each other.
  • the HMI 10 can be configured to integrate also the functionalities executed by the additional control system 80, thus allowing to input and visualize directly on one of its video display 14, also these basic or non-fail safe data or information, as well as any other non-fail safe related commands or controls.
  • the system 100 achieves the intended aim and objects since it allows to manage traffic, and in particular to control field devices, especially at small stations, according to a simplified architecture.
  • the system 100 allows sparing in particular hardware parts and also connections with a remote central logic computer, thus reducing at the same time the burden of the logic motor executed by the remote central logic computer itself; in particular, where available, the system 100 can additionally exploit hardware components/parts already installed in small stations for other purposes, such as the servers 30 and 40 which can be properly configured, via the use of the described software modules, to implement the functionalities foreseen within the frame of the present invention for the limited environment of a small station.
  • the two control systems 30, 40 realize a "composite fail-safe" two-out-of-two (2oo2) protection architecture by verifying the consistency of the outputs provided by the HMI 10 and the first control interface 20.
  • the second control interface 60 adds a further margin of safety by checking the correctness of the elaborations executed by the first control interface 20 and, when implemented, the third control interface 70 provides redundancy.
  • the system 100 thus conceived is susceptible of modifications and variations, all of which are within the scope of the inventive concept as defined in particular by the appended claims, and contemplates any possible combination of the embodiments or parts thereof hereinbefore described; for example, it is possible to use the third control interface 70 also in the embodiment of figure 1 , and in such a case the additional control system 80 can be operatively connected also to it via a further connection 110 using for example a vital or fail-safe field bus.
  • the components or parts described can be shaped or positioned differently from what described, or there could be a number of components different from that described; for example one or more of the first control interface 20, the second control interface 60 and the communication interface 50 can be realized as an entity separated from the respective first control system 30 and second control system 40 and can include an own processor for executing the coded instruction of the own software module 22, 52, 62.
  • the described servers and/or elaboration or processing units can be constituted by, or comprise, any suitable server or processorbased device, e.g. a processor of a type commercially available, suitably programmed and provided to the extent necessary with circuitry, in order to perform the innovative functionalities devised for the system 100 according to the present invention, et cetera.

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Safety Devices In Control Systems (AREA)
EP21305805.0A 2021-06-11 2021-06-11 System zur lokalen verwaltung des bahnverkehrs in bahnhöfen Pending EP4101728A1 (de)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP21305805.0A EP4101728A1 (de) 2021-06-11 2021-06-11 System zur lokalen verwaltung des bahnverkehrs in bahnhöfen

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP21305805.0A EP4101728A1 (de) 2021-06-11 2021-06-11 System zur lokalen verwaltung des bahnverkehrs in bahnhöfen

Publications (1)

Publication Number Publication Date
EP4101728A1 true EP4101728A1 (de) 2022-12-14

Family

ID=76708167

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21305805.0A Pending EP4101728A1 (de) 2021-06-11 2021-06-11 System zur lokalen verwaltung des bahnverkehrs in bahnhöfen

Country Status (1)

Country Link
EP (1) EP4101728A1 (de)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140229040A1 (en) * 2012-09-10 2014-08-14 Siemens Industry, Inc. Railway safety critical systems with task redundancy and asymmetric communications capability
EP3608200A1 (de) * 2017-11-13 2020-02-12 Crsc Research & Design Institute Group Co., Ltd. Verfahren und system zur abfertigung eines schienenstationstransports

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140229040A1 (en) * 2012-09-10 2014-08-14 Siemens Industry, Inc. Railway safety critical systems with task redundancy and asymmetric communications capability
EP3608200A1 (de) * 2017-11-13 2020-02-12 Crsc Research & Design Institute Group Co., Ltd. Verfahren und system zur abfertigung eines schienenstationstransports

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANDREAS LINHARDT: "Ein Konzept, viele Anwendungen – Der Doppelrechner A212 als sicheres Modul / One concept, multiple applications – the A212 double controller as a safe module", SIGNAL UND DRAHT: SIGNALLING & DATACOMMUNICATION, vol. 108, no. 1+2, 9 February 2016 (2016-02-09), DE, pages 36 - 43, XP055249254, ISSN: 0037-4997 *

Similar Documents

Publication Publication Date Title
US10589765B2 (en) Railway safety critical systems with task redundancy and asymmetric communications capability
US7328369B2 (en) Inherently fail safe processing or control apparatus
US20140074327A1 (en) Railway train critical systems having control system redundancy and asymmetric communications capability
CN102238231B (zh) Ctcs-3级无线闭塞中心设备及系统
US20210349443A1 (en) Method and apparatus for the computer-aided creation and execution of a control function
US11420662B2 (en) Device and method for the safe management of vital communications in the railway environment
CN112714173B (zh) 一种站台门控制器云平台系统及控制方法
JP7263675B2 (ja) ヒューマンマシンインタフェースのリモート制御のための方法およびヒューマンマシンインタフェース
EP4101728A1 (de) System zur lokalen verwaltung des bahnverkehrs in bahnhöfen
CN113791937A (zh) 一种数据同步冗余系统及其控制方法
AU2018202939A1 (en) Railway safety critical systems with task redundancy and asymmetric communications capability
CN107864204B (zh) 一种自适应的车辆参数自动识别和共享方法
CN113836127B (zh) 一种应用于区域控制器的数据校核方法
CN103144657B (zh) 带校验板的通用轨旁安全平台主处理子系统
CN110406562A (zh) 检测道岔位置信号的装置和方法以及道岔控制系统
CN114940195A (zh) 列车运行安全防护方法及系统
JP5612995B2 (ja) 入力バイパス型のフェイルセーフ装置及びフェイルセーフ用プログラム
JP6356325B1 (ja) リレー制御装置
CN111124418A (zh) 一种基于vcp冗余代码的通信数据超时判断方法
KR100835383B1 (ko) 시간여분을 이용한 철도신호용 이중계구조 결함허용 제어기
CN105184171B (zh) 安全计算机平台文件系统的组件、运行方法及信息处理装置
JP2005511386A (ja) 安全性の要求される鉄道運転プロセスの制御方法およびこの方法を実施するための装置
Kantz et al. Communication in train control
CN116279693A (zh) 一种双系冗余的列车运行控制系统
CN117349106A (zh) 一种针对列控中心接口数据安全性的软件检查方法及装置

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

17P Request for examination filed

Effective date: 20221122

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230823

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ALSTOM HOLDINGS