EP4234359A1 - System and method for displaying the status of a railway transportation plant - Google Patents


Info

Publication number
EP4234359A1
Application number
EP23158266.9A
Authority
EP (European Patent Office)
Prior art keywords
images, stream, processor, terminal, cots
Legal status
Pending (as listed by Google Patents; not a legal conclusion)
Other languages
English (en), French (fr)
Inventors
Mario BARBARESCHI, Salvatore De Simone, Innocenzo Mungiello, Tommaso Zoppi
Current assignee
Rete Ferroviaria Italiana SpA
Original assignee
Rete Ferroviaria Italiana SpA

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L25/00 Recording or indicating positions or identities of vehicles or vehicle trains or setting of track apparatus
    • B61L25/06 Indicating or recording the setting of track apparatus, e.g. of points, of signals
    • B61L25/08 Diagrammatic displays
    • B61L27/00 Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/30 Trackside multiple control systems, e.g. switch-over between different systems

Definitions

  • This invention relates to a system and a method for displaying a status of a railway transportation plant on a terminal of a commercial type connected on an open network.
  • open network means, as defined in CENELEC EN 50159, an "open transmission system - a transmission system with an unknown number of participants, with unknown, variable and unreliable properties, used for unknown telecommunications services and with potential for unauthorised access”.
  • the invention relates to the sector of safely displaying the status of a railway transportation plant or parts of it, that is to say, railway bodies such as, for example, signals, switches, track circuits, level crossings and others;
  • the invention also relates to the sector of safely forwarding commands for managing the status of a railway transportation plant or parts of it, by an operator through an operator terminal of a commercial type connected on an open network.
  • user interfaces, that is, display and control systems such as a luminous panel and an operator terminal, allow an operator to understand the status of the railway transportation plant and to impart commands for managing it; mobile user interfaces, such as tablet devices, comprise a display screen and a system for imparting commands.
  • the safety of railway signalling is managed by a command and control platform, also called the safety nucleus or central apparatus, which in the railway sector is designed to safely execute the routing logic and the spacing of trains and to check the compatibility between the commands sent by an operator and the status of the railway transportation plant, so that conflicting movements cannot be performed. To guarantee correct operation of the system, the command and control platform must therefore meet certain safety requirements; in the rail sector these systems are developed in accordance with the European CENELEC safety standards and must meet the requirements of SIL4 (Safety Integrity Level 4) as defined in EN 50126, EN 50128 and EN 50129.
  • the display and control systems for managing the plant, that is, the user interfaces, must likewise comply with a sufficiently high safety standard, so that the operator's actions are performed safely and consistently with the status of the railway transportation plant.
  • known display systems use procedures for checking the correctness and integrity of the information and images regarding the status of the plant to be displayed.
  • patent document EP3438828B1 describes a system in which the correct display of the image is checked by a feedback control between the image to be displayed, generated by a COTS device, and the data acquired from a safety nucleus (that is, a command and control platform) from which the image was generated. Since the image is generated inside a COTS device, the measures adopted to achieve a sufficiently high safety standard, which include the feedback mechanism, make the system complex and its performance potentially critical.
  • patent document ITGE2011000034 describes a system in which a first processor generates an image and sends it to a screen, from which a frame grabber device captures the image and sends it to a second processor; the second processor generates a second image and compares it with the image captured by the frame grabber. In this case, too, the check is therefore performed by feedback.
  • the presence of the frame grabber device and of the feedback control make the system complex.
  • such a system is difficult to implement on portable (mobile) devices connected on an open network and cannot use commercial (COTS) terminals.
  • patent document IL72348A describes two processors which each generate the graphical information (that is, the symbols) in parallel and transfer it to two display controllers, which transform the information into images. These images are sent both to a display (denoted BS in the drawings) and back to the two processors over a feedback channel which uses a shift register. The two processors compare the information received byte by byte and, if the comparison fails, the transmission is interrupted.
  • the method described in patent document IL72348A can be used efficiently because the images generated have a low resolution (approximately 500x500 pixels).
  • the display on which the image is shown is a display completely controlled by the operator, and therefore not a COTS display; this system is therefore not well suited to processing high-resolution images, nor to displaying them on COTS displays.
  • the aim of the invention is to provide a system and a method for displaying the status of a railway transportation plant by means of a COTS operator terminal connected on an open network, which overcomes the drawbacks of the prior art techniques mentioned above and which is simple to construct.
  • the system comprises a command and control platform, configured to provide a flow of input data.
  • the flow of input data represents the status of the railway transportation plant or parts of the railway transportation plant, that is to say, railway bodies such as, for example, signals, points, track circuits, level crossings and others.
  • the system comprises a calculation terminal, configured for receiving the flow of input data from the command and control platform; the calculation terminal complies with the requirements for the maximum level of safety integrity specified for safety-critical applications by CENELEC EN 50128 and EN 50129 (SIL4).
  • the calculation terminal is configured for generating a flow of first images and a flow of second images starting from the flow of input data.
  • the images of the flow of first images and of the flow of second images are in a raw format, that is, each image is generated by saving, for each pixel, its R, G and B components (preferably without additional information and without further processing of those components); the calculation terminal is configured for converting the images of both flows from the raw format to a standard format.
  • the flow of input data includes a plurality of data series, each data series of the plurality of data series representing the status of the railway transportation plant or parts of the railway transportation plant at a same instant.
  • Each image of the flow of first images is generated starting from a respective data series of the plurality of data series.
  • each image of the flow of second images is generated starting from a respective data series of the plurality of data series.
  • the calculation terminal includes a first processor and a second processor, which receive as input the same flow of input data and generate from it, in parallel, a flow of first images and a flow of second images respectively; each processor generates one image per data series, thereby forming its own flow.
  • the first processor and the second processor are programmed to generate their respective images in raw format and to convert each image from the raw format to a predetermined standard format, for example jpeg, gif, png or bitmap.
  • a first image of the flow of first images generated from a given data series and the corresponding second image of the flow of second images generated from the same data series form a pair of images; starting from the two flows, the calculation terminal thus generates a flow of pairs of images.
  • the first processor and the second processor can be programmed to generate their images in raw format by executing applications (that is, software) which comply with the requirements specified for the maximum level of safety integrity for safety-critical applications (for example, SIL4 according to CENELEC EN 50128), without the need to use commercial graphics libraries.
  • here "non-commercial graphics library" means a graphics library which has a certification (for example, for a given SIL level) and/or whose source code is possessed, whereas "commercial graphics library" means a graphics library which has no safety certification and/or whose source code is unavailable; a commercial graphics library may be provided free of charge or under a paid license.
  • the calculation terminal is configured for generating a flow of output images, for example, starting from the flow of first or second images.
  • the flow of output images may be intended to be displayed, for example by an operator terminal.
  • the operator terminal may be formed by a COTS device.
  • the COTS device may be connected to the calculation terminal via an open network.
  • the open network may comprise one of the 3G, 4G, LTE or 5G mobile networks.
  • the calculation terminal is configured for checking that, for each pair formed by a first image of the flow of first images and the corresponding second image of the flow of second images, the first and the second image are consistent with each other, that is, that they coincide; the check may be performed on the images in raw format or in a standard format.
  • in response to a positive outcome of this check, the calculation terminal enables the output transmission of the flow of output images.
  • the software run on the first and on the second processor, including the image generating software, complies with the requirements specified for the maximum level of safety integrity for safety-critical applications (for example, SIL4 according to the railway standard CENELEC EN 50128), and thus does not use commercial off-the-shelf (COTS) libraries, in particular COTS graphics libraries.
  • the system is thus protected against errors in the image generation process of either the first or the second processor.
  • the pair of images is not checked according to a feedback logic: the flow of output images intended for display is only transmitted after the consistency check on the images of the pair has returned its result. This contributes to making the display on the COTS operator terminal safe.
  • the first processor and the second processor generate their respective flows of images from the flow of input data by means of applications which comply with the requirements specified for the maximum safety levels.
  • an output image of the flow of output images preferably shows the operator, on a screen, a graphical view of the status of the railway transportation plant or of parts of it, such as the position of a points device, the aspect of a signal, and so on.
  • the system comprises a memory, in which a graphical data structure is loaded.
  • the graphical data structure includes a plurality of graphical data records wherein the graphical data records represent the symbols included in a reference image of the railway transportation plant and represent the position of the symbols inside the reference image.
  • the graphical data structure conforms to a predetermined level of safety integrity.
  • the memory comprises instructions for managing the output image.
  • the management instructions comply with predetermined safety integrity requirements;
  • the calculation terminal may be programmed to perform the management instructions of the image representing the status of a railway transportation plant and generate the output image.
  • the calculation terminal includes a bi-directional communication channel connecting the first processor and the second processor, configured for sharing information between them.
  • the first and the second processor are programmed to check the correspondence of each pair of images formed by a first image of the flow of first images and the corresponding second image of the flow of second images; to do so they exchange, that is, share, information over the channel, which may include, for example, the first and the second image.
  • each of the two processors is programmed to check each pair of the flow of pairs of images and to generate a respective check signal (a first check signal from the first processor, a second check signal from the second processor) representing the consistency of the pair; the first and the second processor thus generate a flow of first check signals and a flow of second check signals respectively.
  • each processor is programmed to derive a signature from its own image (a first signature from the first image, a second signature from the second image), and the information shared between the processors includes both signatures for each pair of images; each processor thus derives a flow of signatures from its flow of images.
  • because the processors exchange signatures rather than whole images, the consistency check is performed not on the images themselves but on the signatures derived from them, which makes the check faster.
  • the signature of an image may be derived by applying to the image a function which identifies it uniquely, for example a hash function (with a cryptographic hash, two different images yield the same signature only with negligible probability).
  • the calculation terminal is equipped with a real-time operating system, which ensures the determinism of the operations carried out under its supervision and can comply with the requirements specified for the maximum level of safety integrity for safety-critical applications by CENELEC EN 50128 and EN 50129 (SIL4).
  • the calculation terminal may be configured to perform, under the supervision of the real-time operating system, some of the operations for which the first and the second processor are programmed. These functions can include, for example:
  • the system comprises an operator terminal, which can be used for example by a railway operator; it may be a fixed terminal, such as a COTS computer, or a COTS mobile terminal, such as a tablet or smartphone, and includes a screen for displaying the flow of output images.
  • the system comprises a transfer server, whose purpose is to transfer data, for example the flow of output images, to the operator terminal, preferably a COTS operator terminal.
  • the transfer server also provides a protected workspace, that is, a working environment in which communications to and from the operator terminal are carried out securely and protected from intrusion, which matters especially when the operator terminal is a COTS device.
  • the transfer server complies with the applicable security requirements of Directive (EU) 2016/1148 (the NIS Directive).
  • the calculation terminal may be configured for encrypting, and optionally also compressing, each image of the flow of output images and for transmitting it in that form to the transfer server.
  • the transfer server may be configured to decrypt (and, where applicable, decompress) each image of the flow of output images and to make the flow available to a COTS operator terminal operatively connected to it through a communication connection which is available at least temporarily, that is, at least for the time needed to complete a work session.
  • the COTS operator terminal may be configured to connect to the transfer server by means of a network authentication procedure, by which an operator enters its own access credentials, that is to say, a user name and a password.
  • the system may include a management server, configured to receive the access credentials from the operator terminal and manage the network authentication procedure, enabling the communication connection between the operator terminal and the transfer server for the time necessary for the completion of a work session.
  • the transfer server may be a web server, designed to transfer the flow of output images to the COTS operator terminal through a web page: it receives the flow from the calculation terminal, decrypts and decompresses each image, creates a web page containing the image corresponding to the updated status of the plant, and transmits the page to the COTS operator terminal, for example over a connection on an open network.
  • the transfer server is designed to transfer the flow of output images to a COTS device in a way that increases the security and protection of the flow.
  • the transfer server may also forward each image of the flow of output images to the COTS operator terminal still in encrypted and compressed form, in which case the COTS operator terminal is configured to decrypt and then decompress each image (the reverse of the order in which it was prepared).
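One way to arrange the compress-then-encrypt step on the calculation terminal and its reverse on the receiving side, as an added example that is not code from the patent or from Rete Ferroviaria Italiana. The frame header with a sequence number, the rejection of stale or replayed frames (an old frame replayed onto the link would show the operator a status that is no longer current), and the keystream construction (HMAC-SHA256 in counter mode, standing in for an AEAD such as AES-GCM, which the Python standard library does not provide) are all assumptions of this example; the key sizes and the 4x4 test frames are constructed here.

```python
"""Compress, encrypt and authenticate output frames for the transfer server.

Example code, not the patent's own. Order on the sender: compress, then
encrypt, then append an authentication tag over header and ciphertext.
Order on the receiver: verify the tag, then decrypt, then decompress.
"""
import hashlib
import hmac
import secrets
import struct
import zlib

HEADER = struct.Struct(">QI")   # assumed header: sequence number, compressed length
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class Sender:
    """Calculation terminal side."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def pack(self, raw_image):
        self.seq += 1                                   # strictly increasing per frame
        compressed = zlib.compress(raw_image, 9)        # compress the raw RGB frame first
        nonce = secrets.token_bytes(NONCE_LEN)          # fresh nonce per frame
        header = HEADER.pack(self.seq, len(compressed))
        ct = _xor(compressed, _keystream(self.enc_key, nonce, len(compressed)))
        body = header + nonce + ct
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()  # MAC covers header too
        return body + tag


class Receiver:
    """Transfer server side."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, 0

    def unpack(self, frame):
        """Return the raw image, or None if the frame is tampered, stale or replayed."""
        if len(frame) < HEADER.size + NONCE_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                                 # verify before touching the payload
        seq, clen = HEADER.unpack_from(body)
        nonce = body[HEADER.size:HEADER.size + NONCE_LEN]
        ct = body[HEADER.size + NONCE_LEN:]
        if seq <= self.last_seq or len(ct) != clen:
            return None                                 # replayed/stale frame or bad length
        compressed = _xor(ct, _keystream(self.enc_key, nonce, len(ct)))
        try:
            raw = zlib.decompress(compressed)
        except zlib.error:
            return None
        self.last_seq = seq
        return raw


def demo():
    """Honest frames, a replayed old frame and a tampered frame (all constructed)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    tx, rx = Sender(enc_key, mac_key), Receiver(enc_key, mac_key)
    frame_a = bytes((255, 0, 0)) * 16                   # 4x4 raw RGB image, all red
    frame_b = bytes((0, 255, 0)) * 16                   # 4x4 raw RGB image, all green
    f1, f2 = tx.pack(frame_a), tx.pack(frame_b)
    got_a, got_b = rx.unpack(f1), rx.unpack(f2)
    replay = rx.unpack(f1)                              # old frame again: rejected
    tampered = bytearray(tx.pack(frame_a))
    tampered[HEADER.size + NONCE_LEN] ^= 0xFF           # flip a ciphertext byte: tag fails
    bad = rx.unpack(bytes(tampered))
    return got_a, got_b, replay, bad


if __name__ == "__main__":
    print([x is not None for x in demo()])
```

The tag is checked before any decryption or decompression so that a forged frame never reaches zlib, and the sequence check is done only after the tag has verified, since an unauthenticated header could otherwise be used to advance the receiver's counter and block genuine frames.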
  • the operator terminal may include a control system for controlling the railway transportation plant or parts of it, for example a touch screen monitor, a mouse and/or a keyboard, through which the operator interacts with the operator terminal to impart commands; the operator terminal is connected to the calculation terminal and sends it a control signal for controlling the plant or parts of it.
  • the system may comprise an authorisation system for checking and authorising the control signals generated by the operator terminal: the calculation terminal receives a control signal from the operator terminal and generates, in response, a one-time password together with a request signal asking the operator to enter it; the operator terminal receives the one-time password and the request signal, and returns the one-time password to the calculation terminal.
  • the one-time password is transmitted from the calculation terminal to the operator terminal over a communication channel different from the one used to return it from the operator terminal to the calculation terminal: for example, delivery by SMS and return over a data connection, or two different connections using the same technology (for example two data connections).
  • the channel over which the one-time password is transmitted from the calculation terminal to the operator terminal is also different from the channel carrying the flow of output images from the calculation terminal to the operator terminal.
  • the system may comprise a personal mobile device, for example a smartphone issued to the operator, connected to the calculation terminal for delivery of the one-time password, while the return of the one-time password occurs over the channel between the operator terminal (for example a tablet or a computer) and the calculation terminal.
  • the transmission and return of the one-time password take place inside the protected workspace through which all data to and from the operator terminal, including images, commands, user authentication data and encryption data, is transmitted.
  • the calculation terminal is configured to check that the one-time password it generated and transmitted to the operator terminal and the one-time password returned by the operator terminal are consistent with each other; on a positive outcome, it transmits the control signal to the command and control platform, so that only positively checked commands reach the platform.
  • the COTS operator terminal is programmed for generating and transmitting to the calculation terminal, in addition to the control signal, a signal confirming the command by the operator.
  • the calculation terminal may be programmed for receiving the command confirmation signal from the operator and for transmitting the command signal to the command and control platform, upon receiving the command confirmation signal.
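The exchange described in the authorisation bullets above, played through with both sides' messages, as an added example that is not code from the patent or from Rete Ferroviaria Italiana. The SMS gateway and the command and control platform are stubs; the binding of the one-time password to the specific command it authorises, its single use, its expiry time and the six-digit format are assumptions added for this example (the text only requires that the generated and returned passwords be consistent), and the constant-time comparison is the practitioner's choice for the consistency check.

```python
"""Out-of-band one-time password check for operator commands.

Example code, not the patent's own. Flow: control signal in over the data
channel -> OTP generated and sent over a second channel (SMS stub) ->
operator returns OTP plus confirmation over the data channel -> only a
positively checked command is forwarded to the command and control platform.
"""
import hmac
import secrets
import time


class SmsGateway:
    """Stub for the second channel: delivers OTPs to the operator's phone."""

    def __init__(self):
        self.inbox = {}                      # phone number -> last message text

    def send(self, phone, text):
        self.inbox[phone] = text


class CommandControlPlatform:
    """Stub for the safety nucleus; records which commands reach it."""

    def __init__(self):
        self.received = []

    def execute(self, command):
        self.received.append(command)


class CalculationTerminal:
    OTP_DIGITS = 6          # assumption
    OTP_LIFETIME_S = 60.0   # assumption

    def __init__(self, sms, platform, clock=time.monotonic):
        self.sms, self.platform, self.clock = sms, platform, clock
        self.pending = {}   # request id -> (otp, bound command, deadline)

    def receive_control_signal(self, operator_phone, command):
        """Data channel in: a control signal. Returns the request signal (an id);
        the OTP itself travels only over the SMS channel."""
        otp = "".join(str(secrets.randbelow(10)) for _ in range(self.OTP_DIGITS))
        req_id = secrets.token_hex(8)
        self.pending[req_id] = (otp, command, self.clock() + self.OTP_LIFETIME_S)
        self.sms.send(operator_phone, f"Code {otp} for: {command}")
        return req_id

    def receive_confirmation(self, req_id, returned_otp, command, confirmed):
        """Data channel in: returned OTP and the operator's confirmation signal.
        Returns True only if the command was forwarded to the platform."""
        entry = self.pending.pop(req_id, None)         # single use, even on failure
        if entry is None or not confirmed:
            return False
        otp, bound_cmd, deadline = entry
        if self.clock() > deadline or command != bound_cmd:
            return False                               # expired, or command swapped
        if not hmac.compare_digest(otp, str(returned_otp)):
            return False                               # OTPs not consistent
        self.platform.execute(command)
        return True


def otp_from_sms(text):
    """Operator reads the code off the SMS (constructed message format)."""
    return text.split()[1]


def demo():
    """Honest flow, a replay, a wrong guess and a swapped command (all constructed)."""
    sms, platform = SmsGateway(), CommandControlPlatform()
    ct = CalculationTerminal(sms, platform)
    phone = "+39000000000"                              # constructed
    cmd = "set points P2 reverse"
    rid = ct.receive_control_signal(phone, cmd)
    code = otp_from_sms(sms.inbox[phone])
    ok = ct.receive_confirmation(rid, code, cmd, True)
    replay = ct.receive_confirmation(rid, code, cmd, True)      # same OTP again
    cmd2 = "set signal S1 green"
    rid2 = ct.receive_control_signal(phone, cmd2)
    real2 = otp_from_sms(sms.inbox[phone])
    wrong = "000000" if real2 != "000000" else "111111"
    guess = ct.receive_confirmation(rid2, wrong, cmd2, True)    # no access to the SMS
    rid3 = ct.receive_control_signal(phone, cmd2)
    code3 = otp_from_sms(sms.inbox[phone])
    swapped = ct.receive_confirmation(rid3, code3, "set signal S1 red", True)
    return ok, replay, guess, swapped, list(platform.received)


if __name__ == "__main__":
    print(demo())
```

Binding the password to the command is what stops an attacker on the data channel from letting the operator authorise one command and then substituting another with the same returned code; the text's two-channel split protects the password in transit, but without the binding the check would only prove that some command was confirmed.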
  • the calculation terminal includes a watchdog circuit connected to the first processor and to the second processor; the watchdog circuit can comply with the requirements specified for the maximum level of safety integrity for safety-critical applications by CENELEC EN 50128 and EN 50129 (SIL4).
  • the watchdog circuit receives the first check signal from the first processor and the second check signal from the second processor, and disables the transmission of the output image from the calculation terminal whenever at least one of the two check signals represents a negative outcome of the check of the corresponding pair of images.
  • by disabling the transmission of the output image, the watchdog circuit prevents the operator from taking potentially dangerous decisions on the basis of a display which is inconsistent with the status of the plant.
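The two-processor scheme described in the bullets on the bi-directional channel and the signatures, together with the watchdog gate described immediately above, as an added example that is not code from the patent or from Rete Ferroviaria Italiana. Two renderers turn the same data series into raw RGB images, each hashes its own image, the digests are exchanged, each processor emits its check signal, and the watchdog only passes the output image when neither signal is negative. The symbol table, colour map, image size, input series and the single-bit fault injected into the second renderer are all constructed for this example; SHA-256 is the assumed hash.

```python
"""Two-channel raw image generation with signature exchange and watchdog gate.

Example code, not the patent's own. Raw format here means 3 bytes (R, G, B)
per pixel with no header, as the text defines it.
"""
import hashlib
from dataclasses import dataclass

WIDTH, HEIGHT = 8, 4                                   # tiny reference image (constructed)

# Constructed graphical data structure: symbol name -> (x, y) in the reference image.
GRAPHICAL_RECORDS = {"signal_S1": (1, 1), "points_P2": (5, 2)}

# Constructed status -> RGB colour map.
COLOURS = {"red": (255, 0, 0), "green": (0, 255, 0),
           "normal": (0, 0, 255), "reverse": (255, 255, 0)}


def render_raw(series, mutate=None):
    """Render one data series to a raw RGB image (bytes). `mutate` is a fault
    hook used only to simulate a faulty processor; it is not part of the scheme."""
    pixels = bytearray(WIDTH * HEIGHT * 3)             # black background
    for body, status in series.items():
        x, y = GRAPHICAL_RECORDS[body]
        off = (y * WIDTH + x) * 3
        pixels[off:off + 3] = bytes(COLOURS[status])
    if mutate:
        pixels = mutate(pixels)
    return bytes(pixels)


def signature(image):
    """Signature of an image: a cryptographic hash of its raw bytes."""
    return hashlib.sha256(image).digest()


@dataclass
class Processor:
    name: str
    fault: object = None                               # optional mutate hook

    def generate(self, series):
        img = render_raw(series, self.fault)
        return img, signature(img)

    def check(self, own_sig, peer_sig):
        """Check signal: True when own and peer signatures coincide."""
        return own_sig == peer_sig


def watchdog(check1, check2):
    """Transmission is enabled only if neither check signal is negative."""
    return check1 and check2


def process_series(p1, p2, series):
    """One data series -> (enabled, output image or None)."""
    img1, sig1 = p1.generate(series)
    img2, sig2 = p2.generate(series)
    c1 = p1.check(sig1, sig2)                          # signatures exchanged over the
    c2 = p2.check(sig2, sig1)                          # bi-directional channel
    enabled = watchdog(c1, c2)
    return enabled, (img1 if enabled else None)


def run_stream(p1, p2, stream):
    """Process a whole flow of data series; returns a list of (enabled, image)."""
    return [process_series(p1, p2, s) for s in stream]


# Constructed flow of input data: one data series per instant.
INPUT_STREAM = [
    {"signal_S1": "red", "points_P2": "normal"},
    {"signal_S1": "green", "points_P2": "reverse"},
]


def flip_one_bit(pixels):
    """Simulated fault in one renderer: a single bit of the image is wrong."""
    pixels[0] ^= 0x01
    return pixels


if __name__ == "__main__":
    healthy = run_stream(Processor("P1"), Processor("P2"), INPUT_STREAM)
    faulty = run_stream(Processor("P1"), Processor("P2", fault=flip_one_bit), INPUT_STREAM)
    print([e for e, _ in healthy], [e for e, _ in faulty])
```

Comparing digests rather than images keeps the exchange over the inter-processor channel small, but the comparison must be made on the raw images or on output produced by identical, deterministic encoders: if the two processors converted to jpeg with different encoder settings, the pair would never coincide and the watchdog would block every frame.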
  • the invention also provides a method for displaying a status of a railway transportation plant.
  • the method comprises a step of preparing, by a command and control platform, a flow of input data representing the status of the railway transportation plant.
  • the method comprises a step of receiving, at a calculation terminal, a flow of input data.
  • the computer terminal is in compliance with the requirements for the maximum levels of safety integrity as specified for safety-critical applications and defined by CENELEC EN 50128 and EN 50129 (that is, SIL4).
  • the method comprises a step of generating, by the calculating terminal starting from a flow of input data, a flow of first images.
  • the images of the flow of first images are, for example, in raw format.
  • the method comprises a step of generating, by the calculating terminal, starting from a flow of input data, a flow of second images.
  • the images of the flow of second images are, for example, in raw format.
  • the method comprises a step of converting, by the calculation terminal, the images of the flow of first images from the raw format to a standard format
  • the method may comprise a step of converting, by the calculation terminal, a flow of second images from the raw format to a standard format.
  • the method comprises a step of checking, by the calculation terminal, for each pair of images formed by a first image of a flow of first images and by a corresponding second image of the flow of second images, that the first and the second images are consistent with each other.
• the method comprises a step of transmitting, by the calculation terminal (that is to say, enabling the calculation terminal for the transmission), the stream of output images, for example obtained from the stream of first or second images.
  • the calculation terminal includes a first processor and a second processor.
  • the method comprises a step of receiving, at the calculation terminal, the flow of input data.
  • the method comprises a step of generating, by the first processor, starting from the flow of input data, a flow of first images.
  • the images of the flow of first images are in a raw format.
  • the method comprises a further step of generating, by the second processor, starting from the flow of input data, a flow of second images.
  • the images of the flow of second images are in a raw format.
  • the method comprises a step of converting, by the first processor and the second processor, the respective images from the raw format to a standard format.
  • the method may comprise a step of checking, by the first processor and the second processor, for each pair of images formed by a first image of the flow of first images and by a corresponding second image of the flow of second images, that the first and the second images are consistent with each other.
  • the method may comprise a step of enabling the transmission of a flow of output images, by the calculation terminal, obtained starting from the flow of first or second images.
  • the step of checking the first and second images of each pair of images may be performed on the images in raw format or in standard format.
  • the first and second processors execute applications which comply with the requirements specified for the maximum levels of safety integrity for safety-critical applications and defined by CENELEC EN 50128 (that is, SIL4) without the need to use commercial graphics libraries for generation of the images.
  • the first processor and the second processor generate (that is, the method comprises a step of generating, by the first processor and the second processor), respectively, a flow of first images and a flow of second images starting from the flow of input data, by applications which comply with the requirements specified for maximum safety levels (that is, SIL4).
  • the computer terminal includes a bi-directional communication channel between the first processor and the second processor, and the method may comprise a step of sharing information between the first processor and the second processor, through the bi-directional channel.
  • the method may comprise a step of checking, by the first and the second processors, a respective pair of images.
  • the method may also comprise a step of generating, by the first and the second processor, a first check signal and a second check signal, respectively, each check signal representing a consistency of the respective pair of images.
  • the method comprises a step of preparing management instructions, the step of preparing instructions including a step of preparing a graphical data structure.
  • the step of preparing the graphical data structure may comprise a step of providing a reference image for the railway transportation plant.
  • the reference image includes symbols positioned according to a configuration of the railway transportation plant, the symbols belonging to a plurality of predetermined symbols.
  • the step of preparing the graphical data structure may comprise a step of scanning a reference image to identify the symbols included.
  • the step of preparing the graphical data structure may comprise a step of generating the graphical data structure including a plurality of graphical data records, as a function of the symbols identified by the scanning and of an arrangement of the symbols identified in the reference image.
• the method may comprise a step of checking the correctness of the graphical data structure, to guarantee a predetermined level of safety integrity.
  • the method may include a step of loading management instructions and the graphical data structure in a calculation terminal, the calculation terminal being a component compliant with predetermined safety integrity requirements.
  • the method comprises a step of deriving, by the first and the second processor, starting from the first image and from the second image, respectively, a corresponding first signature and second signature.
  • the method comprises a step of sharing information between the first and the second processor, the step including the sharing of the first and the second signature, for each pair of images.
  • the method comprises a step of interrupting, by a watchdog circuit, for example in accordance with the requirements specified for the maximum levels of safety integrity as required for safety-critical applications by CENELEC EN 50128 and EN 50129 (that is, SIL4), the transmission of the flow of output images.
  • the method comprises a step of interrupting, by a watchdog circuit, the transmission of the flow of output images in response to a negative outcome of the check.
  • the method may comprise a step for receiving, at the watchdog circuit, a first check signal and a second check signal and a step of interrupting the transmission of the flow of output images in response to a negative outcome of the check of the pair of images, that is, in response to at least one between the first check signal and the second check signal being negative, that is to say, displaying a negative outcome of the check of the pair of images by the first processor or by the second processor.
• the method comprises preparing a transfer server providing a protected workspace, that is to say, an environment in which communications to and from the operator terminal are carried out in a secure manner and protected from intrusions; this is preferable when the operator terminal includes a COTS device.
• the transfer server is made in accordance with security requirements that ensure the security characteristics required by the NIS-2016/1148 regulations (Directive (EU) 2016/1148).
• the method may comprise a step of encrypting and, optionally, also compressing, for example by the calculation terminal, each image of the flow of output images.
• the method may comprise a step of transferring, by the calculation terminal, the flow of output images, for example to the transfer server.
• the method may comprise a step of decrypting and, where compression was applied, decompressing, by the transfer server, each image of the flow of output images.
  • the method may comprise preparing a COTS operator terminal, for example operatively connected to the transfer server, through a communication connection, available at least temporarily, that is, available at least for a time necessary for completion of a working session.
• the COTS operator terminal may be configured to connect to the transfer server by means of a network authentication procedure, in which an operator enters access credentials (a user name and a password).
  • the method may comprise a step of network authentication, by a management server.
  • the network authentication may comprise a step of receiving access credentials coming from the operator terminal and a step of checking the credentials for enabling the communication connection between the operator terminal and the transfer server at least for the time necessary for completion of a work session.
  • the method may comprise a step of feeding the flow of output images to the COTS operator terminal, by the transfer server.
  • the method may comprise a step of displaying, by the COTS operator terminal, each image of the flow of output images.
  • the method comprises a step, executed by an operator terminal, for controlling the plant or parts of the railway transportation plant.
  • the method may comprise a step of sending a control signal by the operator terminal.
  • the operator terminal may be a COTS operator terminal, for example a tablet or a computer.
  • the method may comprise a step of receiving, by the calculation terminal, a control signal from a COTS operator terminal.
  • the method may include a step of generating a one-time password by the calculation terminal, in response to the control signal.
  • the method may comprise a further step of generating a request signal for the COTS operator terminal, by the calculation terminal, that is to say, a signal requesting an insertion of the one-time password by an operator.
• the method may comprise a step of receiving the one-time password at the COTS operator terminal, and a step of returning the one-time password to the calculation terminal in response to the request signal for insertion of the one-time password sent by the calculation terminal. Preferably, the method comprises a further step, by the calculation terminal, of checking that the one-time password it generated (that is to say, the one-time password transmitted from the calculation terminal to the COTS operator terminal) and the one-time password returned by the COTS operator terminal are consistent with each other. The method may also comprise a step, executed by the calculation terminal, of transmitting the control signal to the command and control platform in the case of a positive outcome of said check.
  • the method comprises a step, by means of the calculation terminal, for receiving a control signal from the COTS operator terminal.
  • the method may comprise steps, by means of the COTS operator terminal, for generating and transmitting the control signal to the calculation terminal, for generating and transmitting, to the calculation terminal, a signal for confirming the command by an operator, and, by means of the calculation terminal, the steps of receiving the signal for confirming the command by the operator and transmitting the control signal to the command and control platform, upon receiving said confirmation signal.
• the transmission of the signal confirming the control signal occurs by means of the transfer server, relying on the security functions offered by the protected workspace.
• the system according to the invention complies with the most stringent requirements for safety-critical and secure applications, and allows the following aims to be achieved:
• a secure platform, preferably compliant with NIS-2016/1148, which controls access, routes traffic towards the control platform of the railway transportation plant, decodes (decrypts) and decompresses the images, and handles any other type of communication from and to the terminal;
• a particularly high Safety Integrity Level, thanks also to the architecture of the calculation terminal, which preferably conforms to the requirements of the CENELEC EN 50128 and EN 50129 standards; a further contribution to maintaining a high Safety Integrity Level is that the image is encrypted by the calculation terminal before transmission and decrypted only on the operator side;
• the system according to the invention may also be used in industrial applications other than railway applications, in which a generic operator interface terminal must be controlled safely from a remote location.
  • the numeral 1 in the accompanying drawings denotes a system for displaying a status of a railway transportation plant.
  • the system 1 comprises a command and control platform 10 and a calculation terminal 2.
  • the computer terminal 2 complies with the requirements specified for the maximum levels of safety integrity as required for safety-critical applications, according to CENELEC EN 50128 and EN 50129 regulations.
  • the command and control platform 10 is configured to provide a flow of input data 100 to the calculation terminal 2.
  • the command and control platform 10 is connected to the calculation terminal 2 for example by a closed network, for example a LAN network.
  • the flow of input data 100 represents the status of the railway transportation plant or parts of the railway transportation plant, that is to say, railway bodies such as, for example, signals, points, track circuits, level crossings and others.
  • the flow of input data 100 includes a plurality of data series. Each data series of the plurality of data series represents the status of the railway transportation plant or parts of it at the same instant.
  • the calculation terminal 2 is configured for receiving the flow of input data 100 from the command and control platform 10.
  • the calculation terminal 2 is configured for generating, starting from the flow of input data 100, a flow of first images 201A.
  • each first image 201A of the flow of first images 201A is generated starting from a respective data series of the plurality of data series.
  • the calculation terminal 2 is also configured for generating, starting from the flow of input data 100, a flow of second images 201B.
  • each second image 201B of the flow of second images 201B is generated starting from a respective data series of the plurality of data series. Therefore, starting from each data series of the plurality of data series, the calculation terminal 2 is programmed for generating a first image 201A, forming, in this way, a corresponding flow of first images 201A. Similarly, starting from each data series of the plurality of data series, the calculation terminal 2 is programmed for generating a second image 201B, forming, in this way, a corresponding flow of second images 201B.
  • the calculation terminal 2 includes a first processor 200A and a second processor 200B.
  • the first processor 200A is programmed for generating, starting from the flow of input data 100 to the calculation terminal 2, a flow of first images 201A.
  • the second processor 200B is programmed for generating, starting from the flow of input data 100 to the calculation terminal 2, a flow of second images 201B.
  • the first processor 200A and the second processor 200B are programmed for generating, in parallel, the flow of first images 201A and the flow of second images 201B, respectively.
  • the first processor 200A is programmed for generating an image starting from a data series of the plurality of the data series of the flow of input data 100, forming, in this way, the corresponding flow of first images 201A.
• the second processor 200B is programmed for generating an image starting from a data series of the plurality of data series of the flow of input data 100, forming, in this way, the corresponding flow of second images 201B.
• the first processor 200A and the second processor 200B are programmed to execute applications which comply with the requirements specified for the maximum levels of safety integrity for safety-critical applications, according to CENELEC EN 50128, without the need to use commercial graphics libraries and, preferably, under the supervision of a real-time operating system.
  • the real-time operating system may comply with the requirements specified for the maximum levels of safety integrity for safety-critical applications according to CENELEC EN 50128 regulations.
  • the first processor 200A and the second processor 200B are programmed for generating the respective images (that is, the first images 201A of the flow of first images 201A and the second images 201B of the flow of second images 201B, respectively) in a raw format and to convert each image from the raw format to a predetermined standard format, for example, to the jpeg, gif, png or bitmap formats.
  • the first processor 200A is programmed to derive, starting from each image of the flow of first images 201A, a corresponding flow of first signatures 202A.
  • the second processor 200B is programmed for deriving, starting from each image of the flow of second images 201B, a corresponding flow of second signatures 202B.
  • each signature of the flow of first signatures 202A and of the flow of second signatures 202B is derived by applying, to each image of the flow of first images 201A and of the flow of second images 201B, a same function, for example a HASH function.
  • the computer terminal 2 includes a bi-directional channel 203, which connects together the first processor 200A and the second processor 200B.
• the bi-directional channel 203 forms an inter-process communication (IPC) channel to allow the sharing of information between the first processor 200A and the second processor 200B.
  • the first processor 200A and the second processor 200B exchange, that is, share with each other, respectively, the stream of first signatures 202A and the stream of second signatures 202B.
  • Each processor of the pair consisting of the first processor 200A and the second processor 200B is programmed to check the consistency of each pair of images, comparing each first signature 202A of the flow of first signatures 202A with a corresponding second signature 202B of the flow of second signatures 202B.
  • the first processor 200A is programmed to generate a first check signal 204A, representing the consistency of a first signature 202A with a corresponding second signature 202B, that is to say, a first signature 202A derived starting from a first image 201A of the flow of first images 201A and a corresponding second signature 202B derived starting from a second image 201B of the flow of second images 201B.
  • the first processor 200A is programmed for generating a first check signal 204A for each pair of images of the flow of pairs of images, in such a way as to generate a corresponding flow of first check signals 204A.
  • the second processor 200B is programmed to generate a second check signal 204B, representing the consistency of a first signature 202A with a corresponding second signature 202B, that is to say, a first signature 202A derived starting from a first image 201A of the flow of first images 201A and a corresponding second signature 202B derived starting from a second image 201B of the flow of second images 201B.
  • the second processor 200B is programmed to generate a second check signal 204B for each pair of images of the flow of pairs of images, in such a way as to generate a corresponding flow of second check signals 204B.
  • the calculation terminal 2 includes a watchdog circuit 205.
  • the watchdog circuit 205 is preferably made according to the requirements specified for the maximum levels of safety integrity, as required for safety-critical applications according to CENELEC EN 50128 and EN 50129 regulations.
  • the watchdog circuit 205 is connected to the first processor 200A and to the second processor 200B for receiving each first check signal 204A of the flow of first check signals 204A from the first processor 200A and the second check signal 204B of the flow of second check signals 204B from the second processor 200B.
  • each check signal of the first check signal 204A and of the second check signal 204B may have a positive outcome, in response to a positive outcome of the consistency of a pair of images, that is, in response to a positive outcome of the consistency of a pair of signatures, the pair of signatures being formed by a first signature 202A and a corresponding second signature 202B.
• each check signal of the first check signal 204A and of the second check signal 204B may have a negative outcome, in response to a negative outcome of the consistency check of the pair of images.
  • the calculation terminal 2 is configured for transmitting, starting from the flow of first images 201A or from the flow of second images 201B, a flow of output images 206. If at least one check signal between the first check signal 204A generated by the first processor 200A and the second check signal 204B generated by the second processor 200B has a negative outcome, the watchdog circuit 205 is programmed to interrupt the transmission of the flow of output images 206 by the calculation terminal 2.
  • the system 1 comprises an operator terminal 3.
  • the operator terminal 3 may be a fixed terminal, such as, for example, a computer, or a mobile terminal, that is to say a mobile device, such as, for example, a tablet.
• the operator terminal includes a screen 300 for displaying the flow of output images 206.
  • the operator terminal 3 may be a COTS operator terminal.
  • the system 1 comprises a transfer server 4.
  • the transfer server 4 is connected to the calculation terminal 2 and to the COTS operator terminal 3.
  • the transfer server 4 is designed to provide a protected workspace, that is to say, an environment in which the communications between the calculation terminal 2 and the COTS operator terminal 3 are carried out in a secure manner and protected from intrusion.
• the protected workspace, that is to say, the transfer server, according to an example complies with the security requirements specified by NIS-2016/1148.
  • the transfer server 4 is a network server.
  • the calculation terminal 2 is configured for encrypting and for compressing each image of the flow of output images 206; the calculation terminal 2 is configured for transmitting the flow of encrypted and compressed output images 206 to the transfer server 4.
  • the transfer server 4 is configured for decrypting and decompressing the flow of output images 206 received from the computer terminal 2.
  • the transfer server 4 is configured to make the flow of output images 206 available to the COTS operator terminal 3.
  • the network server is configured for decrypting and decompressing the stream of output images 206 and generating a web page containing each image of the output images 206.
  • the network server is also configured for transmitting the web page to the COTS operator terminal 3 to be displayed on the screen 300 of the COTS operator terminal 3.
  • the operator terminal 3 includes a control system 301, configured for controlling the railway transportation plant or parts of the railway transportation plant.
• if the operator terminal 3 is a mobile operator terminal, for example a tablet, the control system 301 can include a keyboard 302, through which the operator can interact to generate a control signal.
  • the operator terminal 3 may be a fixed operator terminal, for example a computer, and the control system 301 can include a keyboard 302 and a mouse 303, through which the operator can interact to communicate with the operator terminal 3.
  • the operator terminal 3 is connected to the calculation terminal 2 and comprises a control system 301 for sending a control signal 304 to the calculation terminal 2.
  • the terminal 2 may be configured for receiving the control signal 304 from the operator terminal 3 and generating, in response to the control signal 304, a one-time password 306.
  • the calculation terminal 2 may also be configured to generate a signal 307 requesting an insertion of the one-time password 306 for the operator terminal 3, that is to say, a signal requesting an insertion of the one-time password 306 by an operator to the operator terminal 3.
• the operator terminal 3 is configured to receive from the calculation terminal 2 the signal 307 requesting the insertion of the one-time password 306.
  • the operator terminal 3 is configured to return the one-time password to the calculation terminal 2, in response to the request signal 307 for inserting the one-time password 306 by the calculation terminal 2.
  • the transmission of the one-time password 306 from the calculation terminal 2 to the operator terminal 3 occurs using a communication channel different from the communication channel in which there is the transmission of the flow of output images 206 from the calculation terminal 2 to the operator terminal 3.
  • the system 1 may comprise a personal mobile device 308, for example a smartphone supplied to the operator.
  • the personal mobile device 308 is connected to the calculation terminal 2 for transmitting the one-time password 306.
  • the return of the one-time password 306 from the operator terminal 3 to the calculation terminal 2 occurs by means of a communication channel between the operator terminal 3 and the calculation terminal 2.
• the calculation terminal 2 is configured to check that the one-time password 306 generated by the calculation terminal 2, that is to say, the one-time password 306 transmitted by the calculation terminal 2 to the personal mobile device 308, on which the operator reads it, and the one-time password 306 entered by the operator and then returned by the operator terminal 3 to the calculation terminal 2 are consistent with each other. If the check has a positive outcome, that is, if the password transmitted and the password returned are consistent with each other, the calculation terminal 2 is configured for transmitting, that is to say, forwarding, the control signal 304 to the command and control platform 10.
  • the COTS operator terminal 3 is programmed for generating and transmitting to the calculation terminal 2, in addition to the control signal 304, a signal for confirmation of the command by the operator and the calculation terminal 2 is further programmed for receiving the control confirmation signal from the operator and for transmitting the control signal 304 to the command and control platform 10, upon receiving the control confirmation signal.
  • the command and control platform 10 comprises a stage of:
  • the calculation terminal 2 comprises the following stages:
  • the operator terminal 3 comprises the following stages:
  • the system 1 comprises a transfer server 4, the calculation terminal 2 comprises a further stage of:
  • the invention also provides a method for displaying a status of a railway transportation plant. This method is preferably implemented in a system 1 to represent the status of a railway transportation plant, according to one or more features described above.
  • the method for displaying the status of a railway transportation plant comprises the following steps, which can be performed in sequence (illustrated by way of example in Figures 5-7 ).
  • a command and control platform 10 and a computer terminal 2 in accordance with the requirements for the maximum levels of safety integrity for safety-critical applications and defined by CENELEC EN 50128 and EN 50129, the computer terminal 2 including a first processor 200A and a second processor 200B.
  • a flow of input data 100 representing the status of the railway transportation plant and transmission, preferably through a closed network, for example a LAN network, of the flow of input data 100, by the command and control platform 10.
• A1 Receiving, by the calculation terminal 2, the flow of input data 100, and receiving, by each of the first processor 200A and the second processor 200B, the flow of input data 100. Generating, in parallel, by the first processor 200A and the second processor 200B, starting from the flow of input data 100, a flow of first images 201A and a flow of second images 201B, respectively, in raw format. Converting, by the first processor 200A and the second processor 200B, the respective images from the raw format to a standard format, such as jpeg, gif, png or bitmap.
• the flow of first signatures 202A and the flow of second signatures 202B are derived by applying, to each image of the flow of first images 201A and of the flow of second images 201B, the same function, for example a HASH function.
  • A3 Exchanging, that is to say, sharing, between the first processor 200A and the second processor 200B, through a bi-directional communication channel 203, respectively, the stream of first signatures 202A and the stream of second signatures 202B.
  • A4 Checking the consistency, by the first processor 200A and the second processor 200B, of each pair of images by comparing each first signature 202A of the first flow of first signatures 202A with a corresponding second signature 202B of the flow of second signatures 202B. Generating, respectively, by the first processor 200A and the second processor 200B, a first check signal 204A and a second check signal 204B, respectively, for each pair of images of the flow of pairs of images, in such a way as to generate a corresponding flow of first check signals 204A and second check signals 204B.
  • the first check signal 204A and the second check signal 204B each represent the consistency of a first signature 202A with a corresponding second signature 202B, that is to say, a first signature 202A derived from a first image 201A of the flow of first images 201A and a second signature 202B derived from a corresponding second image 201B of the flow of second images 201B.
  • the method comprises the following further steps:
  • the method comprises the following steps:
  • the method includes a step of receiving, at the calculation terminal (2), the control signal (304) generated and transmitted by the COTS operator terminal (3); the method also comprises a step of generating and transmitting, to the calculation terminal (2), a signal confirming the command from an operator; the calculation terminal (2) receives the control confirmation signal and transmits the control signal (304), upon receiving the control confirmation signal.
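The two-channel image check and watchdog gate described above (steps A1 to A4 and the watchdog circuit 205) as an added worked example; this is not code from the patent or from its applicant. Two independent channels render a raw image from the same data series, hash it, exchange the signatures over the bi-directional channel, and each emit a check signal; the watchdog enables the output frame only when both check signals are positive, so a single faulty channel, even one whose comparator is stuck at "positive", cannot unblock a display that is inconsistent with the plant state. The glyph table, the one-row "raw image" layout, the fault hooks and SHA-256 as the hash function are assumptions made for this example.

```python
"""Two-out-of-two image consistency check gated by a watchdog.

Added example, not code from EP4234359A1 or from its applicant. It models
the calculation terminal described above: two independent channels each
render a raw image from the same data series, hash it, exchange the
signatures and emit a check signal; a watchdog enables the output frame
only when both check signals are positive. The symbol table, the 'raw'
one-row image layout and the fault hooks are assumptions of this example.
"""
import hashlib
from typing import Callable, Optional

# Constructed glyph table: (element kind, state) -> one byte of raw image.
GLYPHS = {
    ("signal", "red"): b"R", ("signal", "green"): b"G",
    ("point", "normal"): b"N", ("point", "reverse"): b"V",
    ("track_circuit", "free"): b"-", ("track_circuit", "occupied"): b"#",
}
WIDTH = 8  # columns of the toy raw image


def render_raw(data_series) -> bytes:
    """Render one data series, a list of (element_id, kind, state, column),
    into a raw image buffer without any graphics library."""
    row = bytearray(b"." * WIDTH)
    for _element_id, kind, state, column in data_series:
        row[column] = GLYPHS[(kind, state)][0]
    return bytes(row)


def signature(raw_image: bytes) -> bytes:
    """Same function on both channels (the page calls it a HASH function).
    Hash the raw buffer: a lossy standard format such as jpeg is not
    bit-identical across independent encoders and would cause spurious
    negative checks."""
    return hashlib.sha256(raw_image).digest()


class Channel:
    """One processor of the pair (200A or 200B)."""

    def __init__(self, name: str,
                 fault: Optional[Callable[[bytes], bytes]] = None,
                 stuck_positive: bool = False):
        self.name = name
        self.fault = fault                    # test hook: corrupt own image
        self.stuck_positive = stuck_positive  # test hook: broken comparator

    def produce(self, data_series):
        image = render_raw(data_series)
        if self.fault is not None:
            image = self.fault(image)
        return image, signature(image)

    def check(self, own_sig: bytes, peer_sig: bytes) -> bool:
        """Check signal for one image pair: positive only on equal signatures."""
        if self.stuck_positive:
            return True
        return own_sig == peer_sig


class Watchdog:
    """Enables transmission only on two explicit positive check signals;
    a negative, missing or malformed signal disables the output frame."""

    @staticmethod
    def gate(frame: bytes, check_a, check_b) -> Optional[bytes]:
        if check_a is True and check_b is True:
            return frame
        return None


def process_series(data_series, chan_a: Channel, chan_b: Channel):
    """One data series through both channels; returns
    (output frame or None, (check_a, check_b))."""
    image_a, sig_a = chan_a.produce(data_series)
    _image_b, sig_b = chan_b.produce(data_series)
    # Exchange of signatures over the bi-directional channel, modelled as
    # direct parameter passing.
    check_a = chan_a.check(sig_a, sig_b)
    check_b = chan_b.check(sig_b, sig_a)
    return Watchdog.gate(image_a, check_a, check_b), (check_a, check_b)


def process_stream(flow, chan_a: Channel, chan_b: Channel):
    """Flow of data series -> list of output frames (None where disabled)."""
    return [process_series(series, chan_a, chan_b)[0] for series in flow]


# Constructed input: one data series describing the plant state.
SERIES = [("S1", "signal", "red", 0),
          ("P7", "point", "normal", 3),
          ("TC2", "track_circuit", "free", 6)]

if __name__ == "__main__":
    print(process_series(SERIES, Channel("A"), Channel("B")))
    stuck_green = Channel("B", fault=lambda img: img.replace(b"R", b"G"))
    print(process_series(SERIES, Channel("A"), stuck_green))
```

The watchdog treats anything other than two explicit positives as negative, which is the fail-safe default a practitioner wants: a channel that crashes and sends nothing, or a comparator that returns garbage, blocks the frame rather than letting a stale or wrong picture through. Signatures are taken on the raw buffers; if the check is instead performed on the standard-format images (the page allows either), both channels must use a bit-deterministic lossless encoder, otherwise every frame would fail the check.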
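The one-time-password confirmation of a control signal described above (control signal 304, one-time password 306 delivered to the personal mobile device 308, request signal 307, and forwarding to the command and control platform 10 only on a consistent match) as an added worked example; this is not code from the patent or from its applicant. Beyond what the text states, the example adds the hardening a practitioner would expect and marks it as an assumption: the password is bound to the exact command bytes, so a password read for one command cannot confirm a different one; it is single-use; it expires; wrong entries are bounded; and the comparison is constant-time. Names, the six-digit format, the time-to-live and the attempt limit are all assumptions of this example.

```python
"""Out-of-band one-time-password confirmation of a control command.

Added example, not code from EP4234359A1 or from its applicant. It models
the confirmation flow described above: the operator terminal sends a
control signal; the calculation terminal generates a one-time password,
delivers it over a second channel (the operator's personal mobile device)
and asks the operator terminal to return it; the command is forwarded to
the command and control platform only if the returned value matches.
Assumptions added here beyond the text: the OTP is bound to the exact
command bytes, is single-use, expires, tolerates a bounded number of
attempts and is compared in constant time.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6       # assumption: numeric code the operator can read and type
OTP_TTL_S = 60.0     # assumption: validity window in seconds
MAX_ATTEMPTS = 3     # assumption: wrong entries before the request is dropped


@dataclass
class PendingCommand:
    command: bytes
    otp: str
    issued_at: float
    attempts: int = 0


class CalculationTerminal:
    """Command path of the calculation terminal (2); the image path is not modelled."""

    def __init__(self,
                 platform_sink: Callable[[bytes], None],
                 mobile_sink: Callable[[str, str], None],
                 clock: Callable[[], float] = time.monotonic):
        self.platform_sink = platform_sink  # towards the command and control platform (10)
        self.mobile_sink = mobile_sink      # out-of-band channel to the personal device (308)
        self.clock = clock
        self.pending: Dict[str, PendingCommand] = {}

    def receive_control_signal(self, command: bytes) -> str:
        """Control signal (304) in; OTP (306) goes out-of-band; the returned
        request id plays the role of the request signal (307)."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        request_id = secrets.token_hex(8)
        self.pending[request_id] = PendingCommand(command, otp, self.clock())
        self.mobile_sink(request_id, otp)   # never on the image/command channel
        return request_id

    def receive_otp(self, request_id: str, command: bytes, entered: str) -> bool:
        """Returned OTP in; forward the command only on a consistent match."""
        pend = self.pending.get(request_id)
        if pend is None:                     # unknown, already used, or dropped
            return False
        if self.clock() - pend.issued_at > OTP_TTL_S:
            del self.pending[request_id]     # expired: fail closed
            return False
        pend.attempts += 1
        otp_ok = hmac.compare_digest(pend.otp.encode(), entered.encode())
        cmd_ok = hmac.compare_digest(pend.command, command)  # binding (assumption)
        ok = otp_ok and cmd_ok
        if ok or pend.attempts >= MAX_ATTEMPTS:
            del self.pending[request_id]     # single use either way
        if ok:
            self.platform_sink(command)      # forward to the platform
        return ok


def demo() -> dict:
    """Run the exchange with a constructed operator terminal and personal device."""
    forwarded, mailbox, clock = [], {}, [1000.0]
    terminal = CalculationTerminal(forwarded.append,
                                   lambda rid, otp: mailbox.__setitem__(rid, otp),
                                   clock=lambda: clock[0])
    command = b"SET POINT P7 REVERSE"        # constructed control signal
    results = {}
    rid = terminal.receive_control_signal(command)
    otp = mailbox[rid]                       # operator reads it on the phone
    wrong = "000000" if otp != "000000" else "000001"
    results["wrong_otp"] = terminal.receive_otp(rid, command, wrong)
    results["swapped_command"] = terminal.receive_otp(rid, b"SET POINT P7 NORMAL", otp)
    results["correct"] = terminal.receive_otp(rid, command, otp)
    results["replay"] = terminal.receive_otp(rid, command, otp)
    results["forwarded"] = list(forwarded)
    rid2 = terminal.receive_control_signal(command)
    clock[0] += OTP_TTL_S + 1                # let the second request expire
    results["expired"] = terminal.receive_otp(rid2, command, mailbox[rid2])
    return results


if __name__ == "__main__":
    print(demo())
```

The binding of the password to the command bytes matters because the COTS operator terminal is the least trusted element of the system: without it, malware on the tablet could substitute a different command while the operator confirms the one displayed. The separate delivery channel for the password is what the page requires in any case; the example keeps it as a distinct sink so that compromise of the image channel alone does not reveal the password.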
EP23158266.9A 2022-02-24 2023-02-23 System und verfahren zur anzeige des zustands einer eisenbahntransportanlage Pending EP4234359A1 (de)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
IT202200003482 2022-02-24

Publications (1)

Publication Number Publication Date
EP4234359A1 true EP4234359A1 (de) 2023-08-30

Family

ID=81648662

Family Applications (1)

Application Number Title Priority Date Filing Date
EP23158266.9A Pending EP4234359A1 (de) 2022-02-24 2023-02-23 System und verfahren zur anzeige des zustands einer eisenbahntransportanlage

Country Status (1)

Country Link
EP (1) EP4234359A1 (de)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL72348A (en) * 1983-07-06 1987-10-20 Int Standard Electric Corp Fail-safe controller for a visual display unit
DE4432419A1 (de) 1994-09-02 1996-03-07 Siemens Ag Verfahren zum Behandeln freigabepflichtiger Kommandos und Einrichtung zur Durchführung des Verfahrens
EP0970869B1 (de) 1998-07-10 2006-03-22 Alcatel Verfahren zur sicheren Anzeige des Zustandes einer signaltechnischen Anlage
WO2012025406A1 (de) * 2010-08-27 2012-03-01 Siemens Aktiengesellschaft Vorrichtung zur graphischen visualisierung von systemzuständen
EP3438828B1 (de) 2017-08-03 2019-12-11 Hitachi Rail Sts S.P.A. Verfahren und system zur fernsteuerung von mensch-maschine-schnittstellen


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Railway applications - Communication, signalling and processing systems - Safety related communication in transmission systems", IEC 62280:2014, IEC, 3, RUE DE VAREMBÉ, PO BOX 131, CH-1211 GENEVA 20, SWITZERLAND, 6 February 2014 (2014-02-06), pages 1 - 132, XP082001126 *

Similar Documents

Publication Publication Date Title
CN101901318B (zh) A trusted hardware device and method for using it
CN100504740C (zh) Remote control method, device and computer switch
US11088997B2 (en) Secure communication method and apparatus for vehicle, multimedia system for vehicle, and vehicle
CN107430657A (zh) Authentication via a proxy
CN102769846A (zh) A user terminal and payment system
US11159329B2 (en) Collaborative operating system
CN105659646A (zh) Mobile device authentication
US11652640B2 (en) Systems and methods for out-of-band authenticity verification of mobile applications
CN110225038B (zh) Method, device and system for industrial information security
CN111586021A (zh) A remote-office service authorisation method, terminal and system
CN113904856B (zh) Authentication method, switch and authentication system
CN109214166A (zh) Smart device authorisation control method and system
CN104899500A (zh) An elevator user permission management system and method
KR20180096887A (ko) Method for generating a periodically changing dynamic code and method for authenticating such a dynamic code
EP4234359A1 (de) System and method for displaying the state of a railway transport installation
CN110349316A (zh) A visitor access control system and control method
CN104834874A (zh) Establishing physical locality between secure execution environments
CN112217636B (zh) Blockchain-based data processing method, device, computer equipment and medium
CN103824014A (zh) Isolation authentication and monitoring method for USB port devices within a local area network
KR102613714B1 (ko) Instrumentation and control device, method and system interfacing with nuclear power plant safety systems, applying communication encryption and a cyber detection engine
CN116881936A (zh) Trusted computing method and related device
EP2879008B1 (de) Method for handling a safety-critical command in a computer network
CN113949728B (zh) Method for synchronising devices across different platforms, first platform and second platform
CN116032546A (zh) A resource access method, device and electronic equipment
CN105374088A (zh) Control method and device for preventing active misoperation of substation equipment

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC ME MK MT NL NO PL PT RO RS SE SI SK SM TR

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20240222

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC ME MK MT NL NO PL PT RO RS SE SI SK SM TR