ES2795015T3 - Server device that operates a software for controlling a function of a rail transport protection system - Google Patents

Abstract

Server device (1; 30) that operates a software for the control of a function of a rail transport protection system, operating the software (11, 12, 13; 31, 32, 33) physically separated from each other at least two processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) whose results are compared with each other to control the function, characterized in that the software (11 , 12, 13; 31, 32, 33) is operated at a virtual operating level of the server device (1; 30), because the server device (1; 30) comprises at least two server clusters (SC1, SC2 , SC3) physically separated from each other, each of the server clusters (SC1, SC2, SC3) of the server device (1; 30) comprising at least two individual servers (SRV-1-1, SRV-1-2, SRV-2-1, SRV-2-2, SRV-3-1, SRV-3-2) that allow process migration (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c ; 33a-33c) to each other in the event of an indi server failure vidual (SRV-1-1, SRV-1-2, SRV-2-1, SRV-2-2, SRV-3-1, SRV-3-2), executing the at least two processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) in virtual machines (VMs), and because the software (11, 12, 13; 31, 32, 33) comprises at least two parts that are installed in different server clusters of the at least two server clusters (SC1, SC2, SC3) so that the at least two processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) are operated on clusters of servers different from the al least two server clusters (SC1, SC2, SC3).

Description

DESCRIPTION

Server device that operates a software for controlling a function of a rail transport protection system

The invention relates to a server device that operates a software for controlling a function of a rail transport protection system,

operating the software at least two processes physically separated from each other whose results are compared with each other to perform the function control.

Rail transport protection systems, in particular interlocking posts and train protection systems, are increasingly being automated by computers. In this regard, a high level of reliability, availability, ease of maintenance and personal safety (the so-called RAMS requirements; Reliability Availability Maintainability Safety) must be guaranteed. Whereas, as a rule, software errors (programming errors) can be discovered and eliminated by proper planning and review of test scenarios up to commissioning, hardware errors (in particular the failure of individual constructional components, for example example, transistors) can be produced in principle at any time during operation. Hardware errors of this type must be discovered in time so that there is no risk for persons (locomotive drivers, passengers) in the protection of rail transport and preferably also for valuable equipment (locomotives, wagons) or cargo .

Therefore, in safety-relevant applications in transport protection systems, multi-channel processing and a review of safety-relevant components is usually carried out, see, for example, M. Schafer, F. Schneider, "Standardisierte Bedienoberflachen für Bahnsteuerungssysteme ", Signal Draht (98), 9-2006, pages 50-52.

In multi-channel processing, several processes of the same type are operated in parallel physically separated from each other, that is, with different hardware, and the results are compared with each other. If the results coincide, it can be assumed that the hardware involved is working correctly. In the event of an error in the hardware involved, a divergence of the results occurs, which can be detected by comparing them. The application can then take appropriate safety measures, for example, preventively put signals on "stop".

Software in the field of rail transport protection systems is usually installed in individual devices where the physical separation of processes can be well ensured. For this, the software and the device architecture are appropriately matched to each other.

In the case of computers with so-called multi-core processors it is possible to cause a fixed allocation of individual processors to computer resources by suitable scheduling. With regard to programming in Linux, the use of so-called "cgroups" has proven to be efficient, see the English Wikipedia entry "cgroups" of 3/31/2016. Correspondingly, for processes whose results are to be compared, different processor cores can be assigned (the so-called "core binding"), whereby the physical separation of the processes can be ensured.

By means of application virtualization, you can forego providing individual appliances in many cases. Also, software development and integration are simplified. For example, the virtualization of a train control system has been proposed in WO 2015/126529 A1.

Furthermore, by virtualizing a server cluster from several individual servers, it is possible to migrate processes to another individual server in the event of a single server failure, thereby improving the availability of an application.

However, in the case of a software operation on a virtualized operational level of a server cluster, individual processes operated by the software can no longer be assigned to certain computer resources; in particular, the individual processes are assigned in a fundamentally random way to one of the individual computers. Then there is the risk (statistically relevant) that several processes, whose results must be compared with each other, are executed on the same hardware so that a hardware error of this hardware generates the same erroneous calculations in these various processes and, in such a way corresponding, the hardware error can no longer be found by comparing the process results. In this case, operational safety in the rail transport protection system is no longer guaranteed.

Document EP 1085415 A2, which is considered the closest state of the art, discloses a program module and a method to increase the security of a software-controlled system, in particular of an electronic interlocking station for the technique of railway signaling. In the exemplary embodiment of FIG. 4 thereof, a set of computers is used, made up of computers R8, R9, R10, R11 and a comparator V3. Computers R8 and R9 are connected in series and computers R10 and R11 are connected in series. In this regard, computers R10 and R11 are connected in parallel to computers R8 and R9. In computers R8 and R10, the first program part of a program module is installed in each case, and in computers R9 and R11 the second program part of the program module is installed in each case. Both R8 and R10 computers receive the same input data. The output data from computers R9 and R11 is checked by comparator V3; only if the output data from computers R9 and R11 match is a travel path released.

US 2003/0018927 A1 describes a high availability cluster server system. The cluster comprises multiple physical servers / individual servers referred to as "nodes". Each node runs one or more software programs referred to as "virtual server". If a node fails, an affected virtual server is transferred to another node.

Object of the invention

The invention is based on the aim of providing a server device in which an improved availability of a software application can be guaranteed with a high operational safety of rail traffic at the same time.

Brief description of the invention

This objective is achieved by means of a server device of the type mentioned at the beginning with the characteristics of claim 1 which is characterized in that the software is operated at a virtual operating level of the server device,

because the server device comprises at least two clusters of servers physically separated from each other, each of the server clusters of the server device comprising at least two individual servers that allow a migration of processes between them in the event of a failure of an individual server, with at least two processes running on virtual machines,

and because the software comprises at least two parts that are installed on different server clusters of the at least two server clusters so that the at least two processes are operated on different server clusters of the at least two server clusters.

On the one hand, the invention allows a software application to access increased availability in server clusters. However, on the other hand, it ensures that processes, whose results must be compared with each other to maintain operational safety, are executed physically separated from each other. To do this, the server appliance, which is used for software operation, is configured with at least two server clusters. Each of the server clusters of the server device comprises at least two individual servers that allow a migration of processes between them in the event of a failure of an individual server (High Availability Cluster). This ensures high availability (operational availability). On the other hand, the software is divided into at least two parts that are spread over the at least two server clusters. In each case a part of the software, and thus one of the processes, is permanently assigned to one of the server clusters. This ensures that the processes, the results of which must be compared with each other, are executed on different server clusters and, therefore, on different hardware. This physical separation of processes ensures that an individual hardware error, causing a wrong result of a process, can be discovered by a comparison with the result of a process of the same type calculated with other hardware (flawless).

The processes, the results of which are compared with each other, can be special verification processes that run in addition to the control function of the software application (for example, calculation of check digits / checksums), or also main processes which are used by themselves for the control function (for example, the calculation of a layout of the tracks). The processes to be compared with each other carry out the same calculation operations in the same order (processes of the same type) to obtain the respective process result. In general, the same process results indicate correct operation of the server device; in general, different process results indicate a failure.

For example, one of the processes, whose results must be compared with each other, is a master process, and a second process is a slave process. If the result of the slave process differs from the previously determined result of the master process, the status of the software application is set to "unsafe" (for example, by the software part of the master process and / or the slave process software and / or an additional piece of software for the comparison process) and no longer trust any of the process results. For example, in an interlocking station application, all affected signals can then be preemptively put to "stop".

By comparing the process results, a safe operation of the server device or the software application and thus also of the controlled function of the rail transport protection system, for example, can be reliably ensured in an electronic interlocking station. Since the processes are assigned in each case strictly to the individual server clusters, the physical separation of the verification mechanisms is ensured at any time. In this regard, The expression "physically separated from each other" refers to a separation of the calculation processes with respect to the hardware used.

Through virtualization it is possible to operate software largely independently of available local hardware. In particular, individual components (such as individual servers within one of the server clusters) can be easily replaced.

Preferred embodiments of the invention

In a preferred embodiment of the server device according to the invention, the software is an interlocking station application. Due to the architecture according to the invention of the server device a high level of security can be ensured, as is usually required for interlocking station applications. Likewise, high availability is advantageous to avoid or minimize delays in the operation of rail traffic.

An improvement in which the software is an application for operating the user interface of a computer controlled interlocking station is especially preferable, in particular with a functionality for connecting mobile operating terminals. For example, the software can be a HIS server application (HIS = human machine interface for interlocking systems), in particular with MPT and / or HHT function (MPT = mobile possession terminal; HHT = hand held terminal). In this application the server architecture according to the invention has proven to be particularly efficient. As processes to be compared or their results can be used in this case calculated schemes of the paths that are indicated in operating terminals, in particular mobile operating terminals (such as tablet computers). Since the user can temporarily take care of the clearance of track sections, in this case a high safety standard should be available that the invention can provide.

An embodiment in which the software is a train protection application is also preferable. Due to the architecture according to the invention of the server device a high level of security can be ensured, as is usually required for interlocking station applications. Train protection applications may include, for example, emergency braking systems when passing "stop" signals.

Furthermore, an embodiment is advantageous in which the software is configured according to Safety Integrity Level 2 (SIL2) or higher. This SIL2 safety level is sufficient for many applications of rail transport protection systems and can be achieved well with the server architecture according to the invention, while increasing availability can be made possible at the same time. The safety integrity level (SIL) is determined according to the EN 61508 standard (in particular the EN 50128 and EN 50129 standards) in the current version of 4/4/2016. The software can be, for example, a HIS server application.

An embodiment in which the software is configured in accordance with safety integrity level 4 (SIL4) is particularly advantageous. In doing so, the software meets the highest security requirements. The SIL4 security level can also be achieved well with the server architecture according to the invention, while an increased availability can be made possible at the same time. The safety integrity level (SIL) is determined according to the EN 61508 standard (in particular the EN 50128 and EN 50129 standards) in the current version of 4/4/2016. For example, the software can be an application of a central radio block (RBC = Radio Block Center) or of an electronic interlocking module (interlocking module), in addition also an application SCM (SCM = safe communication module) or an application FEC (FEC = field element controller).

Furthermore, an embodiment is advantageous in which the software operates exactly two processes that are physically separated from each other on exactly two different server clusters. The configuration of two server clusters for only two processes to be compared with each other (respectively in the case of a respective verification operation) is relatively easy, although it increases security considerably with high availability at the same time.

An alternative advantageous embodiment provides that the server device comprises three clusters of servers physically separated from each other, that the software comprises at least three parts that are installed in server clusters different from the server clusters so that the software operates three processes in different server clusters of the three server clusters and that the results of the processes are evaluated within the framework of a 2 out of 3 decision for the function control of the lane transport protection system. With the decision of 2 out of 3 it is possible to still identify correct process results also in the event of a hardware failure (in this case of a failure in one of the server clusters), which further increases availability.

Also preferable is an embodiment in which the server device operates at least one additional software for controlling an additional function of a rail transport protection system and that the at least one additional software is installed and operated solely on one of the server clusters. He respective additional software is not divided into different parts to be installed on different server clusters; this greatly facilitates the operation of the additional software. Typically, the additional software is configured according to SILO. Typically, in this embodiment, one or more additional software applications are installed and operated in each case on each of the server clusters.

In a preferred development of this embodiment, the at least one additional software comprises one or more of the following software applications:

- a scheduling system, in particular ARAMIS-D;

- a train number and train address management system, in particular ARAMIS-C;

- a data analysis and metric system (business intelligence);

- a system of maintenance of trains (maintenance center);

- a train data recording and control system (checkpoint master node);

- a system for registering and evaluating operational components (service management tool). In practice, these applications harmonize well with the software spread over different server clusters, in particular when it is configured for the operation of a user interface of an interlocking station, for example, with connection for mobile terminals.

Other advantages of the invention appear from the description and the drawing. Likewise, the characteristics mentioned above and developed still further can be used according to the invention in each case on their own or several of them in any combination. The embodiments shown and described are not to be construed as closed enumeration, but are rather exemplary in character for the description of the invention.

Detailed description of the invention and drawing

The invention is represented in the drawing and is explained in more detail by means of exemplary embodiments. They show: FIG. 1 a schematic general view of the structure of a first embodiment of a server device according to the invention with two server clusters;

Figure 2 is a schematic general view of the structure of a second embodiment of a server device according to the invention with three server clusters.

Summary of the invention

The present invention is based on the distribution of processes of a software control of a rail transport protection system at a virtual operational level by different clusters of servers. In this way, processes can be migrated across individual servers in your server cluster to ensure high availability in the event of individual server failure. The processes are of the same type and the results of the processes are compared with each other for security purposes. By dividing the processes across different server clusters, it is ensured that the processes always run on different individual servers, so that individual hardware errors lead to different process results that can be easily discovered in the framework of security checks.

HIS application within the framework of the invention

In the following, the invention is described in more detail by means of the example of the architecture of an HIS application, in particular with regard to process sharing.

The HIS application (HIS = Human machine interface for Interlocking Systems) is a SIL2 application (Safety Integrity Level 2) that is specially developed and authorized according to the CENELEC EN 50128 standard. It basically has the function of the user interface of an electronic interlocking station (ESTW) and can be configured for different markets or applications in different designs to take into account the respective particularities. All the designs have in common the basic architecture according to which a master process performs calculations that ultimately lead to the so-called lighting (= visual representation on a screen) of the states of the interlocking station elements. These calculations are also performed at the same time by one or more (depending on the design) slave process (s) and the calculation results are cross-compared with each other, that is, both the master process and the process (s) Slaves compare in each case their own calculation result with those of the other or the others. In the event that the calculation results do not match, the overall system is put into a so-called "unsafe state" that no longer allows certain safety-relevant operating actions.

A special design of the HIS application is the so-called HIS server, which basically serves to supply operating terminals connected to the lighting or calculated states of the elements of the control station. interlocking.

To meet the SIL2 requirements of EN 50128 the HIS architecture, according to one characteristic, has to be such that the master process and a slave process run on different (hardware) processors. In the case of multi-core processors, this can be achieved by binding processes firmly to certain processor cores (core binding; processor affinity). This ensures that a calculation error of a processor (or processor core) can never lead to the same false result in the master process and in the slave process (simultaneous double errors are excluded by the standard).

By porting the server applications to a common virtual operating level (virtual platform) it can no longer be easily guaranteed that the master process and the slave process do not run through the same computational error of a processor, since the allocation from a virtual processor to a physical processor (core) cannot just be given and demonstrated.

The inventors have found that several so-called server clusters can be formed from server computers (individual servers) that offer the advantages of a virtual operational level (high availability, redundancy) and, at the same time, guarantee a physical separation of processes. . With two server clusters of at least two server computers in each case, the master process can run on one server cluster and the slave process can run on the other server cluster. In this regard, it cannot be predicted which processor (core) is being used in the server cluster by a process, but it can be excluded that the processes in the different server clusters will use the same (core) at some point. processor.

In this way, it is also possible to realize the previously described characteristic of the HIS architecture in the case of using the HIS application on a virtual operating level.

Realization of a server appliance with two server clusters

In figure 1 a first embodiment of a server device 1 according to the invention with two server clusters SC1, SC2 is described in more detail. Server device 1 is also called a virtual cluster.

In this case, to the server device 1 belong a first cluster of servers SC1 and a second cluster of servers SC2 that are configured physically separated from each other, which is illustrated in figure 1 by a physical boundary 2. The expression "physically separated "refers to the fact that the server computers (SRV) of the two server clusters SC1, SC2 are not composed of the same hardware but are independent computers. With this, the local separation can be realized both by forming the server clusters SC1, SC2 in the same rack in a server room or in different racks in the same server room or in different server rooms and in different locations. with a distance of several kilometers. The limiting factor for the maximum distance between the SC1, SC2 server clusters is the speed and latency of the network between them for the synchronization of the SC1, SC2 server clusters. The network connections are represented in Figure 1 by simple connection lines.

In the first server cluster SC1, at least two server computers (individual servers) SRV-1 -1, SRV-1 -2 are grouped together so that they form a cluster. Also, in the second server cluster SC2, at least two server computers (individual servers) SRV-2-1, SRV-2-2 are grouped together so that they form a cluster.

In a cluster of servers SC1, SC2 different VM virtual machines are running in which, in turn, the most diverse applications or their processes are running. These can be applications whose processes are spread across individual server clusters, of which, however, only their joint action results in common functionality, as well as applications that run individually on a server cluster and result in a functionality independent of the other processes and applications. Examples of applications and processes of VM virtual machines are:

• HIS-Master 11 a (HIS application process)

• HIS-Slave 11 b (HIS application process)

• Interlocking station control process-1 12a (Interlocking station control application process)

(Interlocking-Control Process-1 = IL-Ctrl Proc-1)

• Interlocking station control process-2 12b (Interlocking station control application process)

(Interlocking-Control Process-2 = IL-Ctrl Proc-2)

• Train Protection Control Process-1 13a (Train Protection Control Application Process) (Train Control-Control Process-1 = TC-Ctrl Proc-1)

• Train Protection Control Process-213b (Train Protection Control Application Process) (Train Control-Control Process-2 = TC-Ctrl Proc-2)

• User interface A 14 (Human Machine Interface A = HMI A)

• Application B 15 (Application B = App B)

• User interface C 16 (Human Machine Interface C = HMI C)

• Application D 17 (Application D = App D).

The server device 1 has a common cluster control device 18 and a common storage control device 19 for both server clusters SC1, SC2. Each server cluster SC1, SC2 has its own high availability control (high availability = HA control) 20a, 20b with which application processes can be moved between the individual computers SRV-1-1, SRV-1-2 or SRV-2-1, SRV-2-2 within the respective SC1 or SC2 server cluster, in particular if a defect occurs in an individual computer. Furthermore, each cluster of servers SC1, SC2 has in each case its own memory (storage vol 1, storage vol 2) 21a, 21b that can be used by the individual servers of the respective cluster SC1, SC2.

In the exemplary embodiment shown, the HIS 11 server software is divided into two parts: The HIS 11a master process is implemented in the first server cluster SC1, and the HIS 11b slave process (of the same type with respect to the HIS master process 11a) is deployed on the second SC2 server cluster. Therefore, the HIS 11a master process will always run on one of the individual SRV-1 -1 or SRV-1 -2 servers in the first SC1 server cluster, but not on the individual servers in the second SC2 server cluster. Conversely, the HIS 11b slave process will always run on one of the individual SRV-2-1 or SRV-2-2 servers in the second SC2 server cluster, but not on the individual servers in the first SC1 server cluster. In this way it is ensured that the HIS master process 11a and the HIS slave process 11b are always physically separated from each other. If the process results match, the matching process result is reliable.

Also, in this case, the processes 12a and 12b of the same type of the interlocking station control software 12 are physically separated from each other, and the processes 13a and 13b of the same type of the train protection control software 13 are physically separated. each; in the case of matching process results, in turn, the matching process result is reliable in each case. The additional software applications 14, 15, 16, 17 or their processes exist here in each case without a complementary part of the same type in the respective other server cluster SC1, SC2, that is, they are only carried out in each case in a simple way on one of the server clusters SC1, SC2. This is primarily intended for non-safety-relevant applications.

Implementation with three server clusters

Figure 2 shows an embodiment of a server device according to the invention (virtual cluster) 30 that has three clusters of servers SC1, SC2, SC3. The structure of the server appliance 30 with three server clusters SC1, SC2, SC3 largely corresponds to the structure with two server clusters in Figure 1, so that only the fundamental differences are explained below. On the server device 30 with three server clusters SC1, SC2, SC3, applications that follow the so-called principle of 2 of 3 (2 out of 3 = 2oo3) can be run. In these applications, three processes of the same type perform the same calculation algorithms and, in this respect, respectively obtain a calculation result. These calculation results are compared with each other by a comparator. As long as at least two of the three calculation results match, this matching result is considered correct. If the comparator detects three different results, the system is marked as "not secure". According to this principle, for example, the interlocking station application or the train protection application work.

A criterion for authorization according to EN 50128 in 2oo3 systems is that the individual processes run on different hardware. This can be ensured by the server device 30 according to the invention (virtual cluster) which is based on three server clusters SC1, SC2, SC3 separated by physical boundaries 2. For example, the interlocking post application processes they run embedded in each case in a virtual machine VM spread over the three server clusters and therefore never use the same processors or processor cores. With 2oo3 systems, the safety standard according to SIL4 can also be achieved. Typical applications of 2oo3 systems or their processes are:

Operation Process-1 31a (User Interface Process) (Operation Control Process-1 = OC Proc-1)

Operation Process-231b (User Interface Process) (Operation Control Process-2 = OC Proc-2)

Operation Process-331c (User Interface Process) (Operation Control Process-3 = OC Proc-3)

Interlocking Station-1 Process 32a (Interlocking Process-1 = IL Proc-1)

Interlocking Station Process-232b (Interlocking Process-2 = IL Proc-2)

Interlocking Station-332c Process (Interlocking Process-3 = IL Proc-3)

Train Protection Process-1 33a (Train Protection Application Process) (Train Control Process-1 = TC Proc-1)

Train Protection Process-233b (Train Control Process-2 = TC Proc-2)

Train Protection Process-333c (Train Control Process-3 = TC Proc-3)

In the present case, the processes 31a, 31b, 31c of the same type or associated parts of the operation software 31 are distributed among the three server clusters SC1, SC2, SC3 so that the processes 31a, 31b, 31c are never executed in the same processor or on the same hardware and thus your process results cannot be false in the same way due to an individual hardware error. The same is true for processes 32a, 32b, 32c of the interlocking station software 32 and, in addition, processes 33a, 33b, 33c of the train protection software 33. Also, in a virtual cluster or a server device 30 with three server clusters SC1, SC2, SC3 additional individual applications or additional processes that are independent of 2oo3 systems can be run, in this case the software applications HMI A 34, App B 35, HMI C 36, App D 37 , HMI E 38, App F 39 additional.

List of references

1 Server device

2 Physical limit

11a, 11b Processes of the same type

11 Software (HIS server)

12a, 12b Processes of the same type

12 Software (station control device

interlocking)

13a, 13b Processes of the same type

13 Software (protection control device

14-17 Additional software

18 Cluster control appliance

19 Memory control device

20a-20c High availability control device

21a-21c Report

30 Server device

31a-31c Processes of the same type

31 Software (operation)

32a-32c Processes of the same type

32 Software (interlocking station)

33a-33c Processes of the same type

33 Software (train protection)

34-39 Additional Software

SC1-SC3 Server cluster

SRV-1-1 Server computer (single server)

SRV-1-2 Server computer (single server)

SRV-2-1 Server computer (single server)

SRV-2-2 Server computer (single server) SRV-3-1 Server computer (single server) SRV-3-2 Server computer (single server)

Claims (10)

1. Server device (1; 30) that operates a software for the control of a function of a rail transport protection system, operating the software (11, 12, 13; 31, 32, 33) physically separately with each other at least two processes (11 a-11 b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) whose results are compared with each other to perform the function control, characterized because the software (11, 12, 13; 31, 32, 33) is operated at a virtual operating level of the server device (1; 30), because the server device (1; 30) comprises at least two clusters servers (SC1, SC2, SC3) physically separated from each other, each of the server clusters (SC1, SC2, SC3) of the server device (1; 30) comprising at least two individual servers (SRV-1-1, SRV-1-2, SRV-2-1, SRV- 2-2, SRV-3-1, s Rv -3-2) that allow a migration of processes (11 a-11 b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) each other in the event of a single server failure (SRV-1-1, SRV-1-2, SRV-2-1, SRV-2-2, SRV-3-1, SRV-3-2), running the at least two processes (11 a-11 b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) in virtual machines (VM), and because the software (11, 12, 13; 31, 32, 33) comprises at least two parts that are installed in different server clusters of the at least two server clusters (SC1, SC2, SC3) so that the at least two processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) are operated on different server clusters from the at least two server clusters (SC1, SC2, SC3). Server device (1; 30) according to claim 1, characterized in that the software (11, 12, 13; 31.32, 33) is an interlocking station application. 3. Server device (1; 30) according to claim 2, characterized in that the software (11, 12, 13; 31, 32, 33) is an application to operate the user interface of a controlled interlocking station by computer, in particular with a functionality for connecting mobile operating terminals. 4. Server device (1; 30) according to claim 1, characterized in that the software (11, 12, 13; 31.32, 33) is a train protection application. Server device (1; 30) according to one of the preceding claims, characterized in that the software (11, 12, 13; 31, 32, 33) is configured in accordance with security integrity level 2 ( SIL2) or higher. Server device (1; 30) according to one of the preceding claims, characterized in that the software (11, 12, 13; 31, 32, 33) is configured according to security integrity level 4 ( SIL4). Server device (1; 30) according to one of claims 1 to 6, characterized in that the software (11, 12, 13) operates exactly two processes (11 a-11 b; 12a-12b; 13a- 13b) that are physically separated from each other in exactly two different server clusters (SC1, SC2). Server device (1; 30) according to one of claims 1 to 7, characterized in that the server device (30) comprises three server clusters (SC1, SC2, SC3) physically separated from each other, because the software (31, 32, 33) comprises at least three parts that are installed in server clusters different from the server clusters (SC1, SC2, SC3) so that the software (31, 32, 33) operates three processes ( 31a-31c; 32a-32c; 33a-33c) in different server clusters of the three server clusters (SC1, SC2; SC3), and why the results of the processes (31a-31c; 32a-32c; 33a- 33c) are evaluated within the framework of a 2 out of 3 decision for the control of the function of the rail transport protection system. Server device (1; 30) according to one of the preceding claims, characterized in that the server device (1; 30) operates at least one additional software (14-17; 34-39) for the control of an additional function of a rail transport protection system, and because the at least one additional software (14 17; 34-39) is installed and operated only on one of the server clusters (SC1, SC2, SC3) . Server device (1; 30) according to claim 9, characterized in that the at least one additional software (14-17; 34-39) comprises one or more of the following software applications: - a scheduling system, in particular ARAMIS-D; - a train number and train address management system, in particular ARAMIS-C; - a data analysis and metric system (business intelligence); - a system of maintenance of trains (maintenance center); - a train data recording and control system (checkpoint master node); - a system for registering and evaluating operational components (service management tool).