JP2008254556A - Fail-safe control system - Google Patents

Publication number: JP2008254556A
Authority: JP (Japan)
Prior art keywords: result, computer, processing calculation, calculation result, train
Legal status: Granted
Current legal status: Active
Application number: JP2007098238A
Other languages: Japanese (ja)
Other versions: JP4961247B2 (en)
Inventors: Nobuko Hamaguchi (伸子 濱口), Yasumasa Hida (飛田 安正)
Current Assignee: Hitachi Ltd
Original Assignee: Hitachi Ltd
Application filed by Hitachi Ltd
Priority to JP2007098238A
Publication of JP2008254556A
Application granted
Publication of JP4961247B2

Landscapes

  • Train Traffic Observation, Control, And Security (AREA)

Abstract

PROBLEM TO BE SOLVED: To provide a fail-safe control system that achieves highly responsive train control. Each system of the ground equipment judges the normality/abnormality of its own system and the other systems and transmits the results to the on-board device, which decides whether to use an ATC telegram by majority vote of the judgments on the normality/abnormality of the main system of the ground equipment.

SOLUTION: Computers 2A-2C of a multi-system computer 1 in the ground equipment exchange and collate the processing calculation results of their own system and the other systems, judge the soundness of their own system and the other systems from the collation result, and prepare a soundness determination result for the whole system. The multi-system computer 1 outputs the whole-system soundness determination results to an on-board device 5 together with the processing calculation result. A reception control unit 7, serving as the control device, performs majority processing on the whole-system soundness determination results to decide whether the processing calculation result may be used. Because a logic-based fail-safe method is used, the system can be made smaller and cheaper than a hardware configuration, the interface can be expanded, and high responsiveness can be achieved in train control.

COPYRIGHT: (C)2009, JPO&INPIT

Description

The present invention relates to a fail-safe control system for guaranteeing safety in train control performed by an automatic train control (ATC) device when control data is transmitted between a multi-system control device and an on-board device.

To ensure safety in train control, the control device is configured to operate fail-safe. In train control, fail-safe means that whenever an abnormality occurs in a device or in the system, the train is always controlled toward the safe side, that is, toward stopping.

Conventionally, to transmit information fail-safe, train control devices have used a multi-system configuration in which every system has the same logic. The systems exchange and collate their output results, the normal/abnormal state of the main system (the system that outputs data) as judged by each system's computer is fed into dedicated hardware that takes a majority vote, and when the main system is judged abnormal a relay in that hardware restricts data output.

In recent years, however, techniques have been proposed that remove this hardware and instead ensure fail-safety for the system as a whole by using the logic of each device involved in the information transmission, from the device that outputs a control instruction to the device that receives the instruction and actually performs control.

A multi-system information processing apparatus has been proposed (Patent Document 1) in which each system of the multi-system device exchanges and collates output results to judge the normal/abnormal state of the main system and then appends each system's determination result to the control instruction information it outputs. The device receiving the control instruction takes a majority vote of the main-system states judged by each system of the control device and uses the received information for its own control when the main system is judged normal.
Because that multi-system device may output an erroneous telegram once if a whole-system abnormality occurs, the controlled device uses a telegram for control only when it has received the same control instruction twice.
JP 2004-302708 A

In recent years, wireless ATC has been spreading worldwide as an automatic train control (ATC) system. Wireless ATC is a train control system that communicates directly with the on-board device by radio to perform train detection and transmit ATC telegrams. Compared with the conventional track circuit method, wireless ATC can reduce equipment and maintenance costs. As a result, the logic unit of a wireless ATC has more interfaces, those to the radio base stations, in addition to the configuration of a conventional ATC logic unit. Given equipment cost and installation space, however, the growth in hardware making up the control device must be limited while the safety required of a train control device is maintained.

For this reason, a technique that achieves fail-safe telegram transmission between the logic unit (ground device) that transmits information and the on-board device by using the logic of both devices, without the dedicated hardware described above, is very useful.

An object of the present invention is to provide a fail-safe transmission system in which each system of the ground device transmits all of its normal/abnormal determination results for its own system and the other systems to the on-board device, and the on-board device first judges whether a whole-system abnormality of the ground device is possible and then decides whether the ATC telegram may be used by majority vote of the normal/abnormal determination results for the main system of the ground device. This allows the on-board device to use a received ATC telegram for control immediately, achieving train control with higher responsiveness than before.

To achieve the above object, the present invention uses the following means. The fail-safe control system according to the invention comprises a multi-system computer, composed of a plurality of computers that execute the same processing calculation for the same processing target and output the processing calculation result, and a control device that receives the output processing calculation result and controls the processing target based on it. Each computer of the multi-system computer exchanges its own processing calculation result with those of the other systems and collates them, judges the soundness of its own and the other systems' computers from the collation result, and creates a whole-system soundness determination result. The multi-system computer outputs the whole-system soundness determination results together with the processing calculation result, and the control device performs majority processing on the received whole-system soundness determination results to decide whether the processing calculation result may be used.

The ground logic unit that creates the ATC telegrams used for train control has a plurality of computers with the same logic, and the computers can exchange data with one another over a communication path. This lets the computers collate data with one another and judge soundness. The logic unit can also transmit ATC telegrams over a communication path to the on-board device to be controlled. The ATC telegram created by a computer of the logic unit can contain the information the controlled train needs for travel control together with the soundness information the computers have determined about one another. The on-board device receives the ATC telegram output by the logic unit and judges the validity of the received data from the soundness information of each computer, which makes fail-safe control possible.

As described above, the fail-safe transmission system according to the present invention uses a fail-safe technique based on the logic of the control devices that transmit information. Compared with a hardware fail-safe device configuration, the equipment can be made smaller, costs can be reduced, and interfaces can be expanded, and the on-board device can detect a whole-system abnormality of the control device. In addition, because telegrams for continuous control can be used immediately, high responsiveness can be achieved in train control.
In this logic-based fail-safe telegram transmission system, even when the ground device suffers a whole-system abnormality, the on-board device can detect it and discard control information that may be erroneous, so control telegrams can be used immediately in the continuous control performed by the on-board device.

Embodiments of the fail-safe transmission system according to the present invention are described below with reference to the drawings.
FIG. 1 is a block diagram showing the device configuration of one embodiment of the fail-safe transmission system according to the present invention. The logic unit 1, which is the ground device, consists of the computers 2A, 2B, and 2C of three systems. The computers 2A to 2C operate independently but perform the same processing at the same time. Data is exchanged between the systems over the communication path 3.

The main-system computer (system 1, computer 2A, in the example of FIG. 1) transmits an ATC telegram containing the soundness determination results that each system produced for all systems over the communication path 4 (normally a radio path) to the on-board device 5 of the controlled train. The on-board device 5 passes the received ATC telegram through the IF (interface) device 6 to the reception control unit 7, which provides the fail-safe (FS) function of the present invention. The reception control unit 7 collates the soundness determination results for each system that were produced by all three systems of the ground device (logic unit) 1 and are contained in the ATC telegram, judges whether the main system of the logic unit 1 is normal or abnormal by majority vote of the main-system soundness determination results, and decides whether to use the ATC telegram for travel control.

Next, the logic of each device in performing fail-safe transmission between the ground device and the on-board device in the fail-safe control system according to the present invention is described. FIG. 2 shows the processing flow in each device while an ATC telegram is transmitted from the logic unit 1 to the on-board device 5. As the processing flow in the logic unit 1, that of system 1 (2A), the main system, is shown as an example. Train detection information from the on-board device 5 and external conditions such as interlocking information are input to the main system 2A. The train detection information is the position on the track of the train carrying the on-board device 5, and the interlocking information, as an external condition, concerns the actual route over the running track (for example, which line, whether it is the up or down direction, and the switching state of the points). On receiving these inputs, the logic unit 1 of the main system 2A creates train control data (step 8), such as the point at which the train must stop and the permitted speed, that is, how far and at what speed the train may proceed. In the systems 2B and 2C other than the main system 2A, the train detection information and external conditions are input and train control data is created in the same way.

In the logic unit 1, the systems then exchange the train control data with one another as output information, again over the data exchange communication path 3. Each system collates its own data with the other systems' data and creates a diagnosis result for each system indicating whether the data disagreed between systems (step 9). From that result, a system whose data matched at least one other system is judged normal and a system whose data matched neither of the other two is judged abnormal. The soundness of the own system and the other systems is determined in this way, and the whole-system soundness determination result is created (step 10).

The soundness results for the own system and the other systems obtained by each system in step 10 are expressed with symbols unique to each system, to allow for erroneous setting by the main system when they are transmitted to the on-board device 5 of the controlled train. Like the train control data, the whole-system soundness determination result created in step 10 is output to the other systems, and the whole-system soundness determination results of the other systems are received as input. Each system's soundness results for all systems are appended to the train control data (step 11) and transmitted to the on-board device 5. In other words, the whole-system soundness determination results of the individual systems are not evaluated in any one system; all of them are sent to the on-board device 5.

FIG. 3 shows an example of the structure of the ATC telegram. As shown in FIG. 3, the ATC telegram consists of the control data (train control data) 19 created in step 8 and the main system selection information 21. The main system selection information 21 consists of the whole-system soundness determination result 22A produced by system 1 (2A), the whole-system soundness determination result 22B produced by system 2 (2B), and the whole-system soundness determination result 22C produced by system 3 (2C). The result 22A consists of the soundness determination result 22A1 of system 1 (2A) for system 1 (2A) (that is, its judgment of itself), the soundness determination result 22A2 of system 1 (2A) for system 2 (2B), and the soundness determination result 22A3 of system 1 (2A) for system 3 (2C). The results 22B and 22C are structured in the same way.

In the processing flow of FIG. 2, the on-board device 5 then first collates the soundness determination results for all systems that were produced by each system of the logic unit (ground device) 1 and are contained in the received ATC telegram (step 12). If the results of all systems disagree, a whole-system abnormality is taken to have occurred in the logic unit (ground device) 1 and the ATC telegram is discarded. Otherwise, a majority vote is taken on the soundness results for the main system produced by each system of the logic unit 1 (step 13), and if at least two systems judged the main system normal, the ATC telegram is used for control.

Next, the collation of the whole-system soundness determination results of each system on the on-board device 5 side is described in more detail for the fail-safe determination method of a triple-system device as the multi-system.
(1) When the main system becomes abnormal during triple-system operation, that is, system 1 is the main system, systems 2 and 3 are subordinate systems, and the main system (system 1) becomes abnormal
(a) When the systems of the ground device 1 diagnose one another, the normal systems 2 and 3 judge "system 1 abnormal, system 2 normal, system 3 normal". Because system 1 is abnormal, it may judge any system either "abnormal" or "normal". The determination results are shown in Table 1.

[Table 1 (image: Figure 2008254556)]
(b) When the on-board device 5 receives the ATC telegram, in which each system's whole-system soundness determination result has been appended to the train control data, it collates the whole-system soundness determination results of the systems of the ground device. The collation is performed by majority processing of the main system selection information in the ATC telegram. The whole-system soundness determination results agree for at least two systems (systems 2 and 3), so the soundness results of systems 2 and 3 for all systems are adopted. Next, the soundness results of systems 2 and 3 for the main system (system 1) are obtained. This soundness result is "abnormal", so the telegram is discarded as invalid.

(2) When one subordinate system becomes abnormal during triple-system operation (for example, when system 2 becomes abnormal)
(a) When the systems of the ground device 1 diagnose one another, the normal systems 1 and 3 judge "system 1 normal, system 2 abnormal, system 3 normal". Because system 2 is abnormal, it may judge any system either "abnormal" or "normal". The determination results are shown in Table 2.

[Table 2 (image: Figure 2008254556)]
(b) When the on-board device 5 receives the ATC telegram, in which each system's whole-system soundness determination result has been appended to the train control data, it collates the whole-system soundness determination results of the systems of the ground device. When the collation is performed by majority processing, the whole-system soundness determination results agree for at least two systems (systems 1 and 3), so the soundness results of systems 1 and 3 for all systems are adopted. Next, the soundness results of systems 1 and 3 for the main system (system 1) are obtained. This soundness result is "normal", so the telegram is treated as correct and used for train control.

(3) When two or more systems become abnormal during triple-system operation (when the whole system becomes abnormal)
(a) When the systems of the ground device 1 diagnose one another, the abnormal systems 1 to 3 do not produce a meaningful diagnosis result for any system. Because the whole system is abnormal, each system may judge any system either "abnormal" or "normal". The determination results are shown in Table 3.

[Table 3 (image: Figure 2008254556)]
(b) When the on-board device 5 receives the ATC telegram, in which each system's whole-system soundness determination result has been appended to the train control data, it collates the whole-system soundness determination results of the systems of the ground device. When the collation is performed by majority processing, the whole-system soundness determination results disagree, so the whole ground device is judged abnormal and the telegram is discarded as invalid.
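
The ground-side judgment (steps 9 and 10), telegram assembly (step 11) and on-board acceptance check (steps 12 and 13), run over cases (1) to (3) above, as an added Python example that is not code from the patent. The function names, the dictionary layout of the telegram, the constructed control-data strings, the reports injected for failed computers, and the rule that a malformed telegram is discarded are assumptions of this example.

```python
from collections import Counter

SYSTEMS = (1, 2, 3)  # systems 1-3 correspond to computers 2A, 2B, 2C
NORMAL, ABNORMAL = "normal", "abnormal"


def judge_all(outputs):
    """Steps 9-10 as run by one sound ground computer.

    outputs maps system id -> train control data exchanged over path 3.
    A system is normal if its data matches at least one other system,
    abnormal if it matches neither of the other two.
    """
    verdicts = []
    for s in SYSTEMS:
        others = [outputs[o] for o in SYSTEMS if o != s]
        verdicts.append(NORMAL if outputs[s] in others else ABNORMAL)
    return tuple(verdicts)


def build_telegram(outputs, main, faulty_reports=None):
    """Step 11: the main system appends every system's whole-system result.

    faulty_reports (assumption of this example) injects the arbitrary
    result a failed computer might produce instead of a sound one.
    """
    faulty_reports = faulty_reports or {}
    health = {s: faulty_reports.get(s, judge_all(outputs)) for s in SYSTEMS}
    return {"control_data": outputs[main], "main": main, "health": health}


def accept_telegram(telegram):
    """Steps 12-13 in the on-board reception control unit 7.

    Returns (usable, reason). Anything malformed is discarded, which is
    the safe side (assumption: the patent does not describe this case).
    """
    health, main = telegram.get("health"), telegram.get("main")
    if main not in SYSTEMS or not isinstance(health, dict) \
            or set(health) != set(SYSTEMS):
        return False, "malformed telegram"
    reports = [health[s] for s in SYSTEMS]
    for r in reports:
        if not isinstance(r, tuple) or len(r) != len(SYSTEMS) \
                or any(v not in (NORMAL, ABNORMAL) for v in r):
            return False, "malformed telegram"

    # Step 12: collate the whole-system results; two systems must agree.
    _, agreeing = Counter(reports).most_common(1)[0]
    if agreeing < 2:
        return False, "whole-system abnormality"

    # Step 13: majority vote on the verdicts about the main system.
    votes = sum(1 for r in reports if r[SYSTEMS.index(main)] == NORMAL)
    if votes >= 2:
        return True, "main system normal"
    return False, "main system abnormal"


def run_scenarios():
    """Cases (1)-(3) from the description, with constructed sample data."""
    good, bad = "stop@1200m,limit=45km/h", "stop@3000m,limit=90km/h"
    results = {}
    # (1) main system 1 is abnormal; its own report is arbitrary.
    t1 = build_telegram({1: bad, 2: good, 3: good}, main=1,
                        faulty_reports={1: (NORMAL, NORMAL, NORMAL)})
    results[1] = accept_telegram(t1)
    # (2) subordinate system 2 is abnormal; its own report is arbitrary.
    t2 = build_telegram({1: good, 2: bad, 3: good}, main=1,
                        faulty_reports={2: (ABNORMAL, NORMAL, ABNORMAL)})
    results[2] = accept_telegram(t2)
    # (3) all systems abnormal; every report differs.
    t3 = build_telegram({1: "x", 2: "y", 3: "z"}, main=1,
                        faulty_reports={1: (NORMAL, ABNORMAL, ABNORMAL),
                                        2: (ABNORMAL, NORMAL, ABNORMAL),
                                        3: (ABNORMAL, ABNORMAL, NORMAL)})
    results[3] = accept_telegram(t3)
    return results


if __name__ == "__main__":
    for case, (usable, reason) in run_scenarios().items():
        print(f"case ({case}): usable={usable} ({reason})")
```
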

A diagram showing the device configuration of one embodiment of the fail-safe control system according to the present invention.
A flowchart showing the processing flow of each device in one embodiment of the fail-safe control system according to the present invention.
A configuration diagram of the control telegram used in one embodiment of the fail-safe control system according to the present invention.

Explanation of symbols

1: logic unit; 2A, 2B, 2C: computers of each system; 3: communication path for inter-system data exchange; 4: data communication path between ground device and on-board device; 5: on-board device; 6: IF device; 7: reception control unit

Claims (5)

A fail-safe control system comprising a multi-system computer composed of a plurality of computers that execute the same processing calculation for the same processing target and output the processing calculation result, and a control device that receives the output processing calculation result and controls the processing target based on the processing calculation result, wherein
each computer of the multi-system computer exchanges the processing calculation result of its own system and the processing calculation results of the other systems with one another and collates them, judges the soundness of the computers of its own system and the other systems based on the collation result, and creates a whole-system soundness determination result,
the multi-system computer outputs the whole-system soundness determination result together with the processing calculation result, and
the control device performs majority processing on the received whole-system soundness determination result to determine whether the processing calculation result may be used.

The fail-safe control system according to claim 1, wherein
the control target is a train traveling on a track,
the multi-system computer is deployed as a ground device,
the control device is mounted on the train, and
the processing calculation result is train control data for controlling the operation of the train.

The fail-safe control system according to claim 1, wherein
each computer of the multi-system computer comprises
train control data creating means for receiving train detection information including the current position of the train and interlocking information including the track on which the train is to travel, and creating the train control data as the processing calculation result,
diagnosis result creating means for also collating the train control data exchanged from the computers of the other systems and creating a diagnosis result for the computer of each system,
whole-system soundness determination result creating means for combining the diagnosis results of the systems to create a whole-system soundness determination result, and
input/output means for exchanging the train control data and the whole-system soundness determination result with the computers of the other systems.

The fail-safe control system according to claim 1, wherein
the computer serving as the main system of the multi-system computer outputs the whole-system soundness determination results created by the computers of its own system and the other systems together with the processing calculation result, and
the control device has a computer that controls whether the processing calculation result may be used by collating the normal/abnormal determination results for the own system and the other systems produced by each computer of the multi-system computer and by majority processing of the normal/abnormal determination results for the main-system computer produced by each computer of the multi-system computer.

A fail-safe control method in which a multi-system computer composed of a plurality of computers that execute the same processing calculation for the same processing target outputs the processing calculation result, and a control device that receives the output processing calculation result controls the processing target based on the processing calculation result, wherein
each computer of the multi-system computer exchanges the processing calculation result of its own system and the processing calculation results of the other systems with one another and collates them, judges the soundness of the computers of its own system and the other systems based on the collation result, and creates a whole-system soundness determination result,
the multi-system computer outputs the whole-system soundness determination result together with the processing calculation result, and
the control device performs majority processing on the received whole-system soundness determination result to determine whether the processing calculation result may be used.
JP2007098238A 2007-04-04 2007-04-04 Fail-safe control method Active JP4961247B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2007098238A JP4961247B2 (en) 2007-04-04 2007-04-04 Fail-safe control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2007098238A JP4961247B2 (en) 2007-04-04 2007-04-04 Fail-safe control method

Publications (2)

Publication Number Publication Date
JP2008254556A (en) 2008-10-23
JP4961247B2 (en) 2012-06-27

Family

ID=39978584

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2007098238A Active JP4961247B2 (en) 2007-04-04 2007-04-04 Fail-safe control method

Country Status (1)

Country Link
JP (1) JP4961247B2 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0710000A (en) * 1993-06-22 1995-01-13 Chubu H S S T Kaihatsu Kk Speed control pattern generator
JPH11249703A (en) * 1998-03-03 1999-09-17 Hitachi Ltd Fail safe system and railroad operation managing system
JP2000010940A (en) * 1998-06-19 2000-01-14 Hitachi Ltd Multisystem processor, controller connected to multisystem processor, and multisystem processing system
JP2004302708A (en) * 2003-03-31 2004-10-28 Hitachi Ltd Multiple-system information processor

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011198038A (en) * 2010-03-19 2011-10-06 Mitsubishi Electric Corp Fail-safe control apparatus
JP2014080141A (en) * 2012-10-18 2014-05-08 Hitachi Ltd Railway signal system
JP2019026025A (en) * 2017-07-28 2019-02-21 日本信号株式会社 Track relay
JP7182357B2 (en) 2017-07-28 2022-12-02 日本信号株式会社 track relay
JPWO2020152829A1 (en) * 2019-01-24 2021-09-09 三菱電機株式会社 Ground radio and train control system
JP7062093B2 (en) 2019-01-24 2022-05-02 三菱電機株式会社 Ground radio and train control system

Also Published As

Publication number Publication date
JP4961247B2 (en) 2012-06-27

Similar Documents

Publication Publication Date Title
US20190302753A1 (en) Communications interruption system, communications interruption method, and recording medium
CN105103061B (en) The method of control and data transmission set, processing unit and the process control for redundancy with dispersion redundancy
US10069709B2 (en) Communication apparatus and vehicle transmission system
CN107229534A (en) Mix dual duplexed failure mode of operation and the general introduction to any number of failure
JP4961247B2 (en) Fail-safe control method
CN105438151B (en) Brake control system and fault-oriented safety processing method thereof
CA2952045C (en) System, method, and apparatus for generating vital messages on an on-board system of a vehicle
CN103057567A (en) Security platform beside common rail in field of railway signal
CN106059725A (en) Vehicle-mounted dual hot standby system for rail tram
CN105637811B (en) Semanteme disappears again
JP2016060413A (en) Vehicular electronic control unit and control method
CN113474230A (en) Security system and method for operating a security system
CN114228789A (en) Full-automatic train dual-channel remote control method, device, equipment and medium
US10404416B2 (en) Redundant transmission system with PRP and fault prediction
CN110696879B (en) Train speed control system based on air-to-air vehicle-ground integrated network
CN103917961B (en) Method for operating control network, and control network
JP6071673B2 (en) Automatic ticket gate system and master ticket updating method for automatic ticket gate system
JP5887289B2 (en) Passenger conveyor equipment
JP2006080595A (en) Mobile communication system
EP1104735A1 (en) Multiple system processor, controller connected to multiple system processor, and multiple system processing system
JP6441380B2 (en) In-vehicle transmission control device
JP2012222405A (en) Vehicle information controller
JP6059652B2 (en) Signal security control device
JP2011146965A (en) Telegram message transmitting apparatus and method
JP6830407B2 (en) Vehicle control device

Legal Events

Date Code Title Description
A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20090420

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20110201

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20110203

A521 Written amendment

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20110817

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20120228

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20120326

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20150330

Year of fee payment: 3

R150 Certificate of patent or registration of utility model

Ref document number: 4961247

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150
