JP5470200B2 - Failure detector and failure detection method, brake computing unit and railway vehicle control system using the same - Google Patents

Description

  The present invention relates to a failure detection apparatus, for example, failure detection of a railway vehicle brake control system.

  In general systems related to safety functions, in particular, systems such as vehicle safety brake control, prevention of danger due to malfunction is required. As a means for taking appropriate preventive measures, device failures that may cause malfunctions need to be detected.

  As a method for detecting a fixed output failure of a device, a method is known in which the devices are made redundant and the output match / mismatch is checked (for example, Patent Document 1).

  In a safety system to prevent overspeed, for example, in a railway vehicle security system, the current vehicle speed obtained from the speed sensor is compared with the allowable speed obtained from the distance to the stop point, etc. A control system is used that outputs a brake when the speed is exceeded.

JP 2006-11576 A

  Thus, for example, in a control device that controls the brake based on the speed acquired by the speed sensor, when the power supply of the speed sensor or the power supply to the circuit that relays the output signal of the speed sensor is cut off, The output signal from the speed sensor becomes zero, and there is a problem that the control device cannot distinguish between a power failure of the speed sensor or the like and a vehicle stop state (speed zero).

  In the case of the power failure described above, even if the speed detection circuit is made redundant as in Patent Document 1, if the power supply of each redundant speed detection circuit is cut off, the output from each speed detection circuit is zero. Since they match, a power supply abnormality cannot be detected.

  An object of the present invention is to prevent speed misidentification due to power failure.

  In the embodiment of the present invention, the same signal is input, the same processing is performed and the logic value corresponding to the input value is output, the logic inversion of the output of the first circuit, A conversion circuit having a logical sum of a logical inversion of an output of the second circuit as a first output and a logical sum of an output of the first circuit and an output of the second circuit as a second output; And an arithmetic unit for detecting a failure based on the second output.

  Alternatively, a first process that outputs a logical value corresponding to the input value, a second process that receives the same signal as the first process, and performs the same process as the first process, and the first process A third process for calculating the logical sum of the logical inversion of the output of the first process and the logical inversion of the output of the second process, and a fourth process for calculating the logical sum of the output of the first process and the output of the second process. And a failure detection process for detecting a failure based on the output of the third process and the output of the fourth process.

  Or, a speed sensor that detects the speed, a first circuit that outputs a logical value corresponding to the output value of the speed sensor, and input / output characteristics similar to those of the first circuit, and corresponding to the output value of the speed sensor The logical sum of the second circuit that outputs a logical value, the logical inversion of the output of the first circuit, and the logical inversion of the output of the second circuit is defined as the first output, and the output of the first circuit and the second circuit A conversion circuit having a logical OR with the output of the circuit as a second output, a calculator that detects a failure based on the first output and the second output, and generates a brake command according to the failure detection result; Is provided.

  According to the present invention, speed misidentification due to power failure such as a speed detection circuit can be prevented.

The figure which shows the structure of a security brake calculator. The figure which shows the structure of the vehicle control system using a security brake computing unit. The figure which shows the relationship between the output (A, B) of a phase detection circuit, and the detection value (X, Y) after conversion. The figure which shows the processing flow of CPU. The figure which shows the processing flow of a failure determination process. The figure which shows the processing flow of a failure 2 o'clock process. The figure which shows the processing flow of failure 1 time processing. The figure which shows the processing flow of a process at the time of normal. The figure which shows the relationship between detection value (X, Y) and failure mode. The figure which shows the scenario corresponding to the specific example of the failure 2. FIG. The figure which shows the scenario corresponding to the specific example of the failure 1. FIG.

  Hereinafter, embodiments will be described with reference to the drawings. In the embodiments described below, a railway vehicle control system will be described, but the present invention can be applied to any system that detects an apparatus failure in addition to a railway vehicle control system.

  FIG. 2 shows the configuration of the railway vehicle control system of this embodiment.

  The speed generator 201 functions as a speed sensor and outputs a pulse corresponding to the rotation of the wheel. It is a specification in which no pulse is output when the vehicle speed is zero. In this embodiment, two speed generators 201 are made redundant, and two pulses are output. The speed generator 201 is configured such that the relative phase relationship (advance / delay) is determined according to the movement direction of the vehicle.

  The safety brake calculator 101 detects a pulse from the speed generator 201, converts it to a vehicle speed, calculates a brake command based on the vehicle speed, and outputs it to the brake device 202.

  The brake device 202 brakes the rotation of the wheel with a braking force according to a given brake command.

  Hereinafter, the configuration of the safety brake computing unit 101 will be described with reference to FIG.

  The safety brake calculator 101 includes an input board 103 and a calculation board 104. These power supplies are supplied from separate power supply lines.

  First, the input board 103 will be described. The input board 103 includes duplex phase detection circuits 105 and 106, a conversion circuit 107, and a speed detection circuit 108.

  The phase detection circuit 105 receives two pulses from the speed generator 201 and inputs a logical value of 1 or 0 according to the phase advance / delay (difference) between the two (ie, depending on the direction of movement of the vehicle). It is a circuit to output. Hereinafter, the logical value output corresponding to the movement direction of the vehicle is referred to as A. For convenience, A = 0 is assigned to the upstream direction and A = 1 is assigned to the downstream direction.

  The phase detection circuit 106 has characteristics similar to those of the phase detection circuit 105, and also receives two systems of pulses from the speed generator 201 and outputs a logical value corresponding to the direction of movement. Hereinafter, this output is referred to as B. For convenience, as in A, B = 0 is assigned to the upstream direction and B = 1 is assigned to the downstream direction.

  The conversion circuit 107 is a logic circuit configured to receive two logical values A and B and output [NOT (A)] ∪ [NOT (B)] and [A] ∪ [B]. is there. Here, the symbol NOT represents a logical inversion, and ∪ represents a logical sum. Hereinafter, [NOT (A)] ∪ [NOT (B)] is referred to as X, and [A] ∪ [B] is referred to as Y. X and Y are detected by the CPU 109, which will be described later, but are converted into appropriate signals that can be detected by the CPU 109 as necessary (for example, when the CPU 109 detects a 5V signal, X and Y are 0V ( Value 0) or 5V (value 1)).

  The speed detection circuit 108 converts two systems of pulses from the speed generator 201 into signals that can be detected by the CPU 109 described later, and outputs two systems of speed pulses V1 and V2.

  Next, the calculation board 104 will be described. The arithmetic board 104 includes a CPU 109.

  The CPU 109 calculates the vehicle speed by counting the speed pulse V1 or V2, compares the calculated vehicle speed with the separately determined allowable speed, and outputs a brake command according to the comparison result. Specifically, if the vehicle speed is greater than the allowable speed, the brake device 202 is caused to output a braking force. Which of the speed pulses V1 and V2 is to be adopted follows a predetermined rule. Further, the CPU 109 detects the logical values X and Y, and obtains the vehicle movement direction D from these. Details will be described later with reference to FIGS. The moving direction of the vehicle is used for, for example, detection of a backward movement of a train, and is not specifically obtained by a method different from the conventional method for carrying out the present invention.

  With the above-described configurations of the phase detection circuits 105 and 106, the conversion circuit 107, and the CPU 109, the CPU 109 can detect a circuit failure or power supply failure of the input board 103 (these are referred to as a failure detector 102). Hereinafter, the mechanism of the failure detector 102 will be described with reference to FIG.

  FIG. 3 shows combinations of (X, Y) values corresponding to combinations of (A, B) values. Usually, A and B have the same value. That is, when the vehicle is in the upward direction (A, B) = (1, 1), (X, Y) = (0, 1) is detected at this time. When the vehicle is in the downward direction (A, B) = (0, 0), (X, Y) = (1, 0) is detected at this time. The CPU 109 can detect the movement direction of the vehicle based on the Y value.

  As a failure mode of the phase detection circuits 105 and 106, the output value can be fixed. When the output value is fixed, A and B may be different values in the following four ways. <1> When A is fixed to 1 and in the downward direction, (A, B) = (1, 0). <2> When B is fixed to 1 and in the downward direction, (A, B) = (0, 1). <3> When A is fixed to 0 and in the upward direction, (A, B) = (0, 1). <4> When B is fixed at 0 and in the upward direction, (A, B) = (1, 0). In all four failure modes, (X, Y) = (1, 1) is detected.

  Here, with reference to <1> as an example, the potential of failure and the failure detection interval will be described. If the vehicle is traveling in the down direction, even if A is fixed to 0, (A, B) = (0, 0), and (X, Y) = (1, 0) Thus, it cannot be distinguished from the normal downward direction. That is, a fixed fault of A = 0 is latent while proceeding in the downward direction. However, once the traveling direction is reversed, (A, B) = (0, 1), and (X, Y) = (1, 1) is detected. In general, if a failure is latent for a long time, the probability that another failure is superimposed increases, and detection may not be possible depending on the combination of failure modes. For this reason, it is desirable that the failure detection interval is short. In this example, the period until the vehicle changes its direction is the potential failure period. However, the potential railway failure period can be suppressed to a few hours at most in a railway vehicle that can be expected to return at least several times a day.

  As another failure mode, let us consider a case where the values of X and Y are fixed due to the failure of the conversion circuit 107 or the failure of the CPU 109. <5> When X is fixed at 1, in the upward direction, (X, Y) = (1, 1) is detected. <6> When Y is fixed at 1, if (X, Y) = (1, 1) is detected in the upward direction. <7> When X is fixed at 0, (X, Y) = (0, 0) is detected in the downward direction. <8> When Y is fixed at 0, (X, Y) = (0, 0) is detected in the downward direction.

  Finally, consider a power failure. <9> When the power supply of the input board 103 is shut down, all the outputs of the conversion circuit 107 are fixed to zero, and (X, Y) = (0, 0) is detected. At this time, the output of the speed detection circuit 108 is also fixed to zero.

  FIG. 9 summarizes the relationship between the value of (X, Y) shown above and the failure mode. <1> to <6> are detected as (X, Y) = (1, 1), and <7> to <9> are detected as (X, Y) = (0, 0).

  The processing flow of the CPU 109 described below uses this relationship.

  A processing flow of the CPU 109 will be described with reference to FIG. The CPU 109 repeats the processing from START to END at a cycle T. The process starts from START, and first proceeds to process 407.

  The process 407 is a speed detection process, and vehicle speeds obtained by counting the speed pulses V1 and V2 (for convenience, these are also referred to as V1 and V2. Hereinafter, the meaning of the speed pulse or the meaning of the vehicle speed is not clear. The vehicle speed V to be used for the control is determined, and the process proceeds to processing 401. In this embodiment, in process 407, the larger of V1 and V2 is set to V. At this time, even if one of the pulses V1 and V2 stops due to a failure of the speed detection circuit 108, V does not become zero, but when both stop due to a power failure or the like, V becomes zero. The method for obtaining V from V1 and V2 is not limited to this method.

  A process 401 is a failure determination process, and details thereof will be described later. After the failure determination process, a value of normal, failure 1 or failure 2 is set in the variable F indicating whether or not there is a failure. Next, the processing 402 is started.

  A process 402 is a process for determining whether F is failure 2. If it is failure 2, the process proceeds to process 403. Otherwise, the process proceeds to process 404.

  The process 403 is a fault 2 time process corresponding to the occurrence of the fault 2, and details thereof will be described later. After completion, move to END.

  A process 404 is a process for determining whether F is failure 1. If it is failure 1, the process proceeds to process 405, and if not, the process proceeds to process 406.

  The process 405 is a fault 1 time process corresponding to the occurrence of the fault 1, and details thereof will be described later. After completion, move to END.

  A process 406 is a process (normal process) corresponding to a case where it is determined as normal as a result of the failure determination process 401, and details thereof will be described later. After completion, move to END.

  As described above, according to the result of the failure determination process 401, the CPU 109 executes any one of the normal process 406, the failure 1 process 405, and the failure 2 process 403. The contents of each of these processes will be described below.

  The flow of the failure determination process 401 will be described with reference to FIG. The failure determination process starts from START, and first proceeds to process 501.

  A process 501 is a process for determining whether (X, Y) = (1, 1). If YES, the process proceeds to process 502, and if NO, the process proceeds to process 503.

  A process 502 is a process for setting the failure 2 in the variable F. After completion, move to END.

  A process 503 is a process for determining whether (X, Y) = (0, 0). If YES, the process proceeds to process 504, and if NO, the process proceeds to process 505.

  A process 504 is a process for setting the failure 1 to the variable F. After completion, move to END.

  A process 505 is a process for setting the variable F to normal. After completion, move to END.

  As described above, in the failure determination process, one of {normal, failure 1, failure 2} is set in the variable F. Failure 1 corresponds to the above-described failure modes <1> to <6>, and failure 2 corresponds to the above-described failure modes <7> to <9>. That is, in the failure determination process, if the values of X and Y do not match, it is determined that the system is normal.

  The flow of the failure 2 time process 403 will be described with reference to FIG. The failure 2:00 process corresponds to the failure modes <7> to <9>, and is a process considering the possibility of the power supply failure <9> of the input board 103. In the case of a power failure, the operation of the speed detection circuit 108 stops, and the CPU 109 detects V1 = zero and V2 = zero regardless of the speed of the vehicle. Performing safety brake control using this information leads to erroneous control. In this embodiment, in such a case, it is determined that traveling cannot be continued, and control is performed to stop the vehicle immediately. The failure 2 o'clock processing is processing for realizing such control. Hereinafter, the vehicle speed recognized by the CPU 109 is represented by a variable V, and the movement direction of the vehicle is represented by a variable D. Fault 2 o'clock processing starts from START, and first proceeds to processing 601.

  The process 601 is a process for making V undefined and D undefined. After completion, the process proceeds to process 602.

  Process 602 is a process for setting the safety brake command to the emergency brake. After completion, move to END.

  The flow of the failure 1 time process 405 will be described with reference to FIG. The failure 1 time process corresponds to the failure modes <1> to <6>, and there is no possibility of the power supply failure <9> of the input board 103. That is, the vehicle movement direction information cannot be trusted, but the vehicle speed V can be expected to be correct. The failure 1 o'clock process starts from START, and first proceeds to process 701.

  A process 701 is a process for setting the direction D to be indefinite. After the end, the process proceeds to processing 702.

  Process 702 is a process for checking whether or not the vehicle speed V is zero. If it is zero (that is, the vehicle is in a stopped state), the process proceeds to process 703;

  A process 703 is a recovery process for detecting a failure, temporarily stopping the operation of the vehicle, specifying a failure location, and repairing the failure. As this detailed inspection method, an input / output check using a test signal is conceivable. However, in the present embodiment, it is not necessary to specifically limit the method, and thus the detailed inspection is not performed. Depending on the method, recovery may take some time. After completion, move to END.

  A process 704 is a speed check process. In this process, the vehicle speed V is compared with the allowable speed P, and if V> P, a predetermined safety brake command (for example, a regular maximum brake command) is output. The allowable speed P is determined in consideration of the distance to the stop point and the brake speed of the vehicle. The speed check process described above may be a known method used in a railway signal security system. After completion, move to END.

  When failure 1 is detected by the above process, the vehicle continues to run until the train stops (the safety brake control until the vehicle stops is the same as the normal process described later). become.

  The normal processing flow will be described with reference to FIG. The process starts from START, and first proceeds to process 801.

  The process 801 is a process for determining whether (X, Y) = (0, 1). If YES, the process proceeds to process 802, and if NO, the process proceeds to process 803.

  The process 802 sets the direction D to the upstream direction. After the end, the process proceeds to processing 804.

  The process 803 sets the direction D to the down direction. After the end, the process proceeds to processing 804.

  Process 804 is similar to process 704 described above. After completion, move to END.

  As described above, in the normal process, the correct value is set in the direction D, and then the safety brake command is calculated by the speed check process.

  Through the processing described above, the CPU 109 detects a failure of the circuit that detects the train movement direction from the value of (X, Y), and performs corresponding processing. Further, the case where the failure state may be a power failure of the input board 103 (fault 2) and the other case (fault 1) can be distinguished, and corresponding processing can be performed according to each. Hereinafter, a scenario when failure 2 “<9> power is shut off” and a scenario when failure 1 “<1> A is fixed to 1” occur will be described with specific examples.

  FIG. 10 shows a scenario when failure 2 “<9> Power is shut off” occurs. Various signals (speed pulse V1, speed pulse V2, A, B, X, Y), safety brake command, direction detection value D are written on the vertical axis, and time is shown on the horizontal axis. Yes. On the horizontal axis, the timing at which the CPU 109 executes the flow of FIG. 4 (that is, the timing of the failure detection process) is indicated by Δ. The interval T is a processing cycle (detection cycle). It is assumed that the vehicle is traveling in the upward direction.

  At time t0 to t1, no failure has occurred. At this time, the speed pulses V1, V2 take a rectangular wave having a frequency corresponding to the vehicle speed. Since the vehicle is traveling in the upward direction, (A, B) = (1, 1) and (X, Y) = (0, 1). The safety brake command does not particularly require a brake output under the assumption that vehicle speed V <allowable speed P. The direction detection value D is correctly set as the upward direction from the Y value.

  At time t1, a failure occurs and the input board 103 is powered off. Thereby, thereafter, the speed pulses V1, V2 become zero, and (A, B), (X, Y) all become zero.

  Time t2 is the latest detection time after the occurrence of the failure. At this time, the CPU 109 detects (X, Y) = (0, 0) to perform the failure 2 o'clock processing. As a result, the safety brake command becomes an emergency brake request. Further, the direction detection value D is indefinite.

  After time t2, the emergency brake continues to be output, and the vehicle eventually stops.

  As in this scenario, when the power interruption of the input board 103 occurs, it is detected soon and the vehicle stops with an emergency brake. In this way, danger due to erroneous control when the speed cannot be detected correctly is prevented.

  FIG. 11 shows a scenario when failure 1 “<1> A is fixed at 1” occurs. In the lower diagram, various signals (A, B, X, Y) and the direction detection value D are plotted on the vertical axis, and time is plotted on the horizontal axis, showing these time transitions. In the upper diagram, the vertical axis indicates the vehicle speed V, the horizontal axis indicates the time, and the horizontal axis indicates the time when the vehicle stops at the station. The time scale on the horizontal axis in FIG. 11 is an order that the vehicle only travels over several stations, and is considered to be much larger than the time scale on the horizontal axis in FIG. Good.

  From time t3 to t4, no failure has occurred. At this time, under the assumption that the direction is the upstream direction, (A, B) = (1, 1) and (X, Y) = (0, 1). The direction detection value D is set in the upward direction. The vehicle at the S1 station at the time t3 passes the S2 station during this period and is on the way to the S3 station at the time t4.

  At time t4, the phase detection circuit 105 fails and its output A is fixed at 1. At this point, A is essentially 1, so no detectable change appears.

  Time t5 is the time when the vehicle arrives at the terminal station S4 via the station S3 and starts toward the station S3 for the return operation. At this time, B changes to zero. A should originally change to 0, but because of a fixed failure at 1, (A, B) = (1, 0), and accordingly (X, Y) = (1, 1), Fault 1 is detected. As a result, the failure 1 o'clock process is executed, and the direction detection value D becomes indefinite. Security brakes are not specifically required.

  Time t6 is the time when the recovery procedure is executed when the vehicle arrives at the station S3 and stops. Here, the contents of the recovery procedure are the identification and repair of the failure location, and the vehicle has stopped at the station S3 for a while for the processing and work. During this time, since the direction detection value D used for reverse detection is usually indefinite, it is assumed that a special means for preventing the vehicle from moving backward or another reverse detection means is enabled.

  In this scenario, the failure is latent in the sense that the failure has not been detected during the time (t5-t4) from the occurrence of the failure. However, railroad vehicles can be expected to return at least after arrival at the end station, and because it can detect a failure at that timing, it can be said that an unlimited potential can be prevented. Can expect). After detecting the failure, in this scenario, after traveling for a while (t6 to t5), an appropriate recovery procedure is performed. Depending on the vehicle operation policy, it may be possible to stop the train immediately after detecting the failure and perform the recovery procedure, or to perform the recovery procedure after arriving at the terminal station in the traveling direction. This can be realized by changing the flow of time processing.

  As described above, according to the present embodiment, in the safety brake arithmetic unit having the function of detecting the vehicle speed V and the function of detecting the vehicle movement direction D, the logical value corresponding to the movement direction of the vehicle while the vehicle is operating. A failure can be detected using A and B, and an appropriate response process can be executed according to the result. In particular, by appropriately detecting a power supply failure that is a common cause of failure of each circuit, it is possible to execute an appropriate response process for preventing erroneous control due to speed misidentification. In addition, since the failure can be detected at the timing of the regular turn-back operation that can be expected from the railway vehicle at the latest, it is possible to prevent the time that is latent without being detected from being limited.

  According to the above embodiment, when the output of each redundant device is A and B, [NOT (A)] ∪ [NOT (B)] and [A] ∪ [B] Since it is used as an input, it is also possible to detect power supply abnormalities that could not be detected by the conventional method of determining normality / abnormality based on the coincidence / non-coincidence of the outputs of redundant devices.

DESCRIPTION OF SYMBOLS 101 Security brake calculator 102 Fault detector 103 Input board 104 Calculation boards 105 and 106 Phase detection circuit 107 Conversion circuit 108 Speed detection circuit 109 CPU
201 Speed generator 202 Brake device 401-407, 501-505, 601-602, 701-704, 801-804 CPU processing

Claims (15)

A first circuit that outputs a logical value according to an input value;
A second circuit having the same signal as that of the first circuit as an input and having input / output characteristics similar to those of the first circuit;
The first output is a logical sum of the logical inversion of the output of the first circuit and the logical inversion of the output of the second circuit,
A conversion circuit having a second output that is a logical sum of the output of the first circuit and the output of the second circuit;
A detection circuit for detecting the input value;
A substrate on which the first circuit, the second circuit, the conversion circuit, and the detection circuit are disposed;
Supplied with power from different power supply lines and said substrate, said first output, before Symbol second output, and the failure of the converter circuit based on the output of the detection circuit, or the substrate of the power line An arithmetic unit for detecting a failure;
A failure detector comprising: The fault detector according to claim 1,
When the first output and the second output are values that are output when the power line of the substrate is cut off,
The arithmetic unit based on the output value of the detection circuit, fault detector characterized that you detect any failure or malfunction of the power supply line of the substrate the conversion circuit. The fault detector according to claim 1 or 2,
The computing unit is
When the first output and the second output match, it is determined as a failure,
The failure detector, wherein the first output and the second output are determined to be normal when they are different . A first process for outputting a logical value according to an input value;
A second process that receives the same signal as the first process and performs the same process as the first process;
A third process for calculating a logical sum of the logical inversion of the output of the first process and the logical inversion of the output of the second process;
A fourth process for calculating a logical sum of the output of the first process and the output of the second process;
A fifth process for detecting the input value;
Receiving power supply from a power line different from the power line for the first process to the fifth process,
Said There third based output and the output of the fourth processing the output of the fifth process of the process, the third process and the failure of the fourth process, or to not the first treatment fault detection method characterized in that the failure detection process for detecting a malfunction of the power supply line for the fifth process. The failure detection method according to claim 4,
When the output of the third process and the output of the fourth process are values that are output when the power supply line for the first process to the fifth process is shut off,
Based on the output of the fifth process, either the failure of the output of the third process and the output of the fourth process, or the failure of the power supply line for the first process to the fifth process Detecting a fault. In the failure detection method according to claim 4 or 5,
The failure detection process is
When the output of the third process and the output of the fourth process match, it is determined as a failure,
A failure detection method comprising: determining that the output is normal when the output of the third process is different from the output of the fourth process. A speed sensor for detecting the speed;
A first circuit that outputs a logical value corresponding to an output value of the speed sensor;
A second circuit that has the same input / output characteristics as the first circuit and outputs a logical value corresponding to the output value of the speed sensor;
The logical sum of the logical inversion of the output of the first circuit and the logical inversion of the output of the second circuit is a first output, and the logic of the output of the first circuit and the output of the second circuit A conversion circuit having the sum as a second output;
A speed detection circuit for detecting an output value of the speed sensor;
A substrate on which the first circuit, the second circuit, the conversion circuit, and the speed detection circuit are disposed;
Supplied with power from different power supply lines and said substrate, said first output, before Symbol second output, and a failure of the converter circuit have groups Dzu the output of the speed detection circuit or power of the substrate, detecting a malfunction of the line, the arithmetic unit for generating a brake command according to the failure detection result,
A brake computing unit comprising: The brake calculator according to claim 7,
When the first output and the second output are values that are output when the power line of the substrate is cut off,
The arithmetic unit based on the output value of the speed detection circuit, a brake operation unit, characterized that you detect either the failure of the converter, or malfunction of the power supply line of the substrate. In the brake computing unit according to claim 7 or 8 ,
The computing unit determines that a failure occurs when the first output matches the second output,
A brake arithmetic unit, wherein the first output and the second output are determined to be normal when the second output is different . The brake arithmetic unit according to any one of claims 7 to 9 ,
The speed detection circuit converts the output value of the speed sensor into a pulse signal that can be detected by the calculator.
The computing unit is
When the first output and the second output are 0 and the pulse signal is detected, a failure of the conversion circuit is detected,
A brake computing unit that detects a failure of a power supply line of the board when all of the first output, the second output, and the pulse signal are zero . The brake calculator according to claim 10 , wherein
The pulse signal is a rectangular wave having a frequency corresponding to a speed that is an output value of the speed sensor,
The computing unit is
When the first output and the second output coincide with 1 and the pulse signal is detected,
Compare the allowable speed with the speed calculated from the pulse signal,
If the speed calculated from the pulse signal is larger than the allowable speed, a brake command is generated,
A brake arithmetic unit that generates a brake command when all of the first output, the second output, and the pulse signal are zero . The brake calculator according to any one of claims 7 to 11,
The first circuit and the second circuit each receive two output values from the speed sensor,
The brake arithmetic unit, wherein the logical output of the first circuit and the second circuit is generated based on a difference between the two systems of output values . A railway vehicle comprising the brake arithmetic unit according to any one of claims 7 to 12,
The speed sensor for detecting a traveling speed of the railway vehicle;
A railroad vehicle control system comprising: a brake device that brakes the railcar based on a brake command generated by the computing unit. The railway vehicle control system according to claim 13,
The railway vehicle control system, wherein the speed sensor is a speed generator. The railway vehicle control system according to claim 13 to claim 14,
The railway vehicle control system, wherein the logic outputs of the first circuit and the second circuit correspond to the movement direction of the railway vehicle.

Images