JP6059652B2 - Signal security control device - Google Patents

Description

  The present invention relates to a signal security control device for realizing a safe output in a railway signal system.

  As a background art of the present invention, in a signal processing system that controls signal switching of a traffic light such as a station premises and switching of a switch in the railway field, the control device has a triple system configuration in order to ensure its fail-safety. And a technique relating to a single or double control device is disclosed in Japanese Patent Laid-Open No. 10-340102 (Patent Document 1).

  In this patent document 1, in paragraph No. 0008, a triple control device composed of three control devices and a triple control device are prepared when data is transmitted to a counterpart device for serial communication. A verification line for transmitting the received data to the other system control device, a verification unit for verifying data received from the other system control device via the verification line and the own system data, and a triple control device And a right to select a control device for transmitting data to the counterpart device based on a result of verification from the verification unit and a signal from the failure detection unit. An apparatus including a selection unit is disclosed.

  Also, in paragraph number 0009 of the same patent document 1, the data to be transmitted is transmitted to the other two control devices, and the data to be transmitted is compared with the data received from the other two control devices in the own system. Control of the own system when the data of the own system and the data from the other system match, and when the data of the other system also matches the data of the own system in the other system and the system of the own system is not faulty Transmitting data from a device is disclosed.

Japanese Patent Laid-Open No. 10-340102

  Patent Document 1 describes a control device that prevents erroneous data transmission due to device failure by collating processing results of a plurality of processing devices and transmitting data after confirming that the processing results are correct. Has been. However, the control device of Patent Document 1 cannot detect this when the collated data and the transmitted data are different.

  As a countermeasure against this, an error detection code that is provided based on the processing result of the second processing device is provided with a code replacement circuit and an error detection code added to the data transmitted based on the processing result of the first processing device. There is a method of transmitting by replacing the code.

  However, when the first processing apparatus operates correctly and the data that has been verified matches the transmitted data, the error detection code of the replaced data and the error detection code of the data before replacement match, Even if the replacement circuit fails and the error detection code is not replaced, it cannot be distinguished and detected. When the code replacement circuit fails, if the data that has been verified differs from the transmitted data, this cannot be detected, and malfunctions can be prevented if the transmitted data is incorrect. There was a problem that it was not possible.

  The signal security control device according to the present invention determines whether or not the confirmation code added to the processing result of the first processing device matches the error detection code generated from the processing result of the second processing device, and confirms the match. Sometimes this confirmation code is replaced with a matching error detection code and added to the processing result of the first processing device and transmitted, and data transmission is stopped when a mismatch is confirmed.

  According to the present invention, normal operation of the replacement unit that replaces the error detection code is guaranteed, and when the replacement unit fails and the error detection code of the data cannot be replaced, erroneous data is transmitted without performing replacement. To prevent.

It is an example of the block diagram of the signal security control apparatus and receiver in Example 1. FIG. It is an example of the flowchart explaining the code output for replacement by a diagnostic part, and switch control processing. It is an example of the flowchart explaining the switch diagnosis process by a diagnostic part. It is an example of the control apparatus for signal security which replaces the some error detection code (code) in the same data in Example 2. FIG. It is an example of the control apparatus for signal security which transmits test data from the calculating part A (10A) in Example 3, and diagnoses a switch (a receiving apparatus is included). It is an example of the control apparatus for signal security which diagnoses a replacement part using the test code with respect to test data in Example 4 (a receiving apparatus is included).

  Examples 1 to 4 will be described below with reference to the drawings as embodiments of the present invention.

  In the first embodiment, an example of a signal security control apparatus that determines whether or not data transmission is possible according to the content of an error detection code (code) of transmission data will be described.

FIG. 1 is an example of a configuration diagram of a signal security control device and a reception device according to the first embodiment.
The signal security control apparatus according to the first embodiment includes a first calculation unit A (10A), a second calculation unit B (10B), an extraction unit 21, a replacement unit 22, a switch 23, and a diagnosis unit 24. The transmission data 104 output from 23 is input to the receiving device 30.

The first calculation unit A (10A) and the second calculation unit B (10B) perform the same calculation process.
The extraction unit 21 extracts the confirmation code 102 from the transmission data 101 from the first calculation unit A (10A).

  The diagnosis unit 24 receives the confirmation code 102 extracted by the extraction unit 21 and the error detection code (code B) 103 from the second arithmetic unit B (10B), and when the coincidence is confirmed, the replacement unit 22 outputs the error detection code (code B) 103 from the second arithmetic unit B (10B), and outputs an ON instruction 105 or an OFF instruction 106 to the switch 23.

When the replacement unit 22 receives the error detection code (code B) 103 from the diagnosis unit 24, the replacement unit 22 replaces the confirmation code of the transmission data 101 received from the extraction unit 21 with the error detection code (code B) 103 from the diagnosis unit 24. .
When the switch 23 receives the ON instruction 105 from the diagnosis unit 24, the switch 23 outputs the transmission data 104 from the replacement unit 22 to the reception device 30.

  Next, the data flow (the flow of the solid line with an arrow in FIG. 1) in the error detection code (code) replacement and the accompanying data transmission will be described. Here, as the error detection code (code), a checksum, CRC, hash, or the like can be adopted, and any of them may be used.

The first calculation unit A (10A) and the second calculation unit B (10B) that perform the same calculation process exchange (100) each other's calculation results after performing the calculation process, and perform the matching process in each of them. To do.
If the verification does not match, it can be said that something is wrong, and the calculation is stopped.

  When the collation matches, the operation unit A (10A) extracts the transmission data (data A + confirmation code) 101 with the confirmation code added in place of the operation data (data A) and its error detection code (code). To 21. On the other hand, the calculation unit B (10B) transmits only the error detection code (code B) 103 of the calculation data (data B) to the diagnosis unit 24. Matching the matching means that the calculation results of the calculation unit A (10A) and the calculation unit B (10B) match, so the error detection codes (code A and code B) of both match as a matter of course. Therefore, in consideration of the confirmation judgment of coincidence / non-coincidence in the diagnosis unit 24 described later, the bit inversion code of the error detection code (code A) of the operation data (data A) is adopted as the confirmation code.

  The extraction unit 21 extracts the confirmation code 102 from the transmission data (data A + confirmation code) 101 from the calculation unit A (10A) and transmits it to the diagnosis unit 24, and also transmits the transmission data (data from the calculation unit A (10A)). (A + confirmation code) 101 is transmitted to the replacement unit 22 as it is.

  The diagnosis unit 24 uses a code (code) obtained by bit-inverting the error detection code (code B) 103 received from the calculation unit B (10B) by the confirmation code 102 (that is, the bit inverted code of the code A) received from the extraction unit 21. B bit inversion code) or not. Confirmation is made because the error detection code codes A and B of data A and data B are equal when the comparison of the calculation results of the first calculation unit A (10A) and the second calculation unit B (10B) matches. The bit inversion code of the error detection code (code A) adopted as the code 102 should be equal to the bit inversion code of the error detection code (code B) 103.

  Further, as the confirmation code, a fixed code may be adopted instead of the bit inversion code of the error detection code (code A) described above. That is, when the collation of the calculation results matches as described above, the calculation unit A (10A) adds a fixed code as a confirmation code to the calculation data (data A) and transmits it to the extraction unit 21. The confirmation code 102 extracted by the extraction unit 21 is transmitted to the diagnosis unit 24, and it is confirmed whether or not it matches with the fixed code. The fixed code used when the diagnosis unit 24 confirms the coincidence is transmitted from the calculation unit B to the diagnosis unit 24 together with the code B, or is set in the diagnosis unit 24 in advance.

  The diagnosis unit 24 transmits the error detection code (code B) 103 from the calculation unit B to the replacement unit 22 as a replacement code when the above confirmation code 102 matches, and also sends the switch 23 to the switch 23. An ON instruction 105 is transmitted. On the other hand, if the confirmation of the confirmation code 102 cannot be confirmed and does not match, only the switch OFF instruction 106 is transmitted to the switch 23.

  The replacement unit 22 replaces the confirmation code of the data (data A + confirmation code) 101 from the extraction unit 21 with the replacement code (code B) 103 from the diagnosis unit 24, and the replaced data (data A + code B) 104 Is transmitted to the switch 23. If the collation matches, the code A and the code B of the error detection code are equal, so even if the above replacement is performed, the transmission data is data equal to the data A + code A.

Here, it is assumed that data is not transmitted from the calculation unit A (10A) but as data A + code A, and the code A is replaced with code B in the replacement unit 22 through the code A and code B match confirmation. Since code A = code B, it cannot be determined whether or not the code replacement operation has actually been performed in the replacement unit 22, and therefore the operation of the replacement unit 22 is not necessarily guaranteed.
However, as described above, when the replacement unit 22 performs the replacement from the confirmation code to the code B, the operation of the replacement unit 22 can be confirmed and the operation is guaranteed.

  When the switch 23 receives the switch ON instruction 105 from the diagnosis unit 24, the switch 23 transmits the data (data A + code B) 104 from the replacement unit 22 to the receiving device 30, and the switch OFF instruction 106 from the diagnosis unit 24. Is received, data transmission to the receiving device 30 does not occur.

  Next, in the data flow described above, the replacement code output of the diagnosis unit 24 and the on / off processing of the switch associated therewith will be described with reference to a flowchart. FIG. 2 is a diagram showing the flowchart.

  The diagnosis unit 24 first receives the error detection code (code B) 103 from the calculation unit B (10B) (201). Thereafter, the extraction unit 21 receives the confirmation code 102 extracted from the transmission data 101 from the calculation unit A (10A) (202).

  After receiving the confirmation code 102, it is determined (203) whether the confirmation code 102 matches the bit inversion code (inverse of the code B) of the code B103. As described above with reference to FIG. 1, the confirmation code 102 is a bit inversion code (inverse of code A) of the error detection code (code A) of the operation data A of the operation unit A (10A).

If the bit inversion code (inverse of the code B) of the confirmation code 102 and the code B 103 matches in 203 (Yes), the code B is transmitted (204). The transmission destination of the code B is the replacement unit 22 as shown in FIG. After transmitting the code B, the switch ON instruction 105 is transmitted (205). The transmission destination of the switch ON instruction 105 is the switch 23 as shown in FIG.
If the bit inversion code (inverse of the code B) of the confirmation code 102 and the code B 103 does not match in 203 (No), the code B is not transmitted and the switch OFF instruction 106 is transmitted to the switch 23 (206). .

Next, a data flow (a broken line with an arrow in FIG. 1) in a switch failure diagnosis will be described.
Since the switch 23 has a function of stopping transmission of data when an abnormality is detected in the signal security control device, it is also important to perform a failure diagnosis of the switch 23.

  The diagnosis unit 24 transmits test data 111 to the switch 23. The test data 111 is data that causes a test abnormality for the receiving device 30 in order to prevent the receiving device 30 from malfunctioning if the switch 23 is turned on and output to the receiving device 30. For example, a message shorter than the minimum message length, a message having an error detection code that does not match the error detection code calculated from the detection target data, and the like.

  When the switch 23 operates normally, the diagnosis unit 24 receives the test data 111 as the test result 112 from the switch 23 when the switch ON instruction 105 is transmitted in a state where the test data 111 is transmitted. On the other hand, when the switch OFF instruction 106 is transmitted, the test data 111 cannot be received as the test result 112.

  However, if the test data 111 cannot be received while the switch ON instruction 105 is being transmitted, or if the test data 111 is received while the switch OFF instruction 106 is being transmitted, the diagnosis unit 24 causes the switch 23 to fail. Therefore, the stop instruction 110 is transmitted to the calculation unit A (10A) and the calculation unit B (10B) to prevent the operation of the control device in the failure state.

The test data 111 may be transmitted from the diagnosis unit 24 to the replacement unit 22 and transmitted to the switch 23 via the replacement unit 22.
The switch diagnosis may be performed before data transmission. In addition, when data transmission is performed periodically, it may be performed periodically after data transmission after being performed once in the initial diagnosis.

Next, switch failure diagnosis processing by the diagnosis unit 24 in the data flow will be described with reference to a flowchart. FIG. 3 is a diagram showing the flowchart.
When the diagnosis unit 24 starts the switch failure diagnosis, it transmits a switch OFF instruction 106 to the switch 23 (301).

  Next, transmission of the test data 111 is started (302). After transmitting the test data, the diagnosis unit 24 determines whether the test data 111 has been received (303). If it is received (Yes), it is detected as an ON failure of the switch (306). If not received (No), a switch ON instruction 105 is transmitted (304).

  After transmission of the switch ON instruction 105, the diagnosis unit 24 determines whether or not the test data 111 has been received (305). If not received (No), it is detected as an abnormal transmission of the test data 111 (307). In the case of an ON failure of the previous switch and when an abnormal transmission of this test data is detected, a stop instruction 110 is transmitted to the arithmetic unit A (10A) and the arithmetic unit B (10B) (309).

  When the test data is received (Yes), it is determined that the switch operation is normal (308). After the determination, in order to end the failure diagnosis of the switch, the switch OFF instruction 106 is transmitted to the switch (310), and the transmission of the test data is stopped (311).

  According to the present embodiment, only when the confirmation code generated from the calculation result of the calculation unit A (10A) matches the error detection code (code) generated from the calculation result of the calculation unit B (10B), the error detection code ( Code) is replaced and the operation data is transmitted. Therefore, even when the replacement unit 22 (symbol replacement function) fails and the data error detection code (code) cannot be replaced, it is possible to prevent malfunction of the receiving device due to transmission of erroneous data. Become.

In the second embodiment, when the data signal transmitted from the arithmetic unit A (10A) and the arithmetic unit B (10B) is a packet composed of a plurality of data, a plurality of error detection codes (codes) are replaced. An example of the signal security control device will be described.
FIG. 4 is an example of a configuration diagram illustrating the signal security control device according to the second embodiment.

  Description of the functions of the components having the same reference numerals shown in FIG. 1 described above in the signal security control device of FIG. 4 is omitted. In FIG. 4, the switch failure diagnosis function is the same as that described with reference to FIG. Hereinafter, an operation flow related to the replacement of the error detection code (code) and the accompanying data transmission will be described with reference to FIG.

  In FIG. 4, the arithmetic unit B (10B) sets the replacement position of the error detection code (code) to be replaced, the error detection code (code) for replacement, and the size of the error detection code (code) to be replaced to 1 Information 103a including a plurality of sets is transmitted to the diagnosis unit 24 as set information. The transmission data 101 from the arithmetic unit A (10A) is a plurality of sets of data A shown in the first embodiment and a confirmation code added thereto.

  The diagnosis unit 24 extracts the position and size of the error detection code (code) to be replaced for each set from the information 103a received from the calculation unit B (10B), and creates and extracts information 103b including a plurality of sets. To the unit 21. Further, the diagnosis unit 24 transmits the information 103a received from the calculation unit B (10B) to the replacement unit 22.

  Based on the position and size of the error detection code (code) to be replaced for each set indicated by the information 103b received from the diagnosis unit 24, the extraction unit 21 uses a plurality of pieces of transmission data 101 from the calculation unit A (10A). The confirmation code 102 to be replaced is extracted and transmitted to the diagnosis unit 24.

The diagnosis unit 24 confirms the coincidence / mismatch between the plurality of confirmation codes 102 received from the extraction unit 21 and the error detection codes (codes) from the corresponding operation unit B (10B). This confirmation of coincidence / non-coincidence is the same as the operation mode shown in the first embodiment.
If they do not match, the diagnosis unit 24 transmits a switch OFF instruction 106 to the switch 23 and stops data transmission.

  If they match, the diagnosis unit 24 gives the replacement unit 22 the position of the error detection code (code) to be replaced received from the calculation unit B (10B), the error detection code (code) for replacement, and Information 103 a composed of a plurality of sets in which the size of the error detection code (code) to be replaced is one set is transmitted, and a switch ON instruction 105 is transmitted to the switch 23.

The replacement unit 22 that has received the information 103a, the original data portion corresponding to the data A of the first embodiment, the position of the error detection code (code) to be replaced indicated by the received information 103a, and error detection for replacement Based on the size of the code (code) and the error detection code (code) to be replaced, data 104, which is a data portion obtained by replacing each of the plurality of confirmation codes with a plurality of corresponding error detection codes (codes), is transmitted to the switch 23. To do.
Since the switch 23 receives the switch ON instruction 105, the switch 23 transmits the data 104 to the receiving device 30 as it is.

The size of the confirmation code to be replaced (the bit inverted data of the error detection code (code) of data A shown in the first embodiment) is the size of the error to be replaced that is received by the diagnosis unit 24 from the calculation unit B (10B). The diagnosis unit 24 may obtain the detection code (code) or the extraction unit 21 may obtain it.
Further, the calculation unit A (10A) may calculate a pair of the position and size of the confirmation code to be replaced and transmit it to the extraction unit 21. The extraction unit 21 may extract the confirmation code 102 to be replaced based on the position and size received from the calculation unit A (10A) and transmit the confirmation code 102 to the diagnosis unit 24.

  According to this embodiment, even when a plurality of error detection codes (codes) are replaced in a transmitted packet (a plurality of data), the position and size of each error detection code (code) is obtained, and each error detection is performed. It is possible to extract a code. Then, when transmission data is incorrect, this is detected and transmission is stopped, so that it is possible to prevent malfunction of the receiving apparatus due to erroneous data.

In the third embodiment, an example of a signal security control device when the arithmetic unit A (10A) transmits the test data 101a in the failure diagnosis of the switch 23 will be described.
FIG. 5 is an example of a configuration diagram illustrating the signal security control device according to the third embodiment.

  In the signal security control device of FIG. 5, the description of the components having the same reference numerals shown in FIG. Hereinafter, operations related to the failure diagnosis of the switch 23 will be described with reference to FIG.

  In FIG. 5, the arithmetic unit A (10 </ b> A) transmits test data 101 a to the extraction unit 21 at the time of failure diagnosis of the switch 23. The test data 101a transmitted from the calculation unit A (10A) is transmitted to the switch 23 via the extraction unit 21 and the replacement unit 22.

  In addition, the calculation unit A (10A) uses the inter-system communication data 100 to notify the diagnosis unit 24 that the failure diagnosis of the switch 23 is started / finished, and the switch 23 via the calculation unit B (10B). Is notified to the diagnosis unit 24. The start / end of failure diagnosis of the switch 23 may be determined by the calculation unit B (10B), not the calculation unit A (10A), and may be notified to the calculation unit A (10A) and the diagnosis unit 24. The diagnosis unit 24 may determine and notify the calculation unit A (10A) and the calculation unit B (10B).

  The test data 101a is data that causes a detection error in the receiving device 30 so that the receiving device 30 does not malfunction even if the switch 23 is turned on and output to the receiving device 30. For example, a message shorter than the minimum message length, a message having an error detection code that does not match the error detection code calculated from the detection target data, and the like.

  When the switch 23 operates normally, the diagnosis unit 24 receives the test data 101a as the test result 112 via the switch 23 when the switch ON instruction 105 is transmitted in a state where the test data 101a is transmitted.

  When transmitting the switch OFF instruction 106, the diagnosis unit 24 cannot receive the test data 101 a as the test result 112 via the switch 23. However, if the test data 101a cannot be received while the switch ON instruction 105 is being transmitted, and if the test data 101a can be received while the switch OFF instruction 106 is being transmitted, the diagnosis unit 24 may cause a failure of the switch 23. Therefore, the stop instruction 110 is transmitted to the calculation unit A (10A) and the calculation unit B (10B) to prevent the operation of the control device in the failure state.

This switch failure diagnosis may be performed before data transmission. In addition, when data transmission is performed periodically, it may be performed periodically after data transmission after being performed once in the initial diagnosis.
According to the present embodiment, failure diagnosis of the switch 23 can be performed without providing a dedicated path for test data transmission from the diagnosis unit 24 to the switch 23 as in the first and second embodiments.

As a fourth embodiment, an example of a signal security control device when a test code for the test data 101a is transmitted to the replacement unit 22 will be described.
FIG. 5 is an example of a configuration diagram illustrating the signal security control device according to the fourth embodiment. The device configuration is the same as that of the third embodiment shown in FIG. 4, but there is a difference in signals transmitted and received.

  The transmission of the test data 101a from the calculation unit A (10A) to the extraction unit 21 is the same as in the third embodiment, but the point is that the test code 103c for the test data 101a is transmitted from the calculation unit B (10B). Different from 3.

  For the test data 101a received via the extraction unit 21, the replacement unit 22 replaces the test data 101a with the test code 103c received from the diagnosis unit 24 (data 104a). The replaced data 104a is returned to the diagnosis unit 24 as the test result 112 (= 104a) via the switch 23 turned on by the ON instruction 105 from the diagnosis unit 24.

  If the replacement by the test code 103c can be confirmed in the diagnosis unit 24, the normal operation of the replacement unit 22 has been confirmed. When the replacement by the test code 103c (= 104a) cannot be confirmed in the diagnosis unit 24, it is determined that the replacement unit 22 has failed, and the diagnosis unit 24 further calculates the calculation unit A (10A) and the calculation unit B (10B). A stop instruction 110 may be transmitted to

  According to the present embodiment, the normal operation of the replacement unit 22 can be diagnosed using test data without providing a dedicated route for transmitting test data from the diagnosis unit 24 to the switch 23 as in the first and second embodiments. It becomes.

10A, 10B Calculation unit 21 Extraction unit 22 Replacement unit 23 Switch 24 Diagnosis unit 30 Receiver 100 Exchange data 101 between calculation unit A and calculation unit B Transmission data 102 output from calculation unit A Calculation unit A extracted by extraction unit Confirmation code 103 from the error detection code (code B) calculated by the calculation unit B
104 Transmission data after replacement of error detection code 105 Switch ON instruction 106 Switch OFF instruction 110 Stop instruction to operation unit 111 Switch diagnosis test data 112 Switch diagnosis test result

Claims (7)

A first processing device;
A second processing device that executes the same processing as the first processing device;
In the signal security control device that compares the processing result of the first processing device and the processing result of the second processing device, stops the processing if they do not match, and continues the processing if they match ,
The first processing device outputs a data signal obtained by adding specific data to its processing result,
The second processing device generates an error detection code from its processing result,
The signal security control device is:
An extraction unit that receives the data signal and extracts the specific data;
A diagnostic unit that determines whether the extracted specific data and the generated error detection code match or not;
Receiving the data signal, replacing the specific data added to the data signal with an error detection code received from the diagnostic unit, and transmitting the data signal with the specific data replaced with the error detection code to the outside And a replacement part
The diagnostic unit
If the match is confirmed, the error detection code is transmitted to the replacement unit,
When the mismatch is confirmed, the signal security control device is characterized in that transmission of the data signal to the outside by the replacement unit is stopped. In the signal security control device according to claim 1,
The specific data is bit-inverted data of an error detection code generated from the processing result of the first processing device,
The signal security control device, wherein the diagnosis unit determines the coincidence mismatch from the specific data and data obtained by bit-inverting the error detection signal received from the second processing device. In the signal security control device according to claim 1,
The specific data is fixed data,
The diagnosis unit receives the fixed data together with the error detection code from the second processing device or sets the fixed data by itself, and determines the coincidence / inconsistency from the specific data and the fixed data. A control device for signal security. In the signal security control device according to any one of claims 1 to 3,
A switch means for turning on / off data transmission from the replacement unit to the outside is provided,
The signal security control device, wherein the diagnosis unit transmits an ON instruction to the switch unit when the match is determined, and transmits an OFF instruction to the switch unit when the mismatch is determined. In the signal security control device according to claim 4,
Providing a path for transmitting test data from the diagnostic unit to the switch means and a path for taking the transmission output from the switch means into the diagnostic unit;
The diagnosis unit transmits an off signal to the switch unit, subsequently transmits test data to determine a reception state of a transmission output from the switch unit, and subsequently transmits an on signal to the switch unit A control apparatus for signal security characterized by determining a reception state of a transmission output from a switch means and performing a failure diagnosis of the switch means. In the signal security control device according to claim 5,
When the diagnosis unit detects a failure of the switch unit, the diagnosis unit transmits a processing stop instruction to the first and second processing devices. In the signal security control device according to any one of claims 1 to 3,
The first and second processing devices transmit a plurality of processing results as a set,
The extraction unit performs the extraction of the specific data based on the position and size information of the error detection code for each set,
The diagnosis unit determines a match / mismatch between the specific data and the error detection code for each set,
The signal replacement control apparatus, wherein the replacement unit replaces the specific data with the error detection code for each set.

Images