RU2397902C1 - Method of controlling railway multilevel safety system and system to this end - Google Patents

Abstract

FIELD: transport.

SUBSTANCE: invention relates to railroad transport and can be used in safety control systems. Proposed method consists in continuous control over the state of safety systems and/or subsystems. For every change in current variables of actual state of safety system and/or subsystem as well as variables of current state at every preset current time interval, expected magnitudes are forecast via simulation of system/subsystem operation in nearly real time. Variables of real state are compared with expected magnitudes. In case difference in said parametres fall beyond tolerances, system/subsystem is changed over into safe state with minimum efficiency and set of operating functions. Then higher-hierarchy system/subsystem is addressed to receive permission for changing over into the state of higher efficiency and increased set of operating functions. Permission received, the state of system/subsystem is varied to allow maximum efficiency and set of operating functions. State of system/subsystem is varied by reconfiguring it with the help of appropriate hardware and software. Reconfiguration is performed via preset time interval and given positive results of system/subsystem diagnostics in maximum operating conditions in new configuration.

EFFECT: higher safety of control thanks to optimised control system.

4 cl, 1 dwg

Description

The invention relates to the field of railway transport and can be used to control safety systems in railway transport.

A known method of controlling a transport system by the criterion of minimum delays in the delivery of passengers and goods and a system for its use (see US 7219067 A1, 05/15/2007). The known method includes collecting the actual parameters of the functioning of many railway systems responsible for the delivery of passengers and goods, comparing the real parameters of the systems with acceptable boundaries and issuing recommendations to systems for carrying out work aimed at optimizing the transportation process in a complex railway system. The transport system control system used by the known method includes many railway transport systems responsible for delivering passengers and goods, each of which includes means for collecting real functioning parameters, means for setting standard functioning parameters, a unit for comparing real and standard system parameters, and means for forming an order of actions aimed at optimizing the process of transporting passengers and goods using the means available to the system. However, the known invention does not solve the problem of optimizing the management of railway safety.

The closest analogue is the invention on a method for optimizing the operation of railway transport and a multi-level system for its implementation (see RU 2006125429 A, January 27, 2008). The known method consists in the fact that during the operation of the system they collect real parameters of the functioning of the systems and subsystems responsible for managing the railway infrastructure, compare the real parameters of the systems and subsystems with acceptable boundaries, and when the real parameters of the system and / or its subsystems exit allowable boundaries produce almost real-time defined by simulation work on the restoration of the system and / or its subsystems, work is carried out in response to each case of change the state of the system and / or its subsystems and in each assigned current time interval of their operation.

A system using the known method contains systems and subsystems responsible for managing the railway infrastructure, each of which includes means for collecting and real functioning parameters, means for setting standard functioning parameters and a unit for comparing real and standard system parameters, means for restoring the system, wherein each of the blocks and means of each system and / or subsystem are interconnected by a software and hardware module configured to set and control Ravilov operation of the corresponding system and / or subsystem.

The known method and device provide optimization of the transportation process in a complex hierarchical railway system, but do not sufficiently detail the principles of controlling the security system, which limits its scope.

The proposed technical solution is aimed at obtaining a technical result, which consists in increasing the efficiency of managing a multi-level safety system in railway transport by optimizing management to achieve maximum system performance while maintaining the required level of safety.

In terms of the method, the indicated technical result is achieved by the fact that in the method of controlling a multilevel safety system for railway transport, the state of the systems and / or subsystems responsible for railway safety is constantly monitored for each change in the values of the parameters of the real state variables of each system and / or subsystem , as well as the values of the parameters of the real state in each assigned current time interval, the expected values of the variables are predicted conditions of the system and / or subsystem by stimulating its work in almost real time, compare the values of the variables of the real state of each subsystem with the expected values and, if differences are unacceptable under the safety conditions of railway transport, the system and / or subsystem is transferred to a safe state with minimal performance and completeness performed functions, then at a given frequency they request from a system or subsystem of a higher level in its control vertical e to transition to a state with greater acceptable performance and completeness of the functions performed, and upon obtaining permission, change the state of the system and / or subsystem in the direction of achieving the maximum possible performance and completeness of the functions performed in the current conditions due to failures and malfunctions, while changing the state of the system and / or subsystems are carried out by transferring it to a new configuration using external hardware-software configuration tools, the transition of the system and / or subsystem to new second configuration is performed after a preset period of time after the positive results of diagnosing stability of its operation at a maximum permissible performance and completeness of their functions in this new configuration.

In accordance with the proposed method, permissions for the transition of a system and / or subsystem from one configuration to another are generated based on the priorities of the configurations, which are inversely related to the average risk of possible losses from work in the allowed configuration with the maximum allowed performance and completeness of the functions performed as in a vertical hierarchy of systems and / or subsystems belonging to different levels of control of a multi-level system, and in a horizontal hierarchy of priorities of a subsystem em related to the same control level of a multilevel system.

Moreover, the closest common system and / or subsystem in the vertical hierarchy of control of a multilevel security system is used as a control system for subsystems of one level.

In terms of the device, the technical result is achieved by the fact that the multi-level safety management system for railway transport includes at least two top-level systems of the safety management hierarchy, of which at each moment of time one system is the main one, and another similar system is a hot system or a cold reserve, a subsystem of a subordinate level of the hierarchy, and for each subsystem of a subordinate level of the hierarchy, an external configuration device for hardware-software on software, made in the form of a hardware-software automaton with a finite number of states, the priorities of which are distributed inversely with the probable average losses from failures and failures with the subsystem configurations corresponding to these automaton states, each system and subsystem containing a self-diagnosis and self-configuration module connected with a module of hardware-software control and for each of its subsystems of the nearest hierarchical level subordinate to it contains a module for predicting the operation of a subsystem we have a hierarchy level subordinate to it in almost real time and a comparison module whose output is connected to the corresponding input of the hardware-software control module, and the first input is connected to the output of the prediction module of the operation of the subsystem of the subordinate hierarchy level, and the systems and all subsystems are arranged in a hierarchy vertically and / or horizontally in terms of the degree of responsibility of the decisions they make on managing the safety of the transportation process in railway transport, and in each of the systems or subsystems the appar module The program control via the corresponding interface is connected to the input of the external configuration device of the hardware and software of the subsystem of the subordinate hierarchy, the input of the prediction module of the subsystem of the subordinate hierarchy and the second input of the comparison module are connected through the corresponding interface to the output of the subsystem hardware and software control, output each of the external hardware configuration devices is connected through the corresponding interface interface to the corresponding control input of the module of the hardware-software control of the subsystem.

The invention is illustrated by the drawing, which shows a structural diagram of one of the options for implementing a multi-level safety management system for railway transport.

The multilevel railway safety management system includes at least two systems 1, 2 of the top level of the safety management hierarchy, of which at each time one system 1 is the main, and the other 2, a similar system, is a hot or cold reserve system of the first system 1, subsystems 3, 4 of the subordinate level of the hierarchy, and for each subsystem 3 (4) of the subordinate level of the hierarchy, device 5 (6) for external configuration of the hardware and software. Devices 5 and 6 of the external configuration of the hardware and software are made in the form of a hardware-software machine with a finite number of states, the priorities of which are distributed in inverse proportion to the likely average losses from failures and failures with the subsystem configurations corresponding to these states of the machine.

Each system 1 (2) and subsystem 3 (4) contains a self-diagnosis and self-configuration module 7 (8), (9) connected to a hardware-software control module 10 (11), (12). In addition, for each of its subsystems 3 (4) of the nearest hierarchy level subordinate to it, each system 1, 2 and subsystem 3 contains a module 13 (14) for predicting the operation of the subsystem of the subordinate hierarchy level in almost real time and comparison module 15 (16), the output of which is connected to the corresponding input of the hardware-software control module 10 (11), and the first input is connected to the output of the module 13 (14) for predicting the operation of the subsystem of the hierarchy level subordinate to it.

The systems and all subsystems 3 (4) are arranged in a hierarchy vertically and / or horizontally according to the degree of responsibility of their decisions on managing the safety of the transportation process in rail transport.

In each of the systems 1, 2 or subsystems 3, the hardware-software control module 10 (11) is connected to the input of the external hardware configuration device 5 (6) of the subsystem 3 (4) of the subordinate hierarchy through the corresponding interface 17 (18) of the interface.

The input of the module 13 (14) for predicting the operation of the subsystem of the subordinate hierarchy level and the second input of the comparison module 15 (16) are connected to the output of the hardware and software control module 11 (12) of the subsystem 3 (4) through the corresponding interface 19 (20), and the output of each of devices 5 (6) of the external configuration of the firmware is connected via the corresponding interface 17 (18) of the interface to the corresponding control input of the module 11 (12) of the firmware of the subsystem 3 (4).

The multi-level safety management system for railway transport operates in accordance with the proposed method as follows.

As you know, a large number of factors affect the safety of railway transport. The proposed multilevel system for ensuring safety in railway transport solves the problem of automated control of ensuring safety and uninterrupted movement of trains by optimizing the management of individual safety subsystems combined into a single multilevel system.

In the proposed multi-level safety management system, when deviating from the normal functioning of technological systems 1, 2 and safety management subsystems 3, 4, they make decisions on the transition of these systems to configurations that reduce the risk of failure losses to acceptable values and introduce additional restrictions on the maximum permissible performance and functionality of controlled processes.

Security management system 1 is operational, and system 2, similar to system 1, operates in hot or cold reserve of system 1.

In system 1 and railway transport safety management subsystems 3, 4, self-diagnosis and self-configuration modules 7, 8 and 9, respectively, constantly monitor the state of their system or subsystem.

When failures and malfunctions are detected, each of the self-diagnosis and self-configuration modules 7, 8, 9 reconfigures its system or subsystem to work with lower performance and / or completeness of the functions performed.

Modules 7, 8, 9 do not have pronounced priority states. Any malfunction from a given list of malfunctions is classified by him as unacceptably dangerous. In this case, each of the modules 10, 11, 12 translates its system or subsystem into a configuration with the maximum level of security. In the event of failures and malfunctions in the normal operation of system 1 or subsystems 3 (4), respectively, module 7 or 8 (9) disconnects this system or subsystem from the control and keeps its system or subsystem disconnected from the controlled process until a decision is made by the parent in the security management hierarchy system, including with the participation of operators for the further use of the system or subsystem under consideration. In the extreme case, this decision may be decommissioning and overhaul in the conditions of the repair enterprise.

In the event of a failure, each of the modules 7, 8, 9 installs its system and subsystem in a configuration with minimum performance and completeness of the functions performed and periodically issues a request signal to the hardware-software control module 10, 11, 12, respectively, to obtain permission to work in the configuration with greater permissible performance and completeness of the functions performed. Module 10 (11) (12) of the hardware-software control process these requests to make decisions about the state of their system or subsystem.

With each change in the values of the variables of the real state of subsystems 3 (4), as well as in each assigned current time interval, the hardware-software control module 11 (12) sends data on the real state of subsystem 3 (4) to module 13 through the corresponding interface 19 (20) (14) predicting the state of a subsystem of a subordinate hierarchy level.

The modules 13 and 14 for predicting the state of the subsystem of the subordinate hierarchy level produce, by simulating in almost real time the operation of the subsystem, the expected values of variables characterizing normal operation in the corresponding configuration of subsystems 3 and 4. During the simulation, the blocks 13 and 14 for predicting the operation of the subsystem of the subordinate hierarchy perform risk recalculation to determine the priorities in the configuration, respectively, of subsystems 3 and 4.

The expected values of the variables characterizing the normal operation of the subsystem 3 are received at the first input of the comparison module 15, the second input of which comes from the output of the module 11 of the hardware-software control of the values of the variables of the real state of the subsystem 3 in this configuration.

The expected values of the variables characterizing the normal operation of the subsystem 4 are supplied to the first input of the comparison module 16, the second input of which from the output of the module 12 of the hardware-software control of the subordinate hierarchy level receives the parameter values of the variables of the real state of the subsystem 4.

Comparison modules 15 and 16 compare the expected values of the variables with the values of the real state variables, respectively, of subsystem 3 and 4 and give the results of comparison, respectively, to module 10 of the hardware-software control of system 1 and module 11 of the hardware-software control of subsystem 3. If the comparison shows that in this configuration with minimum performance and completeness of the functions performed subsystem 3 (4) is working properly, then, respectively, from the output of module 15 (16) comparison module 10 (11) hardware-software The corresponding control receives the corresponding information, and it issues a command through the corresponding interface 17 (18) to the external hardware configuration device 5 (6) to transfer the subsystem 3 (4) to the next configuration with a higher permissible performance and completeness of the functions performed.

The device 5 (6) for external configuration of the firmware 9 generates a command for transferring the subsystem 3 (4) to a new configuration, which is transmitted through the interface 17 (18) to the module 11 (12) of the hardware-software control of the level of the slave subsystem 3 (4) . Devices 5 and 6 of the external configuration have expressed priority states with priorities that are inversely dependent on the magnitude of possible losses from the functioning of the subsystems 3 and 4, respectively, in the corresponding configuration, i.e. from the rank of responsibility of its functions.

Module 11 (12) of the hardware-software control of subsystem 3 (4) after a certain period of time transfers its subsystem to a new configuration and conducts testing for a predetermined time to determine the ability to function reliably in this configuration.

If the test results show the possibility of switching to a configuration with even greater performance and completeness of functions, then again the module 11 (12) of the hardware-software control via the interface 19 (20) transfers the values of the parameters of the real state of the system 3 (4) to the forecasting module 13 (14) the state of the subsystems of the subordinate level of the hierarchy and the process is repeated until the configuration is reached with the maximum possible performance and completeness of the functions performed.

Thus, the main process for reconfiguring systems and control subsystems in case of failures is the process of sending commands for reconfiguration using devices 5 and 6 of the external configuration of the hardware and software of the subsystems 3 and 4 in order to at least partially restore the performance and / or completeness of the functions performed with achieving the highest possible performance in the current situation of failures and malfunctions. In the process of reconfiguring subsystems 3 and 4, respectively, changes are made to both the software and the hardware of these subsystems.

Reconfiguration of subsystem 4 can also then trigger a process of reconfiguration of subsystem 3 and / or system 1.

Devices 5 and 6 of external configuration of hardware and software are built on the principle of safe hardware and software machines with a finite number of states (see Methods of building safe microelectronic systems of railway automation. VV Sapozhnikov et al. M .: Transport, 1995) . Modules 7-14 can also be built on the principle of safe hardware-software automata with a finite number of states.

Interfaces 17-20 perform the functions of converting signal power levels, the functions of reliable mutual isolation and circuit protection from mutual influences and reliable physical disconnection of the necessary circuits when changing the configuration. In the proposed example, the interfaces 17-20 are formed by the CAN interface for the information interaction of processor modules, relay contact switches, and optocoupler and transformer galvanic isolation devices.

The presented implementation example is one of the possible options for the implementation of the proposed multi-level railway transport safety management system.

According to the proposed method, each system has its own level of responsibility and may contain more than one subsystem of the horizontal hierarchy level, which shares the responsibility area in other common technological systems with other subsystems of this level.

The areas of responsibility of subsystems of the same level may overlap and here the subsystems overlap, and in case of conflicts between them, the arbiter for them is a common top-level system for them, related to a technological system with a high level of awareness and responsibility.

An example of systems of neighboring hierarchical levels in the vertical direction is a supervisory control system (system 1) and a rail circuit control system (subsystem 3).

An example of subsystems 3 of the same hierarchy level for this case are the subsystems used in parallel, which correspond to the systems for monitoring the freedom and serviceability of the same sections of the track based on rail chains, based on axis counters, and based on satellite video surveillance and satellite communications. Here subsystems 3 are listed in the order of their main priorities for the safety of train traffic, assigned by a supervisory control system superior in the vertical hierarchy for the operational mode of operation of the mentioned systems.

In the event of a malfunction, the priorities of the systems mentioned may change with respect to them in general and / or with respect to their subsystems that perform certain functions. For example, with respect to the function of determining the exact coordinates of the location of a train during unreliable operation of satellite navigation and communications, higher priority is set for rail circuits. At the same time, accuracy is reduced, and to maintain an acceptable level of traffic safety, the supervisory control system reduces the maximum allowable productivity - the throughput of a section by increasing the spatial intervals of train travel along the way. As the work of satellite navigation and communication improves, for example, due to changes in the terrain, the degree of confidence in this system will increase until a decision is made in the supervisory control system to switch to coordinate regulation of intervals following along with gradually bringing intervals along the route to possible minimum values, thereby increasing the throughput of the site. Each of these steps is accompanied by corresponding changes in the configuration of the software and hardware of the supervisory control system and its subsystems.

When restoring performance, the dispatch control system may, due to remaining problems, sequentially request only some of the possible set of configurations and after passing through them remain in a state with not the highest allowed performance for a long time.

Another example of subsystem 3 can be a system of automatic braking of a train.

The automatic braking system of the train has a software and hardware control module, which contains the algorithm and hardware for stopping the train at a given point on the track. The specified module interact through an interface with an electro-pneumatic train braking control system, which is a subsystem of the lower hierarchy level for an electronic train movement control system. The braking process is constantly monitored. If any malfunctions and malfunctions occur in a subsystem that includes a firmware module, this leads to a change in the allowed configuration. These changes affect the choice of restrictions on the permissible train speed and algorithms for calculating the impact braking curve with the participation of the module for predicting the state of subsystems of the subordinate hierarchy level.

The above examples illustrate in detail the use of the proposed method, but do not exhaust all possible applications of the method.

For example, a train control system (system 1) may contain KLUB-U systems (first subsystem 3) supplementing and reserving each other, a number code ALSN system (second subsystem 3), and the Dome digital control system for the radio communication channel (third subsystem 3), which have priorities for the train braking control function in the order listed and interact with each other at the level of the control logic of the braking devices of the train as a whole.

In addition, the general administration is carried out by the locomotive team, which, on the basis of the data on the locomotive display from the self-diagnosis and self-configuration modules built into the mentioned systems, makes decisions on operational safety and, through the control logic, makes decisions on the degree of trust when using CLUB-U, ALSN and KUPOL in various operational situations.

As a module 13 for predicting the state of subsystems of a subordinate level of the system hierarchy for a system of an even higher hierarchy level, one can consider the GID-URAL system for predicting and monitoring the execution of the train schedule connected via the corresponding dispatch control subsystem (DC) with the locomotive train device mentioned in the example, involved in a specific executable timeline.

Thus, the proposed group of inventions allows you to combine in the vertical and horizontal control hierarchies all systems that are directly responsible for the safety of railway traffic, and increase system performance while comprehensively taking into account all the specific requirements for the safety of railway traffic in each specific condition for failures and malfunctions.

Claims (4)

1. A control method for a multilevel system for ensuring safety in railway transport, which consists in constantly monitoring the state of the systems and / or subsystems responsible for railway safety for each change in the values of the variables of the real state of each system and / or subsystem, as well as the values the variables of the real state in each assigned current time interval predict the expected values of the variables of the real states of the system and / or subsystem of means They simulate its work in almost real time, compare the values of the variables of the real state of each subsystem with the expected values and, if differences are unacceptable under the safety conditions of railway transport, the system and / or subsystem are transferred to a safe state with minimal performance and completeness of the functions performed, then with a given frequency request permission from the system or subsystem of a higher level in their control vertical to go into a state with a higher permissible productivity and completeness of the functions performed, and upon receipt of permission, change the state of the system and / or subsystem in the direction of achieving the maximum possible performance and completeness of the functions performed under the prevailing conditions of failures and malfunctions, while changing the state of the system and / or subsystem is carried out by translating it into the new configuration using the external hardware and software configuration devices, while the system and / or subsystem transition to the new configuration Without a specified period of time after the positive results of diagnosing the stability of its operation in the mode with the maximum allowed performance and completeness of the functions performed in this new configuration. 2. The method according to claim 1, characterized in that the permissions for the transition of the system and / or subsystem from one configuration to another are generated based on the priorities of the configurations, distributed inversely with respect to the average risk of possible losses from work in the allowed configuration with the maximum allowed performance and completeness of the functions performed both in the vertical hierarchy of systems and / or subsystems belonging to different levels of control of a multi-level system, and in the horizontal hierarchy of priorities of subsystems, related to one level of management of a multilevel system. 3. The method according to any one of claims 1, 2, characterized in that the closest common system and / or subsystem in the vertical hierarchy of control of a multilevel security system is used as a control system for subsystems of one level. 4. A multi-level safety management system for rail transport, including at least two top-level systems of the safety management hierarchy, of which at one time one system is the main, and the other, similar to it, is a hot or cold reserve system, subsystem subordinate level of the hierarchy, and for each subsystem of the subordinate level of the hierarchy, the device for external configuration of hardware and software, made in the form of hardware and software an automaton with a finite number of states whose priorities are inversely dependent on the probable average losses from failures and malfunctions with the subsystem configurations corresponding to these automaton states, each system and subsystem containing a self-diagnosis and self-configuration module connected to a hardware-software control module, and for each of its subsystems of the nearest subordinate hierarchy level contains a module for predicting the operation of the subsystem of the subordinate hierarchy level in almost real time a comparison module, the output of which is connected to the corresponding input of the hardware-software control module, and the first input is the output of the module for predicting the operation of the subsystem of the subordinate hierarchy level, with the systems and all subsystems arranged in a hierarchy vertically and / or horizontally according to the degree of responsibility their decisions on managing the safety of the transportation process in railway transport, and in each of the systems or subsystems, a hardware-software control module through the appropriate interface the interface of the interface is connected to the input of the device for external configuration of the hardware and software of the subsystem of the subordinate hierarchy, the input of the module for predicting the operation of the subsystem of the subordinate hierarchy and the second input of the comparison module through the corresponding interface are connected to the output of the module of the hardware and software control of the subsystem, the output of each of the devices of external configuration is hardware - the software is connected via the corresponding interface of the interface to the corresponding input of the control the appearance of the module of the hardware-software control of the subsystem.

Images