WO2003047937A1 - Method for controlling a safety-critical railway operating process and device for carrying out this method - Google Patents

Method for controlling a safety-critical railway operating process and device for carrying out this method

Info

Publication number
WO2003047937A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
commercial
secure
computers
railway
Prior art date
Application number
PCT/DE2001/004485
Other languages
German (de)
English (en)
French (fr)
Inventor
Volker Goericke
Bernd Prade
Ralf Schiwasinske
Original Assignee
Siemens Aktiengesellschaft
Application filed by Siemens Aktiengesellschaft
Priority to PCT/DE2001/004485 (WO2003047937A1, de)
Priority to JP2003549144A (JP4102306B2, ja)
Priority to MXPA04004840A (MXPA04004840A, es)
Priority to KR10-2004-7007825A (KR20040063935A, ko)
Priority to AU2002224742A (AU2002224742A1, en)
Priority to CA002467972A (CA2467972A1, en)
Priority to CNB018238238A (CN1289345C, zh)
Publication of WO2003047937A1 (de)
Priority to HK05102045A (HK1069363A1)
Priority to US11/173,159 (US7209811B1, en)

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 11/00 Error detection; Error correction; Monitoring
            • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
              • G06F 11/14 Error detection or correction of the data by redundancy in operation
                • G06F 11/1497 Details of time redundant execution on a single processing unit
              • G06F 11/16 Error detection or correction of the data by redundancy in hardware
                • G06F 11/1608 Error detection by comparing the output signals of redundant hardware
                  • G06F 11/1625 Error detection by comparing the output signals of redundant hardware in communications, e.g. transmission, interfaces
                • G06F 11/1629 Error detection by comparing the output of redundant processing systems
                  • G06F 11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
                • G06F 11/1675 Temporal synchronisation or re-synchronisation of redundant processing components
                  • G06F 11/1683 Temporal synchronisation or re-synchronisation of redundant processing components at instruction level
    • B PERFORMING OPERATIONS; TRANSPORTING
      • B61 RAILWAYS
        • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
          • B61L 21/00 Station blocking between signal boxes in one yard

Definitions

  • The invention relates to a method according to the preamble of patent claim 1 and to a device for carrying out this method according to the preamble of patent claim 12.
  • Railway operating processes belong to the safety-critical processes, because any malfunction that is not recognized in time, and whose effects on the process are not prevented, can lead to considerable damage to property and possibly also to persons.
  • Signal-safe devices (devices that are safe in terms of signalling technology) have been used to control such processes; their task is to detect malfunctions both within the process to be controlled and within the process control itself, and then to bring the process into a safe state or keep it there.
  • Such signal-safe controls can be implemented using different techniques, for example relay technology or electronic technology.
  • For computer-based signal-safe process control, expensive special computers have been used, which process the pending processing orders in two channels and continuously compare the two channels' processing sequences, in a signal-safe manner, for matching content.
  • Control commands are only output to the process elements of the controlled process if both processing channels have reached the same result; otherwise the connection to the process is broken, unless there is at least one spare computer that can take over the functions of the failed computer and actually does so.
  • The secure computers also contain the railway-administration-specific software for the actual process control, e.g. interlocking operation.
  • The railway-administration-specific software is determined by the operating regulations of the respective railway administration and describes, e.g., the predefined dependencies of route setting and route release (Signal + Draht, 77 (1985) 12, pp. 259-265).
  • The railway-administration-specific software differs not only from one railway administration to another, but at least partly also from installation to installation within the same railway administration.
  • The object of the present invention is to provide a method for controlling a safety-critical railway operating process according to the preamble of claim 1 that reduces the effort of preparing the programs required for safe process control and makes it possible to react quickly and inexpensively to any changed requirements of a railway operator for process control. It is also an object of the invention to provide a device for performing this method.
  • The invention solves this problem by the features of claim 1 and claim 12.
  • The basic idea of the invention is to move the railway-administration-specific software out of the signal-safe computer or computers onto commercial computers, to process the data there at least twice, and to check the results for consistency in the signal-safe computers before they are output to the process.
  • The signal-safe computers essentially retain the tasks of securely recording the incoming messages and commands and transmitting them to the commercial computers, of acting reliably on the process elements, and, in the event of a malfunction, of securely disconnecting the process elements.
  • FIG. 1 schematically shows the structure of the device according to the invention for controlling a safety-critical railway operating process.
  • FIG. 2 shows a known signal-safe computer SR for processing a process by means of preferably identical processing programs in two independent processing channels K1, K2.
  • The secure computer SR stands for any number of signal-safe computers; their number essentially depends on the size of the process to be controlled.
  • The process to be controlled is a railway operating process that acts on a railway installation BA. Representing the process elements of
  • The signal-safe computer SR sends the messages M transmitted to it by the process via a communication bus
  • The commands K for controlling the railway operating process are also generated via the input and display computer EAR and transmitted to the signal-safe computer SR.
  • The input can be made by an operator, e.g. a dispatcher, or by an automatic system, e.g. for self-service or pass-through operation.
  • The messages and commands are processed in two channels in the signal-safe computer according to the conditions and dependencies specified in the respective operating regulations of a railway operator.
  • Test programs ensure that the input/output registers of the secure computer, as well as its program and working memory and its address registers, are checked within a specified minimum period to determine whether their memory cells can take on either state. Any malfunctions are detected in an event- or time-controlled manner and lead to the safe shutdown of the outdoor installations: control commands can then no longer be issued to points, and the signals go to stop.
  • The device according to the invention for controlling a railway operating process, shown in FIG. 1, also contains at least one signal-safe computer SR* with two processing channels K1* and K2*, which are preferably constructed and operated identically. Its task, like that of the prior-art signal-safe computer SR, is to reliably record all messages M and commands K supplied to it and to feed them to processing. It is further its task to output control commands SB, which have been developed in a signal-safe manner, to the process elements W, S of the respective railway installation BA, or to ensure in a signal-safe manner that such control commands are not output in the event of a fault.
  • The processing of the conditions and dependencies for the control and monitoring of the railway operating process, defined by the respective railway operating regulations BO, does not take place in the signal-safe computers SR* but in commercial computers R1, R2, ... Rn, in which the installation-specific data for controlling the railway operating process are also stored. The computers R1, R2 represent one or more pairs of computers, and each computer can also belong to several pairs; three pairs could be formed from three computers. They carry out the processing orders A supplied to them by the secure computer SR*, each independently of the other, according to the conditions and dependencies defined for the process control in the respective railway operating regulations BO.
  • The two computers of each commercial computer pair R1, R2 transmit their work results to the signal-safe computer SR*; whichever of R1 or R2 finishes first forces a waiting point with time monitoring, at which the work result of the other computer or computers is waited for, or, in the event of a timeout, fault handling is carried out.
  • Test mechanisms PM for the plausibility of the messages supplied to the commercial computer pairs R1, R2 and for the signatures of the outputs and memory areas they have developed are indicated schematically in FIG. 1.
  • The commands K fed to the secure computer SR* by the input and display computer EAR are converted by the latter into processing orders A and transmitted in the form of telegrams to the commercial computers R1, R2; there they trigger processing according to the conditions and dependencies of the respective railway operating regulations BO.
  • At the request of the commercial computers, the signal-safe computer ensures that the processing programs of the commercial computers are synchronized so that they can continue processing after the waiting time.
  • The sensor messages determined by the commercial computers are read in and evaluated.
  • The processing results E determined by the commercial computer pair R1, R2 are sent as telegrams to the signal-safe computer SR*, where they are securely distributed over the two processing channels K1*, K2* and compared in a signal-safe manner to ensure that they match.
  • The function block V, in which the relevant programs for the secure distribution of messages and the reliable comparison of the results worked out by the commercial computers R1, R2 are stored as system software, is shown in the drawing.
  • The test mechanisms PMS of the signal-safe computer are implemented in a signal-safe manner.
  • The particular advantage of the device according to the invention over a corresponding device designed according to the state of the art is that only the functions of safe input and output and safe data comparison have to be implemented in the signal-safe computer, independently of the requirements and conditions set by the operating regulations of the individual railway administrations.
  • This not only makes the system software running in the secure computer or computers simple and clear; rather, it is the same for all applications, so it no longer has to be developed case by case and subjected to an approval test.
  • The railway-administration-specific software, which is determined by the different operating regulations of the individual railway administrations, runs on the commercial computers. Its interaction with the system software of the secure computers does not have to be checked.
  • The development of the railway-administration-specific software does not necessarily have to be carried out by the manufacturer responsible for the signalling safety of the signal-safe computer. Rather, it is possible to commission qualified engineering firms or the like to develop the programs for the commercial computers; they coordinate the software they have developed with the respective railway administration and, e.g., an approval authority such as the Federal Railway Authority. This makes it possible to adapt the programs for controlling and monitoring a safety-critical railway operating process much faster and more cheaply than before, without having to accept any loss of safety.
  • The commercial computers R1, R2 stand for one or more dual-computer systems, or computer systems provided with redundant computers, in whose individual computers identical programs for processing the conditions and dependencies specified by the respective railway operating regulations run; individual commercial computers preferably implement either only certain sub-functions of the operating regulations or only certain parts of the railway installations.
  • The arrangement can also be such that the commercial computers R1, R2 are each individual computers in which the programs of the railway-administration-specific software, determined by the operating regulations of a railway administration, are processed independently several times, but at least twice in succession.
  • The railway-administration-specific software required for this can be designed in a diverse manner, or its content can be the same for both processing runs.
  • For the transmission of the results developed by the commercial computers to the signal-safe computer, a non-signal-safe data transmission is preferably used, in which either the results are transmitted in two channels, serially or in parallel, to the safe computer or computers, or they are transmitted twice in succession over only one channel.
  • A second or third redundant channel increases availability. Any data corruption on the transmission path from the commercial computers to the signal-safe computers, and vice versa, can be recognized in the receiving computer by means of a signature inserted by the sending computer, which encodes the telegram content using a calculation rule.
  • The commercial computer can be designed as a so-called operator station computer, by means of which a railway operator or an automatic system can issue commands for execution to the railway operating process and the feedback from the railway operating process can be visualized.
  • The programs for entering and visualizing commands and messages and the programs that control the process elements in accordance with the railway operating regulations then run independently of one another in the operator station computers.
  • The programs for command input and process visualization can also be combined with the programs for process control as specified by the railway operating regulations.
  • The signal-safe computer or computers can also be designed as m-out-of-n computer systems, in which the decision as to whether and which control commands are to be issued to the process is made by a majority decision of at least two intact computers.
  • Control commands are output to the process in two channels; every computer has the option of preventing the issuing of control commands when processing errors are detected.
  • The method according to the invention and the device according to the invention can be used with advantage for all safety-critical railway operating processes.
  • Such an application can be, e.g., the safe control of railway operation by an interlocking, but also, e.g., LZB continuous train control.
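The principle described in the bullets above (order A handed to a pair of commercial computers, waiting point with time monitoring, results E compared in two channels of SR*, telegram signature to catch corruption on the transmission path) as an added simulation; this is not the patent's or Siemens' code. The names SR*, R1/R2, K1*/K2*, A, E and SB follow the description; the telegram format, the keyed-hash signature, the 200 ms limit and the toy operating rules are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable, Optional

WAIT_LIMIT_MS = 200            # assumed limit of the time monitoring at the waiting point
KEY = b"constructed-demo-key"  # constructed; the patent only speaks of a "calculation rule"

@dataclass(frozen=True)
class Telegram:
    order_id: int
    payload: str    # order A, e.g. "SET_ROUTE:1", or result E, e.g. "W1=LEFT;S1=PROCEED"
    signature: str

def signature(payload: str) -> str:
    # Signature the sending computer attaches to the telegram content; a keyed hash
    # stands in here for the patent's unspecified calculation rule (assumption).
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

def send(order_id: int, payload: str) -> Telegram:
    return Telegram(order_id, payload, signature(payload))

def verify(t: Telegram) -> bool:
    return hmac.compare_digest(t.signature, signature(t.payload))

def rules_bo(order: str) -> str:
    # Constructed stand-in for the operating regulations BO: route 1 needs point W1
    # in the left position and clears signal S1; any other order keeps S1 at stop.
    return "W1=LEFT;S1=PROCEED" if order == "SET_ROUTE:1" else "S1=STOP"

def commercial_computer(rules: Callable[[str], str], arrival_ms: int):
    """One R-computer: check the order's signature, apply the rules BO and answer
    with a signed result E that reaches SR* after arrival_ms (simulated time)."""
    def run(order: Telegram) -> tuple[Optional[Telegram], int]:
        if not verify(order):
            return None, arrival_ms
        return send(order.order_id, rules(order.payload)), arrival_ms
    return run

def channel_check(results: list[Telegram], order_id: int) -> Optional[str]:
    """Comparison done in one processing channel (K1* or K2*): returns None when the
    results are acceptable, otherwise the reason for refusing to release a command."""
    if len(results) < 2:
        return "missing result"
    if not all(verify(e) and e.order_id == order_id for e in results):
        return "bad signature"
    if len({e.payload for e in results}) != 1:
        return "mismatch"
    return None

def safe_computer(order_payload: str, computers, order_id: int = 1) -> dict:
    """SR*: issue order A, enforce the waiting point with time monitoring, then let
    K1* and K2* compare independently. The control command SB is released only if
    both channels accept; any refusal means no command is output (safe state)."""
    order = send(order_id, order_payload)
    results = []
    for r in computers:
        e, arrival = r(order)
        if arrival > WAIT_LIMIT_MS:
            return {"output": None, "fault": "timeout"}
        if e is not None:
            results.append(e)
    faults = [channel_check(results, order_id) for _channel in ("K1*", "K2*")]
    if any(faults):
        return {"output": None, "fault": next(f for f in faults if f)}
    return {"output": results[0].payload, "fault": None}

def corrupt_in_transit(rules: Callable[[str], str], arrival_ms: int):
    """Constructed transmission fault: the result payload is altered on the way to
    SR* while the original signature is kept, which the receiver must detect."""
    inner = commercial_computer(rules, arrival_ms)
    def run(order: Telegram) -> tuple[Optional[Telegram], int]:
        e, arrival = inner(order)
        return (None, arrival) if e is None else (replace(e, payload=e.payload.replace("STOP", "PROCEED")), arrival)
    return run

if __name__ == "__main__":
    r1, r2 = commercial_computer(rules_bo, 50), commercial_computer(rules_bo, 80)
    print(safe_computer("SET_ROUTE:1", [r1, r2]), safe_computer("SET_ROUTE:2", [r1, corrupt_in_transit(rules_bo, 80)]))
```

A diverging rule version on one computer, a late computer, or a falsified telegram each leave SR* without a released command, which is the safe side the description requires.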

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mechanical Engineering (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Safety Devices In Control Systems (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)

Priority Applications (9)

Application Number Priority Date Filing Date Title
PCT/DE2001/004485 WO2003047937A1 (de) 2001-11-22 2001-11-22 Verfahren zum steuern eines sicherheitskritischen bahnbetriebsprozesses und einrichtung zur durchführung dieses verfahrens
JP2003549144A JP4102306B2 (ja) 2001-11-22 2001-11-22 安全性の要求される鉄道運転プロセスの制御方法およびこの方法を実施するための装置
MXPA04004840A MXPA04004840A (es) 2001-11-22 2001-11-22 Procedimiento para controlar un proceso de operacion de seguridad critica ferroviaria y dispositivo para realizar este procedimiento.
KR10-2004-7007825A KR20040063935A (ko) 2001-11-22 2001-11-22 안전 임계적 철도 운영 프로세스를 제어하기 위한 방법 및상기 방법을 수행하기 위한 장치
AU2002224742A AU2002224742A1 (en) 2001-11-22 2001-11-22 Method for controlling a safety-critical railway operating process and device for carrying out said method
CA002467972A CA2467972A1 (en) 2001-11-22 2001-11-22 Method for controlling a safety-critical railroad operating process and device for carrying out said method
CNB018238238A CN1289345C (zh) 2001-11-22 2001-11-22 控制安全苛刻的铁路运行过程的方法和实施该方法的装置
HK05102045A HK1069363A1 (en) 2001-11-22 2005-03-09 Method for controlling a safety-critical railway operating process and device for carrying out said method
US11/173,159 US7209811B1 (en) 2001-11-22 2005-07-05 System and method for controlling a safety-critical railroad operating process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/DE2001/004485 WO2003047937A1 (de) 2001-11-22 2001-11-22 Verfahren zum steuern eines sicherheitskritischen bahnbetriebsprozesses und einrichtung zur durchführung dieses verfahrens

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US10496082 A-371-Of-International 2001-11-22
US11/173,159 Continuation US7209811B1 (en) 2001-11-22 2005-07-05 System and method for controlling a safety-critical railroad operating process

Publications (1)

Publication Number Publication Date
WO2003047937A1 true WO2003047937A1 (de) 2003-06-12

Family

ID=5648319

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DE2001/004485 WO2003047937A1 (de) 2001-11-22 2001-11-22 Verfahren zum steuern eines sicherheitskritischen bahnbetriebsprozesses und einrichtung zur durchführung dieses verfahrens

Country Status (8)

Country Link
JP (1) JP4102306B2
KR (1) KR20040063935A
CN (1) CN1289345C
AU (1) AU2002224742A1
CA (1) CA2467972A1
HK (1) HK1069363A1
MX (1) MXPA04004840A
WO (1) WO2003047937A1


Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2929056B1 (fr) * 2008-03-19 2010-04-16 Alstom Transport Sa Dispositif de detection a seuil securitaire d'un systeme ferroviaire
DE102012211273A1 (de) * 2012-06-29 2014-01-02 Siemens Aktiengesellschaft Verfahren und Anordnung zum Steuern einer technischen Anlage
CN105822665A (zh) * 2016-06-02 2016-08-03 株洲时代新材料科技股份有限公司 一种低地板车固定铰中整体式金属关节轴承及其组装方法
CN112462731B (zh) * 2020-10-16 2022-06-24 北京西南交大盛阳科技股份有限公司 安全监督控制方法、安全监督控制装置、计算机设备及安全监督系统

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0132548A1 (de) * 1983-06-28 1985-02-13 Siemens Aktiengesellschaft Einrichtung zum Betrieb eines rechnergesteuerten Stellwerkes
WO1992003787A1 (de) * 1990-08-14 1992-03-05 Siemens Aktiengesellschaft Mehrrechnersystem hoher sicherheit mit drei rechnern
EP0503336A2 (de) * 1991-03-09 1992-09-16 Alcatel SEL Aktiengesellschaft Einrichtung zur signaltechnisch sicheren Fernsteuerung einer Unterstation in einer Eisenbahnanlage


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102013218814A1 (de) * 2013-09-19 2015-03-19 Siemens Aktiengesellschaft Verfahren zum Betreiben eines sicherheitskritischen Systems
WO2015039878A1 (de) * 2013-09-19 2015-03-26 Siemens Aktiengesellschaft Software aktualisierung von non-kritischen komponenten in dual sicherheitskritischen verteilten systemen
US10229036B2 (en) 2013-09-19 2019-03-12 Siemens Mobility GmbH Software update of non-critical components in dual safety-critical distributed systems
EP4293957A1 (de) * 2022-06-16 2023-12-20 Siemens Mobility GmbH Verfahren und anordnung zum erzeugen eines steuersignals

Also Published As

Publication number Publication date
KR20040063935A (ko) 2004-07-14
CN1289345C (zh) 2006-12-13
HK1069363A1 (en) 2005-05-20
JP2005511386A (ja) 2005-04-28
MXPA04004840A (es) 2004-08-02
CA2467972A1 (en) 2003-06-12
AU2002224742A1 (en) 2003-06-17
JP4102306B2 (ja) 2008-06-18
CN1558848A (zh) 2004-12-29

Similar Documents

Publication Publication Date Title
DE3706325C2 (ja)
DE102009054157B3 (de) Steuerungssystem zum Steuern von sicherheitskritischen und nichtsicherheitskritischen Prozessen
DE10030329C1 (de) Redundantes Steuerungssystem sowie Steuerrechner und Peripherieeinheit für ein derartiges Steuerungssystem
EP0742500A2 (de) Sichere Tipptasten- und Schalterfunktionen mit Fehleraufdeckung
DE4032033C2 (ja)
EP2445771B1 (de) Verfahren zum erstellen eines elektronischen stellwerks als ersatz eines bestehenden stellwerks
EP2731849B1 (de) Stellwerksrechner
EP0132548A1 (de) Einrichtung zum Betrieb eines rechnergesteuerten Stellwerkes
EP1197418B1 (de) Verfahren zum Steuern eines sicherheitskritischen Bahnbetriebsprozesses und Einrichtung zur Durchführung dieses Verfahrens
DE2701925C3 (de) Fahrzeugsteuerung mit zwei Bordrechnern
DE102005023296B4 (de) Zugbeeinflussungssystem
EP0424664B1 (de) Einrichtung zur Übertragung von Steuerungsinformation auf ein Schienenfahrzeug
WO2003047937A1 (de) Verfahren zum steuern eines sicherheitskritischen bahnbetriebsprozesses und einrichtung zur durchführung dieses verfahrens
WO1997008617A2 (de) Einrichtung zur einkanaligen übertragung von aus zwei datenquellen stammenden daten
DE102004035901B4 (de) Einrichtung zum Steuern eines sicherheitskritischen Prozesses
AT402909B (de) Verfahren zur gewährleistung der signaltechnischen sicherheit der benutzeroberfläche einer datenverarbeitungsanlage
EP2418580B1 (de) Verfahren zum Betreiben eines Netzwerkes und Netzwerk
EP2228723B1 (de) Verfahren zur Fehlerbehandlung eines Rechnersystems
EP0920391B1 (de) Verfahren zur steuerung und überwachung einer verkehrstechnischen anlage
EP2026147A1 (de) Verfahren zum Übermitteln von Telegrammen zwischen einer Steuereinrichtung und einem Peripherieelement über ein Zwischengerät
EP1702827A1 (de) Bedienplatzsystem
WO2004036324A1 (de) Verfahren und vorrichtung zur prozessautomatisierung mit redundanten steuergeräten zur ansteuerung von peripheriegeräten über ein bussystem
WO2018158039A1 (de) Umschaltung zwischen element-controllern im bahnbetrieb
WO2011113405A1 (de) Steuergeräteanordnung
DE10116244C2 (de) Verfahren zum Betreiben einer Bedienplatzeinrichtung

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AU BG BR CA CN CO CZ HU IN JP KR MA MX PH PL SK US ZA

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2003549144

Country of ref document: JP

Ref document number: 2467972

Country of ref document: CA

Ref document number: 00665/KOLNP/2004

Country of ref document: IN

Ref document number: 665/KOLNP/2004

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: PA/A/2004/004840

Country of ref document: MX

Ref document number: 1020047007825

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 20018238238

Country of ref document: CN