WO2008116429A1

WO2008116429A1 - Electronic railway interlocking equipment system

Info

Publication number: WO2008116429A1
Application number: PCT/CZ2008/000035
Authority: WO
Inventors: Pavel Doubek; Martin Burda; Pavel Fuchs; Petr Jelinek; Ales Kiml; Lubomir Machacek; Josef Martinec; Jirí TEPLY; Zdenek Veverkova; Miloslav Vlcek
Original assignee: Azd Praha S.R.O.
Priority date: 2007-03-26
Filing date: 2008-03-26
Publication date: 2008-10-02
Also published as: EP2139745B1; EP2139745A1; ATE497462T1; DE602008004830D1; CZ2007224A3

Abstract

The control level (CONL) is connected by at least one external data link (EDLA, EDLB) to the executive level (EL), which contains at least one executive device (ED), which has three basic parts, being the control part (CP) made up for at least one control computer (CC), the executive part (EP) made up for at least one executive component (EC) and the supply part (SP) made up for at least one source (S). The control part (CP), executive part (EP) and supply part (SP) are mutually connected by at least one internal data link (IDLA, IDLB) for the executive device (ED).

Description

Electronic Railway Interlocking Equipment System

Technical Field

[0001] The invention concerns the electronic railway interlocking equipment system, which is comprised of three essential levels, being the commanding level, control level and executive level. The commanding level is comprised of at least one arrangement of operating computers, which contains one active commanding computer and zero or at least one passive commanding computer for displaying only information that is not relevant to signalling. Each commanding computer system is data connected to the control level through a hub, connected to the vital computer of the respective branch for creating the vital core of the control level. To increase the availability of the electronic interlocking equipment system, the control level can contain further stand-by vital computers for the respective branches, while the executive level is made up of at least one commanding device.

Background of the Invention

[0002] Both relay signalling equipment and electronic interlocking equipment with relay outputs are currently used in the Czech Republic for signalling traffic on railway lines and in railway stations. Relay interlocking equipment no longer fulfils all the required functions at the current time. The logical circuits of relay interlocking equipment are created by strictly specified circuit connections made up primarily of special signalling relays of the 1^st group of safety functions. This equipment is produced individually for each and every application and it is difficult to produce it separately for each application. It is also difficult to test this equipment for any production and design flaws in the production phase and when putting it into operation. Relay equipment cannot easily adapt to newly formulated requirements on the activity of interlocking equipment and changes in the railyard. This relay interlocking equipment takes up a large built-up space. It is also known that this interlocking equipment does not provide the^' required comfort for operators and maintenance personnel. Relay interlocking equipment cannot be easily connected to the remote control system and the possibility for connecting it to the higher systems used to support the control of traffic processes is also insufficient. [0003] There is some electronic interlocking equipment that eliminates some of the drawbacks of relay interlocking equipment.

[0004] There is, for example, the electronic interlocking with relay outputs known under the brand name K-2000 from the Czech company Starmon s.r.o., Choceή, CZ, which works as a system with redundant safety in the 2 of 2 architecture.

[0005] The programmable interlocking equipment for trains and shunting components, particularly for siding and mine railways, by Czech company C-MODUL, spol. s r.o., Sluδovice, CZ, which also works as a system with redundant safety in the 2 of 2 architecture and uses relay outputs, is also well known. [0006] Processor interlocking equipment for the remote control connecting railway interlocking relay and/or electronic equipment from the Czech company ARGO is also well known. This equipment also works in the 2 of 2 architecture.

[0007] Various implementations of both relay interlocking equipment and electronic signalling equipment are used' elsewhere in the world. [0008] For example the signalling equipment from SIEMENS AG, DE is composed of a special SIMIS processor kit meant for use in interlocking equipment. The equipment works in 2 of 2 or 2 of 3 architecture with identical HW channels equipped with identical SW. [0009] The interlocking equipment from Bombardier ATV, which works with backed up (duplicate) 2 of 2 architecture with identical HW channels and different software, is also well known.

[0010] The microprocessor interlocking equipment is also well known, primarily for the railway transport of the company CSEE-TRANSPORT. This equipment is comprised of two microprocessors arranged in parallel, the input of which is connected through an analogue- numerical converter to the output of analogue entry sensors. [0011] ALCATEL AT's interlocking equipment, which works in 2 of 2 architecture in some of its parts and in 2 of 3 architecture in some of its other parts.

[0012] The closest solution is the ESA 11 interlocking equipment from AZD Praha s.r.o., Prague, the Czech Republic, under Czech patent no. 293 635. This signalling equipment works in 2 of 2 architecture with a backup of some of its parts. The interlocking equipment is made up of control and executive parts.

[0013] The control part is made up of four vital computers, which are connected to a vital data network through the vital data network's hubs and to a control data network through the control data network's hubs. Meanwhile branch A's main vital computer and branch B's main vital computer are connected with the vital data network's main hub and the control data network's main hub. Meanwhile branch A's by-stand vital computer and branch B's by-stand vital computer are connected with the vital data network's stand-by hub and the control data network's stand-by hub. The vital data network's main hub is connected to the vital data network's stand-by hub and the control data network's main hub is connected to the control data network's stand-by hub. Branch A's main vital computer and branch A's stand-by vital computer are connected to the executive part, which is made up of at least one executing device. Branch B's main computer and branch B's stand-by computer are connected to the executive part. The vital data network's main hub is connected to at least one arrangement of operating computers, which is made up of at least one commanding computer and possibly at least one passive commanding computer. The vital data network's stand-by hub may be connected to at least one system of commanding computers, which is made up of at least one commanding computer and possibly at least one passive commanding computer. The control part can also be supplemented with a computer for maintenance, which can be connected through a redundant transceiver. In justified cases, the control part can be supplemented with a supervision system, connected by the main bridge or eventually by a stand-by bridge. The connected equipment controls in a secure manner on the basis of the connected equipment's input data on the basis of the operators' requirements.

The equipment displays selected information to the operators. This interlocking equipment was successfully implemented in several dozen installations in the Czech Republic and abroad.

[0014] The executive part is comprised of branch A's executive computer, branch B's executive computer, a block of non-vital outputs, a supply block, a block of vital relay outputs, a block of input indications, a block of vital electronic outputs, a block of branch A's analogue inputs, a block of branch B's analogue inputs, a block of branch A's input indication controls, a block of branch B's input indication controls, a block of branch A's secure electronic output controls and a block of branch B's secure electronic output controls. Branch A's executive computer is connected with the control part, the block of non-vital outputs, supply block, block of secure relay outputs, block of branch A's analogue inputs, block of branch A's input indication controls, block of branch A's secure electronic output controls and branch B's executive computer. Branch B's executive computer is also connected with the control part, the block of non-vital outputs, supply block, block of secure relay outputs, block of branch B's analogue inputs, block of branch B's input indication controls and block of the 2^nd branch's electronic output controls. The block of input indications is connected with the block of secure relay outputs, block of secure electronic outputs, a block of branch A's input indication controls and block of branch B's input indication controls. The block of secure electronic outputs is also connected with the block of branch A's vital electronic output controls and the block of branch B's vital electronic output controls. The block of branch A's analogue inputs is also connected with the block of branch B's analogue outputs. The executive level can be positioned for the use of the means of remote data transferral.

[0015] The strengths of this invention are the backup of the electronic configuration with the use of the possibility of remote control and positioning. The equipment enables the modification of its functions according to the operator's requirements. In its commanding and executive parts this interlocking equipment is backed up in such a manner so that any loss of functionality of the backed-up part does not cause a limitation of functions. [0016] During several operations of this interlocking equipment a few disadvantages have become apparent. The use of up to four hubs in the control part is a disadvantage. Thus if any of them break down, the control part can not work in stand-by mode. A breakdown of the executive part leads to a large part of the outer technological equipment being out of operation, which can lead to considerable limitations of railway traffic. Another disadvantage is the impossibility of backing up and merging communication lines connecting the control and executive parts, which is then shown particularly in the demands on the number of means of remote data transmission. The executive level's architectural concept used does not allow a subsequently fast reaction to demands for connecting other types of external technological equipment including adaptations to other railway operators' requirements. Last but not least, the considerable robustness of the executive level and the insufficient elimination of the type N relay (UIC) are disadvantages. [0017] The objective of this invention is to discover a processor electronic railway interlocking equipment system that fulfils all the functional requirements placed on this equipment in the Czech Republic and that can easily be modified for the requirements of other railway operators while eliminating the failings and specified disadvantages of the solution according to Czech patent no. 293 635.

Summary of the Invention

[0018] This goal is fulfilled by the electronic railway interlocking equipment system pursuant to this invention, including three main levels, being the commanding level, control level and executive level. The essence of this invention consists in the new composition of these levels, especially the executive and control levels and also in the alternative overall new connection of these levels. More details are provided below.

[0019] The executive level of the interlocking equipment is comprised of at least one executive device. In order to suitably configure the executive device, which is used: for issuing non-vital commands vital contact commands - vital logical commands - vital coded logical commands vital electronic commands for reading input logical indications analogue inputs - for secure communications with other signalling devices and which communicates with the control part's vital computer or with the control part's stand-by vital computer, the executive device is made up of three basic parts: the control part of the executive device the executive part of the executive device - the supply part of the executive device.

[0020] The control part of the executive device and the executive part of .the executive device are separately operating devices working in a secure manner pursuant to Czech standard CSN 34 2600 and also in accordance with valid European Standards EN 50 126, EN 50 128, 50 129, EN 159-1 and EN 159-2.

[0021] The control part of the executive device is connected to the control level of the interlocking equipment using two communication channels, the control part of the executive device is connected to the executive part of the executive device using other communication channels and the control part of the executive device is connected to the supply part of the executive device using at least one communication channel.

[0022] The control part of the executive device is made up of one or two mutually-connected control computers of the executive part, with one of them being a stand-by. [0023] The control computer of the executive device works in two of two regime and is made up of a branch A's control computer, branch B's control computer, branch A's external communication interface, branch B's external communication interface, branch A's internal communication interface, branch B's internal communication interface, vital power source and watch interface. In some cases it is useful to add a diagnostic computer to this configuration. The branch A's control computer is connected with the branch A's external communication interface, the branch A's control computer is connected with the branch A's internal communication interface, the branch A's control computer is connected with the diagnostic computer, the branch A control computer is connected with the branch B's control computer, the branch A's control computer is connected with the vital power source and the branch A's control computer is connected with the watch interface. The branch B's control computer is connected with the branch B's external communication interface, the branch B's control computer is connected with the branch B's internal communication interface, the branch B's control computer is connected with the diagnostic computer, the branch B's control computer is connected with the branch B's control computer, the branch B's control computer is connected with the vital power source and the branch B's control computer is connected with the watch interface. The vital power source is connected to the branch A's control computer, the branch B's control computer, the branch A's external communication interface, the branch B's external communication interface, the branch A's internal communication interface, the branch B's internal communication interface and the watch interface. The watch interface is connected to the branch A's control computer, the branch B's control computer, the vital power source and it is connected to the supervision interface of the executive part's stand-by control computer.

[0024] The executive part of the executive device is made up of at least one executive component. The executive component is made up of a total of nine function parts:

[0025] The 1^st function part works in two of two mode and is made up of the branch A's executive computer, the branch B's executive computer, branch A's internal communication interface, branch B internal communication interface and vital power source. The branch A's executive computer is connected with the branch A's internal communication interface, the branch A's executive computer is connected with the branch B's executive computer and the branch A's executive computer is connected with the vital power source. The branch B's executive computer is connected with the branch B's internal communication interface, the branch B's executive computer is connected with the branch A's executive computer and the branch B's executive computer is connected with the vital power source. [0026] The 2^nd function part is made up of vital contact outputs, branch A's watch vital contact outputs and branch B's watch vital contact outputs. The vital contact outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1^st function part. The branch A's watch vital contact outputs are connected with the vital contact outputs and with the branch A's executive computer of the 1^st function part. The branch B's watch vital contact outputs are connected with the vital contact outputs and with the branch B's executive computer of the 1^st function part. [0027] The 3^rd function part is made up of vital logical outputs, branch A's watch vital logical outputs and branch B's watch vital logical outputs. The vital logical outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1^st function part. The branch A's watch vital logical outputs are connected with the vital logical outputs and with the branch A executive computer of the 1^st function part. The branch B's watch vital logical outputs are connected with the vital logical outputs and with the branch B's executive computer of the 1^st function part.

[0028] The 4^th function part is made up of vital coded logical outputs, branch A's watch vital coded logical outputs and branch B's watch vital coded logical outputs. The vital coded logical outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1^st function part. The branch A's watch vital coded logical outputs are connected with the vital coded logical outputs and with the branch A's executive computer of the 1^st function part. The branch B's watch vital coded logical outputs are connected with the vital coded logical outputs and with the branch B's executive computer of the 1^st function part. [0029] The 5^th function part is made up of vital electronic outputs, branch A's watch vital electronic outputs and branch B's watch vital electronic outputs. The vital electronic outputs are connected with the branch A's executive computer and with the branch B's executive computer of the 1^st function part. The branch A's watch vital electronic outputs, are connected with the vital electronic outputs and with the branch A's executive computer of the 1^st function part. The branch B's watch vital electronic outputs are connected with the vital electronic outputs and with the branch B's executive computer of the 1^st function part.

[0030] The 6^th function part is made up of non-vital outputs. The non-vital outputs are connected to the branch A executive computer and to the branch B's executive computer of the 1^st function part. [0031] The 7^th function part is made up of logical inputs. The logical inputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1^st function part.

[0032] The 8^th function part is made up of analogue inputs. The analogue inputs are connected to the branch A's executive computer and to the branch B's executive computer of the 1^st function part. [0033] The 9^th function part is made up of vital data interfaces. The vital data interfaces are connected to the branch A's executive computer and to the branch B's executive computer of the 1^st function part.

[0034] For the executive part of the executive device the 1^st function part is always mandatory and appropriate combination of the other function parts depends on the control of the external vital equipment. [0035] The supply part of the executive device is made up of one or two sources, with one of them being a stand-by.

[0036] Each source is made up of two partial sources, being the source for branch A, the source for branch B, control circuits, measurement circuits and an internal communication interface. The control circuits are connected to the source for branch A, the source for branch B and the internal communication interface. The measurement circuits are connected to the source for branch A, the source for branch B and the internal communication interface.

[0037] The control level of the interlocking equipment is comprised of four vital computers that are mutually connected to two networks, being the vital data network and the control network. The connection to the vital data network is achieved using hubs, and the connection to the control network is achieved by the vital computers' direct connection.

[0038] The branch A's vital'computer and the branch B's vital computer are 'connected with the vital data network hub. The branch A's stand-by vital computer and the branch B's stand- by vital computer are connected with the stand-by vital data network hub: The hub of the vital data network is connected to the stand-by hub of the vital data network. The branch A's vital computer is directly connected to the branch B's vital computer and the branch B's vital computer is also directly connected to stand-by branch B's vital computer. The branch A's vital computer and branch A's stand-by vital computer are connected to the executive part, which is made up of at least one executive device. The branch B's vital computer and branch B's stand-by vital computer are connected to the executive part. The hub of the vital data network is connected to at least one arrangement of operating computers, which is comprised of at least one active commanding computer and possibly by at least one passive commanding computer. The stand-by hub of the vital data network is potentially connected to at least one arrangement of operating computers, which is comprised of at least one active commanding computer and possibly by at least one passive commanding computer.

[0039] This electronic interlocking equipment enables the division of the signalling equipment's control level into two reliability parts and two vital branches in the following arrangement. The branch A's vital computer, branch B's vital computer, vital data network hub and the branch A's vital computer's direct connection to the branch B's vital computer make up the first reliability part of the control level. The stand-by branch A's vital computer, stand-by branch B's vital computer, vital data network stand-by hub and the stand-by branch A's vital computer's direct connection to the stand-by branch B's vital computer make up the second reliability part of the control level. The branch A's vital computer directly connected to the stand-by branch A's vital computer makes up the first vital branch of the control level. The branch B's vital computer directly connected to the stand-by branch B's vital computer makes up the second vital branch of the control level.

[0040)The commanding level of the interlocking equipment is comprised of at least one command workplace. The command workplace is made up of active and passive commanding computers, which are connected to the control level of the signalling equipment through the hub that is part of the control level of the signalling equipment.

[0041] The main advantage of this processor electronic railway interlocking equipment system according to this invention is achieving an economically-effective configuration with a decrease in the number of active elements (hubs), using the possibilities of its remote control and remote positioning. The electronic interlocking equipment according to this invention enables its functionality to be modified according to the requirements of any operator.

[0042] The electronic interlocking equipment system according to this invention is backed up in its decisive parts, including the back-up of the communication branch, in such a manner so that any loss of the backed up parts' functionality does not cause any functional limitations. The electronic interlocking equipment system operates safely in accordance with

Czech standard CSN 34 2600 and also in accordance with valid European standards EN 50

126, EN 50 128, 50 129, EN 159-1 and EN 159-2. [0043] The electronic interlocking equipment according to this invention enables cooperation with connected systems used for the support of controlled traffic.

Brief Description of the brawings

[0044] The invention and its other advantages will become apparent upon the following detailed description and ujion reference to the drawings, in which illustrates. Fig. 1 basic configuration of the electronic interlocking equipment system made up from three basic levels, being the executive, control and commanding levels, Fig. 2 basic configuration of the executive level's executive device made up of three parts, being the control, executive and supply parts; Fig. 3 basic configuration of the control computer of the executive device's controlpart, Fig. 4 basic configuration of the executive components of the executive part, made up of nine function parts; Fig. 5 basic configuration of source of the executive device's supply part; Fig. 6 alternative configuration of the electronic interlocking equipment from Fig. 1 with the connection of superior parts; Fig. 7 alternative configuration of the electronic interlocking equipment from Fig. 1 with a remote executive device; Fig. 8 alternative configuration of executive component from Fig. 4 for scanning logical inputs,

Fig. 9 alternative configuration of executive component from Fig. 4 for contact control; Fig. 10 alternative configuration of executive component from Fig. 4 for logical outputs; Fig. 11 alternative configuration of executive component from Fig. 4 for additional coding; Fig. 12 alternative configuration of executive component from Fig. 4 for controlling signal devices or point machine motors by scanning logical inputs; and Fig. 13 alternative configuration of executive component from Fig. 4 for the data control of the crossing control units, axle counters.

[0045] It is possible to divide the electronic signalling equipment system in the diagrams into two imaginary levels, being the reliability and vital levels. The reliability level includes the main part, the components of which are in the text below and in the diagrams without a numerical index, and the stand-by part, the components of which are marked with the lower index 1. The vital level is made up of two branches, which is differentiated by the lower index A and lower index B in the text below and in the diagrams.

Description of the Invention Preferred Embodiment

E x a m p l e 1 (Fig. 1)

[0046] The electronic railway interlocking/signalling equipment system is comprised of three essential levels, being the executive level EL, control level CONL and commanding level COML. [0047] The commanding level COML of the interlocking equipment is made up of two arrangements of operating computers, being the first arrangement AOC1 of the operating computers and the second arrangement AOC2 of the operating computers. Each arrangement of operating computers, therefore the first arrangement AOC1 of the operating computers and the second arrangement AOC2 of the operating computers, is made up of at least one active commanding computer ACC and zero, one or more passive commanding computers PCC. In this specific example the configuration of the first arrangement AOC1 of operating computers is made up of one active commanding computer ACC and one passive commanding computer PCC. If at least two active commanding computers ACC are used, they are divided as symmetrically as possible into two arrangements of operating computers, thus into the first arrangement AOC1 of the operating computers and into the second arrangement AOC2 of the operating computers. If at least two passive commanding computers PCC are used, they are divided as symmetrically as possible into two arrangements of operating computers, thus into the first arrangement AOC1 of the operating computers and into the second arrangement AOC2 of the operating computers. [0048] The passive commanding computer PCC only displays information that is not fail- safe relevant to operating personnel. This characteristic is made possible by communication in the vital data network in the control level CONL of the interlocking equipment, between the passive commanding computer PCC of the commanding level COML and the vital computer VC_A for branch A, vital computer VC_B for branch B, stand-by vital computer VCAl for branch A and stand-by vital computer VC_B1 for branch B. [0049] The vital computer VC_A for branch A and vital computer VC_B for branch B, are connected, to the vital data network's first reliability branch, through the vital data network's hub HUB. The vital data network's hub HUB is connected via a data link to the vital computer VC_A for branch A, and via another data link to vital computer VC_B for to the branch B, and via another data link with the vital data network's stand-by hub HUB₁. Moreover, the first arrangement AOC1 for operating computers Js connected to the vital data network's reliability branch A so, that the vital data network's hub HUB is connected via a data link with the active commanding computer ACC. and with the passive commanding computer PCC, which are the components of the first arrangement AOC1 of operating computers. [0050] The stand-by vital computer VC_A1 for branch A and stand-by vital computer VC_B1 for branch B are connected to the vital data network's 2^nd reliability branch through the vital data network's stand-by hub HUB₁ so, that the vital data network's stand-by hub HUB₁ is connected via a data link to the stand-by vital computer VC_A1 for branch A, and via another data link to the stand-by vital computer VC_B1 branch B. The second arrangement AOC2 of operating computers is connected to the vital data network's 2^nd reliability branch so, that the vital data network's stand-by hub HUB₁ is connected via a data link to the active commanding computer ACC. and to the passive commanding computer PCC. which are the components of the second arrangement AOC2 of the operating computers. [0051] The control data network is created, by a direct connection of the vital computer VC_A for branch A to the vital computer VC_B for branch B via an internal data link IDLCL control level, by a direct connection of the vital computer VC_A for branch A to the stand- by vital computer VC^ for branch A via an internal data line IDLCL_A control level for branch A, and by a direct connection of the vital computer VC_B for branch B to the standby vital computer VC_B1 for branch B via an internal data link.

[0052] The vital computer VC_A for branch A and stand-by vital computer VC_A1 for branch A are connected to the executive level EL for the signalling equipment by another external data link EDL_A for branch A. The vital computer VC_B for branch B and stand-by vital computer VC_B1 for branch B are connected to the executive level EL of the signalling equipment by another external data link EDL_B for branch B.

[0053] The control level CONL of the electronic railway signalling equipment system works as follows:

[0054] Each active commanding computer ACC receives instructions for non-vital operations from the operating personnel, it also displays non-vital information for the operating personnel, in prescribed cases it accepts vital operating instructions from the operating personnel and also displays vital information for the operating personnel. These characteristics are enabled by communication between the active commanding computer ACC of the first arrangement AOCl of operating computers and/or the second arrangement AOC2 of operating computers the commanding level COML. with the vital computer VC_A for branch A, with vital computer VC_B for branch B, with stand-by vital computer VC_{A 1} for branch A and with stand-by vital computer VC_{B 1} for branch B, on the other hand in the vital data network in the control level CONL.

[0055] The vital computer VC_A for branch A communicates with the executive device EJD of the executive level EL, through an external data link EDL_A in such a manner, that it transmits requests for issuing non-vital commands, for vital contact commands, for vital logical commands, for vital coded logical commands, for vital electronic commands to the executive device ED. and receives information from the executive device ED about the status of input logical indications and about analogue vital inputs, to the extent, allowed by the executive device ED. Before being submitted to the executive device ED. the submitted requests from the vital computer VC_A for branch A, are modified by a prescribed algorithm, according to the relevant values, that the vital computer VC_A for branch A, submits to the vital computer VC_B for branch B, through the internal data link IDLCL control level. Such modified requests are secured by redundancy created by the vital computer VC_A for branch A, as well as by redundancy created by the vital computer VC_B for branch B. The creation methods and the resulting redundancy created by the vital computer VC_A for branch A , and the redundancy created by the vital computer VC_B for branch B, are different. The redundancy, created by the vital computer VC_B for branch B, is submitted to the vital computer VC_A for branch A, through an internal data link IDLCL control level. [0056] The vital computer VC_A for branch A receives datagrams, which contains indications from the executive device ED, from the executive device's ED for branch A, through a external data link EDL_A for branch.A. After the vital computer VC_A for branch A checks the identity and authenticity of the datagrams received by the control computer CC, they are submitted to the vital computer VC_B by an internal data link IDLCL control level. The vital computer VC_B for branch B controls these diagrams, submitted by an internal data link IDLCL control level for identity and authenticity pursuant to its algorithms. [0057] The vital computer VC_A for branch A also processes the operation commands, through the vital data network, being both non-vital operations and vital operations from each active commanding computer ACC of the first arrangement AOCl of operating computers or from each commanding computer of the second arrangement AOC2 of operating computers. The vital computer VC_A for branch A communicates with the vital computer VC_B. for branch B, with which it mutually exchanges (via an internal data link IDLCL control level) the data necessary for the detection of the first failure of the vital computer VC_A for branch A or vital computer VC_B for branch B. In order to ensure reliable activities during the failure of the A vital computer VC_A for branch A or during the failure of the vital computer VC_B for branch B, the vital computer VC_A for branch A sends data, used for the repeated configuration of the variables, on the stand-by vital computer VC^ for branch A, through the control data network's internal data link IDLCL_A control level for branch A to the stand-by vital computer VC^for branch A, in certain time intervals so, that their values correspond to the values of the of the corresponding variables of the vital computer VC_A for branch A. [0058] The vital computer VC_B for branch B communicates with the executive device ED of the executive level EL, through a external data link EDL_B for branch B, in such a manner, that it transmits requests for issuing non-vital commands, for vital contact commands, for vital logical commands, for vital coded logical commands and for vital electronic commands, to the executive device ED. and receives information from the executive device ED about the status of input logical indications and about analogue vital inputs, to the extent, allowed by the executive device ED. Before being sent to the executive device ED, the submitted requests from the vital computer VC_B for branch B are modified by a prescribed algorithm, according to the relevant values, that the vital computer VC_B for branch B submits to the vital computer VC_A for branch A, through the internal data link IDLCL control level. Such modified requests are secured by redundancy, created by the vital computer VC_B for branch B, as well as by redundancy, created by the vital computer VC_A for branch A. The creation methods and the resulting redundancy, created by the vital computer VC_B for branch B, and the redundancy created by the vital computer VC_A for branch A, are different. The redundancy, created by the vital computer VC_A for branch A, is submitted to the vital computer VC_B branch B, through an internal data link IDLCL control level. [0059] The vital computer VC_B for branch B, receives datagrams, which contain indications from the executive device ED, from the executive device's ED through a external data link EDL_B for branch B. After the vital computer VC_B for branch B checks the identity and authenticity of the datagrams, received by the control computer CC, they are submitted to the vital computer VC_A for branch A, by an internal data link IDLCL control level. The vital computer VC_A for branch A also controls these diagrams, submitted by an internal data link

EDLCL control level for identity and authenticity pursuant to its algorithms.

[0060] The vital computer VC_B for branch B also processes the operation commands, through the vital data network, being both non-vital operations and vital operations fromeach active commanding computer ACC of the first arrangement AOCl of operatingcomputers or from each commanding computer of the second arrangement AOC2 of operating computers. The vital computer VC_B for branch B communicates with the vital computer VC_A for branch A, with which it mutually exchanges (via arr internal data link IDLCL control level) the data necessary for the detection of the first failure of the vital computer VC_B for branch B or vital computer VC_A for branch A., In order to ensure reliable activities during the failure of the vital computer VC_B for branch B or during the failure of the vital computer VC_A for branch A, the vital computer VC_B for branch B sends data used for the repeated configuration of the variables on the stand-by vital computer VC_B1 for branch B through the control data network's internal data link IDLCL_B control level for branch B to the stand-by vital computer VC_B1 for branch B, in certain time intervals' so, that their values correspond to the values of the of the corresponding variables of the vitall computer VC_B for branch B. [0061] The stand-by vital computer VC_A1 for branch A communicates with the stand-by vital computer VC_B1. branch B, with which it mutually exchanges the data necessary for the eventual detection of the 1^st failure of the stand-by vital computer VC_A1 for branch A or the stand-by vital computer VC_B1 for branch B through the control data network's stand-by internal data link EDLCL₁ control level.

[0062] Connecting at least one active commanding computer ACC of the first arrangement AOCl of operating computers, vital computer VC_A for branch A and vital computer VC_B for branch B to the vital data network's hub HUB, and also connecting at least one other active commanding computer ACC to the second arrangement AOC2 of operating computers, stand-by vital computer VC_A1 for branch A and stand-by vital computer VC_B1 for branch B to the vital data network's stand-by hub HUB₁. ensures the operability of the signalling equipment during any failure of the first active commanding computer ACC of the first arrangement AOCl of operating computers, and/or the other active commanding computer ACC to the second arrangement A0C2 of operating computers, and/or the vital computer VC_A for branch A. and/or the vital computer VC_B for branch B, and/or the standby vital computer VC_A1 for branch A, and/or the stand-by vital computer VC_B1 for branch B, and/or any of the data links mutually connecting the aforementioned elements. [0063] In order to ensure the full functionality of the control level CONL. i.e. the stand-by vital computer VC_A1 for branch A and the stand-by vital computer VC_B1 for branch B, during the failure of the vital computer VC_A branch A, and/or the failure of the vital computer VC_a for branch B, and/or the failure of the vital data network's hub HUB, the stand-by branch A vital computer VC_A1 copies the necessary internal variables to the branch A vital computer VC_A via the control data network's internal data link IDLCL_A control level for branch A, in prescribed time intervals, and the stand-by vital computer VC_B1 for branch B, copies the necessary internal variables to the vital computer VC_B for branch B via the control data network's internal data link IDLCLR control level for branch B.

[0064] Ensuring synchronisation is a necessary condition for ensuring the reliable activities of the electronic interlocking equipment. The synchronisation must be provided by the synchronised activity of the vital computers VC_A. VC_B. VC_A1. VC_B1_of the control level CONL and the executive device ED of the executive level EL and all of their communications.

[0065] The synchronisation is ensured by the realisation of a synchronous mode, where the vital computer VC_A for branch A is the source of synchronisation marks at prescribed time intervals in the vital data network and control data network for the vital computer VC_B for branch B, for the stand-by vital computer VC_A1 for branch A and for the stand-by vital computer VC_B1 for branch B, and also for the executive device ED of the executive level EL. [0066] During a failure of the vital computer VC_A for branch A, the stand-by vital computer VC_A1 for branch A takes over its function as the source of synchronisation marks for all the aforementioned data networks. [0067] The vital computer VC_A for branch A, or the stand-by vital computer VC_A1 for branch A in the event of its failure, carries out the appropriate functions that are invoked by the operating commands through any of the active commanding computers ACC and also automatically carries out all the relevant traffic functions and ensures the processing and transfer of the train numbers. [0068] The vital computer VC_B for branch B, or the stand-by vital computer VC_B1 for branch B, in the event of its failure, carries out the appropriate functions that are invoked by the operating commands through any of the active commanding computers ACC and also automatically carries out all the relevant traffic functions.

[0069] The fail-safe effect in the sense of CZ Standard CSN 34 2600 and the proposed EN 50 129 is contained both by the use of the 2 of 2 system as a system with redundant safety with a sufficiently timely detection of the 1^st error," which cannot in and of itself cause an unsafe effect, though could cause an unsafe effect in combination with another error. After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation of other failures. The detection of the 1^st error and the vital reaction demonstrably occurs in a time shorter than the occurrence of a 2^nd error (which could, in combination with the 1^st error, cause an unsafe effect) can be expected with the prescribed probability. In order to ensure the vital effect the vital computer VC_A for branch A and stand-by vital computer VC_A1 for branch A , are also equipped with different softwarein comparison with the vital computer VC_B for branch B and stand-by vital computer VC_B1 for branch B, though the software for both vital computer VC_A for the branch A and stand- by Vital computer VC_A1 for branch A and the vital computer VC_B for branch B and stand-by vital computer VC_B1 for branch B, is processed according to a joint assignment.

E x a m p l e 2

(Fig. 2) [0070] The configuration of the executive device ED, from which the executive level EL of the interlocking equipment fs created, is illustrated in Fig. 2.

[0071] The executive device ED is comprised of a control part CP, executive part EP and supply part SP. [0072] The executive device ED is connected to the control level CONL by connecting the control part CP to the control level CONL by external data link EDL_A for branch A and with the control level CONL by external data link EDL_B for branch B (Fig 1).

[0073] The control part CP is comprised of a control computer CC and stand-by control. computer CC_J. The control computer CC is connected to the stand-by control computer CC_J by an internal data link JDLCP control part. The stand-by control computer CC_J is not essential and is used for increasing the reliability of the control part CP.

[0074] The executive part EP is made up of at least one executive component EC. [0075] The supply part SP is cbmprised of a source S and a stand-by source S₁. The stand-by source S₁ is not essential and is used for increasing the reliability of the supply part SP. [0076] The control computer CC, stand-by control computer CC₁ and executive component EC are connected by internal data links IDL_A and IDL_B for respective branches A,B. [0077] The control part CP and supply part SP are connected by external data link EDL^for branch A or by external data link EDL_E for branch B.

[0078] The control computers CC. stand-by control computer CC₁ and each executive component EC are separately operating devices working in a secure manner pursuant to Czech standard CSN 34 2600 and also in accordance with valid European standards EN 50 126, EN 50 128, EN 50 129, EN 159-1 and EN 159-2.

E x a m p l e 3 (Fig. 3) [0079] The configuration of the control computer CC of the control part CP of the executive device ED is specified in Fig. 3, from which it is evident that the basic configuration of the control computer CC of the control part CP of the executive device ED is put together from the following basic parts: the control computer CC^JOr branch A, control computer CC_β/or branch B, diagnostic computer DC. vital source VS. watch interface WL external communication interface ECI^for branch A, external communication interface ECI₅JOr branch B, internal communication interface ICI_A for branch A and internal communication interface ICIgfor branch B.

[0080] The control computer CC_A for branch A communicates through the external communication interface ECI_A for branch A and using an external data link EDL^for branch A with the control level CONL and also through the internal communication interface ICI_A for branch A and using an internal data link IDL_A for branch A with the executive component EC making up the executive part EP of the executive device ED (Fig. 2). [0081] The control computer CC_B for branch B communicates through the external communication interface ECIg for branch B and using an external data link EDLg for branch B with the control level CONL and also through the internal communication interface ICIg for branch B and using an internal data link IDLg for branch B with the executive component EC making up the executive part EP of the executive device ED (Fig. 2). [0082] Both the control computer CC_A for branch A and the control computer CC_B for branch B mutually communicate with each other together by an internal data link IDLCC control computer between these control computers CC_A and CC_B.

[0083] The vital source VS is connected to the control computer CC_A for branch A and the control computer CC_βJor branch B, the external communication interface ECI^for branch A, the external communication interface ECIgJOr branch B, the internal communication interface ICIgfor branch A, the internal communication interface ICIg for branch B and the watch interface WJL The vital source VS is a circuit with internal security and with a anti- packing function, generating the vital power supply for the supply of external communication interface ECI^for branch A, external communication interface ECI_gJbr branch B, internal communication interface ICL^. internal communication interface ICI^ of the respective branch A or B and for the watch interface WI. The activity of the vital source VS is controlled by the dynamic signals of the branch A control computer CC_A for branch A and branch B control computer CCn for branch B.

[0084] The watch interface WI is connected with the control computer CC^for branch A and with the control computer CC_B for_branch B. The direct connection of the control computer CC and stand-by control computer QC± according to Fig. 2 is carried out by connecting the watch interface WI of the control computer CC to the watch interface WJ of the stand-by control computer CC₁. This connection of the control computer's CC watch interface WJ to the stand-by control computer's CC₁ watch interface WJ enables the hot backup mode in the control part of the executive device CP.

[0085] The equipment can favourably contain a diagnostic computer DC. which is connected to the control computer CC_A for branch A via a data link and the diagnostic computer DC is also connected with the control computer CC_B for branch B, using a data link.

[0086] The control computer CC works as follows:

[0087] The control computer CC_A for branch A and control computer CC_B for branch B communicate with the control level CONL of the signalling equipment through external data link EDL_A and external data link EDLg_for respective branches A,B- [0088] The branchs A's control computer CC_A receives datagrams from the vital computer VC_A or the stand-by vital computer VC^₁ of the interlocking equipment's control level CONL. through an external communication interface ECI_A and external data link EDL_A. The datagrams contain requests for issuing outputs to the executive part EP of the executive device ED. After the identity and authenticity of the received datagrams are controlled by the control computer CC^ for branch A, they are sent by an internal data link IDLCC control computers to the control computer CC^ for branch B. The control computer CC_B for branch B also controls the identity and authenticity of these datagrams sent by the internal data link rjDLCC control computers, according to its algorithms.

[0089] The branch's A control computer CC_A responds to the vital computer VC_A or standby vital computer VC^ of the signalling equipment's control level CONL by datagrams containing indications read by the executive part EP of the executive device ED. These datagrams are secured by redundancy created by the control computer CC^for branch A, as well as by redundancy created by the control computer CCg_ for branch B. The creation methods and the resulting redundancy created by the control computer CC_Δ_for branch A, and the redundancy created by the control computer CC_B for branch B, are different. The redundancy created by the control computer CC_A for branch A is passed to the control computer CC_B for branch B, by an internal data link IDLCC control computers. [0090] The branch's B control computer CC_B receives datagrams (which contain requests for issuing the outputs for the executive part EP for the executive device ED) from the vital computer VC_B or the stand-by vital computer VC₅₁ for the signalling equipment's control level CONL through an external communication interface ECI_A and data link EDL_A for respective branches A,B- After the identity and authenticity for the received datagrams are controlled by the branch B control computer CC_B they are sent by an internal data link IDLCC control computers to the branch A control computer CC^ for branch B. The control computer CC_A for branch A also controls the identity and authenticity for these datagrams sent by the internal data link IDLCC control computers, according to its algorithms. [0091 J The control computer CC_B for branch B responds to the vital computer VC₅ or standby vital computer VC^ for branch B for the interlocking equipment's control level CONL by datagrams, containing indications read by the executive part EP for the executive device ED. These datagrams are secured by redundancy created by the control computer CC_&_for branch B, as well as by redundancy created by the control computer CC^ for branch A. The creation methods and the resulting redundancy created by the branch A control computer CC_A for branch A and the redundancy created by the control computer CC_B for branch B, are different.

[0092] The redundancy created by the control computer CC_& for branch A is passed to the control computer CC_B for branch B by an internal data link IDLCC control computers. [0093] The control computer CC_A for branch A processes the datagrams received from the control level CONL. according to the given algorithms, and creates datagrams for the individual executive components EC for the executive part EP. These datagrams are secured by redundancy created by the control computer CC_A for branch A, as well as by redundancy created by the control computer CjCg_for branch B. The creation method and the incurred redundancy created by the control computer CC_A for branch A and the redundancy created by the control computer CC_B for branch B, are different. The redundancy created by the control computer CC_B for branch B is passed to the control computer CC_A for branch A, by an internal data link IDLCC control computers.

[0094] The control computer CC_B for branch B processes the datagrams received from the control level CONL according to the given algorithms and creates datagrams for the individual executive components EC for the executive part EP. These datagrams are secured by redundancy created by the control computer CC^ for branch B, as well as by redundancy created by the control computer CC_Δ_for branch A. The creation method and the incurred redundancy created by the control computer CC_A for branch A and the redundancy created by the control computer CC_B for branch B, are different. The redundancy created by the control computer CC_A for branch A is passed to the control computer CC_B for branch B, by an internal data link IDLCC control computer. [0095] After sending the datagram through the internal communication interface ICI_A and data link EDL_A for branch A to the individual executive components EC for the executive part EP the control computer CC_A for branch A receives the datagrams containing the indications read by the executive components EC. The control computer CC_& for branch A processes the datagrams received from all the executive components EC for the executive part EP according to the algorithms into a consequent datagram meant for the vital computer VC_A for branch A or for the stand-by vital computer VC^ for branch A for the control level CONL. During the creation for these datagrams the mutual exchange for data through an internal data link IDLCC control computers, between the control computer CC_A' for-brahch A and the control computer CC_B for branch B takes place. These datagrams are seciifediby redundancy created by the control computer CC_A for branch A, as well as by redundancy created by the control computer CCg_for branch B. The creation method and the incurred redundancy created by the control computer CC_A for branch A and the redundancy created by the control computer CC^ for branch B, are different. The redundancy, created by the control computer CC_B for branch B, is passed to the control computer CC_A for brarich A, by an internal data link IDLCC control computers.

[0096] After sending the datagram through the internal communication interface ICIg and data link IDL₅ for branch B' to the individual executive components EC for the executive part EP the control computer CCg for branch B, receives the datagrams containing the indications read by the executive components EC. The control computer CC& for brarich B processes the datagrams received from all the executive components EC for the executive part EP, according to the algorithms into a consequent datagram meant for the vital computer VC_ftfor branch B or for the stand-by vital computer yea_! for branch B for the control level CONL. During the creation for these datagrams the mutual exchange for data through an internal data link IDLCC control computers between the control computer CC_A for branch a and the control computer CC₅ for branch B takes place. These datagrams are secured by redundancy created by the control computer CCn for branch B, as well as by redundancy created by the control computer CC^for branch A. The creation method and the incurred redundancy created by the control computer CC_A for branch a and the redundancy created by the control computer CC^ for branch B, are different. The redundancy created by the control computer CC_A for branch a, is passed to the control computer CC₅ for branch B, by an internal data link IDLCC control computers. [0097] The backup for the control part CP for the executive device ED is carried out as follows:

[0098 ] The control part CP for the executive device ED provides communication between the interlocking equipment's control level CONL and the executive device (Fig. 1) and also assures the control for the activities for the executive part EP for the executive device ED (Fig. 2). A failure for the control part CP for the executive device ED means the failure for the entire executive device ED. It is therefore very advantageous to back up the control part CP for the executive device ED. The principle for backing up is based on the characteristics for the watch interface WL . The active control computer CC and stand-by control computer CC₁ have a mutually-connected watch interface WI by an internal data link IDLCP control part (Fig. 2). During a failure-free state the vital source VS for the control computer CC and the vital source VS for the starid-by control computer CC₁ generate power m a Safe' manner, which is then provided to the watch interface WI. By connecting the watch interface WJ for the control computer CC with the watch interface WJ for the stand-by control computer CC₁. the control computer CC has information on the existence for the stand-by control dtfrhputor CC₁ and the stand-by control computer CC₁ has information on the existence for the'cόntrόl computer CC_,

[0099] The activation for the control computer CC and stand-by control computer CC₁ is carried out in steps. If, during the activation for the control computer CC, no other control computer CC is detected by the watch interface WL the control computer CC converts to active status. Subsequently after the activation for the stand-by control computer CC₁ the existence for another control computer CC is detected by its watch interface WJ and the stand-by control computer CC₁ goes into hot-stand-by mode, whefe it waits from the necessary data from the control computer CC. The control computer CC detects the existence for a stand-by control computer CC₁ through its watch interface Wl. and sends it the necessary data for the proper hit stand-by activity. In other activities, the stand-by control computer CC₁ monitors the operation on the internal data links IDL_A. IDL_B for respective branches A,B on the external data links EDL_A EDL_B_for respective branches A,B; and it performs all activities according to the compatible with the control computer's CC algorithms, except for sending datagrams to the executive device ED and to the control level CONL. In the event for a failure for the control computer CC the supply from its, vital source VS is terminated and the watch interface WJ for the stand-by control computer CC₁ evaluates this termination, and the stand-by control computer CC₁ switches to active status, i.e. it becomes the control computer CC.

[0100] The security for the control computer CC is ensured as follows: [0101] The security for the control computer CC is based on the circuit for the vital source VS, which is designed as a circuit with internal security and an anti-packing function. If no failure is detected by the control computer CC^for branch A, the control computer CC_A for branch A creates a dynamic signal for the vital source VS. If no failure is detected by the control computer CC₃JOr branch B, the control computer CC_B for branch B creates a dynamic signal for the vital source VS. The vital source VS only creates the vital power supply for the external communication interface ECI_A. external communication interface ECIn. internal communication interface ICI_A. internal communication interface ICI_B for the respective branches A and B, and the watch interface WI during the activation for the control computer CC, i.e. during the controlled switching to voltage VA, VB for respective branches A,B (voltage for source S), under the simultaneous dynamic signal for control computer CC_A for branch A and the dynamic signal for control computer CCgJbr branch B. When detecting the first failure, the control computer CC_A for branch A stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the external communication interface ECI_A. external communication interface ECI_B. internal communication interface ICJA, internal communication interface ICI_B for the branches A and B and, the watch interface WL The control computer CC_A for branch A stops communicating with control computer CC_B for branch B, via the link IDLCC control computers. As a result for the interrupted communication via the internal data link IDLCC control computers, the control computer CC_B for branch B also stops executing its program, and thus also generating the dynamic signal for the vital source VS. The vital source VS will no longer react to any subsequent failure, during which the dynamic signal could be restored, and the vital supply is not restored. The control computer CC is in a secure state and irreversibly disengaged from its surroundings. When detecting the first failure, the control computer CC_B for branch B stops executing its program, and thus also generating the dynamic signal for the vital source VS. with the result that the vital source VS stops generating the vital supply for the external communication interface ECU . external communication interface ECIg. internal communication interface ICI_A. internal communication interface ICI_B for the branches A and B and the watch interface Wj. The control computer CC_B for branch B stops communicating with control computer CC_A for branch A, via the link IDLCC. As a result for the interrupted communication via the internal data link IDLCC control computers, the control computer CC_A for branch A also stops executing its program, and thus also generating the dynamic signal for the vital source VS. The vital source VS will no longer react to any subsequent failure, during which the dynamic signal could be restored, and the vital supply is not restored. The control computer CC is in a secure state and is irreversibly disengaged from its surroundings.

[0102] The mutual backup for external data links EDL_A and EDL_B is carried out as follows:

[0103] The user data stored in the datagrams submitted between the control level CONL and executive device ED have an identical value in branch A and in branch B obtained by the relevant algorithms for harmonising data between the branches A,B. [0104] The datagrams submitted by the vital computer VC_A for branch A to the executive device ED are given redundancy created by the vital computer VC_A for branch A, as well as by redundancy created by the vital computer VC_B for branch B The creation method and resulting redundancy created by the vital computer VC_A for branch A and the redundancy created by the vital computer VC_B for branch B, are different. After receiving these datagrams the control computer CC_A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the control computer CC_B for branch B over the internal data link IDLCC control computers. The control computer CCR for branch B also .checks the identity and authenticity for these datagrams according to security algorithms, both for branch A and branch B. The datagrams sent by the vital computer VC_B for branch B to the executive device ED are given redundancy created by the branch B vital computer VC_B for branch B, as well as by redundancy created by the vital computer VC_A for branch A. The creation method and resulting redundancy created by the vital computer VC_B for branch B, and the redundancy created by the vital computer VC_A for branch A, are different. After receiving these datagrams the control computer CC_B for branch B checks their identity and authenticity according to security algorithms, both for branch B and branch A. After being successfully inspected, the datagrams are sent to the control computer CC_A for branth A ovef the internal data link IDLCC. The control computer CC_A for branch B also checks- "the identity and authenticity for these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both control computer CC_A for branch A and control computer CC_B for branch B, have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both control computer CC_B for branch B and control computer CC_A for branch A; 'have the datagram from branch A available. [0105] The situation is analogous in the opposite direction for sending the datagrams, i.e. sending the datagrams from the executive device ED to the control level CONL. The datagrams submitted by control computer CC_A for branch A to the control level CONL are' given redundancy created by both the branch A control computer CC_A for branch A, as well as by redundancy created by control computer CC^for branch B. The creation method and resulting redundancy created by the control computer CC_A for branch A, and the redundancy created by the control computer CCg for branch B, are different. After receiving these datagrams the vital computer VC_A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the vital computer VCB f°^r branch B over the internal data link IDLCL. The vital computer VC₅ for branch B also checks the identity and authenticity for these datagrams according to security algorithms, both for branch A and branch B. The datagrams sent by the control computer CCg/or branch B to the control level CONL are given redundancy created by both the control computer CC_E for branch B as well as by redundancy created by the branch A control computer CC^for branch A. The creation method and resulting redundancy created by the control computer CC_B for branch B , and the redundancy created by the branch A control computer CC_A are different. After receiving these datagrams the vital computer VC^ for branch B checks their identity and authenticity, according to security algorithms/ both for branch A and branch B. After being successfully inspected, the datagrams are sent to the vital computer VC_A for branch A over the internal data link IDLCL control level. The vital computer VC_A for branch A also checks the identity and authenticity for these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both vital computer VC_A and vital computer VC_B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both vital computer VC_B for branch B and vital computer VC_A for branch A , have the datagram from branch A available. [0106] It is possible to use one common medium for transmission since the creation method and subsequent redundancy for branch A and branch B are independent.

[0107] The diagnostic computed DC. which gathers, stores and sorts the operational and functional statuses for the executive device ED that are sent from the control computer CC_A for branch A and control computer CC_B for branch B is used to ensure the transfer for the diagnostic data. [0108] The fail-safe effect in the sense for CSN 34 2600 and the proposed EN 50 129 is contained both by the use for the 2 for 2 system as a system with redundant safety with a sufficiently timely detection for the "1^st error," which cannot in and for itself cause an unsafe effect, though could cause an unsafe effect in combination with another error. After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation for other failures. The detection for the 1^st error and the vital reaction demonstrably occurs in a time shorter than the occurrence for a 2^nd error (which could, in combination with the 1^st error, cause an unsafe effect) can be expected with the prescribed probability. In order to ensure the fail-safe effect the vital computer VC_A for branch A and stand-by vital computer VC^ for branch A, are also equipped with different sfortware in comparison with the vital computer VC_B for branch B and stand-by vital computer VC^for branch B, though the sfortware for both the vital computer VC_A for branch A and stand-by vital computer VC_M for branch A, and the vital computer VC_B for branch B and stand-by vital computer VC^i for branch A, is processed according to a joint assignment.

E x a m p l e 4 (Fig.4)

[0109] The configuration for the executive component EC, from which the executive part EP is created, is illustrated in Fig.4.

[0110] The executive component EC is comprised for nine function partø FPU¹FPZtO¹FP^. The first function part FPl' and any for the second FP2 to the ninth function parts' FP9 or their combination is always necessary for the proper activity for the executive component EC. ' ^< ' > .J

[0111] The executive component EC thus always contains the first function.' part" FPl. connected with at least one other function part FP2 - FP9. always through ^sthe^lexecutive computer EC_A for branch A and the executive computer EC^branch B, of also through the vital source VS.

[0112] The first function part FPl is comprised for two executive computers EC_A. EC_B. which are mutually connected by an internal data link IDLEC executive computers. The executive computer EC_A for branch A is connected in both directions with the internal communication interface ICI^ for branch A, and is also connected to the vital source VS. The executive computer EC_B for branch B is connected in both directions with the internal communication interface ICI_B for branch B and is also connected to the vital 'source VS.- The vital source VS is connected to the two internal communication interfaces ICΪ_A'.' ' ICIk.' connected to the internal data links IDL_A. EPL_B for the executive device ED. [0113] The second function part FP2 is comprised for vital contact outputs VC⁽D:" watch WVCO_A vital contact oiifiirtits for branch A, and watch WVCOg vital cbniacϊOuφutsTor branch B. The vital contact 'outputs VCO are connected to the watch WVCO_A. WV€0_B Vital contact outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EC_A EC_B for the respective branch A or ¹B. The' watch WVC0_A. WVCO₃ vital Contact outputs for the respective branch A or B are also connected to the executive computers EC_A. EC^for the respective branch A or B. ^ ^{i <}-^> [0114] The third function part FP3 is comprised for vital logical outputs VLO. watch WVL0_A vital logical outputs for branch A, and watch WVLOg vital logical outputs for branch B. The vital logical outputs VLO are connected to the watch WVL0_A. WVLOB vital logical outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EC^ EC_g for the respective branch A or B. The watch WVLQa, WVLOB vital logical outputs forfor the respective branch A or B are also connected to the executive computers EC_A. ECg/or the respective branch A or B. [0115] The fourth function part FP4 is comprised for vital coded logical outputs VCLO. watch WVCL0_A vital coded logical outputs for branch A, and watch WVCL0_B vital coded logical outputs for branch B. The vital coded logical outputs VCLO are connected to the watches WVCL0_A. WVCLOg vital coded logical outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EQ₁ EC_B for the respective branch A or B. The watches WVCLO_A. WVCLOB vital coded logical outputs forfor the respective branch A or B are also connected to the executive computers EC_A. EC_B for the respective branch A or B.

[0116] The fifth function part FP5 is comprised for vital analogue outputs VAO. watch WVA0_A vital analogue outputs for branch A, and watch WVAOB vital analogue outputs for branch B. The vital analogue outputs VCO are connected to the watch WVAO_A. WVAOB vital analogue outputs for the respective branch A or B, as well as to the vital source VS and also with the executive computers EC^ EC_B for the respective branch A or B. The watch WVAO_A. WV AOB vital analogue outputs for the respective branch A or B are also connected to the executive computers EC_A. ECg/or the respective branch A or B. [0117] The sixth function part FP6 is comprised for non-vital outputs NO. which are connected with the executive computers EC_A. EC_B for the respective branch A or B. [0118] The seventh function part FP7 is comprised for logical inputs LL which are connected with the executive computers EC_A. EC_B for the respective branch A or B. [0119] The eighth function part FP8 is comprised for analogue inputs AL which are connected with the executive computers EC_A. EC_B for the respective branch A or B. [0120] The ninth function part FP9 is comprised for the vital data interface VDL which is connected to the vital source VS and also to the executive computers EC_A. ECR for the respective branch A or B.

[0121] The executive computer EC_A for branch A communicates with the control part CP through the internal communication database ICI_A and via the internal data link IDL_A for branch A (Fig.2). [0122] The executive computer EC_B for branch B communicates with control part CP through the internal communication database ICI_B and via the internal data link IDL_B for branch B (Fig.2).

[0123] Both the executive computer EC_A and executive computer EC_B for respective branches A,B, mutually communicate with each other together, by an internal data link EDLEC executive computers between these executive computers EC_A and EC_B.The vital source VS. is connected to the executive computers EC_A and EC_B. to the internal communication interfaces ICI_A and ICI_B. to the vital contact outputs VCO. vital logical outputs VLO, vital coded logical outputs VCLO. vital analogue outputs VAO and vital data interface VDI. The vital source VS is a circuit with internal security and with a anti-packing function generating the vital power supply for the supply for internal communication interface IC I_A for branch A, internal communication interface ICIB for branch B, vital contact outputs VCO. vital logical outputs VLO. vital coded logical outputs VCLO. Vital analogue outputs VAO and vital data interface VDI. The activity for the vital sOurce VS is controlled by the dynamic signals for the executive computers EC_A and ECg.

[0124] The executive component EC for the executive part EP for the executive device ED works as follows:

[0125] The executive computer EC_A for branch A and executive computer EC_B for branch B communicate with the control part CP for the executive device ED, through the internal data link IDL_A for branch A and the internal data link FDLg for branch B. [0126] The executive computer EC_A for branch A receives datagrams frorrt the branch A control computer CC or from the branch A stand-by control computer CC₆₁ for the control part CP for the executive device ED (Fig. 2), which contain requests for issuing -outputs or requests for the transmission for scanned indications by the executive corriponeni EC through the internal communication interface ICI_A and internal data link IDL_A for branch A. After the identity and authenticity for the datagrams received by the executive computer EC_A for branch A are checked, they are transmitted to the executive computer EC_B for branch B, by an internal data link IDLEC executive computers. The executive computer EC_B for branch B also controls these diagrams, submitted by an internal data link IDLEC executive computers, for identity and authenticity pursuant to its algorithms.

[0127] The executive computer EC_A for branch A responds via branch A for the control computer OC and via branch A for the stand-by control computer CC_A1 (if the stand-by control computer CC₁ is used) with datagrams containing indications read by the executive component EC. These datagrams are secured by redundancy created by the executive :\ ^;u;i - 28 - ^{' ■■}: computer EC_A for branch A, as well as by redundancy created by the executive computer EC_B_for branch B. The creation method and the incurred redundancy created by the executive computer EC^ for branch A and the redundancy created by the executive computer EC_B for branch B₁ are different. The redundancy created by the executive computer ECa/or branch A, is passed to the executive computer EC_B for branch B, by an internal data link IDLEC executive computers.

[0128] The executive computer EC_B for branch B receives the datagrams from branch B for the control computer CC or from branch B for the stand-by control computer CC₅₁ for the control part for the executive device CP through the internal communication interface ICI_B and internal data link IDItø for branch B. The datagrams contain requests for issuing outputs or requests for the transfer for indications scanned by the executive part EP. After the identity and authenticity for the datagrams received by the executive computer EC_B_for branch B are checked, they are transmitted to the executive computer EC_A for branch A by an internal data link IDLEC executive computers. The executive computer EC_A for branch A also controls these diagrams, submitted by a data link IDLEC executive computers, for identity and authenticity pursuant to its algorithms.

[0129] The executive computer EC_B for branch B responds via branch B for the control computer CC and via branch B for the stand-by control computer CCa₁ (if the stand-by control computer CC₁ is used) with datagrams containing indications read by the executive component EC. These datagrams are secured by redundancy created by the executive computer EC_B for branch B, as well as by redundancy created by the executive computer EC_Δ_for branch A. The 'creation method and the incurred redundancy created by the executive computer ECJ T for branch B and the redundancy created by the executive computer EC_A for branch¹¹A, are different. The redundancy created by the executive computer EC_B for branch tii is passed to the executive computer EC_A for branch A, by an internal data link IDLEC executive computers. : ^{, :; i} u -^:-.^\ ,

[0130] The executive cornptrter EC_A for branch A processes the datagram received from the control part CP for the executive device ED pursuant to the given algorithms and the executive computer EC^fόr branch A, controls vital contact outputs VCO for issuing vital contact commands, the executive computer EC_A for branch A controls Vital logical outputs VLO for issuing vital logical commands, the executive computer EC_A for branch A controls vital coded logical outputs VCLO for issuing vital coded logical commands, the executive computer EC_A for branch A controls vital analogue outputs VAO for issuing vital analogue commands, the executive computer EC_A for branch A controls non-vital outputs NO for issuing non-vital commands'. The executive computer EC_A for branch A performs the control activities for the vital contact outputs VCO, through watch WVC0_A vital contact outputs for branch A. The executive computer EC_A for branch A performs the control activities for the vital logical outputs VLO through watch WVLO_A vital logical outputs for branch A. The executive computer EC_A for branch A performs the control activities for the vital coded logical outputs VCLO through watch WVCL0_A vital coded logical outputs for branch A. The executive computer EC^Jbr branch A performs the control activities for the vital analogue outputs VAO through watch WVAO_A vital analogue outputs for branch A. [0131] The executive computer EC_B for branch B processes the datagram received from the control part CP for the executive device ED pursuant to the given algorithms and the executive computer EC_B for branch B controls vital contact outputs VCO for issuing vital contact commands. The executive computer EC_B for branch B controls vital logical outputs VLO for issuing vital logical commands. The executive computer EC_B for branch B controls vital coded logical outputs VCLO for issuing vital coded logical commands. The executive computer EC_B for branch B controls vital analogue outputs VAO for issuing vital analogue commands. The executive computer EC_B for branch B controls non-vital outputs NO for issuing non-vital commands. The executive computer ECp performs the control activities for the vital contact outputs VCO through watch WVCOg vital contact outputs for branch B. The executive computer EC_B for branch B performs the control activities for the vital logical outputs VLO through watch WVLOg vital logical outputs for branch B. The executive computer EC_B for branch B performs the control activities for the vital coded logical outputs VCLO through watch WVCLOR vital coded logical outputs for branch B. The executive computer EC_B for branch B performs the control activities for the vital analogue outputs VAO through watch WVAOg vital analogue outputs for branch B.

[0132] In order to achieve the required security for the vital contact commands, they are only issued in the event that the executive computer EC_A for branch A and executive computer EC_B for branch B carry out the identical commanding for vital contact outputs VCO. The watch WVC0_A vital contact outputs for branch A is used by the executive computer EC_A for branch A to control the vital contact outputs VCO issued by the executive computer EC_A for branch A, and to control the vital contact outputs VCO issued by the executive computer ECg for branch B. The watch WVCOg vital contact outputs for branch B is used by the executive computer EC_B for branch B to control the vital contact outputs issued by the executive computer EC_B for branch B and to control the vital contact outputs issued by the executive computer EC^for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction. [0133] In order to achieve the required security for the vital logical commands, they are only issued in the event that the executive computer EC_A for branch A and executive computer EC_B for branch B carry out the identical commanding for vital logical outputs VLO. The watch WVLO_A vital logical outputs for branch A is used by the executive computer EC^for branch A to control the vital logical outputs issued by the executive computer EC_A for branch A, and to control the vital logical outputs issued by the executive computer EC_B for branch B. The watchs WVLOg vital logical outputs for branch B is used by the executive computer EC_B for branch B, to control the vital logical outputs issued by the executive computer EC_B for branch B, and to control the vital logical outputs issued by the executive computer EC^for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction. [0134] In order to achieve the required security for the vital coded logical commands, they are only issued in the event that the executive computer EC_A for branch A and executive computer EC₅ for branch B carry out the identical commanding for vital coded logical outputs VCLO. The watch WVCL0_A vital coded logical outputs for branch A is used by the executive computer EC_A for branch A, to control this vital coded logical outputs .issued by the executive computer EC_A for branch A, and to control the vital coded logical outputs issued by the executive computer ECgJbr branch B. The watch WVCLOg vital coded logical outputs for branch B, is used by the executive computer EC_B for branch B to control the vital coded logical outputs, issued by the executive computer EC_a for branch B, and to control the vital coded logical outputs issued by the executive computer EC^for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction.

[0135] In order to achieve the required security for the vital analogue commands, they are only issued in the event that the executive computer EC_A for branch A and executive computer EC_B for branch B carry out the identical commanding for vital analogue outputs VAO. The watch WVA0_A vital analogue outputs for branch A is used by the executive computer EC_A for branch A to control the vital analogue outputs issued by the executive computer EC_A for branch A, and to control the vital analogue outputs issued by the executive computer ECg/or branch B. The watch WVAOg vital analogue outputs for branch B is used by the executive computer EC_B for branch B to control the vital analogue outputs issued by the executive computer EC_B for branch B and to control the vital analogue outputs issued by the executive computer EC^for branch A. Any detected discrepancy during the controls for the issued vital contact outputs calls a vital reaction.

[0136] In order to achieve the required security for the vital reading for logical indications, the executive computer EC_A for branch A and executive computer EC_B for branch B compare each other's values for the logical inputs LI. An internal data link IDLEC executive computers is used in order to transfer the read indications between the executive computer EC^for branch A and executive computer EC_B for branch B. Moreover all for the inputs are tested for the ability for their controlled switch to basic status. A discrepancy calls a vital reaction.

[0137] In order to achieve the required security for the vital reading for analogue indications, the executive computer EC_A for branch A and executive computer EC_B for branch B compare each other's values for the analogue inputs AI. An internal data link IDLEC executive computers is used in order to transfer the read indications between the executive computer EC_A for branch A and executive computer EC_B for branch A A discrepancy calls a vital reaction.

[013~8] The ninth function part comprised for a vital data interface VDI is used for the vital or non-vital data connection for some interlocking equipment and, in cooperation with the executive computer EC_A for branch A and the executive computer EC_B for branch B_t performs the transformation for the data from/to the connected interlocking equipment into a suitable structure and performs the relevant algorithms. ' ' ^■

[0139] The security for the executive component EC is ensured as follows: , 1 I .', i i

[0140] The security for the executive component EC is based on the circuit for the vital source VS. which is designed as a circuit with internal security and an anti-packing function. If no failure is detected by the executive computer EC^for branch A, the executive computer EC_A for branch A creates a dynamic signal for the vital source VS. If no failure is detected by the executive computer 'ECg for branch B, the executive computer EC₅ for branch B creates a dynamic signal for the vital source VS. Only during the activation for the executive component, i.e. for the controlled switching to voltage VA. VB for source S and for the dynamic signal for the executive computer EC_A for branch A, and for the dynamic; signal for the executive computer EC_B for branch B, does the vital source VS create the vital power supply for the internal communication interface ICI^for branch A, internal communication interface ICI_B for branch B, vital contact outputs VCO. vital logical outputs VLO. vital coded logical outputs VCLO. vital analogue outputs VAO and vital data interface VDI. When detecting the first failure, the executive computer EC_A for branch A stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the internal communication interface ICL^for branch A, internal communication interface ICI_B for branch B vital contact outputs VCO. vital logical outputs VLO. vital coded logical outputs VCLO. vital analogue outputs VAO and vital data interface VDI. which switch to the vital state. The executive computer EC_A for branch A stops communicating with executive computer EC_B for branch B, via the internal data link IDLEC executive computers. As a result for the interrupted communication via the internal data link IDLEC executive computers, the executive computer EC_B for branch B also stops executing its program, and thus also generating the dynamic signal for the vital source VS. The vital source VS will no longer react to any subsequent failure, during which the dynamic signal would be restored, and the vital supply is not restored. The executive component EC is in a secure state and irreversibly disengaged from its surroundings. When detecting the first failure, the executive computer EC_B for branch B stops executing its program, and thus also generating the dynamic signal for the vital source VS, with the result that the vital source VS stops generating the vital supply for the internal communication interface ICI^for branch A, internal communication interface ICI_B for branch B_α vital contact outputs VCO. vital logical outputs VLO. vital coded logical outputs VCLO. vital analogue outputs VAO and vital data interface VDI. which switch to the vital state. The executive computer EC_a for branch B stops communicating with ⁽executive computer EC^ for'branch A, via the internal data link IDLEC executive computers-. As a result for the interrupted communication via the internal data link ^■IDLEC_exe'έ^tive computers, the executive computer EC_A for branch A also stops executing its program, and thus also generating the dynamic Signal for the vital source VS. The vital source VS will no longer react to any subsequent failure, during which the dynamic signal would be restored, and the vital supply is not restored. The executive component EC is in a secure sltate and irreversibly disengaged from its surroundings. ' ' '

[0141] The mutual backup for internal data links IDL_A and IDL_g for executive device's ED is executed by following procedure:

[0142] The user data stored in the datagrams submitted between the control part CP and executive part EP have an ^"identical value in branch A and in branch B obtained by the relevant algorithms for harmonising data between the branches.

[0143] The datagrams submitted by control computer CC^ for branch A to the executive part EP are given redundancy created by both control computer CC_A for branch A, as well as by redundancy created by control computer CC_g for branch B. The creation method and resulting redundancy created by the control computer CC^ for branch A and the redundancy created by the branch B control computer CC_B for branch B,are different. After receiving these datagrams the executive computer EC^for branch A checks their identity and authenticity, according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the executive computer EC_B for branch B over the internal data link IDLEC executive computers. The executive computer EC_B for branch B also checks the identity and authenticity for these datagrams, according to security algorithms, both for branch A and branch B. The datagrams sent by the control computer CC_B for branch B to the executive part EP are given redundancy created by both the control computer CC_B for branch B, as, well as by redundancy created by the control computer CC_A for branch A. The creation method and resulting redundancy created by the control computer CC_B for branch B, and the redundancy created by the control computer CC_A for branch A, are different. After, receiving these datagrams the executive computer EC_B for branch B checks their identity and authenticity according to security algorithms, both for branch B and branch A. After being successfully inspected, the datagrams are sent to the executive computer EC_A for branch A over the internal data link EDLEC r executive computers. The executive computer EC_A for branch A also checks the identity and authenticity for these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both executive computer EC_A for branch A and executive computer EC_B for branch B have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both executive computer EC_A for branch A and executive computer EC_B for branch B, have the datagram from branch A available.

[0144] The situation is analogous in the opposite direction for sending the datagrams, i.e. sending the datagrams from the executive part EP to the control part CP. The datagrams submitted by executive computer EC_A for branch A to the control part CP are given redundancy created by both the executive computer EC^ for branch A as well as by redundancy created by executive computer EC_B for branch B. The creation method and resulting redundancy created by the executive computer EC_A for branch A and the redundancy created by the executive computer EC_B for branch B, are different. After receiving these datagrams the control computer CC_A for branch A checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the control computer CC_B for branch B over the internal data link IDLCC control computers. The control computer CC_B for branch B also checks the identity and authenticity for these datagrams according to security algorithms, both for branch A and branch B. The datagrams sent by the executive computer EC_B for branch B to the control part CP are given redundancy created by both the executive computer EC_B for branch B, as well as by redundancy created by the executive computer EC_A for branch A. The creation method and resulting redundancy created by the branch B executive computer EC_B for branch B and the redundancy created by the executive computer EC_A for branch A, are different. After receiving these datagrams the control computer CCg for branch B checks their identity and authenticity according to security algorithms, both for branch A and branch B. After being successfully inspected, the datagrams are sent to the control computer CC_A for branch A over the internal data link IDLCC control computers. The control computer CC_& for branch A also checks the identity and authenticity for these datagrams according to the security algorithms, both for branch A and for branch B. If a failure or damaged datagram occurs in branch A, both control computer CC_A for branch A and control computer CC_B for branch B, have the datagram from branch B available. If a failure or damaged datagram occurs in branch B, both control computer CC_B for branch B and control computer CC_A for branch A, have the datagram from branch A available. [0145] It is possible to use one common medium for transmission since the creation method and subsequent redundancy for branch A and branch B are independent.

[0146] The fail-safe effect in the sense for OSN 34 2600 and the proposed EN 50 129 is contained both by the use for the 2 for 2 system as a system with redundant safety and with a sufficiently timely detection for the "1^st error," which cannot in and for itself cause an unsafe effect, though could cause an unsafe effect in combination with another error. After detecting the 1st error there follows a vital reaction, which demonstrably prevents the occurrence or manifestation for other failures. The detection for the I^s* error and the vital reaction demonstrably occurs in a time shorter than the occurrence for a 2^nd error (which could, in combination with the 1^st error, cause an unsafe effect) can be expected with the prescribed probability. In order to ensure the vital effect executive computer EC^ for branch A is also equipped with different software in comparison with the executive computer EC^for branch B, though the software for both the executive computer EC_A for branch A and executive computer EC_B for branch B, is processed according to a joint assignment.

E x a m p l e 5 (Fig. 5)

[0147] The configuration for source S for the supply part SP for the executive device ED is illustrated in Fig. 5, from which it is evident that it is put together from the following basic parts: the source SA, source SB, measurement circuits MC. control circuits CONC and internal communication interface ICI. [0148] The source SA generates voltage VA meant for the supply for branch A for the control part CP for the executive device ED and branch A for the executive part EJP for the executive device ED as its output, The source SB generates voltage VB meant for the supply for branch B for the control part CP for the executive device ED and branch A for the executive part EP for the executive device ED. The control circuits CONC are used to control the level for the voltage supply VA for source SA and to control the level for the voltage supply VB for source SB. The measurement circuits MC are used to measure the voltage and current for the source SA_and to measure the voltage and current for the source SB. The internal communication interface ICI is used for the source's S communication with the control part CP for the executive device ED.

[0149] The source SA and source SB are mutually independent and are supplied with supply voltage SV. The output circuits for sources SA and SB are supplemented with circuits to prevent back current for the purpose for allowing back-ups.

[0150] The backup for the supply part SP for the executive device ED is carried out as follows:

[0151] One for the most stressed parts for the executive device is its supply part SP. It is very advantageous to back up the supply part SJP. The principle for backing up the supply part SP is based on one for the basic characteristics for the control part CP and executive part EP for the executive device ED, which consist in the extended tolerance for their voltage VA and VB and is also based on the circuit design for the source S. Both for the source's S mutually independent sources SA and SB are capable for delivering an output for two voltage levels, i.e. the basic voltage or decreased voltage, on the basis for the activities for .the control circuits. These two possible voltage levels are in the range for the voltages VA and VB for the control part CP and executive part EP for the executive device ED. [0152] In the back-up mode for the supply part SP for the executive device ED (Fig. 2) one source S (i.e. both for its sources SA and SB) works with the basic voltage VA and VB. and the second source S_j (i.e. both for its sources SA and SB) works with the decreased voltage VA and VB. The control part CP for the executive device ED obtains information on the current load for source S and stand-by source S₁ through the measurement circuits MC for the source S and stand-by source S₁, internal communications interface ICI for the source S and stand-by source S₁. In this state the supply is provided by the source S, since its voltages VA and VB are higher than the voltages for the stand-by source S₁. The output current for source S, and thus for its partial sources SA and SB, is not zero and the output current for the stand-by source S₁, and thus for both for its partial sources SA₁ and SB₁, is zero or close to zero. In the case for a failure for the active source S the stand-by source S₁ ensures the supply for energy and the current delivered to it is increased. In such a situation the control part CP for the executive device ED issues a command through the internal data interface ICI_A or ICI_B. the internal data link IDL_A or IDL_B and internal communication interface ICI for the source to the control circuits for the stand-by source S₁ to switch from the decreased output level for voltage VA and VB to the basic output level for voltage VA and VB. The information on the failure for source S is recorded in the diagnostic computer DC for the control part for the executive device ED. The aforementioned solution enables the stand-by mode to be mutually alternated on both sources for the backed-up supply part SP for the executive device over time, thereby uncovering a failure for source S₁, which is in stand-by mode.

E x a m p l e 6

(Fig. 6)

[0153] The alternative configuration for the electronic interlocking equipment pursuant to

Fig. 6 differs from the first example configuration pursuant to Fig. 1 in that the commanding level for the signalling equipment COML is connected to a watch remote commanding level RCL so that the bridge B for the watch part is connected by a data link to the vital data network's hub HUB, another data link with the vital data network's stand-by hub HUB₁ and another data link with the supervision system SS. ^{tK t!} "' ^AA - ^l ^

[0154] This configuration is Used for the remote control and management for traffic. '^■"'■< ^''-' [0155] The connection for bridge B via a data link to the vital data network's starid-% hut> HUB₁ does not take place unless the stand-by connection for the remote command level RCL is requested.

E x a m p l e 7 (Fig. 7)

[0156] The alternative configuration for the electronic interlocking equipment with a remote executive device pursuant to Fig. 7 differs from the I^st example configuration pursuant to Fig. 1 in that a communication level CL comprised for communication equipment CE is inserted between the control level CONL and the executive level EL. The vital "computer VC_A and stand-by vital computer VC^ for branch A are connected by an external data link EDL_A for branch A to the communication equipment CE for the communication level CL. The vital computer VC_A and stand-by vital computer VCA₁ are connected by an external data link EDL_Δ for branch A to the communication equipment CE for the communication level CL. The communication equipment CE for the communication level CL is both connected by another external data link EDL_A' for branch A and another external data link EDL₅' for branch B to the executive device ED for the executive level EL. This alternative configuration is used in the event when it is necessary to withdraw the executive level EL or its part from the control level CONL. E x a m p I e 8 (Fig. 8)

[0157] The display for an alternative configuration for the executive component EC designated as SH, which is meant for reading input logical information. This specific alternative configuration with the designation SH contains the first function part FPl, connected to the seventh function part FP7. The first function part FPJ_. and seventh function part FP7 are described in detail in configuration example 4.

[0158] Fig. 8 differs from the 4^th configuration example illustrated in Fig.4 in that it does not contain the second function part FP2. third function part FP3. fourth function part FP4, fifth function part FP5. sixth function part FP6. eighth function part FP8 and ninth function part FP9.

E x a m p l e 9 (Fig. 9) [0159] The display for an alternative configuration for the executive component EC designated as SCI. which is meant for issuing vital contact commands. This specific alternative configuration with the designation SCI contains the first function part FPl and second function part FP2. both described in more detail in configuration example 4. Fig. 9 differs from the 4^th configuration example in that it does not contain the third function part FP3 and other function parts, the fourth function part FP4 to the ninth function part FP9.

E x a m p l e 10

(Fig. 10)

[0160] The display for an alternative configuration for the executive component EC designated as SOI. which is meant for issuing vital and non-vital logical commands. This other specific alternative configuration represents a combination for the first function part

FPl. third function part FP3 and sixth function part FP6. both described in more detail in configuration example 4.

[0161] Fig. 10 differs from the 4* configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2. fourth function part FP4, fifth function part FP5, and other seventh function part FP7 to ninth function part FP9.

E x a m p l e 11 (Fig. 11) [0162] The display for an alternative configuration for the executive component EC designated as TCI. which is meant for determining the occupancy for the track circuits, switching the track circuit equipment and for generating the frequency for additional coding. This alternative configuration with the designation TCI contains the first function part FPl in combination with the third function part FP3. fourth function part FP4 and seventh function part FP7. [0163] Fig. 11 differs from the 4^th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2, fifth function part FP5, sixth function part FP6. eighth function part FP8 and ninth function part FP9.

E x a m p l e 12 (Fig. 12)

[0164] The display for an alternative configuration for the executive component EC designated as SLI. which is used for controlling signal or point machine lights. The alternative configuration under the designation SLJ contains the first function part FPJ. in combination with the fifth function part FP5 and eighth function part FP8. [0165] Fig. 11 differs from the 4* configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2 to fourth function part FP4. sixth function part FP6. seventh function part FP7 and ninth function part FP9.

E x a m p l e 13 (Fig. 13)

[0166] The display for an alternative configuration for the executive component EC designated as SDI. which is used for vital communication and the control for the interlocking equipment, such as the crossing control stations, axle counters, etc. The alternative configuration under the designation SDI contains the first function part FPl connected to the ninth function part FP9.

[0167] Fig. 13 differs from the 4^th configuration example illustrated in Fig. 4 in that it does not contain the second function part FP2 to eighth function part FP8. [0168] The specified configurations are example configurations and their scope is not comprehensive. Other example configurations and their combinations are possible in the framework for the patent claims for this invention.

Industrial Applicability

[0169] The solution is meant for controlling adjacent equipment, e.g. signal equipment, points, level crossings, axle counters, track circuits, etc., which contribute to ensuring the traffic routes for railway vehicles. List for Abbreviations

[0170] ACC - Active Commanding Computer AI - Analogue Input

AOCl - 1* Arrangement AOCl for Operating Computers AOC2 - 2^nd Arrangement AOC2 for Operating Computers

B - Bridge

CC - Control Computer CCi - Stand-By Control Computer

CCA -Control Computer CCA for Branch A

CC_B - Control Computer CCB for Branch B

CE - Communication Equipment

CL - Communication Level COML - Commanding Level COML

CONC - Control Circuits

CONL - Control Level

CP - Control Part DC - Diagnostic Computer

EC - Executive Component

EC_A -Executive Computer ECA for Branch A

EC_B -Executive Computer ECn for Branch B ECU -External Communication Interface ECIA for Branch A

ECI_B -External Communication Interface ECIn for Branch B

ED - Executive Device

EDLA -External Data Link EDLA for Branch A

EDLB -External Data Lmk EDL_B forBranch B EDL'_A -External Data Ljnk EDLΑ forBranch A

EDL'B -External Data Ljnk EDL'_B for Branch B

EL - Executive Level

EP - Executive Pah

FPl - First Function Part

FP2 - Second Function Part

FP3 - Third Function Part

FP4 - Fourth Function Part FP5 - Fifth Functipn Part

FP6 - Sixth Function Part

FP7 - Seventh Function Part

FP8 - Eighth Function Part

FP9 - Ninth Function Part

HUB - Hub

HUB, - Stand-By Hub

ICI - Internal Communication Interface ICIA Internal Communication Interface ICL for Branch A

ICI_B -Internal Communication Interface ICI_n forBranch B IDL_A -Internal Data Link IDLA for Branch A IDLB -Internal Data Link IDLB for Branch B IDLCC - Internal Data Link IDLCC Control Computer IDLCL - Internal Data LmkJDLCLControl Level IDLCL_A -Internal Data LmkJDLCL_A Control Level for Branch A IDLCL_B -Internal Data Link IDLCL_B for Control Level for Branch B IDLCL, - Stand-By Internal Data Link IDLCL, Control Level

IDLEC - Internal Data Link IDLEC Executive Computer IDLCP - Internal Data Link IDLCP Control Part

LI - Logical Input MC - Measurement Circuits

NO - Non-Vital Output PCC - Passive Commanding Computer RCL - Remote Commanding Level S - Source for Supply Part

S, - Stand-By Source for Supply Part

SA -Source SA for Branch A

SB -Source SB for.Branch B

SCI - Safetv'-Cδntact Interface SDI - Safety Data Interface

SH - Safety Input Merface ^{< J 1} ^

SLI - Signal Light Interface ' ' ^f

SOI - Safety Output Interface

SP - Supply Part for Executive Device ' SS - Supervision System

SV - Supply Voltage

TCI - Track Circuit Interface Element

Λ VA -Voltage VA for Branch A

VAO - Vital Analogue Outputs

VB -Voltage VB for Branch B

VC_A -Vital Computer VB for Branch A

VC_B -Vital Computer VC_n for Branch B VCA₁ - Stand-Bv Vital Computer VCAI for Branch A

VC_BI - Standby Vital Computer VCm for Branch B

VCLO - Vital Coded Logical Outputs .

VCO - Vital Contact Outputs

VDI - Vital Data Interface VLO - Vital Logical Outputs

VS - Vital Source

WI - Watch Interface

WVAO_A -Watch WVA0_A Vital Analogue Outputs for Branch A WVAOB -Watch WVAOR Vital Analogue Outputs for Branch B

WVCO_A -Watch WVC0_A Vital Contact Outputs for Branch A WVCO_B -Watch WVCO_B Vital Contact Outputs for Branch B WVCLO_A -Watch WVCL0_A Vital Coded Logical Outputs for Branch A WVCLOB -Watch WVCLO_B Vital Coded Logical Outputs for Branch B WVLO_A -Watch WVL0_A Vital Logical Outputs for Branch A

WVLO_B -Watch WVLO_B Vital Logical Outputs for Branch B

Claims

C I a i m s

1. The electronic railway interlocking equipment system is comprised for three essential levels, being the commanding level (COML), control level (CONL), and executive level

(EL), where the commanding level (COML) is comprised for at least one arrangement (AOCl, AOC2) for operating computers, which contain an active commanding computer (ACC) and no or at least one passive commanding computer (PCC) for displaying only non- vital information, which each arrangement (AOCl, A0C2) for operating computers is data connected to the control level (CONL) through hubs (HUB, HUBi) connected to vital computers (VC_A> VC_B) for the respective branch A, B for creating a vital core for the control level (CONL), and for increasing the availability for the electronic interlocking equipment system the control level (CONL) can contain other stand-by vital computers (VCAi,VC_Bi ) for the respective branch A, B while the executive level (EL) is comprised for at least one executive device (ED), is characterised in that,

- the control level (CONL) is connected to the executive level (EL) by at least one external data link (EDL_A, EDL_B),

- the executive level (EL) contains at least one executive device (ED), each executive device (ED) has three basic parts, being - the control part (CP) comprised for at least one control computer (CC),

- the executive part (EP) comprised for at least one executive component (EC) and

- the supply part (SP) comprised for at least one source (S),

- while the control part (CP), executive part (EP) and supply part (SP) are mutually connected by at least one internal data link (IDL_A, IDL_B) of the executive device (ED).

2. The electronic railway interlocking equipment system of claim 1, is characterised in that, the control level (CONL) has the following direct two-way data links

- each vital computer (VC_A) for branch A with the vital computer (VC_B) for branch B and with the branch A stand-by vital computer (VQu) for branch B, - each vital computer (VC₈) for branch B with the vital computer (VC_A) for branch A and with stand-by vital computer (VC_Bi) for the branch B,

- each stand-by vital computer (VC_Ai) for branch A with the branch A vital computer (VC_A) and with stand-by vital computer (VC_Bi) for the branch B,

- each stand-by vital computer (VC_Bi) for branch B with the vital computer (VC₈) for branch B and with the stand-by vital computer (VC_Ai) for branch A.

3. The electronic railway interlocking equipment system of claim 1, is characterised in that,

- the vital computer (VC_A) for branch A and stand-by vital computer (VC_Ai) for branch A are connected by a data link to the executive device (ED) for the executive level (EL) and

- the vital computer (VC₈) for branch B and stand-by vital computer (VC_Bi) for branch B are connected by a data link to the executive device (ED) of the executive level (EL).

4. The electronic railway interlocking equipment system of claim 1, is characterised in that, the control computer (CC) for the control part (CP) is connected with at least one standby control computer (CCi), and also with at least one internal data link (IDL_A, IDL₈ ) for branch A,B, and also with at least one internal data link (IDLCP) control parts .

5. The electronic railway interlocking equipment system of claim l,is characterised in that, each executive component (EC) for the executive part (EP) is connected through alt least one data link (DDL_A» IDL_B) to the control computer (CC), or to at least one stand-by control computer (CCi). ^{J :i}

~< '.

6. The electronic railway interlocking equipment system of claim 1, is characterised in that, each source (S) for the supply part (SP) is connected by at least one internal data link (IDL_A, IDL₈) to the control computer (CC), or to at least one stand-by control computer (CCi).

7. The electronic railway interlocking equipment system of claim 1, is characterised in that,

- the control computer (CC) is comprised for two control computers (CC _A, CC_B), which are mutually connected by an internal data link (IDLCC) control computers, where

- the control computer (CC_A) for branch A is connected both ways to external communi- cation interface (ECL^) for a branch A, to a internal communication interface (ICI_A) for branch A ,and it is also connected to a vital source (VS) and to a watch interface (WI), connected to an internal data link (IDLCP) control part (CP) for the executive device (ED) and

- the control computer (CC_B) for branch B is connected both ways to a external communication interface (ECI_B) for branch B, to a internal communication interface (ICI_B) for branch B, and it is also connected to a vital source (VS) and to a watch interface (WI), connected to an internal data link (IDLCP) control part (CP) for the executive device (ED),

- while the vital source (VS) is connected by the watch interface (WI) and to all four interfaces (ECIA, ECI_B, ICIA, ICI_B), connected to the data links (EDL_A , EDL_B , IDL_A ,

IDLB), and eventually - the control computer (CC_A) for branch A and control computer (CC_B) for branch B are connected to the diagnostic computer (DC).

8. The electronic railway interlocking equipment system of claim 1, is characterised in that,

- the executive component (EC) contains the first function part (FPl) connected with at least one other function part (FPl - FP9), namely with the second function part (FP2), with the third function part (FP3), with the fourth function part (FP4), with the fifth function part (FP5), with the sixth function part (FP6), with the seventh function part (FP7), with the eighth function part (FP8) and with the ninth function part (FP9), always through the executive computer (EC_A ) for branch A and executive computer (EC_B ) for branch B, or additionally through a vital source (VS),

- while the first function part (FPl) is comprised for two executive computers (EC_A, EC_B), which are mutually connected by an internal data link (EDLEC) executive computers,

- while the executive computer (EC_A) for branch A is connected in both directions with the internal communication interface (ICI_A) for branch A, and is also connected to the vital source (VS),

- and the executive computer (EC_B) for branch B is connected in both directions with the internal communication interface (ICI_B) for branch B and is also connected to the vital source (VS),

- while the vital source (VS) is connected to the two internal communication interfaces (ICI_A, ICI_B) connected to the internal data links (IDL_A, IDL_B) for the executive device (ED).

9. The electronic railway interlocking equipment system of claim 8, is characterised in that,

- the second function part (FP2) comprises for the vital contact outputs (VCO), the watch (WVCO_A) vital contact outputs for branch A and the watches (WVCOB) vital contact outputs for branch B, - where the vital contact outputs (VCO) are connected with the watches (WVCO_A,

WVCOB) vital contact outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (EC_A, EC_B) for the respective branches A, B,

- while the watches (WVCO_A, WVCO_B) vital contact outputs for the respective branches (A, B) are also connected with the executive computers (EC_A , EC₈ ) for the respective branches A, B.

lO.The electronic railway interlocking equipment system of claim 8, is characterised in that,

- the third function part (FP3) comprises for the vital logical outputs (VLO), the watches (WVLO_A) vital logical outputs for branch A and the watches (WVLO_B) vital logical outputs for branch B, - where the vital logical outputs (VLO) are connected with the watches (WVLO_A, WVLO_B) vital logical outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (EC_A, EC₈ ) for the respective branches A, B,

- while the watches (WVLO_A, WVLO_B) vital logical outputs for the respective branches (A, B) are also connected with the executive computers (EC_{A ,} EC_B ) for the respective branches A, B.

1 l.The electronic railway interlocking equipment system of claim 8, is characterised in that,

- the fourth function part (FP4) is comprised for vital coded logical outputs (VCLO), the watches (WVCL0_A) vital coded logical outputs for branch A and the watches

(WVCLO_B) vital coded logical outputs for branch B,

- where the vital coded logical outputs (VCLO) are connected with the watches (WVLO_A, WVLO_B) vital coded logical outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (EC_A and EC_B ) for the respective branches A, B,

- while the watches (WVCLO_A, WVCLO_B) vital coded logical outputs for the respective branches A, B are also connected with the executive computers (EC_{A 1} EC_B ) for the respective branches A, B.

12.The electronic railway interlocking equipment system of claim 8, is characterised in that,

- the fifth function part (FP5) is comprised for vital analogue outputs (VAO), the watches (WVAO_A) vital analogue outputs for branch A and the watches (WVAO_B) vital analogue outputs for branch B

- where the vital analogue outputs (VAO) are connected with the watches (WVAO_A, WVAO_B) vital analogue outputs for the respective branches A, B, furthermore with a vital source (VS) and also with the executive computers (EC_A and EC_B ) for the respective branches A, B,

- while the watches (WVAO_A, WVA0_B) vital analogue outputs for the respective branches A, B are also connected with the executive computers (EC_A , ECB ) for the respective branches A, B.

13. The electronic railway interlocking equipment system of claim 8, is characterised in that, the sixth function part (FP6) is comprised for non-vital outputs (NO), which are connected with the executive computers (EC_A and EC_B) for the respective branches A, B.

14.The electronic railway interlocking equipment system of claim 8, is characterised in that, the seventh function part (FP7) is comprised for logical inputs (LI), which are connected with the executive computers (EC_A and EC_B) for the respective branches A, B.

15.The electronic railway interlocking equipment system of claim 8, is characterised in that, the eighth function part (FP8) is comprised for analogue inputs (AI), which are connected with the executive computers (EC_A and EC_B) for the respective branches A, B.

lό.The electronic railway interlocking equipment system of claim 8, is characterised in that, the ninth function part (FP9) is comprised for the vital data interface (VDI), which is connected to the vital source (VS) and also to the executive computers (EC_A and EC_B) for the respective branch A, B.

17. The electronic railway interlocking equipment system of claim 1, is characterised in that, - the source (S) is comprised for two sources, namely for the source (SA) for the supply for branch A for the control part (CP) and executive part (EP), and also for the source (SB) for the supply for branch B for the control part (CP) and executive part (EP),

- where both sources (SA, SB) are connected with the control circuits (CONC) and measurement circuits (MC) and - while the control circuits (CONC) and measurement circuits (MC) are connected with an internal communication interface (ICI), connected to at least one internal data link (IDL_A, IDLB) for the executive device (ED).

18. The electronic railway interlocking equipment system of claim 1, is characterised in that, - at least one supervision remote control level (RCL), comprised for a bridge (B) and supervision system (SS) is connected to the control level (CONL),

- while the bridge (B) is connected both to a hub (HUB) and to the control level's (CONL) stand-by hub (HUB,).

19.The electronic railway interlocking equipment system of claim 1, is characterised in that,

- a communication level (CL), comprised for communication equipment (CE), is inserted between the control level (CONL) and the executive level (EL),

- while the communication level (CL) is connected both to the control level (CONL) by at least one external data link (EDL_A, EDL_B), as well as to the executive level (EL) by at least one external data link (EDL' _A , EDL'_B).