WO2019193145A1 - Train traffic control system and method for carrying out safety critical operations within a train traffic control system - Google Patents
Train traffic control system and method for carrying out safety critical operations within a train traffic control system Download PDFInfo
- Publication number
- WO2019193145A1 WO2019193145A1 PCT/EP2019/058618 EP2019058618W WO2019193145A1 WO 2019193145 A1 WO2019193145 A1 WO 2019193145A1 EP 2019058618 W EP2019058618 W EP 2019058618W WO 2019193145 A1 WO2019193145 A1 WO 2019193145A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- control system
- route
- command
- cost
- train
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims description 11
- 230000009467 reduction Effects 0.000 abstract description 2
- 238000007726 management method Methods 0.000 description 25
- 239000000306 component Substances 0.000 description 6
- 238000006243 chemical reaction Methods 0.000 description 5
- 230000010354 integration Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 101000879675 Streptomyces lavendulae Subtilisin inhibitor-like protein 4 Proteins 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013499 data model Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L19/00—Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
- B61L19/06—Interlocking devices having electrical operation
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L21/00—Station blocking between signal boxes in one yard
- B61L21/06—Vehicle-on-line indication; Monitoring locking and release of the route
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L25/00—Recording or indicating positions or identities of vehicles or trains or setting of track apparatus
- B61L25/06—Indicating or recording the setting of track apparatus, e.g. of points, of signals
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/20—Trackside control of safe travel of vehicle or train, e.g. braking curve calculation
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/30—Trackside multiple control systems, e.g. switch-over between different systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/50—Trackside diagnosis or maintenance, e.g. software upgrades
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L19/00—Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
- B61L19/06—Interlocking devices having electrical operation
- B61L2019/065—Interlocking devices having electrical operation with electronic means
Definitions
- the invention concerns a train traffic control system comprising a traffic man- agement system for executing safety critical operations, a route and train control system, and a command and status adapter, wherein the train traffic control sys- tern is adapted to exchange information and commands between the traffic man agement system and the route and train control system via the command and status adapter, and wherein the command and status adapter comprises software components for carrying out functions with basic integrity, wherein the traffic control system further comprises at least one software component for carrying out a function for controlling safety critical operations.
- the invention also con- cerns a method for carrying out safety critical operations within a train traffic control system.
- An according train traffic control system is known from [1],
- Route and train control systems are adapted to manage safely the routes and movement-authorities in the railway network for running trains and to control protect and protect trains from running to fast or beyond their end of movement- authority.
- Route and train control systems can comprise an interlocking system, a radio-block-center or a similar system.
- the different route and train control systems which have to be controlled by the remote operator, transmit status information to the traffic management system in form of specific protocols.
- the command and status adapter (COST-adapter) converts the specific protocols to generic protocols and provides the status of the route and train control system for further processing by the traffic management system in a normalized form. Additionally it converts operational commands to the specific format of a specific route and train control system.
- the traffic management system comprises a human machine interface for oper- ating the route and train control system by a human operator.
- the route and train control system receives commands from the traffic management system concerning regular operation as well as concerning safety critical operations for supervision of an approval procedure.
- Safety critical operations are carried out in special operational situations or in case of disturbances by using the route and train control system.
- safety critical operations are instructed by the operator while bypassing elements of the route and train control system (e.g. the radio block center or the interlocking system).
- Safety critical operations are operator actions, e.g. safety critical route clearing, safety critical point change, etc., i.e. the operator can circumvent a safe setting of the system.
- COST-adapter are therefore developed based on fail-safe computer systems (for example as the SAM or SCM on basis of the Thales proprietary TAS-PLF Sys- tern). Yet, this results in high hardware costs for this dedicated computer and also in high costs for software development, integration and test, because all these components have to developed according a high Safety Integrity Level (typically SIL4) according the standard EN 50128 [4].
- SIL4 Safety Integrity Level
- the function for controlling safety critical operations is outsourced from the command and status adapter (COST-adapter).
- COST-adapter the command and status adapter
- the safe- ty related functions are func tional separated from the functions with basic integrity and can (but don't have to be installed in separate locations.
- the COST-adapter can then be developed according SILO, which is much cheaper compared to the high safety level COST- adapter known from the state of the art.
- the function for controlling safety critical operations is integrated in the route and train control system. No further computer is required. This makes this embodiment especially cost effective. Yet an additional function has to be integrated in all route and train control systems, which are to be man- aged by the traffic management system.
- the system further comprises a controller, which is separated from the command and status adapter (COST), wherein the function for controlling safety critical operations is integrated in the controller.
- the con- troller is adapted to control safety critical operations. No further functions have to be integrated in the route and train control system.
- command and status adapter of foreign companies can be used.
- the traffic control system comprises route and train control systems of different types, e.g. electronic interlocking systems and relay based interlocking systems or interlocking systems produced by different compa- nies.
- the software components for carrying out functions with basic mtegri- ty for the different types of route and train control system are provided within one (the same) computer. Due to the low safety level, which is required for the command and status adapter of the present invention, only little power is required for operating the command and status adapter. Thus, several functions with basic integrity for the different types of route and train control system can be supplied with power by the same computer.
- the controller is adapted to control safety critical operations for all types of route and train control systems of the traffic con- trol system.
- At least one of the functions with basic integrity is integrated in the traffic man- agement system .
- the according software components can be integrated in an operator workstation.
- the traffic management system then comprises at least parts of the COST-adapter.
- the command and status adapter comprises a decrypter. This allows transmission of encrypted messages comprising information concerning safety critical operations via the command and status adapter, thereby ensuring that the command and status adapter cannot modify the message unintendedly.
- the decryptor is preferably arranged at the output side.
- decryption of the messages can be carried out within the route and train control system.
- Encryption of the messages can be carried out within the controller (if applica- ble).
- the controller comprises an encryptor.
- the functions with basic integrity comprise the function of adaption of regular operations and/or the function of adaption a status of the route and train control system, and/or the function of converting protocols to be transmitted between the route and train control system, and the traffic management system.
- the invention also concerns a method for carrying out safety critical operations within a train traffic control system comprising a traffic management system a route and train control system, and a command and status adapter, wherein messages are transmitted between the traffic management system and the route and train control system.
- safety critical operations are controlled outside the command and status adapter, i.e. in a dedicated compo nent for carrying out a function for controlling safety critical operations.
- the messages are transmitted via the command and status adapter. Only one interface is required at the route and train control system.
- the safety critical operations are controlled within the route and train control system.
- the safety critical operations are controlled within a control- ler, which is separated from the command and status adapter.
- the inventive architectural principle of separation of basic integrity components (SILO) and safety related components (SIL>0) enables cost effective control of different types of route and train control systems.
- Fig. 1 shows the architecture of a traffic control system according to the state of the art.
- Fig. 2a shows the architecture of a traffic control system according to the inven- tion, wherein the function for controlling safety critical operations is integrated in the route and train control system.
- Fig. 3b shows the architecture of a traffic control system according to Fig. 2a with multiple types of route and train control systems.
- Fig. 3a shows the architecture of a traffic control system according to the inven- tion, wherein the function for controlling safety critical operations is integrated in a separate controller.
- Fig. 3b shows the architecture of a traffic control system according to Fig. 3a with multiple types of route and train control systems.
- Fig. 1 shows an architecture of a traffic control system for executing safety criti- cal operations according to the state of the art.
- a route and train control system RTCS is connected with a traffic management system TMS. Between traffic management system TMS and route and train control system TRCS status infor- mation and commands are exchanged. Since traffic management system TMS and route and train control system RTCS in general are not compatible concerning type of executable protocols, a command and status adapter COST' is pro vided which comprises functions for conversion of protocols, adaption of regular operations, adaption of status of the route and train control system RTCS and controlling safety critical operations. The command and status adapter COST'. In order to ensure the required safety the command and status adapter COST has to be developed on a high safety level (SIL>0).
- SIL high safety level
- the function for controlling safety critical operations is separated/outsourced from the command and status adapter COST and is pro- vided separately.
- safety related functions and functions with basic integrity are separated.
- the command and status adapter COST does not comprise safety related functions, but only comprises functions with basic integrity, and can thus be developed on a lower safety level SILO.
- Fig. 2a shows the architecture of a first embodiment of the inventive traffic con- trol system with a modified command and status adapter COST.
- the command and status adapter COST according to the invention comprises software components in order to carry out the function of adaption of regular operations of the route and train control system, the function of adaption of a status of the route and train control system to the internal data model of the traffic control system, and the function of converting protocols of information/commands to be sent from the traffic management system TMS to the route and train control system RTCS from a generic protocol to a specific protocol and converting protocols of information to be sent from the route and train control system RTCS to the traffic management system IMS from a specific protocol to a generic protocol respec tively.
- the function for controlling safety critical operations is integrated in the route and train control system RTCS (instead of the command and status adapter COST'). I.e. the software components that controls the safety critical operation is transferred to the RTCS.
- the remaining functionality of the command and status adapter COST is not safety related anymore. So, the command and status adapt- er COST can be developed according SILO, which reduces the cost drastically compared to the command and status adapter COST' known from the state of the art,
- Fig. 2b shows an according architecture for a traffic control system comprising multiple types of route and train control systems RTCS (type 1,..., type n). Only one command and status adapter COST is required which comprises the required software components (functions for adaption of regular operation, adaption of status and for conversion of protocols) for a multitude of types, preferably for all types of route and train control systems RTCS, which are connected to the respective traffic management system TMS.
- This first embodiment is particularly interesting for route and train control sys- tems RTCS which are built by the same manufacturer as the other components of the traffic control system.
- a second embodiment of the inventive traffic control system is preferable.
- an additional computer controller CTRL
- the software compo- nent that controls the safety critical operation is integrated in the controller CTRL.
- the controller CTRL is connected to the traffic management system TMS for exchanging commands/information in form of generic protocols.
- the proce- dure for exchanging information between controller CTRL and the traffic man agement system TMS checks that the correct safety critical operation will be exe- cuted. The result of this check, i.e.
- the correct safety critical operation is then sent from the controller CTRL through the command and status adapter COST to the route and train control system RTCS, typically in an encrypted format, so that an unintended modification by the command and status adapter COST (that is implemented only with SILO) can be detected by the route and train control system RTCS, although this does not reduce the hardware costs, it reduces the costs for software development, integration and test for the components of the command and status adapter COST,
- Fig. 3b shows an according architecture for a traffic control system comprising multiple types of route and train control systems RTCS (type 1, .., type n).
- RTCS route and train control systems
- COST command and status adapter
- a multitude of types preferably for all types of route and train control systems RTCS, which are connected to the respective traffic management system TMS.
- controller CTRL comprising the software component for controlling safety critical operations is required for the multitude of route and train control systems RTCS.
- the command and sta- tus adapter COST are adapted to only transmit the messages concerning the safety critical operation (instead of transmitting and processing).
- the command and status adapter COST according to the invention works like a "transparent channel”. Otherwise, the function "Control safety critical operation” could not detect any misbehavior with the required safety integrity.
- either multiple command and status adapters COST or a command and status adapter COST comprising multitudes of adaption and conversion functionalities as shown in Fig. 2b and Fig. 3b
- the effort savings (based on the inventive SILO development) will be enlarged by a factor depending on the number of types of route and train control systems RTCS, because for every type the adaptation of regular operation and status as well as the protocol conversion can now be developed according SILO.
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Train Traffic Observation, Control, And Security (AREA)
- Electric Propulsion And Braking For Vehicles (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
A train traffic control system comprising a traffic management system (IMS) for executing safety critical operations, a route and train control system (RTCS), and a command and status adapter (COST), wherein the train traffic control system is adapted to exchange information and commands between the traffic management system (TMS) and the route and train control system (RTCS), wherein the command and status adapter (COST) comprises software components for carrying out functions with basic integrity, wherein the traffic control system further comprises a software component for carrying out a function for controlling safety critical operations, is characterized in that the function for controlling safety critical operations is outsourced from the command and status adapter (COST). The inventive train traffic control system on the one hand realizes a high safety level and on the other hand allows considerable cost reduction.
Description
Train traffic control system and method for carrying out safety critical operations within a train traffic control system
Background of the invention
The invention concerns a train traffic control system comprising a traffic man- agement system for executing safety critical operations, a route and train control system, and a command and status adapter, wherein the train traffic control sys- tern is adapted to exchange information and commands between the traffic man agement system and the route and train control system via the command and status adapter, and wherein the command and status adapter comprises software components for carrying out functions with basic integrity, wherein the traffic control system further comprises at least one software component for carrying out a function for controlling safety critical operations. The invention also con- cerns a method for carrying out safety critical operations within a train traffic control system.
An according train traffic control system is known from [1],
Route and train control systems are adapted to manage safely the routes and movement-authorities in the railway network for running trains and to control protect and protect trains from running to fast or beyond their end of movement- authority. Route and train control systems can comprise an interlocking system, a radio-block-center or a similar system.
Remote control via Operational/T raffic Control Centers for controlling interlocking systems and other route and train control systems getting increasingly important. A long term known situation in traffic management systems in Opera- tional/T raffic Control centers is that several different (legacy) interlocking sys tems need to be controlled/supervised at one remote operator workplace. Exam- ples for this case are systems in Finland [1], for subway systems in Munich [2] or for German Main Line Railway DB [3]. Typically special adapter modules (command and status adapter) like the modules SAM or SCM in [1] or the product FL90 in [3] have been developed, which cover all needed functionality in one system.
The different route and train control systems, which have to be controlled by the remote operator, transmit status information to the traffic management system in form of specific protocols. The command and status adapter (COST-adapter) converts the specific protocols to generic protocols and provides the status of the route and train control system for further processing by the traffic management system in a normalized form. Additionally it converts operational commands to the specific format of a specific route and train control system.
The traffic management system comprises a human machine interface for oper- ating the route and train control system by a human operator. The route and train control system receives commands from the traffic management system concerning regular operation as well as concerning safety critical operations for supervision of an approval procedure. Safety critical operations are carried out in special operational situations or in case of disturbances by using the route and train control system. In contrast to regular operations for which the admissibility can be checked at any time by the train control system, safety critical operations
are instructed by the operator while bypassing elements of the route and train control system (e.g. the radio block center or the interlocking system). Safety critical operations are operator actions, e.g. safety critical route clearing, safety critical point change, etc., i.e. the operator can circumvent a safe setting of the system.
Since the control of safety critical operations is safety related, high safety requirements have to be fulfilled when developing the COST-adapter. According to [1] COST-adapter are therefore developed based on fail-safe computer systems (for example as the SAM or SCM on basis of the Thales proprietary TAS-PLF Sys- tern). Yet, this results in high hardware costs for this dedicated computer and also in high costs for software development, integration and test, because all these components have to developed according a high Safety Integrity Level (typically SIL4) according the standard EN 50128 [4].
Object of the invention
It is therefore an object of the invention to suggest a train traffic control system, which on the one hand realizes the required high safety level and on the other hand allows considerable cost reduction.
Description of the invention
This object is solved by a train traffic control system according to claim 1 and a method according to claim 11.
According to the invention, the function for controlling safety critical operations is outsourced from the command and status adapter (COST-adapter). I.e. the safe- ty related functions (function for controlling safety critical operations) are func tional separated from the functions with basic integrity and can (but don't have to be installed in separate locations. The COST-adapter can then be developed according SILO, which is much cheaper compared to the high safety level COST-
adapter known from the state of the art. Thus, the inventive traffic management system enables execution of safety critical operations for a safety critical system from an operator station with reduced cost,
In a special embodiment, the function for controlling safety critical operations is integrated in the route and train control system. No further computer is required. This makes this embodiment especially cost effective. Yet an additional function has to be integrated in all route and train control systems, which are to be man- aged by the traffic management system.
In an alternative embodiment, the system further comprises a controller, which is separated from the command and status adapter (COST), wherein the function for controlling safety critical operations is integrated in the controller. The con- troller is adapted to control safety critical operations. No further functions have to be integrated in the route and train control system. Thus, command and status adapter of foreign companies can be used. The command and status adapter can have safety level SIL<4, preferably SIL=0. Due to the low safety level, the command and status adapters (COST) can be provided at low cost,
In a highly preferred variant, the traffic control system comprises route and train control systems of different types, e.g. electronic interlocking systems and relay based interlocking systems or interlocking systems produced by different compa- nies.
Preferably, the software components for carrying out functions with basic mtegri- ty for the different types of route and train control system are provided within one (the same) computer. Due to the low safety level, which is required for the command and status adapter of the present invention, only little power is required for operating the command and status adapter. Thus, several functions with basic integrity for the different types of route and train control system can be supplied with power by the same computer.
In a highly preferred embodiment, the controller is adapted to control safety critical operations for all types of route and train control systems of the traffic con- trol system.
At least one of the functions with basic integrity is integrated in the traffic man- agement system . The according software components can be integrated in an operator workstation. The traffic management system then comprises at least parts of the COST-adapter. In case all functions with basic integrity are integrat ed in the traffic management system, no separate computer is required for the command and status adapter. It is preferred that the command and status adapter comprises a decrypter. This allows transmission of encrypted messages comprising information concerning safety critical operations via the command and status adapter, thereby ensuring that the command and status adapter cannot modify the message unintendedly. Within the command and status adapter the decryptor is preferably arranged at the output side.
Alternatively, decryption of the messages can be carried out within the route and train control system.
Encryption of the messages can be carried out within the controller (if applica- ble). In this case, the controller comprises an encryptor. In a preferred embodiment the functions with basic integrity comprise the function of adaption of regular operations and/or the function of adaption a status of the route and train control system, and/or the function of converting protocols to be transmitted between the route and train control system, and the traffic management system. The invention also concerns a method for carrying out safety critical operations within a train traffic control system comprising a traffic management system a route and train control system, and a command and status adapter, wherein messages are transmitted between the traffic management system and the route and train control system. According to the invention safety critical operations are
controlled outside the command and status adapter, i.e. in a dedicated compo nent for carrying out a function for controlling safety critical operations.
Preferably, the messages are transmitted via the command and status adapter. Only one interface is required at the route and train control system. In a first variant, the safety critical operations are controlled within the route and train control system.
In a second variant the safety critical operations are controlled within a control- ler, which is separated from the command and status adapter.
The inventive architectural principle of separation of basic integrity components (SILO) and safety related components (SIL>0) enables cost effective control of different types of route and train control systems.
Further advantages can be extracted from the description and the enclosed drawing. The features mentioned above and below can be used in accordance with the invention either individually or collectively in any combination. The embodiments mentioned are not to be understood as exhaustive enumeration but rather have exemplary character for the description of the invention.
Drawings
The invention is shown in the drawing. Fig. 1 shows the architecture of a traffic control system according to the state of the art.
Fig. 2a shows the architecture of a traffic control system according to the inven- tion, wherein the function for controlling safety critical operations is integrated in the route and train control system. Fig. 3b shows the architecture of a traffic control system according to Fig. 2a with multiple types of route and train control systems.
Fig. 3a shows the architecture of a traffic control system according to the inven- tion, wherein the function for controlling safety critical operations is integrated in a separate controller.
Fig. 3b shows the architecture of a traffic control system according to Fig. 3a with multiple types of route and train control systems.
Fig. 1 shows an architecture of a traffic control system for executing safety criti- cal operations according to the state of the art. A route and train control system RTCS is connected with a traffic management system TMS. Between traffic management system TMS and route and train control system TRCS status infor- mation and commands are exchanged. Since traffic management system TMS and route and train control system RTCS in general are not compatible concerning type of executable protocols, a command and status adapter COST' is pro vided which comprises functions for conversion of protocols, adaption of regular operations, adaption of status of the route and train control system RTCS and controlling safety critical operations. The command and status adapter COST'. In order to ensure the required safety the command and status adapter COST has to be developed on a high safety level (SIL>0).
According to the invention, the function for controlling safety critical operations is separated/outsourced from the command and status adapter COST and is pro- vided separately. Thus, safety related functions and functions with basic integrity are separated. According to the invention, the command and status adapter COST does not comprise safety related functions, but only comprises functions with basic integrity, and can thus be developed on a lower safety level SILO.
Fig. 2a shows the architecture of a first embodiment of the inventive traffic con- trol system with a modified command and status adapter COST. The command and status adapter COST according to the invention comprises software components in order to carry out the function of adaption of regular operations of the route and train control system, the function of adaption of a status of the route and train control system to the internal data model of the traffic control system, and the function of converting protocols of information/commands to be sent from the traffic management system TMS to the route and train control system
RTCS from a generic protocol to a specific protocol and converting protocols of information to be sent from the route and train control system RTCS to the traffic management system IMS from a specific protocol to a generic protocol respec tively. The function for controlling safety critical operations is integrated in the route and train control system RTCS (instead of the command and status adapter COST'). I.e. the software components that controls the safety critical operation is transferred to the RTCS. The remaining functionality of the command and status adapter COST is not safety related anymore. So, the command and status adapt- er COST can be developed according SILO, which reduces the cost drastically compared to the command and status adapter COST' known from the state of the art,
Fig. 2b shows an according architecture for a traffic control system comprising multiple types of route and train control systems RTCS (type 1,..., type n). Only one command and status adapter COST is required which comprises the required software components (functions for adaption of regular operation, adaption of status and for conversion of protocols) for a multitude of types, preferably for all types of route and train control systems RTCS, which are connected to the respective traffic management system TMS. This first embodiment is particularly interesting for route and train control sys- tems RTCS which are built by the same manufacturer as the other components of the traffic control system.
In case of existing route and train control system RTCS which cannot be modified (for example because it was built by a third party), a second embodiment of the inventive traffic control system, as shown in Fig. 3a, is preferable. In this case, an additional computer (controller CTRL) is provided and the software compo- nent that controls the safety critical operation is integrated in the controller CTRL. The controller CTRL is connected to the traffic management system TMS for exchanging commands/information in form of generic protocols. The proce- dure for exchanging information between controller CTRL and the traffic man agement system TMS checks that the correct safety critical operation will be exe-
cuted. The result of this check, i.e. the correct safety critical operation is then sent from the controller CTRL through the command and status adapter COST to the route and train control system RTCS, typically in an encrypted format, so that an unintended modification by the command and status adapter COST (that is implemented only with SILO) can be detected by the route and train control system RTCS, Although this does not reduce the hardware costs, it reduces the costs for software development, integration and test for the components of the command and status adapter COST,
Fig. 3b shows an according architecture for a traffic control system comprising multiple types of route and train control systems RTCS (type 1, .., type n). Ana- logue to Fig. 2b only one command and status adapter COST is required which comprises the required software components (functions for adaption of regular operation, adaption of status and for conversion of protocols) for a multitude of types, preferably for all types of route and train control systems RTCS, which are connected to the respective traffic management system TMS. Further only one controller CTRL comprising the software component for controlling safety critical operations is required for the multitude of route and train control systems RTCS.
In both embodiments the remaining functionalities inside the command and sta- tus adapter COST are adapted to only transmit the messages concerning the safety critical operation (instead of transmitting and processing). In other words concerning safety critical operation commands, the command and status adapter COST according to the invention works like a "transparent channel". Otherwise, the function "Control safety critical operation" could not detect any misbehavior with the required safety integrity. In case multiple types of route and train control systems RTCS, in particular multiple interlocking types, need to be connected, either multiple command and status adapters COST or a command and status adapter COST comprising multitudes of adaption and conversion functionalities (as shown in Fig. 2b and Fig. 3b) have to be developed and provided. Therefore, the effort savings (based on the inventive SILO development) will be enlarged by a factor depending on the number of types of route and train control systems RTCS, because for every type the
adaptation of regular operation and status as well as the protocol conversion can now be developed according SILO.
Cited Documents
[ 1] Meier et a!
Kompakte Mensch-Maschine-Schnittstelle (Compact HMI)
Signal & Draht (95) 7+8/2003 [2] We et al.
Innovative Fernsteuerung von Alcatel fiir die U-Bahn Munchen,
Signal & Draht (92) 7+8/2000
[3] Rahn et al.
Anschluss von Relaisstellwerken an Betriebszentralen
Signal & Draht (95) 10/2003
[4] Standard EN50128, 2011
List of Reference Signs
1, n types of route and train control systems
COST' command and status adapter according to the state of the art
COST command and status adapter according to the invention
CTRL controller
RTCS route and train control system
TMS traffic management system
Claims
1. Train traffic control system comprising
a traffic management system (TMS) for executing safety critical operations,
a route and train control system (RTCS), and
a command and status adapter (COST),
wherein the train traffic control system is adapted to exchange information and commands between the traffic management system (TMS) and the route and train control system (RTCS) via the command and status adapt- er (COST),
wherein the command and status adapter (COST) comprises software components for carrying out functions with basic integrity,
wherein the traffic control system further comprises at least one software component for carrying out a function for controlling safety critical opera- tions,
characterized in
that the function for controlling safety critical operations is outsourced from the command and status adapter (COST).
2. Traffic control system according to claim 1 characterized in that function for controlling safety critical operations is integrated in the route and train control system (RTCS)
3. Train control system according to claim 1 characterized in that the system further comprises a controller (CTRL) which is separated from the command and status adapter (COST), wherein the function for controlling safe- ty critical operations is integrated in the controller (CTRL).
4. Traffic control system according to any one of the preceding claims, characterized in that the command and status adapter (COST) has safety level SIL<4, preferably SIL=0.
5. Traffic control system according to any one of the preceding claims, char acterized in that the traffic control system comprises route and train con- trol systems of different types (1, n).
6. Traffic control system according to claim 5, characterized in that the soft- ware components for carrying out functions with basic integrity for the dif ferent types (1, .. , n) of route and train control system (RTCS) are provided within one computer.
7. Traffic control system according to claim 3 and one of the claims 5 or 6, characterized in that the controller is adapted to control safety critical op- erations for all types (1, .. , n) of route and train control systems (RTCS) of the traffic control system.
8. Traffic control system according to any one of the preceding claims, char- acterized in that at least one of the functions with basic integrity is inte- g rated in the traffic management system (TMS).
9. T raffic control system according to any one of the preceding claims, char- acterized in that the command and status adapter (COST) comprises a de- crypter.
10. Traffic control system according to any one of the preceding claims, characterized in that the functions with basic integrity comprise the function of adaption of regular operations and/or the function of adaption a status of the route and train control system (RTCS), and/or the function of convert - ing protocols to be transmitted between the route and train control system (RTCS) and the traffic management system (TMS).
11. Method for carrying out safety critical operations within a train traffic con- trol system comprising a traffic management system (TMS) a route and train control system (RTCS), and a command and status adapter (COST), wherein messages are transmitted between the traffic management sys- tern (TMS) and the route and train control system (RTCS), characterized in that safety critical operations are controlled outside the command and sta- tus adapter (COST).
12. Method according to claim 11 characterized in that the messages are transmitted via the command and status adapter (COST).
13. Method according to claim 11 or 12 characterized in that the safety critical operations are controlled within the route and train control system (RTCS).
14. Method according to claim 11 or 12 characterized in that the safety critical operations are controlled within a controller (CTRL) which is separated from the command and status adapter (COST).
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2019249938A AU2019249938B2 (en) | 2018-04-06 | 2019-04-05 | Train traffic control system and method for carrying out safety critical operations within a train traffic control system |
| KR1020207031789A KR102536023B1 (en) | 2018-04-06 | 2019-04-05 | How to perform essential safety operations within the train operation control system and within the train operation control system |
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE102018205235.2 | 2018-04-06 | ||
| EP18166202.4 | 2018-04-06 | ||
| EP18166202.4A EP3549841B1 (en) | 2018-04-06 | 2018-04-06 | Train traffic control system and method for carrying out safety critical operations within a train traffic control system |
| DE102018205235 | 2018-04-06 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2019193145A1 true WO2019193145A1 (en) | 2019-10-10 |
Family
ID=62620726
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2019/058618 WO2019193145A1 (en) | 2018-04-06 | 2019-04-05 | Train traffic control system and method for carrying out safety critical operations within a train traffic control system |
Country Status (13)
| Country | Link |
|---|---|
| EP (1) | EP3549842B9 (en) |
| KR (1) | KR102536023B1 (en) |
| AU (1) | AU2019249938B2 (en) |
| DK (1) | DK3549842T5 (en) |
| ES (1) | ES2923182T3 (en) |
| HR (1) | HRP20220827T1 (en) |
| HU (1) | HUE059058T3 (en) |
| LT (1) | LT3549842T (en) |
| PL (1) | PL3549842T3 (en) |
| RS (1) | RS63339B9 (en) |
| SA (1) | SA520420235B1 (en) |
| SI (1) | SI3549842T1 (en) |
| WO (1) | WO2019193145A1 (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2006051355A1 (en) * | 2004-11-15 | 2006-05-18 | Abb As | A control system, a method to operate a control system, a computer data signal and a graphical user interface for rail-borne vehicles |
| WO2009092081A1 (en) * | 2008-01-17 | 2009-07-23 | Lockheed Martin Corporation | Method and centralized train control system for isolation of vital functions |
| EP2879008A1 (en) * | 2013-11-28 | 2015-06-03 | Thales Deutschland GmbH | Method for handling a safety critical command in a computer network |
| DE102014201551A1 (en) * | 2014-01-29 | 2015-07-30 | Siemens Aktiengesellschaft | Method for error disclosure in a interlocking computer system and interlocking computer system |
Family Cites Families (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE4005393A1 (en) | 1990-02-21 | 1991-08-22 | Standard Elektrik Lorenz Ag | DEVICE FOR SIGNAL-RELIABLE REPRESENTATION OF A REPORTING IMAGE |
| CH683953A5 (en) | 1992-04-30 | 1994-06-15 | Siemens Integra Verkehrstechni | Procedure to improve the signal-related safety of the user interface of a data processing system. |
| ITSV20020018A1 (en) | 2002-05-03 | 2003-11-03 | Alstom Transp Spa | DEVICE FOR PROCESSING OR COMMAND OPERATING IN INTRINSICALLY SAFE |
| GB0411277D0 (en) | 2004-05-20 | 2004-06-23 | Balfour Beatty Plc | Railway signalling systems |
| US8094003B2 (en) | 2006-11-22 | 2012-01-10 | Sharp Kabushiki Kaisha | Display control unit, on-vehicle display system, display controller, and on-vehicle display |
| GB2445374A (en) | 2007-01-04 | 2008-07-09 | Westinghouse Brake & Signal | A method for regulating the movement of a train through an area of railway fitted with trackside radio signaling equipment. |
| FR2919951B1 (en) | 2007-08-08 | 2012-12-21 | Airbus France | SYSTEM FOR PROCESSING AND DISPLAYING DATA |
| GB2459097B (en) | 2008-04-08 | 2012-03-28 | Advanced Risc Mach Ltd | A method and apparatus for processing and displaying secure and non-secure data |
| JP5311428B2 (en) | 2008-05-20 | 2013-10-09 | フリースケール セミコンダクター インコーポレイテッド | Display controller, image generation system, display system, apparatus, and computer program |
| ES2655478T3 (en) | 2009-04-25 | 2018-02-20 | Thales Management & Services Deutschland Gmbh | Method to verify the correct transfer of data to a video memory |
| US8605044B2 (en) | 2010-02-12 | 2013-12-10 | Maxim Integrated Products, Inc. | Trusted display based on display device emulation |
| DE102011005188A1 (en) | 2011-03-07 | 2012-09-13 | Siemens Aktiengesellschaft | Railway Control System |
| DE102011090135A1 (en) | 2011-07-25 | 2013-01-31 | Deuta-Werke Gmbh | Device and method for safety-relevant input via a display device with touch input |
| DE102012207439A1 (en) | 2012-05-04 | 2013-11-07 | Cassidian Airborne Solutions Gmbh | Method for displaying safety-critical data by a display unit; display unit |
| US20140088802A1 (en) | 2012-09-27 | 2014-03-27 | Siemens Industry, Inc. | Railway train control system having multipurpose display |
| EP2735962B1 (en) | 2012-11-22 | 2022-03-09 | Bombardier Transportation GmbH | Colour-discriminating checksum computation in a human-machine interface |
| DE102012221714A1 (en) * | 2012-11-28 | 2014-05-28 | Siemens Aktiengesellschaft | Method for fault disclosure in interlocking computer system with control channel, involves comparing pixel data of display with process data of process image of state information of reference system for display-protection |
| ES2619190T3 (en) | 2014-12-30 | 2017-06-23 | Matthias Auchmann | Method and system for the secure display of information relevant to security |
| DE102015002973B4 (en) | 2015-03-10 | 2020-09-24 | Airbus Defence and Space GmbH | Method for the joint representation of safety-critical and non-safety-critical information and display device |
| US9811932B2 (en) | 2015-04-17 | 2017-11-07 | Nxp Usa, Inc. | Display controller, heads-up image display system and method thereof |
| DE102015209448A1 (en) | 2015-05-22 | 2016-11-24 | Bayerische Motoren Werke Aktiengesellschaft | Method for displaying safety-relevant display elements |
| US20160379331A1 (en) | 2015-06-23 | 2016-12-29 | Freescale Semiconductor, Inc. | Apparatus and method for verifying the integrity of transformed vertex data in graphics pipeline processing |
| US20160379381A1 (en) | 2015-06-23 | 2016-12-29 | Freescale Semiconductor, Inc. | Apparatus and method for verifying the origin of texture map in graphics pipeline processing |
-
2018
- 2018-06-12 ES ES18177217T patent/ES2923182T3/en active Active
- 2018-06-12 SI SI201830714T patent/SI3549842T1/en unknown
- 2018-06-12 EP EP18177217.9A patent/EP3549842B9/en active Active
- 2018-06-12 DK DK18177217.9T patent/DK3549842T5/en active
- 2018-06-12 RS RS20220616A patent/RS63339B9/en unknown
- 2018-06-12 PL PL18177217.9T patent/PL3549842T3/en unknown
- 2018-06-12 HR HRP20220827TT patent/HRP20220827T1/en unknown
- 2018-06-12 LT LTEP18177217.9T patent/LT3549842T/en unknown
- 2018-06-12 HU HUE18177217A patent/HUE059058T3/en unknown
-
2019
- 2019-04-05 KR KR1020207031789A patent/KR102536023B1/en active IP Right Grant
- 2019-04-05 AU AU2019249938A patent/AU2019249938B2/en active Active
- 2019-04-05 WO PCT/EP2019/058618 patent/WO2019193145A1/en active Application Filing
-
2020
- 2020-09-28 SA SA520420235A patent/SA520420235B1/en unknown
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2006051355A1 (en) * | 2004-11-15 | 2006-05-18 | Abb As | A control system, a method to operate a control system, a computer data signal and a graphical user interface for rail-borne vehicles |
| WO2009092081A1 (en) * | 2008-01-17 | 2009-07-23 | Lockheed Martin Corporation | Method and centralized train control system for isolation of vital functions |
| EP2879008A1 (en) * | 2013-11-28 | 2015-06-03 | Thales Deutschland GmbH | Method for handling a safety critical command in a computer network |
| DE102014201551A1 (en) * | 2014-01-29 | 2015-07-30 | Siemens Aktiengesellschaft | Method for error disclosure in a interlocking computer system and interlocking computer system |
Non-Patent Citations (3)
| Title |
|---|
| MEIER ET AL.: "Kompakte Mensch-Maschine-Schnittstelle (Compact HMI", SIGNAL & DRAHT, vol. 95, 2003 |
| RAHN ET AL.: "Anschiuss von Relaisstellwerken an Betriebszentralen", SIGNAL & DRAHT, vol. 95, 2003 |
| WEIB ET AL.: "Innovative Fernsteuerung von Alcatel fur die U-Bahn MCinchen", SIGNAL & DRAHT, vol. 92, 2000 |
Also Published As
| Publication number | Publication date |
|---|---|
| ES2923182T3 (en) | 2022-09-26 |
| HRP20220827T1 (en) | 2022-10-14 |
| SA520420235B1 (en) | 2022-11-25 |
| RS63339B9 (en) | 2022-11-30 |
| KR102536023B1 (en) | 2023-05-23 |
| EP3549842B1 (en) | 2022-05-11 |
| HUE059058T3 (en) | 2023-01-28 |
| HUE059058T2 (en) | 2022-10-28 |
| EP3549842A1 (en) | 2019-10-09 |
| PL3549842T3 (en) | 2022-08-22 |
| RS63339B1 (en) | 2022-07-29 |
| DK3549842T3 (en) | 2022-07-18 |
| EP3549842B9 (en) | 2022-09-28 |
| AU2019249938B2 (en) | 2022-11-24 |
| SI3549842T1 (en) | 2022-08-31 |
| AU2019249938A1 (en) | 2020-10-01 |
| LT3549842T (en) | 2022-07-25 |
| DK3549842T5 (en) | 2022-10-31 |
| KR20200140860A (en) | 2020-12-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100540379C (en) | Electronics locking system and experimental installation and experimental technique | |
| US10370016B2 (en) | Method and device for carrying out a test process relating to a rail vehicle | |
| CN102025582B (en) | Control system for safety critical processes | |
| US6308117B1 (en) | Interlocking for a railway system | |
| RU2658214C1 (en) | Rail vehicle | |
| WO2006051355A1 (en) | A control system, a method to operate a control system, a computer data signal and a graphical user interface for rail-borne vehicles | |
| CN100576790C (en) | The single signal transmission of safe handling information | |
| RU186187U1 (en) | VEHICLE CONTROL DEVICE | |
| CN111103824A (en) | Control system for controlling safety-critical and non-safety-critical processes | |
| AU2019249938B2 (en) | Train traffic control system and method for carrying out safety critical operations within a train traffic control system | |
| KR101272464B1 (en) | Control system of stage device | |
| CN106164787B (en) | Method and apparatus for safe shutdown electrical load | |
| EP3549841B1 (en) | Train traffic control system and method for carrying out safety critical operations within a train traffic control system | |
| CN108861911B (en) | Elevator data communication arrangement | |
| US20100036542A1 (en) | System for setting a positioning member | |
| US20070073453A1 (en) | System architecture for controlling and monitoring components of a railroad safety installation | |
| CA2621393A1 (en) | System architecture for controlling and monitoring components of a railroad safety installation | |
| CN107959586B (en) | Cloud platform-based ship-side integrated navigation system network architecture | |
| Vasel | One plant, one system: Benefits of integrating process and power automation | |
| US10601219B2 (en) | Method for controlling a drive | |
| US20180215397A1 (en) | Train control system integration into locomotives having distributed power | |
| CN114670902B (en) | Processing method and system for remote resetting and emergency braking remote relieving | |
| EP4393789A1 (en) | Monitoring system for monitoring one or more work zones within a rail track | |
| KR102624433B1 (en) | Integrated door control device for train doors | |
| Hänsel et al. | Reference Case Study “Traffic Control Systems” for Comparison and Validation of Formal Specifications Using a Railway Model Demonstrator |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19714447 Country of ref document: EP Kind code of ref document: A1 |
|
| ENP | Entry into the national phase |
Ref document number: 2019249938 Country of ref document: AU Date of ref document: 20190405 Kind code of ref document: A |
|
| NENP | Non-entry into the national phase |
Ref country code: DE |
|
| ENP | Entry into the national phase |
Ref document number: 20207031789 Country of ref document: KR Kind code of ref document: A |
|
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 19714447 Country of ref document: EP Kind code of ref document: A1 |