WO2020239437A1 - System component, safety system and operating method - Google Patents


Info

Publication number
WO2020239437A1
Authority
WO
WIPO (PCT)
Prior art keywords
operating
modules
monitoring
interface
control
Prior art date
Application number
PCT/EP2020/063251
Other languages
German (de)
English (en)
Inventor
Jens Braband
Original Assignee
Siemens Mobility GmbH
Priority date
Filing date
Publication date
Application filed by Siemens Mobility GmbH
Publication of WO2020239437A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L 67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • a system component for a safety-relevant system and a safety-relevant system with several such system components are specified.
  • an operating procedure for such a system is given.
  • the publication WO 2018/234039 A1 relates to a method for transmitting messages in a security-relevant system.
  • One task to be solved is to specify a safety-relevant system that is efficiently constructed.
  • the system component comprises a control unit and a service element to be controlled or a plurality of service elements to be controlled.
  • the at least one service element is, for example, a light source, a motor, an actuator, a barrier, a switch or a sensor, i.e. a control element or a switching element.
  • the control unit comprises an operating module and a monitoring module, which are preferably software modules that are independent of one another.
  • the control unit includes a control interface, a readback interface, an interrupter interface and a communication interface.
  • the control interface is set up for control of the assigned, at least one service element by the operating module.
  • the readback interface is set up so that an operating state of the at least one assigned service element is detected by the monitoring module.
  • the interrupt interface is set up to reset the at least one service element by the associated monitoring module.
  • the communication interface is used for external communication, in particular for communication between various system components.
  • COTS Connection Oriented Transport Service
  • DS3 Distributed Smart Safe System
  • Each atomic element preferably consists of a service element, in the simplest case binary, which is, for example, a control element or a switching element, such as a lamp or a switch or an actuator. There is a control interface, an interrupt interface and a readback interface for the service element.
  • a processor with communication interfaces is available for each atomic element.
  • a communication interface of the atomic element is implemented, for example, by a bus, by a WLAN connection or by a 5G connection.
  • the processors of the atomic elements run at least two software systems, i.e. at least the operating module and the monitoring module, which preferably differ in structure and data storage and work, for example, according to the coded processing principle or the watchdog principle.
  • Each processor has its own identity for each channel, if necessary also authentication mechanisms such as PKI (Public Key Infrastructure) if a relatively high level of security is required for data transmission. Furthermore, each individual atomic element preferably knows the functionality of the entire safety-relevant system, from which its own function is derived, for example exclusively through project planning.
  • PKI Public Key Infrastructure
  • One example is finite state machines, since many security systems are state-based.
  • BFT Byzantine Fault Tolerance
  • Raft (consensus algorithm)
  • each atomic element determines its input values, if the atomic element in question is a sensor, or its state.
  • the communication takes place over at least two channels, one operating channel and at least one monitoring channel, but can alternatively also be single-channel.
  • the new overall status of the system is determined from the synchronization.
  • peripheral devices can have relatively intelligent components, for example control circuits for LEDs.
  • the intelligence of the peripheral devices is used to control and monitor the system, so that no or only a few additional components are required. This is achieved in particular through the division into the operating modules and monitoring modules as well as through the communication between the system components.
  • systems with more complex discrete input values and / or output values can also be managed using the concept described here. It must be ensured that the monitoring modules can directly trigger an operation-inhibiting state.
  • the safety-relevant system comprises several system components and a communication line.
  • the communication interfaces of the system components are interconnected by means of the communication line.
  • the communication line can be wired or wireless.
  • the system does not have a central computer for centralized control of the system components. That is, the system is set up for a decentralized control of the system components preferably exclusively by means of the control units.
  • in each of the system components, the control unit and the at least one associated service element are monolithically integrated.
  • system components are parts that can be installed as such without the need to assemble additional components.
  • control unit and the at least one associated service element are mechanically firmly connected to one another and / or are located in a common housing and / or on a common carrier such as a circuit board.
  • the operating modules and the monitoring modules are software modules that are independent of one another. It is possible for direct communication between the monitoring modules and the operating modules to be prevented within the control units.
  • the monitoring modules and the operating modules can preferably only communicate with one another directly via the communication line.
  • the operating modules and the monitoring modules can be implemented as hardware, for example in a user-specific circuit.
  • the monitoring modules and the operating modules are implemented within the respective control unit in a common microprocessor.
  • the modules can be located in different areas of the microprocessor and / or run in a multitasking mode.
  • the monitoring modules and the operating modules run in parallel.
  • the monitoring modules and the operating modules are each implemented in a separate microprocessor within the control units. This means that there are at least two separate microprocessors in each of the control units.
  • some or all of the system components include one or more operating status sensors.
  • the operating status sensors are each connected to the readback interface of the associated operating unit or are part of the readback interface.
  • the operating status sensors are formed by one or more of the following sensors: temperature sensor, color sensor, brightness sensor, current sensor, voltage sensor, resistance sensor, distance sensor, position sensor, acceleration sensor.
  • the interrupter interfaces of the system components can each have an interrupter unit, for example a switch, or be connected to an interrupter unit, the interrupter unit then being controlled by means of the associated interrupter interface.
  • the communication interfaces of some or all of the control units are structurally identical. In this way, efficient communication between the control units can be achieved.
  • some or all of the monitoring modules are structurally identical or structurally identical to one another. Identical in construction means in particular that the monitoring modules have the same basic structure and / or the same routines. A design adaptation between the monitoring modules, for example, only consists in the fact that different types of operating status sensors are connected.
  • the system comprises at least four or at least six of the system components.
  • the number of system components is at most 50 or at most 30 or at most 15.
  • the comparatively small number of system components enables rapid synchronization between the control units. For example, the cycle time for synchronizing the operating units with one another and / or the test time for monitoring the service elements is a maximum of 0.5 s or a maximum of 0.2 s or a maximum of 0.05 s.
  • the test time is, in particular, the maximum time required by the monitoring modules to determine whether the assigned service element is in the correct state.
  • the operating procedure includes in particular that at least one of the service elements is switched to a predefined basic state by at least one of the monitoring modules, and that the operating units are synchronized cyclically with each other via the communication line.
  • a correction time for switching back to the basic state is preferably a maximum of the test time.
  • the basic state is, for example, an off state of the relevant service element or a previously defined position of the service element, for example if the service element is a motor or a switch.
  • switching back to the basic state can mean that another service element is switched to a certain state.
  • the other service element, such as a stop signal, is switched on permanently.
  • FIG. 6 shows a schematic representation of an operating method for the systems described here.
  • FIG. 1 an embodiment of a safety-relevant system 1 is shown.
  • the system 1 comprises several system components 2, only one of which is illustrated in more detail.
  • the system components 2 each include a service element 4, for example light sources.
  • each of the system components 2 has a control unit 3.
  • the system components 2 can be largely identical.
  • the system components 2 differ from one another only in their service elements 4.
  • the system components 2 are, for example, light signals.
  • the system 1 is a traffic light system.
  • the system components 2 are spatially separated, separate components.
  • the control units 3 each include an operating module 31 and a monitoring module 32 as well as a control interface 33, a readback interface 34, an interrupt interface 35 and a communication interface 36.
  • the plant components 2 are connected to one another by means of a communication line 6.
  • the communication line 6 is in particular free of external access and finally connects the system components 2 with one another.
  • the operating modules 31, the monitoring modules 32 and the service elements 4 are preferably assigned one-to-one to one another.
  • the interfaces 33, 34, 35 can be cable connections. For each system component 2 there are two connections to the communication line 6 in FIG. These two connections can each be physically separated from one another or, alternatively, be physically combined, so that there is then only a programming separation of the connections.
  • the service element 4 of the system components 2 is controlled via their control interface 33 by the relevant operating module 31.
  • a current operating state of the service element 4 is recorded by the monitoring module 32 via the readback interface 34.
  • the monitoring module 32 checks whether the service element 4 assumes the state that is specified by the operating module 31. If this is not the case, then the service element 4 is switched to a previously established basic state via the interrupt interface 35 by the monitoring module 32. In particular, operation of the service element 4 is interrupted in the event of faulty states. This downshift preferably acts directly on the service element 4 without the associated operating module 31 being involved.
  • the operating module 31 and the monitoring module 32 are software modules that run on a common processor, where the modules 31, 32 do not communicate with one another directly, but rather form independent software systems. All modules 31, 32 are synchronized with one another via the communication line 6.
  • the installation 1 is part of a railroad operating system.
  • the system components 2a, 2b are light signals.
  • the system component 2c is a barrier servomotor at a barrier on a road 71.
  • the system component 2d is a sensor and / or a signal for a rail vehicle, not shown.
  • the system 1 optionally includes a switch on rails 72 as system component 2e.
  • Communication between the system components 2c, 2d, 2e and to the system components 2a, 2b is preferably wireless, for example by means of 5G, symbolized by a dashed line.
  • the system component 2 includes an optional operating state sensor 5, as is possible in all other exemplary embodiments.
  • the operating status sensor 5 is in particular a brightness sensor or a resistance sensor with which the operating status of the service elements 4 is determined.
  • the modules 31, 32 are housed in separate processors.
  • a common storage unit 37 is optionally available.
  • the service element 4 is an LED chip which, together with the control unit 3 and the optional operating state sensor 5, is housed in a housing 81, which is made, for example, of an injection-molded plastic. A connection to the communication line (not shown) takes place via electrical contact surfaces 82.
  • the service element 4 of the system component 2 is a motor.
  • a position or rotational speed, for example, is determined via the readback interface 34. If a signal at the readback interface 34 does not correspond to what is specified by the operating module 31, the monitoring module 32 sets the service element 4 into a certain state.
  • it is possible for the interrupt interface 35 not to be connected to a supply line of the service element 4, but instead to send a signal directly to the operating module 31.
  • FIG 6 an operating method for a plant 1 is illustrated. The arrows symbolize the respective directions of communication and possible actions.
  • the operating modules 31 send operating data to the service elements 4.
  • the operating states of the service elements 4 are checked by the monitoring modules 32.
  • the relevant monitoring module 32 intervenes and resets the operating status.
  • the intervention can, as shown, take place directly on the control interface 34 or on a control line, or, differently than shown, directly on the relevant service element 4 or directly on the relevant operating module 31.
  • the operating modules 31 are preferably identical in construction to one another, that is to say constructed according to the same concept and, as far as possible, implemented with the same components. This applies in the same way to the monitoring modules 32.
  • the system components 2 differ, in particular, only in their service elements 4 and, associated therewith, in the activation and control of the service elements 4.
  • a synchronization between all modules 31, 32 takes place bidirectionally via the communication line 6, for example with a periodicity of at most 0.5 s.
  • an access device 9 is connected to the communication line 6, via which, for example, maintenance and / or error analysis takes place. Otherwise, no communication with the system 1 is preferably provided.
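The definitions above describe the split within one control unit: the operating module commands the service element over the control interface, an independent monitoring module reads the actual state back over the readback interface and, if the element does not reach the commanded state within the test time, forces it into the predefined basic state over the interrupt interface without involving the operating module, and the two modules exchange state only through the communication line. The following Python simulation is an added example of that arrangement; it is not code from the patent or from Siemens Mobility. The class and attribute names, the lamp states, the 0.05 s cycle and 0.2 s test time (taken from the ranges given above), and the "stuck lamp" fault injection are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BASIC_STATE = "OFF"   # predefined basic (safe) state of a light signal (assumption)
CYCLE_TIME = 0.05     # s, synchronization period over the communication line (page: at most 0.05 s)
TEST_TIME = 0.2       # s, time the monitoring module allows before judging the state (page: at most 0.2 s)


@dataclass
class ServiceElement:
    """Binary light signal reached through the three interfaces of the control unit.
    `stuck` is a constructed fault: the lamp shows that state whatever is commanded."""
    name: str
    state: str = BASIC_STATE
    stuck: Optional[str] = None
    inhibited: bool = False        # True once the interrupt interface has cut the element off

    def control(self, target: str) -> None:
        """Control interface, used only by the operating module."""
        if self.inhibited:
            return                 # operation-inhibiting state: commands have no effect
        self.state = self.stuck if self.stuck is not None else target

    def readback(self) -> str:
        """Readback interface, used only by the monitoring module."""
        return self.state

    def interrupt(self) -> None:
        """Interrupt interface, used only by the monitoring module: cuts the supply,
        so even a lamp stuck in the wrong state ends up in the basic state."""
        self.inhibited = True
        self.state = BASIC_STATE


class CommunicationLine:
    """Shared line; in this model it is the only path between the two modules."""

    def __init__(self) -> None:
        self.bus: Dict[Tuple[str, str], str] = {}

    def publish(self, component: str, key: str, value: str) -> None:
        self.bus[(component, key)] = value

    def read(self, component: str, key: str) -> str:
        return self.bus.get((component, key), BASIC_STATE)


class OperatingModule:
    def __init__(self, component: str, element: ServiceElement, line: CommunicationLine) -> None:
        self.component, self.element, self.line = component, element, line

    def command(self, target: str) -> None:
        self.element.control(target)
        # the monitoring module learns the commanded state only via the line
        self.line.publish(self.component, "commanded", target)


class MonitoringModule:
    def __init__(self, component: str, element: ServiceElement, line: CommunicationLine) -> None:
        self.component, self.element, self.line = component, element, line
        self.mismatch_since: Optional[float] = None
        self.events: List[str] = []

    def cycle(self, now: float) -> None:
        """One synchronization cycle: compare the commanded and the read-back state."""
        expected = self.line.read(self.component, "commanded")
        actual = self.element.readback()
        if actual == expected:
            self.mismatch_since = None
            self.line.publish(self.component, "monitor", "ok")
            return
        self.line.publish(self.component, "monitor", "mismatch")
        if self.mismatch_since is None:
            self.mismatch_since = now
        elif now - self.mismatch_since + 1e-9 >= TEST_TIME and not self.element.inhibited:
            self.element.interrupt()   # acts on the element directly, not via the operating module
            self.events.append(f"{self.component}: expected {expected}, read {actual}; "
                               f"forced {BASIC_STATE} at t={now:.2f}s")


def run_scenario(target: str, stuck: Optional[str] = None, duration: float = 1.0):
    """Constructed scenario for one component: command `target`, run the monitoring
    cycles for `duration` seconds and return (final readback, inhibited, events)."""
    line = CommunicationLine()
    lamp = ServiceElement("signal-2a", stuck=stuck)
    operating = OperatingModule("2a", lamp, line)
    monitor = MonitoringModule("2a", lamp, line)
    operating.command(target)
    for i in range(int(round(duration / CYCLE_TIME)) + 1):
        monitor.cycle(i * CYCLE_TIME)
    return lamp.readback(), lamp.inhibited, monitor.events


if __name__ == "__main__":
    print(run_scenario("GREEN"))                # healthy lamp: no intervention
    print(run_scenario("GREEN", stuck="OFF"))   # lamp fails dark: forced to basic state after TEST_TIME
    print(run_scenario("OFF", stuck="GREEN"))   # lamp stuck lit: supply cut, goes to OFF
```

The third scenario is the one the monitoring module exists for: a signal that keeps showing a permissive aspect after an OFF command cannot be corrected through the operating module (which believes it is off), but the interrupt interface reaches the element directly. The `inhibited` flag models the operation-inhibiting state the definitions require the monitoring modules to be able to trigger; in the model, the only way out of it would be the maintenance access device, which is deliberately not simulated.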

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

The invention relates to a system (1) which, according to one embodiment, comprises several system components (2) and a communication line (6) through which the system components (2) are connected to one another. The system components (2) each comprise a service element (4) to be controlled and a control unit (3) having an operating module (31) and a monitoring module (32). The service elements (4) are each controlled via a control interface (33) by means of the operating modules (31). The operating states of the service elements (4) are then monitored by the monitoring modules (32) via readback interfaces (34). In the event of a malfunction, interrupt interfaces (35) serve to return the service element (4) concerned to a predefined state via the associated monitoring module (32). The system (1) is designed for decentralized control of the system components (2) by means of the control units (3).
PCT/EP2020/063251 2019-05-28 2020-05-13 System component, safety system and operating method WO2020239437A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102019207790.0A DE102019207790A1 (de) 2019-05-28 2019-05-28 Anlagenkomponente, sicherheitsrelevante Anlage und Betriebsverfahren
DE102019207790.0 2019-05-28

Publications (1)

Publication Number Publication Date
WO2020239437A1 true WO2020239437A1 (fr) 2020-12-03

Family

ID=70918389

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2020/063251 WO2020239437A1 (fr) 2019-05-28 2020-05-13 System component, safety system and operating method

Country Status (2)

Country Link
DE (1) DE102019207790A1 (fr)
WO (1) WO2020239437A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102021001792B3 (de) 2021-04-07 2022-05-25 Sew-Eurodrive Gmbh & Co Kg Automatisierungssystem und Verfahren zum Betrieb eines Automatisierungssystems

Citations (2)

Publication number Priority date Publication date Assignee Title
US20180284741A1 (en) * 2016-05-09 2018-10-04 StrongForce IoT Portfolio 2016, LLC Methods and systems for industrial internet of things data collection for a chemical production process
WO2018234039A1 (fr) 2017-06-22 2018-12-27 Siemens Aktiengesellschaft Procédés et dispositif destinés à transmettre des informations dans un système concernant la sécurité

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
WO2017064565A1 (fr) * 2015-10-13 2017-04-20 Schneider Electric Industries Sas Système et architecture d'automatisation definie par logiciel
EP3240356A1 (fr) * 2016-04-29 2017-11-01 Siemens Aktiengesellschaft Systeme de communication industriel pouvant fonctionner de maniere redondante, son procede de fonctionnement et poste d'abonné radio
US10348481B1 (en) * 2018-04-30 2019-07-09 Cisco Technology, Inc. Clock harmonization in deterministic networks

Non-Patent Citations (2)

Title
MASSONET PHILIPPE ET AL: "End-To-End Security Architecture for Federated Cloud and IoT Networks", 2017 IEEE INTERNATIONAL CONFERENCE ON SMART COMPUTING (SMARTCOMP), IEEE, 29 May 2017 (2017-05-29), pages 1 - 6, XP033106434, DOI: 10.1109/SMARTCOMP.2017.7947005 *
WIELAND SABINE ET AL: "Communication network using swarm intelligence to control electricity grids: Swarm intelligence against black out", 2015 26TH IRISH SIGNALS AND SYSTEMS CONFERENCE (ISSC), IEEE, 24 June 2015 (2015-06-24), pages 1 - 7, XP033179980, DOI: 10.1109/ISSC.2015.7163760 *

Also Published As

Publication number Publication date
DE102019207790A1 (de) 2020-12-03

Similar Documents

Publication Publication Date Title
EP2620820B1 (fr) Agencement de module
EP2445771B1 (fr) Procede de creation d'un poste d'aiguillage electronique pour remplacer un poste d'aiguillage existant
DE102011110184A1 (de) Modulare Steuervorrichtung
DE102011110182A1 (de) Modulare Steuerungsvorrichtung
EP2315088A1 (fr) Commande de sécurité
EP2302472A2 (fr) Système de contrôle de processus critiques pour la sécurité
DE4416795C2 (de) Redundant konfigurierbares Übertragungssystem zum Datenaustausch und Verfahren zu dessen Betrieb
DE102005014804A1 (de) Bordnetzsystem für ein Kraftfahrzeug sowie Steuergerät und intelligentes Energieversorgungsgerät für ein Bordnetzsystem eines Kraftfahrzeugs
DE102017123615B4 (de) Konfigurierbares Sicherheitsmodul zur Erfassung digitaler oder analoger Eingangs- oder Ausgangssignale
DE10035174A1 (de) Peripheriebaustein mit hoher Fehlersicherheit für speicherprogrammierbare Steuerungen
EP3100121B1 (fr) Procédé et dispositif pour déconnecter en toute sécurité une charge électrique
EP1672446B1 (fr) Module d'entrée/sortie sécurisé pour un controleur
WO2020239437A1 (fr) System component, safety system and operating method
EP3415399B1 (fr) Système d'alimentation à sureté intégrée d'un consommateur électrique à l'aide d'un bus d'énergie redondant
DE19540069A1 (de) Anordnung zur Erfassung und/oder Verarbeitung von Signalen elektrischer Bauteile, die sicherheitstechnische Zwecke oder Auflagen für Geräte oder Anlagen erfüllen
DE19813389C2 (de) Sicherheitsgerichtete Ansteuerschaltung
WO2013153057A1 (fr) Procédé de transmission de données de processus de données dans une installation à commande automatique
DE102010038459A1 (de) Sicherheitssystem
DE2925169A1 (de) Rechnergesteuertes stellwerk
EP3977211A1 (fr) Système de commande et procédé pour faire fonctionner un système de commande
EP2769273B1 (fr) Module d'extension pour un système de sécurité
EP1134715B1 (fr) Circuit pour lampes de dispositif de signalisation de circulation
DE19805819B4 (de) Verfahren zur Überwachung von integrierten Schaltkreisen
DE102019109753A1 (de) Industrieanlage
DD265020A1 (de) Schaltungsanordnung zur signaltechnisch sicheren ansteuerung und ueberwachung von prozesselementen

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20728969; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20728969; Country of ref document: EP; Kind code of ref document: A1)