
CN1289345C - Method for controlling safety-critical railway operating process and device for carrying out said method - Google Patents

Info

Publication number: CN1289345C
Authority: CN (China)
Prior art keywords: computer, reliable, railway, signal, commercial
Legal status: Expired - Fee Related
Application number: CNB018238238A
Other languages: Chinese (zh)
Other versions: CN1558848A (en)
Inventors: 沃尔克·戈里克, 伯恩德·普拉德, 拉尔夫·希瓦辛斯克
Current assignee: Siemens Corp
Original assignee: Siemens Corp
Events: application filed by Siemens Corp; publication of CN1558848A; application granted; publication of CN1289345C; anticipated expiration; current status Expired - Fee Related

Classifications

    • G Physics > G06 Computing or calculating; counting > G06F Electric digital data processing
        • G06F 11/00 Error detection; error correction; monitoring
            • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
                • G06F 11/14 Error detection or correction of the data by redundancy in operation
                    • G06F 11/1497 Details of time-redundant execution on a single processing unit
                • G06F 11/16 Error detection or correction of the data by redundancy in hardware
                    • G06F 11/1608 Error detection by comparing the output signals of redundant hardware
                        • G06F 11/1625 ... in communications, e.g. transmission, interfaces
                    • G06F 11/1629 Error detection by comparing the output of redundant processing systems
                        • G06F 11/1641 ... where the comparison is not performed by the redundant processing components
                    • G06F 11/1675 Temporal synchronisation or re-synchronisation of redundant processing components
                        • G06F 11/1683 ... at instruction level
    • B Performing operations; transporting > B61 Railways > B61L Guiding railway traffic; ensuring the safety of railway traffic
        • B61L 21/00 Station blocking between signal boxes in one yard

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mechanical Engineering (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Safety Devices In Control Systems (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)

Abstract

In the method for controlling a safety-critical railway operating process, the program is split into system software (V, PMS) and railway-management-specific software (BO). The system software runs on a fail-safe computer (SR*) and collects from outside the commands (K) and indications (M) that influence the control; it passes them to commercial computers (R1, R2), in which the actual process control prescribed by the operating rules of the respective railway is carried out. The railway-management-specific program is executed in two channels, either in parallel or serially, and the fail-safe computer checks whether the commercial computers have each arrived at the same result. Only when at least two consistent processing results from the commercial computers have been identified in a fail-safe manner does the fail-safe computer output (SB) to the process (BA) to be controlled; otherwise it disconnects the process components (W, S) in a fail-safe manner. The advantage is that the fail-safe computer can always use the same system software, while the railway-management-specific software can be developed and verified separately, independently of the system software. Compared with the prior art this saves considerable expense and time without affecting safety.

Description

Method for controlling safety-critical railway operations and device for carrying out said method
Technical Field
The invention relates to a method for controlling a safety-critical railway operating process using at least one fail-safe computer (the railway-signalling term "signaltechnisch sicher", rendered by the machine translation as "signal-technology-reliable": a computer whose outputs are either correct or safely withheld). The fail-safe computer processes input commands in a fail-safe manner according to the railway operating rules, outputs the resulting control commands fail-safe to the process components (points, signals), and uses the indications returned by those components for monitoring the process state and for process control. The invention also relates to a device for carrying out the method.
Background
Railway operation is a safety-critical process: a functional failure that is not detected in time and kept away from the process can cause considerable material damage and endanger people. For this reason fail-safe devices have been used to control such processes. Their task is to detect functional faults both inside the controlled process and inside the control system itself, and to steer or hold the process in a safe state. Fail-safe control can be realized with different techniques, for example relay technology or electronics. For fail-safe electronic process control, expensive special-purpose computers have so far been used which process the current task in two channels and compare the two processing sequences for agreement, in real time and in a fail-safe manner. A control command is output to a process component only when both channels have produced the same result; otherwise the connection to the process is cut off, unless a standby computer is available that can take over, and actually does take over, the functions of the failed computer.
The functions described above, namely fail-safe input and output of data and fail-safe data comparison, including the fail-safe disconnection of process components when necessary, are implemented by the system software of the fail-safe computer. In addition, fail-safe computers have so far also contained the railway-management-specific software for the actual process control (for example, interlocking control). This railway-management software is determined by the operating rules of the respective railway administration and describes, for example, the route-setting sequence and the route-release dependencies prescribed by those rules (Signal + Draht, 77 (1985) 12, pages 259-265). Railway-management-specific software differs not only between railway administrations but, at least in part, between installations of the same administration. The software installed and running in a fail-safe computer therefore varies from application to application, and the correctness of the loaded software has to be demonstrated by a formal or convincing proof for each application. Mixing system software and railway-management-specific software in the same computer produces complex software packages that are hard to survey and time-consuming and expensive to build and to verify.
Disclosure of Invention
The object of the invention is to provide a method for controlling safety-critical railway operating processes that requires little effort for creating the programs needed for safe process control and that can react quickly and cheaply to requests by the railway operator to change the process control. The invention also provides a device for carrying out the method.
This object is achieved by a method for controlling a safety-critical railway operating process using at least one fail-safe computer, which processes input commands fail-safe in accordance with the railway operating rules, outputs the resulting control commands fail-safe to process components, and uses the indications generated by the process components for process state monitoring and process control, in which: only system software is stored in the fail-safe computer, its programs enabling the fail-safe computer to perform fail-safe input/output and fail-safe data comparison; the railway-management-specific software, which contains the conditions and dependencies predefined for the railway operating process by the railway administration through its operating rules, is stored in at least one non-fail-safe commercial computer; the fail-safe computer generates a processing task from the commands and indications transmitted to it and passes it to the commercial computer, where the task is processed at least twice, independently of one another; the results and/or intermediate results are transmitted to the fail-safe computer, which verifies their content consistency in a fail-safe manner; and the fail-safe computer accepts only those results and/or intermediate results that the commercial computer supplies at least twice consistently, and outputs the control commands derived from them fail-safe to the process components.
The object is also achieved by a device for carrying out a method for controlling a safety-critical railway operating process using at least one fail-safe computer, which processes input commands fail-safe in accordance with the railway operating rules, outputs the resulting control commands fail-safe to process components, and uses the indications generated by the process components for process state monitoring and process control, in which: only one system software is implemented in the fail-safe computer, its programs enabling the fail-safe computer to perform fail-safe input/output and fail-safe data comparison; at least one non-fail-safe commercial computer is provided in which the railway-management-specific software is implemented, containing the control rules predefined for the railway operating process by the railway administration through its operating rules; the fail-safe computer and the commercial computer are connected to a communication system over which the fail-safe computer transmits processing tasks to the commercial computer and receives results and/or intermediate results from it; the commercial computer is arranged to execute the processing tasks at least twice, independently of one another; and the fail-safe computer verifies fail-safe the content consistency of the results and/or intermediate results transmitted to it by the commercial computer, derives control commands for the process components from the verification result, and outputs them to the process components via drivers provided for this purpose.
The basic idea of the invention is to move the railway-management software out of the fail-safe computer into commercial computers, where the data are processed at least twice in each case, and to carry out a consistency check in the fail-safe computer before anything is output to the process. Apart from data comparison, the fail-safe computer then essentially has the following tasks: to capture the incoming indications and commands fail-safe and pass them to the commercial computers, to act fail-safe on the process components, and to disconnect the process components fail-safe in the event of a fault.
Preferred embodiments and further developments of the method and device according to the invention are given in the dependent claims.
Drawings
The invention is explained in more detail below with reference to the embodiments shown in the drawings, in which
Fig. 1 schematically shows the structure of the device according to the invention for controlling a safety-critical railway operating process, and
Fig. 2 shows the structure of a corresponding prior-art implementation.
Detailed Description
Fig. 2 shows a known fail-safe computer SR which processes the process in two separate processing channels K1, K2, preferably with the same processing program. The computer SR stands for any number of fail-safe computers; their number depends mainly on the size of the process to be controlled. The process to be controlled is a railway operating process acting on a railway installation BA; one set of points W and one signal S represent the process components of the installation. The process components are controlled and monitored by control and monitoring circuits developed for this purpose (not shown); via these circuits the fail-safe computer SR issues control commands to the process components and receives indications M from them.
The fail-safe computer SR passes the indications M it receives from the process to the input and display computer EAR via the communication bus KB. The input and display computer monitors, among other things, the course of railway operation in accordance with the display rules laid down in the respective operating regulations; it is preferably itself built as a fail-safe computer. Commands K for controlling the railway operating process are also generated at this input and display computer EAR and transmitted to the fail-safe computer SR. They can be entered by an operator, for example the dispatcher, or generated by automation, for example for automatic route setting (Selbststellbetrieb) or for automatic through-running.
In the fail-safe computer the indications and commands are processed in two channels according to the conditions and dependencies laid down in the operating rules of the respective railway operator. The data, address and control signals on the buses of the two processing systems are compared in real time in a fail-safe manner, so that any deviation is detected immediately. In addition, a test program checks the fail-safe computer's input/output registers, its program and working memories and their address registers at a predetermined minimum interval to see whether the memory cells can still take on either state. In this way possible malfunctions are detected, event- or time-triggered, and cause a fail-safe disconnection of the peripherals: no control command can be output to the points any more, and the signal lamps are switched off.
Storing the predefined conditions and dependencies of the railway operating rules, represented in the figure by the oval BO, in the program memory of the fail-safe computer SR and mixing them with the system software makes the software held in the fail-safe computer for controlling railway operation very complex and exceptionally expensive both to create and to test.
In the device according to the invention shown in Fig. 1 there is again at least one fail-safe computer SR* with two preferably identically built and identically operating processing channels K1* and K2*. Their task, like that of the prior-art fail-safe computer SR, is to capture and process fail-safe all indications M and commands K supplied to them. It is also their task to output the processed control commands SB fail-safe to the process components W, S of the respective railway installation BA and to ensure that the output of control commands is reliably stopped in the event of a fault. In contrast to the prior art, the processing of the conditions and dependencies defined by the respective railway operating rules BO for controlling and monitoring railway operation takes place not in the fail-safe computer SR* but in commercial computers R1, R2, ..., Rn. Installation-specific data for controlling the railway operation are also stored in these commercial computers. Computers R1, R2 represent one or more computer pairs, where each computer may also belong to several pairs; three computers, for example, can form three pairs. The computers of a pair process, independently of one another and according to the conditions and dependencies laid down for process control in the railway operating rules BO, the processing task A handed to them by the fail-safe computer SR*. The two computers of a pair R1, R2 transmit their processing results to the fail-safe computer SR*, where a supervised waiting time has to be provided for whichever computer R1 or R2 finishes first, during which the result of the other computer is awaited; if the time is exceeded, fault handling takes place.
Fig. 1 also shows schematically the checking mechanism PM for the integrity of the indications supplied to the commercial computer pair R1, R2, of the outputs processed by them, and of signatures over memory areas. Commands K entered at the input and display computer EAR are passed to the fail-safe computer SR*, which converts them into a processing task A and transmits it as telegrams to the commercial computers R1, R2; there the task is processed according to the conditions and dependencies of the respective railway operating rules BO.
Where the processing by the railway-management software in the commercial computer reaches a point at which the program is to continue only after a predetermined waiting time, the fail-safe computer ensures, at the request of the commercial computer, the synchronization of the commercial computers' programs so that processing continues after the waiting time has elapsed. For example, certain sensor indications are to be read in and processed by the commercial computer only some seconds after a waiting time.
The processing results E determined by the commercial computers R1, R2 are sent as telegrams to the fail-safe computer SR*, where they are distributed fail-safe to the two processing channels K1* and K2* and compared fail-safe for consistency. The programs for the fail-safe distribution of the indications and the fail-safe comparison of the results from the commercial computers R1, R2 are stored as system software in a functional block V. Unlike the checking mechanism PM of the commercial computers R1, R2, the checking mechanism PMS of the fail-safe computer is itself implemented fail-safe.
Compared with prior-art devices, the device according to the invention has the advantage that the fail-safe computer always implements only the fail-safe input and output and the fail-safe data comparison, independent of the requirements and conditions laid down by the operating rules of the individual railway administrations. The system software running in the fail-safe computer is therefore not only simple and clear; it is the same for all applications and no longer has to be reworked and re-approved whenever circumstances change. The railway-management-specific software, which is determined by the differing operating rules of the individual railway administrations, runs in the commercial computers. Its interaction with the system software of the fail-safe computer does not have to be verified; what has to be shown is only that the interface between the fail-safe computer and the commercial computers is fail-safe, and that the railway-management-specific software implemented in the commercial computers performs its function, i.e. that a given input actually produces the given output. This functional verification is carried out separately from the verification of the system software and, unlike in the prior art, is no longer entangled with the system software of the fail-safe computer.
The railway-management-specific software does not have to be programmed by the manufacturer responsible for the fail-safe behaviour of the process control. A contract for programming the commercial computers can instead be awarded to a qualified engineering office or similar, which coordinates the software it produces with the respective railway administration and approving authority, such as the federal railway authority. The programs for controlling and monitoring safety-critical railway operation can thus be adapted to the respective conditions faster and more cheaply than before, without any loss of safety.
In the embodiment described above, the commercial computers R1, R2 represent one or more dual-computer systems, or computer systems with redundant computers, in which the computers run the same programs for processing the predetermined conditions and dependencies of the respective railway operating rules; preferably each commercial computer implements only specific partial functions of the operating rules or acts only on specific parts of the railway installation. It may, however, also be provided that each of the commercial computers R1, R2 is a stand-alone computer in which the programs of the railway-management-specific software are executed several times (at least twice) in succession, independently of one another. The railway-management-specific software needed for this can be designed diversely, but may also be identical in content for both passes.
For transmitting the commercial computers' results to the fail-safe computer, a non-fail-safe data transmission can be used: the results of the serial or parallel processing in the two channels are either transmitted to the fail-safe computer over two channels or transmitted twice in succession over a single channel. A second or third redundant channel improves availability. Corruption of data on the transmission path from the commercial computer to the fail-safe computer, and vice versa, can be recognized in the receiving computer by a signature appended by the transmitting computer, which encodes the telegram content according to a calculation rule. Such a signature is a checksum against accidental corruption; it is not a cryptographic authentication code and does not by itself protect against a deliberately forged telegram. When data are transmitted serially to the fail-safe computer, data markers are added that allow the fail-safe computer to recognize whether the transmitted data are current, actually come from different computing channels of the commercial computer, and are the results of separate processing runs; when data are transmitted over separate buses, the fail-safe computer can recognize from which of the two buses the data arrived and therefore whether they actually come from one or the other computer of the commercial computer pair.
In a preferred embodiment the commercial computer can be implemented as a so-called operator terminal computer, through which railway staff or automation give the commands for the railway operating process and on which the reactions of the process are visualized. In that case the programs for entering and visualizing commands and indications and the programs for controlling the process components according to the railway operating rules run in the operator terminal computer independently of one another. The program for command entry and visualization of process events can also be combined with a process control program prescribed, for example, by the railway operating rules.
The fail-safe computer can also be implemented as an m-out-of-n computer system, in which the decision whether, and which, control commands are output to the process is taken by majority vote of at least two fault-free computers.
The output of control commands to the process is two-channel; each computer can block the output of control commands when it detects a processing fault.
The method and device according to the invention can be used advantageously for all safety-critical railway operating processes: for example, for the fail-safe control of an interlocking, but also for the fail-safe control of level crossings, of the trackside and on-board equipment of axle-counting systems (Achszählanlage) and of continuous automatic train control (LZB, Linienzugbeeinflussung).
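The processing and comparison path described in the passages above (task A to the commercial computers, signed result telegrams E with data markers, the supervised waiting time, the 2-of-2 comparison and the m-of-n vote), modelled in Python as an added example. This is not code from the patent or from Siemens; the telegram format, the CRC32 "signature", the interlocking rule and all names (TASK, route_logic_a, route_logic_b, commercial_computer, sr_star_decide) are assumptions made for illustration.

```python
"""Model of the split architecture described above (added example, not Siemens code):
fail-safe computer SR* hands processing task A to commercial computers R1..Rn, which
run the railway-management-specific software BO independently; SR* outputs control
command SB only when enough intact, independent, current results agree, otherwise it
blocks the output.  Telegram format, CRC32 signature and the rule are assumptions."""
import json
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Command = Dict[str, str]  # control command SB, e.g. {"W1": "left", "S1": "proceed"}

def canonical(obj) -> bytes:
    """Deterministic encoding so equal content from two channels compares equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(payload: dict) -> str:
    """'Signature' in the patent's sense: a calculation rule (CRC32 here) over the
    content.  It detects transmission distortion; it is not an authentication code
    and would not detect a deliberately forged telegram."""
    return f"{zlib.crc32(canonical(payload)):08x}"

def make_telegram(payload: dict) -> dict:
    return {"payload": payload, "sig": sign(payload)}

def verify_telegram(tg) -> Optional[dict]:
    """Payload if the signature matches, otherwise None (distorted in transit)."""
    if not isinstance(tg, dict) or "payload" not in tg or "sig" not in tg:
        return None
    return tg["payload"] if sign(tg["payload"]) == tg["sig"] else None

# Railway-management-specific software BO on the commercial computers: two diverse
# (constructed) implementations of one interlocking rule: a route may be set only
# if no section on it is occupied and every switch it needs is free to move.
def route_logic_a(task: dict) -> Command:
    clear = not any(task["occupied"].get(sec, True) for sec in task["sections"])
    free = all(task["switch_free"].get(w, False) for w in task["switches"])
    if clear and free:
        return {**task["switches"], task["signal"]: "proceed"}
    return {task["signal"]: "stop"}

def route_logic_b(task: dict) -> Command:
    for sec in task["sections"]:
        if task["occupied"].get(sec, True):
            return {task["signal"]: "stop"}
    for w in task["switches"]:
        if not task["switch_free"].get(w, False):
            return {task["signal"]: "stop"}
    return {**task["switches"], task["signal"]: "proceed"}

def commercial_computer(channel: str, logic: Callable[[dict], Command], task: dict) -> dict:
    """R1, R2, ...: process task A, return result E as a signed telegram carrying the
    data markers SR* needs: task id (is it current?) and channel id (who computed it?)."""
    return make_telegram({"task_id": task["task_id"], "channel": channel,
                          "command": logic(task)})

@dataclass
class Decision:
    output: Optional[Command]  # SB to points and signals, or None
    safe_state: bool           # True: output blocked, process disconnected
    reason: str

def sr_star_decide(task: dict, arrivals: List[Tuple[float, dict]],
                   deadline: float, required: int = 2) -> Decision:
    """System software V/PMS on SR*: 2-of-2 comparison, or m-of-n vote when more
    channels answer.  A command is accepted only if `required` distinct channels
    delivered intact, current, agreeing results within the supervised waiting time."""
    votes: Dict[str, List[str]] = {}
    seen = set()
    for t, tg in arrivals:
        if t > deadline:
            continue                        # waiting time exceeded: fault handling
        payload = verify_telegram(tg)
        if payload is None or payload.get("task_id") != task["task_id"]:
            continue                        # distorted, stale or replayed
        ch = payload.get("channel")
        if ch in seen:
            continue                        # same channel twice is not independent
        seen.add(ch)
        votes.setdefault(canonical(payload["command"]).decode(), []).append(ch)
    winners = [k for k, chans in votes.items() if len(chans) >= required]
    if len(winners) == 1:                   # exactly one command reached the threshold
        chans = votes[winners[0]]
        return Decision(json.loads(winners[0]), False,
                        f"{len(chans)} consistent results from {sorted(chans)}")
    tally = {k: len(v) for k, v in votes.items()}
    return Decision(None, True, f"no unique {required}-fold consistent result: {tally}")

# Constructed sample task A: route over sections T1, T2, switch W1 left, entry signal S1.
TASK = {"task_id": 41, "signal": "S1", "switches": {"W1": "left"},
        "sections": ["T1", "T2"], "occupied": {"T1": False, "T2": False},
        "switch_free": {"W1": True}}

if __name__ == "__main__":
    r1 = commercial_computer("R1", route_logic_a, TASK)
    r2 = commercial_computer("R2", route_logic_b, TASK)
    print(sr_star_decide(TASK, [(0.1, r1), (0.2, r2)], deadline=1.0))  # accepted
    print(sr_star_decide(TASK, [(0.1, r1), (1.5, r2)], deadline=1.0))  # R2 late: safe state
```

The voter refuses when no command, or more than one command, reaches the agreement threshold, so a 2-2 split among four channels blocks the output rather than picking the first match; the serial two-pass variant of claim 7 maps onto two telegrams from one machine that carry different channel markers, and a telegram that repeats a marker is not counted twice. Because the CRC32 signature only catches accidental corruption, any deployment on a network an attacker can reach would need an authenticated channel on top of it.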

Claims (20)

1. A method for controlling a safety-critical railway operating process using at least one fail-safe computer, which processes input commands fail-safe in accordance with the railway operating rules, outputs the processed control commands fail-safe to process components, and uses the indications generated by the process components for process state monitoring and process control, characterized in that: only system software (V, PMS) is stored in the fail-safe computer (SR*), its programs enabling the fail-safe computer to perform fail-safe input/output and fail-safe data comparison; the railway-management-specific software (BO), which contains the conditions and dependencies predefined for the railway operating process by the railway administration through its operating rules, is stored in at least one non-fail-safe commercial computer (R1, R2); the fail-safe computer generates a processing task (A) from the commands (K) and indications (M) transmitted to it and transmits it to the commercial computer; the processing task is processed at the commercial computer at least twice, independently of one another; the results (E) and/or intermediate results of the processing are transmitted to the fail-safe computer, which verifies their content consistency in a fail-safe manner; and the fail-safe computer accepts only those results and/or intermediate results that are supplied at least twice consistently by the commercial computer, and outputs the control commands (SB) derived from them fail-safe to the process components (BA).
2. The method according to claim 1, characterized in that the same or different software is used for the at least two processings of the processing task in the commercial computer.
3. The method according to claim 1 or 2, characterized in that the time sequences arising in the processing of the railway-management-specific software (BO) are synchronized by the fail-safe computer (SR*) at the request of the commercial computer.
4. The method according to claim 1, characterized in that the results and/or intermediate results determined by the commercial computer are transmitted to the fail-safe computer over a non-fail-safe communication channel.
5. The method according to claim 1, characterized in that a telegram-type data transmission is provided and the telegram is signed, each receiving computer being able to recognize from the signature whether the telegram was transmitted without distortion.
6. The method according to claim 1, characterized in that a telegram-type data transmission is provided and the telegram is signed, the fail-safe computer being able to recognize from the signature whether distortion has occurred in the program memory and data memory of the commercial computer or whether the CPU of the commercial computer is no longer working correctly.
7. The method according to claim 1, characterized in that the processing task is processed either essentially simultaneously in at least two commercial computers (R1, R2) or serially in time in only one computer, and the determined results and/or intermediate results are transmitted in pairs to the fail-safe computer for comparison.
8. The method according to claim 7, characterized in that the telegrams are provided with a marker from which the fail-safe computer can recognize whether the telegrams were actually processed separately.
9. The method according to claim 7, characterized in that the fail-safe computer recognizes, from the results of the commercial computers transmitted to it via different inputs, whether the telegrams come from different computers.
10. The method according to claim 1, characterized in that systematic errors in the railway-management-specific software (BO) are excluded by using different operating systems in the computers concerned (R1 to Rn).
11. The method according to claim 1, characterized in that systematic errors in the commercial computer hardware are excluded by using different computer components in the computers concerned (R1 to Rn).
12. A device for carrying out a method for controlling a safety-critical railway operating process using at least one fail-safe computer, which processes input commands fail-safe in accordance with the railway operating rules, outputs the processed control commands fail-safe to process components, and uses the indications generated by the process components for process state monitoring and process control, characterized in that: only one system software is implemented in the fail-safe computer (SR*), its programs enabling the fail-safe computer to perform fail-safe input/output (K, E, M, A, SB) and fail-safe data comparison; at least one non-fail-safe commercial computer (R1, R2) is provided in which railway-management-specific software is implemented, containing the conditions and dependencies predefined for the control of the railway operating process by the railway administration through its operating rules; the fail-safe computer and the commercial computer are connected to a communication system over which the fail-safe computer transmits processing tasks (A) to the commercial computer and receives results (E) and/or intermediate results from it; the commercial computer is arranged to execute the processing task at least twice, independently of one another; and the fail-safe computer verifies fail-safe the content consistency of the results (E) and/or intermediate results transmitted to it in pairs by the commercial computer, derives from the verification result the control commands (SB) for the process components (W, S), and outputs them to the process components via drivers provided for this purpose.
13. The device according to claim 12, characterized in that only programs whose function has been verified are installed in the commercial computer as well.
14. The device according to claim 12 or 13, characterized in that the commercial computer executes the processing task at least twice, with the same or different software.
15. The device according to claim 12, characterized in that at least two commercial computers are provided which execute the same processing task in pairs, independently of one another.
16. The device according to claim 12, characterized in that, for performing different functions or partial functions or for controlling and monitoring different parts of the installation, several commercial computers (R1, R2) are provided, in single-computer or multi-computer implementations.
17. The device according to claim 12, characterized in that at least one commercial computer is an operator terminal computer, through which commands (K) are entered into the fail-safe computer and indications (M) are displayed.
The device according to claim 12, characterized in that at least one business computer is an operator terminal computer via which instructions (K) are entered into the reliable computer and instructions (M) are displayed. 18.根据权利要求12所述的装置,其特征在于,所述可靠的计算机是n中取m的计算机系统。18. The apparatus of claim 12, wherein the reliable computer is an m-out-of-n computer system. 19.根据权利要求12所述的装置,其特征在于,所述可靠的计算机设置用来,根据附加在由至少一台所述商用计算机传送的结果和/或中间结果中的标记来识别,该结果和/或中间结果是否来自于不同的处理过程。19. The apparatus according to claim 12, characterized in that said reliable computer is configured to identify, based on a flag attached to the results and/or intermediate results transmitted by at least one of said business computers, that Whether results and/or intermediate results come from different processes. 20.根据权利要求12所述的装置,其特征在于,所述可靠的计算机两个通道地向过程部件给出可能的控制指令。20. The device as claimed in claim 12, characterized in that the secure computer issues possible control commands to the process components over two channels.
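The split the claims describe, a small signal-technically reliable computer (SR*) that does only signed input/output and comparison while non-reliable commercial computers (R1, R2) run the railway-administration-specific software (BO), can be modelled end to end in a few dozen lines. The example below is added for illustration and is not code from the patent or from Siemens. Its assumptions are marked in the comments: the claims only say each telegram is "signed", so HMAC-SHA256 over the telegram body stands in for the signature; the "marker" of claims 8 and 19 is modelled as a processing-instance field in the telegram; and the BO software is a constructed three-entry route table, nothing like a real interlocking rule set. The model exercises the acceptance rule of claim 1 (output only what two independent runs delivered identically), the corrupted-telegram case of claims 5 and 6, and the not-independently-processed case of claims 8, 9 and 19; in each failure case SR* issues no control command, which is the safe side.

```python
import hashlib
import hmac
import json

# ASSUMPTION: the claims only say telegrams are "signed"; this model uses
# HMAC-SHA256 with a key shared by SR* and R1/R2. Constructed demo value.
TELEGRAM_KEY = b"constructed-demo-key"

# Constructed stand-in for the BO software: route request -> required point (W)
# positions and signal (S) aspects. Real interlocking rules are far richer.
ROUTE_TABLE = {
    "A-B": {"W1": "left", "W2": "left", "S1": "proceed"},
    "A-C": {"W1": "right", "W2": "left", "S2": "proceed"},
}


def bo_software_v1(task):
    """First BO implementation (claim 2 allows same or different software)."""
    return dict(ROUTE_TABLE[task["route"]])


def bo_software_v2(task):
    """Second, independently coded implementation of the same specification."""
    result = {}
    for element, state in sorted(ROUTE_TABLE[task["route"]].items(), reverse=True):
        result[element] = state
    return result


def sign_telegram(instance, task_id, result):
    """Signed telegram; `instance` is the marker of claims 8/19 naming the
    processing run (R1, R2, or two serial runs on one machine) that produced it."""
    body = json.dumps({"instance": instance, "task": task_id, "result": result},
                      sort_keys=True).encode()
    tag = hmac.new(TELEGRAM_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_telegram(telegram):
    """Decoded telegram, or None when the signature fails (corruption on the
    link, or a commercial computer whose memory/CPU is faulty, claims 5/6)."""
    expected = hmac.new(TELEGRAM_KEY, telegram["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, telegram["tag"]):
        return None
    return json.loads(telegram["body"])


class CommercialComputer:
    """Non-reliable computer R_i: runs BO and returns a signed telegram."""
    def __init__(self, instance, software):
        self.instance, self.software = instance, software

    def process(self, task):
        return sign_telegram(self.instance, task["id"], self.software(task))


class ReliableComputer:
    """SR*: only signed I/O and comparison, no railway rules (claim 12)."""
    def __init__(self):
        self.rejections = []

    def accept(self, task_id, telegrams):
        """Return control command SB, or None (no output is the safe state)."""
        instances, results = set(), []
        for telegram in telegrams:
            msg = verify_telegram(telegram)
            if msg is None:
                self.rejections.append(("bad_signature", task_id))
                return None
            if msg["task"] != task_id:
                self.rejections.append(("wrong_task", task_id))
                return None
            if msg["instance"] in instances:  # same marker twice: not independent
                self.rejections.append(("not_independent", task_id))
                return None
            instances.add(msg["instance"])
            results.append(msg["result"])
        # Claim 1: accept only what was delivered at least twice in agreement.
        if len(results) < 2 or any(r != results[0] for r in results[1:]):
            self.rejections.append(("mismatch", task_id))
            return None
        return {"task": task_id, "SB": results[0]}


def demo():
    """Healthy case plus three failure cases, all through one SR* instance."""
    task = {"id": 17, "route": "A-B"}
    r1 = CommercialComputer("R1", bo_software_v1)
    r2 = CommercialComputer("R2", bo_software_v2)
    sr, out = ReliableComputer(), {}
    out["ok"] = sr.accept(17, [r1.process(task), r2.process(task)])
    # Bit error on the non-reliable link (claim 4): body changes, tag does not.
    t = r2.process(task)
    damaged = {"body": t["body"].replace(b'"left"', b'"righ"', 1), "tag": t["tag"]}
    out["corrupted"] = sr.accept(17, [r1.process(task), damaged])
    # One processing run answering twice instead of two independent runs.
    out["same_instance"] = sr.accept(17, [r1.process(task), r1.process(task)])
    # Latent BO defect on one channel: contents differ, so no SB is issued.
    faulty = CommercialComputer("R2", lambda t: {"W1": "right", "W2": "left", "S1": "proceed"})
    out["mismatch"] = sr.accept(17, [r1.process(task), faulty.process(task)])
    return out, sr.rejections


if __name__ == "__main__":
    outcomes, rejections = demo()
    print(outcomes)
    print("rejections:", rejections)
```

Two design points carry over from the claims to real systems. First, everything the safe computer does is generic (verify, compare, output), so it can be qualified once and reused, while the BO logic that changes with every operator's rulebook lives on hardware and software that never has to be qualified to the same level. Second, the signature check on the safe side is what turns the cheap link and the commercial hardware of claims 4 and 6 into something usable: an undetected bit flip in transit, in the commercial computer's memory, or in its CPU either breaks the signature or makes the two runs disagree, and both outcomes end in "no output".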
CNB018238238A 2001-11-22 2001-11-22 Method for controlling safety-critical railway operating process and device for carrying out said method Expired - Fee Related CN1289345C (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/DE2001/004485 WO2003047937A1 (en) 2001-11-22 2001-11-22 Method for controlling a safety-critical railway operating process and device for carrying out said method

Publications (2)

Publication Number Publication Date
CN1558848A CN1558848A (en) 2004-12-29
CN1289345C true CN1289345C (en) 2006-12-13

Family

ID=5648319

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB018238238A Expired - Fee Related CN1289345C (en) 2001-11-22 2001-11-22 Method for controlling safety-critical railway operating process and device for carrying out said method

Country Status (7)

Country Link
JP (1) JP4102306B2 (en)
KR (1) KR20040063935A (en)
CN (1) CN1289345C (en)
AU (1) AU2002224742A1 (en)
CA (1) CA2467972A1 (en)
MX (1) MXPA04004840A (en)
WO (1) WO2003047937A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2929056B1 (en) * 2008-03-19 2010-04-16 Alstom Transport Sa DEVICE FOR DETECTING A SECURITY THRESHOLD OF A RAIL SYSTEM
DE102012211273A1 (en) * 2012-06-29 2014-01-02 Siemens Aktiengesellschaft Method and arrangement for controlling a technical installation
DE102013218814A1 (en) * 2013-09-19 2015-03-19 Siemens Aktiengesellschaft Method for operating a safety-critical system
CN105822665A (en) * 2016-06-02 2016-08-03 株洲时代新材料科技股份有限公司 Integrated metal joint bearing in low-floor vehicle fixed hinge and assembly method thereof
CN112462731B (en) * 2020-10-16 2022-06-24 北京西南交大盛阳科技股份有限公司 Safety supervision control method, safety supervision control device, computer equipment and safety supervision system
JP7524750B2 (en) * 2020-12-08 2024-07-30 トヨタ自動車株式会社 Vehicle control device, vehicle control method, and control program
EP4293957B1 (en) * 2022-06-16 2025-06-04 Siemens Mobility GmbH Method and assembly for creating a control signal

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3323269A1 (en) * 1983-06-28 1985-01-10 Siemens AG, 1000 Berlin und 8000 München DEVICE FOR THE OPERATION OF A COMPUTER-CONTROLLED ACTUATOR
ATE110477T1 (en) * 1990-08-14 1994-09-15 Siemens Ag HIGH SECURITY MULTIPLE COMPUTER SYSTEM WITH THREE COMPUTERS.
DE4107639A1 (en) * 1991-03-09 1992-09-10 Standard Elektrik Lorenz Ag DEVICE FOR SIGNAL-SAFE REMOTE CONTROL OF A SUBSTATION IN A RAILWAY SYSTEM

Also Published As

Publication number Publication date
JP4102306B2 (en) 2008-06-18
HK1069363A1 (en) 2005-05-20
CN1558848A (en) 2004-12-29
JP2005511386A (en) 2005-04-28
WO2003047937A1 (en) 2003-06-12
MXPA04004840A (en) 2004-08-02
CA2467972A1 (en) 2003-06-12
KR20040063935A (en) 2004-07-14
AU2002224742A1 (en) 2003-06-17

Similar Documents

Publication Publication Date Title
US10589765B2 (en) Railway safety critical systems with task redundancy and asymmetric communications capability
US8714494B2 (en) Railway train critical systems having control system redundancy and asymmetric communications capability
CN1289345C (en) Method for controlling safety-critical railway operating process and device for carrying out said method
Mongardi Dependable computing for railway control systems
JP4475593B2 (en) Elevator control device
JP4277030B2 (en) Communication control system
EP3131804B1 (en) Railway safety critical systems with task redundancy and asymmetric communications capability
EP1197418B1 (en) Control method for a safety critical railway operation process and device for carrying out this method
US7209811B1 (en) System and method for controlling a safety-critical railroad operating process
HK1069363B (en) Method for controlling a safety-critical railway operating process and device for carrying out said method
CN118829865A (en) Method and diagnostic system for functional diagnosis of at least one vehicle component
Erb Safety Measures of the Electronic Interlocking System “Elektra”
JPH10338133A (en) Train signal security controller
EP4657265A1 (en) Safety testing system and method
JP2005343602A (en) Elevator control device
AU2020200952B2 (en) System and method for traffic management of railway networks
JP2000209236A (en) Interface equipment
JP3395288B2 (en) Information processing apparatus and information processing method
JP2007323190A (en) Computer control system for data communication and communication method thereof
JP4443206B2 (en) Software simulation equipment for train security control equipment
Moiseenko et al. Interactive approaches to the organization of staff interaction with automated control systems
KR20150115898A (en) Method and device for analyzing events in a system
JPS6234845A (en) Dispersion type train operation control method
AKITA et al. SAFETY AND FAULT-TOLERANCE
JPH01292441A (en) How to additionally register test command information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 1069363
Country of ref document: HK

C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee