JP2016060392A - Message recovery device and signal security system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a telegraphic message restoration device for performing processing, when a telegraphic message is eliminated by any factor, such as breakage of a device and abnormality of radio communication, in a signal security system.SOLUTION: A security telegraphic message 109 including exclusive right information of a track is circulated in the order, among trains 101 existing in the track formed of one or more blocks to which exclusive right information is set, for sharing the security telegraphic message 109 among the trains 101, and setting exclusive right of respective blocks of the track to the train 101, in the signal security system, and a telegraphic message restoration device 110 creates the security telegraphic message in the signal security system. When abnormality is detected in circulation of the security telegraphic message 109, information for requiring information related to the exclusive right of the respective blocks is sent to the trains 101 existing in the track by the telegraphic message restoration device, then, the telegraphic message restoration device receives information related to the exclusive right of the respective block of the track from the trains 101 existing in the track, and based on the received information, creates a new security telegraphic message and then sends the new telegraphic message to the trains 101 existing in the track.SELECTED DRAWING: Figure 1

Description

  The technical field relates to signal security systems.

  Patent Document 1 relates to a signal security system: “A track circuit device electrically isolates a rail, connects a power supply to one end, and connects a relay to the other end to detect a short circuit between the rails due to a train. As a solution to this problem, the safety of trains traveling in a predetermined section is ensured based on the telegram. In the signal security system, the telegram circulates trains and equipment along the predetermined section, and the block occupancy right can be set for each block divided into multiple sections. “It has a configuration having right information” (see Patent Document 1 [0010]) and the like.

JP 2006-232106 A

  However, in the signal security system of Patent Document 1, there is room for improvement in processing when a message is lost for some reason, such as device failure or wireless communication abnormality.

In order to solve the above problems, for example, the configuration described in the claims is adopted.
The present application includes a plurality of means for solving the above-described problems. To give an example, a security message including occupancy right information on a road is composed of one or more blocks in which occupancy information is set. It is a message recovery device that generates a security message in a signal security system that shares a safety message between trains by making it circulate in order between trains existing on the route, and sets the occupancy rights of each block on the route to the train. If an abnormality is detected in the circulation of the security telegram, information requesting information on the right to occupy each block is sent to the train on the route, and the block on the route is occupied from the train on the route. It is characterized by receiving information on the right, generating a new security message based on the received information, and transmitting it to a train on the road.

  According to the above means, it is possible to safely restore the signal security system even if the electronic message is lost for some reason, such as a device failure or wireless communication abnormality. Problems, configurations, and effects other than those described above will become apparent from the description of the following examples.

The conceptual diagram which shows the structure of the signal security system in Example 1. FIG. The figure which shows the format of the security message in Example 1. FIG. The figure which shows the state transition of the signal security system in Example 1. FIG. The figure which shows the behavior of the signal security system in Example 1. FIG. The figure which shows the behavior in the monitoring state of the signal security system in Example 1. FIG. The figure which shows the behavior in the recovery execution state of the signal security system in Example 1. FIG. The figure which shows the state transition of the train control calculating part in Example 1. FIG. The flowchart which shows the process of the monitoring state of the train control calculating part in Example 1. FIG. The flowchart which shows the process of the standby state of the train control calculating part in Example 1. FIG. The figure which shows the state transition of the central processing part of the recovery apparatus in Example 1. FIG. 3 is a flowchart illustrating processing in a recovery standby state of the central processing unit of the recovery device according to the first embodiment. 6 is a flowchart illustrating processing of a recovery execution state of a central processing unit of the recovery device according to the first embodiment. The time chart in case the signal security system in Example 1 reissues a security message. The conceptual diagram which shows the structure of the signal security system in Example 2. FIG. The figure which shows the format of the security message in Example 2. FIG. The figure which shows the state transition of the central processing part of the recovery apparatus in Example 2. FIG. 9 is a flowchart illustrating processing in a recovery standby state of the central processing unit of the recovery device according to the second embodiment. 10 is a flowchart showing processing in a recovery execution state of a central processing unit of a recovery device in Embodiment 2.

  In a railway signal security system, messages are circulated between trains and switchboards that exist in a certain control area, and the occupancy rights for each block that divides the control area into multiple blocks, the state of the switchboard, and the switchboard. It has been devised to share information such as instructions to switch to a telescope to perform train interval control, exclusive control, and route configuration control in the control area.

  However, if a message circulated between trains and switches is lost due to equipment failure or radio abnormality, information such as block occupancy rights shared between trains and switches The system stops because it cannot be updated. In that case, it may be possible to restore the system by re-issuing the system reflecting the current situation, where the commander and station staff grasp all the train positions in the section, but this involves manpower and time. As a result, the operating rate falls.

  On the other hand, if the message is reissued without grasping the current situation, there is a risk that the train interval control, exclusive control, and route configuration control realized by one security message may be lost.

  Therefore, in this embodiment, when it is detected that an abnormality has occurred in the circulation of the security message, member devices such as trains and switchboards stop changing the security information described in the security message, and the member devices Collects the security information stored in the network, composes new security information, generates a new security message describing the security information, and circulates it among the member devices.

  Hereinafter, embodiments of the present invention will be described in more detail with reference to the drawings.

  FIG. 1 is a diagram showing a signal security system according to the present embodiment, and is a conceptual diagram showing a system configuration including an alignment of a target line section (area), devices existing there, and a control part thereof. In this line section, an iron track is laid in a form including a branch by the switch device 103, 105, 107. The iron track is composed of a plurality of blocks including the block 118. Each block functions as a basic unit (blocking) into which a train train can enter exclusively.

  In FIG. 1, a train 101 is present in this line section. In this line section, not only the train 101 but also a plurality of trains can be present, but for the sake of simplicity, the situation where only the train 101 is present will be described. When other trains enter, when the train 101 travels on the main line so that it does not collide with other entering trains, the block on which the train 101 enters / exists is exclusively occupied. In addition, it must be ensured for safety that the switch that controls the branch existing in the traveling route is turned and fixed (locked) in the correct direction.

  For the purpose of guaranteeing this, the signal security system of the present embodiment includes a member list in which information for identifying vehicles and switchboards existing in a line section is registered, block occupancy rights, switchboard switch directions, Security telegram 109 that describes information related to security including the locked state (hereinafter collectively referred to as “security information”), a train control calculation unit 102 provided in the train 101, and a switch device 103, 105, and 107 are provided with switch control operation units 104, 106, and 108, respectively, and the security telegram 109, the train control calculation unit 102, and the switch control operation units 104, 106, and 108 are provided. Circulate with and share.

  A signal security system that uses telegram circulation is a route that intends to travel by circulating telegrams between trains and switchboards and updating the information of the telegrams circulated by the train control calculation unit mounted on the train. It is a mechanism that secures the above occupancy rights and instructs the switch to change direction.

  The predetermined section in which the message is circulated is divided into a plurality of blocks, and the identification information of the train in which the occupation right is set for each of the plurality of blocks is written in the message. There is only one train for which an occupancy right is set for each block, and only a train for which the occupancy right for the block is set is allowed to travel on that block. The telegram may be configured to include information indicating the direction of the switch, and the switch controls the direction based on the received message information. Moreover, it is also possible to comprise so that the message | telegram may include the member list which shows the train which should circulate the message | telegram, and a switch. The train or switch that receives the message identifies the train or switch that transmits the message based on the member list of the received message.

  When receiving a message, a train that intends to travel a certain block updates the message so that the ownership of the block is set to its own train, and transmits the updated message to the next train or switch. However, if the occupancy right of the block is already set for another train in the received message, the message cannot be updated to set the occupancy right for the own train, and the block set for the other train You cannot drive the block until your right to occupy is released.

  When a train with a block occupancy right receives a message after passing through that block, it updates the message to release the block occupancy right set for its own train, and the next train or The updated message is sent to the device.

  With the above method, security using the circulation of electronic messages is realized. A more detailed description of the mechanism for realizing security by this method is described in Patent Document 1.

  In this embodiment, the member list is included in the security message. However, the member list may be managed by other methods.

  In the following description, the control unit of the device subject to signal security control using the security message 109 in the area of the present embodiment, that is, the train control calculation unit 102 and the switch control calculation unit 104, 106, 108 will be described. Collectively expressed as “Member Device”. When all or one of them needs to be specially distinguished, it shall be specified each time.

  The train control calculation unit 102 is a software program that implements processing of the message monitoring unit 113 described later in addition to the message processing unit 119 that performs processing for realizing a basic mechanism for security using message circulation. Execute. For this reason, the train control calculation part 102 is comprised with the element and apparatus generally required in order to run a software program including CPU and memory.

  The message monitoring unit 113 reports an event that the security message 109 is not circulated even after a specified time, an event that the data of the received security message 109 is broken, and an event that the security message 109 cannot be transmitted next. By confirming, it is confirmed whether or not the circulation of the security telegram 109 can be continued, and when the occurrence of such an event is detected, this is notified to the recovery device 110 described later. This notification is made in the form of communication information called “recovery request” as will be described later.

  The switch control unit 104, 106, 108 has the same configuration as the train control unit 102. That is, the same processing as the message monitoring unit 113 is provided. Hereinafter, in the description of this process, unless it is necessary to specify the member device that performs the process of the message monitoring unit 113, it is simply referred to as the message monitoring unit 113.

  The signal security system of this embodiment includes a recovery device 110. The recovery device 110 is a device different from the member device, and issues a new security message when the security message 109 cannot be normally circulated. The restoration device 110 includes a communication control unit 112 having a wireless communication function with member devices, and can transmit / receive data to / from each member device via the communication control unit 112.

  Note that wireless communication means for communicating with the recovery device 110 is also provided on the member device side. Although this means is not particularly specified, for example, if it is also used as a wireless communication means for circulating the security message 109, the number of devices for communication can be reduced. The protocol used for communication between the recovery device 110 and the member device is not particularly limited. For example, if it is used in a railway radio train control system (CBTC), it has a relatively reliable operation record. Alternatively, as long as communication quality sufficient for application is ensured, general-purpose radio may be used. In this case, it is relatively less necessary to allocate special resources for communication.

  Here, the installation position of the recovery device 110 is not particularly limited. If the communication control unit 112 is installed in an environment where communication quality can be ensured, or if the communication environment of the installation location is installed in a place where it can be easily improved later, it can be expected that the number of communication errors and retries can be reduced. It can be expected that a series of processes for reissuing the security message using the communication described will be performed in a short time with high reliability.

  If the recovery device 110 is installed in the command room, it is expected that access from the commander and engineer will be relatively easy, and recovery from a device failure can be implemented in a short time. In addition, if it is also used as an existing railway device such as an operation management device, it is not necessary to install a new device and it is physically easy to introduce.

  The recovery device 110 includes a central processing unit 111. The central processing unit 111 executes a software program that implements the processing of the recovery device 110 according to the present embodiment, including the processing of the information collection unit 115, the failure identification unit 116, and the message creation unit 117 described later. For this reason, the central processing unit 111 is composed of elements and devices generally required for executing a software program including a CPU and a memory.

  Here, the architecture of the central processing unit 111 will be described.

  In general, the signal security system for passenger railways is a safety-critical system related to human life. Therefore, even in the event of an accidental failure of an element, the arithmetic unit has a system that keeps the system safe. A safety computer with a special architecture that does not lose its control is used.

  Although a specific method will be described later, the central processing unit 111 reissues the security message that is also the purpose of the recovery device 110, and therefore, it is desirable to use a safety computer equivalent to that used for the member device. This is because if the central processing unit 111 issues a security message with incorrect security information, for example, the occupancy right information of the block where the train is already on is “vacant”, This is because the risk of a train collision at the block cannot be eliminated on the member device side that performs security control based on the block.

  In general, a control device of a signal security system may adopt a redundant configuration in order to ensure a desired operation rate. When considering this need for the central processing unit 111, it is of course possible to adopt a redundant configuration, but when using the same hardware as the control device of the member device, make the control device of the member device redundant. Compared to, the effect of improving the operating rate is small. This is because, as will be described later, the central processing unit 111 is a calculation unit that should perform processing operations after an abnormality is detected in the security message 109 and is restored, and the security message 109 is normal (normal operation). This is because even if a failure occurs, the normal operation of the signal security system is not affected.

  Therefore, for example, the central processing unit 111 is a single system (non-redundant system), and even if it fails during normal operation, it is repaired or replaced during normal operation as it is. Operation is possible without impairing the operation rate of the signal security system. Under such circumstances, as exemplified above, when the recovery device 110 is easily accessible from the commander or engineer, for example, in the command room, if it has the functions of self-fault diagnosis and fault notification The possibility that the technician who received the notification can complete the repair / replacement of the central processing unit 111 during the normal operation increases more and more.

  Returning to the description of the central processing unit 111. As described above, the central processing unit 111 includes an information collection unit 115, a failure identification unit 116, and a message creation unit 117 in the software program. Hereinafter, these will be described.

  When the information collecting unit 115 receives a recovery request from any of the member devices, the information collecting unit 115 sends a request (standby request) to transmit the security information stored in them to all the member devices. get. Here, the recovery request is communication information that notifies the recovery device 110 when the message monitoring unit 113 detects an abnormal event related to the security message as described in the description of the message monitoring unit 113 described above. . Each member device stores the security information included in the last processed security message in the storage area.

  The failure identifying unit 116 identifies a member device that cannot obtain a response to the above-described standby request as a failure. This failure information is obtained for the purpose of using the failed message generator 117 to remove the failed device from the new security message member list. For example, if a member device that does not get a response to a standby request after a predetermined time or a member device that does not get a response after sending a standby request a predetermined number of times is identified as a failed device, Good.

  The message creation unit 117 is a process performed after the information collection unit 115 and the failure identification unit 116, and forms new security information using the security information acquired by the information collection unit 115, and creates a new security message describing this. This is a process of creating and sending and issuing to any one of the members in the member list included in the new security information so that it can be circulated.

  Here, the member list included in the new security information is configured by excluding the member devices that have been identified as malfunctions by the malfunction identifying unit 116. It is possible to reissue the security message even if the member list is configured to include the device identified as malfunctioning, but the circulation of the security telegram will again stagnate at the device identified as malfunctioning, resulting in a signal security system. Depending on the way of failure, the operating rate may be reduced. On the other hand, it can be expected that the reduction of the operation rate is suppressed by removing the device identified as the failure from the member list.

  The format of the security message 109 will be described with reference to FIG. FIG. 2 shows a configuration example of information described in the security message 109. In addition, specific values of information described in the security message 109, such as area numbers, member identification information, block identification information, switch direction instructions and switch status information, which are shown as examples below, Does not clearly indicate where in the configuration of FIG.

  In the area identification information 201, an ID number for identifying an area managed by the security message 109 is written.

  In the member list 202, information for identifying devices participating in circulation of the security telegram 109 and the order of circulation are described.

  In the block occupation right information 203, identification information of each block constituting the line section of the area and the occupation right information of each block are described. In the configuration example of FIG. 2, at least blocks 1 to 6 exist in area 2, and blocks 1 and 2 are not occupied, and blocks 3 to 6 are occupied by train A. ing.

  In the switch direction instruction 204, information indicating the switching direction to each switch in the area is written. In the configuration example of FIG. 2, all are instructed to change to the localization. In addition, it is possible to instruct conversion to an inversion that is a position to be paired with this.

  In the switch state information 205, information indicating in which direction each of the switch devices in the area is fixed is written. In the configuration example of FIG. 2, it can be seen that all are fixed (locked) in the orientation direction. In addition, it is also possible to take a state in which the lock in the opposite direction and the state (bra) which is neither of them are paired with this.

  As described above, the information 201 to 205 is used in the method for realizing the signal security by circulating the above-described security message.

  In this embodiment, in addition to these pieces of information, the security message 109 has a message issue number 206 and a message update number 207.

  The value described in the message issue number 206 is incremented every time a security message is reissued from the recovery device 110 described in FIG. When a train or switch device receives a security message, if this value is greater than the value of the security message that has been circulated so far, it can be identified as a new security message. Also, if the received message number of the security message is less than the value of the message number of the security message that has been circulated so far, it can be used to identify the old security message and reject it. it can.

  The value described in the electronic message update number 207 is a value that is incremented each time a security message is circulated between devices. From this value, it is possible to know how many times a security message has been circulated in combination with the value described in the message issue number 206.

  The basic operation of the signal security system according to this embodiment will be described with reference to FIG. In FIG. 3, the operation of the system is indicated by a transition between two states of a monitoring state 302 and a recovery execution state 303. Note that in FIG. 3, distinction is made from state transitions of individual member devices and recovery devices. Each of these states will be described later.

  When the signal security by the circulation of the security message is started at the start point 301, first, the state shifts to the monitoring state 302.

  The monitoring state 302 is a state in which the soundness of the security message 109 is being monitored. This state is maintained while an abnormality of the security message 109 is not detected (that is, while being normally circulated). When an abnormality of the security message 109 is detected, the process proceeds to a recovery execution state 303 described later.

  Here, in this embodiment, the abnormality of the security message is defined as a situation in which the circulation of the security message stops midway. As will be described later, this can be detected when the communication for circulating the security message times out. The type of state that the security message is abnormal is not limited to this, and the method for detecting the abnormality is not limited to this. For example, when a check code is attached to the security message, an abnormality can be detected when a mismatch between the check code and data is detected.

  The recovery execution state 303 is a state in which a series of processing until a new security message is issued by the recovery device 110 is being executed. The contents of this series of processing will be described later. When the reissuance of the security message is completed, the monitoring state 302 is entered.

  From the above, it has been shown that the signal security system according to the present embodiment moves back and forth between the two states 302 and 303 related to the soundness status of the security message 109.

  An outline of a series of processes performed in the recovery state 303 will be described with reference to FIG. The start point 401 indicates the start point of processing. Subsequently, processing proceeds to processing 403 and processing 404. These do not require restrictions on the order of processing, and may be transferred to processing 405 after both are completed. Note that, as shown in FIG. 12 later, in this embodiment, for the sake of implementation, an example in which the process 404 is executed immediately before the process 405 is shown.

  Process 404 is a process for identifying a malfunctioning device among the member devices. The information on the failed device is used to determine the circulation destination (member list) when a new security message is generated in the subsequent process 405. In this embodiment, in this process, a state where communication is impossible is detected as a failure. In a state where communication is not possible, the security message cannot be circulated in the first place, and it cannot participate in the control of the signal security system of this embodiment. Therefore, in the process 405, it is set so that the failed device is excluded from the circulation destination of the new security message so that the security message can be circulated in a sound manner with the remaining devices.

  Note that the failure detected here is not limited to the inability to communicate. For example, a train in which a failure that is not self-propelled has occurred can only communicate and secure a new route in the area, but only prevent other member devices from securing a new route. Therefore, the type of failure such as the inability to self-run may be included in the detection target here. In such a case, the failure information may be transmitted as a response to the standby command.

  A process 403 is a process for invalidating the security message circulated to the member devices and collecting the stored security information in the recovery device. In this process, the security information is input to the process 405 for creating a new security message later.

  At this time, it is not necessary to simply bring the security information stored in any one of the member devices and input it to the processing 405. In principle, the security information from all the member devices has the security information. It is necessary to select information that can be realized. This is because the security information stored at a certain point in time for each member device does not necessarily match due to the nature of sharing the security information while circulating the security message between the member devices. For this purpose, for example, there is a method in which the security information of the security message having the largest number (that is, the latest security message) is adopted with reference to the message update number 207 in the format of the security message described with reference to FIG. Is possible.

  Alternatively, the current state (information on the locked state for the switch, information on the occupied block for the train) may be collected again from all member devices. Where there is insufficient security information, if the safety side can define the missing information, that information may be adopted. For example, unless the switch is locked in either the normal position or the inverted position, the bra is on the safe side because the route including the switch cannot be secured and the train cannot enter there. .

  The process 405 is a process for creating a new security message describing the security information acquired above and transmitting it to one of the member devices for a new circulation. At this time, the failed device identified in the process 404 is removed from the new member list. This process continues to process end point 406.

  The above is the outline of the process for reissuing the security message in the signal security system of the present embodiment. In the following, a description will be given while distinguishing the processing of the member device and the central processing unit 111 of the recovery device (hereinafter simply referred to as “recovery device”) for realizing this. First, each processing request is shown using FIG. 5 and FIG. FIG. 5 shows the contents of the processing in the monitoring state 302 among the states of the signal security system described with reference to FIG. 3 while distinguishing each member device from the recovery device. Although there are a plurality of member devices, processes 501 to 507 described below are performed on each of them. Of these, processing 507 is processing for transmitting a signal (recovery request) to the recovery device 110. The series of processes in the monitoring state 302 is terminated at the end point 509 after receiving a signal (recovery request) from the member device in the process 508 of the recovery device 110. This is a signal from any member device (recovery request). But it ’s okay.

  Processing 503 follows the starting point 501 of the monitoring state 302. A process 503 is a process for confirming reception of the security message. If it is “received”, the process continues to step 505. Here, even if a security message is received, as already described with respect to the message issue number 206 in FIG. 2, if the security message is identified as an old security message, it is rejected and referred to as “ "Received" is not treated. If not “received”, the process continues to step 506.

  A process 505 is a process for performing security control using the security message and circulation of the security message. This processing corresponds to the message processing unit 119 in FIG. After the process 505, the process returns to the process 503 to wait for the security message to be circulated again.

  A process 506 is a process for determining whether or not a state where no security message has been received has exceeded a specified time (timeout). If the specified time has not yet been exceeded (timeout has not occurred), the process returns to processing 503. If the specified time has been exceeded, the processing moves to step 507.

  The process 507 is a process for transmitting a signal (recovery request) to the recovery device 110 as described above. In the present embodiment, at this time, for the purpose of notifying all the member devices to the recovery device, the member list is transmitted.

  The process 508 of the recovery device 110 is a process for receiving the recovery request transmitted in the process 507. After reception, the process reaches an end point 509, and transitions from the monitoring state 302 to the recovery execution state 303 in FIG.

  A series of processes consisting of processes 503 and 506 corresponds to the process of the message monitoring unit 113 in FIG.

  Next, FIG. 6 will be described. FIG. 6 shows the contents of the process of the recovery execution state 303 among the states of the signal security system described with reference to FIG. 3 while distinguishing each member device and the recovery device. The start point 601 of the recovery execution state 303 continues from the end point 509 of the monitoring state shown in FIG.

  The starting point 601 of the recovery execution state 303 continues to process 604. The process 604 transmits a command (standby command) for notifying security information to all member devices.

  The member device process 605 receives the standby instruction and continues to process 606. A process 606 is a process for not accepting the security message that has been circulated so far. Specifically, a method of incrementing the value (latest issue number) of the received message issue number (see 206 in FIG. 2) is conceivable. At this time, every time a security message is received, the message issue number is compared with the latest issue number, and if the message issue number is smaller than the latest issue number, the security message is rejected so far. It is possible not to accept the security message again. The process continues to process 607.

  Process 607 is a process of transmitting the stored security information to the recovery device as a response to the standby command.

  The recovery device processing 608 is processing for receiving security information from the member devices. Here, in principle, the security information is received from all of the plurality of member devices, and the plurality of security information is passed to the subsequent 609. If any member device is out of order, you cannot expect to receive security information from all member devices. If it can be detected, a condition for ending this processing is set, such as obtaining the information and excluding the failed device. Thereafter, a process 609 for building one piece of security information from a plurality of pieces of security information and a process 610 for registering a device that has not responded to the standby instruction as a failed device are executed. Either of these processes 609 and 610 may precede the order. When both are completed, the process proceeds to process 611.

  Note that the processing 604, 608, and 609 from when the standby command is transmitted until the security information is collected and configured corresponds to the processing of the information collection unit 115 shown in FIG. The processing 610 corresponds to the processing of the information collection unit 115 and the failure identification unit 116 shown in FIG.

  A process 611 is a process for creating a new security message from the information obtained in the processes 609 and 610. The format is shown in FIG. At this time, the message issue number 206 is set to a value (incremented value) that is consistent with the latest issue number determined in the above-described processing 606. The message update number is set to an initial value (for example, 0). The member list 202 is configured excluding the failed device identified in the process 610.

  The process 612 is a process for transmitting the new security message created in the process 611 to one of the member devices in the member list. The transmission destination at this time may be any as long as it is not transmitted to two or more transmission destinations. Here, processes 611 and 612 correspond to the message creation unit 117 shown in FIG.

  After the process 612, the process moves to the end point 613 and transitions again to the monitoring state 302. That is, it continues to the start point 501 of FIG.

  The processing requests of the member device and the recovery device have been described above with reference to FIGS. 5 and 6. Next, how each processing request is implemented will be described with reference to FIGS. 7 to 9 describe member device processing, and FIGS. 10 to 12 describe recovery device processing.

  FIG. 7 defines the state of each member device related to the security message recovery means. There are two states 702 and 703, which are called a monitoring state and a standby state, respectively. When the signal security by the circulation of the security message is started at the start point 701, first, the state shifts to the monitoring state 702.

  In the monitoring state 702, when a standby command from the recovery device 110 is received, a standby response is returned and the process moves to the standby state 703. The standby state 703 moves to the monitoring state 702 when a security message (new security message) reissued by the recovery device 110 is received. That is, in the member device, the monitoring state 702 and the standby state 703 are repeated.

  FIG. 8 is a flowchart showing processing executed in the monitoring state 702. The process of this flowchart is repeatedly executed. That is, when starting from the start process 801 and reaching the end process 809, the process starts again from the start process 801. However, if the condition for transitioning to the standby state is satisfied midway, after the end process 809, the process proceeds to a process flow of standby state to be described later.

  The timing at which the processing is repeatedly executed from the start processing 801 in this processing flow is an implementation matter and may be periodic or may be after a certain time after reaching the end processing 809. In this embodiment, the latter is assumed for the sake of convenience. That is, it is assumed that a series of processing flows is not interrupted.

  A process 802 following the start point 801 is a process for determining whether or not a standby instruction has been received. The standby command is a command for the purpose of notifying the security information stored in the member device, which is transmitted from the recovery device, as described in the explanation of the processing 604 in FIG. If it is received, the process proceeds to process 803. If it is not received, the process proceeds to process 804. When the process proceeds to the process 803, a time-out counter described later in the process 807 is reset.

  A process 803 is a process executed when a standby command is received, increments the stored issue number (latest issue number) of the security message to be accepted, transmits the security information to the recovery device, and then enters the standby state. And migrate. In this flowchart, the process for confirming whether the security information sent here has arrived at the recovery device is not specified, but for confirmation, the confirmation response from the recovery device (hereinafter referred to as ACK) is awaited. If confirmation cannot be obtained, processing such as continuing retransmission may be added. After transitioning to the standby mode, the process proceeds to end processing 809. That is, the process moves to a flowchart of a standby state, which will be described later.

  Process 804 is a process for determining whether a security message has been received. If a security message has been received, the process proceeds to process 805, and if not received, the process proceeds to process 807. Here, in the description of the processing 503 in FIG. 5, when the received security message is old, it is not set as “received”, but here, it is different, and it is received regardless of whether the received security message is old or not. / None is judged. This is because whether or not the security message is old is specifically described as processing 805 again.

  The process 805 is a process to be performed when the security message is received in the process 804, and is a process for determining whether or not the received security message is old. Specifically, if the message issue number (see 206 in FIG. 2) of the received security message is greater than or equal to the latest issue number currently stored, it is determined as true.

  If the determination result is true, the process proceeds to process 806. At this time, a timeout counter described later in processing 807 is reset. If the determination result is not true (false), the security message is discarded and the process proceeds to processing 807. The reason for discarding the security message is that the message issue number is incremented every time the security message is issued, as described in the process 611 of FIG. This is because it is thought that an old security telegram that has already lost circulation and has been circulated somewhere has been circulated. If the message issue number is larger than the latest issue number, the true issue number is determined, and at the same time, the stored latest issue number is updated to the message issue number.

  A process 806 is a process for controlling the security message and circulating the security message. This corresponds to the message processing unit 119 in FIG. 1 and the process 505 in FIG. 5, and is a process for realizing signal security for circulation of the security message. After completing this process, the process proceeds to an end process 809.

  A process 807 is a process of incrementing the timeout counter and determining whether or not the value is larger than the “specified value”. The purpose of this decision is that the security message was lost during the circulation when it was longer than the specified time between the previous transmission of the security message and the next receipt. It is to detect this. The time-out counter is reset when a security message is received and processed and transmitted to the next member device, or once a time-out is detected. The “specified value” to be compared with this is a numerical value that determines the length until timeout, and the larger the value, the longer the time until timeout. This value can be determined, for example, by adding some margin to the average time required for the security telegram to circulate. When the time-out counter is larger than the “specified value”, that is, when time-out is detected, the time-out counter is reset and the process proceeds to processing 808. In other cases, the process proceeds to end processing 809.

  Here, it has been described that the “specified value” is determined based on the time that is normally considered for the safety message to circulate once, but the time that the security message circulates depends on the number of member devices. If there are more member devices in the area, the average time that the security message circulates will be longer. Therefore, it is possible to prevent the occurrence of unnecessary timeouts by increasing the “specified value” together. . Since the number of member devices existing in the area changes every moment, the “specified value” may be dynamically changed according to this.

  A process 808 is a process performed when a timeout is detected, and transmits a recovery request for starting reissuing of the security message to the recovery device. At this time, the member list is also transmitted for the purpose of informing the recovery device which train and which switch is currently involved in the circulation of the security message as the member device. After this processing, the process proceeds to end processing 809.

  The above is the processing of the monitoring state 702. Next, a processing flow in the standby state 703 will be described with reference to FIG.

  FIG. 9 is a flowchart showing processing in the standby state 703. The process from the start process 901 to the end process 906 is repeated unless a state transition occurs.

  A process 902 is a process following the start process 901 and is a process for determining whether or not a security message has been received. If a security message has been received, the process proceeds to step 903, and if not received, the process continues to end process 906. This is the same processing as the processing described in the processing 804 in FIG.

  Process 903 is a process of determining true when the message issue number (see 206 in FIG. 2) of the received security message is greater than or equal to the latest message issue number stored. If true, the process proceeds to process 904, and if false, the process proceeds to end process 906. This process is the same as the process described in the process 805 of FIG. When the message issue number is larger than the latest issue number, the true issue number is determined, and at the same time, the stored latest issue number is updated to the message issue number.

  A process 904 is a process for controlling and circulating a security message, and is the same as 804 in FIG.

  A process 905 is a process following the process 904 and is a process for making a transition to the monitoring state 702. This process continues to the end process 906, that is, the start process 801 of the flowchart of the monitoring state 702 already described.

  The two states of the member devices and the processing flow of each state have been described above. Hereinafter, the processing of the recovery device will be described.

  FIG. 10 defines the state of the recovery device related to the security message recovery means. There are two states 1002 and 1003, which are called a recovery standby state and a recovery execution state, respectively. When the signal security by the circulation of the security message is started at the start point 1001, first, the state shifts to the recovery standby state 1002.

The recovery standby state 1002 moves to the recovery execution state 1003 when receiving a recovery request from a member device. The recovery execution state 1003 moves to the recovery standby state 1002 when the issue of a new security message is completed. That is, in the recovery device, the recovery standby state 1002 and the recovery execution state 1003 are repeated.

  FIG. 11 is a flowchart showing processing executed in the recovery standby state 1002. The process of this flowchart is repeatedly executed. That is, when the start process 1101 is started and the end process 1105 is reached, the start process 1101 starts again. However, when the condition for transitioning to the recovery execution state is satisfied in the middle, the process proceeds to the processing flow of the recovery execution state to be described later after the end process 1105.

  A process 1102 following the start point 1101 is a process for determining whether a recovery request has been received. The recovery request is a request for the purpose of requesting to shift to the security message reissue procedure transmitted from the member device as described above in the description of the processing 602 in FIG. If this is received, the processing proceeds to processing 1103, and if it has not been received, the processing proceeds to termination processing 1105.

  Processing 1103 is processing for reading and storing the member list received together with the recovery request. This information is used in the recovery execution state process described later. The member list is sent together with the recovery request, as already described in the explanation of the processing 808 in FIG.

  A process 1104 is a process following the process 1103 and is a process of transitioning to a recovery execution state. This process continues to the end process 1105, that is, the process flow of the recovery execution state described later.

  The above is the processing in the recovery standby state 1002. Next, the processing flow in the recovery execution state 1003 will be described with reference to FIG.

  FIG. 12 is a flowchart showing the processing in the recovery execution state 1003. The process from the start process 1201 to the end process 1207 is repeated unless a state transition occurs.

  A process 1202 is a process following the start process 1201 and is a process of broadcasting a standby command to all member devices in the area. As described in the processes 802 and 803 of FIG. 8, the member device that has received the standby command transmits the security information. This process waits for this and also receives it.

  When all the member devices have returned the security information, the process proceeds to subsequent processing 1203. Whether or not the security information has been received from all the member devices can be known using the member list acquired in the processing 1103 described for the recovery standby state. However, considering the case where communication is permanently broken in any of the member devices, not all member devices respond and return security information. If time passes, a condition for unconditionally moving to the next processing 1203 is also provided. In this process, the number of times the standby command is transmitted is also managed and stored for use in later processes.

  A process 1203 is a process for determining whether or not a response to the standby command has been obtained from all devices in response to the standby command transmitted in the process 1202. If it is not obtained from all the devices, the process proceeds to process 1204. If it is obtained, the process proceeds to process 1206.

  A process 1204 is a process for determining whether or not the above-mentioned management / stored value of the number of standby command transmissions exceeds the “specified number”. If it exceeds, the process proceeds to process 1205, and if not, the process proceeds to process 1207. If not, after moving to the process 1207, the process proceeds to the execution of the start process 1201 again, so that the standby command is broadcast again in the process 1202.

  Here, the “specified number of times” is provided in order to give an opportunity of retransmission to the member devices that have not been able to deliver a response to the standby command to the recovery device due to accidental factors such as noise. The larger it is, the more times it will be retried, so the longer it takes to reissue the security message. On the other hand, if it is too small, a member device that could not deliver a response to the standby command due to an accidental event will be immediately determined to be out of order, and will be removed from the reissued security message member list, as described below. Become. In this embodiment, this value is 1, that is, retransmission is attempted only once, but a value other than 1 may be used.

  Process 1205 is a process that is executed when the number of standby command transmissions exceeds the “specified number”, and is a process of registering a member device that has not responded to the standby command as a failed device. This process continues to process 1206.

  The process 1206 is a process for creating and reissuing a new security message from the security information acquired in the process 1202 and, if necessary, the registration information of the failed device specified in the process 1205. Since a plurality of pieces of security information are obtained from a plurality of member devices, as in the example described in the explanation of the processing 403 in FIG. 4, the one having the largest message update number (see 207 in FIG. 2) is selected and determined. be able to. Further, as will be described later with reference to FIG. 13, when there is information that cannot be determined, information on the safe side can be temporarily described.

  A new security message is created using the security information thus determined and the new member list excluding the member devices registered in the failed device. As described in the process 611 of FIG. 6, the format of the security message at this time conforms to that described in FIG. 2, and the message issue number 206 includes the determination process in the above-described processes 805 and 903 on the member device side. Set the incremented value so that it can be used. The message update number 207 is set to an initial value (for example, 0). The new security message created in this way is transmitted to any device in the member list. The transmission destination here may be any device in the member list on condition that transmission to two or more devices is not performed. When the above is completed, the process shifts to the recovery standby state and shifts to the end process 1207.

  Heretofore, the two states of the recovery device and the processing flow of each state have been described. Next, an example of the behavior of the system when the security message cannot be circulated will be described with reference to FIG.

  FIG. 13 is a sequence diagram illustrating an example of a security message recovery process. From the left, the central processing unit 111 of the recovery device, the train control arithmetic device 102, and the switch control arithmetic devices 104, 106, and 108 are arranged at the top of the figure as arithmetic units related to the restoration of the security message. The processing sequence of each part develops from top to bottom. For convenience of explanation, a specific time from t1 to t7 is shown in the leftmost part of the figure along with a time axis that proceeds from top to bottom. In addition, for the central processing unit 111 and the switch control processing unit 108 on behalf of member devices, the state names at that time are written beside the sequence. The sequence will be followed in order.

  The security message transmitted from the train control calculation unit 102 at time t1 is circulated to the switch control calculation units 104, 106, 108, and 102 again one after another. At this time, the central processing unit 111 is in a recovery standby state, and the switch control control unit 108 is in a monitoring state. It is assumed that a permanent failure has occurred in the communication function of the switch control operation unit 104 at time t2 during the circulation.

  As a result, the switch control calculation unit 106 continues to be in a state where the security message has not been circulated for a while, and at time t3, a time-out is first detected and a recovery request is transmitted to the central calculation unit 111. Upon receiving this, the central processing unit 111 makes a transition to the recovery execution state. At this time, the central processing unit 111 receives the member list together.

  In this embodiment, the train control calculation unit 102 and the switch control unit 108 are also provided with the same time-out time as the switch control calculation unit 106. The recovery request is received, but after transitioning to the recovery execution state, no processing is performed even if these are received.

  The central processing unit 111 that has entered the recovery execution state first broadcasts a standby command at time t4. The train control calculation unit 102 and the switch control control units 106 and 108 receive this standby instruction, increment the latest issue number so as not to accept the security message that has been circulated, and store the security information. Is returned to the standby state. However, the switch control operation unit 104 does not receive a standby instruction and returns security information because the communication function remains disabled. As a result, the central processing unit 111 detects that the security information of all member devices is not yet available in the reception buffer at time t5 when a predetermined time has elapsed, and broadcasts a standby command again.

  This standby command is delivered again to the train control calculation unit 102 and the switch control calculation units 106 and 108. However, since these member devices have already shifted to the standby state, even if this standby command is received, Do nothing. The switch control operation unit 104 cannot receive the standby command again because the communication function remains disabled. The central processing unit 111 detects that the standby command has not been obtained from all member devices again at the time t6 when the specified time has passed again, but the number of retransmissions of the standby command has reached the upper limit. Therefore, the switch control operation unit 104 that has not returned the security information is registered as a failed device.

  Subsequently, the central processing unit 111 selects the one with the largest message update number (see 207 in FIG. 2) from the security information obtained from the train control calculation unit 102 and the switch control calculation units 106 and 108. And used to create a new security message.

  Next, the member list is composed of the train control calculation unit 102 and the switch control calculation units 106 and 108 excluding the switch control calculation unit 104 registered in the failed device. The security information created in this way is described, and the security message in which the message issue number (see 206 in FIG. 2) is incremented is transmitted to the train control arithmetic device 102 as a new security message at time t7.

  When determining the security information of a new security message, the information on the switch 103 provided with the switch control arithmetic device 104 registered in the faulty device is information on the safety side when the lock state is unknown. "Bra" may be written and the switch direction indication information may be "failed". In this way, it is not possible to secure a new course including the block with the switch 103, and even if the switch is not locked, it can be expected to be safe. .

  Alternatively, if it is certain that the switch 103 is locked in the state of the loss of the security message, the position information of the switch is combined with the actual position or the inverted lock, If the block including the switch is not occupied, it is left as it is, but only in the locked direction, a new course including the switch can be secured. In this example, the failure of the control device of the switch was considered, but if the train control device fails, the block occupied by that train can be left in the “Occupied” state. Even if the train continues to run without communication, safety can be ensured.

  By sending a new security message at time t7, the central processing unit 111 returns to the recovery standby state. When the train control calculation unit 102 and the switch control calculation units 106 and 108 receive the circulation of the new security message, respectively, they resume the circulation and return to the monitoring state. As described above, the reissue of the security message is realized.

  Note that the switch control operation unit 104 has only failed in the communication function, and therefore, after the time-out period from time t2, the recovery request is repeatedly transmitted. For this reason, when the communication function is eventually recovered, a recovery request is delivered to the central processing unit 111, the central processing unit 111 enters the recovery execution state, and the process of reissuing the security message is started again. As a result, this time, a new security message with all member devices participating starts to circulate again.

  As described above, according to the signal security system of the present embodiment, in the signal security system that implements exclusive control by circulating the security message between the trains in the area and the switch, the failure of the communication function of the member device, etc. When the security message circulation is delayed due to the reason, the security message can be reissued. At this time, by identifying the device that caused the security message circulation to stagnate as a failed device, and causing the security message to be circulated only among member devices excluding the failed device, the failed device may interfere. If the route is made up of blocks without any gaps, it is possible to secure a new route, and operation can be continued within that range.

  In the present embodiment, the telegram monitoring unit 113 is provided to the train and the switch, but the restoration device 110 can also have this. In that case, the soundness of the security message 109 is abnormal, for example, if the central processing unit 111 periodically inquires one of the member devices and the message update number 207 recorded in the security message 109 is not increased. It can also be determined. In this case, the inquiry cycle may be relatively long regardless of the circulation cycle of the security message. Alternatively, if the member device is configured to always notify the recovery device when a security message is transmitted, the recovery device can detect an abnormality in the circulation of the security message by monitoring the interruption of the notification.

  In this embodiment, only a single area controlled using one security message 109 was considered, but if there are other areas that are performing similar control, such as areas adjacent to this area, The recovery device 110 may provide the processing shown in this embodiment to a plurality of areas. As long as the security message is circulated in a sound manner, the recovery device 110 only waits for a recovery request in the recovery standby state described in FIG. 11 and does not require a high processing load. It is relatively easy to control the area. At this time, if a recovery request is received from another area while the recovery device 110 is performing the recovery process in one area, the recovery process to the area from which the recovery request was sent later may be delayed. Good. Although the operating rate of train operation in the area is lowered, the cost of the entire system can be reduced without impairing the safety of which the signal security system is the first purpose.

  In the present embodiment, the installation location of the recovery device 110 has been described as a device installed along the line unlike the member device. However, for example, the member device may have the same function. In this case, the processing of the control calculation unit of the member device becomes more complicated and large-scale, however, no new device for restoration is installed along the line, and the hardware for that amount is reduced. As in the present embodiment, when the recovery device 110 is installed along the line separately from the member devices, the recovery device can be maintained and replaced relatively easily even while the train operation is in operation, as described above, and a plurality of areas It is an advantage that a plurality of areas can be controlled at the same time by being configured so as to be communicable with a train or a switch.

  The second embodiment will be described below. The second embodiment is greatly different from the first embodiment in that a dedicated means for managing a circulation destination of security messages and a member list for specifying the order is provided in the area.

  The configuration of the signal security system of the second embodiment will be described with reference to FIG. Train 1401, train control operation unit 1402, switch device 1403, 1405, 1407, switch device control operation unit 1404, 1406, 1408, message monitoring unit 1413, message processing unit 1419, recovery device 1410, central processing unit 1411 As for the information collection unit 1415 and the message creation unit 1417, the configuration and processing contents thereof are the train 101, the train control calculation unit 102, the switch 103, 105, 107, the switch in the first embodiment (FIG. 1). It is the same as the processing contents of the telescope control calculation units 104, 106, 108, the message monitoring unit 113, the message processing unit 119, the recovery device 110, the central processing unit 111, the information collection unit 115, and the message creation unit 117.

  However, the process for specifying the member list performed by the train control calculation unit 1402, the switch control calculation units 1404, 1406, 1408, and the central calculation unit 1411 is a security message in the first embodiment. In the present embodiment, each calculation unit has a memory area for storing a member list, and the member list is obtained from the operation management device 1420 described later. It is realized by receiving, writing the information in this memory area, and reading it. The member list storage unit 1423 included in each of the train control calculation unit 1402 and the switch control control units 1404, 1406, and 1408 corresponds to a part that performs this process.

  The member list storage unit 1423 receives a member list by communication from an operation management device 1420 described later, and holds the information. The message processing unit 1419 is a process that handles control using the security message 1409 and circulation of the security message 1409. At this time, the destination and the order for circulating the security message 1409 are information read from the member list storage unit 1423. Use to specify. The switch control calculation units 1404, 1406, and 1408 have the same configuration as the train control calculation unit 1402.

  In the present embodiment, the route relating to communication between the member device and the recovery device 1410 is different from that in the first embodiment. In this embodiment, the operation management device 1420 includes a communication control unit 1412 for wirelessly communicating with member devices, and includes a communication unit 1422 for communicating with the recovery device 1410. Therefore, communication between the member device and the recovery device 1410 is possible via the operation management device 1420. Here, the communication unit 1422 may be wireless or wired as long as it can transmit an amount of information about the security message 1409.

  The operation management device 1420, which is generally known in the railway system, grasps the linear information of the area, the position of the train and the switch that exists in the area, has an operation plan, and follows the route to the train accordingly. It is a device that constitutes an operation management system having a function of instructing.

  The operation management device 1420 of the present embodiment includes a central processing unit 1426 composed of a CPU and a memory capable of executing a software program for realizing an operation management operation, and one of functions realized thereon is as follows. A member list management unit 1421 is provided. The member list management unit 1421 is a processing unit that gives the above-described member list storage unit 1423 information on member devices existing in the area and information on the circulation order of security messages. The member list management unit 1421 has in advance the linear information of the area and information for specifying the switch in the area. In addition, by regularly communicating with the train in operation, it is possible to track and grasp which train is where.

  Therefore, the member list management unit 1421 knows the existence of the train 1401, the switch 1403, 1405, and 1407 in the area of FIG. 14 considered in the present embodiment, and between these devices. One order for circulating the security message 1409 can be determined. At this time, the order of circulating the security telegrams 1409 may be determined in any way.

  The operation management device 1420 also includes a failure specifying unit 1416 as another function realized on the central processing unit 1426. The failure identification unit 1416 registers member devices that do not respond to communication commands as a failure device, similar to the failure identification unit 116 in the first embodiment. However, the operation management device 1420 is not limited to this, and the operation management device 1420 performs operation management. If there is information about the device to be acquired for the purpose, the failed device may be specified using the information.

  When the member list management unit 1421 creates a member list to be given to the member list storage unit 1423, the member list management unit 1421 configures the member list so as to exclude the device registered as the failed device by the failure specifying unit 1416.

  The processing of the central processing unit 1411 will be described based on the communication configuration as described above. In the central processing unit 111 in the first embodiment, the standby instruction unit 114, the information collection unit 115, and the message creation unit 117 first receive a member device that is a communication destination together with a recovery request from the member device. It was specified by. On the other hand, the standby instruction unit 1414, the information collection unit 1415, and the message creation unit 1417 in the present embodiment do not manage the member devices that are the communication destinations, but on the communication path with the member devices. In a certain operation management apparatus 1420, the member list management unit 1421 appropriately controls the destination of communication between the central processing unit 1411 and the member device based on the member list held by the member list management unit 1421.

  In this embodiment, an area composed of a plurality of blocks including the block 118 considered in the first embodiment (hereinafter, this is particularly referred to as a reference area), and an area 1424 adjacent to the area 1424 Think about the relationship. A train 1425 in the adjacent area 1424 is about to enter the reference area. The train 1425 includes wireless communication means with the operation management device 1420. When the member list management unit 1421 receives an entry request from the train 1425 using this communication means, a new member device is added to the reference area. Train 1425 can be added. Or the operation management apparatus 1420 may estimate the approach of a train from the information of the apparatus acquired for the purpose of operation management, and may add the train to a member list, regardless of whether the entry request is received.

  In addition, in FIG. 14, although the case where the operation management apparatus 1420 and the recovery apparatus 1410 are different apparatuses was demonstrated, you may comprise by one apparatus. For example, the processing according to this embodiment can be performed by a central processing unit that can execute the processing of the member list management unit 1421, the failure identification unit 1416, the information collection unit 1415, and the message creation unit 1417, and the recovery device including the communication control unit 1412. It is feasible.

  As described above, the devices and processes other than the security message 1409 have been described in the configuration of FIG. Hereinafter, the configuration of the security message 1409 will be described with reference to FIG.

  FIG. 15 shows the format of the security message 1409. The format of the security message 1409 is obtained by removing the member list 202 from the format of FIG. 2 describing the security message 109 of the first embodiment. Instead, the information corresponding to the member list 202 is realized by the member list management unit 1421 and the member list storage unit 1423 as already described with reference to FIG. Hereinafter, the state and processing of the central processing unit 1411 will be described.

  The state definition and transition conditions of the central processing unit 1411 are shown in FIG. This is the same as FIG. 10 showing that of the central processing unit 111 in the first embodiment. That is, when a recovery request is received in the recovery standby state 1602, the process proceeds to the recovery execution state 1603. When the issuance of a new security message is completed in the recovery execution state 1603, the process proceeds to the recovery standby state 1602.

  Processing in the recovery standby state 1602 will be described with reference to FIG. In the recovery standby state, a series of processes from a start process 1701 as a starting point to an end process 1705 as an end point are periodically executed.

  A process 1702 executed subsequent to the start process 1701 confirms whether or not a recovery request has been received from the operation management apparatus 1420 by checking the reception buffer of the communication unit 1422, and if a recovery request has been received, proceeds to a process 1704. If not received, the process proceeds to end processing 1705. Here, the recovery request is originally transmitted from the member device. When the operation management device 1420 receives the recovery request, the operation management device 1420 relays the request to the recovery device 1410 using the communication unit 1422.

  A process 1704 is a process for shifting to the recovery execution state. This processing continues to end processing 1705, and thereafter proceeds to the processing flow of the recovery execution state described in FIG.

  A processing flow of the recovery execution state 1603 will be described with reference to FIG. In FIG. 18, processes 1801 to 1805 are the processing contents of the recovery execution state 1603, but the processes in the operation management apparatus 1420 related to the processes 1801 to 1805 are also shown. The right side of the partition 1806 shows the processing of the central processing unit 1426. In FIG. 18, dotted arrows indicate the flow of data, which will be described together with explanations of related processing each time.

  In FIG. 18, the member list is stored in the member list management unit in order to clarify the flow of data related to the grasp and management of member devices in the processing of the central processing unit 1426. The memory area 1813 is specified. The memory area 1813 records at least information indicating the presence / absence of failure of the device specified by the member list in addition to the information of the member list, and provides means for reading and writing the information. When the member list is to be read by this means, if a device with a failure is included in the member list, a new member list configured by excluding the device is transferred to the reading-side device. hand over. In FIG. 18, an arrow output from the memory area 1813 indicates reading of the member list, and an arrow input to the memory area 1813 indicates writing of failure information of the device specified in the member list.

  Returning to the description of the process of the recovery execution state 1603, the description will be given step by step from the start process 1801. A process 1802 following the start process 1801 is a process of transmitting a standby command to the operation management device 1420. At this time, it is not necessary to specify the destination member device. After processing 1802, the process proceeds to processing 1803 and waits for receiving security information from the operation management device 1420.

  On the other hand, when the central processing unit 1426 of the operation management apparatus 1420 receives this standby command, in step 1807, the central processing unit 1426 broadcasts the standby command to all member devices in the area where the recovery request source device is located. Thereafter, the central processing unit 1426 checks whether or not the security information has been received from all the member devices in the process 1808. If not received, the central processing unit 1426 checks in the process 1809 whether or not the number of standby command transmissions exceeds the specified number. If not exceeded, the process returns to the process 1807 to resend the standby command. If it is determined in the process 1808 that standby responses have been received from all the member devices, the process proceeds to a process 1811.

  Alternatively, if the number of standby command transmissions exceeds the specified number in step 1809, a device that does not return a standby response in step 1810 is registered as a failed device, and the process proceeds to step 1811. Here, the process 1808 uses the member list read from the memory area 1813. In process 1810, information on the device determined to be faulty is written in the memory area 1813. The process 1811 transmits the security information received together with the confirmation response from the member device to the recovery device 1410.

  The processes 1807 to 1811 of the central processing unit 1426 described above correspond to the processes 1202 to 1205 described with reference to FIG. 12 in the first embodiment. The content realized by the processing 1206 corresponds to the content realized by the processing 1811, 1803, 1804, and 1812 of this embodiment.

  The process 1803 of the central processing unit 1411 of the recovery apparatus 1410 receives the security information from the operation management apparatus 1420 in this way, creates a new security message based on this in process 1804, and transmits it to the operation management apparatus 1420. Then, the process proceeds to end processing 1805.

  When the central processing unit 1411 of the operation management device 1420 receives a new security message in this way, it reads the member list from the memory area 1813 and distributes the member list to the member device specified by the member list. At this time, if an entry request has been received from the train 1425 in the adjacent area 1424 (this can be found by, for example, providing a reception buffer dedicated to the entry request and reading it), the train 1425 is newly added. The member list is updated, and the updated member list is distributed to the member device specified by the updated member list. Therefore, if a new security message is transmitted to the first device in the member list thereafter, the new security message starts to be circulated including the train 1425 about to enter from the adjacent area 1424.

  Here, when the train 1425 is added to reconstruct the member list, the train 1425 may be added in any order in the member list, for example, it may be added at the end. In this embodiment, the transmission destination of the new security message is the first device in the member list. However, the present invention is not limited to this, and it may be given to any device in the member list.

  According to the present embodiment, even when the security message disappears during circulation, the security message can be newly issued again, the control of the signal security can be continued, and the train operation can be continued. In addition, when there is a train entry request from an adjacent area during the process of reissuing a security message, including the equipment as a member of a newly issued security message will further increase the train entry from the adjacent area. Can be granted early.

101 Train 102 Train security device 201, 211, 221 Switch device 202, 212, 222 Switch device security device 301 Security message 401-404 Recovery message

Claims (8)

The security message including the occupancy right information of the travel route is circulated in turn between the trains existing in the travel route configured by one or more blocks in which the occupancy right information is set. And a message recovery device that generates a security message in a signal security system that sets the occupation right of each block of the travel path to the train,
When an abnormality is detected in the circulation of the security message, the message recovery device transmits information requesting information on the occupancy right of each block to the train existing on the travel route, and from the train existing on the travel route. An electronic message restoration apparatus that receives information related to the right to occupy each block of the travel route, generates a new security telegram based on the received information, and transmits it to a train on the travel route. The message recovery device according to claim 1,
The security message includes a message update number indicating the number of times the message has been updated,
The message recovery device receives information on a security message that the train has received or transmitted last as information on the right to occupy each block on the road from a train on the road, and receives the information on the received security message. Among these, the message recovery device is characterized in that a new security message is generated based on the information of the security message having the largest message update number. The message recovery device according to claim 1 or 2,
The security message includes a message issue number indicating the number of times a new security message has been generated,
The message recovery apparatus updates a message issue number included in a security message when a new security message is issued. The message recovery device according to any one of claims 1 to 3,
The security message includes a member list indicating trains circulating the security message,
When the message recovery device issues a new security message, the message recovery device excludes a train in which an abnormality is detected from the member list included in the new security message. The message recovery device according to any one of claims 1 to 3,
The message recovery device includes a member list management unit that manages a member list indicating a train that circulates a security message.
The message recovery device, when issuing a new security message, excludes a train in which an abnormality is detected from the member list managed by the member list management unit. The message recovery device according to claim 4 or 5,
The message recovery device responds even if a train that has not responded for a predetermined time to information requesting information on the occupancy right of each block, or information that requests information on the occupancy right of each block is transmitted a predetermined number of times A telegram recovery device characterized in that a train having no error is a train in which an abnormality is detected. The message recovery device according to claim 5,
The message recovery device has received a request to enter a road on which an occupation right is set by the security message from a train existing on another road adjacent to the road on which the occupation right is set by the security message. Or when it is predicted that a train existing on another travel route adjacent to the travel route for which the occupation right is set by the security message enters the travel route for which the occupation right is set by the security message, A message recovery device characterized by adding the train to the member list. The security message including the occupancy right information of the travel route is circulated in turn between the trains existing in the travel route configured by one or more blocks in which the occupancy right information is set. And a signal security system that sets the occupation right of each block of the travel route to the train,
A signal security system comprising the message recovery device according to claim 1.