[go: up one dir, main page]

WO2018206610A1 - A decentralised communications based train control system - Google Patents

A decentralised communications based train control system Download PDF

Info

Publication number
WO2018206610A1
WO2018206610A1 PCT/EP2018/061932 EP2018061932W WO2018206610A1 WO 2018206610 A1 WO2018206610 A1 WO 2018206610A1 EP 2018061932 W EP2018061932 W EP 2018061932W WO 2018206610 A1 WO2018206610 A1 WO 2018206610A1
Authority
WO
WIPO (PCT)
Prior art keywords
train
route
network
sub
hazards
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2018/061932
Other languages
French (fr)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Apollo Rail Ltd
Original Assignee
Apollo Rail Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Apollo Rail Ltd filed Critical Apollo Rail Ltd
Publication of WO2018206610A1 publication Critical patent/WO2018206610A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/20Trackside control of safe travel of vehicle or train, e.g. braking curve calculation
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0062On-board target speed calculation or supervision
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/40Handling position reports or trackside vehicle data
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/20Trackside control of safe travel of vehicle or train, e.g. braking curve calculation
    • B61L2027/204Trackside control of safe travel of vehicle or train, e.g. braking curve calculation using Communication-based Train Control [CBTC]

Definitions

  • the present invention relates to a decentralised communications based train control system.
  • the invention relates to a system for preventing collisions and derailments of trains on a railway network whereby sub-systems for trains, junctions, level crossings and hazards publish their status to a network information system or service, which is subscribed to by other trains which systems are able to use the published status information to determine where it is safe to drive on that section of a railway network.
  • the invention relates to a decentralised communications based train control system that incorporates a number of independent systems and sub-systems that communicate and supplement each other to provide overall decentralised control.
  • the invention relates to a network information service or system which is able to communicate with a timetable management system or service interface, a hazards management system or service, a route monitoring system of service, a train control system, a level crossing controller and a junction controller in order to obtain and publish safety-critical status information.
  • the present invention provides a precise, decentralised train control system for ensuring safety of movement of autonomous railway vehicles through a railway network. Whilst the system described hereafter separately discusses a number inter-linked systems and sub-systems it is appreciated that all, or a selection of the systems and/or sub-systems are designed to interact with and complement each other to provide an overall network management system. Similarly, individual or selected combinations of the systems and/or sub-systems may be incorporated into otherwise alternative management and safety systems.
  • a safety system for trains travelling on a train network having means to communicate with a plurality of independent subsystems each relating to a specific control part of the train network; means to collate, categorise and publish information updates concerning a particular topic received from a subsystem; means to communicate with a train travelling on the network in such a way that the train is able subscribe to update information published by the system in respect of a selected topic; means to communicate with the train in order to receive periodic updates concerning the status of the train on the network; and means to publish information concerning the train status to any subscriber of said information.
  • a system for continuous control of trains over a train network comprising a network information system that is in continuous communication with an on-board communication system of a train travelling through said network; wherein the train-borne communication system transmits to the network information system data concerning the train identification, position, speed, direction of travel and status; and wherein the network information includes means to monitor routes and hazards within the network and transmits information concerning relevant routes and hazards to the train-borne communication system.
  • Figure 1 is simplified block diagram of the overall safety system according to a first embodiment of the invention
  • Figure 2 is detailed architecture of the system of figure 1 illustrating how the systems and subsystems interact;
  • Figure 3 shows the architecture of figure 2 divided into sections A to G;
  • Figure 4 is an enlarged view of section A of figure 3;
  • Figure 5 is an enlarged view of section B of figure 3;
  • Figure 6 is an enlarged view of section C of figure 3;
  • Figure 7 is an enlarged view of section D of figure 3;
  • Figure 8 is an enlarged view of section E of figure 3;
  • Figure 9 is an enlarged view of section F of figure 3;
  • Figure 10 is an enlarged view of section G of figure 3;
  • Figure 1 1 is a simplified block diagram of a decentralised autonomous system according to a second embodiment
  • Figure 12 is detailed architecture of the system of figure 1 1 illustrating how the systems and sub-systems interact;
  • Figure 13 shows the architecture of figure 12 divided into sections H to K;
  • Figure 14 is an enlarged view of section H of figure 12;
  • Figure 15 is an enlarged view of section I of figure 12;
  • Figure 16 is an enlarged view of section J of figure 12; and
  • Figure 17 is an enlarged view of section K of figure 12.
  • This system is primarily a safety system for a train network.
  • the system of figures 1 1 and 17, which will be described later, is a broader system including full automation (self-driving) of trains across a network.
  • Figure 1 illustrates a simplified block diagram of a safety system for trains on a network.
  • the dotted connection lines indicate a request/acknowledge protocol between the points connected.
  • the solid connection lines indicate a publish/subscribe protocol between the points connected.
  • a network information service or system 1 provides collation and publication of safety-critical information from any connected applications and to which the connected applications can subscribe, in order to receive updates from other selected connected applications of the system 1 .
  • a train travelling on the network, a trackside device or a hazard monitoring system or service 2 may communicate with the network information system ay any chosen time, to subscribe (or unsubscribe) to information and updates published by the network information system.
  • Subscription requests from a train, trackside device, hazard monitoring service or other application connected to the network information system 1 are sent via a telecommunications network to the network information system 1 to receive, through the subscription, a copy of any messages published by another train, trackside device, hazard management service or other connected application relating a specific requested topic.
  • the network information system On receipt of the subscription request, the network information system will carry out the following activities:
  • a train, trackside device, hazard management service 2, or other connected application may also communicate with the network information system 1 through a telecommunications network to provide a status update message in relation to a specific topic for publication to any subscriber of that topic information.
  • the message header will define the topic on to which the message will be published.
  • the topic references the train, trackside device or hazard in an information hierarchy to identify the publisher of the message.
  • the network information system 1 When the network information system 1 receives a message form a connected application or device for publication the system shall carry out the following activities:
  • a signaller interface is provided in a control centre to allow data within the network information system to be modified in the event of an emergency or degradation, and so that the signaller or dispatch is able to trigger an emergency stop for one or more trains on the route in which the emergency situation is applicable.
  • a route monitor system or service 3 grants authorisation to trains to travel along a route or routes, and collates and maintains a list of all trains and hazards currently on the route or routes.
  • a train may send a request to the route monitor system 3 to join a route.
  • the route monitor system 3 Upon receiving such a request, the route monitor system 3 performs the following activities or tasks:
  • the route monitor system 3 has a reconfigurable direction parameter in its meta-data which indicates the permitted direction of travel for trains on the route.
  • a train may send a request to change the permitted direction of travel to suit its pathing requirements.
  • the route monitor system 3 performs the following activities or tasks:
  • a train may send a request to the route monitor system 3 to notify it that it is leaving the route.
  • the route monitor system 3 Upon receiving such a request, the route monitor system 3 will perform the following activities or tasks:
  • a hazard management system 2 may send a request to the route monitor system 3 to add a hazard to the route. Upon receiving such a request, the route monitor system will perform the following activities:
  • a hazard management system 2 may send a request to the route monitor system to notify the route monitor system 3 that it is being removed from the route.
  • the route monitor system 3 Upon receiving such a request, the route monitor system 3 performs the following activities or tasks: (i) Remove the unique identifier of the hazard from the list of all hazards currently on the route; and
  • a route may have interdependencies with an adjacent route, wherein constraints on the infrastructure limit the number of rail vehicles on adjacent tracks, such as, for example, on bridges or in tunnels.
  • the route monitor system 3 will, itself, make a request to the route monitor system 3 for the adjacent route to inhibit another train from being authorised access.
  • the route monitor system 3 includes a parameter in its meta-data identifying the version number of the network map data that must be used by rail vehicles on the route. This parameter is configured during installation and cannot be changed with rail vehicles operating on the route.
  • the route monitor system within its meta-data has a reconfigurable parameter for "Emergency Stop All Trains". This parameter can be set by the signaller in an emergency.
  • a hazard management system 2 provides a service for a signaller to provide details about hazards to trains via the network information system 1 .
  • a hazard may include, without limitation, animals, debris, track workers, heritage trains, on track plant, failed trains and legacy signals.
  • a hazard may be applicable to multiple routes and junctions.
  • hazard For each route the hazard is applicable to, hazard has a starting location and end location.
  • Hazards that are passible shall have a non- zero speed limit that is lower than the permanent speed limit for that route.
  • a hazard is either "Active”, when it restricts the train, or "Clear”, when there is no restriction on the train.
  • An environmental hazard is a special type of hazard that warns the train of a need to take specific measures to achieve its required performance, for example without limitation, adhesion issues or visibility issues.
  • An environmental hazard may be created by the train and dynamically reported to the hazards management system 2 by publishing a message to the network information system 1 on the associated topic for hazards for that route. For subsequent trains in the hazard area, if the hazard has cleared, the train transmits a prompt to the signaller that the hazard can be cleared through updating the hazard management system 2.
  • Any train operating without an active control system must operate under verbal instruction from the signaller which creates a hazard in the hazard management system around the train within which the train is only permitted to move.
  • a hazard may be set to active/cleared dynamically by an external process interfacing with the hazard management system 2, for example in respect of the status of legacy lineside signals.
  • a timetable management system 4 provides an interface process for translating the timetable received from a third-party service and publishing the timetable to the network information system 1 to be viewed by trains on the network.
  • the timetable is managed through a third-party service such as a Timetable Management Service or Traffic Management Service.
  • This service will provide data concerning where trains should be on the network, and (optionally) at what time.
  • An interface is provided for the timetable management system 4 to which receives the appropriate timetable for each train on the network.
  • the interface process Upon receipt of an updated timetable for a train, the interface process publishes the data to the timetable topic on the network information system 1 providing a unique identifier for the train concerned.
  • a train control system 5 governs the safe movement of a train through the railway network.
  • the train control system 5 comprises a number of sub-systems that communicate and complement each other within the train control system. Each sub-system will be described below:
  • Trains determine their speed and position through a suite of relative and absolute sensors on board the train.
  • the sensors include for example without limitation, Global Navigation Satellite Systems receivers, Dead Reckoning, tachometers, doppler, radar, compass and track- mounted transponders.
  • the sensors are fully integrated using an algorithm, such as Extended Kalman Filter, to give a dependable latitude, longitude, and speed to a determinable degree of accuracy.
  • algorithm such as Extended Kalman Filter
  • the latitude and longitude position, and its degree of accuracy is integrated with train parameters for length and sensor configuration, and combined with a static error correction parameter, real-time position error, and timeliness and accuracy error factors, to determine the worst-case forward and rearward locations of the train against a map of the railway network, which is reported as a route identifier and distance along the route.
  • the train determines its direction of travel as "High” or “Low” based on the start and end distance values configured on the map of the railway network.
  • a high determination indicates a train travelling from a Low distance in the direction of a High distance.
  • a low determination indicates a train travelling from a High distance in the direction of a Low distance.
  • the train's position is reconciled with the knowledge that the junction was correctly set for the train to travel across the junction. Where required to meet safety acceptance requirements, this may be augmented with beacons located along the railway to give absolute confirmation of the train's position.
  • Each train travelling through the network subscribes to its timetable on the network information system 1 .
  • Each train also carries a map of the railway network
  • the train uses the outputs from its positioning and speed monitoring sub-system 6 and, using a map of the railway network and a suitable wayfinding algorithm, computes the optimum path to its next timetabled location.
  • Each train also subscribes to updates from the network information system 1 in respect of all the routes on its path.
  • the train sends a request to the route monitor system 3 for its direction to be changed. If the request is denied the train re-computes its optimum path again to exclude the route.
  • the network information system 1 publishes the train or signaller that is in control of the junction, and the direction that the junction is set in. If the train is not in control of the junction, and no other train or signaller is indicated as being in control of the junction, a request is sent to a junction controller for that train to be in control of the junction.
  • junction controller specifying an entry and exit route, to change the direction of the junction.
  • the train subscribes to updates about the level crossing from the network information system.
  • the network information system publishes the trains which are in control of the level crossing, and the open/close status of the level crossing.
  • a request is sent to a level crossing controller for that train to be in control of the level crossing.
  • the train sends a request to the level crossing controller to relinquish control.
  • Each train holds an electromechanical dynamics model which details how the train will accelerate and brake under idealised conditions using parameters such as for example without limitation train speed, position, track curvature, gradient and permanent speed restrictions.
  • Trains determine their limit of safe movement based on network map data and data received from the network information system.
  • the movement limit is taken to be the lesser of: • The limit of the last route for which: o the correct direction for the route is set; o the train is a member of the route; o the route isn't in an "all vehicles emergency stop" mode; o the train has received data from all other trains on the route; o up-to-date network map data is available on the train;
  • Each train also subscribes to itself on the network information system and will override any movement limit that has been generated, setting the distance to zero if:
  • the train protection sub-system may be used by the train protection sub-system to determine whether it is safe to move, such as for example without limitation: ⁇ Doors being locked and closed;
  • a safe speed profile is generated for the train from its current location up to its movement limit considering:
  • the train protection sub-system 8 calculates the emergency and service braking distances using the dynamics model and an appropriate error margin for processing time, actuation time and communications delay.
  • a warning is given to the driver (which may be an automatic/autonomous driving system) when the train is close to exceeding its speed or movement limit using the service brake, based on a configured warning limit which is less than the actual speed or movement limit.
  • An emergency stop will be initiated by the train protection sub-system 8 when the train is close to exceeding its speed profile or movement limit using the emergency brake.
  • Each Train publishes its status to the network information system 1 on each processing cycle which includes a minimum of the following:
  • the train discards the data and publishes only the most up-to-date data on the next processing cycle.
  • a junction controller 9 constrains the number of trains occupying a junction and sets the junction in the direction requested by the train by interfacing with the trackside junction operating and detection equipment 10. When a train requests control of a junction, control will be granted when:
  • junction controller 9 will then confirm that the requesting train is the next to proceed through the junction prior to granting it control of the junction.
  • the junction controller 9 publishes to the network information system the unique identifier of the train or signaller that is in control of the junction.
  • the junction controller 9 receives requests from the train in control of the junction, which specify the unique identifiers of the routes connected to the junction from which the rail vehicle wants to enter, and to which it wants to exit the junction.
  • the junction controller On receipt of such a request the junction controller will checks if the combination is valid. If valid, the junction controller 9 will interface with operating and detection equipment of trackside points 10 to request the movement of the junction into the requested configuration.
  • the junction controller 9 is in continuous receipt of the status of the junction from the trackside points operating and detection equipment 10. Once the junction is set in the requested configuration the junction controller 9 publishes the change of status to the network information system 1 .
  • the junction controller 9 subscribes to updates of the train from the network information system 1 to monitor the worst-case rearward position of the train in control of the junction. Once the worst-case rearward position of the train is on the exit route and has cleared the preconfigured "fouling point", control is revoked. In addition, the train will request that control is revoked if this hasn't been achieved automatically.
  • Ground-frame controlled junctions are a permanent hazard within the hazard monitoring system without any automatic supervision.
  • the ground frame hazard is "Clear" when set in its normal position. To operate the ground frame, the hazard must be set to "Active” within the control centre. The train may only be driven manually over the ground frame without any automatic protection.
  • the ground frame hazard may only be reset to "Clear" once it is confirmed by the control centre that the train has completely passed the ground frame and that it is locked in the normal position.
  • An override for the interface to the trackside points operating and detection equipment is provided for the signaller to manually confirm that the junction is set and locked for an authorised route.
  • a level crossing controller 1 1 governs the interface between the highway and the railway, ensuring the railway is clear of highway hazards before a train can proceed by interfacing with the trackside level crossing operating and detection equipment 12.
  • the level crossing controller 1 1 ensures that the level crossing is secured either open or closed, and to provide that information to the train.
  • a level crossing is "Open” when traffic and pedestrians are permitted to traverse across the level crossing at which point trains cannot traverse across the level crossing.
  • a level crossing is "Closed" when traffic and pedestrians are not permitted to traverse across the level crossing at which time trains are able to traverse across the level crossing.
  • the level crossing controller receives a request from a train to be in control of the crossing.
  • the level crossing controller adds the unique identifier of the train to the list of trains in control of the crossing and publishes this to the network information system.
  • the level crossing controller requests from the trackside level crossing operating and detection equipment that it commence its "Close” procedure.
  • the level crossing controller 1 1 is in continuous receipt of the status of the level crossing from the trackside level crossing operating and detection equipment 12. Once the level crossing is Closed the level crossing controller 1 1 publishes the change of status to the network information system.
  • the level crossing controller 1 1 subscribes to updates of the train from the network information system 1 to monitor the worst-case rearward position of the trains in control of the level crossing. Once the worst-case rearward position of the train is on the exit route and has cleared the preconfigured "fouling point", control is revoked, and the train is removed from the list of trains in control of the crossing. In addition, the train requests that control is revoked if this hasn't been achieved automatically.
  • the level crossing controller 1 1 with interface with the trackside level crossing operating and detection equipment 12 to open the crossing to highway traffic.
  • An inhibit timer is then activated within the level crossing controller 12 to ensure the level crossing remains open to road traffic for a pre-configured amount of time to avoid risks of level crossing misuse on highly utilised routes. Whilst the inhibit timer is active, no train will be permitted control of the level crossing.
  • a legacy signalling monitoring system 13 integrates legacy fixed-block signalling assets into a continuous moving-block train control system.
  • the legacy signalling system 13 uses Fixed Block signalling principals.
  • the status of whether a train can enter a route is communicated to the train via colour-light or mechanical semaphore signals that are positioned alongside the route.
  • the status of the colour-light or semaphore signals is interrogated via interlocking status, relay status, or lever position, and used to dynamically control a pre-configured hazard within the hazard management system 2
  • the Hazard is "Active”, when it is not permitted for a train to pass the signal, such as a Red signal aspect.
  • the Hazard is "Clear”, when a train is permitted to pass the signal, such as a Yellow or Green signal aspect.
  • the hazard has a start position along a route mapping onto to the entry point for the Fixed Block protected by the signal, and a nominal length of 1 m to act as a barrier across the railway.
  • the legacy signalling hazard will typically only apply to one direction, i.e. a train will ignore it if travelling in the opposite direction. This is to allow for interfacing with bi-directional signalling.
  • the status of trackside points operating and detection equipment 10, 12 is monitored and integrated into the junction controllers 9 and likewise for the level crossing controllers 1 1 , however no control inputs are connected from the controller to the trackside equipment whilst in overlay mode.
  • An interface 14 for permitting ERTMS Level 3 is fitted trains to be given movement-authorities based on the principles of decentralised train control, with the train control system operating in a centralised location at network-level, physically separate from the train.
  • the ERTMS Level 3 Interface Module 14 converts data between the train control system and protection sub-system into messages compliant with ERTMS Level 3 train-RBC interface specification.
  • the ERTMS Level 3 Interface Module 14 converts data received from an ERTMS Level 3 train, such as position given as Eurobalise ID plus offset, into a distance along a route for use by the train control sub-system 5, and status data for use by the protection sub-system 8.
  • the train control system and ERTMS Level 3 Interface Module 14 are not located on board a train but within a central location alongside the network information System 1 .
  • Figures 1 1 to 17 illustrate a second embodiment of a system for continuous monitoring of a railway network, including its trains and hazards, for informing safe data-centric decentralised moving-block train control systems.
  • This system has many of the same elements as the system of the first embodiment but includes further detail for a fully autonomous system.
  • the systems should be seen as complimentary rather than alternatives and the description below focuses on the different and additional components.
  • the network information system 20 provides for the monitoring of trains, hazards and routes. It ensures the correct operation of the system 20, communication of route status to trains and management systems, interfacing to other information systems and provision of a geospatial information model.
  • Any train travelling on the network transmits data indicating its current identification, position, speed, direction of travel, and status over a wireless data network to the network information system 20.
  • the network information system 20 includes within its architecture a train monitoring subsystem 21 which produces and maintains a replica copy of the data transmitted from a train and received by the network information system 21 .
  • the train monitoring sub-system 21 broadcasts train data within the network information system 1 at regular intervals using a messaging subscription service.
  • the train monitoring sub-system 21 raises alerts and/or alarms when a train has not transmitted data in a timely manner, or if that data has become corrupted or if it is implausible.
  • the train monitoring sub-system 21 transmits train data to a route monitoring sub-system 22 within the network information system 20.
  • the network information system 20 also provides for the monitoring of hazards on the network through a hazard monitoring sub-system 23 within the network information system 20.
  • Hazards may, for example, include level crossings, legacy blocks, animals, debris or track workers.
  • a hazard may be applicable to multiple routes and junctions. Each hazard as has a starting position and end position, for each route the hazard is applicable to. Each hazard occupies the entire junction in respect of every junction for which hazard is applicable.
  • a permanent hazard is one that is always present but is sometimes passable and sometimes blocked, such as a level crossing.
  • a temporary hazard is one that is not a permanent feature of the railway and is added manually by an operator in a control centre or automatically by reports from a train.
  • Hazards have a permissible speed associated with them. All hazards have a permitted direction associated with them to allow for hazards that are passable only in one direction. Hazards that are not passible shall be given permissible speed of zero. Hazards that are passible shall have a non-zero speed limit that is lower than the permanent speed limit for that route.
  • a hazard is either marked as ACTIVE, when it restricts the train, or CLEAR, when there is no restriction on the train.
  • An adhesion hazard is a special type of temporary hazard that triggers deployment of counter- measures on the train.
  • An adhesion hazard may be generated by the train and reported to the hazards monitoring sub-system 23.
  • the hazards monitoring sub-system 23 transmits data concerning any and all hazards within the network to the route monitoring sub-system 22.
  • the route monitoring sub-system 22 maintains a replica of the data of the trains and hazards on the route.
  • the route monitoring sub-system 22 broadcasts all route data over a communications network at a regular interval using a messaging subscription service within the network information system 20.
  • the route monitoring sub-system 22 receives date transmitted from the train monitoring subsystem 21 and the hazards monitoring sub-system 3.
  • the route monitoring sub-system 22 raises alerts and/or alarms when the train monitoring sub- system 21 and hazards monitoring sub-system 23 have not transmitted data in a timely manner, or if that data has become corrupted or implausible.
  • a train When a train is approaching a new route, it sends a request to the route monitoring sub-system 22 to request that it be monitored.
  • the route monitoring sub-system 22 then makes a subscription request to the train monitoring sub-system 21 after which it receives updates of that train's data.
  • the train monitoring sub-system 21 monitors which routes of the network are currently subscribed to its updates. When a train has exited the route, the train monitoring sub-system sends a notification to the route monitoring sub-system 22 indicating to the route monitoring sub-system 22 that said train is no longer present on that route and the route monitoring subsystem 22 accordingly unsubscribes from said train's data.
  • the presence of the train is calculated using the following train positioning: • if a route contains only a worst-case forward position or emergency stopping point of a train, the route behind this point is assumed to contain the rest of the train; and ⁇ if a route contains only the worst-case rearward location of a train, the route ahead of this point is assumed to contain the rest of the train.
  • the route monitoring sub-system 22 If the route monitoring sub-system 22 receives information or otherwise observes that a train is travelling faster than the permitted speed, or that a train passes a hazard that should not have been passed, it raises an alarm to control centre personnel and instructs the train to stop and for the train supervisor to intervene.
  • a governing or "watchdog" sub-system 24 included in the network information system 20 architecture which monitors for any sub-systems failing to perform effectively. This provides a further layer of protection against invalid or missing data.
  • External trains and traffic management systems subscribe to data from the route monitoring sub-system 22 in respect of specific routes of interest. This data is broadcast periodically from the network information system 20.
  • a secure gateway 25 ensures that only permitted trains and traffic management systems 26 can receive updates from the network information system 20.
  • the route data transmitted from the route monitoring sub-system 22 includes live data of all trains and hazards on that route including precise locations, speed, direction of travel and emergency stopping points.
  • a separate message broker system 27 is provided as an interface for other information systems. The message broker system 27 subscribes to all data available on trains, hazards and routes, in respect of the network information system 20.
  • the message broker system 27 manages subscription requests from other information systems and broadcasts data from the network information system 20 accordingly.
  • the network information system 20 provides a geospatial information model which has contextual information for each route including for example the route name, curvature, gradient, gauge, train compatibility classification, tilting sections, electrified sections, and features such as stations and platforms, tunnels. For characteristics that vary along the length of the route, the start and end kilometerage for each characteristic are defined.
  • a route is defined as a continuous section of track (a vertex) between two junctions (nodes), or to a physical end of a railway, which may be limited by buffer stops or another barrier (also a node).
  • a route may vary in length from several meters to several thousand kilometres.
  • a route is identified by a country code as two ASCII characters stored as two bytes, and a 4- byte integer route unique identifier. For specific locales using alphanumeric route identifiers, a lookup table is used for user presentation.
  • a route has a datum kilometerage at the start of the route, and at the end of the route, and the node which that route is connected to at each end of the route.
  • Permanent hazards are denoted within the geospatial information model with a starting position and end position for a route.
  • a master geospatial information model 28 is formed as part of the network information system 20 to provide a "single-source of truth".
  • a geospatial information model cache 29 is held on each train within the train protection and automation system 30 which provides information to the other sub-systems.
  • the geospatial information model has a version number for the network interconnections, i.e. the makeup of routes and junctions. A train cannot proceed without its version number for network interconnections matching that of the master geospatial information model 28.
  • Each route and junction itself has a version number within the geospatial information model.
  • a train cannot proceed to travel along a route or junction without its version number for that route or junction matching that of the master geospatial information model 28.
  • the train synchronises its geospatial information model cache 29 overnight whilst out-stabled or in the depot. However, if required a train may download updates to the geospatial information model whilst in service to allow for flexibility of trains and routes, for example for a train to take a diversionary route across a different network.
  • a train-borne system 31 provides a system for the automatic safe control of a train based on the status of trains and hazards on a network.
  • Trains monitor their own speed and position through a train position and speed control subsystem 32.
  • This consists of an integrated navigation system with an array of relative and absolute sensors, including for example without limitation, global navigation satellite systems receivers, communications-based assisted positioning, dead reckoning, tachometers, doppler radar, compass, and track-mounted transponders. These are integrated using an algorithm, such as Extended Kalman Filter, to give a dependable latitude, longitude, and speed to a determinable degree of accuracy.
  • the latitude and longitude position is integrated with train parameters for length and sensor configuration and combined with a static error correction parameter, real-time position error, and timeliness and accuracy error factors, to determine the worst-case forward and rearward locations of the train on the geospatial information model.
  • the train determines its direction of travel as HIGH or LOW.
  • a determination of HIGH is found when the train is travelling from a low kilometerage to a high kilometerage.
  • a determination of LOW is found when the train is travelling from a high kilometerage to a low kilometerage.
  • the train's position is found to be ambiguous, for example after the train has traversed a junction and is near other routes, its position is reconciled with the knowledge that the junction was correctly set for the train to travel across the junction. Where required to meet assurance cases, this may be augmented with beacons located along the railway to give absolute confirmation of the train's position.
  • the train position along a route is stored as a 32-bit (4-byte) fixed point number, scaled to three decimal places giving a resolution of 1 mm and maximum track length of 4,294.967296km sufficient to meet the needs of all known continuous lengths of track.
  • a train control sub-system 33 transmits data to the network information system 20 via radio communication.
  • the data includes a minimum of a unique train identifier, worst-case rearward position, worst-case forward position, service braking target position, emergency braking target position, speed, direction of travel, and status.
  • This real-time data is transmitted on a regular frequency.
  • the train discards the data and transmits only the most up-to-date data on the next cycle.
  • the train receives a schedule of calling points given as target times and positions along the routes of the geospatial information model from the network information system 20, which itself receives them from a traffic management system 26.
  • the train includes a local scheduling and wayfinding sub-system 34 which uses an algorithm to evaluate the routes and junctions that should be traversed to reach the next calling point in the shortest amount of time.
  • the local scheduling and wayfinding sub-system 34 provides the train control sub-system 33 with the routes and junctions that the train must travel across to reach its stopping points.
  • the local scheduling and wayfinding sub-system 34 manages messages subscription requests and cancellations for route and junctions that the train is required to traverse in a timely manner.
  • the local scheduling and wayfinding sub-system 34 also monitors the train's speed and position along a route and determines the appropriate time when it should request control of a junction and raises the request accordingly to the network information system 20.
  • the train holds an electromechanical system dynamics model which describes generically how the train will accelerate and brake under idealised conditions using parameters such as for example, train speed, position, track curvature, gradient, permanent speed restrictions.
  • the electromechanical system dynamics model is adjusted based on the following factors:
  • configuration data such as for example, length, load weight, and condition
  • Real-time sensor data such as for example, wheel slip/slide detection, environmental temperature, humidity;
  • Hazard data such as for example, temporary speed restrictions, adhesion levels, flooding. Trains determine their limit of safe movement across the routes and junctions defined by the local scheduling and wayfinding sub-system 34, based on the following data:
  • ⁇ route status including positions and braking distances of other trains, and hazard positions and associated speed restrictions
  • geospatial infrastructure model cache data, describing the characteristics of the route
  • ⁇ error factors including processing time, actuation time, and communications lag.
  • the train calculates its emergency and service braking distances using the current dynamics model and an appropriate error margin for processing time, actuation time, and communications lag.
  • the train only moves if its worst case rearward position correlates with that received in the network information system 20.
  • the network information system's worst case rearward position of the train must be in rear of the train's worst case rearward position.
  • Code Red scenarios include, without limitation:
  • Code Amber scenarios include, without limitation:
  • the traffic management system 26 defines which platform the train should stop at and the minimum length of time its doors should be open for. This is received by the train in the local scheduling and way-finding sub-system 34.
  • the stopping point plan is generated from the local scheduling and way-finding sub-system 34 and communicated to the train control subsystem 33.
  • the train control sub-system 33 detects that the train has arrived at the stopping point with a reasonable degree of accuracy, the train control sub-system 33 determines which doors to open based on the length of the train, the length of the associated platform within the geospatial information model cache 29, and the side of the train on which the doors should open.
  • the train control sub-system 31 communicates with a door controller interface within a train interface system 35 to open the doors.
  • the train control sub-system 31 continuously calculates its required driving profile to meet the next stopping point at the required time. If the train needs to depart from the station to comply with its stopping point timings, the train control sub-system 31 conducts checks to ensure the train has been at the station with the doors open for the required minimum amount of time and then either initiates its door-closure sequence, or waits for the remaining time to elapse before doing so.
  • the train supervisor receives a notification from the train control sub-system 31 when it is time to initiate the door closing sequence for the doors to be closed manually. If the train is operating without a train supervisor present, the train control subsystem 31 communicates with the door controller interface to close the doors. The door controller interface interacts with an obstacle detection system if one is present.
  • the train control sub-system 31 Once the train control sub-system 31 detects the doors are closed and locked, the train control sub-system 31 commences driving.
  • the train performs an emergency stop.
  • the train supervisor In the case of mechanical breakdown of the doors or door sensors, the train supervisor is permitted to override the door controller interface and manually confirm the doors are locked closed. If a train couples or uncouples the train consist information is changed within the train control system 31 to redefine the length of the train. This must be done by the train supervisor or the person in charge of the coupling/uncoupling operation.
  • the train will not proceed until the control centre has been contacted to agree the status of the coupled/uncoupled rail vehicles to consider whether to define this as a hazard that should be recorded.
  • the control centre generates a confirmation code that must be entered on the train to authorise its autonomous operation. This could be manually entered or remotely transmitted to the train from the control centre.
  • Coupling and uncoupling operations should only be carried out in areas protected by lineside train detection systems such as Axle Counters and Track Circuits to ensure any unpowered rail vehicles are treated as a hazard.
  • This Axle Counter or Track Circuit protected section shall be defined as a permanent hazard with a nominal, proceed on-sight, speed limit, circa 10mph, when the section is entered.
  • Coupling and uncoupling shall be carried out with visual supervision, either through forward- facing sensors or a competent person governing the operation.
  • Contextual information about the routes, included within the geospatial information model, is used by the train control sub-system 31 to determine in which areas special functions must be performed such as for example without limitation: • raising/lowering the pantograph;
  • Adhesion hazards are a special classification of hazard in the hazard monitoring sub-system 23 within the network information system 20.
  • the train control sub-system 31 In the event that the train control sub-system 31 is informed of the adhesion hazards by the network information system 20, the train control sub-system 31 requests sand/de-icer spreading where appropriate.
  • Traction and brake controllers inform the train control sub-system 31 when adhesion issues are encountered.
  • the hazard is reported to the network information system 1 and the train control sub-system 31 requests sand/de-icer spreading as appropriate.
  • the train control sub-system 31 informs the hazard monitoring sub-system 23.
  • the train position and speed monitoring sub-system 10 includes an impact detection system, to detect sudden vertical or lateral acceleration in conjunction with a rapid longitudinal deceleration.
  • the train position and speed monitoring sub-system 32 will inform the train control sub-system 21 that derailment has been detected and initiate and emergency stop which will trigger a Code Red alert to be sent to the control centre.
  • junction Controller A junction controller sub-system 36 within the network information system 20 provides a system for the control of railway junctions on a bi-directional moving-block train control system.
  • junction controller sub-system 36 When a train determines that it needs to traverse a junction, it subscribes to updates of that junction's status from the junction controller sub-system 36.
  • the train requests from the junction controller sub-system 36 that the junction is set for that train to the direction which it wishes to travel.
  • the junction controller sub-system 36 periodically receives a prioritised list of trains to traverse the junction from the traffic management system 26.
  • a message is sent from the junction controller sub-system 36 to the train advising the train that it now has control of the junction.
  • junction controller sub-system 36 If the junction controller sub-system 36 has no list from the traffic management system 26 then it permits control on a first-come-first-served basis.
  • the moving of the junction is forbidden if it creates a situation where two trains could be travelling head-on towards each other.
  • the train requests a route to be set with an IN route and an OUT route.
  • the junction controller sub-system 15 checks against a lookup table to ensure the IN and OUT combination is valid. This lookup table is preconfigured during installation.
  • the junction controller sub-system checks the direction of travel currently associated with the entry and exit routes to mitigate against head-on routing of trains. This is done by each route having a direction parameter within the route monitoring sub-system 22 of the network information system 20.
  • the direction parameter is mapped onto IN and OUT directions for that Junction.
  • the IN and OUT directions are checked in control tables to ensure that the route is allowed.
  • direction parameter for a route aligns with the IN and OUT directions mapped on to the lookup table, then there is no routing conflict to prevent the junction being set. If the direction parameter for a route does not align with the IN and OUT directions mapped on to the lookup table, then there is a routing conflict.
  • the junction controller sub-system 36 makes a request to the route monitoring sub-system 22 to reverse the route direction of the conflicting route direction.
  • the route monitoring sub-system 22 checks to make sure that all trains on that route are stationary and reverses its direction parameter.
  • the direction parameter is restricted for 60 seconds to give sufficient time for the junction to set using a direction restriction parameter recording the junction identification and time. 60 seconds is chosen as being deemed adequate time for the train to extend its braking distance into the route which gives permanence to the direction of travel parameter.
  • the junction controller sub-system 36 monitors the route monitoring sub-system 22 for the direction parameter to be updated and once it is updated the conflict checking takes place again to confirm there is no routing conflict.
  • setting the state of a junction may be dependent on another junction being set in a certain state. This dependency is configured within the lookup tables. Where this occurs, the junction, rather than the train, submits a request for that junction to be set to a preconfigured state. This may be done without conflict checking as it is not expected that the junction will be traversed by the original requesting train.
  • the junction controller sub-system 36 sends a request to the lineside equipment that the junction be set to a certain state - typically called NORMAL or REVERSE. Once the junction is confirmed to be set in the correct direction, the train is given a PROCEED message. The PROCEED message repeats on a regular interval for as long as the junction is set for the train.
  • the junction controller sub-system 36 subscribes to updates from the routes from the route monitoring sub-system 22 and through this it monitors the worst-case rearward position of the train in control of the junction. It may otherwise do this by subscribing to updates from the train monitoring sub-system 21.
  • junction controller sub-system 15 terminates the transmission of the periodic PROCEED message to the train and revokes the control status for that train over the junction.
  • the junction controller sub-system 36 notifies the route monitoring sub-system 22 that the direction restriction parameter may be released.
  • junction controller sub-system 36 then sets its status to be READY FOR REQUEST.
  • a train waiting to traverse the junction subscribes to updates from the junction controller sub- system and sees its status change to be READY FOR REQUEST and then submits its request for control.
  • Ground frame controlled junctions are a permanent hazard within the hazard monitoring system 23 without any automatic supervision.
  • the Ground frame hazard is CLEAR when set in its normal positon. To operate the ground frame, the hazard must be set to ACTIVE within the control centre. The train may only be manually driven over the Ground frame without any automatic protection.
  • the ground frame hazard may only be reset to CLEAR once it is confirmed by the control centre that the train has completely passed the ground frame and that it is locked in the normal position.
  • An override for the interface to lineside points operating and detection equipment 37 is provided for the control centre personnel to manually confirm that the junction is set and locked for an authorised route.
  • An override to the route direction parameter is also provided to support this.
  • a level crossing controller sub-system 38 within the network information system 20 provides a system for managing the interface between the highway and railway to make sure the railway is clear of hazards for trains to cross the highway.
  • the level crossing controller sub-system 38 ensures that the level crossing is secured either open or closed, to provide that information to the train.
  • a level crossing is OPEN when traffic and pedestrians are permitted to traverse across the level crossing and therefore trains cannot traverse across the level crossing.
  • a level crossing is CLOSED when traffic and pedestrians are not permitted to traverse across the level crossing and therefore trains are able to traverse across the level crossing.
  • a level crossing is a permanent hazard and has pre-configured start positions and end positions along the specific routes to which it is associated. This is defined within a configuration file for the level crossing controller sub-system 38.
  • the hazard status is ACTIVE and this is communicated to the hazards monitoring sub-system 23.
  • the level crossing controller sub-system 38 subscribes to updates from the route monitoring sub-system 22 for the routes which it is associated with.
  • the level crossing controller sub-system 38 has pre-defined activation distances for trains travelling at different speeds.
  • the level crossing controller sub-system 38 monitors for approaching trains along the routes and when a train at a speed crosses an activation distance it commences the level crossing operation procedure.
  • the level crossing controller sub-system is configured to request a check for obstacles in a variety of ways, depending upon the type of crossing and obstacle detection equipment available:
  • the level crossing hazard status is communicated to the hazards monitoring sub-system 23, clearing the hazard.
  • the hazard status for the level crossing is set to ACTIVE within the hazards monitoring sub-system 23.
  • the level crossing controller sub-system 38 monitors its hazard status within the route monitoring sub-system 22. Once it has observed that the route monitoring sub-system correctly represents the ACTIVE hazard status, the procedure to open the level crossing is initiated.
  • a delay timer is activated within the level crossing controller sub-system 38 to ensure the level crossing remains open to road traffic for a pre-determined amount of time to avoid risks of level crossing misuse on highly utilised routes.
  • a legacy signalling systems monitoring sub-system 39 the network information system 20 provides a system for integrating legacy fixed-block signalling assets into a continuous moving-block train control system.
  • Legacy signalling systems refer to fixed block signalling principals.
  • a fixed block signalling system the status of whether a train can enter a route is communicated via colour-light or mechanical semaphore signals.
  • the block which the signal controls is a permanent hazard.
  • the hazards monitoring subsystem 3 subscribes to updates about this hazard.
  • the hazard has a start position along a route mapping onto to the entry point for the fixed block protected by the signal, and a nominal length of 1 m to act as a barrier across the railway.
  • a legacy signalling hazard will typically only apply to one direction, such that a train will ignore it if travelling in the opposite direction. This is to allow for bi-directional signalling.

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Train Traffic Observation, Control, And Security (AREA)

Abstract

A decentralised communications based train control system for preventing collisions and derailments of trains on a railway network whereby sub-systems for trains, junctions, level crossings and hazards publish their status to a network information system or service, which is subscribed to by other trains which systems are able to use the published status information to determine where it is safe to drive on that section of a railway network.

Description

A DECENTRALISED COMMUNICATIONS BASED TRAIN CONTROL SYSTEM
Field of invention
The present invention relates to a decentralised communications based train control system.
More especially the invention relates to a system for preventing collisions and derailments of trains on a railway network whereby sub-systems for trains, junctions, level crossings and hazards publish their status to a network information system or service, which is subscribed to by other trains which systems are able to use the published status information to determine where it is safe to drive on that section of a railway network.
Moreover, the invention relates to a decentralised communications based train control system that incorporates a number of independent systems and sub-systems that communicate and supplement each other to provide overall decentralised control.
In particular the invention relates to a network information service or system which is able to communicate with a timetable management system or service interface, a hazards management system or service, a route monitoring system of service, a train control system, a level crossing controller and a junction controller in order to obtain and publish safety-critical status information.
Background to the invention
As rail networks in many countries continue to grow and become more complex there is a constant need to update control systems to ensure safety conditions and procedures and optimised across the entire network.
The present invention provides a precise, decentralised train control system for ensuring safety of movement of autonomous railway vehicles through a railway network. Whilst the system described hereafter separately discusses a number inter-linked systems and sub-systems it is appreciated that all, or a selection of the systems and/or sub-systems are designed to interact with and complement each other to provide an overall network management system. Similarly, individual or selected combinations of the systems and/or sub-systems may be incorporated into otherwise alternative management and safety systems.
Statements of invention
According to a first aspect there is provided a safety system for trains travelling on a train network, the system having means to communicate with a plurality of independent subsystems each relating to a specific control part of the train network; means to collate, categorise and publish information updates concerning a particular topic received from a subsystem; means to communicate with a train travelling on the network in such a way that the train is able subscribe to update information published by the system in respect of a selected topic; means to communicate with the train in order to receive periodic updates concerning the status of the train on the network; and means to publish information concerning the train status to any subscriber of said information.
According to a further aspect there is a provided a system for continuous control of trains over a train network, the system comprising a network information system that is in continuous communication with an on-board communication system of a train travelling through said network; wherein the train-borne communication system transmits to the network information system data concerning the train identification, position, speed, direction of travel and status; and wherein the network information includes means to monitor routes and hazards within the network and transmits information concerning relevant routes and hazards to the train-borne communication system.
Brief description of the drawings
Embodiments of the invention will be now be described with reference to the figures in which: Figure 1 is simplified block diagram of the overall safety system according to a first embodiment of the invention;
Figure 2 is detailed architecture of the system of figure 1 illustrating how the systems and subsystems interact; Figure 3 shows the architecture of figure 2 divided into sections A to G; Figure 4 is an enlarged view of section A of figure 3; Figure 5 is an enlarged view of section B of figure 3; Figure 6 is an enlarged view of section C of figure 3; Figure 7 is an enlarged view of section D of figure 3; Figure 8 is an enlarged view of section E of figure 3; Figure 9 is an enlarged view of section F of figure 3; Figure 10 is an enlarged view of section G of figure 3;
Figure 1 1 is a simplified block diagram of a decentralised autonomous system according to a second embodiment; Figure 12 is detailed architecture of the system of figure 1 1 illustrating how the systems and sub-systems interact;
Figure 13 shows the architecture of figure 12 divided into sections H to K; Figure 14 is an enlarged view of section H of figure 12; Figure 15 is an enlarged view of section I of figure 12; Figure 16 is an enlarged view of section J of figure 12; and Figure 17 is an enlarged view of section K of figure 12.
Detailed description of preferred embodiments
Individual components of the overall system of figures 1 to 10 will now be described. This system is primarily a safety system for a train network. The system of figures 1 1 and 17, which will be described later, is a broader system including full automation (self-driving) of trains across a network.
Figure 1 illustrates a simplified block diagram of a safety system for trains on a network. The dotted connection lines indicate a request/acknowledge protocol between the points connected. The solid connection lines indicate a publish/subscribe protocol between the points connected.
A. Network information system
A network information service or system 1 provides collation and publication of safety-critical information from any connected applications and to which the connected applications can subscribe, in order to receive updates from other selected connected applications of the system 1 .
A train travelling on the network, a trackside device or a hazard monitoring system or service 2 may communicate with the network information system ay any chosen time, to subscribe (or unsubscribe) to information and updates published by the network information system.
Subscription requests from a train, trackside device, hazard monitoring service or other application connected to the network information system 1 are sent via a telecommunications network to the network information system 1 to receive, through the subscription, a copy of any messages published by another train, trackside device, hazard management service or other connected application relating a specific requested topic.
On receipt of the subscription request, the network information system will carry out the following activities:
(i) Confirm the topic exists in the hierarchy;
(ii) Add the requesting device to the list of subscribers to the topic; and (iii) Send a copy of the last received message payload associated with that topic to the requesting device. A train, trackside device, hazard management service 2, or other connected application, may also communicate with the network information system 1 through a telecommunications network to provide a status update message in relation to a specific topic for publication to any subscriber of that topic information.
The message header will define the topic on to which the message will be published. The topic references the train, trackside device or hazard in an information hierarchy to identify the publisher of the message.
When the network information system 1 receives a message form a connected application or device for publication the system shall carry out the following activities:
(i) Interrogate the header of the message to determine which topic the message shall be published to;
(ii) Create a topic in its hierarchy;
(iii) Send a copy of the message payload to all subscribers to that topic, together with a reference to the topic identifier; and
(iv) Create a copy of the message payload and retain the copy until any further message on the topic is received.
A signaller interface is provided in a control centre to allow data within the network information system to be modified in the event of an emergency or degradation, and so that the signaller or dispatch is able to trigger an emergency stop for one or more trains on the route in which the emergency situation is applicable.
B. Route monitor service
A route monitor system or service 3 grants authorisation to trains to travel along a route or routes, and collates and maintains a list of all trains and hazards currently on the route or routes. A train may send a request to the route monitor system 3 to join a route. Upon receiving such a request, the route monitor system 3 performs the following activities or tasks:
(i) Check that the pre-configured limit of the number of trains on a route has not been exceeded;
(ii) Add the unique identifier of the train to the list of all trains authorised on the current route; and
(iii) Publish the list of all trains to a topic for that specific route within the network information system.
The route monitor system 3 has a reconfigurable direction parameter in its meta-data which indicates the permitted direction of travel for trains on the route. A train may send a request to change the permitted direction of travel to suit its pathing requirements. On receipt of such a request, the route monitor system 3 performs the following activities or tasks:
(i) Ensure that all trains on the route are stationary prior to the requesting train changing its direction parameter; and
(ii) Initiate a timerfor a pre-configured duration (for example, 60 seconds) to inhibit any further changes of direction until the train that has requested the direction change has entered the route.
A train may send a request to the route monitor system 3 to notify it that it is leaving the route. Upon receiving such a request, the route monitor system 3 will perform the following activities or tasks:
(i) Remove the unique identifier of the train from the list of all trains currently on the route; and
(ii) Publish the list of all trains to a topic for that specific route within the network information system 1 . A hazard management system 2 may send a request to the route monitor system 3 to add a hazard to the route. Upon receiving such a request, the route monitor system will perform the following activities:
(i) Add the unique identifier of the hazard to the list of all hazards currently on the route; and
(ii) Publish the list of all hazards on the route to a topic for that specific route within the network information system 1 .
A hazard management system 2 may send a request to the route monitor system to notify the route monitor system 3 that it is being removed from the route. Upon receiving such a request, the route monitor system 3 performs the following activities or tasks: (i) Remove the unique identifier of the hazard from the list of all hazards currently on the route; and
(ii) Publish the list of all hazards to a topic for that specific route within the network information system 1 .
A route may have interdependencies with an adjacent route, wherein constraints on the infrastructure limit the number of rail vehicles on adjacent tracks, such as, for example, on bridges or in tunnels. In this scenario the route monitor system 3 will, itself, make a request to the route monitor system 3 for the adjacent route to inhibit another train from being authorised access.
The route monitor system 3 includes a parameter in its meta-data identifying the version number of the network map data that must be used by rail vehicles on the route. This parameter is configured during installation and cannot be changed with rail vehicles operating on the route.
The route monitor system within its meta-data has a reconfigurable parameter for "Emergency Stop All Trains". This parameter can be set by the signaller in an emergency. C. Hazard management system
A hazard management system 2 provides a service for a signaller to provide details about hazards to trains via the network information system 1 .
A hazard may include, without limitation, animals, debris, track workers, heritage trains, on track plant, failed trains and legacy signals. A hazard may be applicable to multiple routes and junctions.
For each route the hazard is applicable to, hazard has a starting location and end location.
All hazards have a permissible speed associated with them and any hazards that are not passible shall be given permissible speed of zero. Hazards that are passible shall have a non- zero speed limit that is lower than the permanent speed limit for that route.
A hazard is either "Active", when it restricts the train, or "Clear", when there is no restriction on the train.
An environmental hazard is a special type of hazard that warns the train of a need to take specific measures to achieve its required performance, for example without limitation, adhesion issues or visibility issues.
An environmental hazard may be created by the train and dynamically reported to the hazards management system 2 by publishing a message to the network information system 1 on the associated topic for hazards for that route. For subsequent trains in the hazard area, if the hazard has cleared, the train transmits a prompt to the signaller that the hazard can be cleared through updating the hazard management system 2.
Any train operating without an active control system must operate under verbal instruction from the signaller which creates a hazard in the hazard management system around the train within which the train is only permitted to move.
A hazard may be set to active/cleared dynamically by an external process interfacing with the hazard management system 2, for example in respect of the status of legacy lineside signals.
D Timetable management system 4
A timetable management system 4 provides an interface process for translating the timetable received from a third-party service and publishing the timetable to the network information system 1 to be viewed by trains on the network.
The timetable is managed through a third-party service such as a Timetable Management Service or Traffic Management Service. This service will provide data concerning where trains should be on the network, and (optionally) at what time.
An interface is provided for the timetable management system 4 to which receives the appropriate timetable for each train on the network.
Upon receipt of an updated timetable for a train, the interface process publishes the data to the timetable topic on the network information system 1 providing a unique identifier for the train concerned.
E Train control system 5 A train control system 5 governs the safe movement of a train through the railway network. The train control system 5 comprises a number of sub-systems that communicate and complement each other within the train control system. Each sub-system will be described below:
1 . Position and speed monitoring sub-system 6
Trains determine their speed and position through a suite of relative and absolute sensors on board the train. The sensors include for example without limitation, Global Navigation Satellite Systems receivers, Dead Reckoning, tachometers, doppler, radar, compass and track- mounted transponders.
The sensors are fully integrated using an algorithm, such as Extended Kalman Filter, to give a dependable latitude, longitude, and speed to a determinable degree of accuracy.
The latitude and longitude position, and its degree of accuracy, is integrated with train parameters for length and sensor configuration, and combined with a static error correction parameter, real-time position error, and timeliness and accuracy error factors, to determine the worst-case forward and rearward locations of the train against a map of the railway network, which is reported as a route identifier and distance along the route.
The train determines its direction of travel as "High" or "Low" based on the start and end distance values configured on the map of the railway network.
A high determination indicates a train travelling from a Low distance in the direction of a High distance. A low determination indicates a train travelling from a High distance in the direction of a Low distance. In the event that the train's position is ambiguous, which may be the case, for example, immediately after the train has traversed a junction and is near other routes, the train's position is reconciled with the knowledge that the junction was correctly set for the train to travel across the junction. Where required to meet safety acceptance requirements, this may be augmented with beacons located along the railway to give absolute confirmation of the train's position.
2. Pathing sub-system 7
Each train travelling through the network subscribes to its timetable on the network information system 1 . Each train also carries a map of the railway network
The train uses the outputs from its positioning and speed monitoring sub-system 6 and, using a map of the railway network and a suitable wayfinding algorithm, computes the optimum path to its next timetabled location.
Each train also subscribes to updates from the network information system 1 in respect of all the routes on its path.
If a route on the train's path is configured in a direction that opposes the required direction, the train sends a request to the route monitor system 3 for its direction to be changed. If the request is denied the train re-computes its optimum path again to exclude the route.
As the train approaches its next route it sends a request to join that route to the route monitor system 3 and subscribes to updates about each train and hazard on that route from the network information system 1 .
As a train approaches a junction the train subscribes to updates about the junction from the network information system 1 . The network information system 1 publishes the train or signaller that is in control of the junction, and the direction that the junction is set in. If the train is not in control of the junction, and no other train or signaller is indicated as being in control of the junction, a request is sent to a junction controller for that train to be in control of the junction.
If the junction is not set in the correct direction for the train path, a request is sent to the junction controller, specifying an entry and exit route, to change the direction of the junction.
Once the train has transited through a junction, clearing the fouling point (the closest distance a train can be to a junction where tracks converge and where, if the train exceeds the distance it would obstruct another train passing no an adjacent track), it sends a request to the junction controller to relinquish control.
As a train approaches a level crossing, the train subscribes to updates about the level crossing from the network information system. The network information system publishes the trains which are in control of the level crossing, and the open/close status of the level crossing.
If the train is not in control of the level crossing, a request is sent to a level crossing controller for that train to be in control of the level crossing.
Once a train has transited through the level crossing, the train sends a request to the level crossing controller to relinquish control.
3. Train Protection sub-system 8
Each train holds an electromechanical dynamics model which details how the train will accelerate and brake under idealised conditions using parameters such as for example without limitation train speed, position, track curvature, gradient and permanent speed restrictions.
Trains determine their limit of safe movement based on network map data and data received from the network information system. The movement limit is taken to be the lesser of: • The limit of the last route for which: o the correct direction for the route is set; o the train is a member of the route; o the route isn't in an "all vehicles emergency stop" mode; o the train has received data from all other trains on the route; o up-to-date network map data is available on the train;
· The closest impassable hazard;
• The closest junction or level crossing for which the train is not in control and its direction is not set; for each junction and level crossing there is a safe distance that a train must not exceed when not in control and the direction is not set - this is configured in the network map data and prevents collisions with trains on adjacent routes where routes converge (the fouling point);
• The limit of the route in the network map; · Worst-case forward position, worst-case rearward position, and emergency braking distances of other trains; and
• The constraints of the route as defined in the network map and the configuration of the train, for example without limitation, gauge clearance, traction supply options and vehicle weight limits.
Each train also subscribes to itself on the network information system and will override any movement limit that has been generated, setting the distance to zero if:
• The network information system contains invalid data about the train; and • The emergency stop status for the train has been set by the signaller.
Several other factors specific to each train, may be used by the train protection sub-system to determine whether it is safe to move, such as for example without limitation: · Doors being locked and closed;
• Loss of key safety functions of the train;
• Emergency stop initiated by the train supervisor;
• Impact with object (debris, suicide, road vehicle);
• Correct tilt profile for route; · Correct power supply selected; and
• Derailment detected
A safe speed profile is generated for the train from its current location up to its movement limit considering:
• Speed limits in the network map;
• Dynamic model of the train; and · Speed limits of hazards.
The train protection sub-system 8 calculates the emergency and service braking distances using the dynamics model and an appropriate error margin for processing time, actuation time and communications delay.
A warning is given to the driver (which may be an automatic/autonomous driving system) when the train is close to exceeding its speed or movement limit using the service brake, based on a configured warning limit which is less than the actual speed or movement limit. An emergency stop will be initiated by the train protection sub-system 8 when the train is close to exceeding its speed profile or movement limit using the emergency brake.
Each Train publishes its status to the network information system 1 on each processing cycle which includes a minimum of the following:
• unique Train identifier;
• worst-case rearward position;
• worst-case forward position;
• service braking target forward position; · emergency braking target forward position,
• speed;
• direction of travel;
• status;
• timestamp.
If it has not been possible to transmit the data, the train discards the data and publishes only the most up-to-date data on the next processing cycle.
F. Junction controller 9
A junction controller 9 constrains the number of trains occupying a junction and sets the junction in the direction requested by the train by interfacing with the trackside junction operating and detection equipment 10. When a train requests control of a junction, control will be granted when:
There is no other train or signaller in control of the junction; and
If there is a traffic management system interfacing with the network information system 1 , it may have published an order of precedence for trains through the junction. Where this is the case the junction will be configured to subscribe to the junction precedence topic within the network information system. The junction controller 9 will then confirm that the requesting train is the next to proceed through the junction prior to granting it control of the junction.
The junction controller 9 publishes to the network information system the unique identifier of the train or signaller that is in control of the junction.
The junction controller 9 receives requests from the train in control of the junction, which specify the unique identifiers of the routes connected to the junction from which the rail vehicle wants to enter, and to which it wants to exit the junction.
On receipt of such a request the junction controller will checks if the combination is valid. If valid, the junction controller 9 will interface with operating and detection equipment of trackside points 10 to request the movement of the junction into the requested configuration.
The junction controller 9 is in continuous receipt of the status of the junction from the trackside points operating and detection equipment 10. Once the junction is set in the requested configuration the junction controller 9 publishes the change of status to the network information system 1 .
The junction controller 9 subscribes to updates of the train from the network information system 1 to monitor the worst-case rearward position of the train in control of the junction. Once the worst-case rearward position of the train is on the exit route and has cleared the preconfigured "fouling point", control is revoked. In addition, the train will request that control is revoked if this hasn't been achieved automatically.
Ground-frame controlled junctions are a permanent hazard within the hazard monitoring system without any automatic supervision.
The ground frame hazard is "Clear" when set in its normal position. To operate the ground frame, the hazard must be set to "Active" within the control centre. The train may only be driven manually over the ground frame without any automatic protection.
The ground frame hazard may only be reset to "Clear" once it is confirmed by the control centre that the train has completely passed the ground frame and that it is locked in the normal position.
Under scenarios where points operating equipment has failed, it may be necessary for trackside personnel to manually control and lock the points.
An override for the interface to the trackside points operating and detection equipment is provided for the signaller to manually confirm that the junction is set and locked for an authorised route.
G. Level Crossing Controller 1 1
A level crossing controller 1 1 governs the interface between the highway and the railway, ensuring the railway is clear of highway hazards before a train can proceed by interfacing with the trackside level crossing operating and detection equipment 12.
The level crossing controller 1 1 ensures that the level crossing is secured either open or closed, and to provide that information to the train. A level crossing is "Open" when traffic and pedestrians are permitted to traverse across the level crossing at which point trains cannot traverse across the level crossing.
A level crossing is "Closed" when traffic and pedestrians are not permitted to traverse across the level crossing at which time trains are able to traverse across the level crossing.
The level crossing controller receives a request from a train to be in control of the crossing. The level crossing controller adds the unique identifier of the train to the list of trains in control of the crossing and publishes this to the network information system.
If not already Closed, the level crossing controller requests from the trackside level crossing operating and detection equipment that it commence its "Close" procedure.
The level crossing controller 1 1 is in continuous receipt of the status of the level crossing from the trackside level crossing operating and detection equipment 12. Once the level crossing is Closed the level crossing controller 1 1 publishes the change of status to the network information system.
The level crossing controller 1 1 subscribes to updates of the train from the network information system 1 to monitor the worst-case rearward position of the trains in control of the level crossing. Once the worst-case rearward position of the train is on the exit route and has cleared the preconfigured "fouling point", control is revoked, and the train is removed from the list of trains in control of the crossing. In addition, the train requests that control is revoked if this hasn't been achieved automatically.
Once the list of trains in control of the level crossing is empty, the level crossing controller 1 1 with interface with the trackside level crossing operating and detection equipment 12 to open the crossing to highway traffic. An inhibit timer is then activated within the level crossing controller 12 to ensure the level crossing remains open to road traffic for a pre-configured amount of time to avoid risks of level crossing misuse on highly utilised routes. Whilst the inhibit timer is active, no train will be permitted control of the level crossing.
H. Legacy signalling monitoring system 13
A legacy signalling monitoring system 13 integrates legacy fixed-block signalling assets into a continuous moving-block train control system.
The legacy signalling system 13 uses Fixed Block signalling principals.
In a Fixed Block signalling system, the status of whether a train can enter a route is communicated to the train via colour-light or mechanical semaphore signals that are positioned alongside the route.
To interface these into the decentralised communications based train control system, the status of the colour-light or semaphore signals, is interrogated via interlocking status, relay status, or lever position, and used to dynamically control a pre-configured hazard within the hazard management system 2
The Hazard is "Active", when it is not permitted for a train to pass the signal, such as a Red signal aspect. The Hazard is "Clear", when a train is permitted to pass the signal, such as a Yellow or Green signal aspect.
The hazard has a start position along a route mapping onto to the entry point for the Fixed Block protected by the signal, and a nominal length of 1 m to act as a barrier across the railway.
The legacy signalling hazard will typically only apply to one direction, i.e. a train will ignore it if travelling in the opposite direction. This is to allow for interfacing with bi-directional signalling. The status of trackside points operating and detection equipment 10, 12 is monitored and integrated into the junction controllers 9 and likewise for the level crossing controllers 1 1 , however no control inputs are connected from the controller to the trackside equipment whilst in overlay mode.
I. ERTMS Level 3 Interface Module 14
An interface 14 for permitting ERTMS Level 3 is fitted trains to be given movement-authorities based on the principles of decentralised train control, with the train control system operating in a centralised location at network-level, physically separate from the train.
The ERTMS Level 3 Interface Module 14 converts data between the train control system and protection sub-system into messages compliant with ERTMS Level 3 train-RBC interface specification.
The ERTMS Level 3 Interface Module 14 converts data received from an ERTMS Level 3 train, such as position given as Eurobalise ID plus offset, into a distance along a route for use by the train control sub-system 5, and status data for use by the protection sub-system 8.
In this architecture the train control system and ERTMS Level 3 Interface Module 14 are not located on board a train but within a central location alongside the network information System 1 .
Figures 1 1 to 17 illustrate a second embodiment of a system for continuous monitoring of a railway network, including its trains and hazards, for informing safe data-centric decentralised moving-block train control systems.
This system has many of the same elements as the system of the first embodiment but includes further detail for a fully autonomous system. The systems should be seen as complimentary rather than alternatives and the description below focuses on the different and additional components.
The network information system 20 provides for the monitoring of trains, hazards and routes. It ensures the correct operation of the system 20, communication of route status to trains and management systems, interfacing to other information systems and provision of a geospatial information model.
Any train travelling on the network transmits data indicating its current identification, position, speed, direction of travel, and status over a wireless data network to the network information system 20.
The network information system 20 includes within its architecture a train monitoring subsystem 21 which produces and maintains a replica copy of the data transmitted from a train and received by the network information system 21 . The train monitoring sub-system 21 broadcasts train data within the network information system 1 at regular intervals using a messaging subscription service.
The train monitoring sub-system 21 raises alerts and/or alarms when a train has not transmitted data in a timely manner, or if that data has become corrupted or if it is implausible.
The train monitoring sub-system 21 transmits train data to a route monitoring sub-system 22 within the network information system 20.
The network information system 20 also provides for the monitoring of hazards on the network through a hazard monitoring sub-system 23 within the network information system 20.
Hazards may, for example, include level crossings, legacy blocks, animals, debris or track workers. A hazard may be applicable to multiple routes and junctions. Each hazard as has a starting position and end position, for each route the hazard is applicable to. Each hazard occupies the entire junction in respect of every junction for which hazard is applicable.
A permanent hazard is one that is always present but is sometimes passable and sometimes blocked, such as a level crossing. A temporary hazard is one that is not a permanent feature of the railway and is added manually by an operator in a control centre or automatically by reports from a train.
All Hazards have a permissible speed associated with them. All hazards have a permitted direction associated with them to allow for hazards that are passable only in one direction. Hazards that are not passible shall be given permissible speed of zero. Hazards that are passible shall have a non-zero speed limit that is lower than the permanent speed limit for that route.
A hazard is either marked as ACTIVE, when it restricts the train, or CLEAR, when there is no restriction on the train.
An adhesion hazard is a special type of temporary hazard that triggers deployment of counter- measures on the train. An adhesion hazard may be generated by the train and reported to the hazards monitoring sub-system 23.
For subsequent trains, if no adhesion issues are encountered, the train reports the hazard has cleared. Three trains must report that the hazard has cleared before it is removed from the hazards monitoring sub-system 23.
Any train operating without an active Train Protection and Automation System must operate under verbal instruction from control centre personnel. The unprotected train is treated as a hazard for the length of route which it is authorised to travel along. The hazards monitoring sub-system 23 transmits data concerning any and all hazards within the network to the route monitoring sub-system 22.
The route monitoring sub-system 22 maintains a replica of the data of the trains and hazards on the route.
The route monitoring sub-system 22 broadcasts all route data over a communications network at a regular interval using a messaging subscription service within the network information system 20.
The route monitoring sub-system 22 receives date transmitted from the train monitoring subsystem 21 and the hazards monitoring sub-system 3.
The route monitoring sub-system 22 raises alerts and/or alarms when the train monitoring sub- system 21 and hazards monitoring sub-system 23 have not transmitted data in a timely manner, or if that data has become corrupted or implausible.
When a train is approaching a new route, it sends a request to the route monitoring sub-system 22 to request that it be monitored. The route monitoring sub-system 22 then makes a subscription request to the train monitoring sub-system 21 after which it receives updates of that train's data.
The train monitoring sub-system 21 monitors which routes of the network are currently subscribed to its updates. When a train has exited the route, the train monitoring sub-system sends a notification to the route monitoring sub-system 22 indicating to the route monitoring sub-system 22 that said train is no longer present on that route and the route monitoring subsystem 22 accordingly unsubscribes from said train's data.
For the purpose of clarifying the presence of a train on a specific route, the presence of the train is calculated using the following train positioning: • if a route contains only a worst-case forward position or emergency stopping point of a train, the route behind this point is assumed to contain the rest of the train; and · if a route contains only the worst-case rearward location of a train, the route ahead of this point is assumed to contain the rest of the train.
If the route monitoring sub-system 22 receives information or otherwise observes that a train is travelling faster than the permitted speed, or that a train passes a hazard that should not have been passed, it raises an alarm to control centre personnel and instructs the train to stop and for the train supervisor to intervene.
A governing or "watchdog" sub-system 24 included in the network information system 20 architecture which monitors for any sub-systems failing to perform effectively. This provides a further layer of protection against invalid or missing data.
External trains and traffic management systems subscribe to data from the route monitoring sub-system 22 in respect of specific routes of interest. This data is broadcast periodically from the network information system 20.
A secure gateway 25 ensures that only permitted trains and traffic management systems 26 can receive updates from the network information system 20.
The route data transmitted from the route monitoring sub-system 22 includes live data of all trains and hazards on that route including precise locations, speed, direction of travel and emergency stopping points.
In the event that transmission of status data has not been possible, the network information system 20 discards the data and transmits only the most up-to-date data on the next cycle. Any critical instructions such as "emergency stop" are repeated for as long as they are valid. A separate message broker system 27 is provided as an interface for other information systems. The message broker system 27 subscribes to all data available on trains, hazards and routes, in respect of the network information system 20.
The message broker system 27 manages subscription requests from other information systems and broadcasts data from the network information system 20 accordingly.
The network information system 20 provides a geospatial information model which has contextual information for each route including for example the route name, curvature, gradient, gauge, train compatibility classification, tilting sections, electrified sections, and features such as stations and platforms, tunnels. For characteristics that vary along the length of the route, the start and end kilometerage for each characteristic are defined.
A route is defined as a continuous section of track (a vertex) between two junctions (nodes), or to a physical end of a railway, which may be limited by buffer stops or another barrier (also a node). A route may vary in length from several meters to several thousand kilometres.
A route is identified by a country code as two ASCII characters stored as two bytes, and a 4- byte integer route unique identifier. For specific locales using alphanumeric route identifiers, a lookup table is used for user presentation.
A route has a datum kilometerage at the start of the route, and at the end of the route, and the node which that route is connected to at each end of the route.
Permanent hazards are denoted within the geospatial information model with a starting position and end position for a route.
A master geospatial information model 28 is formed as part of the network information system 20 to provide a "single-source of truth". A geospatial information model cache 29 is held on each train within the train protection and automation system 30 which provides information to the other sub-systems. The geospatial information model has a version number for the network interconnections, i.e. the makeup of routes and junctions. A train cannot proceed without its version number for network interconnections matching that of the master geospatial information model 28.
Each route and junction itself has a version number within the geospatial information model. A train cannot proceed to travel along a route or junction without its version number for that route or junction matching that of the master geospatial information model 28.
The train synchronises its geospatial information model cache 29 overnight whilst out-stabled or in the depot. However, if required a train may download updates to the geospatial information model whilst in service to allow for flexibility of trains and routes, for example for a train to take a diversionary route across a different network.
D. Train-borne system
A train-borne system 31 provides a system for the automatic safe control of a train based on the status of trains and hazards on a network.
Trains monitor their own speed and position through a train position and speed control subsystem 32. This consists of an integrated navigation system with an array of relative and absolute sensors, including for example without limitation, global navigation satellite systems receivers, communications-based assisted positioning, dead reckoning, tachometers, doppler radar, compass, and track-mounted transponders. These are integrated using an algorithm, such as Extended Kalman Filter, to give a dependable latitude, longitude, and speed to a determinable degree of accuracy.
The latitude and longitude position is integrated with train parameters for length and sensor configuration and combined with a static error correction parameter, real-time position error, and timeliness and accuracy error factors, to determine the worst-case forward and rearward locations of the train on the geospatial information model. The train determines its direction of travel as HIGH or LOW.
A determination of HIGH is found when the train is travelling from a low kilometerage to a high kilometerage. A determination of LOW is found when the train is travelling from a high kilometerage to a low kilometerage.
In the event that the train's position is found to be ambiguous, for example after the train has traversed a junction and is near other routes, its position is reconciled with the knowledge that the junction was correctly set for the train to travel across the junction. Where required to meet assurance cases, this may be augmented with beacons located along the railway to give absolute confirmation of the train's position.
The train position along a route is stored as a 32-bit (4-byte) fixed point number, scaled to three decimal places giving a resolution of 1 mm and maximum track length of 4,294.967296km sufficient to meet the needs of all known continuous lengths of track.
A train control sub-system 33 transmits data to the network information system 20 via radio communication. The data includes a minimum of a unique train identifier, worst-case rearward position, worst-case forward position, service braking target position, emergency braking target position, speed, direction of travel, and status.
This real-time data is transmitted on a regular frequency. The greater the frequency of transmission, the greater the capacity of the rail network as the data of the train position more accurately represents the proportion of the rail network occupied by the train by reducing unavailable parts of the network where the trains position hasn't yet updated.
If it has not been possible to transmit the data, the train discards the data and transmits only the most up-to-date data on the next cycle. The train receives a schedule of calling points given as target times and positions along the routes of the geospatial information model from the network information system 20, which itself receives them from a traffic management system 26.
The train includes a local scheduling and wayfinding sub-system 34 which uses an algorithm to evaluate the routes and junctions that should be traversed to reach the next calling point in the shortest amount of time.
The local scheduling and wayfinding sub-system 34 provides the train control sub-system 33 with the routes and junctions that the train must travel across to reach its stopping points.
The local scheduling and wayfinding sub-system 34 manages messages subscription requests and cancellations for route and junctions that the train is required to traverse in a timely manner.
The local scheduling and wayfinding sub-system 34 also monitors the train's speed and position along a route and determines the appropriate time when it should request control of a junction and raises the request accordingly to the network information system 20.
The train holds an electromechanical system dynamics model which describes generically how the train will accelerate and brake under idealised conditions using parameters such as for example, train speed, position, track curvature, gradient, permanent speed restrictions.
The electromechanical system dynamics model is adjusted based on the following factors:
• Train configuration data such as for example, length, load weight, and condition;
• Real-time sensor data such as for example, wheel slip/slide detection, environmental temperature, humidity; and
• Hazard data such as for example, temporary speed restrictions, adhesion levels, flooding. Trains determine their limit of safe movement across the routes and junctions defined by the local scheduling and wayfinding sub-system 34, based on the following data:
· route status, including positions and braking distances of other trains, and hazard positions and associated speed restrictions;
• junction status, whether it is under the trains control and has instruction to proceed;
• geospatial infrastructure model cache data, describing the characteristics of the route; and
· error factors, including processing time, actuation time, and communications lag.
The train calculates its emergency and service braking distances using the current dynamics model and an appropriate error margin for processing time, actuation time, and communications lag.
The train only moves if its worst case rearward position correlates with that received in the network information system 20. The network information system's worst case rearward position of the train, must be in rear of the train's worst case rearward position.
If a train is in a station area and the train has detected a hazard nearby with forward-facing sensors, or platform-train interface sensors, it shall not be proceed until the train supervisor confirms there is no hazard.
The train shall cease automatic driving and perform an emergency stop if it encounters a "Code Red" situation. The train will inform the train monitoring sub-system 21 in the network information system 20 that it is now in Code Red state. To resume from a Code Red situation, an authorisation code generated by the control centre must be entered on the train. Code Red scenarios include, without limitation:
· catastrophic loss of key safety functions of the train;
• emergency stop message from the control centre; • emergency stop message from train supervisor;
• impact with object (debris, suicide, road vehicle);
• derailment detected;
• the network information system 1 is no longer tracking train;
· loss of train integrity;
• loss of data integrity on train;
• corrupted data being received from network information system 1 for longer than 10 seconds;
• loss of authentication from Control Centre;
· new obstacle entering closed level crossing detected with forward-facing sensors;
• over-run of safe movement authority;
• door interlock failure in station area;
• obstacle detected within station area using forward-facing sensors;
• platform-train interface hazard detected.
The train shall drive to the next station and come to a stand if it encounters a Code Amber situation. The train will inform the train monitoring sub-system 21 in the network information system 20 that it is now in Code Amber state. To resume from a Code Amber situation, an authorisation code generated by the control centre must be entered on the train. Code Amber scenarios include, without limitation:
• health/security issue for passengers/staff;
• severe loss of key operational functions of the train;
• the network information system fails to update worst-case rearward position of the train;
• controlling the doors.
The traffic management system 26 defines which platform the train should stop at and the minimum length of time its doors should be open for. This is received by the train in the local scheduling and way-finding sub-system 34. The stopping point plan is generated from the local scheduling and way-finding sub-system 34 and communicated to the train control subsystem 33. When the train control sub-system 33 detects that the train has arrived at the stopping point with a reasonable degree of accuracy, the train control sub-system 33 determines which doors to open based on the length of the train, the length of the associated platform within the geospatial information model cache 29, and the side of the train on which the doors should open. The train control sub-system 31 communicates with a door controller interface within a train interface system 35 to open the doors.
The train control sub-system 31 continuously calculates its required driving profile to meet the next stopping point at the required time. If the train needs to depart from the station to comply with its stopping point timings, the train control sub-system 31 conducts checks to ensure the train has been at the station with the doors open for the required minimum amount of time and then either initiates its door-closure sequence, or waits for the remaining time to elapse before doing so.
If a train supervisor is present, the train supervisor receives a notification from the train control sub-system 31 when it is time to initiate the door closing sequence for the doors to be closed manually. If the train is operating without a train supervisor present, the train control subsystem 31 communicates with the door controller interface to close the doors. The door controller interface interacts with an obstacle detection system if one is present.
Once the train control sub-system 31 detects the doors are closed and locked, the train control sub-system 31 commences driving.
If the doors are detected to be unsecure within the station area, the train performs an emergency stop.
In the case of mechanical breakdown of the doors or door sensors, the train supervisor is permitted to override the door controller interface and manually confirm the doors are locked closed. If a train couples or uncouples the train consist information is changed within the train control system 31 to redefine the length of the train. This must be done by the train supervisor or the person in charge of the coupling/uncoupling operation.
After the consist information is updated, the train will not proceed until the control centre has been contacted to agree the status of the coupled/uncoupled rail vehicles to consider whether to define this as a hazard that should be recorded.
The control centre generates a confirmation code that must be entered on the train to authorise its autonomous operation. This could be manually entered or remotely transmitted to the train from the control centre.
Coupling and uncoupling operations should only be carried out in areas protected by lineside train detection systems such as Axle Counters and Track Circuits to ensure any unpowered rail vehicles are treated as a hazard.
This Axle Counter or Track Circuit protected section shall be defined as a permanent hazard with a nominal, proceed on-sight, speed limit, circa 10mph, when the section is entered.
Coupling and uncoupling shall be carried out with visual supervision, either through forward- facing sensors or a competent person governing the operation.
When a train identifier, and/or length, is changed the person in charge of the train will be prompted to confirm what the status of the remainder of the train is. If this train is unpowered then the control centre must define this to be a hazard.
Contextual information about the routes, included within the geospatial information model, is used by the train control sub-system 31 to determine in which areas special functions must be performed such as for example without limitation: • raising/lowering the pantograph;
• tilting the train laterally left or right or un-tilting; and
• sounding the horn/whistle. Adhesion hazards are a special classification of hazard in the hazard monitoring sub-system 23 within the network information system 20.
In the event that the train control sub-system 31 is informed of the adhesion hazards by the network information system 20, the train control sub-system 31 requests sand/de-icer spreading where appropriate.
Traction and brake controllers inform the train control sub-system 31 when adhesion issues are encountered. The hazard is reported to the network information system 1 and the train control sub-system 31 requests sand/de-icer spreading as appropriate.
If a train passes through an adhesion hazard, without encountering adhesion issues, the train control sub-system 31 informs the hazard monitoring sub-system 23.
After three trains have detected no adhesion issues, the hazard will be cleared within the hazard monitoring sub-system 23.
The train position and speed monitoring sub-system 10 includes an impact detection system, to detect sudden vertical or lateral acceleration in conjunction with a rapid longitudinal deceleration.
The train position and speed monitoring sub-system 32 will inform the train control sub-system 21 that derailment has been detected and initiate and emergency stop which will trigger a Code Red alert to be sent to the control centre.
E. Junction Controller A junction controller sub-system 36 within the network information system 20 provides a system for the control of railway junctions on a bi-directional moving-block train control system.
When a train determines that it needs to traverse a junction, it subscribes to updates of that junction's status from the junction controller sub-system 36.
When the junction is not under the control of any train, the train requests from the junction controller sub-system 36 that the junction is set for that train to the direction which it wishes to travel.
The junction controller sub-system 36 periodically receives a prioritised list of trains to traverse the junction from the traffic management system 26.
If the train making the request is the next in the list received from the traffic management system 26, and the junction is not under the control of any other train, a message is sent from the junction controller sub-system 36 to the train advising the train that it now has control of the junction.
If the train making the request is not next in the list received from the traffic management system 26 a message is sent from the junction controller sub-system 36 to the train denying control of the junction to the train.
If the junction controller sub-system 36 has no list from the traffic management system 26 then it permits control on a first-come-first-served basis.
The moving of the junction is forbidden if it creates a situation where two trains could be travelling head-on towards each other. The train requests a route to be set with an IN route and an OUT route. The junction controller sub-system 15 checks against a lookup table to ensure the IN and OUT combination is valid. This lookup table is preconfigured during installation.
If the combination is found to be valid, the junction controller sub-system checks the direction of travel currently associated with the entry and exit routes to mitigate against head-on routing of trains. This is done by each route having a direction parameter within the route monitoring sub-system 22 of the network information system 20.
The direction parameter is mapped onto IN and OUT directions for that Junction. The IN and OUT directions are checked in control tables to ensure that the route is allowed.
If the direction parameter for a route aligns with the IN and OUT directions mapped on to the lookup table, then there is no routing conflict to prevent the junction being set. If the direction parameter for a route does not align with the IN and OUT directions mapped on to the lookup table, then there is a routing conflict.
In the event that there is a routing conflict, the junction controller sub-system 36 makes a request to the route monitoring sub-system 22 to reverse the route direction of the conflicting route direction. On receipt of the request, the route monitoring sub-system 22 checks to make sure that all trains on that route are stationary and reverses its direction parameter. The direction parameter is restricted for 60 seconds to give sufficient time for the junction to set using a direction restriction parameter recording the junction identification and time. 60 seconds is chosen as being deemed adequate time for the train to extend its braking distance into the route which gives permanence to the direction of travel parameter.
The junction controller sub-system 36 monitors the route monitoring sub-system 22 for the direction parameter to be updated and once it is updated the conflict checking takes place again to confirm there is no routing conflict.
In the case of complex junction layouts, setting the state of a junction may be dependent on another junction being set in a certain state. This dependency is configured within the lookup tables. Where this occurs, the junction, rather than the train, submits a request for that junction to be set to a preconfigured state. This may be done without conflict checking as it is not expected that the junction will be traversed by the original requesting train.
When the original junction receives confirmation that the dependency junction has been correctly set, there is deemed to be no routing conflict.
The junction controller sub-system 36 sends a request to the lineside equipment that the junction be set to a certain state - typically called NORMAL or REVERSE. Once the junction is confirmed to be set in the correct direction, the train is given a PROCEED message. The PROCEED message repeats on a regular interval for as long as the junction is set for the train.
The junction controller sub-system 36 subscribes to updates from the routes from the route monitoring sub-system 22 and through this it monitors the worst-case rearward position of the train in control of the junction. It may otherwise do this by subscribing to updates from the train monitoring sub-system 21.
Once the worst-case rearward position of the train is on the OUT route, a safe distance beyond the junction, the junction is deemed to be clear. The junction controller sub-system 15 then terminates the transmission of the periodic PROCEED message to the train and revokes the control status for that train over the junction.
The junction controller sub-system 36 notifies the route monitoring sub-system 22 that the direction restriction parameter may be released.
The junction controller sub-system 36 then sets its status to be READY FOR REQUEST.
A train waiting to traverse the junction subscribes to updates from the junction controller sub- system and sees its status change to be READY FOR REQUEST and then submits its request for control. Ground frame controlled junctions are a permanent hazard within the hazard monitoring system 23 without any automatic supervision.
The Ground frame hazard is CLEAR when set in its normal positon. To operate the ground frame, the hazard must be set to ACTIVE within the control centre. The train may only be manually driven over the Ground frame without any automatic protection.
The ground frame hazard may only be reset to CLEAR once it is confirmed by the control centre that the train has completely passed the ground frame and that it is locked in the normal position.
Under scenarios where points operating equipment is failed, it may be necessary for trackside personnel to manually control and lock the points.
An override for the interface to lineside points operating and detection equipment 37 is provided for the control centre personnel to manually confirm that the junction is set and locked for an authorised route. An override to the route direction parameter is also provided to support this.
F. Level Crossing Controller
A level crossing controller sub-system 38 within the network information system 20 provides a system for managing the interface between the highway and railway to make sure the railway is clear of hazards for trains to cross the highway.
The level crossing controller sub-system 38 ensures that the level crossing is secured either open or closed, to provide that information to the train. A level crossing is OPEN when traffic and pedestrians are permitted to traverse across the level crossing and therefore trains cannot traverse across the level crossing.
A level crossing is CLOSED when traffic and pedestrians are not permitted to traverse across the level crossing and therefore trains are able to traverse across the level crossing.
A level crossing is a permanent hazard and has pre-configured start positions and end positions along the specific routes to which it is associated. This is defined within a configuration file for the level crossing controller sub-system 38.
When a level crossing is OPEN, the hazard status is ACTIVE and this is communicated to the hazards monitoring sub-system 23.
The level crossing controller sub-system 38 subscribes to updates from the route monitoring sub-system 22 for the routes which it is associated with.
The level crossing controller sub-system 38 has pre-defined activation distances for trains travelling at different speeds. The level crossing controller sub-system 38 monitors for approaching trains along the routes and when a train at a speed crosses an activation distance it commences the level crossing operation procedure.
To confirm the level crossing is clear of any obstacles, the level crossing controller sub-system is configured to request a check for obstacles in a variety of ways, depending upon the type of crossing and obstacle detection equipment available:
• lineside obstacle detection equipment 37;
• lineside personnel in-charge of the crossing;
• control centre personnel using CCTV monitoring equipment;
• train-borne confirmation via forward facing sensors; or
· train-borne confirmation via a train supervisor. Once it is determined that the level crossing is clear, the closure sequence is carried out. If required, a second obstacle check is carried out once the level crossing has been confirmed closed.
The level crossing hazard status is communicated to the hazards monitoring sub-system 23, clearing the hazard.
Once the level crossing controller sub-system 38, monitoring the route status from the route monitoring sub-system 22, observes that crossing is clear of trains, and no other trains are approaching within a pre-determined "next train approaching" time, the hazard status for the level crossing is set to ACTIVE within the hazards monitoring sub-system 23.
The level crossing controller sub-system 38 monitors its hazard status within the route monitoring sub-system 22. Once it has observed that the route monitoring sub-system correctly represents the ACTIVE hazard status, the procedure to open the level crossing is initiated.
A delay timer is activated within the level crossing controller sub-system 38 to ensure the level crossing remains open to road traffic for a pre-determined amount of time to avoid risks of level crossing misuse on highly utilised routes.
G. Legacy Signalling Systems Monitoring
A legacy signalling systems monitoring sub-system 39 the network information system 20 provides a system for integrating legacy fixed-block signalling assets into a continuous moving-block train control system.
Legacy signalling systems refer to fixed block signalling principals. In a fixed block signalling system the status of whether a train can enter a route is communicated via colour-light or mechanical semaphore signals.
The status of the colour-light or semaphore signals from interlocking data is converted into a hazard status:
• ACTIVE - when it is not permitted for a train to pass the signal, such as a Red signal aspect;
• CLEAR - when a train is permitted to pass the signal, such as a Yellow or Green signal aspect.
The block which the signal controls is a permanent hazard. The hazards monitoring subsystem 3 subscribes to updates about this hazard.
The hazard has a start position along a route mapping onto to the entry point for the fixed block protected by the signal, and a nominal length of 1 m to act as a barrier across the railway.
A legacy signalling hazard will typically only apply to one direction, such that a train will ignore it if travelling in the opposite direction. This is to allow for bi-directional signalling.

Claims

1 . A safety system for trains travelling on a train network, the system having: means to communicate with a plurality of independent sub-systems each relating to a specific control part of the train network; means to collate, categorise and publish information updates concerning a particular topic received from a sub-system; means to communicate with a train travelling on the network in such a way that the train is able subscribe to update information published by the system in respect of a selected topic; means to communicate with the train in order to receive periodic updates concerning the status of the train on the network; and means to publish information concerning the train status to any subscriber of said information.
2. A safety system according to claim 1 , wherein a sub-system consists of a route monitoring system which maintains a record of all trains and hazards currently on a route of a the network and wherein the sub-system provides the recorded information to the safety system for publication to any subscriber of said information.
3. A safety system according to claim 1 or claim 2, wherein a sub-system consists of a hazard monitoring system which maintains a record of locations of hazards on a route of the network and permissible speeds of a train transiting past said hazards and wherein the sub-system provides the recorded information to the safety system for publication to any subscriber of said information.
4. A system according to any one of claims 1 to 3, wherein a train travelling on the network as access to a map that includes a unique reference for each route and wherein said unique reference is used to subscribe and unsubscribe to updates concerning a particular topic received from a sub-system on that route.
5. A system for continuous control of trains over a train network, the system comprising a network information system that is in continuous communication with an on-board communication system of a train travelling through said network; wherein the train- borne communication system transmits to the network information system data concerning the train identification, position, speed, direction of travel and status; and wherein the network information includes means to monitor routes and hazards within the network and transmits information concerning relevant routes and hazards to the train-borne communication system.
6. A system according to claim 5, wherein the network information system includes a train monitoring sub-system which produces and maintains a replica copy of the data transmitted from a train and received by the network information system.
7. A system according to claim 5, wherein the train monitoring sub-system broadcasts train data within the network information system at regular intervals using a messaging subscription service.
8. A system according to claim 6 or claim 7, wherein the train-monitoring sub-system raises alerts and/or alarms when a train has not transmitted data in a timely manner, or if that data has become corrupted or if it is implausible.
9. A system according to any one of claims 6 to 8, wherein the train-monitoring subsystem transmits train data to a route monitoring sub-system 4 within the network information system.
10. A system according to any one of claims 5 to 9, further comprising a hazard monitoring sub-system for the monitoring hazards on the network through within the network information system.
1 1 . A system according to claims 10, wherein the hazard monitoring sub-system transmits data concerning hazards to the route monitoring sub-system.
12. A system according to claim 1 1 , wherein the route monitoring sub-system maintains a replica of the data of the trains and hazards on the route.
13. A system according to claim 12, wherein the route monitoring sub-system broadcasts all route data over a communications network at a regular interval using a messaging subscription service within the network information system 1 .
14. A system according to any preceding claim, further comprising a junction controller sub-system to provide control of railway junctions on bi-directional moving-block train control system.
PCT/EP2018/061932 2017-05-08 2018-05-08 A decentralised communications based train control system Ceased WO2018206610A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1707347.9 2017-05-08
GBGB1707347.9A GB201707347D0 (en) 2017-05-08 2017-05-08 A system and apparatus for decentralised continuous train control

Publications (1)

Publication Number Publication Date
WO2018206610A1 true WO2018206610A1 (en) 2018-11-15

Family

ID=59065522

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/061932 Ceased WO2018206610A1 (en) 2017-05-08 2018-05-08 A decentralised communications based train control system

Country Status (2)

Country Link
GB (2) GB201707347D0 (en)
WO (1) WO2018206610A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110203258A (en) * 2019-05-29 2019-09-06 江苏飞梭智行设备有限公司 A method of it improving vehicle and enters special area efficiency
CN110304116A (en) * 2019-07-05 2019-10-08 上海电气泰雷兹交通自动化系统有限公司 A Wayside Controller Provides Envelope Protection for Lost Position Trains
CN115242768A (en) * 2022-06-30 2022-10-25 南京南瑞继保电气有限公司 Data forwarding method and device for subway comprehensive monitoring system and storage medium
CN115285180A (en) * 2022-07-22 2022-11-04 交控科技股份有限公司 Safety protection setting method and device for freight train
EP3976441A4 (en) * 2019-05-31 2023-01-25 Hitachi, Ltd. CONTROL SYSTEM, CONTROL DEVICE AND CONTROL METHOD
WO2024101293A1 (en) * 2022-11-10 2024-05-16 株式会社日立製作所 Data management apparatus, data management system, and data management method
JP2024070147A (en) * 2022-11-10 2024-05-22 株式会社日立製作所 Data management device, data management system and data management method
JP2024070142A (en) * 2022-11-10 2024-05-22 株式会社日立製作所 Data management device, data management system and data management method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020062181A1 (en) * 2000-11-22 2002-05-23 Polivka Alan L. Advanced communication-based vehicle control method
WO2006097788A1 (en) * 2005-03-14 2006-09-21 Mp S.R.L. Communication, monitor and control apparatus, and related method, for railway traffic
WO2008096048A1 (en) * 2007-02-07 2008-08-14 Siemens Transportation Systems S.A.S. Anticollision control system for a vehicle
US20110172856A1 (en) * 2010-01-08 2011-07-14 Wabtec Holding Corp. Short Headway Communications Based Train Control System

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19832594C2 (en) * 1998-07-09 2002-10-24 Siemens Ag Optimized communication system for radio-based traffic services
WO2014011887A1 (en) * 2012-07-11 2014-01-16 Carnegie Mellon University A railroad interlocking system with distributed control
US9718487B2 (en) * 2014-02-18 2017-08-01 Nabil N. Ghaly Method and apparatus for a train control system
BR112016022830B1 (en) * 2014-12-01 2023-02-14 Westinghouse Air Brake Technologies Corporation PROTECTION METHOD AND SYSTEM FOR A MULTITUDE OF TRAINS
US11021178B2 (en) * 2015-10-24 2021-06-01 Nabil N. Ghaly Method and apparatus for autonomous train control system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020062181A1 (en) * 2000-11-22 2002-05-23 Polivka Alan L. Advanced communication-based vehicle control method
WO2006097788A1 (en) * 2005-03-14 2006-09-21 Mp S.R.L. Communication, monitor and control apparatus, and related method, for railway traffic
WO2008096048A1 (en) * 2007-02-07 2008-08-14 Siemens Transportation Systems S.A.S. Anticollision control system for a vehicle
US20110172856A1 (en) * 2010-01-08 2011-07-14 Wabtec Holding Corp. Short Headway Communications Based Train Control System

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110203258B (en) * 2019-05-29 2021-06-11 江苏飞梭智行设备有限公司 Method for improving efficiency of vehicle entering special area
CN110203258A (en) * 2019-05-29 2019-09-06 江苏飞梭智行设备有限公司 A method of it improving vehicle and enters special area efficiency
EP3976441A4 (en) * 2019-05-31 2023-01-25 Hitachi, Ltd. CONTROL SYSTEM, CONTROL DEVICE AND CONTROL METHOD
AU2019447961B2 (en) * 2019-05-31 2023-07-13 Hitachi, Ltd. Train control system, train control device, and train control method
CN110304116B (en) * 2019-07-05 2021-06-11 上海电气泰雷兹交通自动化系统有限公司 Method for providing envelope protection for lost position train by trackside controller
CN110304116A (en) * 2019-07-05 2019-10-08 上海电气泰雷兹交通自动化系统有限公司 A Wayside Controller Provides Envelope Protection for Lost Position Trains
CN115242768A (en) * 2022-06-30 2022-10-25 南京南瑞继保电气有限公司 Data forwarding method and device for subway comprehensive monitoring system and storage medium
CN115285180A (en) * 2022-07-22 2022-11-04 交控科技股份有限公司 Safety protection setting method and device for freight train
CN115285180B (en) * 2022-07-22 2024-05-10 交控科技股份有限公司 Safety protection setting method and device for freight train
WO2024101293A1 (en) * 2022-11-10 2024-05-16 株式会社日立製作所 Data management apparatus, data management system, and data management method
JP2024070147A (en) * 2022-11-10 2024-05-22 株式会社日立製作所 Data management device, data management system and data management method
JP2024070142A (en) * 2022-11-10 2024-05-22 株式会社日立製作所 Data management device, data management system and data management method
JP7796001B2 (en) 2022-11-10 2026-01-08 株式会社日立製作所 Data management device, data management system and data management method

Also Published As

Publication number Publication date
GB2566573A (en) 2019-03-20
GB201807500D0 (en) 2018-06-20
GB201707347D0 (en) 2017-06-21

Similar Documents

Publication Publication Date Title
WO2018206610A1 (en) A decentralised communications based train control system
AU2002242170B2 (en) Advanced communication-based vehicle control method
US20220185350A1 (en) Quasi-moving block system of train control
US9340220B2 (en) Systems and methods for management of crossings near stations
US8783626B2 (en) Light rail vehicle monitoring and stop bar overrun system
EP2720927B1 (en) Control of automatic guided vehicles without wayside interlocking
AU2002242170A1 (en) Advanced communication-based vehicle control method
US5740046A (en) Method to control in a track traffic system moving units, device for effecting of such control and process for installation of the device
EP3061666B1 (en) Signalling system for a railway network and method for the full supervision of a train realised by such a signalling system
US20140361126A1 (en) Systems and method for controlling warnings at vehicle crossings
EP3235706B1 (en) Method for initializing the fs mode for the movement of a train on a railway equipped with an ertms/etcs signaling system
WO2017010245A1 (en) Train and signal security system
CA3147820A1 (en) Method for controlling a train within a train control system, and train control system
CN107848549B (en) System and method for personnel evacuation of rail vehicles
DE102005042218A1 (en) Railway collision warning system, carried in the rail vehicle, has a transceiver to transmit and receive data packets of other trains for the control unit to determine collision risks together with its own data unit
AU2023263425B2 (en) Train control systems with hazard management and associated methods
CN119611472A (en) Train operation control method, device, equipment, storage medium and program product
Hann Incremental train control system
Schnieder Main Functions of Automatic Train Control Systems
CN105612094B (en) Prograde orbit design description
JP2000289615A (en) Position error elimination system for output results of on-vehicle position detection device and ground position detection device
Üyümez et al. Drone-Assisted Flying Ad-Hoc Networks for Mitigating Communication and Sensor Failures in Fully Automated Train Operations
JP2024050239A (en) On-board device
ZA200210165B (en) Advanced communication-based vehicle control method.
Steo et al. INFORMATION/COMMUNICATION BASED TRAIN CONTROL: presented at Institution of Civil Engineers Conference Innovation in the Railway System Basel Switzerland December 5, 1996

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18728310

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18728310

Country of ref document: EP

Kind code of ref document: A1