WO2025011769A1 - Method for checking and updating computing instances of rail vehicle - Google Patents

Abstract

The invention comprises the following subject matter: a method for checking computing instances (RI) of rail vehicles, wherein programs installed on the computing instances (RI) and/or configurations stored in the computing instances (RI) are checked, of said rail vehicles, a first rail vehicle (FZ1), which is a locomotive (LV) or a goods carriage (GW), forms a coupled vehicle group (FV) with at least one second rail vehicle (FZ2), which is a goods carriage (GW), the computing instances (RI) in the vehicle group (FV) are checked by the first rail vehicle (FZ1), a communication connection is established between the computing instance (RI) of the first rail vehicle (FZ1) and the computing instance (RI) at least of the second rail vehicle (FZ2) via a first interface (S1), the computing instance (RI) of the first rail vehicle (FZ1) receives, via the communication connection, data from at least the computing instance (RI) of the second rail vehicle (FZ2) about the software properties of the programs and/or stored configurations present on the rail vehicles concerned, on the basis of the received data a message is generated which relates to an up-to-dateness of the software properties and/or configurations and the validity of a digital certificate for operation of the programs. On the basis of this message, a simple software update can also be performed advantageously for goods carriages (GW). The invention also relates to a goods carriage (GW) and locomotive (LV), and to a computer program.

Description

Description

PROCEDURE FOR CHECKING AND UPDATING COMPUTING INSTANCES OF RAIL VEHICLES

technical field

The invention also includes the following subject matter: a method for checking computing instances of rail vehicles. The invention also includes the following subject matter: a locomotive. The invention also includes the following subject matter: a freight car. The invention also includes the following subject matter: a computer program. The invention also includes the following subject matter: a computer-readable storage medium.

Technical Background

According to the state of the art, it is known that communication between freight wagons should be improved. For this purpose, the digital automatic coupling (DAK) is being developed in Europe, which, among other things, also provides a communication interface so that the freight wagons can communicate with each other by coupling them to one another and to a locomotive via cable.

The digital automatic coupling is currently being tested. Vehicle groups consisting of locomotives and freight wagons and coupled to one another via the digital automatic coupling have hardware that forms a computing instance on each freight wagon and on the locomotive. The hardware therefore has at least one computer, also known as an onboard unit (OBU) per vehicle, on which the necessary software is installed in the form of programs. These programs must be kept up to date, with updates being carried out manually by employees of the Test project directly with the computers to be updated. Each freight car forms an independent unit, as required by the standards IEC 61375-1 and IEC 61375-2-5. The Ethernet Train Backbone (ETB) is to be provided as the software protocol for communication between the locomotive and freight car and the freight car itself. An alternative is the Wire Train Bus (WTB).

The problem that arises from the state of the art described above is that the functionalities implemented on the freight wagons must be implemented with different requirements for operational safety. For this purpose, safety management must be able to be carried out reliably. This also includes updates to the software and digital certificates that regulate access to the software and prevent unauthorized external influence.

Software updates on passenger trains are generally known and are carried out in xMUs (so-called motor units, also called multiple units), where they can be performed at xMU level. These software updates are only carried out in certain modes, i.e. the xMU (or at least the system to be updated) is brought into a certain state (e.g. maintenance mode) in which the update can be carried out safely. Before the xMU is put back into operation, the validity and correct functioning of the newly installed software is checked so that safe operation is possible. The fully updated xMU can then be put back into operation.

However, this technology cannot be easily transferred to the updating of freight trains. Another problem arises from the fact that freight wagons are as passenger trains are recombined in rapid succession during operation, for example on processing systems. This makes it difficult to keep the software of a specific freight train (vehicle combination) up to date, as new combinations of freight wagons (i.e. other vehicle combinations) are constantly appearing. On the other hand, it can happen that a freight wagon is not in use for a long time. If such a freight wagon is put back into operation, there is a risk that the software available for this freight wagon is out of date.

Summary of the Invention

The object of the invention is to resolve the problems described in the prior art. In particular, it is the object to provide a method for checking computing instances of rail vehicles, which is suitable for the operation of freight wagons and at the same time can be implemented with high efficiency. Furthermore, it is the object of the invention to provide a locomotive or a freight wagon with which the method can be implemented. Finally, it is the object of the invention to provide a computer program or a computer-readable storage medium which is suitable for carrying out the method mentioned.

According to a first aspect of the invention, a method is described for checking computing instances of rail vehicles, wherein a) programs installed on the computing instances and/or configurations stored in the computing instances are checked, b) of these rail vehicles, a first rail vehicle, which is a locomotive or a freight car, forms a coupled vehicle assembly with at least one second rail vehicle, which is a freight car. To avoid misunderstandings, it should be noted at this point that individual claim features are numbered using small Latin letters without taking the claim numbering into account. This means that each letter only appears once in the entire set of claims, which enables the relevant claim features to be clearly addressed without mentioning the claim number. For this reason, however, the order of the letters is not important.

The first rail vehicle can be a locomotive or a freight car. The first rail vehicle does not have to be at the front of the vehicle convoy. The first rail vehicle is only defined by its property that the inventive method for checking is carried out by this first rail vehicle. The vehicle convoy is formed by the first rail vehicle and at least one other rail vehicle, namely the second rail vehicle. However, the vehicle convoy can of course also have other rail vehicles, i.e. a third rail vehicle, a fourth rail vehicle and so on, which fulfill the same function as the second rail vehicle within the meaning of the invention.

According to the invention, the checking of the computing instances in the vehicle assembly is carried out by the first rail vehicle, whereby c) a communication connection is established between the computing instance of the first rail vehicle and the computing instance of at least the second rail vehicle (if applicable, also of other rail vehicles) via a first interface, d) the computing instance of the first rail vehicle is monitored via the communication connection by at least the computing instance of the second rail vehicle (if applicable, also of other rail vehicles) receives data on the software properties of the programs and/or stored configurations existing on the rail vehicles concerned, e) on the basis of the data received, a message is generated concerning the up-to-dateness of the software properties and/or configurations as well as the validity of a digital certificate for the operation of the programs.

The programs to be checked consist of applications that are to be executed on the rail vehicle. The programs can be installed on a computer that is made available to the computing instance of the rail vehicle in question. The configurations to be checked can be hardware configurations or software configurations. Hardware configurations are understood to be specifications that relate to the hardware, for example which hardware components the computing instance consists of and/or how the computing instance uses the hardware available to it. Software configurations are understood to be specifications that regulate the operation of the program in question. These are, for example, specifications that define or influence the execution of the program in question. The configurations are preferably stored as configuration data and the programs are preferably stored as program data on a storage unit used by the computing instance in question.

One advantage of the invention is that the method for checking the computing instances can be used to determine at any time whether a vehicle combination consisting of freight wagons, which may also include a locomotive, is ready for operation. This addresses the problem that vehicle combinations consisting of freight wagons are separated and reassembled much more frequently than is the case with passenger cars. is. Therefore, there is a high probability that by combining new vehicle convoys, freight wagons will be combined that are equipped with different versions of programs and different certificates for their operation. Due to the inventive generation of a message relating to this information, it is advantageously possible to quickly determine whether the different versions of the programs or configurations of these programs and the computing instances used on the freight wagons are compatible with one another and thus whether the functionalities provided by the computing instances are available for the vehicle convoy in question. If this is not the case, further measures must be carried out before the vehicle convoy in question is used (more on this below). For example, railway staff could specifically update only freight wagons that would otherwise not be able to operate in the vehicle convoy in question. This saves the railway staff's working time, which is why the inventive method contributes to increasing rail-bound freight transport.

The generated message concerns the currentness of the software properties. The software properties are determined, for example, by the version of the program installed on the computing instance. It is possible that the program in a computing instance does not correspond to the current version, but is compatible with the current version and therefore does not interfere with the functionalities that are to be implemented in the vehicle group. In this case, updating the program would be optional. However, if certain functionalities of the computing instance in question cannot be implemented within the vehicle group, updating the program is a mandatory requirement for implementing these functionalities in the computing instance in question. The message also concerns the validity of a digital certificate for the operation of the programs. Certificates can be used to increase operational safety (safety) when running the programs. It can be ensured that a certain program is only used for the intended purpose. A certificate can also improve security against external attacks (security). The message can therefore be used to determine whether the prerequisite for the safe operation of the vehicle group is met or not.

A device is computer-aided or computer-implemented if it has at least one computer or processor, or a method if at least one computer or processor carries out at least one method step of the method.

A computing environment is an IT infrastructure consisting of components such as processors, storage units, programs and data to be processed with the programs, which are used to execute at least one application that has to perform a task. The IT infrastructure can also consist of a network of the above-mentioned components.

Computing instances (or instances for short) form functional units within a computing environment that can be assigned to applications (given, for example, by a number of program modules) and can execute them. When the application is executed, these functional units form self-contained systems, physically (e.g. computer, processor) and/or virtually (e.g. program module).

Computers are electronic devices with data processing capabilities. Computers can be, for example, clients, servers, handheld computers, These can be communication devices and other electronic devices for data processing, which can have processors and storage units and can also be connected to a network via interfaces.

Processors can be, for example, converters, sensors for generating measurement signals or electronic circuits. A processor can be a central processing unit (CPU), a microprocessor, a microcontroller or a digital signal processor, possibly in combination with a memory unit for storing program instructions and data. A processor can also be understood as a virtualized processor or a soft CPU.

Storage units can be implemented as computer-readable memory in the form of a main memory (Random-Access Memory, RAM) or data storage (hard disk or data carrier).

Program modules are individual software functional units that enable a program sequence of method steps according to the invention. These software functional units can be implemented in a single computer program or in several computer programs that communicate with each other. The interfaces implemented here can be implemented in software within a single processor or in hardware if several processors are used.

Interfaces can be implemented in hardware, for example as a wired or wireless connection, or in software, for example as an interaction between individual program modules of one or more computer programs. According to a further aspect of the invention, a locomotive with a computer and a first interface is described. The locomotive is suitably prepared with its computer for carrying out the method. According to a variant, the aspects of the invention explained above are determined by the fact that the computer is set up to carry out a method according to one of the preceding claims. When using the locomotive, the advantages described in connection with the method according to the invention are achieved.

According to a further aspect of the invention, a freight car with a computer and a first interface is described. The freight car and its computer are suitably prepared for carrying out the method. According to a variant, the aspects of the invention explained above are determined by the fact that the computer is set up to carry out a method according to one of claims 1-11. When the freight car is used, the advantages described in connection with the method according to the invention are achieved.

According to a further aspect of the invention, a computer program is described, comprising program instructions which, when the program is executed by the locomotive or by the freight car, cause a computer to carry out the method described here.

According to the invention, a computer program containing program modules is described with program instructions, whereby the method according to the invention and/or its embodiments can be carried out by means of the computer program and the described advantages are achieved with the implementation. According to a further aspect of the invention, a computer-readable storage medium is described on which the computer program product described above is stored.

Furthermore, according to a further aspect of the invention, a provision device for storing and/or providing the computer program in the form of a computer-readable storage medium is described. The provision device is, for example, a storage unit that stores and/or provides the computer program. Alternatively or additionally, the provision device is a network service, a computer system, a server system, in particular a distributed, for example cloud-based computer system or virtual computer system, which stores the computer program on a computer-readable storage medium and preferably provides it in the form of a data stream.

The provision takes place in the form of program data sets as a file, in particular as a download file, or as a data stream, in particular as a download data stream, of the computer program.

The computer program is transferred into a computing environment, for example, using the provision device, so that the method according to the invention can be carried out in a computing instance of this computing environment.

General embodiments of the invention

Variants describing further developments of the invention are explained below without limiting the basic idea of the invention.

According to a variant, the aspects of the invention explained above are determined by f) in addition to the programs installed on the computing instances and/or the configurations stored in the computing instances, at least one computer forming the computing instance is checked, g) the computing instance of the first rail vehicle receives data about the hardware properties of the at least one computer on the relevant rail vehicles via the communications connection from at least the computing instance of the second rail vehicle (if necessary also from other rail vehicles), h) on the basis of the data received, a message is generated concerning the up-to-dateness of the hardware properties and the validity of a digital certificate for the operation of the at least one computer.

Since the computing instances in the locomotive or in the freight cars must be independent of one another, each freight car or each locomotive must have at least one computer that forms the hardware environment for the computing instance. This hardware environment, which can also consist of several computers and/or processors and/or sensors, must therefore meet minimum requirements so that the method according to the invention can be carried out. Hardware components can be defective or even become obsolete due to technical progress.

If the computer is also tested using the method according to the invention, it is advantageously possible to determine the hardware requirements for carrying out the method according to the invention on the relevant freight wagon or locomotive. Outdated hardware can mean that it is not possible to carry out the method according to the invention. This can be determined, for example, based on the validity of digital certificates for the operation of the computer. The generated message can be evaluated in this regard and, in case of doubt, provides Information about why the procedure cannot be carried out on a particular vehicle combination. The reason can be determined even if there are problems with the hardware rather than the software.

According to a variant, the aspects of the invention explained above are determined in that the first interface is formed by a wire train bus or Ethernet train backbone.

These are advantageously the standardized communication interfaces already mentioned above, which advantageously simplifies the possibility of implementing the method according to the invention in existing systems.

According to a variant, the aspects of the invention explained above are determined in that the first rail vehicle and at least the second rail vehicle are coupled to one another via a digital automatic coupling.

As already mentioned, digital automatic coupling will, at least in Europe, enable communication between freight wagons and the locomotive in the foreseeable future. It is particularly advantageous to embed the process in a communication infrastructure provided by the freight wagons and the locomotive.

According to a variant, the aspects of the invention explained above are determined in that the first rail vehicle i) carries out an update of the software in the computing instance of at least the second rail vehicle in the event that the software version is not up to date and/or j) carries out an update of the certificate in the computing instance of at least the second rail vehicle in the event that a certificate cannot be verified. The first rail vehicle must meet the technical requirements for updating the software or certificate. This requires at least that the first rail vehicle has the data and rights required for an update. For this purpose, the data and rights required for this must either be stored in the computing instance used in the first rail vehicle or be able to be requested from it (more on this below).

The option that the first rail vehicle can update other rail vehicles, such as the second rail vehicle (in terms of both the software version and the certificates), creates the possibility that vehicle groups whose rail vehicles have inconsistent software versions and certificates can be brought to a uniform version and/or certificate level. In particular, rail vehicles whose software version is outdated, particularly because it is no longer suitable for use due to a lack of compatibility with newer versions, or whose certificates have expired, can be functionally integrated into the vehicle group after the update, without operating personnel having to manually update the affected freight wagons. This advantageously increases the cost-effectiveness of rail-based freight transport. It is particularly advantageous if all rail vehicles are brought up to the latest applicable version. However, this is not absolutely necessary if there is compatibility between different versions (more on this below).

According to a variant, the aspects of the invention explained above are determined in that the first vehicle has a second interface via which update data for updating the software or updating the certificate can be obtained from a server. In other words, the second interface enables the first vehicle, which is capable of updating certificates or software, to request current versions of the software or certificates from a central server. This is preferably possible if the first vehicle is a locomotive. The locomotive's computing instance usually also contains interfaces via which data can be transferred from outside.

However, it is also possible to equip freight wagons with additional hardware so that they can form a second interface. In this case, it is not necessary for all freight wagons in a vehicle convoy to be able to use this additional option. It is only necessary that one of the freight wagons in a vehicle convoy can use a second interface. This will advantageously always have the option of having the latest software and the latest certificates available by using the second interface and is therefore always suitable in a vehicle convoy to be the first rail vehicle to carry out the method according to the invention.

This has the advantage that the current software and the current certificates for a vehicle group can be made available at any time via the second interface. If the first rail vehicle is formed by a freight wagon, there is also the advantage that a vehicle group can also be updated when it is not currently coupled to a locomotive. For example, vehicle groups that have been put together in a processing system can be updated on the directional track while they are waiting to be pulled out of the directional track by a locomotive. If the locomotive couples the vehicle group on the directional track at a later point in time, it is then already updated and is immediately available. fully operational. This saves time, which improves the economic efficiency of the process according to the invention.

According to a variant, the aspects of the invention explained above are determined in that a freight wagon is selected as the first rail vehicle in the vehicle convoy, wherein before the selection it is checked whether the programs installed on the computing instances can be executed and the digital certificates are valid.

In order for the first rail vehicle to be able to check the other rail vehicles and update them if necessary, it is necessary for the first rail vehicle to have executable software and a valid certificate. Both can then be transferred to other rail vehicles as part of an update if necessary. This does not have to be the latest software and the latest certificates. Older software versions and certificates can also still be valid or compatible with newer versions of the software and therefore executable.

As already mentioned, the latest software and the newest certificate can be made available by using the second interface. However, if a second interface is not available on the first rail vehicle, for example a freight wagon, executable older software and/or a still valid certificate can also be transferred to other rail vehicles if the latter have software that is no longer executable and/or a no longer valid certificate. In these circumstances, a vehicle combination without a locomotive can also be advantageously updated if none of the freight wagons is equipped with a second interface. According to a variant, the aspects of the invention explained above are determined by selecting, among the freight wagons of the vehicle convoy, the wagon or wagons having the most recent version of the installed programs.

In this variant of the invention, it is provided that the rail vehicles of the vehicle convoy can communicate with each other in such a way that it can be determined which of the rail vehicles is the first rail vehicle to be able to transmit the most recent version of the software to the other rail vehicles. If one of the rail vehicles is equipped with a second interface, this rail vehicle will usually be able to make the current and therefore the most recent software version available. Otherwise, a query among the rail vehicles involved makes it possible to make a version that is locally optimal for the vehicle convoy available to all rail vehicles in the vehicle convoy without using the second interface.

According to a variant, the aspects of the invention explained above are determined by the fact that the digital certificate contains a permission for use.

This makes it possible to implement rights management. The digital certificate also provides protection against unauthorized and abusive interventions by third parties.

According to a variant, the aspects of the invention explained above are determined by the fact that the digital certificate proves an integrity and/or validity of the software. The software can also be provided with a certificate. This ensures that outdated software can no longer be used as soon as the certificate is no longer valid. This is an advantageous way of safely ruling out any problems with compatibility between individual software versions of the programs installed on the freight wagons.

According to one variant, the aspects of the invention explained above are determined by the fact that a whitelist of all permissible versions for installed programs and all permissible certificates is present on the first rail vehicle and/or a blacklist of all impermissible versions for installed programs and all impermissible certificates is present, based on which it is checked whether the program installed on at least the second rail vehicle can be executed in the existing version and/or the at least one digital certificate available on at least the second rail vehicle is valid. By comparing with a whitelist and/or blacklist, it can be determined very reliably and in a very short time whether a certain software or a certain certificate, which is transmitted to the first rail vehicle by the second rail vehicle or other rail vehicles, can be accepted or not. This advantageously improves the reliability and the performance of the method according to the invention (more on the exact procedure for evaluating a whitelist and/or blacklist below).

Furthermore, according to a further aspect of the invention, a computer program containing program modules with program instructions for carrying out the method according to the invention and/or its embodiments is described, wherein by means of the Computer program, the method according to the invention and/or its embodiments can be carried out.

Furthermore, according to a further aspect of the invention, a provision device for storing and/or providing the computer program in the form of a computer-readable storage medium is described. The provision device is, for example, a storage unit that stores and/or provides the computer program. Alternatively and/or additionally, the provision device is, for example, a network service, a computer system, a server system, in particular a distributed, for example cloud-based computer system and/or virtual computer system, which stores and/or provides the computer program preferably in the form of a data stream.

The provision takes place in the form of a program data set as a file, in particular as a download file, or as a data stream, in particular as a download data stream, of the computer program. This provision can also take place, for example, as a partial download consisting of several parts. Such a computer program is transferred, for example, using the provision device into a computing environment, so that the method according to the invention can be carried out in a computing instance.

Exemplary embodiments of the drawing

Further details of the invention are described below with reference to the drawing. Identical or corresponding drawing elements are provided with the same reference numerals in the individual figures and are only explained several times how differences arise between the individual figures.

The embodiments explained below are preferred embodiments of the invention. In the embodiments, the components of the embodiments described each represent individual variants of the invention that are to be considered independently of one another, which also develop the invention independently of one another and are therefore to be viewed as part of the invention individually or in a combination other than that shown. Furthermore, the components described can also be combined with the variants of the invention described above.

Regardless of the grammatical gender of the terms concerned, persons with male, female or other gender identity are equally included.

Figure 1 shows an embodiment of the devices according to the invention, namely rail vehicles designed as locomotives or freight cars, with their functional relationships schematically.

Figure 2 shows an embodiment of a computing environment for the devices according to Figure 1 as a block diagram, wherein the individual computing instances execute program modules which can each run in one or more of the computers shown as examples and wherein the interfaces shown can accordingly be implemented in software in one computer or in hardware between different computers.

Figure 3 shows an embodiment of the method according to the invention as a flow chart, whereby the method steps shown can be implemented individually or in groups by program modules and whereby the Computing instances and interfaces are shown as examples in Figure 2.

Detailed description of the drawing

In a computing environment, the computing instances RI used according to Figure 1 and Figure 2 and their and other functional components, namely a first functional component Fl, a second functional component F2 and a third functional component F3 are connected by a first interface S1, by a second interface S2, by a third interface S3, by a fourth interface S4 and by a fifth interface S5. The first functional component, the second functional component and the third functional component are merely indicated as examples. These can each be one or more functional units, which can be formed, for example, by computers, processors or sensors. The functional components contribute to the functions to be implemented in the freight cars or locomotives, which are known in themselves and will not be explained further at this point. Computers, processors, sensors and other functional units are also referred to in the context of this invention as end devices or ED for short.

According to Figure 2, in particular in the computing environment, in a first computer CI, a first processor PI is connected to a first memory unit SE1 through an eleventh interface S11, in a second computer C2, a second processor P2 is connected to a second memory unit SE2 through a twelfth interface S12, in a third computer C3, a third processor P3 is connected to a third processor P3 and to a third memory unit SE3 through a thirteenth interface S13, in a fourth computer C4, a fourth processor P4 is connected to a fourth memory unit SE4 through a fourteenth interface S 14 , wherein the above-mentioned first to fourth computers C4 are referred to jointly as computers, the above-mentioned first to fourth processors P4 are referred to jointly as processors and the above-mentioned first to fourth memory units SE4 are referred to jointly as memory units. The tasks of the method according to the invention can be accomplished by the respective computers. The respective memory units are also intended, among other things, to store programs in the form of program data and certificates in the form of certificate data so that these can be called up by the computers when required.

In Figures 1 and 2 it can also be seen that a connection can be established between the locomotive LV and a data center RZ via the second interface S2, which is a radio interface. The locomotive LV according to Figure 1 is coupled to three freight wagons GW and together form a vehicle convoy FV. The individual freight wagons GW and the locomotive LV are each coupled to one another via a digital automatic coupling DAK. The vehicle convoy FV, which is a freight train according to Figure 1, is shown standing on a track GL.

Just like the locomotive LV, the freight wagons GW shown in Figure 1 can also use the second interface S2 (not shown). For this purpose, the locomotive LV, the freight wagons GW and also a data center RZ housing a server SV are equipped with antennas AT. Not shown, but equally possible, is that not all of the freight wagons GW have an antenna AT, whereby only freight wagons GW that have an antenna AT can download current software or current certificates from the data center RZ via the second interface S2. Freight wagons GW with an antenna AT can also advantageously be used as the first rail vehicle FZ 1. The function of the first rail vehicle FZ 1 , the second rail vehicle FZ2 and the third rail vehicle is shown in Figure 2 . The first rail vehicle can be a locomotive LV, as shown in Figure 1, but alternatively also a freight wagon GW . In the latter case, the vehicle formation FV is formed in particular by a formation of freight wagons GW that is not connected to a locomotive LV, as can be formed, for example, after running on a directional track of a run-off system (not shown in more detail).

As can be seen from Figure 1, the first interface S 1 is a bus system, which can be implemented in particular by an Ethernet Train Backbone ETB or by a Wire Train Bus WTB. The Ethernet Train Backbone ETB is routed via the digital automatic couplings DAK.

As can be seen from Figure 2, each of the rail vehicles (regardless of whether these vehicles are a locomotive LV or a freight car GW) has its own computing instance RI. These computing instances RI also each contain a node of the communications network formed by the first interface S 1, so that communication can be regulated via the first interface S 1. The first rail vehicle FZ 1 forms a control node or monitoring node (not shown in more detail), which assumes a controlling or, in other words, managerial function with regard to checking the computing instances RI of the other rail vehicles and, if necessary, a subsequent software update or update of the certificates. The nodes and also the control node of the first rail vehicle FZ 1 are connected via so-called Ethernet Train Backbone Nodes ETBN to the first interface S 1, which is designed as an Ethernet Train Backbone ETB. In the following, a software (hereinafter referred to as SW) updating and management mechanism for the freight wagons GW and, if necessary, also for the locomotives LV is described in detail. This consists of the following main steps, some of which are optional - i.e. they can be carried out by other means without affecting the other steps of the invention:

Step 1 (hereinafter referred to as INI): In a vehicle convoy FV with or without a locomotive LV (hereinafter referred to as train), a control node is set up as part of the computing instance RI, preferably on a locomotive LV. The computing instances RI of the rail vehicles each form an Ethernet Consist Network (hereinafter referred to as ECN) per rail vehicle. Each ECN is connected via an Ethernet Train Backbone Node ETBN (hereinafter referred to as ETBN) to an Ethernet Train Backbone ETB, which forms the first interface S 1. In the case of multiple traction, in which more than one locomotive LV is connected to the Ethernet Train Backbone ETB (hereinafter referred to as ETB), a locomotive LV is selected to host the control node. Preferably this should be the one with the occupied driver's cab, but other selection mechanisms are also possible (such as, but not limited to, the leading train formation or the highest/lowest UIC number).

Step 2 (abbreviated to INF): Transmission of the SW version of the ETBN and (optionally) the terminal devices (hereinafter abbreviated to ED) that can be reached and updated via this ETBN, such as computers, processors or sensors (which together form the computing instance RI of the vehicle in question) via the ETB. Optionally, software and hardware information such as identifiers, including revision, version and status information as well as digital certificates are also transmitted. This information is then used by the control node to determine whether the train, represented by the set of connected ETBNs, is in a safe operating condition. This requires an extension of the series of standards IEC 61375, in particular - 1 (General Architecture), -2-5 (ETB) and -2- 8 (TCN conformity tests).

Step 3 (called VAL for short): In addition to transmitting the identification information (version, secure hashes, signatures), the system provides a mechanism that enables the control node to cryptographically validate the software version using digital certificates, so that it can detect unauthorized software on an ETBN (and/or ED). This is the mechanism that ensures that, on the basis of the data received, a message is generated concerning the up-to-dateness of the software properties and/or configurations as well as the validity of a digital certificate for the operation of the programs of the other computing instances RI and, optionally, on the basis of the data received, a message is generated concerning the up-to-dateness of the hardware properties as well as the validity of a digital certificate for the operation of the computer, optionally also of processors and/or sensors of the other computing instances RI. This is preferably done in steps 4 and 5 described below.

Step 4 (LST for short): The SV server keeps a list of software versions and certificates up to date (more on this in step 5). This is transferred to the control node when required.

Step 5 (CHK for short): The control node updates the list of SW versions (including all information required for validating the cryptographic version information, e.g. digital certificates) to determine whether the are valid for the SW versions used. This list can be a. a whitelist, where software on this whitelist is safe to use and no further action is required (an update to a newer version can still be carried out, see below), or a b. a blacklist, where the software on the blacklist is considered outdated, incompatible and/or unsafe to use and remedial action must be taken (e.g.

B. Updating the SW and/or informing the personnel responsible for train integrity checking/validation, as already explained). In a pure blacklist approach, any software not on this blacklist is considered safe to operate and treated as described above for the whitelist.

In addition, it may be a combination of blacklist and whitelist, where a software version detected as being present but not included in either list will result in a notification to the staff responsible for checking train integrity and will require an explicit confirmation of the operational safety of the train composition. The treatment of SW versions that are either whitelisted or blacklisted is as described above, with the exception of automatic whitelisting when using the pure blacklist approach.

Step 6 . 1 and 6 . 2 ( UPD_ETBN and UPD_ED for short ) : These steps form the basis for updating the software in the computing instance RI of at least the second and further rail vehicles in the event that the software version is not up to date and / or for the If a certificate cannot be verified, an update of the certificate in the computing instance RI of at least the second and further rail vehicles is carried out.

For this purpose, a SW update mechanism is introduced, in particular by means of the ETB via the so-called e-coupler contacts of the digital automatic coupling DAK. a. This is optional for the entire invention, so it can also be done wirelessly or via the mentioned Wireless Train Bus WTB. i. If not implemented, no SW distribution via the coupler is possible. SW updates must then be carried out by the wagon, e.g. via a wireless connection on each wagon or via a local service connection SV. ii. If implemented as a proprietary solution (and therefore not compatible between manufacturers), only certain wagons can be updated in this way by a certain locomotive LV, which can be ensured e.g. by digital certificates. iii. When extending the IEC 61375 series, in particular -1 (General Architecture), -2-5 (ETB) and -2-8 (TCN-

conformity tests), it can be provided that software updates of the ETBN and the connected ED (terminals) are made possible in a standardized manner. Manufacturer-dependent certificates would not be required under these conditions. b. If the option (see below) is not selected, a two-stage approach is followed, in which the ETBN itself is updated first and then the EDs.

Step 6.1: The ETBN is updated first. As mentioned, the first interface S1 can be used for this. - The ETBN receives a SW update request from a control node in the leadership group.

- The ETBN authenticates the control node

- The ETBN retrieves the new SW package from the controlling node (or the controlling node pushes the SW); once the SW is received, the ETBN installs the SW autonomously if it is safe to do so (or it waits for the controlling node's instruction to install the SW).

Optionally, the ETBN can perform additional compatibility checks for a successful update (comparison with the current software and hardware revision).

- Once the update is completed, the ETBN reports the new SW version to the controlling node.

Step 6 . 2 : The updated ETBN updates the connected EDs

- The ETBN reports the EDs reachable via this ETBN (which are capable of a SW update by informing the ETBN of this capability) to the controlling node in the leadership group. For each ED, the current SW and HW versions as well as status information are reported.

- The controlling node checks whether the ED needs a SW update (see above: general rules for updating).

- The control node, also called controlling node , passes the SW update package for the ED to the ETBN and instructs the ETBN to perform the update (provided the system is in a state where such an update is allowed) Alternatively, the ETBN can act only as a gateway and the control node performs the update directly on the ED (with the ETBN as GW between ETB and ECN).

- The ETBN will only initiate an update of an ED if it receives instructions to do so and is itself in a state where it is safe to do so. - The ED checks whether a SW update is safe in the current state before initiating the SW update.

- The ED performs the update and reports the current version to the controlling node via the ETBN.

Option : A variant is also possible where the SW for the ETBN and all connected EDs is contained in a single package ), not shown in Figure 3 . c . General rules for the update strategy : Since the update must be automated , the following rules apply

- If a SW with a newer version is available for a specific ETBN/ED on or for the controlling node, an update is performed (if the system is in good condition)

- If the current SW version of an ETBN/ED is blacklisted on the controlling node and another (valid, non-blacklisted) SW is available on or for the controlling node, an update will be performed, even if this downgrades the SW of the ETBN/ED.

- If the current SW version of an ETBN on the controlling node is blacklisted and no other (valid, non-blacklisted) SW is available on or for the controlling node, the ETBN is set to "broken" mode and not used.

- If the current SW version of an ED is blacklisted by the controlling node and no other (valid, non-blacklisted) SW is available on or for the controlling node, the ETBN controlling this ED is informed to put the ED into "broken" mode.

- If ETBNs or EDs cannot be updated for any reason, the controlling node must Inform the train driver/train supervisor/wagon manager/railway company so that the problem can be remedied. d. In addition, a local software update must be possible at any time if the train is in a safe condition.

- To support the update mechanism, the control node provides access to one or more trackside repositories from which the latest software can be retrieved for each ETBN/ED node that needs to be updated. In addition, the controlling node can provide local storage for some or all of these software packages to avoid having to retrieve them multiple times over a wireless/mobile network. Optionally, additional information is provided with each image on how often it is used, so that when the storage capacity in the control node is exhausted, a decision can be made as to which image to discard.

reference symbol list

RI computing instances

Fl first functional component

F2 second functional component

F3 third functional component

51 first interface

52 second interface

53 third interface

54 fourth interface

55 fifth interface

CI first computer

PI first processor

SEI first storage unit

511 an eleventh interface

C2 second computer

P2 second processor

SE2 of a second storage unit

512 a twelfth interface

C3 third computer

P3 third processor

SE3 third storage unit

513 a 13th interface

C4 fourth computer

P4 fourth processor

SE4 fourth storage unit

514 14 . Interface

LV locomotive

RZ data center

GW freight cars

FV Vehicle Association

DAK digital automatic coupling

GL track

SV Server

AT antenna

FZ 1 first rail vehicle FZ2 second rail vehicle

ETB Ethernet Train Backbone

WTB Wire Train Bus

ETBN Ethernet Train Backbone Nodes

Claims

patent claims 1. Method for checking computing instances (RI) of rail vehicles, wherein a) programs installed on the computing instances (RI) and/or configurations stored in the computing instances (RI) are checked, b) of these rail vehicles, a first rail vehicle (FZ1), which is a locomotive (LV) or a freight wagon (GW), forms a coupled vehicle assembly (FV) with at least one second rail vehicle (FZ2), which is a freight wagon (GW), characterized in that the checking of the computing instances (RI) in the vehicle assembly (FV) is carried out by the first rail vehicle (FZ1), wherein c) a communication connection is established between the computing instance (RI) of the first rail vehicle (FZ1) and the computing instance (RI) of at least the second rail vehicle (FZ2) via a first interface (S1), d) the computing instance (RI) of the first rail vehicle (FZ1) is connected to at least the computing instance (RI) of the second rail vehicle (FZ2) via the communication connection. Rail vehicle (FZ2) receives data on the software properties of the programs and/or stored configurations existing on the rail vehicles concerned, e) on the basis of the data received, a message is generated which indicates that the software properties and/or configurations and the validity of a digital certificate for the operation of the programs. 2. Method for checking according to claim 1, characterized in that f) in addition to the programs installed on the computing instances (RI) and/or to the configurations stored in the computing instances (RI), at least one computer forming the computing instance (RI) is checked, g) the computing instance (RI) of the first rail vehicle (FZ1) receives data about the hardware properties of the at least one computer on the relevant rail vehicles via the communication connection from at least the computing instance (RI) of the second rail vehicle (FZ2), h) on the basis of the data received, a message is generated which relates to the up-to-dateness of the hardware properties and the validity of a digital certificate for the operation of the at least one computer. 3. Method for checking according to claim 1 or 2, characterized in that the first interface (S1) is formed by a Wire Train Bus (WTB) or Ethernet Train Backbone (ETB). 4. Method for checking according to one of the preceding claims, characterized in that the first rail vehicle (FZ1) and at least the second Rail vehicle (FZ2) are coupled to each other via a digital automatic coupling (DAK). 5. Procedure for checking according to any of the preceding Claims, characterized in that the first Rail vehicle (FZ1) i) in the event that the software version is not up to date, carries out an update of the software in the computing instance (RI) of at least the second rail vehicle (FZ2) and/or j) in the event that a certificate cannot be verified, carries out an update of the certificate in the computing instance (RI) of at least the second rail vehicle (FZ2). 6. Method for checking according to one of the preceding claims, characterized in that the first vehicle has a second interface (S2) via which update data for updating the software or updating the certificate can be obtained from a server (SV). 7. Method for checking according to one of the preceding claims, characterized in that a freight wagon (GW) is selected as the first rail vehicle (FZ1) in the vehicle convoy (FV), wherein before the selection it is checked whether the programs installed on the computing instances (RI) can be executed and the digital certificates are valid. 8. Method for checking according to claim 7, characterized in that from among the freight wagons (GW) of the vehicle convoy (FV) the one or more of those freight wagons (GW) is selected which has the latest version of the installed programs. 9. A method for verifying according to any one of the preceding claims, characterized in that the digital certificate contains a permission to use. 10. Method for checking according to one of the preceding claims, characterized in that the digital certificate proves an integrity and/or validity of the software. 11. Method for checking according to one of the preceding claims, characterized in that a whitelist of all permissible versions for installed programs and all permissible certificates is present on the first rail vehicle (FZ1) and/or a blacklist of all impermissible versions for installed programs and all impermissible certificates is present, based on which it is checked whether the program installed on at least the second rail vehicle (FZ2) may be executed in the existing version and/or the at least one program installed on at least the second rail vehicle (FZ2) available digital certificate is valid. 12. Locomotive with a computer and a first interface (S1), characterized in that the computer is set up to carry out a method according to one of the preceding claims. 13. Freight wagon with a computer and a first interface (S1), characterized in that the computer is set up to carry out a method according to one of claims 1-11. 14. Computer program comprising program instructions which, when the program is executed by the locomotive (LV) according to Claim 12 or by the freight wagon (GW) according to claim 13 causing a computer to carry out the method according to one of claims 1 - 11. 15. Computer-readable storage medium on which the Computer program product according to the last preceding claim is stored.