CN1289345C - Method for controlling safety-critical railway operating process and device for carrying out said method - Google Patents
Method for controlling safety-critical railway operating process and device for carrying out said method Download PDFInfo
- Publication number
- CN1289345C CN1289345C CNB018238238A CN01823823A CN1289345C CN 1289345 C CN1289345 C CN 1289345C CN B018238238 A CNB018238238 A CN B018238238A CN 01823823 A CN01823823 A CN 01823823A CN 1289345 C CN1289345 C CN 1289345C
- Authority
- CN
- China
- Prior art keywords
- computer
- reliable
- commercial
- railway
- technology
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 113
- 230000008569 process Effects 0.000 title claims description 77
- 238000004886 process control Methods 0.000 claims abstract description 11
- 238000012545 processing Methods 0.000 claims description 37
- 238000005516 engineering process Methods 0.000 claims description 21
- 230000006870 function Effects 0.000 claims description 11
- 238000012544 monitoring process Methods 0.000 claims description 11
- 230000011664 signaling Effects 0.000 claims description 7
- 238000012795 verification Methods 0.000 claims description 7
- 230000005540 biological transmission Effects 0.000 claims description 6
- 230000015654 memory Effects 0.000 claims description 5
- 238000004891 communication Methods 0.000 claims description 4
- 230000009897 systematic effect Effects 0.000 claims 1
- 230000008901 benefit Effects 0.000 abstract description 2
- 238000007689 inspection Methods 0.000 abstract 1
- 230000007246 mechanism Effects 0.000 description 3
- 230000006378 damage Effects 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 208000027418 Wounds and injury Diseases 0.000 description 1
- 230000006735 deficit Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 208000014674 injury Diseases 0.000 description 1
- 230000007257 malfunction Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 230000003936 working memory Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1497—Details of time redundant execution on a single processing unit
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L21/00—Station blocking between signal boxes in one yard
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1608—Error detection by comparing the output signals of redundant hardware
- G06F11/1625—Error detection by comparing the output signals of redundant hardware in communications, e.g. transmission, interfaces
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1675—Temporal synchronisation or re-synchronisation of redundant processing components
- G06F11/1683—Temporal synchronisation or re-synchronisation of redundant processing components at instruction level
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Mechanical Engineering (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Train Traffic Observation, Control, And Security (AREA)
- Safety Devices In Control Systems (AREA)
- Electric Propulsion And Braking For Vehicles (AREA)
Abstract
In a method of the present invention for controlling a safe and severe railway operation course, a program is divided into system software (V, PMS) and special software (BO) of railway administration. Through system software operated on a computer (SR*) with a reliable signal technique, instructions (K) influencing control and prompt (M) are collected from the outside and are sent to business computers (R1, R2), and actual process control which is given in advance according to the operating specifications of each railway is operated in the business computers. The parallel execution or the serial execution of two channels of the specific program of railway administration is realized, wherein the inspection of whether the business computers respectively obtain the same result or not is carried out on the computer with a reliable signal technique. As long as consistent treatment results supplied by the business computers by at least two times are reliably identified, the reliable computer supplies output (SB) towards a course (BA) to be controlled, or the connection of parts (W, S) of the course is reliably separated on the signal technique. The present invention has the advantages that the reliable computer on the signal technique can usually use the same system software, and the special software of railway administration can be separated, developed, and inspected in a mode without relationship with the system software. Thereby, compared with the prior art, a lot of expenses and time are saved, and safety is not influenced.
Description
Technical Field
The invention relates to a method for controlling a safety-critical railway operation process using at least one signaling-technology-reliable computer, which processes input commands according to railway operation specifications in a signaling-technology-reliable manner and outputs the processed control command signals to process components in a signaling-technology-reliable manner, and uses the prompts generated by the process components for process state monitoring and process control, and to a device for carrying out the method.
Background
The railway operation process is a safety critical process, since possible functional failures, if not identified and prevented in a timely manner from affecting the process, can lead to significant property damage and possible injury to personnel. For this reason, signal-technology-reliable devices have been used for controlling such processes, the task of which is to detect internal functional faults within the process to be controlled and the process control itself, and to thus guide or maintain the process in a more safe state. Such a signal-technically reliable control can be realized by different techniques, for example by relay technology or by electronic technology. In the case of signal-technically reliable process control, expensive special-purpose computers have hitherto been used which process the current processing task two-channel and compare the consistency of the processing sequence in terms of content in a real-time signal-technically reliable manner. Outputting a processing control instruction to a process part of the process to be controlled only when the results obtained by the two processing channels are the same respectively; the connection to the process is interrupted unless there is at least one standby computer that can take over and actually take over the functions of the failed computer.
The above-described functions for reliably inputting and outputting data and for performing data comparison, including the function of reliably disconnecting process components if necessary, are implemented by the system software of a reliable computer. In addition, reliable computers have heretofore included railroad management specific software for actual process control (e.g., central control station control). The railway management software is determined by the respective railway management operation rules and describes, for example, the route sequence and route unlocking dependencies predefined by it (Signal + draw, 77(1985)12, page 259-265). Railway management specific software differs not only from one railway authority to another, but also at least in part from one facility to another of the same railway authority. This means that the software installed and running in a signally reliable computer varies from application to application, the correctness of the loaded software having to be proven by a proof of authenticity or convincing for each application. By mixing system software and railway management specific software in each computer, complex software packages are created that are difficult to see and time consuming and expensive to build and verify.
Disclosure of Invention
The object of the invention is to provide a method for controlling safety-critical railway operations, which requires little effort in the creation of the programs required for reliable process management and which can react quickly and inexpensively to the requirements of the railway operator for possible changes in the process control. The invention also provides a device for implementing the method.
The object of the invention is achieved by a method for controlling a safety-critical railway operation process using at least one signaling-technology-responsible computer, which processes input commands according to railway operation specifications in a signaling-technology-responsible manner and outputs the processed control command signals to process components in a technical-responsible manner and uses the prompts generated by the process components for process state monitoring and process control, wherein only system software is stored in the responsible computer, the program of which enables the responsible computer to perform signal-technology-reliable input/output and signal-technology-reliable data comparison, and railway management-specific software is stored in at least one non-signaling-technology-responsible computer, which contains the conditions and dependencies predefined for the railway operation process by the railway management department via its railway operation specifications The signal-technology-responsible computer generates a processing task on the basis of the instructions and prompts transmitted thereto and transmits it to the commercial computer, where the processing task is processed at least twice independently of one another, the processed and/or intermediate results are transmitted to the responsible computer and the content-consistency verification is reliably carried out by the signal-technology-responsible computer, wherein the responsible computer only accepts the results and/or intermediate results which are provided at least doubly consistently by the commercial computer and reliably outputs the control-instruction signal technology derived therefrom to the process component.
The object of the invention is also achieved by a device for carrying out a method for the safe and critical control of a railway operation process using at least one signaling-technology-responsible computer which processes input commands in accordance with railway operation specifications in a signaling-technology-responsible manner and outputs the processed control command signals to process components in a technical-responsible manner and uses the prompts generated by the process components for process state monitoring and process control, wherein only one system software is implemented in the signaling-technology-responsible computer, the program of which makes it possible for the responsible computer to input/output signals in a technical-responsible manner and to compare data in a technical-responsible manner, at least one non-signaling-responsible commercial computer is provided, in which a railway management-specific software is implemented, which contains a control specification for the railway operation process predefined by a railway management department via its railway operation specifications The reliable computer and the commercial computer are connected to a communication system, via which the signal technology reliable computer transmits processing tasks to the commercial computer and receives results and/or intermediate results from the commercial computer, wherein the commercial computer is provided for carrying out the processing tasks at least twice independently of one another, and the reliable computer verifies the content consistency of the results and/or intermediate results signal technology transmitted to it by the commercial computer in each case and derives control commands for the process component from the verification results and outputs them to the process component via a drive provided for this purpose.
The basic idea of the invention is to load the railway management software from a signal-technology-reliable computer into a commercial computer, in which the data are processed at least twice in each case and to carry out a consistency check in the signal-technology-reliable computer before being output to the process. Besides the task of data comparison, the computer with reliable signal technology mainly has the following tasks: input prompts and commands are reliably detected and transmitted to the commercial computer, and process components are reliably influenced and the connection to the process components is reliably interrupted by signaling technology in the event of a fault.
Preferred embodiments and developments of the inventive method and of the inventive device are given in the dependent claims.
Drawings
The present invention will be further described with reference to embodiments shown in the drawings. Wherein,
figure 1 schematically shows the structure of the apparatus for controlling a safety-critical railway operation process of the present invention,
fig. 2 shows the structure of a corresponding prior art implementation.
Detailed Description
Fig. 2 shows a known signal-technology-reliable computer SR for process processing in two separate processing channels K1, K2, preferably by the same processing program. The reliable computer SR represents any number of signal technology reliable computers; the number of which depends mainly on the scale of the process to be controlled. The process to be controlled is a railway operation process for acting on the railway equipment BA. In the figure, one switch W and one signal S represent process components of the railway system. The control and monitoring of the process elements is carried out by control and monitoring circuits, not explicitly shown in the figure, which are developed for this purpose, by means of which control commands are issued to the process elements by a reliable computer SR and from which prompts M are input to the reliable computer.
The signally reliable computer SR outputs the prompts M transmitted to it from the process to the input and display computer EAR via the communication bus KB. The input and display computer, among other functions, monitors the course of the railway operation in accordance with the presentation rules established in the respective railway operation regulations; it is preferably implemented as a computer that is signal-technology method reliable. Via this input and display computer EAR, commands K for controlling the railway operation process are also generated and transmitted to a signaling-technology-reliable computer SR. The input can be made by an operator, for example a driving service supervisor, or also by automation techniques, for example for automated job mode (selbsttillberieb) or continuous through-job (duchletberiib).
The prompts and commands are processed in a signal-technology-reliable computer in two channels according to the conditions and dependencies determined in the operating regulations of the respective railway operator. The data, address and control signals present on the buses of the two processing systems are reliably compared in real time by means of signal technology, in order to be able to immediately detect possible deviations. In this case, the checking program checks even the input/output registers of a reliable computer and its program and working memories and their address registers for a predetermined minimum time interval to see whether its memories can assume one state or the other. In this way, possible malfunctions can be identified event-or time-controlled and cause a reliable disconnection of the external device: the control command can no longer be output to the switch and the signal is off.
The storage of the predefined conditions and dependencies of the operational specifications of the railway management system, which are represented in the figure by the oval diagram BO, in the program memory of the reliable computer SR and the mixing with the system software makes the software stored in the reliable computer for controlling the railway operation process a software which is very complex and is extraordinarily expensive both in the set-up and in the testing.
In the device for controlling a railway operation according to the invention shown in fig. 1, there is also at least one computer SR whose signaling technology is reliable*With two preferably identically constructed and identically operating process channels K1*And K2*. Their task is, like the reliable signal technology computer SR according to the prior art, to reliably capture and process all the prompts M and commands K input to it. It is also the task of the signaling technology to reliably output the processed control commands SB to the process components W, S of the respective piece of railway equipment BA and to ensure that the output of the control commands is reliably halted in the event of a fault. In contrast to the prior art, the processing of conditions and dependencies defined by the individual railway operations BO for the control and monitoring of railway operations is not a signal-technology-reliable computer SR*But in commercial computers R1, R2.. Rn. Also stored in these commercial computers are equipment-specific data for controlling the course of railway operations; computers R1, R2 represent one or more computer pairs, wherein each computer may also belong to multiple computer pairs; that is, three computers can form three computer pairs. It is composed of a base, a cover and a coverThe reliable computers SR are executed independently of each other according to the conditions and dependencies determined for process control in the railway operations BO*Input to their processing task a. Two computers of each pair R1, R2 transmit their processing results to a signaling-technology-reliable computer SR*Wherein a waiting time with time monitoring must be set for the temporally preceding computer R1 or R2, at which time the processing result of the further computer is waited for, or fault handling takes place if the time is exceeded. The verification mechanism PM for the authenticity of the prompts input to the pair of commercial computers R1, R2 and the output processed thereby and the signature of the memory area is schematically shown in fig. 1. Input to a reliable computer SR by an input and display computer EAR*By the computer SR*Converted into processing task A and transmitted to commercial computers R1, R2 in the form of telegrams; this leads to a processing in the commercial computers R1, R2 according to the conditions and dependencies of the respective railway operations specifying BO.
In the case where the processing by the railway management dedicated software of the commercial computer reaches a program point where the continuation processing of the program is to be performed after a predetermined waiting time, a signal technology-reliable computer is used to ensure the synchronization of the commercial computer processing program in response to the requirements of the commercial computer in order to continue the processing of the program after the waiting time has elapsed. For example, certain sensor cues should be read in and processed by the commercial computer several seconds after the waiting time.
The processing result E determined by the commercial computer for R1, R2 is sent as a telegram to a signaling-technology-reliable computer SR*Where it is reliably distributed by signaling to two processing channels K1*And K2*And the signal technique reliably performs consistency comparisons. In order to reliably assign the prompts and to reliably compare the results of the processing by the commercial computers R1, R2, a functional block V is shown in which the relevant programs are stored as system software. Unlike the authentication mechanisms PM of commercial computers R1, R2, the authentication mechanism of a signal-technology-reliable computerPMS is a reliable implementation of signal technology.
In comparison with corresponding devices designed according to the prior art, the inventive device has the advantage that, in a signal-technology-reliable computer, only reliable inputs and outputs and reliable data comparison functions are always implemented, and that the requirements and conditions, which are respectively determined by the operating regulations of the individual railway authorities, are independent. Thus, not only is the system software running in a reliable computer simple and clear; it is rather the same for all application scenarios, i.e. no longer needs to be reprocessed and license verified as the situation changes. Railway management specific software, determined by the different operating specifications of the various railway authorities, is run in a commercial computer. Its co-operation with the system software of a reliable computer does not have to be verified. But only requires that a special interface between the computer and the commercial computer is reliable in respect of signal technology and that the functionality of the railway management-specific software implemented in the commercial computer is checked, i.e. that a particular input actually results in a particular output. The verification of this function is carried out separately from the verification of the system software and, unlike the prior art, is no longer combined with the system software of a reliable computer, as is also clear from the prior art.
The programming of the railway management specific software is not necessarily carried out by a computer for which the manufacturer responsible for the signal technology reliability of the process events is reliable. Rather, a contract programmed for a commercial computer may be given to a qualified engineer's office or the like, which coordinates its programmed software with various railroad administration and authorities such as the federal railway administration. The procedure for controlling and monitoring safety-critical railway operations can thus be adapted more quickly and more cost-effectively to the respective conditions than hitherto, without any safety-related impairment being associated therewith.
In the above-described embodiments, the commercial computers R1, R2 represent one or more dual-computer systems or computer systems with redundant computers, wherein the computers are intended to run the same programs for processing predetermined conditions and dependencies of the respective railway operations, wherein the commercial computers preferably either implement only specific partial functions of the operation specifications or respectively act only on specific parts of the railway system. However, provision can also be made for the commercial computers R1, R2 each to be a separate computer, in which the programs of the railway management-specific software determined by the operating provision of the railway management are processed several times (at least twice) in succession independently of one another. The railway management specific software required for this purpose can be designed in a versatile manner, but can also be identical in terms of content for both processes.
For the transmission of the results of the processing of the commercial computer to the signal-technology-reliable computer, a non-signal-technology-reliable data transmission can preferably be used, wherein the results of the serial or parallel processing on the two channels are either transmitted to the reliable computer on the two channels or transmitted twice in succession only over one channel. A second or third redundant channel improves availability. Possible data distortions in the transmission path from the commercial computer to the signal-technology-responsible computer and vice versa can be recognized in the receiving computer by the signature issued by the transmitting computer, which encodes the telegram content by means of a calculation specification. When serially transmitting data to a reliable computer, data markers are added, which enable the reliable computer to recognize whether the transmitted data are current and actually come from different computation channels of a commercial computer, and are the result of different processes; in the case of data transmission via separate buses, a signaling-capable computer can recognize from the data transmitted to it via one or the other of the buses whether the data is also actually from one or the other of the pair of commercial computers.
In a preferred embodiment of the invention, the commercial computer can be implemented as a so-called operator terminal computer, by means of which instructions for carrying out the railway operation process can be given by the railway workers or by automation and the response of the railway operation process can be visualized. In this way, programs for inputting and visualizing commands and prompts and programs for controlling process elements according to the railway operating regulations are run in the operator terminal computer independently of one another. The program for inputting commands and visualizing the process events can also be combined with a process control program, which is predefined, for example, by railway operating regulations.
The computer with reliable signaling can also be implemented as an m of n computer system, wherein the decision as to whether and which control commands should be output to the process is determined by a majority vote of at least two scatheless computers.
The control instruction is output to the process and is realized by two channels; each computer may block the output of control instructions when a processing fault is determined.
The inventive method and the inventive device can be advantageously applied to all safety-critical railway operations. Such applications can be, for example, the reliable control of railway operations by a controller, but also, for example, the reliable control of railway crossings, of the section equipment and of the train equipment of the axle counter equipment (achzaehlanlage) and of the continuous train automation (LZB).
Claims (20)
1. A method for controlling a safety-critical railway operation process using at least one signaling-technology-reliable computer, which processes input commands according to railway operation specifications in a signaling-technology-reliable manner and outputs the processed control command signals to process components in a signaling-technology-reliable manner and uses the prompts generated by the process components for process state monitoring and process control,
in the reliable computer (SR)*) In which only system software (V, PMS) is stored, the program of said system softwareThe reliable computer can reliably carry out input/output by signal technology and data comparison by signal technology,
-storing railway management specific software (BO) in at least one non-signal technically reliable commercial computer (R1, R2), the railway management specific software containing conditions and dependencies predetermined by the railway administration by its railway operations for the railway operation process,
the signally reliable computer generates a processing task (A) on the basis of the instructions (K) and prompts (M) transmitted thereto and transmits it to the commercial computer,
the processing tasks are processed at the business computer at least twice independently of each other,
the result (E) of the processing and/or intermediate results are transmitted to the trusted computer and content consistency verification is reliably performed by the trusted computer signal technology,
wherein the reliable computer accepts only results and/or intermediate results which are provided at least in duplicate by the commercial computer and reliably outputs control command (SB) signals derived therefrom to the process component (BA).
2. Method according to claim 1, characterized in that the same or different software is used for at least two processes of the processing task in a commercial computer.
3. Method according to claim 1 or 2, characterized in that the time results produced in the processing of the railway management specific software (BO) are reliable by the signal technology computer (SR)*) The synchronization is performed according to the requirements of the commercial computer.
4. Method according to claim 1, characterized in that the results determined by the commercial computer and/or intermediate results are transmitted to the reliable computer via a non-signal technology reliable communication channel.
5. A method as claimed in claim 1, characterized in that a data transmission in the form of a telegram is provided and the telegram is signed, on the basis of which signature each receiving computer can recognize whether the telegram was transmitted undistorted.
6. A method as claimed in claim 1, characterized in that a telegram-like data transmission is provided and the telegram is signed, on the basis of which signature a signaling-technical reliable computer can recognize: whether a distortion occurs in the program memory and data memory of the commercial computer or the CPU of the commercial computer no longer functions correctly.
7. Method according to claim 1, characterized in that the processing tasks are processed essentially simultaneously in at least two commercial computers (R1, R2) respectively, or temporally in series in only one computer, and the determined results and/or intermediate results are transmitted in pairs to the reliable computer for comparison respectively.
8. A method according to claim 7, characterized in that a marking is attached to the telegram, on the basis of which the reliable computer can identify whether the telegram was actually processed separately.
9. The method of claim 7 wherein said trusted computer identifies whether said telegram is from a different computer based on results of a prompt from a commercial computer transmitted to said trusted computer by a different input.
10. Method according to claim 1, characterized in that system errors in the railway management specific software (BO) are excluded by employing a plurality of operating systems in the concerned computers (R1 to Rn).
11. A method according to claim 1, characterized in that systematic errors in the hardware of the commercial computer are excluded by using various computer components in the concerned computers (R1 to Rn).
12. An apparatus for implementing a method for controlling a safety-critical railway operation process using at least one signaling-technology-reliable computer which processes input commands signal-technology-reliably according to railway operation specifications and outputs processed control command signals-technology-reliably to process components and uses indications generated by the process components for process state monitoring and process control,
computer (SR) reliable in said signalling technique*) In such a way that the reliable computer can reliably perform input/output (K, E, M, A, SB) and data comparison using signaling techniques,
at least one non-signal technology-reliable commercial computer (R1, R2) is provided, in which railway management-specific software is implemented, which contains conditions and dependencies predetermined by the railway administration via its railway operations for the control of railway operation processes,
connecting the reliable computer and the commercial computer to a communication system via which the signal-technology-reliable computer transmits processing tasks (A) to the commercial computer and receives results (E) and/or intermediate results from the commercial computer,
wherein the commercial computer is arranged to perform the processing tasks at least twice independently of each other,
the reliable computer reliably verifies the content consistency of the results (E) and/or intermediate result signals respectively transmitted to it in pairs by the commercial computer, and derives control commands (SB) for the process components (W, S) from the verification results and outputs them to the process components via a driver provided for this purpose.
13. The apparatus according to claim 12, characterized in that only programs whose functions are verified are installed in the commercial computer as well.
14. The apparatus according to claim 12 or 13, wherein the commercial computer performs the processing task at least twice using the same or different software.
15. Apparatus according to claim 12, wherein at least two commercial computers are provided for executing the same processing task in pairs independently of each other.
16. Arrangement according to claim 12, characterized in that a plurality of commercial computers (R1, R2) are provided in a single-computer or multi-computer embodiment, respectively, for carrying out different functions or partial functions or for controlling and monitoring different equipment components.
17. The device according to claim 12, characterized in that at least one commercial computer is an operator terminal computer, by means of which instructions (K) are entered into the secured computer and prompts (M) are displayed.
18. The apparatus of claim 12, wherein the trusted computer is an m of n computer system.
19. The arrangement according to claim 12, characterized in that the reliable computer is arranged to identify from the tags attached to the results and/or intermediate results transmitted by at least one of the commercial computers whether the results and/or intermediate results come from different processes.
20. The apparatus of claim 12 wherein the reliable computer gives the process component possible control instructions on two channels.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/DE2001/004485 WO2003047937A1 (en) | 2001-11-22 | 2001-11-22 | Method for controlling a safety-critical railway operating process and device for carrying out said method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1558848A CN1558848A (en) | 2004-12-29 |
| CN1289345C true CN1289345C (en) | 2006-12-13 |
Family
ID=5648319
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB018238238A Expired - Fee Related CN1289345C (en) | 2001-11-22 | 2001-11-22 | Method for controlling safety-critical railway operating process and device for carrying out said method |
Country Status (8)
| Country | Link |
|---|---|
| JP (1) | JP4102306B2 (en) |
| KR (1) | KR20040063935A (en) |
| CN (1) | CN1289345C (en) |
| AU (1) | AU2002224742A1 (en) |
| CA (1) | CA2467972A1 (en) |
| HK (1) | HK1069363A1 (en) |
| MX (1) | MXPA04004840A (en) |
| WO (1) | WO2003047937A1 (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2929056B1 (en) * | 2008-03-19 | 2010-04-16 | Alstom Transport Sa | DEVICE FOR DETECTING A SECURITY THRESHOLD OF A RAIL SYSTEM |
| DE102012211273A1 (en) * | 2012-06-29 | 2014-01-02 | Siemens Aktiengesellschaft | Method and arrangement for controlling a technical installation |
| DE102013218814A1 (en) * | 2013-09-19 | 2015-03-19 | Siemens Aktiengesellschaft | Method for operating a safety-critical system |
| CN105822665A (en) * | 2016-06-02 | 2016-08-03 | 株洲时代新材料科技股份有限公司 | Integrated metal joint bearing in low-floor vehicle fixed hinge and assembly method thereof |
| CN112462731B (en) * | 2020-10-16 | 2022-06-24 | 北京西南交大盛阳科技股份有限公司 | Safety supervision control method, safety supervision control device, computer equipment and safety supervision system |
| EP4293957A1 (en) * | 2022-06-16 | 2023-12-20 | Siemens Mobility GmbH | Method and assembly for creating a control signal |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE3323269A1 (en) * | 1983-06-28 | 1985-01-10 | Siemens AG, 1000 Berlin und 8000 München | DEVICE FOR THE OPERATION OF A COMPUTER-CONTROLLED ACTUATOR |
| ATE110477T1 (en) * | 1990-08-14 | 1994-09-15 | Siemens Ag | HIGH SECURITY MULTIPLE COMPUTER SYSTEM WITH THREE COMPUTERS. |
| DE4107639A1 (en) * | 1991-03-09 | 1992-09-10 | Standard Elektrik Lorenz Ag | DEVICE FOR SIGNAL-SAFE REMOTE CONTROL OF A SUBSTATION IN A RAILWAY SYSTEM |
-
2001
- 2001-11-22 MX MXPA04004840A patent/MXPA04004840A/en active IP Right Grant
- 2001-11-22 AU AU2002224742A patent/AU2002224742A1/en not_active Abandoned
- 2001-11-22 CA CA002467972A patent/CA2467972A1/en not_active Abandoned
- 2001-11-22 CN CNB018238238A patent/CN1289345C/en not_active Expired - Fee Related
- 2001-11-22 WO PCT/DE2001/004485 patent/WO2003047937A1/en active Application Filing
- 2001-11-22 JP JP2003549144A patent/JP4102306B2/en not_active Expired - Fee Related
- 2001-11-22 KR KR10-2004-7007825A patent/KR20040063935A/en not_active Application Discontinuation
-
2005
- 2005-03-09 HK HK05102045A patent/HK1069363A1/en not_active IP Right Cessation
Also Published As
| Publication number | Publication date |
|---|---|
| AU2002224742A1 (en) | 2003-06-17 |
| WO2003047937A1 (en) | 2003-06-12 |
| MXPA04004840A (en) | 2004-08-02 |
| HK1069363A1 (en) | 2005-05-20 |
| KR20040063935A (en) | 2004-07-14 |
| JP4102306B2 (en) | 2008-06-18 |
| JP2005511386A (en) | 2005-04-28 |
| CN1558848A (en) | 2004-12-29 |
| CA2467972A1 (en) | 2003-06-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10272933B2 (en) | Railway safety critical systems with task redundancy and asymmetric communications capability | |
| WO2006051355A1 (en) | A control system, a method to operate a control system, a computer data signal and a graphical user interface for rail-borne vehicles | |
| JP4277030B2 (en) | Communication control system | |
| CN111694702B (en) | Method and system for secure signal manipulation | |
| Mongardi | Dependable computing for railway control systems | |
| CN1289345C (en) | Method for controlling safety-critical railway operating process and device for carrying out said method | |
| US7209811B1 (en) | System and method for controlling a safety-critical railroad operating process | |
| CN114860518A (en) | Detection method and system of function safety system, electronic equipment and storage medium | |
| JP4939814B2 (en) | Railway vehicle system | |
| EP1197418B1 (en) | Control method for a safety critical railway operation process and device for carrying out this method | |
| JPWO2005049467A1 (en) | Elevator control device | |
| CN110239575B (en) | Logic control equipment and system based on two-by-two-out-of-two | |
| EP3131804B1 (en) | Railway safety critical systems with task redundancy and asymmetric communications capability | |
| Mutlu et al. | A new test environment for PLC based interlocking systems | |
| Erb | Safety Measures of the Electronic Interlocking System “Elektra” | |
| JP5612995B2 (en) | Input bypass type fail-safe device and program for fail-safe | |
| JPH10338133A (en) | Signal safety control device for train | |
| Akita et al. | Safety and fault-tolerance in computer-controlled railway signalling systems | |
| EP3696048B1 (en) | System and method for traffic management of railway networks | |
| JP2007323190A (en) | Calculation control system for performing data communication and its communication method | |
| JP3395288B2 (en) | Information processing apparatus and information processing method | |
| EP0163921A1 (en) | Measurement data processing device | |
| Chlada | Software Test Automation: Safety System of a High Speed Train | |
| JP3802895B2 (en) | Parallel output type electronic interlocking device with a fail-safe majority logic circuit | |
| JP4443206B2 (en) | Software simulation equipment for train security control equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 1069363 Country of ref document: HK |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C19 | Lapse of patent right due to non-payment of the annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |