RS63339B2 - Train traffic control system and method for safe displaying a state indication of a route and train control system - Google Patents
- Publication number
- RS63339B2
- Authority
- RS
- Serbia
- Prior art keywords
- operator
- control system
- workstation
- component
- route
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L19/00—Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
- B61L19/06—Interlocking devices having electrical operation
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L21/00—Station blocking between signal boxes in one yard
- B61L21/06—Vehicle-on-line indication; Monitoring locking and release of the route
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L25/00—Recording or indicating positions or identities of vehicles or trains or setting of track apparatus
- B61L25/06—Indicating or recording the setting of track apparatus, e.g. of points, of signals
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/20—Trackside control of safe travel of vehicle or train, e.g. braking curve calculation
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/30—Trackside multiple control systems, e.g. switch-over between different systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L27/00—Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
- B61L27/50—Trackside diagnosis or maintenance, e.g. software upgrades
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L19/00—Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
- B61L19/06—Interlocking devices having electrical operation
- B61L2019/065—Interlocking devices having electrical operation with electronic means
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Train Traffic Observation, Control, And Security (AREA)
- Electric Propulsion And Braking For Vehicles (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Description
[0001] Description
[0002] Background of the invention
[0003] The present invention relates to a railway traffic control system comprising a route and train control system, an operator workstation with a screen, and a safe state indicator component with safety level SIL>0, more specifically SIL4, for indicating safety information about the state of elements of the route and train control system on the screen of the operator workstation. The invention further relates to a method for safely displaying a state indication of a route and train control system.
[0004] A corresponding railway traffic control system is known from [1].
[0005] Route and train control systems are designed for the safe control of routes and movement authorities in railway networks, for running trains, and for supervising and protecting trains against overspeed or against running beyond the end of their movement authority. Typical route and train control systems are, for example, interlocking systems, radio block centers or similar systems.
[0006] Remote operation of interlocking systems and other route and train control systems via traffic management systems is becoming increasingly important. Traffic management systems include a human-machine interface through which a human operator controls the route and train control systems. The route and train control system receives commands from the traffic management system for regular operations as well as for safety-critical operations. Safety-critical operations are carried out using the route and train control system in special operational situations or in the event of disturbances. In contrast to regular operations, whose admissibility can be checked at any time by the train control system, safety-critical operations are issued by the operator while bypassing elements of the route and train control system (e.g. the radio block center or the interlocking system). That is, safety-critical operations such as the safety-related release of a route or the changing of a safety-critical point are performed by the operator, who can thereby bypass the safety setup of the system.
[0007] [0005] Controlling safety-critical operations requires exceptional safety requirements to be met. In some cases customers require not only safety-critical control of the route and train control system but also a safe state indication of the route and train control system, e.g. for safety-critical operations that bypass the interlocking system, such as the "schriftlicher Befehl" and the "Ersatzsignal" operation. A "schriftlicher Befehl" is an operator's order to bypass the route and train control system manually, which must be issued to the train crew or stored in writing in case of, e.g., an operational error. An "Ersatzsignal" is an additional signal that replaces the order to pass a stop sign. By executing such safety-critical operations, the operator can bypass the safety setup of the system. The operator's decision whether to execute such a critical operation is based on the state of the route and train control system indicated on the screen of the operator workstation. It is therefore essential that the state of the route and train control system is displayed correctly. Accordingly, operator workstations that meet the required safety integrity level (usually SIL2, sometimes even SIL4) have been developed [1], [2], [3].
[0008] Customers now increasingly ask for additional non-safety functionality, or SIL0 functions, to be integrated into operator workstations [4]. This again requires great effort, because it must be ensured that the SIL0 components are free of interference ("rückwirkungsfrei") with the SIL>0 environment of the operator workstation. It also leads to high hardware costs for the dedicated computer and to high costs for software development, integration and testing, because all these components must be developed to a high safety integrity level (usually SIL4) in accordance with EN 50128 [5].
[0009] Existing solutions offer little flexibility and do not meet customer requirements. Customers are asking in particular for a web-based user interface that is flexible to operate. Users should be able to operate the RTCS not only from the central operator workstation but also from mobile phones. A web-based user interface is a configurable solution that provides the necessary flexibility.
[0010] A method for secure data transmission is disclosed in [2]. A method for verifying correct data transmission is disclosed in [3].
[0011] Document EP 3040862 A1 discloses a railway traffic control system comprising: a route and train control system; an operator workstation with a screen, wherein the operator workstation comprises at least one basic integrity indicator component with safety level SIL0 for indicating basic integrity information on the screen, and wherein the operator workstation is set up to generate graphical data of the basic integrity information; a safe state indicator component with safety level SIL>0, configured to convert state data concerning the state of elements of the route and train control system into graphical data and thereby generate indication data that indicate safety information about the state of the elements of the route and train control system on the screen of the operator workstation, wherein the basic integrity indicator component and the safe state indicator component are software components and the safe state indicator component is functionally separate from the basic integrity indicator component; and a safe channel connecting the safe state indicator component and the screen for the safe transmission of the safety information about the state of the elements of the route and train control system.
[0012] Object of the invention
[0013] The object of the invention is to propose a railway traffic control system which, on the one hand, achieves the required high safety level for the safe state indication and, on the other hand, enables a significant cost reduction and flexibility.
[0015] Description of the invention
[0016] This object is achieved by a railway traffic control system according to claim 1 and a method according to claim 9.
[0017] According to the invention, the operator workstation comprises at least one basic integrity indicator component with safety level SIL0 for indicating basic integrity information on the screen. An indication server is provided which comprises the safe state indicator component with safety level SIL>0, more specifically SIL4, for indicating safety information about the state of elements of the route and train control system on the screen of the operator workstation, the safe state indicator component being functionally independent of the operator workstation. Furthermore, a safe channel is provided that connects the indication server and the screen for the safe transmission of the safety information about the state of elements of the route and train control system.
[0018] The basic integrity indicator components and the safe state indicator component are software components, i.e. encapsulated software building blocks.
[0019] The basic integrity indicator component indicates on the screen any type of basic integrity information of the railway traffic control system, such as train delays or weather conditions, in order to inform the operator about certain conditions of the railway traffic control system, the controlled route and train control system and their elements with safety integrity level SIL0. Elements of the route and train control system may be, for example, field elements (points, signals, track vacancy detection systems, level crossings, etc.), logical elements (routes, movement authorities, line block systems, etc.), train elements (train parameters such as speed or train length, etc.) or field-related elements (temporary speed restriction zones, work areas of maintenance staff, areas of responsibility of a particular operator, etc.).
[0020] The safe state indicator component generates graphical data (indication data) to indicate safety-related states of the railway traffic control system, the controlled route and train control system and their elements with safety integrity level SIL>0, more specifically SIL4, so that the operator is reliably informed about these states. Safety-related operations can be executed on the basis of these indications.
[0021] According to the invention, the basic integrity indicator component is integrated in the operator workstation, while the safe state indicator component is functionally independent of the operator workstation. In other words, the function that generates the indication data for the safety information about the state of elements of the route and train control system (state data) is moved out of the operator workstation, i.e. the safe state indicator component is functionally separate from the basic integrity indicator component and may (but need not) be installed at a separate location. Freedom from interference between the SIL0 basic integrity indicator components and the safe state indicator component can thus be ensured more easily. Since the operator workstation comprises only low-safety components, it can be built with basic integrity (more specifically SIL0), which is much cheaper than the high-safety operator workstation known from the prior art. The inventive traffic control system thus allows a cost-effective safe indication of the state of elements of the route and train control system on the screen of the operator workstation.
[0022] Safety information about the state of elements of the route and train control system is transferred between the safe state indicator component and the screen over a safe channel (the communication channel between the indication server and the screen), which carries the graphical indication data to the screen and checksum information to the safe state indicator component. Methods for ensuring safe communication over this channel are applied in accordance with the relevant standards (e.g. EN 50159) and the required safety integrity level.
[0023] Both the basic integrity information and the safety information, more specifically the safe state indication of the route and train control system, are displayed to the operator on the screen of the operator workstation.
[0024] According to the invention, the safe state indicator component is integrated in the route and train control system, i.e. in a sub-center of the railway traffic control system. In this case no additional computer is required, which makes this embodiment more effective. On the other hand, the additional function must be integrated into all route and train control systems that are controlled by the railway traffic control system.
[0025] The safe state indicator component can be integrated in the indication server. The indication server can be part of the route and train control system. This is particularly advantageous where there is no overall control center and only a single (small) route and train control system needs to be controlled.
[0026] [0021] In an alternative embodiment, the system comprises a control center, with the indication server integrated in the control center. This embodiment is preferred where existing route and train control systems (for example from different suppliers) are controlled, since there is no need to integrate additional functions into the route and train control system. Control centers are known, e.g. from DB, as "Betriebszentrale" or "Steuerzentrale" respectively, and handle the tasks of controlling, securing and moving railway operations.
[0027] In a further alternative embodiment, the indication server is integrated in a remote computing center (remote from the screen). This allows thin clients to be used for the operator workstation (to reduce the power consumption, noise and space required in the control center). The remote computing center can be part of the control center.
[0028] Preferably, the indication server is secured by procedure, i.e. the required safety integrity level is achieved by a procedure that, on the one hand, involves the human user (operator) and, on the other hand, is supervised by a component of the route and train control system. A standard industrial computer can be used as the indication server.
[0029] Alternatively, the indication server may be a composite safety server, i.e. the indication server is a multi-channel server with a 2oo2 or 2oo3 architecture. Safety level SIL4 can be achieved with this embodiment.
[0030] Preferably, the operator workstation is integrated in the traffic management system. The traffic management system can include additional functions for managing train operation, e.g. delay detection, detection of train occupancy conflicts, (automatic) conflict resolution, management of resources such as maintenance staff along the route, telecommunications integration and video surveillance. With the operator workstation integrated in the traffic management system, only one set of input devices (mouse, keyboard, etc.) is needed to control railway traffic. A single operator can thus handle top-level train management as well as perform safety-critical operations that require a safe indication.
[0031] In a highly preferred embodiment, the safe channel is routed through the operator workstation. In this case no additional computer is required for transmitting the safety information. Whereas in the prior art the state data are transmitted to and processed in the workstation, which results in an overall safety integrity of SIL>0 for the workstation itself, the invention uses the workstation only as a "gray channel" secured by a procedure that leads to additional safety integrity requirements for the workstation itself. This reduces development costs.
[0032] In a highly preferred embodiment, the safe state indicator component is set up to compute a first checksum of the indication data it generates, and is further set up to perform a checksum comparison and/or a pixel-by-pixel comparison of pixmap data.
[0033] The safe state indicator component is preferably configured to retrieve the read-back component from the browser of the operator's workstation.
[0034] The present invention also relates to a method for safely displaying safety information about a state indication of a route and train control system at an operator's workstation of a railway traffic control system as previously described, with the steps of claim 9.
[0035] Safety information is transmitted from the route and train control system to the indication server. The indication server generates graphical data (indicative data) from the safety information, which is then sent to the display of the operator's workstation via a secure channel.
[0036] Graphical data for information with basic integrity is, however, generated within the operator's workstation. This graphical data is then transmitted within the operator's workstation to the display.
[0037] In a highly preferred variant, the secure channel is routed through the operator's workstation. In this case, the secure channel is at least partially part of the operator's workstation.
[0038] Preferably, the state data is converted to indicative pixmap data, and the indicative pixmap data is transmitted to the display using a method for verifying the correct transfer of pixmap data. The method for verifying the correct transfer of the pixmap data preferably includes: a) modifying at least one property of a fixed number of pixels selected from the indicative pixmap data in the first memory, wherein the selection is made randomly,
[0039] b) transferring the indicative pixmap data, including the modified pixels, from the first memory to the second memory,
[0040] c) reading back the modified pixels from the second memory, and
[0041] d) comparing the read-back modified pixels with the modified pixels of the first memory to verify the correct transfer of the indicative pixmap data, wherein the at least one property is modified in such a way that the modification cannot be noticed when the modified pixels are shown on the graphical display. A corresponding method is described in [3].
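Steps a) to d) above can be sketched as follows. This is an added example, not code from the patent or from [3]; the RGB byte layout, the choice of the blue channel's least significant bit as the unnoticeable property, and all function names are assumptions made for illustration.

```python
import random

BYTES_PER_PIXEL = 3  # assumption: 8-bit RGB, row-major


def mark_random_pixels(first_memory, count, rng):
    """Step a: toggle the blue-channel LSB of `count` randomly chosen pixels.

    Returns {pixel_index: expected_rgb_bytes} for the marked pixels.
    A one-bit change in one channel is not visible on screen.
    """
    n_pixels = len(first_memory) // BYTES_PER_PIXEL
    marks = {}
    for idx in rng.sample(range(n_pixels), count):
        off = idx * BYTES_PER_PIXEL
        first_memory[off + 2] ^= 0x01
        marks[idx] = bytes(first_memory[off:off + BYTES_PER_PIXEL])
    return marks


def read_back(second_memory, indices):
    """Step c: read only the marked pixels back from the second memory."""
    return {
        idx: bytes(second_memory[idx * BYTES_PER_PIXEL:(idx + 1) * BYTES_PER_PIXEL])
        for idx in indices
    }


def verify_transfer(first_memory, transfer, count=16, rng=None):
    """Run steps a-d once. `transfer` models the path to the second memory.

    Returns (ok, mismatching_pixel_indices).
    """
    rng = rng or random.SystemRandom()
    marks = mark_random_pixels(first_memory, count, rng)    # step a
    second_memory = transfer(first_memory)                  # step b
    seen = read_back(second_memory, marks)                  # step c
    bad = sorted(i for i in marks if seen[i] != marks[i])   # step d
    return not bad, bad


# Constructed sample: a 32x8 mid-grey pixmap.
SAMPLE_PIXMAP = bytes([128, 128, 128] * (32 * 8))

if __name__ == "__main__":
    frame = bytearray(SAMPLE_PIXMAP)
    print(verify_transfer(frame, lambda mem: bytearray(mem)))   # working copy
    frozen = bytearray(frame)                                   # stale frame
    print(verify_transfer(frame, lambda mem: frozen))           # detected
```

Because the marked pixels change on every run, a second memory that still holds the previous frame fails at every marked position; a fault confined to pixels outside the sample is not detected by this check alone.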
[0042] In a highly preferred variant, the indicative data generated by the safe state indicator component is displayed in the web browser of the operator's workstation in order to provide the necessary flexibility.
[0043] In order to verify that the visualization of the indicative data in the browser is indeed what is intended to be displayed, a preferred variant provides that the displayed indicative data is read back, in particular by generating pixmap data.
[0044] In a highly preferred variant, the safe state indicator component generates a first checksum of the indicative data, the browser generates a second checksum of the read-back data and transmits the second checksum to the safe state indicator component via the secure channel, and the safe state indicator component compares the first checksum and the second checksum. It can therefore be checked whether the transfer of the indicative data to the browser and the display of the transferred indicative data are correct. According to this embodiment, the checksum comparison is moved out of the operator's workstation to a separate safe comparison remote from the SIL0 operator's workstation.
[0045] Alternatively or additionally, the browser transmits the read-back data to the safe state indicator component via the secure channel, and the safe state indicator component compares the read-back data with the indicative data (pixel comparison).
[0046] To avoid false-positive comparison errors, algorithms that check only a few pixels (e.g. according to [3]) or morphological comparison algorithms (e.g. according to [6]) are used.
[0047] The present invention realizes a method based on a safe graphical state indication of the route and train control system in a SIL0 traffic management system. Safety systems for route and train control, e.g. interlocking and signaling systems, can therefore be controlled from the SIL0 traffic management system.
[0048] The inventive traffic control system enables the execution of safety-critical operations in a safety-critical system at reduced cost, more specifically the execution of safety-critical operations that require a safe display of the state of the route and train control system, e.g. because the route and train control system is bypassed by performing the corresponding critical operation.
[0049] Further advantages can be derived from the description and the attached drawing. The embodiments mentioned should not be interpreted as an exhaustive enumeration, but rather as examples for describing the present invention.
[0051] Drawings
[0052] The invention is shown in the drawing.
[0053] Fig. 1 shows the architecture of a traffic control system according to the state of the art.
[0054] Fig. 2 shows the architecture of a traffic control system not belonging to the invention, with an indication server integrated in the control center.
[0055] Fig. 3 shows the architecture of a traffic control system according to the present invention, with an indication server integrated into the route and train control system.
[0056] Fig. 4 shows the architecture of a traffic control system according to the present invention, wherein the safe state indicator component is integrated into the route and train control system without an indication server.
[0057] Fig. 5 shows the architecture of a traffic control system not belonging to the present invention, with an indication server integrated in a remote computing center.
[0058] Fig. 6 shows the architecture of a traffic control system not belonging to the invention, with a safe state indicator component configured to detect an error in the transmission and/or display of the indicative data, and with a web-based operator's workstation.
[0059] Fig. 1 shows the architecture of a traffic control system according to the state of the art. The traffic control system includes the route and train control system RTCS and the operator's workstation OW' with display D. The operator's workstation OW' includes basic integrity indicator components BIC with safety level SIL0 for indicating information with basic integrity (rail traffic management data) on the display D. The operator's workstation OW' further includes a safe state indicator component SSC with safety level SIL>0 for processing state data (safety-relevant information about the states of elements of the route and train control system RTCS). This state data is transmitted from the route and train control system RTCS to the safe state indicator component SSC of the operator's workstation OW'. The safe state indicator component SSC converts the state data into graphical data and thereby generates indicative data, which is then shown on the display D.
[0060] According to the present invention, the traffic control system includes an operator's workstation OW that does not include any components with a safety level of SIL>0, i.e. the operator's workstation only includes components with a safety level of SIL0 or less, such as the basic integrity indicator components BIC. Since the safe state indicator component SSC has been moved out of the operator's workstation OW and is functionally independent of the operator's workstation OW, i.e. implemented in a different way, it can be ensured that there is no mutual interference between the SIL=0 operator's workstation and the SIL>0 safe state indicator component.
[0061] Information with basic integrity is transmitted from the route and train control system RTCS to the operator's workstation OW via channel C1. The safety information (state data), however, is transmitted to the safe state indicator component SSC via a separate channel C2, where it is converted into graphical indicative data. Transmission channel C2 is a derived channel, e.g. implemented by a security gateway, in order to avoid manipulation of the state data. The indicative data is transmitted from the safe state indicator component SSC to the display D of the operator's workstation. In order to avoid falsification of the indicative data due to hardware or software malfunctions, the data is transmitted via the secure channel C3.
[0062] The safe state indicator component SSC can be executed by the indication server IS as shown in Fig. 2, Fig. 3 and Fig. 5 (i.e. an additional computer is provided to execute the safe state indicator component SSC) or by a protected partition of an already existing computer of the traffic control system, as shown in Fig. 4.
[0063] In the first embodiment, which does not belong to this invention and is shown in Fig. 2, the safe state indicator component SSC is integrated into a control center CC together with the operator's workstation OW. The absence of mutual interference between the operator's workstation OW and the safe state indicator component SSC is ensured by providing a separate computer (indication server IS) for executing the safe state indicator component SSC.
[0065] Instead of integrating the safe state indicator component SSC into the control center CC, it is also possible to integrate the safe state indicator component SSC into the route and train control system RTCS, where it is executed either by an indication server (Fig. 3) or by an existing computer of the RTCS itself (Fig. 4). If several route and train control systems RTCS are managed by the traffic control system, each route and train control system RTCS must be equipped with a corresponding safe state indicator component SSC.
[0067] In an example that does not belong to this invention, shown in Fig. 5, the indication server IS with the safe state indicator component SSC is integrated into the computing center RZ, which can be located at a distance from the operator's workstation OW.
[0068] Fig. 6 shows the architecture of a traffic control system according to the present invention using a web-based operator's workstation. The operator's workstation includes a browser B and a read-back component R. The safe state indicator component SSC is configured to retrieve the read-back component R from the operator's workstation OW. By executing the read-back component R, the displayed indicative data is read back (read-back data) and transmitted to the safe state indicator component SSC.
[0069] The following steps describe the implementation of a highly preferred variant of the inventive method using the traffic control system shown in Fig. 6. The corresponding method steps are preferably executed whenever the operator uses the browser to execute safety-critical commands. Safety-critical commands can also be executed explicitly on demand, via a dedicated user interaction mechanism (button, drop-down, etc.). The preferred method steps are as follows:
[0070] 1. The safe state indicator component has the functionality to convert state data into graphical indicative data. The safe state indicator component sends this indicative data via the secure channel to the browser of the operator's workstation. The browser shows this indicative data on the display. The displayed data is read back and the browser calculates the first checksum of the read-back data.
[0071] 2. The read-back data (pixmap data) is sent together with the first checksum to the safe state indicator component via the secure channel.
[0075] 3. The safe state indicator component then compares the first checksum, generated by the browser, with the second checksum, calculated by the safe state indicator component. The second checksum is the checksum of the indicative data generated by the safe state indicator component. This verifies that the indicative data sent to the browser and the resulting read-back pixmap data sent from the browser over the secure channel were not corrupted in any way en route.
[0076] 4. The safe state indicator component then performs the checksum comparison and (if applicable, more specifically if the checksum comparison is successful) a pixel comparison between the read-back data sent by the browser and the indicative data that the safe state indicator component itself generated from the state data. If the comparison is successful, it sends a success notification to the operator's workstation via the secure channel.
[0077] 5. Based on the response of the safe state indicator component, the critical command initiated by the operator is either continued or aborted.
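The exchange in steps 1 to 5 can be sketched with both sides in one file. This is an added example, not code from the patent; SHA-256 as the checksum, the message fields `pixmap` and `checksum`, and all function names are assumptions.

```python
import hashlib
from dataclasses import dataclass


def checksum(pixmap: bytes) -> str:
    # Assumption: the patent does not name a checksum; SHA-256 stands in.
    return hashlib.sha256(pixmap).hexdigest()


def browser_read_back(displayed: bytes) -> dict:
    """Steps 1-2, SIL0 workstation side: read back what is displayed,
    checksum it, and return both over the secure channel."""
    return {"pixmap": bytes(displayed), "checksum": checksum(displayed)}


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def ssc_verify(indicative: bytes, reply: dict) -> Verdict:
    """Steps 3-4, safe state indicator component side (SIL>0)."""
    # Step 3: first checksum (from the browser) vs. second checksum
    # (computed here over the data this component generated itself).
    if reply.get("checksum", "") != checksum(indicative):
        return Verdict(False, "checksum mismatch")
    # Step 4: pixel comparison, only reached if the checksums agree.
    pixmap = reply.get("pixmap", b"")
    if len(pixmap) != len(indicative):
        return Verdict(False, "pixmap size mismatch")
    first_bad = next(
        (i for i, (a, b) in enumerate(zip(pixmap, indicative)) if a != b), None
    )
    if first_bad is not None:
        return Verdict(False, f"pixel mismatch at byte {first_bad}")
    return Verdict(True, "display verified")


def gate_critical_command(indicative: bytes, reply: dict) -> tuple:
    """Step 5: the operator's command continues only on a success verdict."""
    verdict = ssc_verify(indicative, reply)
    return ("proceed" if verdict.ok else "abort", verdict.reason)


# Constructed sample: a 4x4 RGB pixmap as generated by the component.
INDICATIVE = bytes(range(48))

if __name__ == "__main__":
    print(gate_critical_command(INDICATIVE, browser_read_back(INDICATIVE)))
    wrong = bytearray(INDICATIVE)
    wrong[5] ^= 0xFF  # the display shows something else
    print(gate_critical_command(INDICATIVE, browser_read_back(bytes(wrong))))
```

The pixel comparison still matters when the checksums agree: a reply whose checksum field is correct but whose pixmap was altered on the way back is rejected in step 4.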
[0078] The inventive solution is based on the idea of moving the SIL>0 safe state indicator component SSC out of the operator's workstation OW and establishing a secure channel C3 (e.g. by using remote desktop protocols) with enhanced safety measures, in particular according to EN50159. This secure channel C3 is preferably routed through the operator's workstation OW, using a method for verifying correct data transfer. The invention thereby realizes a safe graphical indication of the state of elements of the railway control system (e.g. interlocking, RBC, ...) in the operator's workstation OW, more specifically within the traffic management system TMS, which provides (only) a SIL0 environment.
[0080] Cited documents
[0082] [1] EP 0443377 A2 (Lorenz)
[0083] [2] EP 2683589 B1 (Siemens)
[0084] [3] EP 2244188 A1 (Thales)
[0085] [4] Antweiler: "Bahn-Betriebsleitsystem ILTIS", Signal & Draht, 87 (1995) 10, Seiten 337 - 340
[5] EN 50128 "Telekommunikationstechnik, Signaltechnik und Datenverarbeitungssysteme", Ausgabe: 2012-03
[0086] [6] Mantere, Timo: "Electronic Imaging & Signal Processing - Image comparison based on morphological transforms", 29 November 2007, SPIE Newsroom. DOI: 10.1117/2.1200711.0926
[0087] List of reference signs
[0089] BIC basic integrity indicator component
[0090] C1 transmission channel for information with basic integrity
[0091] C2 transmission channel for safety-relevant information (state data)
C3 secure transmission channel for graphical indicative data
[0092] CC control center
[0093] D display
[0094] IS indication server
[0095] OW operator's workstation
[0096] RTCS route and train control system
[0097] RZ computing center
[0098] SSC safe state indicator component
[0099] TMS traffic management system
Claims (15)
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE102018205235 | 2018-04-06 | ||
| EP18166202.4A EP3549841B1 (en) | 2018-04-06 | 2018-04-06 | Train traffic control system and method for carrying out safety critical operations within a train traffic control system |
| EP18177217.9A EP3549842B9 (en) | 2018-04-06 | 2018-06-12 | Train traffic control system and method for safe displaying a state indication of a route and train control system |
Publications (3)
| Publication Number | Publication Date |
|---|---|
| RS63339B1 RS63339B1 (en) | 2022-07-29 |
| RS63339B9 RS63339B9 (en) | 2022-11-30 |
| RS63339B2 RS63339B2 (en) | 2025-06-30 |
Family ID=62620726
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| RS20220616A RS63339B2 (en) | 2018-04-06 | 2018-06-12 | Train traffic control system and method for safe displaying a state indication of a route and train control system |
Country Status (14)
| Country | Link |
|---|---|
| EP (1) | EP3549842B9 (en) |
| KR (1) | KR102536023B1 (en) |
| AU (1) | AU2019249938B2 (en) |
| DK (1) | DK3549842T4 (en) |
| ES (1) | ES2923182T5 (en) |
| FI (1) | FI3549842T4 (en) |
| HR (1) | HRP20220827T4 (en) |
| HU (1) | HUE059058T3 (en) |
| LT (1) | LT3549842T (en) |
| PL (1) | PL3549842T5 (en) |
| RS (1) | RS63339B2 (en) |
| SA (1) | SA520420235B1 (en) |
| SI (1) | SI3549842T2 (en) |
| WO (1) | WO2019193145A1 (en) |
Family Cites Families (27)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE4005393A1 (en) | 1990-02-21 | 1991-08-22 | Standard Elektrik Lorenz Ag | DEVICE FOR SIGNAL-RELIABLE REPRESENTATION OF A REPORTING IMAGE |
| CH683953A5 (en) † | 1992-04-30 | 1994-06-15 | Siemens Integra Verkehrstechni | Procedure to improve the signal-related safety of the user interface of a data processing system. |
| ITSV20020018A1 (en) † | 2002-05-03 | 2003-11-03 | Alstom Transp Spa | DEVICE FOR PROCESSING OR COMMAND OPERATING IN INTRINSICALLY SAFE |
| GB0411277D0 (en) † | 2004-05-20 | 2004-06-23 | Balfour Beatty Plc | Railway signalling systems |
| DE202005020802U1 (en) * | 2004-11-15 | 2007-03-15 | Abb As | Control system for rail vehicles |
| US8094003B2 (en) † | 2006-11-22 | 2012-01-10 | Sharp Kabushiki Kaisha | Display control unit, on-vehicle display system, display controller, and on-vehicle display |
| GB2445374A (en) † | 2007-01-04 | 2008-07-09 | Westinghouse Brake & Signal | A method for regulating the movement of a train through an area of railway fitted with trackside radio signaling equipment. |
| FR2919951B1 (en) † | 2007-08-08 | 2012-12-21 | Airbus France | SYSTEM FOR PROCESSING AND DISPLAYING DATA |
| US8328143B2 (en) * | 2008-01-17 | 2012-12-11 | Lockheed Martin Corporation | Method for isolation of vital functions in a centralized train control system |
| GB2459097B (en) † | 2008-04-08 | 2012-03-28 | Advanced Risc Mach Ltd | A method and apparatus for processing and displaying secure and non-secure data |
| US9061589B2 (en) † | 2008-05-20 | 2015-06-23 | Freescale Semiconductor, Inc. | Display controller, image processing system, display system, apparatus and computer program product |
| PT2244188T (en) † | 2009-04-25 | 2018-03-13 | Thales Man & Services Deutschland Gmbh | Method for verifying correct data transfer to a video memory |
| US8605044B2 (en) † | 2010-02-12 | 2013-12-10 | Maxim Integrated Products, Inc. | Trusted display based on display device emulation |
| DE102011005188A1 (en) | 2011-03-07 | 2012-09-13 | Siemens Aktiengesellschaft | Railway Control System |
| DE102011090135A1 (en) † | 2011-07-25 | 2013-01-31 | Deuta-Werke Gmbh | Device and method for safety-relevant input via a display device with touch input |
| DE102012207439A1 (en) † | 2012-05-04 | 2013-11-07 | Cassidian Airborne Solutions Gmbh | Method for displaying safety-critical data by a display unit; display unit |
| US20140088802A1 (en) † | 2012-09-27 | 2014-03-27 | Siemens Industry, Inc. | Railway train control system having multipurpose display |
| EP2735962B1 (en) † | 2012-11-22 | 2022-03-09 | Bombardier Transportation GmbH | Colour-discriminating checksum computation in a human-machine interface |
| DE102012221714A1 (en) * | 2012-11-28 | 2014-05-28 | Siemens Aktiengesellschaft | Method for fault disclosure in interlocking computer system with control channel, involves comparing pixel data of display with process data of process image of state information of reference system for display-protection |
| PL2879008T3 (en) * | 2013-11-28 | 2018-11-30 | Thales Management & Services Deutschland Gmbh | Method for handling a safety critical command in a computer network |
| NO2696690T3 (en) † | 2014-01-29 | 2018-03-03 | ||
| ES2619190T3 (en) † | 2014-12-30 | 2017-06-23 | Matthias Auchmann | Method and system for the secure display of information relevant to security |
| DE102015002973B4 (en) † | 2015-03-10 | 2020-09-24 | Airbus Defence and Space GmbH | Method for the joint representation of safety-critical and non-safety-critical information and display device |
| US9811932B2 (en) † | 2015-04-17 | 2017-11-07 | Nxp Usa, Inc. | Display controller, heads-up image display system and method thereof |
| DE102015209448A1 (en) † | 2015-05-22 | 2016-11-24 | Bayerische Motoren Werke Aktiengesellschaft | Method for displaying safety-relevant display elements |
| US20160379381A1 (en) † | 2015-06-23 | 2016-12-29 | Freescale Semiconductor, Inc. | Apparatus and method for verifying the origin of texture map in graphics pipeline processing |
| US20160379331A1 (en) † | 2015-06-23 | 2016-12-29 | Freescale Semiconductor, Inc. | Apparatus and method for verifying the integrity of transformed vertex data in graphics pipeline processing |
- 2018
  - 2018-06-12 RS RS20220616A patent/RS63339B2/en unknown
  - 2018-06-12 ES ES18177217T patent/ES2923182T5/en active Active
  - 2018-06-12 FI FIEP18177217.9T patent/FI3549842T4/en active
  - 2018-06-12 PL PL18177217.9T patent/PL3549842T5/en unknown
  - 2018-06-12 HR HRP20220827TT patent/HRP20220827T4/en unknown
  - 2018-06-12 SI SI201830714T patent/SI3549842T2/en unknown
  - 2018-06-12 EP EP18177217.9A patent/EP3549842B9/en active Active
  - 2018-06-12 LT LTEP18177217.9T patent/LT3549842T/en unknown
  - 2018-06-12 DK DK18177217.9T patent/DK3549842T4/en active
  - 2018-06-12 HU HUE18177217A patent/HUE059058T3/en unknown
- 2019
  - 2019-04-05 AU AU2019249938A patent/AU2019249938B2/en active Active
  - 2019-04-05 KR KR1020207031789A patent/KR102536023B1/en active Active
  - 2019-04-05 WO PCT/EP2019/058618 patent/WO2019193145A1/en not_active Ceased
- 2020
  - 2020-09-28 SA SA520420235A patent/SA520420235B1/en unknown
Also Published As
| Publication number | Publication date |
|---|---|
| SI3549842T1 (en) | 2022-08-31 |
| KR20200140860A (en) | 2020-12-16 |
| EP3549842B1 (en) | 2022-05-11 |
| EP3549842B2 (en) | 2025-02-12 |
| ES2923182T3 (en) | 2022-09-26 |
| DK3549842T3 (en) | 2022-07-18 |
| WO2019193145A1 (en) | 2019-10-10 |
| HRP20220827T4 (en) | 2025-08-01 |
| HRP20220827T1 (en) | 2022-10-14 |
| DK3549842T4 (en) | 2025-05-12 |
| HUE059058T3 (en) | 2023-01-28 |
| DK3549842T5 (en) | 2022-10-31 |
| RS63339B1 (en) | 2022-07-29 |
| AU2019249938A1 (en) | 2020-10-01 |
| EP3549842A1 (en) | 2019-10-09 |
| LT3549842T (en) | 2022-07-25 |
| KR102536023B1 (en) | 2023-05-23 |
| FI3549842T4 (en) | 2025-05-19 |
| SI3549842T2 (en) | 2025-06-30 |
| PL3549842T5 (en) | 2025-11-17 |
| PL3549842T3 (en) | 2022-08-22 |
| EP3549842B9 (en) | 2025-08-13 |
| HUE059058T2 (en) | 2022-10-28 |
| ES2923182T5 (en) | 2025-06-17 |
| RS63339B9 (en) | 2022-11-30 |
| SA520420235B1 (en) | 2022-11-25 |
| AU2019249938B2 (en) | 2022-11-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2021376213B2 (en) | | Connected diagnostic system and method |
| MX2014001538A (en) | | Function-monitoring of a safety element. |
| KR20240021899A (en) | | Method for safe train remote control by processing of image frames via two processing lines |
| GB2468745A (en) | | Graphic display of railway and train operation |
| RS63339B2 (en) | | Train traffic control system and method for safe displaying a state indication of a route and train control system |
| Oransa et al. | | “Railway as a Thing”: New railway control system in Egypt using IoT |
| JP6725454B2 (en) | | Video monitoring system and video monitoring device |
| CN210072356U (en) | | Extended operator control unit display system and operator control unit |
| EP2998185A1 (en) | | System and method for remotely and centrally controlling guided vehicles and trackside devices |
| RS63288B1 (en) | | RAIL TRAFFIC CONTROL SYSTEM AND PROCEDURE FOR PERFORMING SAFETY CRITICAL OPERATIONS WITHIN RAIL TRAFFIC CONTROL SYSTEM |
| JP6630254B2 (en) | | Electronic interlocking device |
| ÜZÜMCÜ et al. | | Usage of digital twin technologies during system modeling and testing in vessel traffic services system project |
| CN104995641A (en) | | Method for revealing errors in a signal box computer system, and signal box computer system |
| Pawlik | | Communication systems’ safety and security challenges in railway environment |
| JPH10320033A (en) | | Equipment monitoring system and equipment monitoring method |
| KR101159682B1 (en) | | Trnasmitting/receiving apparatus for envent occurred in train and processing method thereof |
| CN113570819A (en) | | Line crossing alarm method and system, computer readable storage medium and alarm server |
| DE102019206802A1 (en) | | Measuring device for automation technology with optical data transmission |
| CN112996706B (en) | | Method for preventing the deactivation of an unallowable number of homogeneous components of a rail vehicle |
| EP4393789A1 (en) | | Monitoring system for monitoring one or more work zones within a rail track |
| EP4234359A1 (en) | | System and method for displaying the status of a railway transportation plant |
| KR20100125737A (en) | | CT system for railroad cars |
| CN101297520A (en) | | Communication Systems |
| WO2025076557A1 (en) | | Ai-powered platform system and event recorder with multi-channel audio to text |
| WO2025076277A1 (en) | | Ai powered rail platform system and event recorder with multi-channel audio to text |