(11) EP 3 549 842 A1

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication:
09.10.2019 Bulletin 2019/41

(21) Application number: 18177217.9

(22) Date of filing: 12.06.2018
(51) International Patent Classification (IPC): 
B61L 19/06(2006.01)
B61L 27/00(2006.01)
B61L 21/06(2006.01)
B61L 25/06(2006.01)
(84) Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(30) Priority: 06.04.2018 DE 102018205235
06.04.2018 EP 18166202

(71) Applicant: Thales Management & Services Deutschland GmbH
71254 Ditzingen (DE)

(72) Inventors:
  • SCHÄFER, Michael
    70806 Kornwestheim (DE)
  • TIPLÉ, Abhay
    70188 Stuttgart (DE)

(74) Representative: Kohler Schmid Möbus Patentanwälte
Partnerschaftsgesellschaft mbB
Gropiusplatz 10
70563 Stuttgart (DE)



(54) TRAIN TRAFFIC CONTROL SYSTEM AND METHOD FOR SAFE DISPLAYING A STATE INDICATION OF A ROUTE AND TRAIN CONTROL SYSTEM


(57) The inventive train traffic control system comprises a route and train control system (RTCS), an operator workstation (OW) with a display (D), wherein the operator workstation (OW) comprises at least one basic integrity indication component (BIC) with safety level SIL0 for indicating information with a basic integrity on the display (D), and a safe state indication component (SSC) with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system (RTCS) on the display of the operator workstation (OW), wherein the safe state indication component (SSC) is functionally independent of the operator workstation (OW), and a safe channel (C) connecting the safe state indication component (SSC) and the display (D) for safe transmission of safety-related information about the state of elements of the route train control system (RTCS). The inventive train traffic control system realizes the required high safety level for safe state indication and allows considerable cost reduction and flexibility.




Description

Background of the invention



[0001] The invention concerns a train traffic control system comprising a route and train control system, an operator workstation with a display, and a safe state indication component with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system on the display of the operator workstation. The invention further concerns a method for safe displaying a state indication of a route and train control system.

[0002] Such a train traffic control system is known from [1].

[0003] Route and train control systems are adapted to safely manage routes and movement authorities in railway networks for running trains, and to control and protect trains from running too fast or beyond the end of their movement authority. Typical route and train control systems are, for example, interlocking systems, radio block centers or similar systems.

[0004] Remote control of interlocking systems and other route and train control systems via traffic management systems is becoming increasingly important. Traffic management systems comprise human machine interfaces for operating route and train control systems by a human operator. The route and train control system receives commands from the traffic management system concerning regular operation as well as safety critical operations. Safety critical operations are carried out using the route and train control system in special operational situations or in case of disturbances. In contrast to regular operations, whose admissibility can be checked at any time by the route and train control system, safety critical operations are instructed by the operator while bypassing elements of the route and train control system (e.g. the radio block center or the interlocking system). That is, safety critical operations are operator actions, e.g. safety critical route clearing, safety critical point change, etc., with which the operator can circumvent a safe setting of the system.

[0005] For controlling safety critical operations, high safety requirements have to be fulfilled. In some cases customers require not only a safety critical operation of a route and train control system, but also a safe state indication of the states of the route and train control system, e.g. in case of safety critical operations which bypass the interlocking system, such as a "schriftlicher Befehl" or the operation of an "Ersatzsignal". A "schriftlicher Befehl" is an order from the operator to bypass a route and train control system manually, which has to be given to the train staff or recorded in written form in case of e.g. an operational failure. An "Ersatzsignal" is an additional signal which replaces the order for passing a stop signal. By executing such safety critical operations, the operator can circumvent a safe setting of the system. The basis for the operator's decision whether to execute such a safety critical operation is the state of the route and train control system indicated on the display of the operator workstation. It is therefore an essential requirement that the state of the route and train control system is displayed correctly. Corresponding operator workstations, which fulfill the required safety integrity level (typically SIL2, sometimes even SIL4), have been developed [1], [2], [3].

[0006] Customers now increasingly require the integration of additional non-safety related functionality or SIL0 functions in operator workstations [4]. Yet, this results in large efforts, because it must be ensured that the SIL0 components are non-intrusive ("rückwirkungsfrei") to the SIL>0 environment of the operator workstation. This results in high hardware costs for this dedicated computer and also in high costs for software development, integration and test, because all these components have to be developed according to a high safety integrity level (typically SIL4) in accordance with the standard EN 50128 [5].

[0007] Existing solutions provide only low flexibility and do not meet the customers' requirements. In particular, customers request web-based user interfaces for flexible operation. Users should have the possibility to operate the RTCS not only from a central operator workstation but also from mobile devices. A web-based user interface is an adaptable solution that provides the necessary flexibility.

[0008] A method for secure transmission of data is disclosed in [2]. A method for verifying correct data transfer is disclosed in [3].

Object of the invention



[0009] It is an object of the invention to suggest a train traffic control system, which on the one hand realizes the required high safety level for safe state indication and on the other hand allows considerable cost reduction and flexibility.

Description of the invention



[0010] This object is solved by a train traffic control system according to claim 1 and a method according to claim 10.

[0011] According to the invention, the operator workstation comprises at least one basic integrity indication component with safety level SIL0 for indicating information with a basic integrity on the display. An indication server is provided comprising a safe state indication component with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system on the display of the operator workstation, wherein the safe state indication component is functionally independent of the operator workstation. Further, a safe channel is provided connecting the safe state indication server and the display for safe transmission of safety-related information about the state of elements of the route and train control system.

[0012] The basic integrity indication components and the safe state indication component are software components, i.e. encapsulated building blocks of software.

[0013] The basic integrity indication component indicates any type of information with basic integrity, such as the delay of a train or the weather conditions, of a train traffic control system on a display to inform an operator about the respective conditions of the train traffic control system, the controlled route and train control system and their elements with safety integrity level SIL0. Elements of the route and train control system can be e.g. field elements (points, signals, track vacancy detection systems, level crossings, etc.), logical elements (routes, movement authorities, line block systems, etc.), train related elements (train parameters like speed or length of a train, etc.) or area related elements (zones for temporary speed restrictions, working areas of maintenance staff, responsibility areas of a specific operator, etc.).

[0014] The safe state indication component generates graphical data (indication data) in order to indicate safety related states of the train traffic control system, the controlled route and train control system and their elements with a safety-integrity-level SIL>0, in particular SIL4 to inform an operator reliably about these states. Safety related operations can be executed based on these indications.

[0015] According to the invention, the basic integrity indication component is integrated in the operator workstation, whereas the safe state indication component is functionally independent of the operator workstation. In other words, the function for generating indication data of safety-related information concerning the state of elements of the route and train control system (state data) is outsourced from the operator workstation, i.e. the safe state indication component is functionally separated from the basic integrity indication component and can (but need not) be installed in a separate location. Thus, non-intrusiveness of the SIL0 basic integrity indication components on the safe state indication component can be ensured more easily. Since the operator workstation comprises only low safety components, the operator workstation can be designed with basic integrity (in particular SIL0), which is much cheaper compared to the high safety operator workstation known from the state of the art. Thus, the inventive traffic control system enables safe indication of states of elements of the route and train control system on the display of the operator workstation at low cost.

[0016] The transmission of safety-related information about the state of elements of the route and train control system between the safe state indication component and the display is realized by providing a safe channel (communication channel between the indication server and the display) that transmits graphical indication data to the display and checksum information to the safe state indication component. The procedures to ensure safe communication via this channel are implemented according to the relevant standards (e.g. EN 50159) and the required safety integrity level.

[0017] On the display of the operator workstation, both information with basic integrity and safety-related information, in particular the safe state indication of the route and train control system, are displayed to the operator.

[0018] In a special embodiment of the inventive train traffic control system, the safe state indication component is integrated in the route and train control system, i.e. in a sub-center of the train traffic control system. No further computer is required in this case, which makes this embodiment cost effective. Yet, an additional function has to be integrated in all route and train control systems which are to be controlled by the train traffic control system.

[0019] The safe state indication component can be integrated in an indication server. The indication server can be part of the route and train control system. This is in particular advantageous in case no overall Control Centre exists and only one (small) route and train control system has to be controlled.

[0020] In an alternative embodiment, the system comprises a control center, wherein the indication server is integrated in the control center. This embodiment is advantageous in cases where existing route and train control systems (for example from different suppliers) shall be controlled, since no further functions have to be integrated in the route and train control system. Control centers are known e.g. from DB as "Betriebszentrale" or "Steuerzentrale" respectively and handle the tasks of controlling, securing and dispatching of railway operations.

[0021] In a further alternative embodiment, the indication server is integrated in a remote computer center (remote from the display). This allows the usage of thin-clients for the operator workstation (to reduce the amount of needed energy, noise and space in the control center). The remote computer center can be part of the control center.

[0022] Preferably, the indication server is procedure-protected, i.e. the necessary safety integrity level is achieved by a procedure that, on the one hand, integrates the human user (operator) and, on the other hand, is controlled by a component of the route and train control system. Common industrial computers can be used as indication server.

[0023] Alternatively, the indication server can be a composite fail-safety server, i.e. the indication server is a multi-channel server having a 2oo2 or 2oo3 (two-out-of-two or two-out-of-three) architecture. Safety level SIL4 can be achieved with this embodiment.

[0024] Preferably, the operator workstation is integrated in a traffic management system. The traffic management system may comprise further functions for managing train operation, e.g. delay detection, detection of train occupancy conflicts, (automatic) conflict resolution, management of resources such as maintenance area staff along the route, integration of telecommunications and video surveillance. By integrating the operator workstation in a traffic management system, only one set of input devices (mouse, keyboard etc.) is required for controlling the train traffic. So one operator is able to manage the top-level train operation as well as perform the safety critical operations that require the safe indication.

[0025] In a highly preferred embodiment, the safe channel is routed through the operator workstation. In this case, no further computer is required for transmission of the safety-related information. While, according to the state of the art, state data are transmitted and processed in the workstation leading to an overall safety integrity SIL>0 for the workstation itself, the present invention uses the workstation only as a "grey channel" which is secured by a procedure leading to no additional safety integrity needs for the workstation itself. This reduces the development costs.

[0026] In a highly preferred embodiment the safe state indication component is adapted to calculate a first checksum of the indication data generated by the safe state indication component and is further adapted to carry out a checksum comparison and/or a pixel comparison of pixmap data.

[0027] The safe state indication component is preferably adapted to download a read back component from a browser of the operator workstation.

[0028] The invention also concerns a method for safely displaying safety-related information concerning the state indication of a route and train control system at an operator workstation of a train traffic control system as described above, wherein state data comprising the safety relevant information is transformed into graphical indication data within the state indication component with safety level SIL>0, which is independent (functionally separated) from the basic integrity indication components with safety level SIL0 of the operator workstation, and wherein the indication data are transmitted to a display via the safe channel.

[0029] Safety-related information is transmitted from the route and train control system to the indication server. The indication server generates graphical data (indication data) from the safety-related information, which are then sent to the display of the operator workstation via the safe channel.

[0030] Graphical data of information with basic integrity however are generated within the operator workstation. The graphical data of information with basic integrity are then transmitted within the operator workstation to the display.

[0031] In a highly preferred variant, the safe channel is routed through the operator workstation. In this case, the safe channel is at least partially part of the operator workstation.

[0032] Preferably, the state data is transformed to pixmap indication data and the pixmap indication data are transmitted to the display by using a method for verifying correct transfer of pixmap data. The method for verifying correct transfer of pixmap data preferably comprises:
  a) modifying at least one property of a fixed number of pixels selected from the pixmap indication data in a first memory, the selection being performed in a random way,
  b) transferring the pixmap indication data comprising the modified pixels from the first memory to a second memory,
  c) reading back the modified pixels from the second memory, and
  d) comparing the read-back modified pixels to the modified pixels of the first memory for verifying the correct transfer of the pixmap indication data, wherein the at least one property is modified in such a way that the modification is not observable when displaying the modified pixels on the graphical display. Such a method is described in [3].
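Steps a) to d) above, worked through as an added example (not code from the patent or from [3]). It assumes a pixmap of 8-bit RGB tuples, takes the "not observable" modification to be a flip of the least significant bit of the blue channel, and simulates the transfer between two memories as a copy with an optional injected fault. It also shows the limit of checking only a fixed number of pixels: a fault on a pixel that was not selected passes undetected, which is why the number of marked pixels is a safety parameter rather than a constant.

```python
import random
from typing import Dict, List, Optional, Tuple

Pixel = Tuple[int, int, int]          # (red, green, blue), 8 bit each
Pixmap = List[List[Pixel]]            # rows of pixels
Mark = Dict[Tuple[int, int], Pixel]   # (x, y) -> expected value of a modified pixel


def make_pixmap(width: int, height: int, seed: int = 1) -> Pixmap:
    """Constructed sample pixmap standing in for rendered indication data."""
    rng = random.Random(seed)
    return [[(rng.randrange(256), rng.randrange(256), rng.randrange(256))
             for _ in range(width)] for _ in range(height)]


def mark_pixels(first_memory: Pixmap, count: int, rng: random.Random) -> Mark:
    """Step a): modify one property (the least significant bit of the blue
    channel) of `count` randomly selected pixels in the first memory. A single
    LSB change is below what an operator can perceive on the display."""
    height, width = len(first_memory), len(first_memory[0])
    marks: Mark = {}
    while len(marks) < count:
        x, y = rng.randrange(width), rng.randrange(height)
        if (x, y) in marks:
            continue
        r, g, b = first_memory[y][x]
        first_memory[y][x] = (r, g, b ^ 1)
        marks[(x, y)] = first_memory[y][x]
    return marks


def transfer(first_memory: Pixmap, fault_at: Optional[Tuple[int, int]] = None) -> Pixmap:
    """Step b): copy the pixmap into the second memory. `fault_at` simulates a
    hardware or software fault that corrupts one pixel during the transfer."""
    second_memory = [row[:] for row in first_memory]
    if fault_at is not None:
        x, y = fault_at
        r, g, b = second_memory[y][x]
        second_memory[y][x] = (r, g, (b + 8) % 256)
    return second_memory


def verify_transfer(second_memory: Pixmap, marks: Mark) -> bool:
    """Steps c) and d): read the marked pixels back from the second memory and
    compare them with the values recorded from the first memory."""
    return all(second_memory[y][x] == expected for (x, y), expected in marks.items())


def max_channel_delta(a: Pixmap, b: Pixmap) -> int:
    """Largest per-channel difference between two pixmaps (0 = identical)."""
    return max(abs(ca - cb)
               for row_a, row_b in zip(a, b)
               for pa, pb in zip(row_a, row_b)
               for ca, cb in zip(pa, pb))


def run_check(count: int = 16, fault_at: Optional[Tuple[int, int]] = None,
              seed: int = 7) -> Tuple[bool, Mark, int]:
    """One complete verification cycle on a constructed 64x32 pixmap.
    Returns (transfer verified?, marked pixels, visible impact of the marking)."""
    original = make_pixmap(64, 32)
    first_memory = [row[:] for row in original]
    marks = mark_pixels(first_memory, count, random.Random(seed))
    second_memory = transfer(first_memory, fault_at)
    return (verify_transfer(second_memory, marks), marks,
            max_channel_delta(original, first_memory))


if __name__ == "__main__":
    ok, marks, delta = run_check()
    print("intact transfer verified:", ok, "| max channel change from marking:", delta)
    print("fault on a marked pixel detected:", not run_check(fault_at=next(iter(marks)))[0])
```

The same seed is reused for every `run_check` call so that the fault injection can be aimed at a pixel that is known to be marked (detected) or known to be unmarked (not detected by this method alone); in a deployed system the selection must of course stay unpredictable.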


[0033] In a highly preferred variant the indication data generated by the safe state component is displayed in a web-browser of the operator workstation to provide the necessary flexibility.

[0034] In order to verify that the visualization of the indication data in the browser is indeed what was intended to be displayed, a preferred variant provides that the displayed indication data are read back, in particular by generating pixmap data.

[0035] In a highly preferred variant, the safe state indication component generates a first checksum of the indication data, the browser generates a second checksum of the read back data and transmits the second checksum to the safe state indication component via the safe channel, and the safe state indication component compares the first checksum and the second checksum. Thus, it can be checked whether the transmission of the indication data to the browser and the displaying of the transmitted indication data have been correct. According to this embodiment, the checksum comparison is carried out remote from the operator workstation to separate the safety related comparison from the SIL0 operator workstation.

[0036] Alternatively or in addition the browser transmits the read back data to the safe state indication component via the safe channel and the safe state indication component compares the read back data with the indication data (pixel comparison).

[0037] To avoid false positives in the comparison, algorithms that check only a few pixels (e.g. according to [3]) or morphological comparison algorithms (e.g. according to [6]) are used.

[0038] The present invention realizes a procedure based safe graphical indication of a route and train control system state in a SIL0 traffic management system. Thus, safety related route and train control systems, e.g. interlockings or signaling systems, can be controlled from SIL0 traffic management systems.

[0039] The inventive traffic control system enables execution of safety critical operations in a safety critical system with reduced cost, in particular the execution of safety critical operations which require a safe display of the state of the route and train control system, e.g. because the route and train control system is bypassed by executing the respective safety critical operation.

[0040] Further advantages can be extracted from the description and the enclosed drawing. The features mentioned above and below can be used in accordance with the invention either individually or collectively in any combination. The embodiments mentioned are not to be understood as exhaustive enumeration but rather have exemplary character for the description of the invention.

Drawings



[0041] The invention is shown in the drawing.
Fig. 1 shows the architecture of a traffic control system according to the state of the art.
Fig. 2 shows the architecture of a traffic control system according to the invention with an indication server integrated in a control center.
Fig. 3 shows the architecture of a traffic control system according to the invention with an indication server integrated in the route and train control system.
Fig. 4 shows the architecture of a traffic control system according to the invention, wherein a safe state indication component is integrated in the route and train control system without an indication server.
Fig. 5 shows the architecture of a traffic control system according to the invention with an indication server integrated in a remote computer center.
Fig. 6 shows the architecture of a traffic control system according to the invention with a safe state indication component adapted to reveal errors in the transmission and/or display of the indication data, and a web-based operator workstation.


[0042] Fig. 1 shows an architecture of a traffic control system according to the state of the art. The traffic control system comprises a route and train control system RTCS and an operator workstation OW' with a display D. The operator workstation OW' comprises basic integrity indication components BIC with safety level SIL0 for indicating information with a basic integrity (railway traffic management data) on the display D. The operator workstation OW' further comprises a safe state indication component SSC with safety level SIL>0 for processing state data (safety relevant information concerning states of elements of the route and train control system RTCS). The state data are transmitted from the route and train control system RTCS to the safe state indication component SSC of the operator workstation OW'. The safe state indication component SSC transforms the state data into graphical data and thus generates indication data, which is then shown on the display D.

[0043] According to the invention, the traffic control system comprises an operator workstation OW which does not involve any components with safety level SIL>0, i.e. the operator workstation comprises only components with safety level SIL0 or less, such as the basic integrity indication components BIC. Since the safe state indication component SSC is swapped out of the operator workstation OW and is functionally independent of the operator workstation OW, i.e. implemented in a different way, non-intrusiveness of the SIL=0 operator workstation to the SIL>0 safe state indication component SSC can be ensured.

[0044] Information with basic integrity is transmitted from the route and train control system RTCS to the operator workstation OW via channel C1. Safety relevant information (state data), however, is transmitted to the safe state indication component SSC via a separate channel C2 in order to generate the corresponding graphical indication data. The transmission channel C2 is a secured channel, e.g. secured by means of a security gateway, in order to avoid manipulation of the state data. The indication data is transferred from the safe state indication component SSC to the display D of the operator workstation. In order to avoid falsification of indication data due to malfunction of hardware or software, the data transfer is carried out via a safe channel C3.

[0045] The safe state indication component SSC can either be executed by an indication server IS as shown in Fig. 2, Fig. 3 and Fig. 5 (i.e. an additional computer is provided for executing the safe state indication component SSC) or by a secured partition of an already existing computer of the traffic control system, as shown in Fig. 4.

[0046] In a first embodiment, shown in Fig. 2, the safe state indication component SSC is integrated in a control center CC together with the operator workstation OW. Non-intrusiveness between operator workstation OW and safe state indication component SSC is ensured by providing a separate computer (indication server IS) for executing the safe state indication component SSC.

[0047] Instead of integrating the safe state indication component SSC in the control center CC, it is also possible to integrate the safe state indication component SSC in the route and train control system RTCS, either executed by the indication server (Fig. 3) or by an existing computer of the RTCS itself (Fig. 4). If several route and train control systems RTCS are operated by the traffic control system, each of the route and train control systems RTCS has to be equipped with a corresponding safe state indication component SSC.

[0048] In an alternative embodiment, which is shown in Fig. 5, the indication server IS with the safe state indication component SSC is integrated in a computer center RZ, which can be located remote from the operator workstation OW.

[0049] Fig. 6 shows the architecture of a traffic control system using a web-based operator workstation. The operator workstation comprises a browser B and a read back component R. The safe state indication component SSC is adapted to download the read back component R from the operator workstation OW. By executing the read back component R the displayed indication data are read back (read back data) and transmitted to the safe state indication component SSC.

[0050] The steps below describe the realization of a highly preferred variant of the inventive method by means of the traffic control system shown in Fig. 6. The corresponding method steps are preferably executed any time the operator uses the browser to execute safety critical commands. The safety critical commands might also be executed explicitly on demand through a dedicated user interaction mechanism (button, drop down button, etc.). The preferred method steps are as follows:
  1. The safe state indication component has the functionality to convert the state data into graphical indication data. The safe state indication component sends this indication data via the safe channel to the browser of the operator workstation. The browser displays this indication data on the display. The displayed data are read back and the browser calculates a first checksum of the read back data.
  2. The read back data (pixmap data) along with the first checksum is sent to the safe state indication component through the safe channel.
  3. The safe state indication component then compares the first checksum generated by the browser with a second checksum calculated by the safe state indication component. The second checksum is the checksum of the indication data generated by the safe state indication component. Thereby, it is verified that the indication data sent to the browser and the resulting read back pixmap data sent from the browser through the safe channel were not corrupted in any way en route.
  4. The safe state indication component then does the checksum comparison and (if applicable, in particular if the checksum comparison is successful) a pixel comparison between the read back data sent by the browser and the indication data the safe state indication component itself generated based on the state data. If the comparison is successful, it sends a success notification to the operator workstation via the safe channel. If it is not, it will send a failure notification.
  5. Based on the reply of the safe state indication component, the critical command that was initiated by the operator will be either continued or terminated.
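The five steps above, together with the checksum and pixel comparison of [0035] and [0036], as an added example that is not code from the patent or from the applicant. It assumes that the indication data can be treated as a byte string (a real SSC would rasterise symbols into a pixmap), that the checksum is SHA-256 (the page does not fix the algorithm), and that the SIL0 workstation is modelled as a transport that may flip a byte on either leg of the safe channel C3. The state data, element identifiers and fault injections are constructed for the example. It shows why step 4 keeps a pixel comparison after a successful checksum comparison: a corruption of the read back data on its way back to the SSC leaves the browser's checksum intact and is only caught by the pixel comparison.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed RTCS state data (element id -> state); not real interlocking data.
STATE_DATA: Dict[str, str] = {"P12": "left", "S3": "stop", "T7": "occupied"}


def render_indication(state_data: Dict[str, str]) -> bytes:
    """Step 1, SSC side: convert state data into graphical indication data.
    A real SSC rasterises symbols into a pixmap; here the 'pixmap' is a
    deterministic byte string so that the comparison logic stays visible."""
    return b"".join(f"{k}={v};".encode() for k, v in sorted(state_data.items()))


def checksum(data: bytes) -> str:
    """Checksum over indication or read back data (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def grey_channel(data: bytes, corrupt_index: Optional[int] = None) -> bytes:
    """The SIL0 operator workstation acting purely as transport for C3. It
    forwards the bytes unchanged unless `corrupt_index` injects a simulated
    hardware/software fault that flips one byte en route."""
    if corrupt_index is None:
        return data
    buf = bytearray(data)
    buf[corrupt_index] ^= 0xFF
    return bytes(buf)


def browser_display_and_read_back(shown: bytes, render_fault: bool = False) -> Tuple[bytes, str]:
    """Steps 1 and 2, browser side: display the received indication data, read
    the displayed data back (read back component R) and checksum it."""
    read_back = bytearray(shown)
    if render_fault:               # simulate one wrongly rendered pixel
        read_back[-1] ^= 0x01
    read_back = bytes(read_back)
    return read_back, checksum(read_back)


def ssc_compare(indication: bytes, read_back: bytes, browser_sum: str) -> Tuple[bool, str]:
    """Steps 3 and 4, SSC side: compare the browser's checksum with the
    checksum of the SSC's own indication data; only if that passes, compare
    the read back data pixel by pixel. Returns the notification to send."""
    if browser_sum != checksum(indication):
        return False, "failure: checksum mismatch"
    if read_back != indication:
        return False, "failure: pixel mismatch"
    return True, "success"


def safety_critical_command(state_data: Dict[str, str],
                            corrupt_index: Optional[int] = None,
                            render_fault: bool = False,
                            reply_corrupt_index: Optional[int] = None) -> Tuple[bool, str]:
    """Runs the whole exchange and returns whether the operator's critical
    command may continue (step 5) together with the SSC's notification."""
    indication = render_indication(state_data)
    shown = grey_channel(indication, corrupt_index)            # C3: SSC -> browser
    read_back, browser_sum = browser_display_and_read_back(shown, render_fault)
    read_back = grey_channel(read_back, reply_corrupt_index)   # C3: browser -> SSC
    # The browser's checksum travels with the read back data; passed directly here.
    return ssc_compare(indication, read_back, browser_sum)


if __name__ == "__main__":
    print("intact:", safety_critical_command(STATE_DATA))
    print("corrupted on the way to the browser:", safety_critical_command(STATE_DATA, corrupt_index=0))
    print("wrong rendering:", safety_critical_command(STATE_DATA, render_fault=True))
    print("corrupted on the way back:", safety_critical_command(STATE_DATA, reply_corrupt_index=3))
```

Only a `success` notification lets the operator's command continue; every other outcome terminates it, which is the fail-safe direction for a procedure whose purpose is to confirm that the operator decided on a correctly displayed state.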


[0051] The inventive solution is based on the idea of outsourcing the SIL>0 safe state indication component SSC from the operator workstation OW and setting up a safe channel C3 (e.g. by applying remote desktop protocols) enhanced with safety measures, in particular according to EN 50159. This safe channel C3 is preferably routed through the operator workstation OW, wherein a method for verifying correct data transfer is used. Thus, the invention realizes safe graphical indication of states of elements of the railway control system (e.g. interlocking, RBC, ...) in an operator workstation OW, in particular within a traffic management system TMS that provides (only) a SIL0 environment.

Cited Documents



[0052]
[1] EP 0 443 377 A2 (Lorenz)
[2] EP 2 683 589 B1 (Siemens)
[3] EP 2 244 188 A1 (Thales)
[4] Antweiler: "Bahn-Betriebsleitsystem ILTIS", Signal & Draht, 87 (1995) 10, pages 337-340
[5] EN 50128 "Telekommunikationstechnik, Signaltechnik und Datenverarbeitungssysteme", edition 2012-03
[6] Mantere, Timo: "Electronic Imaging & Signal Processing - Image comparison based on morphological transforms", 29 November 2007, SPIE Newsroom. DOI: 10.1117/2.1200711.0926

List of Reference Signs



[0053]
BIC: basic integrity indication component
C1: transmission channel for information with basic integrity
C2: transmission channel for safety relevant information (state data)
C3: safe transmission channel for graphical indication data
CC: control center
D: display
IS: indication server
OW: operator workstation
RTCS: route and train control system
RZ: computer center
SSC: safe state indication component
TMS: traffic management system



Claims

1. Train traffic control system comprising
a route and train control system (RTCS),
an operator workstation (OW) with a display (D), wherein the operator workstation (OW) comprises at least one basic integrity indication component (BIC) with safety level SIL0 for indicating information with a basic integrity on the display (D), and
a safe state indication component (SSC) with safety level SIL>0, in particular SIL4, for indicating safety-related information concerning the state of elements of the route and train control system (RTCS) on the display of the operator workstation (OW), wherein the safe state indication component (SSC) is functionally independent of the operator workstation (OW), and
a safe channel (C) connecting the safe state indication component (SSC) and the display (D) for safe transmission of safety-related information about the state of elements of the route train control system (RTCS).
 
2. Train traffic control system according to claim 1 characterized in that the safe state indication component (SSC) is integrated in the route and train control system (RTCS).
 
3. Train traffic control system according to claim 1 or 2 characterized in that the safe state indication component (SSC) is integrated in an indication server (IS).
 
4. Train traffic control system according to claim 3 characterized in that the system comprises a control center (CC), wherein the indication server (IS) is integrated in the control center.
 
5. Train traffic control system according to claim 3 or 4 characterized in that the indication server (IS) is integrated in a remote computer center (RZ).
 
6. Train traffic control system according to any one of the claims 3 through 5, characterized in that the indication server (IS) is procedure-protected.
 
7. Train traffic control system according to any one of the claims 3 through 5, characterized in that the indication server (IS) is a composite fail-safety server.
 
8. Train traffic control system according to one of the preceding claims, characterized in that the operator workstation (OW) is integrated in a traffic management system (TMS).
 
9. Train traffic control system according to one of the preceding claims, characterized in that the safe channel (C) is routed through the operator workstation (OW).
 
10. Method for safely displaying safety-related information concerning the state of a route and train control system (RTCS) at an operator workstation (OW) of a train traffic control system according to one of the preceding claims,
wherein state data comprising the safety relevant information is transformed into graphical indication data within the state indication component (SSC) with safety level SIL>0 which is independent from the basic integrity indication components (BIC) with safety level SIL0 of the operator workstation (OW), and
wherein the indication data are transmitted to a display (D) via the safe channel (C).
 
11. Method according to claim 10, characterized in that the safe channel is routed through the operator workstation (OW).
 
12. Method according to claim 10 or 11, characterized in that indication data are pixmap data and wherein the indication data are transmitted to the display (D) by using a method for verifying correct transfer of pixmap data.
 
13. Method according to any one of the claims 10 through 12, characterized in that indication data are displayed in a web browser of the operator workstation.
 
14. Method according to claim 13, characterized in that the displayed indication data are read back.
 
15. Method according to claim 14, characterized in
that the safe state indication component generates a first checksum of the indication data;
that the browser generates a second checksum of the read back data and transmits the second checksum to the safe state indication component via the safe channel; and
that the safe state indication component compares the first checksum and the second checksum.
 
16. Method according to claim 14 or 15, characterized in
that the browser transmits the read back data to the safe state indication component via the safe channel; and
that the safe state indication component compares the read back data with the indication data.
 



