[0001] The invention relates to a system for occupancy detection in a railroad line, or
the like, and for digital communication with trains that run along said railroad line,
according to the preamble of claim 1.
[0002] Such systems are well-known and may have various construction architectures. The
invention has the object of improving a system according to the preamble of claim
1, in such a manner as to allow the use of control and monitoring subunits which have
such a construction and operation as to limit construction efforts, thanks to the
fact that they can be used easily either in combination with existing systems, or
in combination with various system configurations, or in possible combination with
other types of objects to be controlled or monitored, while maintaining very high
safety levels. The invention has the additional object of providing a system as described
hereinbefore, wherein the train detection and digital communication arrangements are
highly simplified.
[0003] The invention achieves the above purposes by implementing the characterizing part
of claim 1.
[0004] The dependent claims relate to improvements of the invention.
[0005] The characteristics of this invention and the advantages derived therefrom will appear
more clearly from the following description of an embodiment which is illustrated
in the accompanying drawings, in which:
Figure 1 is a simplified block diagram of the inventive system, wherein the communication
links to diagnostic devices have been omitted for the sake of simplicity.
Figure 2 is a functional block diagram of the subunit for controlling and monitoring
the track circuit element.
Fig. 3 is a block diagram of the Vital Computer module with reference showing all interfaces
as well as the functional structure.
Figure 4 is a block diagram of the section for controlling and monitoring the Vital
Computer Module.
Figs. 5 and 6 show a chart of the protection section 121 at different detail levels.
Fig. 7 is a block diagram of the module for generating train detection signals and/or
coded communication signals.
Fig. 8 is a block diagram of the demodulator / amplifier.
Fig. 9 is a simplified diagram of the H-bridge.
Fig. 10 is a block diagram of the track interface module, which is also named Protection,
Inversion and Diagnostic module.
Fig. 11 shows a block diagram of the inversion section in greater detail.
Fig. 12 is a schematic view of the inverting operation.
Figs. 13a and 13b are schematic views of the connections for verifying the switch
condition of the inverting relays.
Fig. 14 is a block diagram of the diagnostic section of the track circuit.
Figure 15 is a functional block diagram of the track circuit signal acquisition and
recognition module.
Fig. 16 is a block diagram of the acquisition and recognition module.
Fig. 17 is a diagram of the power supply block for the acquisition and recognition
module.
Fig. 18 is a block diagram of the input circuit.
Fig. 19 is a block diagram of the logic block according to Fig. 17.
Figure 20 is a block diagram of the interface between the acquisition and recognition
module and the Vital Computer Module.
Fig. 21 is a block diagram of the test signal generating section.
[0006] Referring to Figure 1, a system for occupancy detection in a railroad line, or the
like, and for digital communication with trains running along said railroad line comprises
at least one track which forms the railroad line and is divided into a plurality of
successive galvanically insulated segments having a predetermined length, the so-called
blocks, the rails of each segment forming a basic element, named track circuit. In
Figure 1, Track Circuits are indicated as Cdb1, Cdb2 and Cdb3. These Track Circuits
use rails to send the signals that allow train detection on the corresponding track
segment, and to communicate with a train. Moreover, the signals sent to each track
segment may be used to detect any track failures or damages.
[0007] The system includes a central control and monitoring unit 1, which is specially named
Stationary Control Apparatus ASCV, which generates and transmits control signals to
execute train detection procedures and/or train communication procedures relating
to a train T on that track and/or to execute diagnostic procedures. The central control
unit 1 communicates with the track circuit of each block section by means of a control
and monitoring subunit 2, 2', 2'', associated to each block section or track circuit
Cdb1, Cdb2 and Cdb3 to generate and receive codes, which subunit executes the procedures
to detect the presence of a train T within the associated block, the communication
procedures and/or the diagnostic procedures and transmits control signals corresponding
to the presence or absence of the train T within the corresponding block and/or to
the proper communication established with the train and/or diagnostic signals relating
to the track circuit and informs the central control and monitoring unit about the results
thereof. Each control and monitoring subunit 2 is associated to each corresponding
block section and to its respective track circuit Cdb1, Cdb2 and Cdb3, and is connected
to the terminal ends thereof by means of a transmitter 3 and a receiver 4. Each subunit
2 and its respective block Cdb1, Cdb2 and Cdb3 associated thereto are uniquely identified
by a predetermined ID code.
[0008] Hence, the control and monitoring subunit is interposed between the central unit
1 and its respective element Cdb1, Cdb2 and Cdb3, and allows to control the "Track
circuit" element, by providing occupied/unoccupied signalling and code transmission
and decoding functions.
[0009] The subunit 2, 2', 2'' is a modular system which may be configured to be used in
several different application contexts. This disclosure relates to an application
designed for double insulated rail track circuits. In this type of tracks, both rails
are mechanically interrupted, and traction power is returned by inductive connections.
[0010] The control and monitoring subunits 2 are designed for use on two-direction track
circuits and, to this end, a signal transmission inversion feature is provided to
propagate train detection signals and coded communication signals in the direction
opposite to the train running direction.
[0011] Figure 2 shows a preferred embodiment of a control and monitoring subunit.
[0012] The module 102, named Vital Computer Module, is an extended double Europe board (233x220mm),
having "general purpose" features, which includes basic computation and communication
resources and interfaces, by means of a parallel bus, with application-specific I/O
modules. In the application described herein, the Vital Computer Module 102 interfaces
with the module 202 for generating and transmitting train detection signals and coded
communication signals, with the module 302 for acquiring and recognizing track circuit
signals and with a module 402 for interfacing with the rails of the track circuit
element and for inverting the signal transmission direction on the track circuit,
as well as for track circuit diagnostic protection.
[0013] The Vital Computer Module 102 supervises the subunit 2, manages the communication
with the Stationary Apparatus and controls the other modules 202, 302, 402 which compose
the control and monitoring subunit 2.
[0014] The Vital Computer Module 102 has two main sections:
[0015] A control section, which consists of a microprocessor system, including the required
peripherals (program memory, Random Access Memory (RAM), serial interfaces, auxiliary
clock and reset signal generating circuits, watchdogs). The control section includes
processing software, which is identical for all applications, particularly as regards
safety and protection functions, and is specialized by means of application-specific
configuration software, wherein the specific system configuration and the desired
code selections are accounted for. The control section is also allocated all the functions
for communication with the central unit 1 and for managing the interface (VCM_IOBUS)
with the other modules in the control and monitoring subunit 2.
[0016] A vital protection section, i.e. a checking and protecting unit which uses hardware
blocks and safety code-related software blocks which are independent from the specific
system configuration, but form a system for certifying the check codewords or checkwords
being generated by the control section based on the feedback transmitted by the modules
202, 302, 402, controlled by said section to the section itself, to control the compatibility
with the received control and the proper execution of the controlled function. The
checking and protecting unit has the function of ensuring the achievement of a safety
state in case of failures in the control section. The operation of the protecting
section is independent from the specific application. The safety architecture of the
Vital Computer Module 102 is of the reactive type; the protection section has the
task of identifying any behavior which might potentially affect the safety of the
control section and to force the system into a safety state in a given time. The protection
section is designed with inherent fail-safe techniques. Therefore, the Vital Computer
Module 102 accomplishes the following functions:
subsystem control logic;
serial interface with the Stationary Apparatus;
management of the interface with the other boards (VCM_IOBUS) ;
protection logic.
[0017] The module 202 for generating and transmitting train detection signals and coded
communication signals is a power board designed to safely generate the signal to be
transmitted to the track circuit. This is a peripheral board with no microprocessor
and its function is to generate an output signal to the track circuit in response
to the control transmitted by the logic.
[0018] The module shall safely ensure:
that no code is generated other than the requested code;
that the transmitted signal is at a proper level.
[0019] The module is divided into two logic sections: the first section is designed to generate
a digital Pulse Width modulated, or PWM signal, which is the requested code. The second
section is a power amplified Pulse-Width demodulator, or PWM demodulator, which provides
the signal to be transmitted to the track. The Pulse Width Modulation PWM code generation
section is protected by a Pulse Width Modulated (PWM) signal reread function. The
Vital Computer Module 102 receives the information from the reread function and can
compare the code that is actually synthesized by the module 202 with the code required
by the control of the central unit 1. If an inconsistency is found, the Vital Computer
Module 102 disables code transmission by means of a vital mechanism. The demodulation
and power section, cascaded with the generation section, is designed with inherent
fail-safe techniques.
[0020] The track circuit signal acquisition and recognition module 302 is designed to receive
signals from the track circuit and consists of a double digital signal processing
channel and of an input signal decoupling stage, which is designed with inherent fail-safe
techniques.
[0021] The module 302 is a smart card which measures and decodes the signal on the track
circuit.
[0022] The module 302, which is designed to safely measure and decode track circuit signals
uses composite safety design techniques and is composed of the following logic blocks:
a block for decoupling the track circuit signal and generating two distinct signals.
This function is accomplished by implementing inherent fail-safe techniques;
two distinct processing channels, which separately interface with the Vital Computer
Module 102, by means of Dual Port Memories, and which receive two distinct input signals
from the module 302.
[0023] The two Digital Signal Processor (DSP)-based processing channels generate two independent
outputs toward the Vital Computer Module 102. The outputs from the two channels are
checked for consistency by the control section of the Vital Computer Module 102.
[0024] The safety architecture of the module 302 involves a continuous check of each measuring
channel, by using logically generated test signals to ensure, as is shown in greater
detail below, both the protection against common errors, and the detection of failures
on the individual channels.
[0025] The module 402 for interfacing with the rails of the track circuit element and for
inverting the direction of signal transmission in the track circuit, as well as for
diagnostic protection of the track circuit, accomplishes functions of TX/RX inversion
logic, of insulation from/to the yard; measures analog quantities for diagnostic purposes,
and manages the interface with the diagnostic system.
[0026] The module 402 is physically composed of a board and of a Rx and Tx transformer tray,
and implements the two following independent logic blocks:
vital block;
diagnostic block.
[0027] The vital functions accomplished by the first block are:
track circuit inversion;
interfacing with the track and insulation therefrom, both upon transmission and upon
reception.
[0028] The diagnostic functions on yard quantities, accomplished by the second block are:
yard diagnostic circuits (voltages, currents, insulation) ;
microprocessor module for the acquisition of physical quantities and interface with
the diagnostic network;
serial interface with the Vital Computer Module 102.
[0029] The module 402 must safely accomplish the function of interfacing with the track
and of insulation therefrom and the inversion function.
[0030] The interface with the track is obtained by means of insulating transformers (which
are required to ensure that a 4 KVdc voltage is maintained between the control and
monitoring subunit 2 and the track); these transformers are allocated on a different
additional rear tray, but belong functionally and logically to this board. The inversion
function must ensure that the Tx and the Rx are stably connected to the opposite ends
of the track circuit. The safety architecture of this function is of the reactive
type, and such as to ensure that the subsystem may be switched to the safety state
in case of a failure thereof. The board is controlled by the Vital Computer Module
through the VCM_IOBUS, for all vital functions. The architecture also provides a second
communication channel, a serial line, between the module 402 and the Vital Computer
Module 102, which is used to receive useful data for the diagnostic section, i.e.
the transmission direction of the requested signal.
[0031] The diagnostic functions for yard data are handled by an optional commercial module
with an on-board microprocessor, which is designed to manage the diagnostic network.
Diagnostic yard data acquisition circuits are made of non vital hardware; diagnostic
information only relating to the cab/yard interface are transmitted over the diagnostic
network, if present.
[0032] The control and monitoring subunit is designed with reactive safety techniques. From
a functional point of view, the safety of a railroad signaling system/subsystem/equipment
consists in the identification of a safe state and in the implementation of design
techniques that allow safe state restoration upon occurrence of any potentially dangerous
failure. For the control and monitoring subunit 2, when the context of its functions
is considered within the signaling system, the "safe" state is deduced as follows:
no transmission of encoded information to the train, said condition being attainable
either by safely turning the transmission section off or by using standardized signals;
detection of an "occupied" status for the interfaced track circuit;
no dangerous voltages in the parts accessible to the service personnel.
ensuring the maintenance of safety conditions even when:
specification-allowed driving powers are present;
the rail is broken;
the insulation of an insulating joint between two adjacent track circuits is lost.
[0033] In consideration of the function accomplished by the control and monitoring subunit
2 and of response times, e.g. with reference to the actual train detection and/or
code transmission times, the implementation of a reactive safety architecture with
composite safety and inherent fail-safe elements for the main logic is justified.
This approach involves a 64-bit coding of Boolean input variables on two parallel
processing channels (32 bit codeword for each processing channel, with different coding
on the two channels), codeword processing according to a default logic, a recheck
of the outputs by a process separated from the main process, and output generation,
the latter function being accomplished by using fail-safe hardware. The safety architecture
requires that the control process and the protection process are handled by two independent
processors. The control process generates checkwords to feed the protection process,
implemented on a different processor, which cyclically consumes the checkwords and
detects possible control process errors. The intervention of the protection section
forces the control and monitoring subunit 2 into the above defined safety state.
[0034] Advantages may be further obtained from the implementation of a reactive safety architecture
to generate a PWM signal representing the code to be transmitted to the track. The
generated signal is reread and sent to the main logic which, in case of failure, triggers
the protection section.
[0035] Conversely, an inherent fail-safe architecture (i.e. failsafe hw) should be used
for demodulating and amplifying the PWM signal transmitted to the track.
[0036] The inversion function may be advantageously handled by a reactive safety architecture
with fail-safe hw elements. The inverting relays are controlled in a non vital manner
but their status is reread in fail-safe conditions and transmitted to the main logic
which triggers the protection section whenever a failure occurs.
[0037] For all communications from the control and monitoring subunit 2 to the main unit
1 a safety layer (FSFB2) has been selected to ensure the integrity of the information
received and transmitted by the Stationary Apparatus, whereas a system for interconnecting
the boards (VCM_IOBUS) is used, which may ensure the integrity of the information exchanged
between the Vital Computer Module 102 and the other modules 202, 302, 402 inside the
control and monitoring subunit 2. Particularly, for all vital functions connected
to the bus, a unique routing must be safely ensured, as well as the information content,
regardless of their physical and functional features.
[0038] The track signal receiving function shall be accomplished by means of a composite
safety architecture. The architecture in use includes such failure detection mechanisms
as to ensure that a safety state may be restored, in a given time, whenever a failure
occurs at one of the two elements.
[0039] A separation is also recommended between non vital diagnostic functions and vital
functions, as well as the transmission of different signals on adjacent track circuits,
when no path is provided, to allow the detection of insulation losses at the insulating
joints.
[0040] Fig. 3 shows a block diagram of the Vital Computer Module 102 in greater detail.
[0041] The Vital Computer Module 102 has been developed with "general purpose" features,
to execute control, monitoring and protection procedures. The board has such characteristics
that it can be used in several different applications; the application-specific operation
is obtained by modifying the management software and to this end the process software
is separated from the configuration software which contains all system-specific information.
The configuration software which provides the special characteristics of the process
software for the specific application is allocated in a dedicated memory area, e.g.
a flash memory.
[0042] The Vital Computer Module 102 is composed of two distinct functional blocks, i.e.
the control and monitoring section 120 and the protection section 121 respectively.
[0043] The control and monitoring section 120 is based on the use of a microprocessor with
different peripherals, such as, for instance, serial line controllers, timers, etc.;
in the application mentioned herein for the track circuit control and monitoring subunit,
this section is designed to handle the basic functions of the track circuit. It periodically
performs a processing cycle (named main cycle), whereby it communicates, in a vital
manner, with the central control and monitoring unit 1 (wherefrom it receives the
code to be generated and the train running direction, and whereto it transmits track
circuit status information), and controls the other modules 202, 302, 402 to manage
the inversion, the transmission and the reception functions. Furthermore, the control
section 120 periodically performs a recheck of all reactive safety logic blocks (by
rereading the inversion block position and the signal generated by the module 202);
this check, which is performed in the so-called rechecking cycle, is used to verify
the consistency between the control and the detected status.
[0044] The main cycle is used to perform, every T seconds, all low-priority cyclic operations
(e.g. receiving information from the Stationary Apparatus and consequently determining
the controls to be transmitted to the module boards). The second cycle, or recheck
cycle has a duration of 50 ms and is used to perform all the operations that must
be performed more frequently (such as the recheck of the inversion block status and
the verification of the generated signal) to allow a faster failure detection. The
duration T of the main cycle is an integer multiple of the recheck cycle time and
constitutes the time unit of the subsystem.
[0045] The control and monitoring section transmits a set of checkwords to the protection
section, which words are used to verify the proper performance of all safety-related
operations. Each of the two cycles generates a set of checkwords, during its respective
processing operations, which words are named "main checkwords" and "recheck checkwords"
respectively.
[0046] Therefore, the main functions of the control and monitoring section 120 may be summarized
as follows:
receiving from the Stationary Apparatus the information containing the type of code
to be generated and the train running direction;
transmitting the inversion circuit position control to the module 402, and continuously
verifying the actual status of said block;
transmitting the code generation control to the module 202, and continuously checking
that the generated signal, transmitted to the track, is actually the same as requested;
acquiring the track circuit signal from the two channels of the module 302 and checking
the consistency of the information read from the two channels with each other and
with the actually generated code;
transmitting all track circuit status information to the central control and monitoring
unit 1;
diagnostics.
[0047] The microprocessor-based protection section 121 monitors the behavior of the control
section 120 and its own behavior and stops the vital voltage generation whenever a
malfunction is detected. It generates, in vital mode, the voltage used for enabling
the vital switches, on the module 202, which allow the transmission of the generated
signal to the track. The checks performed by the protection section 121 are both logic
and time checks; the protection section periodically receives checkwords from the
control section 120, which checkwords are used to confirm the proper performance of
all safety-related operations, and checks the validity thereof. If the checkwords are
logically correct, arrive in well defined time ranges and no failure is detected
by the self-diagnostic process of the protection section 121, the protection section
supplies power to the vital switches; otherwise, such power supply is removed,
preventing any signal transmission to the track circuit.
[0048] The safety architecture of the Vital Computer Module 102 is of the reactive type;
the protection section 121 has the task of identifying any potential safety jeopardizing
behavior and of forcing the system into a safe state in a given time. The protection
section 121 ensures that vital voltage be disabled both in case of malfunctioning
of the control section 120 and in case of risks identified by the control section
120 on the other modules 202, 302, 402 and in case of failures of the protection section
121 itself. To this purpose, as is better explained below, the protection section
121 is designed with inherent fail-safe techniques.
[0049] Figure 4 is a block diagram of the control and monitoring section 120 of the Vital
Computer Module.
[0050] A CPU 20 is connected to: a RAM memory 21 and a FLASH memory 21', serial line controllers
22, a Polynomial Divider 23, a VCM_IOBUS interface 24, the interface with the protection
section 25.
[0051] The CPU uses a microprocessor, e.g. INTEL i386EX, consisting of a core i386CX and
of a wide set of peripherals; the core has a 32-bit internal architecture and a 16-bit
external bus. The latter is connected with the appropriate support circuits required
for its operation, such as: the Reset generating circuit, Power Down analyzers, several
different oscillators to ensure time independency between the various functions (particularly
there are provided: a 50 MHz oscillator for the microprocessor, a 20 MHz oscillator
dedicated to one of the 3 programmable logics, and a 10 MHz oscillator dedicated to
the two asynchronous serial lines), a Watchdog circuit which is triggered whenever
a malfunction is detected at the control section 120, thereby disabling the interfaces
and generating an interrupt request.
[0052] The memory consists of two fixed RAM chips 21 with a maximum total capacity of 1Mbytes
and two FLASH memory chips 21', with a maximum total capacity of 4 Mbytes. The FLASH
memory 21' contains the application-specific management program and system configuration
parameters.
[0053] Three serial line controllers 22 are provided, one being inside the processor and
the other two outside it. The controller inside the processor manages two asynchronous
channels, which are compatible with the component 16450, whose electric interface
is of the RS232 type.
[0054] The two external controllers are identical, and each of them manages two full-duplex
channels, that can be programmed as synchronous and asynchronous. These controllers
may be managed, depending on the application needs, in polling, in interrupt and in
DMA operation. The electric interface of the two serial lines associated to the first
external controller and used for the connection to the FNET network is of the V35
type (the differential data and clock being of the RS485 type); whereas the one associated
to the second controller is of the RS232 type.
[0055] The block 23 consists of a so-called Polynomial divider (PD), which is a processor's
peripheral based on a programmable device, and used to validate vital data, to generate
CRC polynomials, and to act as a Boolean operator to check the proper sequence of
operations. This check generates checkwords which are passed, inside the Vital Computer
Module, at given times, from the CPU 20 of the control section 120 to the protection
section 121. This function uses a 20 MHz oscillator, to rely on a time base that is
independent from the microprocessor time base.
[0056] The interface VCM_IOBUS 24 is based on a programmable device. The purpose of this
interface is to allow direct management of vital I/O modules or expansion cards with
a compatible interface. The interface VCM_IOBUS ensures:
proper module routing; for this function prior art scrambling and signature techniques
are implemented, e.g. in control units 1.
[0057] The interface with the protection signal is provided by an 8-bit bus, which consists
of a subset of the processor bus used to connect the on-board memories and peripherals.
Through this bus, the CPU transfers the checkwords of vital operations to the protection
section.
[0058] Figures 5 and 6 show the protection section 121 in greater detail. The protection
section has the function to monitor the behavior of the control section 120 and its
own behavior and is triggered in case of improper operation, to set the system into
safety conditions. This is obtained by generating or not generating a voltage that
is known as Vital voltage for enabling the transmission of train detection signals
and/or coded communication signals. This section periodically receives checkwords
(recheck checkwords every 50 ms and main checkwords every T seconds, with T being
an integer multiple of 50 ms) and checks the validity thereof. If checkwords are correct,
it supplies power to vital circuits, i.e. generates the vital voltage, otherwise it
removes such power supply. Checkwords are consumed in a destructive manner, thereby
ensuring that a given set cannot be used more than once. The protection section includes
a vital power supply controller 32 which does not interpret the meaning of received
checkwords, but uses them on the basis of their numeric characteristics, by processing
them as digital signals. Moreover, the checkwords change from one cycle to the other,
since the control section 120 modifies them by an incremental value before transmitting
them.
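The checkword handling of paragraphs [0047] and [0058] (logic check, time check, destructive consumption, per-cycle increment) can be modelled in software as follows. This is an added example, not code from the patent: every name, seed, increment, the jitter window and T = 4 x 50 ms are assumptions, and the plain additive checkword stands in for the polynomial-divider checkwords and the fail-safe Active Vital Filter hardware described in the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All constants are assumed for illustration; the text fixes only the 50 ms recheck period. */
#define RECHECK_MS   50u
#define MAIN_MULT    4u            /* T = 4 x 50 ms (assumed) */
#define WINDOW_MS    5u            /* accepted arrival jitter (assumed) */
#define RECHECK_SEED 0x1F2E3D4Cu   /* constructed checkword start values */
#define MAIN_SEED    0xA5C33C5Au
#define RECHECK_STEP 0x01010101u   /* per-cycle increment (assumed) */
#define MAIN_STEP    0x00010001u

typedef enum { CW_RECHECK = 0, CW_MAIN = 1 } cw_kind;
typedef enum { FAULT_NONE, FAULT_REPLAY, FAULT_STALL, FAULT_BAD_MAIN } fault_t;

typedef struct { uint32_t word; bool ready; } mailbox;  /* one dual-port RAM cell plus RDY flag */

typedef struct {
    uint32_t expected;   /* value the next checkword must carry */
    uint32_t step;       /* increment applied by the control section each cycle */
    uint32_t period_ms;
    uint32_t due_ms;     /* nominal arrival time of the next checkword */
} cw_stream;

typedef struct { cw_stream s[2]; bool vital_on; } monitor;

void monitor_init(monitor *m, uint32_t now_ms)
{
    m->s[CW_RECHECK] = (cw_stream){ RECHECK_SEED, RECHECK_STEP, RECHECK_MS,
                                    now_ms + RECHECK_MS };
    m->s[CW_MAIN] = (cw_stream){ MAIN_SEED, MAIN_STEP, RECHECK_MS * MAIN_MULT,
                                 now_ms + RECHECK_MS * MAIN_MULT };
    m->vital_on = true;
}

/* Logic and time check on one checkword. The cell is cleared on every read,
 * so a checkword set cannot be used more than once. */
bool monitor_consume(monitor *m, cw_kind k, mailbox *mb, uint32_t now_ms)
{
    cw_stream *s = &m->s[k];
    uint32_t word = mb->word;
    bool ready = mb->ready;
    mb->word = 0;
    mb->ready = false;

    bool early = now_ms + WINDOW_MS < s->due_ms;
    bool late = now_ms > s->due_ms + WINDOW_MS;
    if (!m->vital_on || !ready || early || late || word != s->expected) {
        m->vital_on = false;   /* latched off in this model (assumption) */
        return false;
    }
    s->expected += s->step;    /* next cycle must carry a different value */
    s->due_ms += s->period_ms;
    return true;
}

/* Time check for checkwords that never arrive. */
bool monitor_tick(monitor *m, uint32_t now_ms)
{
    for (int k = 0; k < 2; k++)
        if (now_ms > m->s[k].due_ms + WINDOW_MS)
            m->vital_on = false;
    return m->vital_on;
}

/* Simulated control section with one injected fault. Returns the time in ms
 * at which the vital voltage was removed, or -1 if it stayed on. */
int simulate(fault_t fault, uint32_t fault_cycle, uint32_t cycles)
{
    monitor m;
    mailbox mb = { 0, false };
    monitor_init(&m, 0);
    for (uint32_t c = 1; c <= cycles; c++) {
        uint32_t now = c * RECHECK_MS;
        bool stalled = (fault == FAULT_STALL && c >= fault_cycle);
        if (!stalled) {
            uint32_t n = c - 1;
            if (fault == FAULT_REPLAY && c == fault_cycle) n--;  /* resend old word */
            mb = (mailbox){ RECHECK_SEED + n * RECHECK_STEP, true };
            if (!monitor_consume(&m, CW_RECHECK, &mb, now)) return (int)now;
            if (c % MAIN_MULT == 0) {
                uint32_t w = MAIN_SEED + (c / MAIN_MULT - 1) * MAIN_STEP;
                if (fault == FAULT_BAD_MAIN && c == fault_cycle) w ^= 1u;  /* one bit wrong */
                mb = (mailbox){ w, true };
                if (!monitor_consume(&m, CW_MAIN, &mb, now)) return (int)now;
            }
        }
        if (!monitor_tick(&m, now + WINDOW_MS + 1)) return (int)(now + WINDOW_MS + 1);
    }
    return -1;
}

/* Reading a cell that was already consumed must be rejected. Returns 1 if it is. */
int reread_rejected(void)
{
    monitor m;
    mailbox mb = { RECHECK_SEED, true };
    monitor_init(&m, 0);
    bool first = monitor_consume(&m, CW_RECHECK, &mb, RECHECK_MS);
    bool second = monitor_consume(&m, CW_RECHECK, &mb, 2 * RECHECK_MS);
    return first && !second && !m.vital_on;
}

int main(void)
{
    printf("no fault: %d\n", simulate(FAULT_NONE, 0, 20));
    printf("replay at cycle 3: off at %d ms\n", simulate(FAULT_REPLAY, 3, 20));
    printf("stall from cycle 5: off at %d ms\n", simulate(FAULT_STALL, 5, 20));
    printf("bad main word at cycle 8: off at %d ms\n", simulate(FAULT_BAD_MAIN, 8, 20));
    return 0;
}
```

In this model a stalled control section is detected one jitter window after the missed 50 ms deadline, which is the bound on detection latency that the short recheck cycle is meant to provide.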
[0059] Diversity hardware/software safety rules are implemented in the protection section
121 between the controller system and the controlled system (even when inherent fail-safe
hardware is used), as well as data structure navigation rules, with a data structure
of a well-defined class, with predetermined values, though different for each processing
cycle.
[0060] The protection section is composed of the following three functional blocks, as shown
in Figure 5. The block 32 constitutes the checkword processing logic, which is of
the digital type and has the function to process the checkwords received from the
control section 120, by using the Dual Port RAM 33 and to generate a pair of appropriate
frequency signals and duty cycles.
[0061] The Active Vital Filter block 34 has the purpose of safely checking that the characteristics
of the received signals (frequency and duty-cycle) comply with the prescribed characteristics
and of enabling Vital Voltage generation provided that no failure has been detected.
The filter has inherent fail-safe features that ensure that the enabling signal to
the vital generator is only generated if the two input frequencies have the prescribed
frequency and duty-cycle characteristics;
the Vital Generator block 35, also designed with inherent fail-safe characteristics,
has the purpose of physically generating the desired output voltage, if enabled by
the frequency signal coming from the Active Vital Filter 34. This voltage may be used
as a vital enabling signal, for all hardware and software functions that can only
be operative in safety conditions.
[0062] The Processing Checkword Logic PCL block 31 has the function to vitally check the
vital processing operations performed by the Vital Computer Module 102. Checkwords
are exchanged with the control section 120 through a Dual Port Memory 33 and by exchanging
two handshake digital signals, named flags, and more precisely: a REQUEST flag (REQ)
and a READY flag (RDY).
[0063] The data structures provided to the Processing checkword logic "feed" the processing
operations of the logic component thereof and, when correct, cause the safe generation
of two digital signals having precise frequency and duty-cycle and phase relation
values (vital frequencies). The final check element consists of an analog filter 34,
which is designed with inherent fail-safe techniques (Active Vital Filter, AVF) and
which only produces the frequency for enabling the Vital power generator VG 35 if
the digitally generated frequencies are correct in all respects. Therefore, the presence
of this enabling signal safely confirms that the digital logic processing operations,
resulting from the reception of the proper checkwords inside the data structures,
are correct. Any checkword error, or missed reception of checkwords in prescribed
times, causes the vital generator to be disabled.
[0064] In order to ensure that the checking action is constantly vital with time, two rechecking
time cycles are provided in the Vital Computer Module 102 (VCM), which correspond
to the transfer of checkword sets for the system cycle being run (main or recheck
cycle) to the Processing Checkword Logic PCL 31. The main cycle has a period T, an
integer multiple of the recheck cycle, which lasts 50 ms (a time of 50 ms was selected
because it allows an error to be detected and the vital generator 35 to be disabled
in a time short enough to avoid subsystem failures).
[0065] Once the checkwords have been received, the microprocessor of Processing Checkword
Logic 31 processes them, by using a number of software algorithms and rechecking
hardware (CRC adding circuit, time check counters/timers), to safely provide the generation
of two digital signals to confirm proper system operation. The circuit which manages
the reset/watchdog signal of the Processing Checkword Logic ensures proper operation
of the Vital Power Controller logic 31; if the management software, for any reason
or malfunction whatsoever, does not retrigger the Watchdog, a Reset signal is triggered
which attempts a restart of the Vital Power Controller.
[0066] The block diagram of the processing checkword logic 31 is shown in Fig. 6. As shown
in the Figure, the latter also uses a microprocessor, which is independent from the
one of the control section 120. The microprocessor in use is an 8-bit INTEL 8085 microprocessor,
which is itself connected to appropriate support circuits, required for its operation,
such as: a Reset generator circuit, a 5 MHz oscillator used as a clock generator,
a Watchdog circuit to be rearmed in a predetermined time; if this does not occur (e.g.
due to a shutdown of the protection section microprocessor), the watchdog is triggered
to generate the CPU reset signal.
[0067] The following devices are connected to the microprocessor 132: RAM and EPROM memories
232, 232', a Dual Port RAM memory 33, a Timer 332, a Cyclic Redundancy Check or CRC
circuit 432, an I/O Port 532.
[0068] The memory is composed of a fixed RAM chip and an EPROM chip 232, 232'. The EPROM
memory 232' includes the firmware for safely processing the checkwords which is not
application-specific.
[0069] The Dual Port RAM 33, which is based on a programmable logic, is used to exchange
information with the CPU of the control section 120. The checkwords for checking the
vital operations are received through this RAM 33. The arbiter, which controls the
access to the Dual Port RAM, is controlled by the protection section 121 and uses
two digital control lines (READY and REQUEST lines). Both the microprocessor (8085)
of the protection section 121, which has master functions, and the microprocessor
(80386 EX) of the control section 120, which has slave functions, access the Dual
Port RAM 121.
[0070] The timers 332, whose clocks are different from those of the CPU 132, to ensure time
base independence, are 16-bit counters which measure different signals depending on
the function they accomplish; they are used to count the number of "machine states"
of the vital power controller processor and to measure code execution times. The CRC
circuit 432 performs polynomial division operations on sequences of received data,
and generates a result in the form of a 16-bit "remainder" of the division; it is used
for checkword processing operations and for "runtime" check operations on the EPROM
content 232'. The CRC circuit 432 has been provided in hardware form, since it is
a particularly difficult function for the microprocessor, if it is provided in software
form.
[0071] The I/O port is used to drive certain digital signals, more precisely: vital frequency
signals for the Active Safety Filter 34, a Watchdog rearming signal, REQ and RDY signals
for managing the access to the Dual Port RAM 33.
[0072] The Active Vital Filter block 34 is mostly made of a discrete analog circuitry, and
has been designed with inherent fail-safe rules. It has the purpose of safely detecting
the simultaneous presence of signals having well-defined characteristics. If the above
signals comply with the prescribed characteristics (frequency and duty cycle), it
triggers the Vital Voltage generation enabling signal (OK_PWM).
[0073] The peculiar frequency, duty-cycle and timing characteristics required for the wave
forms to be deemed valid, determine a high safety level against self-pulsing, since
the unintentional generation of two signals with such characteristics is highly unlikely.
[0074] If the two signals are transmitted in correct form, and in proper manners and times,
the active filter generates the following output signals:
a signal for enabling the Vital Generator VG 35;
an optoisolated diagnostic signal for informing the operator of proper operation by
turning the ENABLE LED on.
[0075] The Vital Generator block VG, indicated with numeral 35, is itself made of a discrete
analog circuitry, and has been designed with inherent fail-safe rules. This block
has the purpose of physically generating the Vital output voltage (+12Vdc @1.5W),
if it is enabled by the Active Vital Filter 34, from the continuous voltage of 24Vdc1.
This voltage, if present, enables the generation of the code to be transmitted to
the track by the train detection signal and/or the coded communication signal generator.
| Block interfacing signals | | |
|---|---|---|
| Communication bus | | Identifies the address bus, the data bus and the 8085-specific control signals |
| RDY | | Advises the PLC of the end of checkword transfer from the control section |
| REQ | | Advises the control section of the availability to receive new checkwords into the Dual Port RAM. |
| F1 | (PCL→AVF) | Fixed frequency signal (500 Hz 50%) transmitted to the AVF block for the following test phase |
| F2 | (PCL→AVF) | Fixed frequency signal (5 KHz 25% on) transmitted to the AVF block for the following test phase |
| ENABLE | (AVF→PCL) | Operational status of the AVF module, read by the PCL, and duplicated on the LED |
| OUT_F | (AVF→VG) | Enabled Vital voltage generation OK_PWM (5 KHz 25% off) |
| OK_PWM | (VG→PINV) | Vital voltage OK_PWM used to enable signal transmission to the CdB on the PINV board. |

| Output signals | Min. | Typ. | Max. | Unit |
|---|---|---|---|---|
| OK_PWM | - | 12 | - | V |
[0076] Figure 7 is a block diagram of the train detection signal and/or coded communication
signal generating module 202. This module has the function of safely generating the
signal to be transmitted to the track in response to the control given by the Vital
Computer Module 102. Its structure may be used in various contexts in which signals
having different characteristics must be generated. The board is specialized for the
different application contexts by using different configurations of programmable logic
devices.
[0077] The module 202 is composed of the following three logical sections:
[0078] Generator and checker section 40. This section is formed by two different blocks;
the former is a digital synthesizer 140 which provides two logical output signals,
corresponding to the PWM modulation of the signal required by the Vital Computer Module
102. The two generated signals are different, so as to directly drive, downstream
from the vital switches 41, the bridge 143 (Figs. 8 and 9) and to improve the capability
of identifying any malfunctioning of the checker block 240. The second checker block
240, itself consisting of two similar functional sections, has the function of checking
the two PWM output signals of the vital switches 41. Each section dynamically provides
the Vital Computer Module 102, at each check cycle, with a checkword which is a function
both of the signal sampled in that cycle and of a starting word, the so-called precondition,
received by the Vital Computer Module 102. The safety architecture is of the reactive
type: if there is an inconsistency between control information and the reread checkwords,
the protection section 121 of the Vital Computer Module sets the system to a safe
state, thereby disabling the transmission of a signal to the track, through the Vital
Switches (see below).
[0079] The Vital Switch block 41 is formed by two replicated circuits and transfers the
signals from the generator and checker section 40 to the power amplifier section 43,
provided that the "Vital voltage" generated by the protection section 121 of the Vital
Computer Module 102 is present. The Vital Computer Module 102 only generates such
voltage if checkwords are consistent with the requested signal and all other safety
conditions of the system have been checked. The safety architecture of the switches
is of the inherent fail-safe type.
[0080] The power amplifier 43 demodulates the PWM signals and amplifies them to a sufficient
extent for transmission thereof to the track. Said amplifier is of the inherent fail-safe
type, and prevents any degradation of the signal transmitted to the track toward more
permissive conditions.
[0081] The train detection signal and coded communication signal generation module 202 receives
and transmits information and/or controls by using the interface parallel bus (VCM_IOBUS).
[0082] Signal transmission enabling is a discrete signal (OK_PWM) which corresponds to the
"vital voltage" safely handled by the protection section 121 of the Vital Computer
Module 102.
[0083] The control of the code to be generated, as received by the Vital Computer Module
102, through VCM_IOBUS is acquired by the generator programmable logic-based section
140. Depending on the received control, the generator section 140 synthesizes two
logical signals PWM1 and PWM2 corresponding to the generation control required by
the Vital Computer Module 102. It shall be noted that the modulation technique PWM
reports signal amplitude information for the signal to be generated during the ON
periods (logical 1) and OFF (logical 0) of the corresponding PWM signal. The two signals
normally negate each other. When the enabling function is on, i.e. the vital voltage
generated by the protection section 121 of the Vital Computer Module 102 is present,
the two signals PWM1 and PWM2 are transmitted to the power amplifier 43 for generating
the signal to be transmitted to the track.
[0084] The checker section 240 consists of a programmable logic and manages two independent
"checker" sections inside it, which validate PWM1_F and PWM2_F signals respectively
(which, as shown in Fig. 7, are the signals PWM1 and PWM2 downstream from vital switches).
[0085] The generator and checker sections 140, 240 are totally independent, and use two
separate programmable logics and time bases (generated by different clocks). The checker
section allows the control logic of the Vital Computer Module 102 to validate the
signals transmitted to the power amplifier 43, i.e. allows it to check the control
pulse sequences generated by the generator section 140 and transferred to the power
stage through vital switches 41.
[0086] At each control cycle, each checker generates a recheck word toward the Vital Computer
Module 102, which is a function of:
the word preloaded from the Vital Computer Module 102 at each cycle (which is different
depending on the checker and the cycle);
duration and state of the pulses for the signal at the input of the checker 240;
position of the fronts in the above signal.
[0087] The dynamic operation and diversity of the output words issued by each checker is
ensured by the variability of the word preloaded from the Vital Computer Module 102,
which is different depending on the checker and cycle, whereby, even when a constant
PWM signal is present at the input of each checker, different recheck words are generated.
[0088] It shall be noted that the control sent by the generator section 140 and the recheck
word preloading and reading functions of each checker are under strict time control
by the Vital Computer Module 102, whereby the correctness of the PWM sequence, input
to the amplification stage 43 is ensured both by the correctness of checkwords and
by the time between two successive read operations.
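The recheck-word scheme of paragraphs [0086] to [0088], as an added example that is not part of the patent text: each checker folds the preloaded word and the observed pulses into a 16-bit word, and the Vital Computer Module enables the vital voltage only if both words match and the reads fall inside the time window. The CRC-16 polynomial 0x1021, the `pulse_t` layout, all function names and the timing values are assumptions; the page does not specify the checker's function.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One PWM pulse as seen by a checker: logic level and length in clock ticks. */
typedef struct { uint8_t level; uint16_t ticks; } pulse_t;

typedef enum { CHECK_OK, CHECK_BAD_TIMING, CHECK_BAD_WORD } check_t;

/* Fold one byte into the running word.
 * CRC-16 with polynomial 0x1021 is an assumption of this example. */
static uint16_t fold(uint16_t w, uint8_t byte)
{
    w ^= (uint16_t)(byte << 8);
    for (int i = 0; i < 8; i++)
        w = (w & 0x8000u) ? (uint16_t)((w << 1) ^ 0x1021u) : (uint16_t)(w << 1);
    return w;
}

/* Checker side: the recheck word depends on the preloaded word (precondition),
 * on the state and duration of every pulse, and on the position of its edge. */
uint16_t checker_word(uint16_t precondition, const pulse_t *p, size_t n)
{
    uint16_t w = precondition;
    uint16_t edge = 0;                 /* tick at which the current pulse starts */
    for (size_t i = 0; i < n; i++) {
        w = fold(w, p[i].level);
        w = fold(w, (uint8_t)(p[i].ticks >> 8));
        w = fold(w, (uint8_t)(p[i].ticks & 0xFFu));
        w = fold(w, (uint8_t)(edge >> 8));
        w = fold(w, (uint8_t)(edge & 0xFFu));
        edge = (uint16_t)(edge + p[i].ticks);
    }
    return w;
}

/* VCM side: recompute the word from the commanded pulse sequence and the
 * precondition it preloaded, and check the time since the previous read. */
check_t vcm_validate(uint16_t precondition, const pulse_t *commanded, size_t n,
                     uint16_t reread_word, uint32_t elapsed_us,
                     uint32_t min_us, uint32_t max_us)
{
    if (elapsed_us < min_us || elapsed_us > max_us)
        return CHECK_BAD_TIMING;
    if (reread_word != checker_word(precondition, commanded, n))
        return CHECK_BAD_WORD;
    return CHECK_OK;
}

/* The vital voltage (OK_PWM) is enabled only when both checkers agree. */
bool vital_enable(check_t checker1, check_t checker2)
{
    return checker1 == CHECK_OK && checker2 == CHECK_OK;
}

int main(void)
{
    /* Constructed sample data: a constant PWM pattern and two preconditions. */
    const pulse_t pwm[] = { {1, 30}, {0, 10}, {1, 30}, {0, 10} };
    const uint16_t pre1 = 0x1A2B, pre2 = 0x77C4;

    uint16_t w1 = checker_word(pre1, pwm, 4);
    uint16_t w2 = checker_word(pre2, pwm, 4);
    printf("same PWM, different preconditions: %04X vs %04X\n",
           (unsigned)w1, (unsigned)w2);

    /* A word left over from the previous cycle no longer validates. */
    check_t stale = vcm_validate(pre2, pwm, 4, w1, 1000, 900, 1100);
    check_t fresh = vcm_validate(pre2, pwm, 4, w2, 1000, 900, 1100);
    printf("stale word: %d, fresh word: %d, enable: %d\n",
           (int)stale, (int)fresh, (int)vital_enable(stale, fresh));
    return 0;
}
```

Because the precondition changes every cycle, a checker that stops sampling and keeps returning its last word is caught even when the PWM input itself is constant.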
[0089] When a malfunction is detected, the Vital Computer Module can force the system to
a safe state, by disabling the generation of signals to be transmitted to the track,
through vital switches 41. The Vital Computer Module 102 only generates the enabling
vital voltage if checkwords are consistent with the requested signal and all other
safety conditions of the system have been checked.
[0090] The data interface between the Vital Computer Module 102 and the signal generating
module 202 is protected by scrambling vital data to ensure a safe behavior even when
module routing errors on VCM_IOBUS occur.
[0091] The two digital signals PWM1 and PWM2, generated by the generator section 140 are
connected to the power amplifier through Vital switches 41, which use optoisolators
to ensure galvanic insulation between the two sections.
[0092] From the functional point of view, each Vital Switch 41, when enabled, is designed
to pass PWM control pulses toward the drivers of the power stage; vice versa, when
a malfunction is detected, it is disabled and in this case it is designed to cancel
any output control signal.
[0093] To this purpose, each switch is provided in such a manner as to be:
fast enough to ensure the passage of PWM control signals, limit distortions on transmitted
pulses, reduce the delay introduced between the input signal and the output signal
(which delay is to be small and well-defined, so that the feedback signal may be easily
controlled), ensure that no failure may short-circuit the switch, if it is controlled
to be open, ensure, when no vital voltage is present, that the PWM signal is locked,
allow continuous dynamic testing on its operational state, so as to turn it off when
the PWM signal transmitted to the power amplifier is deformed.
[0094] The signal output from each Vital Switch 41 is continuously, independently and autonomously
rechecked by the corresponding certification section, to verify the correctness thereof.
Therefore, any failure, though temporary and only on one of the two switches, involving
a change of the signal output from the Vital Switch, is recognized by the Vital computing
module 102, which disables both switches, thereby sending a "no signal to the track"
control to the power amplifier 43.
[0095] The enabling control is shared by the two switches and is issued by the protection
section 121 of the Vital Computer Module 102 (Vital voltage - OK_PWM). Said control
is only vitally generated when all safety conditions of the system have been checked.
Any failure of the vital switch, in the "enabled switch" state, does not constitute
risk factors because any problem occurring during this operational state is detected
by the feedback recheck system (the protection section 121 of the Vital Computer Module
102, which supervises the safe operation of the subsystem, may disable the Vital Switches).
The switches are made in such a manner as to ensure that an "open switch" condition
does not cause short-circuit failures, or failures resulting in an output signal.
[0096] Both Vital Switches are based on the same inherent fail-safe circuit as the Vital
input modules, so that the same basic safety compliance rules may be used.
[0097] The power amplifier block 43 is used to demodulate and amplify the logical PWM signals
to safely generate the power signal to be transmitted to track and is designed with
inherent fail-safe design techniques. The power amplifier, whose block diagram is
shown in figure 8, is composed of: an H bridge 143, an AC/DC converter 243, a driver
logic 343, an output LC filter 443.
[0098] Strictly speaking, the power section of the power amplifier consists of the H bridge
143, which is supplied with direct current and is driven by the signals output from
the driver logic 343. This block is composed of 4 power switches which are arranged
to form an H (see Fig. 9), two of them being named Top switches (A and C) and two
being named Bottom switches (B and D). The four switches are driven by the check signals
obtained from the two inputs PWM1_F and PWM2_F issued by the vital switches. The PWM1_F
signal at logical 1 enables the closing of switch A, whereas at logical 0
it enables the switch B; the PWM2_F signal operates in the same way on the other pair
of switches. Hence, when PWM1_F and PWM2_F are complementary, a voltage applied to the
load is obtained having a positive, negative or null polarity depending on the
corresponding duty-cycle.
[0099] The AC/DC converter 343 is used to generate, from the 220 VAC input, the DC voltage
required to power the H bridge 143. Also, it is used to generate the insulated auxiliary
supply voltages required by the "Driver logic" block 343.
[0100] The "Driver logic" block 343 is designed to adapt and filter the digital PWM signals,
issued by the Vital switches 41, to directly generate the signals for driving the
power switches of the H bridge. Each switch driving signal has the following characteristics:
logical signal conditioning to adapt the voltage and/or current levels to the values
required by the power switch; galvanic separation of the control signals issued by
the vital switches, by means of an optoisolated circuit; independent supply stage,
different from the supply of the H bridge 143; non-deformation of the PWM information
to be transferred; noise immunity; no self-pulsing which might affect the inherent
safety of the power amplifier.
[0101] Moreover, the four driver circuits, which are comprehensively considered in the bridge-like
switching network, have the following characteristics: the 4 drivers only use two
logical control signals; the TOP and BOTTOM switches of the H bridge may be switched
on simultaneously, to obtain a null voltage on the load; the power switches may be
controlled in columns complementarily to prevent the bridge power supply from being
short-circuited; the time required to open a switch prior to closing the other switch
of the same column is met (to avoid the problem mentioned in the previous item); the
driver power supplies are separate, to prevent the load or the switches from being
short-circuited by common terminals: particularly, three separate power supplies are
used, one for BOTTOM switches, and one for each TOP switch.
[0102] The output LC filter is designed to remove the high-frequency component of the PWM
(25 KHz), including the components of the power block switching frequency, and to
allow the passage of the useful Low Frequency band of the PWM signal spectrum, which
contains the desired harmonic components.
[0103] Fig. 10 is a block diagram of the track interfacing module 402, also named protection,
inversion and diagnostic module. This module accomplishes the following functions:
protection and insulation at 4 KV/5 min from the track; inversion of the signal transmission
direction over the track; in order to ensure that coded information is transmitted
to the train, the signal propagation direction must be opposite to the train running
direction; acquisition and transmission of diagnostic information toward the Stationary
Apparatus.
[0104] These functions are accomplished by the module 402 which is composed of a circuit
board and of a transmit/receive transformer tray.
[0105] The board included in the interfacing module 402 may be logically divided into two
functional areas:
the first area, which is dedicated to signal inversion over the track circuit, includes
the inverting relays, the so-called inversion block 50, and the relevant inverting
relay control and position reading circuits 51. This area is also required to have
protection functions, since it must provide insulation between the relay contacts
connected to the yard cables and the logic circuits.
[0106] The second area, dedicated to diagnostics, includes the circuits 52 for measuring
some electric quantities of diagnostic interest, such as voltages and currents on
the field cables and measuring cable insulation. Again, this area is required to have
protection functions, since it must provide galvanic insulation between the diagnostic
signals and the rest of the control and monitoring subunits 2.
[0107] The Tx/Rx TRANSF tray is connected between the inversion function and the transmission
logic boards of the train detection signal and coded communication signal generation
module 202, the track circuit signal acquisition and recognition module 302. The Tx/Rx
TRANSF tray accomplishes the following functions:
insulation (at 4 KVdc) between the logic boards of the control and monitoring subunit
2 and the yard cables;
transmission signal adjustment;
protection of the receive function against extra-high voltages out of the operational
band of the track circuit;
[0108] Retrieval of quantities to be acquired for diagnostic purposes.
[0109] The tray contains the following components: a transmit transformer TA, having a primary
and secondary winding with variable taps; a receive transformer TR, having a primary
and two secondary windings TR1 and TR2 (TR1 is used for the receive function, whereas
TR2 is used for diagnostic purposes); a printed circuit board, whereon the connector
for the control taps of the TA transformer and an LRC filter designed to protect the
track circuit signal acquisition and recognition module 302 are mounted, connected
in series between the tap TR1 of the TR insulating transformer and the input of said
module 302. The TA transformer is controlled as a function of the distance between
the cab and the track; additional control may be effected on terminal boxes, mainly
relating to the length of the track circuit.
[0110] The most significant functions of the circuit portion of the module 402 are:
relay inversion (including the "Control and Relay position" block and the "Relay inversion
management" block)
diagnostic circuits (including "Diagnostic management" and "RS232 serial communication"
blocks).
[0111] The inversion block 50 shall ensure that the left (Sx) and right (Dx) signals are
stably connected to the opposite ends of the track circuit and that they can be inverted
as a function of the train running direction on the line. In particular, the transmission
direction of the coded signal to be sent to the track shall be always opposite to
the train running direction. In this architecture, the circuit which performs the
inversion is not deemed vital, whereas the function of rechecking the actual position
of the switch is considered vital. Further, since the removal of the transmission
signal from the track is ensured by switching the transmitter off, the inversion function
shall not necessarily safely ensure the disconnection from the track circuit. Moreover,
the inversion block 50, which is directly connected to the track circuit, provides
the required insulation at 4 KVdc between the subsystem and the track.
[0112] The selection control, as well as the function of rereading the position of the inversion
block 50 are handled by the Vital Computer Module 102, through the parallel bus VCM_IOBUS.
[0113] The inversion function is based on the use of a pair of relays, named ddx and dsx
which, when appropriately controlled, connect the transmitter to an end of the CdB
and the receiver to the opposite end. The relay switching function is always performed
when no transmission signal is present; this ensures the required function
reliability; also, if the above operational conditions are considered, no particular
surface treatments are required on relay contacts. The control is coded by a programmable
logic which may be accessed through the VCM_IOBUS, which generates the signals for
driving the two relays. Since this architecture requires an excited relay and a non-excited
relay in order that the transmitter may be connected to one end and the receiver to
the other end, or vice versa, the only admitted combinations of the driving signals
are ON/OFF and OFF/ON. The undesired condition of both excited or non excited relays
is recognized by the reread function, which forces the subsystem to a safe state.
[0114] Figure 13a shows the connection scheme between the two relays and the contact status
for the left (sx) train running direction, whereas Figure 13b is applicable for the
opposite direction.
[0115] Each relay includes: 4 contacts, used for the actual inversion function; 2 contacts,
used for detecting the position of the relays; 1 contact used for diagnostic functions.
[0116] The two relays selected for this function are printed circuit board safety relays,
whose main characteristics are: Forced guide contacts, i.e. mechanically connected
in such a manner that quiescent closed contacts and quiescent open contacts cannot
be closed simultaneously; even when a failure occurs (i.e. a contact is stuck), a
minimum opening distance is ensured for antithetic contacts; contact/contact and contact/coil
4Kdc insulation (which characteristic is required to ensure the necessary insulation
between the subsystem and the track); no exchange contacts are provided, but only
normally closed (NC) or normally open (NA) contacts, which are switched to the opposite
state when the relay is triggered; 3 NC contacts and 4 NA contacts.
[0117] The reread function is handled by the Vital Computer Module 102 which dynamically
circulates two words through two parallel circuits, i.e. MODULE0 and MODULE1 (Figure
13). Each reread circuit uses a NA contact of a relay and a NC contact of the other
relay, connected in series; since the two relays are controlled exclusively, one circuit
has both closed contacts, whereas the other circuit has both open contacts (as shown
by Fig. 13 for the "sx" case). Referring to Figure 13, the words to be recirculated
drive the DRIVE0 and DRIVE1 signals, whereas the reread recheck words use the SENSE0
and SENSE1 signals; the SENSE signal is the logical negation of the corresponding
DRIVE signal, provided that both contacts are closed (which condition may be only
met for one of the two reread circuits). If no reread or an incorrect reread is performed
either by the circuit enabled for word recirculation (both contacts should be closed)
or by the circuit that should be disabled (both contacts should be open), this is
interpreted as an inversion block malfunction.
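The reread check of paragraph [0117], as an added example that is not part of the patent text: a small model of the two series contact loops and of the decision the Vital Computer Module takes from the DRIVE/SENSE words. Which relay feeds which loop, the idle SENSE level of an open loop, the test words, the stuck-line fault and all identifiers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { DIR_SX, DIR_DX } direction_t;
typedef enum { LOOP_ECHO, LOOP_SILENT, LOOP_FAULT } loop_state_t;

/* Model of the inversion block as seen by the reread circuits. */
typedef struct {
    bool ddx, dsx;         /* coil state of each relay, true = excited       */
    int stuck_module;      /* -1 = none, else that module's SENSE is stuck   */
    uint8_t stuck_value;   /* level a stuck SENSE line returns               */
} inv_block_t;

#define IDLE_LEVEL 0x00u   /* assumed SENSE level when the loop is open */

/* A NA contact is closed when its relay is excited, a NC contact when not.
 * Assumed wiring: MODULE0 = NA(dsx) in series with NC(ddx),
 *                 MODULE1 = NA(ddx) in series with NC(dsx). */
static bool loop_closed(const inv_block_t *hw, int module)
{
    return module == 0 ? (hw->dsx && !hw->ddx) : (hw->ddx && !hw->dsx);
}

/* SENSE is the logical negation of DRIVE only through a closed loop. */
static uint8_t sense(const inv_block_t *hw, int module, uint8_t drive)
{
    if (hw->stuck_module == module)
        return hw->stuck_value;
    return loop_closed(hw, module) ? (uint8_t)~drive : (uint8_t)IDLE_LEVEL;
}

/* Circulate several different words through one loop and classify the result:
 * every word negated = closed loop, every word idle = open loop, else fault. */
loop_state_t probe_loop(const inv_block_t *hw, int module)
{
    static const uint8_t words[] = { 0xA5, 0x3C, 0x96 };   /* constructed */
    const unsigned n = sizeof words / sizeof words[0];
    unsigned echoed = 0, silent = 0;

    for (unsigned i = 0; i < n; i++) {
        uint8_t s = sense(hw, module, words[i]);
        if (s == (uint8_t)~words[i])
            echoed++;
        else if (s == IDLE_LEVEL)
            silent++;
    }
    if (echoed == n) return LOOP_ECHO;
    if (silent == n) return LOOP_SILENT;
    return LOOP_FAULT;
}

/* The position is confirmed only if the loop for the commanded direction
 * echoes and the other loop stays silent; anything else is a malfunction
 * and the caller must force the safe state. */
bool inversion_position_ok(const inv_block_t *hw, direction_t commanded)
{
    loop_state_t m0 = probe_loop(hw, 0), m1 = probe_loop(hw, 1);
    if (commanded == DIR_SX)
        return m0 == LOOP_ECHO && m1 == LOOP_SILENT;
    return m1 == LOOP_ECHO && m0 == LOOP_SILENT;
}

int main(void)
{
    /* All four coil combinations, checked against a commanded "sx" direction. */
    for (int c = 0; c < 4; c++) {
        inv_block_t hw = { (c & 1) != 0, (c & 2) != 0, -1, 0 };
        printf("ddx=%d dsx=%d -> position %s\n", hw.ddx, hw.dsx,
               inversion_position_ok(&hw, DIR_SX) ? "confirmed" : "MALFUNCTION");
    }
    return 0;
}
```

Circulating more than one word is what separates a closed loop from a SENSE line stuck at a value that happens to be the negation of a single test word.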
[0118] The vital circuit for rereading the state of the inversion block 50 is designed in
such a manner that any component failure or power supply loss prevents the checkword
from being read: the correctness of the checkword depends on the proper reception
of the checkword by the hardware (scrambling, signature).
[0119] The data interface between the Vital Computer Module 102 and the protection, inversion
and diagnostic module 402 is protected by common signature and scrambling techniques.
[0120] The safety architecture of this function is of the reactive type, and such as to
ensure that the subsystem may be switched to the safety state in case of a failure
thereof.
[0121] The following table lists the signals connected to the inversion block.
| Signals | Wires | Description |
|---|---|---|
| Triggering control | 2 | Control for triggering the two relays |
| Control reread | 2 | Feedback for checking the two control signals |
| UAB connection | 2+2 | Control line toward the track, a pair for the right side and a pair for the left side. Each side will be connected to the transmit or receive transformer depending on the state of the inversion function |
| Receive connection | 2 | Transfer of the signal received by the track to the TR insulating transformer |
| Transmit connection | 2 | Transfer of the signal transmitted to the track to the TA insulating transformer |
[0122] The diagnostic functions for the yard data are implemented on non vital hardware
and are handled by a commercial module with an on-board microprocessor, which is connected
to the system diagnostic network. The commercial module, named Echelon, is a "general
purpose" module, which manages 10 discrete I/O channels; by using an external A/D
converter, it can acquire 8 additional analog channels.
[0123] The microprocessor module includes a second serial RS232 interface, which is connected
to the Vital Computer Module 102 and is used to receive the information required to
check the yard signals, such as the signal transmission direction over the track circuit.
The above module is optional and is only provided when a diagnostic network is available,
e.g. of the Echelon type, whereto diagnostic information about the cab/yard interface
is only transmitted.
[0124] In the architecture of the protection, inversion and diagnostic module, the diagnostic
module is used to acquire the following quantities:
insulation of the left (sx) and right (dx) cables to the track (this information is
also displayed by two front panel LEDs);
current on the secondary winding of the transmit transformer (measured by a Hall effect
sensor)
voltage on the secondary winding of the transmit transformer (measured by a Hall effect
sensor)
power of the signal received in band (the signal is received by a separate secondary
winding of the receive transformer);
power of the signal received out of band;
frequency of the modulating carrier of the transmission signal.
[0125] All the circuits required for signal acquisition and conditioning are powered by
a self-contained power supply and insulated at 4KV DC from the track.
[0126] The structure of the diagnostic module is as shown in Figure 14.
[0127] Figures 15 to 21 show several details of the track circuit signal acquisition and
recognition module. This module is designed as a safety track circuit signal receiver
operating in the 40 Hz-1kHz band, and is used to recognize the coded signals provided
by the n-code block system and the "fixed frequency" signals used when no code is
provided.
[0128] The safety architecture of the APRX module, as mentioned above, includes two acquisition
and conditioning channels 60, 61, which are decoupled by an input stage 62. The latter
is designed with inherent fail-safe techniques, ensuring that the output signals acquired
by the two channels cannot degrade to more permissive conditions due to a failure.
[0129] Each channel 60, 61, based on a Digital Signal Processor DSP, uses dedicated hardware
and includes, as Fig. 16 shows in detail, self-standing test functions, which operate
continuously and independently from the track circuit state.
[0130] Failure detection for each channel is performed by measuring the locally generated
test signals; there are particularly provided: a signal for checking the proper amplitude
of the input signal; a signal for checking the proper frequency of the input signal;
a monitor for all internal supply and reference voltages.
[0131] The negation of failure effects is allocated to the output construction function,
which requires a proper measure of all test and reference signals to generate permissive
output information.
[0132] The board is composed of the following functional blocks: a power supply block 63,
which provides all internal power supplies and reference voltages required by the
two channels of the module 302, an input signal circuit 64, which is designed with
inherent fail-safe techniques and distributes the receive signal to the two channels
60, 61 and allows the amplitude test signal to be added to the input signal; the channel
A 60 and the channel B 61 which are made of replicated hardware. The two channels
operate independently, i.e. acquire the track signal and transmit the code/fixed frequency
information detected on the track to the Vital Computer Module 102 through a Dual
Port Memory 70.
[0133] Each processing channel 60, 61 is in turn composed of the following functional blocks:
a logic 160, 161, having the following functions: measuring the track circuit signal;
measuring the test signals and the internal reference signals; demodulating the signal
and recognizing codes; coding and transferring the information to the Vital Computer
Module 102;
a test logic 260, 261, which provides the test, amplitude and frequency signals
that are used to check the integrity of the measuring channel.
[0134] Each channel uses a Dual Port RAM 70 to exchange information with the Vital Computer
Module 102, through the VCM_IOBUS interface. Said data interface between the Vital
Computer Module 102 and the track circuit signal acquisition and recognition module
302 is protected by scrambling vital data to ensure a safe behavior even when module
routing errors to VCM_IOBUS occur.
[0135] The track circuit signal recognition algorithm used by each of the two channels 60,
61 generates an internal "present/absent signal" word; these words that are predetermined
for each code/fixed frequency signal and different for the two channels 60, 61 are
initialized at the start of each cycle with "absent" code/fixed frequency. Each channel
60, 62 samples the track circuit signal at slightly different sampling frequencies,
i.e. differing by about 16 KHz. Then, the sampled signal is digitally filtered and
analyzed by two parallel processes which discriminate it as a code or fixed frequency
signal, and more precisely:
[0136] Code recognition: the filtered signal is demodulated, thereby obtaining the square
wave which constitutes the code modulating signal. The recognition of a particular
code, as obtained from ON/OFF duration analysis of said square wave, changes the word
corresponding to the recognized code from absent to present;
[0137] Fixed frequency signal recognition: the recognition of the fixed frequency signal
is obtained by comparing the phase of the acquired signal with an internal 50Hz reference
signal. The recognition of a particular fixed frequency signal is obtained by analyzing
the above phase difference in the time domain (phase/counterphase and transition times);
the word corresponding to the recognized fixed frequency signal is changed from absent
to present.
[0138] Each of the above internal words, associated to any code or fixed frequency signal,
is further changed and made available to the Vital Computing Module VCM 102 in the
Dual Port memory 70, by a process that uses a word, named "Time Stamp", preloaded
from the Vital Computing Module 102 at every cycle and varying from one cycle to the
other; the previously determined detected/absent code/fixed frequency word; the proper
measure of all test and reference signals.
[0139] The dynamic operation and diversity of the output words issued by each channel is
ensured by the variability of the "Time Stamp" preloaded from the Vital Computing
Module 102, and varying from one cycle to the other, and by the different code/fixed
frequency coding performed by the two channels 60, 61, whereby even when the same
signal is detected at the input of the two channels, different status words are generated.
[0140] The function of comparing the results produced by the two channels 60, 61 is not
allocated to this module, but to the Vital Computing Module 302. This design arrangement
allows the function to be accomplished in a self-standing manner.
[0141] The following table lists, as schematically shown in Figure 17, the interface signals
between the module 302 and the other boards of the control and monitoring subunit
2.
| Signals | Lines | Description |
|---|---|---|
| VCM_IOBUS | 41 | Parallel bus for communicating vital information to the VCM |
| Rx Input | 2 | Insulated track signal receiving line from MPD/CC |
| +5V | | System supply generated by the switching power supply |
| 24Vdc2 | 2 | Self-contained power supply generated by the PAL. |
[0142] As shown in Figure 16, the Power supply block 63 and the Input Signal Circuit block
62 are common to both channels; a description will be provided below for both common
blocks, whereas only one of the two processing channels, which are functionally identical,
will be described.
[0143] Figure 17 schematically shows the functional block for generating internal power
supplies. This block has the following inputs:
+5 VDC: voltage generated and controlled by the switching power supply contained in
the logic frame. The following internal power supplies are obtained from this power
supply voltage, thanks to voltage regulators replicated for the two channels:
the voltages of 3.3V / 1.8 V and ± 5V required for proper operation of the logic;
[0144] The test ref. Voltage (2.5V) used as a reference voltage for generating the amplitude
test signal;
24Vdc2: the following internal power supplies are obtained from this voltage:
a voltage of 4.1 V which is used as a reference for the amplitude of the track signal;
replicated voltage regulators are provided at the two channels for this function.
the powering voltage for both the track signal measuring device and the frequency
test signal generator.
[0145] The generated voltages are summarized in the following table:
| Generated power supplies | Description |
|---|---|
| Power supplies for the logic of the two channels A/B | Generated by a voltage of +5V by means of a voltage regulator (3.3/1.8) for the operation of the logic of the two channels. |
| Ref. Test1 signal gen. Channels A/B | Voltage generated by the 5V voltage as a reference for the test1 signal. |
| Power supply for the +5V logic of channels A/B | Power supply voltage of +5V for the two channels. |
| Reference for measuring channels A/B | Voltage generated by the 24VdC2 voltage as a reference for measuring the channels. |
| I/O ADC Power supply for channels A/B | Power supply voltage generated by the 24VDC2 voltage, for the I/O device and the ADC converter of the two channels. |
| Supp. Test2 signal gen. Channels A/B | Power supply voltage generated by the 24VDC2 voltage for the test2 signal generator. |
[0146] The above functional block 63 meets the following safety rules:
it ensures the independency between the reference voltages that are used to measure
the track signal (as derived from the 24V2 voltage) and the voltage that is used to
generate the amplitude test signal. This allows to detect any measuring reference
voltage changes caused by failures or supply voltage variations.
it ensures the independency between the voltage used to generate the time base of
the logic (derived from the 5V voltage) and the voltage used to generate the frequency
test signal (derived from the 24 VDC2) ;
it ensures the independence of reference voltages between the two processing channels.
This condition is achieved by using physically separated voltage regulators.
[0147] Fig. 18 shows the block diagram of the input circuit 62 for the track circuit signal,
which is composed of the following functions: bridge adder 162, antialiasing filters
262.
[0148] The signal input stage 62 includes a bridge adder 162 which accomplishes the double
function of distributing the track circuit signal to the two measuring channels 60,
61 and of adding the amplitude test signal of each channel to the track signal.
[0149] The input signal circuit is designed in an "inherent fail-safe" manner, to safely
ensure that the ratio between the block output voltage and the input voltage does
not increase, due to failures, without being detected through test signal measurement.
[0150] This block uses a transformer having two secondary windings for signal distribution.
Test signals are injected by creating a bridge which is balanced between a center
tap of the secondary winding and the signal measuring point. The components of the
measuring bridges shall have such a technology as to ensure that no voltage increase
can be expected on the measuring point due to failures.
[0151] Choosing to use a test signal to check the signal measuring amplitude ensures
the detection of failures downstream from the test signal injection point (for this
reason, said injection point shall be situated at the uppermost point); all circuits
upstream from the amplitude test signal injection point shall be designed with inherent
fail-safe rules.
[0152] Downstream from the signal separation block 164, a low-pass, antialiasing filter
is provided for each processing channel 60, 61. The filter has such a cutoff frequency
as to ensure that the module 302 has an input band of 1 KHz.
[0153] The potential effects of the antialiasing filter 262 on safety might be:
an altered input/output signal ratio; particularly, a gain increase (or an attenuation
decrease) has adverse effects on safety. This hypothetical event is detected by measuring
the amplitude test signal, which is injected upstream from the antialiasing filter
264. Moreover, since the filter is only made of passive components, which have a negligible
attenuation in the pass band, this event is actually impossible;
an altered cutoff frequency. An increase of the cutoff frequency beyond half of
the sampling frequency (Nyquist's theorem) potentially affects safety, because power
noise might be expected beyond such frequency, with such characteristics that it may
be confused with the expected signals, due to aliasing. The remedy therefor is allocated
in the logic block, which uses a sampling frequency of ∼ 16 KHz, therefore above the
train noise band. Further, the use of modulated signals both in code transmission
conditions and in no-code conditions provides an additional safety key.
[0154] The logic functional block 160, 161, as shown in Fig. 21, accomplishes the following
functions:
sampling 8 analog signals, with a sampling frequency of up to 18 KHz per channel;
processing the acquired signals;
interfacing with the Vital Computing Module 102.
[0155] The logic functional block is composed of the following three physical blocks:
an acquisition block 80, which is based on an analog to digital converter ADC device
for sampling and measuring 8 analog signals;
a processing block 81, which is based on a microprocessor specifically designed for
Digital Signal Processing (DSP) operations, and on the use of flash memories, clocks,
and oscillators;
an interface 82 with the Vital Computing Module 102.
[0156] The acquisition block 80 is composed of an ADC device having eight input channels,
that are used as follows:
channel 1: track signal sampling. It shall be noted that the track signal is amplitude
translated due to the presence of the amplitude test signal
channel 2: frequency test signal sampling.
channels 3, 5, 7: internal reference voltage sampling
channels 4, 6, 8: grounding reference sampling.
[0157] The ADC devices provide a digital output corresponding to the input voltage upon
sampling; this output value depends on the reference voltage provided to the device.
[0158] The architecture of the measuring channel, which uses the above test signals, allows
to detect and appropriately handle any measuring errors.
[0159] It shall be noted that the choice of adding the amplitude test signal to the track
signal allows for a complete and continuous check of the acquisition channel dedicated
to track signal measurement.
[0160] Other potential signal sampling errors may be:
wrong acquisition channel: the signals existing on the different channels of the ADC
have been defined with such different frequency, modulation and amplitude characteristics
that they cannot be confused. This malfunction prevents any recognition of the signals
for the relevant channels.
sampling frequency drift: this risk is prevented by measuring the frequency of the
frequency test signal which, as mentioned above, is not generated by the time base
generating device of the logic section.
[0161] Each channel 60, 61 is equipped with a DSP microprocessor; such microprocessors are
specifically designed to perform sequential multiplication and addition operations
to determine digital filters. The DSP processor, which executes the application software,
is designed to filter and demodulate the signals and recognize the codes thereof.
Also, this block includes the auxiliary circuits required for DSP operation, more
precisely:
a clock generator, the drifts of this signal being detected by measuring the frequency
of the frequency test signal;
a flash memory which is used for storing the application program, in power failure
conditions. The power-on code integrity check protects against all risk associated
to this function;
[0162] RAM memory: the DSP microprocessors of the selected family include an "on chip" RAM
memory which is sufficient for state-of-the-art applications, therefore no additional
memory is required at present. For future applications, an optional additional memory
has been expected to be added to the board;
a programmable logic-based device which forms the Dual Port memory in common with
the Vital Computer Module 102 and other logic functions such as external address decoding,
and acquisition device control.
[0163] An interface with the Vital Computer Module 102. This interface is provided by a
Dual Port memory. Any simultaneous access to the memory by the Vital Computer Module
102 and the track circuit signal acquisition and recognition module 302, i.e. the
VCM and the APRX is managed by dedicated logic circuits. Both the Dual Port Memory
and the relevant logic circuits consist of programmable hardware. The protection against
any failure of the Dual Port memory function, such as data freezing, wrong routing
or wrong access arbitration is provided by software remedies.
[0164] For each processing channel 60, 61, two different routing areas are provided, designed
for vital and non vital information exchange respectively. As shown in Fig. 20, when
predetermined vital data areas are routed, the data provided by the module 302 are
changed by the mechanical scramble of bus data, which is physically performed on the
mother board. Scrambling is performed in a different manner for each mother board
position; this technique allows to differentiate the outputs generated by each module.
This provides a protection against any routing errors for the modules on the VCM_IOBUS.
Accesses to non vital areas are not differentiated by scrambling; this simplifies
the management of non vital data inside the Vital Computing Module, thereby avoiding
any decoding as a function of the routed module.
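The following added example (not taken from the patent) models the vital word exchange of paragraphs [0138] to [0140] and [0163] to [0164]: each channel combines its present/absent word with the cycle's Time Stamp and its test result, the motherboard permutes the bus lines per slot, and the Vital Computer Module accepts a signal only if both diverse words check out. The 16-bit width, the XOR combination, the rotation used as slot scramble, the function names and all word values are assumptions made for the illustration.

```python
MASK = 0xFFFF        # 16-bit vital words (assumption; the page gives no width)

# Constructed tables: "present" words differ per signal and per channel.
PRESENT = {
    "A": {"code75": 0x3A5C, "code120": 0x59C6, "code180": 0x6E31,
          "code270": 0x9B4D, "fixed": 0xC2E7},
    "B": {"code75": 0xA1D3, "code120": 0x4F82, "code180": 0xD70B,
          "code270": 0x26F9, "fixed": 0x7C14},
}
ABSENT = {"A": 0x5555, "B": 0xAAAA}          # constructed "absent" words
TEST_NOMINAL = {"A": 0x1D2B, "B": 0xE4A9}    # word yielded by correct test measures


def rotl16(word, n):
    """Rotate a 16-bit word left by n positions."""
    n %= 16
    return ((word << n) | (word >> (16 - n))) & MASK


def channel_write(channel, signal, detected, time_stamp, test_word):
    """Word the channel stores in the Dual Port memory for `signal` this cycle."""
    state = PRESENT[channel][signal] if detected else ABSENT[channel]
    return state ^ time_stamp ^ test_word


def bus_read(stored_word, slot):
    """Motherboard wiring: data lines of the vital area are permuted per slot."""
    return rotl16(stored_word, slot)


def vcm_accepts(bus_word, expected_slot, channel, signal, time_stamp):
    """VCM side: undo the expected slot wiring, strip stamp and test word."""
    word = rotl16(bus_word, 16 - expected_slot)
    return (word ^ time_stamp ^ TEST_NOMINAL[channel]) == PRESENT[channel][signal]


def signal_present(bus_a, bus_b, slot, signal, time_stamp):
    """Permissive only if both diverse channel words are valid for this cycle."""
    return (vcm_accepts(bus_a, slot, "A", signal, time_stamp) and
            vcm_accepts(bus_b, slot, "B", signal, time_stamp))


def cycle(signal, stamp_vcm, stamp_used=None, slot=2, slot_answering=None,
          detected_a=True, detected_b=True, test_a=None):
    """One VCM cycle; each optional argument injects one fault.

    stamp_used      stamp the module actually used (stale = frozen memory)
    slot_answering  slot whose module answered (differs on a routing error)
    detected_a/b    recognition result of channel A / B
    test_a          test word measured by channel A
    """
    stamp_used = stamp_vcm if stamp_used is None else stamp_used
    slot_answering = slot if slot_answering is None else slot_answering
    test_a = TEST_NOMINAL["A"] if test_a is None else test_a
    word_a = channel_write("A", signal, detected_a, stamp_used, test_a)
    word_b = channel_write("B", signal, detected_b, stamp_used, TEST_NOMINAL["B"])
    return signal_present(bus_read(word_a, slot_answering),
                          bus_read(word_b, slot_answering),
                          slot, signal, stamp_vcm)
```

In this model a frozen memory content, a module answering from another slot, a disagreement between the channels and a wrong test measure all yield the same result: the signal is not reported as present.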
[0165] The test logic module 260, 261, as shown in Figure 21, generates two test signals,
i.e.:
Test1 to check the amplitude of the measuring channel;
Test2 to check the time base of the measuring channel.
[0166] The generation of the Test1 signal provides a signal whose amplitude may be set by
the logic; the logic cyclically changes the amplitude of the test signal so as to
ensure the function vitality. For safety reasons, the reference voltage used for generating
the signal Test1 and that used for measuring the track signal are independent and
generated by self-contained power supplies. This condition is provided by the "Power
supply" block, which generates the measuring reference voltage from the external voltage
of 24Vdc2 and the reference for generating the test signal from the external voltage
of +5V. This technique ensures that each channel can independently detect such changes
of any power supply voltages as to alter the reference voltage values.
[0167] Conversely, the Test2 signal has the purpose of providing the logic function with
a time base-unrelated frequency reference. To this end, the safety architecture of
the module includes, for this function, a dedicated oscillator whose supply voltage
is independent from the logic powering voltage (the voltage of +5Vb, as illustrated
in Fig. 22, is generated by the "Power supply" block, from a voltage of 24VDC2, whereas
the logic supply derives from the +5V voltage).
[0168] Fig. 22 shows a particular configuration of the system, wherein fixed current signals
are used for train detection, as well as a four code train communication signal coding.
[0169] A train is detected by injecting a fixed current signal in each track circuit, i.e.
a signal having a fixed current level once it is decoded. The signal transmitted by
the transmitter to the track circuit toward the receiver in a direction opposite to
the train running direction is received if no train is detected. When a train is present,
the rails are short-circuited by the train itself, and the receiver is not reached
by any signal.
[0170] The control and monitoring subunit 2 according to the invention and to the above
disclosure may be appropriately programmed by the appropriate system-specific configuration
program, which cooperates with the processing program, independent from the system-specific
structure, for the ITALIA 4 code Automatic Block application, and can handle (transmit/receive/recognize)
the following signals:
codes;
"fixed frequency" signal, which is used to obtain the occupied/unoccupied function
when no code is provided (no path or routing).
[0171] As described above, the track circuit is coded by interrupting a carrier frequency
a predetermined number of times per minute (amplitude modulation). This application
uses four code types. These types are obtained by using a 50 Hz carrier interrupted
75, 120, 180 or 270 times a minute (the corresponding code is indicated by the number
of interruptions per minute).
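The code recognition described in [0136] and [0171], as an added example that is not part of the patent: a 50 Hz carrier interrupted 75, 120, 180 or 270 times a minute is envelope-demodulated into a square wave, and a code is reported only after several consecutive cycles whose ON and OFF durations both match. The equal ON/OFF split, the simulation sampling rate, the tolerance, the number of confirming cycles and all function names are assumptions.

```python
import math

F_CARRIER = 50.0               # Hz (from the page)
CODES = (75, 120, 180, 270)    # carrier interruptions per minute (from the page)
FS = 2000                      # Hz, simulation sampling rate (assumption)
TOL = 0.15                     # relative ON/OFF timing tolerance (assumption)
MIN_CYCLES = 3                 # consecutive matching cycles required (assumption)


def keyed_carrier(code, seconds):
    """Constructed input: 50 Hz carrier interrupted `code` times a minute.

    code=None gives the uninterrupted carrier. Equal ON and OFF times are an
    assumption; the page only gives the interruption rate.
    """
    out = []
    for n in range(int(seconds * FS)):
        t = n / FS
        on = code is None or (t % (60.0 / code)) < 30.0 / code
        out.append(math.sin(2 * math.pi * F_CARRIER * t) if on else 0.0)
    return out


def demodulate(samples):
    """Envelope detector: returns the square wave as [level, duration_ms] runs."""
    win = int(FS / F_CARRIER)                     # one carrier period
    runs, level = [], 0
    for end in range(win, len(samples) + 1):
        # Mean power over one carrier period: 1.0 with carrier, 0.0 without.
        power = 2.0 * sum(s * s for s in samples[end - win:end]) / win
        level = 1 if power > 0.75 else 0 if power < 0.25 else level
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1000.0 / FS
        else:
            runs.append([level, 1000.0 / FS])
    return runs


def match_cycle(on_ms, off_ms):
    """Code whose nominal ON and OFF durations both fit this cycle, else None."""
    for code in CODES:
        half = 30000.0 / code                     # half of the 60000/code ms period
        if abs(on_ms - half) <= TOL * half and abs(off_ms - half) <= TOL * half:
            return code
    return None


def recognize_code(runs):
    """Code confirmed by the last MIN_CYCLES complete cycles, else None (absent)."""
    inner = runs[1:-1]                            # edge runs are cut by the window
    if inner and inner[0][0] == 0:
        inner = inner[1:]                         # start on an ON run
    cycles = [match_cycle(on[1], off[1])
              for on, off in zip(inner[0::2], inner[1::2])]
    last = cycles[-MIN_CYCLES:]
    if len(last) < MIN_CYCLES or None in last or len(set(last)) != 1:
        return None
    return last[0]
```

An uninterrupted carrier, an interruption rate outside the four codes, or a single malformed cycle among the last three all leave the result at "absent", which mirrors the initialization to "absent" at the start of each cycle.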
[0172] The characteristics of the Fixed Current (CF) train detecting signal must ensure
the maintenance of safety conditions even when insulation losses occur at the joints
between adjacent track circuits. The architecture of the control and monitoring subunit
2 according to the invention allows to provide a transmitter for each track circuit
connected by the network with the central control and monitoring unit 1. The carriers
that are used by transmitters are produced locally, hence with no phase relation with
each other. No assumption can be made regarding the phase difference between two adjacent
track circuits.
[0173] Therefore, a modulation shall be introduced in the CF signal, which is different
between adjacent track circuits and is adapted to ensure safety conditions even when
power is transferred from a track circuit to the following one.
[0174] The arrangement implemented herein includes the use of different CF signals (4 sets)
to be appropriately allocated to track circuits so as to ensure that said signal is
not present on adjacent track circuits. In all sets, the signal is composed of a 50
Hz carrier alternately transmitted in phase and in phase opposition with respect to
a hypothetical 50 Hz reference. The sets are differentiated by the time intervals
between two successive phase steps. Opposed sections are connected by 5 periods of a
55.55 Hz signal, to ensure a progressive transition. This arrangement provides, at the output
of a 50Hz tuned pass band filter, a constant amplitude signal, which ensures occupancy
detection anytime.
[0175] The implemented signal is shown in Figure 22.
[0176] Signal frequencies are selected based on the following rules:
50 Hz and 55.55 Hz frequencies cannot disturb, or be disturbed by, any track circuit
equipped with adjacent phase control receivers; it shall be noted that the two systems
use the 50 Hz frequency in different manners, i.e. the phase control receiver uses
it in continuous wave, and the control and monitoring subunit 2 according to this
invention uses it for alternation with the 55.55 Hz frequency.
the filter attenuation at the input of the signal acquisition and recognition module
(which is tuned around 50 Hz) at the frequency of 55.55 Hz is compensated by the amplification
of track inductive connections;
an appropriate noise mask, such as the noise mask FS-96 ensures that, around 50 Hz,
no noise can limit normal operation.
[0177] The duration of section T1 is used to differentiate the different track circuit sets,
as indicated in the following table:
| set | T1 | No. of 50 Hz periods | total signal period T = 2T1 + 2T2 |
|---|---|---|---|
| A | 260 ms | 13 | 700 ms |
| B | 360 ms | 18 | 900 ms |
| C | 460 ms | 23 | 1100 ms |
| D | 560 ms | 28 | 1300 ms |
[0178] The section T2 has a duration of 90 ms (5 f2 periods), which value allows to reach
a phase shift of 180°.
[0179] The time T1 has been determined considering that:
T1 shall be a short period to reduce the degradation of the receiver response time,
in case of insulation loss at the joint; when an insulation loss occurs, the signal
is expected to be disturbed by an in-phase signal issued by the adjacent track circuit,
thereby causing, for a few ms, a signal increase at the receiver. The longest signal
increase time is equal to the shorter between the duration of the relevant track circuit
signal and that of the adjacent track circuit signal;
the T1 difference between the two sets shall be of at least 100 ms, so as to safely
ensure the recognition of the set whereto the signal belongs.
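The following added example (not part of the patent) models the fixed current signal of [0174] to [0179] and its recognition by phase comparison with a 50 Hz reference as described in [0137]: it checks that 5 periods at 55.55 Hz over 90 ms shift the phase by 180°, synthesizes the four sets, measures T1 from the spacing of the phase reversals, and reports the block as clear only when the set allocated to that track circuit is recognized. The simulation sampling rate, the unit signal amplitude, the hysteresis thresholds, the ±30 ms acceptance window and the function names are assumptions.

```python
import math

F_REF = 50.0                  # Hz, carrier and internal reference (from the page)
T2_S = 0.090                  # transition section T2: 90 ms (from the page)
F_SLOPE = 5 / T2_S            # 5 periods in 90 ms, the page's 55.55 Hz
T1_MS = {"A": 260, "B": 360, "C": 460, "D": 560}    # table in [0177]
FS = 2000                     # Hz, simulation sampling rate (assumption)
TOL_MS = 30                   # accepted T1 error (assumption; sets differ by 100 ms)


def transition_phase_shift_deg():
    """Phase gained against the 50 Hz reference over one T2 section."""
    return 360.0 * (F_SLOPE - F_REF) * T2_S


def cf_phase(t, t1):
    """Phase (rad) of the CF signal relative to the reference at time t (s)."""
    u = t % (2 * t1 + 2 * T2_S)
    ramp = 2 * math.pi * (F_SLOPE - F_REF)        # rad/s while at 55.55 Hz
    if u < t1:
        return 0.0                                 # in phase
    if u < t1 + T2_S:
        return ramp * (u - t1)                     # 0 -> 180 degrees
    if u < 2 * t1 + T2_S:
        return math.pi                             # phase opposition
    return math.pi + ramp * (u - 2 * t1 - T2_S)    # 180 -> 360 degrees


def synthesize(set_name, seconds):
    """Constructed input: unit-amplitude CF signal of one set."""
    t1 = T1_MS[set_name] / 1000.0
    return [math.sin(2 * math.pi * F_REF * n / FS + cf_phase(n / FS, t1))
            for n in range(int(seconds * FS))]


def reversal_times_ms(samples):
    """Times at which the signal flips between phase and counterphase."""
    win = int(FS / F_REF)                          # one reference period
    ref = [math.sin(2 * math.pi * F_REF * n / FS) for n in range(len(samples))]
    state, flips = 0, []
    for end in range(win, len(samples) + 1):
        # In-phase correlation: +1 in phase, -1 in phase opposition.
        corr = 2.0 / win * sum(s * r for s, r in
                               zip(samples[end - win:end], ref[end - win:end]))
        new = 1 if corr > 0.3 else -1 if corr < -0.3 else state
        if state and new != state:
            flips.append(end * 1000.0 / FS)
        state = new
    return flips


def measure_t1_ms(samples):
    """T1 from the spacing of phase reversals (spacing = T1 + T2), or None."""
    flips = reversal_times_ms(samples)
    gaps = [b - a for a, b in zip(flips, flips[1:])]
    if len(gaps) < 2 or max(gaps) - min(gaps) > TOL_MS:
        return None                                # no signal or irregular pattern
    return sum(gaps) / len(gaps) - T2_S * 1000.0


def recognize_set(samples):
    """Set letter whose nominal T1 matches the measured one, else None."""
    t1 = measure_t1_ms(samples)
    if t1 is None:
        return None
    for name, nominal in T1_MS.items():
        if abs(t1 - nominal) <= TOL_MS:
            return name
    return None


def block_clear(samples, expected_set):
    """Permissive only when the set allocated to this track circuit is recognized."""
    return recognize_set(samples) == expected_set
```

A signal of set B arriving at a receiver allocated to set A, which is the insulation-loss case of [0172], is recognized as B and therefore does not clear the block; a continuous 50 Hz wave with no phase steps is not recognized at all.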
[0180] In accordance with a variant embodiment, a nine code coding may be used. In this
case, the above mentioned PWM coded signal may be added or superposed to an additional
signal derived by an identical PWM modulation of a carrier having a different frequency,
i.e. a carrier of 100 to 200 Hz, particularly of 178 Hz.
[0181] List of abbreviations and acronyms, as used in the Figures and in the description
- @: measure determined at
- A/D: Analog to Digital
- ADC: Analog to Digital Converter
- ASCV: Vital computer station apparatus
- ASCVGS: Vital computer station apparatus for big stations
- AVF: Active Vital Filter
- CA, AC: ca, Alternate Current
- CC, DC: cc, Direct Current
- CdB: Track circuit
- FC: Fixed current
- CPU: Central Processing Unit
- CRC: Cyclic Redundant Check
- D/A: Analog to Digital
- DSP: Digital Signal Processor
- FNET: Field NETwork
- FSFB2: Fail Safe Field Bus - 2nd generation
- HDLC: High-level Data Link Control
- HW: Hardware
- I/O: Input/Output
- MGRC: Code generating and receiving module
- NISAL: Numerical Integrated Safety Assurance Logic
- PAL: Power supply panel
- PCL: Processing Control Logic
- PD: Polynomial Divider
- PWM: Pulse Width Modulation
- RAM: Random Access Memory
- RCF: Phase control receiver
- Rx: Reception
- SAL: Safety Assurance Logic
- SIL: Safety Integrity Level
- SRS: Subsystem Requirements Specification
- SW: Software
- Tx: Transmission
- UAB: Track Supply Unit (terminal boxes)
- V&V: Verification & Validation
- VG: Vital Generator
- VPC2: Vital Power Controller Vs. 2
1. A system for occupancy detection in a railroad line, or the like, and for digital
communication with trains that run along said railroad line, wherein
a) The track which forms the railroad line is divided into a plurality of successive
galvanically insulated segments having a predetermined length, the so-called blocks,
the rails of each segment forming a track circuit for detecting the presence of a
train within said track segment, for communicating with a train within said track
segment and/or for detecting diagnostic data about said track segment condition;
b) A central control and monitoring unit is provided, which generates and transmits
control signals to execute train detection procedures and/or train communication procedures
relating to a train on that track and/or to execute diagnostic procedures;
c) Which central control unit communicates with the track circuit of each block section
by means of a control and monitoring subunit, associated to each block section or
track circuit to generate and receive codes, and which subunit executes the procedures
to detect the presence of a train T within the associated block, the communication
procedures and/or the diagnostic procedures and transmits control signals corresponding
to the presence or absence of the train within the corresponding block and/or to the
proper communication established with the train and/or diagnostic signals relating
to the track circuit and informs the central control and monitoring unit about the
results thereof.
d) Each control and monitoring subunit associated to each corresponding block being
connected to the ends thereof by a transmitter and a receiver;
e) And each subunit and its associated block being uniquely identified by a predetermined
ID code.
Characterized in that
f) Each code generating and receiving control and monitoring subunit comprises means
for generating a signal when a train is detected on the corresponding block, which
signal is transmitted by the transmitter associated to an end of the block to the
associated receiver at the opposite end of the block in the direction opposite to
the train running direction;
g) Which train detection signal is provided before transmitting a carrier having a
predetermined fixed low frequency to a phase modulator of the track segment, which
modifies the carrier phase for predetermined time intervals between two definite phases,
with reference to a reference signal having the carrier frequency, the time intervals
between the frequency steps of the two phase settings having a predetermined length;
h) And said train detection signals being uniquely differentiated for each block,
by setting different time intervals between two successive phase steps.
2. A system as claimed in claim 1, characterized in that a definite number of different train detection signals within a block is provided,
each being differentiated from the other with respect to the interval between two
successive carrier phase transitions, the timed phase modulators associated to the
individual blocks of the railroad line being set in such a manner that these train
detection signals have different time intervals between successive phase transitions,
particularly different from those transmitted to the directly adjacent blocks.
3. A system as claimed in claim 1 or 2, characterized in that a progressive slope is provided between two successive phase steps, having such a
duration and a frequency as to provide a uniform phase transition.
4. A system as claimed in one or more of the preceding claims, characterized in that the carrier is of about 50 Hz.
5. A system as claimed in one or more of the preceding claims, characterized in that phase transitions occur between a phase setting in which the signal is in phase with
a reference signal and a phase setting in which the signal is in phase opposition
with respect to a reference signal of 50 Hz.
6. A system as claimed in one or more of the preceding claims, characterized in that the slope between two successive phase transitions has a frequency of 55.55 Hz.
7. A system as claimed in one or more of the preceding claims, characterized in that the train detection signal has a total duration which corresponds to the sum of the
intervals of five successive phase transitions and the duration of five slopes.
8. A system as claimed in one or more of the preceding claims, characterized in that the code generating and receiving subunit has uniquely defined code generating means.
9. A system as claimed in claim 8, characterized in that a definite number of uniquely defined codes is provided, each being defined by a
predetermined Pulse Width Modulation, i.e. by a predetermined number of times per
minute that the carrier is excluded.
10. A system as claimed in claim 9, characterized in that the carrier is at 50 Hz, whereas four codes are provided whose Pulse Width Modulation
corresponds to the carrier interruption performed a predetermined number of times
per minute, and particularly 75, 120, 180 and 270 times/minute respectively.
11. A system as claimed in one or more of the preceding claims, characterized in that it includes a receiver which has an input filter tuned at the carrier frequency,
which power unit communicates with the track interface through a transmitter and a
receiver.
12. A system as claimed in one or more of the preceding claims, characterized in that the code generating and receiving subunit has at least one output for train detection
signals and for coded communication signals and at least one input for the signals
acquired from the block, said output and input being connected with track connection
interfaces, which may alternately have transmit and receive functions, and are alternately
connected by a connection inverting circuit to said output and said input respectively,
in response to the control of the central control and monitoring unit and as a function
of the train running direction within the corresponding block.
13. A system as claimed in claim 12, characterized in that said track connection interfaces consist of transmit/receive transformers.
14. A system for occupancy detection in a railroad line, or the like, and for digital
communication with trains that run along said railroad line, wherein
f) The track which forms the railroad line is divided into a plurality of successive
galvanically insulated segments having a predetermined length, the so-called blocks,
the rails of each segment forming a track circuit for detecting the presence of a
train within said track segment, for communicating with a train within said track
segment and/or for detecting diagnostic data about said track segment condition;
g) A central control and monitoring unit is provided, which generates and transmits
control signals to execute train detection procedures and/or train communication procedures
relating to a train on that track and/or to execute diagnostic procedures;
h) Which central control unit communicates with the track circuit of each block section
by means of a control and monitoring subunit, associated to each block section or
track circuit to generate and receive codes, and which subunit executes the procedures
to detect the presence of a train T within the associated block, the communication
procedures and/or the diagnostic procedures and transmits control signals corresponding
to the presence or absence of the train within the corresponding block and/or to the
proper communication established with the train and/or diagnostic signals relating
to the track circuit and informs the central control and monitoring unit about the
results thereof.
i) Each control and monitoring subunit associated to each corresponding block being
connected to the ends thereof by a transmitter and a receiver;
j) And each subunit and its associated block being uniquely identified by a predetermined
ID code.
Characterized in that each code generating and receiving control and monitoring subunit comprises
k) A microprocessor-based Vital Computer Module, which contains the programs for managing
and controlling the peripheral modules for generating and transmitting train detection
signals and coded communication signals, for receiving signals from the track circuit
of the corresponding block, for communicating, i.e. receiving and interpreting controls
from the central control and monitoring unit, and for transmitting train detection
and communication information, as well as for managing communication and timed triggering
of peripheral modules;
l) A module for generating train detection signals and coded communication signals
controlled by the Vital Computer Module;
m) A module for acquiring and recognizing track circuit signals relevant to the corresponding
block, which is controlled by the Vital Computer Module, and provides it with the
signals received by the circuit track of the corresponding block;
n) A module for interfacing the output of the train detection signal and/or coded
communication signal generation module with the track, and for interfacing the input
of the track circuit signal acquisition and processing module with the track, which
is controlled by the Vital Computer Module, as regards the connection the two track
interfaces disposed on the track at the ends of the corresponding block, alternately
with the output of the signal generating module and with the input of the acquisition
and processing module.
o) A module communication bus, which is controlled by the Vital Computer Module.
p) A network interface for communication with the central control and monitoring unit,
which is controlled by the Vital Computer Module.
15. A system as claimed in claim 14, characterized in that the Vital Computer Module comprises a microprocessor-based control and monitoring
section which is programmed in such a manner as to execute main repetitive cycles
to receive controls from the central unit and to process the controls from the train
detection signal and/or coded communication signal generation modules and secondary
repetitive cycles to recheck proper execution of the controls received from the central
unit and transmitted to the individual modules, which rechecking cycles are more frequent,
being repeated at intervals equal to integer submultiples of the main cycle repetition
times.
16. A system as claimed in claim 14 or 15, characterized in that the train detection signal and/or coded communication signal generation module includes
a Pulse Width Modulation (PWM) generator, which generates two Pulse Width Modulated
signals that are amplified at the output by a Pulse Width Modulation (PWM) demodulator,
which includes a power amplifier, which train detection signals and/or coded communication
signals are defined by combining the two Pulse Width Modulated signals to control
the amplifier/demodulator.
17. A system as claimed in claim 16, characterized in that the power amplifier/demodulator consists of a power inverter.
18. A system as claimed in one or more of claims 14 to 17, characterized in that the Pulse Width demodulator includes a module for driving a bridge amplifier, which
controls an H bridge by using the Pulse Width Modulated signals provided by the Pulse
Width Modulated signal generator, and an H bridge, composed of four power switches
arranged to form an H bridge.
19. A system as claimed in one or more of the preceding claims 14 to 18, characterized in that the module for acquiring and recognizing track circuit signals from relevant blocks
includes at least one input connected to the track interface, which acts as a receiver,
and at least one processing channel including an input memory connected to a programmable
digital signal processor, which filters and demodulates the received signal, and identifies
the code thereof, and whose output is connected to an input of the Vital Computer
Module, which converts the recognized code into a control signal to be transmitted
to the central control and monitoring unit and to be locally processed.
20. A system as claimed in one or more of the preceding claims 14 to 19, characterized in that the module for interfacing the output of the train detection signal and/or coded
communication signal generation module with the track, and for interfacing the input
of the module for acquiring and processing track circuit signals from the relevant
blocks with the track, comprises a unit for alternately inverting the connection of
the two interfaces with the track, to a different end of the corresponding track by
an inverter control unit.
21. A system as claimed in one or more of claims 14 to 20, characterized in that it includes, separately or in combination, one or more of claims 1 to 13.
22. A system for occupancy detection in a railroad line, or the like, and for digital
communication with trains that run along said railroad line, wherein
a) The track which forms the railroad line is divided into a plurality of successive
galvanically insulated segments having a predetermined length, the so-called blocks,
the rails of each segment forming a track circuit for detecting the presence of a
train within said track segment, for communicating with a train within said track
segment and/or for detecting diagnostic data about said track segment condition;
b) A central control and monitoring unit is provided, which generates and transmits
control signals to execute train detection procedures and/or train communication procedures
relating to a train on that track and/or to execute diagnostic procedures;
c) Which central control unit communicates with the track circuit of each block section
by means of a control and monitoring subunit, associated to each block section or
track circuit to generate and receive codes, and which subunit executes the procedures
to detect the presence of a train T within the associated block, the communication
procedures and/or the diagnostic procedures and transmits control signals corresponding
to the presence or absence of the train within the corresponding block and/or to the
proper communication established with the train and/or diagnostic signals relating
to the track circuit and informs the central control and monitoring unit about the
results thereof.
d) Each control and monitoring subunit associated to each corresponding block being
connected to the ends thereof by a transmitter and a receiver;
e) And each subunit and its associated block being uniquely identified by a predetermined
ID code.
Characterized in that each code generating and receiving control and monitoring subunit comprises a reactive
safety architecture, said subunit being equipped with
f) A microprocessor-based Vital Computer Module, which contains the programs for managing
and controlling the peripheral modules for generating and transmitting train detection
signals and coded communication signals, for receiving signals from the track circuit
of the corresponding block, for communicating, i.e. receiving and interpreting controls
from the central control and monitoring unit, and for transmitting train detection
and communication information, as well as for managing communication and timed triggering
of peripheral modules;
g) A module for generating train detection signals and coded communication signals
controlled by the Vital Computer Module;
h) A module for acquiring and recognizing track circuit signals relevant to the corresponding
block, which is controlled by the Vital Computer Module, and provides it with the
signals received by the track circuit of the corresponding block;
i) A module for interfacing the output of the train detection signal and/or coded
communication signal generation module with the track, and for interfacing the input
of the track circuit signal acquisition and processing module with the track, which
is controlled by the Vital Computer Module, as regards the connection of the two track
interfaces disposed on the track at the ends of the corresponding block, alternately
with the output of the signal generating module and with the input of the acquisition
and processing module.
j) The Vital Computer Module including a unit which generates codes for checking the
proper execution of train detection signal and/or coded communication signal generating
and track circuit signal receiving and interpreting operations, which checkcodes are
provided to a protection check unit, which checks them for correctness, and has a
section for disabling vital operations of the code generation and receiving subunit,
and for forcing the system to a more restrictive state, e.g. track occupancy state,
when an invalid checkcode is detected.
23. A system as claimed in claim 22, characterized in that the code generating and receiving subunit and the protection check unit have different
microprocessors.
24. A system as claimed in claim 22 or 23, characterized in that the code generating and receiving subunit and the protection check unit include configuration-independent
processing software as well as configuration software, which constitutes the data
base for executing the processing software in compliance with the system configuration.
25. A system as claimed in one or more of claims 22 to 24, characterized in that the train detection signal and/or coded communication signal generation module includes
a generator of a pair of PWM signals, which are used to generate the train detection
signal and/or the coded communication signals by means of a power amplifier/demodulator,
said pair of PWM signals being provided to the power amplifier/demodulator through
a switch, that is controlled by the Protection check unit upon confirmed correctness
of the pair of signals obtained by Pulse Width Modulation performed by the Vital Computer
Module, which receives said pair of PWM signals and checks them for consistency with
the control received from the central control and monitoring unit, and generates,
as a result, the checkcode to be analyzed by the Protection check unit.
26. A system as claimed in claim 25, characterized in that the power amplifier/demodulator has an inherent fail-safe construction.
27. A system as claimed in one or more of claims 22 to 26, characterized in that the track circuit signal acquisition and recognition module includes an input stage
for decoupling the input signal to two processing channels, by a digital signal processor,
whose outputs are provided to the Vital Computer Module which checks their identity
and, as a result, generates a checkcode to be checked for correctness by the Protection
check unit.
28. A system as claimed in claim 27, characterized in that the input stage for decoupling the two signal processing channels has an inherent
fail-safe construction.
29. A system as claimed in one or more of claims 24 to 28, characterized in that the device for inverting the connection of the transmit and receive interfaces to
the two ends of each block has an inherent fail-safe construction.
30. A system as claimed in one or more of the preceding claims, characterized in that the Protection check unit has an inherent fail-safe construction.
31. A system as claimed in one or more of the preceding claims, characterized in that the Protection check unit checks the checkcodes for correctness by destructive processing
thereof.
32. A system as claimed in one or more of the preceding claims 22 to 32, characterized in that it includes, separately or in combination, one or more of the characteristics as
claimed in claims 1 to 14.
33. A system as claimed in one or more of the preceding claims 22 to 32, characterized in that it includes, separately or in combination, the characteristics as claimed in one
or more of claims 15 to 21.
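
Added illustration (not part of the patent text or of any product implementing it): a C sketch of the reactive safety check of claims 22, 25 and 31, in which the Vital Computer Module derives a checkcode from the code it reads back and the Protection check unit gates the outputs on it. The seed schedule, the mixing function, all names, and the reading of "destructive processing" as one-time consumption of the expected value are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Occupied is the more restrictive state the unit falls back to. */
enum block_state { BLOCK_OCCUPIED = 0, BLOCK_CLEAR = 1 };

struct vital_computer   { uint32_t seed; };
struct protection_check { uint32_t seed; bool outputs_enabled; bool latched; };

/* Assumed per-cycle seed schedule shared by both processors. */
static uint32_t next_seed(uint32_t s) { return s * 1664525u + 1013904223u; }

/* Assumed mixing function, bijective in each argument, so a wrong seed or a
 * wrong code always changes the result. Not taken from the patent. */
static uint32_t mix(uint32_t seed, uint32_t code) {
    uint32_t x = seed ^ (code * 2654435761u);
    x ^= x >> 15; x *= 2246822519u; x ^= x >> 13;
    return x;
}

/* Vital Computer: the checkcode is derived from the code actually read back
 * from the PWM pair, so it is only valid if that matches the command. */
uint32_t vital_make_checkcode(struct vital_computer *v, uint32_t observed_code) {
    uint32_t cc = mix(v->seed, observed_code);
    v->seed = next_seed(v->seed);
    return cc;
}

/* Protection check unit: recomputes the expected value from the commanded
 * code, consumes it (one use per cycle), and latches the restrictive state
 * on any mismatch. outputs_enabled models the switch feeding the amplifier. */
enum block_state protection_verify(struct protection_check *p, uint32_t commanded_code,
                                   uint32_t checkcode, bool track_reads_clear) {
    uint32_t expected = mix(p->seed, commanded_code);
    p->seed = next_seed(p->seed);
    if (p->latched || checkcode != expected) {
        p->latched = true;
        p->outputs_enabled = false;
        return BLOCK_OCCUPIED;
    }
    p->outputs_enabled = true;
    return track_reads_clear ? BLOCK_CLEAR : BLOCK_OCCUPIED;
}

int main(void) {
    struct vital_computer v = { 0x1234u };          /* constructed sample seed */
    struct protection_check p = { 0x1234u, false, false };
    uint32_t cc = vital_make_checkcode(&v, 0x2Au);
    bool ok = protection_verify(&p, 0x2Au, cc, true) == BLOCK_CLEAR;
    /* Replaying the consumed checkcode must drop the block to occupied. */
    ok = ok && protection_verify(&p, 0x2Au, cc, true) == BLOCK_OCCUPIED;
    return ok && !p.outputs_enabled ? 0 : 1;
}
```

Because the failure is latched, a later valid checkcode does not re-enable the outputs; recovery would need an explicit reset path, which this sketch leaves out.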