Field of the invention
[0001] The present invention relates to a control system for a railway crossing, wherein
the control system comprises a plurality of signal inputs and a plurality of signal
outputs, and processing logic connected to the plurality of signal inputs and the plurality
of signal outputs.
Background art
[0002] Control systems for railway crossings are still mostly based on hard-wired circuitry
and logic, separate for each railway crossing function. As in other technical application
areas, system integration is attempted, but it is difficult to achieve in view of the very
high safety, reliability and availability levels now required.
[0003] International patent publication
WO2016/142159 discloses a safety relevant computer system for railway applications. Two hardware
channels are used, of which data is fed to a comparator. If the comparison fails,
an error response is generated. Similarly, two different software programs may be
used, for which data checks are implemented. Note that the embodiments described use
a SIL4 level processing system.
Summary of the invention
[0005] The present invention seeks to provide an improved control system for a railway crossing,
which is provided as an integrated and flexible system.
[0006] According to the present invention, a control system as defined above is provided,
wherein the processing logic comprises a channel A part and a channel B part for each
railway crossing logic function, wherein the plurality of signal inputs are each connected
to both the channel A part and the channel B part of the processing logic to input
a channel A signal and a channel B signal, each of the channel A part and the channel
B part comprising an AND logic gate receiving a direct signal and a cross check signal
and outputting an internal data signal, the cross check signal being provided by a
first data exchange channel between the channel A part and the channel B part. In
a further embodiment, an output signal associated with each railway crossing logic
function is arranged in either a redundant availability implementation or a redundant
implementation with diagnostics.
[0007] The invention embodiments allow the processing logic to be implemented in a flexible
manner, in order to provide the control system with a sufficiently high availability
and reliability depending on the requirements of the specific railway crossing logic
function.
Short description of drawings
[0008] The present invention will be discussed in more detail below, with reference to the
attached drawings, in which
Fig. 1 shows a schematic diagram of a processing logic implementation for a railway
crossing function according to an embodiment of the present invention;
Fig. 2 shows a schematic diagram of a processing logic implementation for a railway
crossing function according to a further embodiment of the present invention;
Fig. 3 shows a schematic diagram of an output part of a processing logic implementation
for a railway crossing function according to an embodiment of the present invention;
Fig. 4 shows a schematic diagram of an output part of a processing logic implementation
for a further railway crossing function according to a further embodiment of the present
invention;
Fig. 5 shows a schematic diagram of an output part of a processing logic implementation
for an even further railway crossing function according to an even further embodiment
of the present invention.
Description of embodiments
[0009] Railway crossings are nowadays guarded and monitored using warning devices (light,
sound) and physical blocking devices (moving barriers), and are controlled remotely and
fully automatically. To allow the remote and automatic control of railway crossing devices,
various sensors and data exchange with a central rail surveillance centre are used.
Also, for the various railway crossing related functions, the implementation is such
that safety is guaranteed to as high a level as possible (e.g. using a fail-safe design
of the equipment), while the availability of the systems (often expressed as a mean time
between failures, MTBF) is also required to be high. Using conventional control systems,
it is possible that some requirements related to safety and availability cannot be
met.
[0010] According to the present invention embodiments, the design of a control system for
a railway crossing allows a flexible allocation of the system resources, so that a
predetermined degree of safety and availability can be obtained for each and every function
associated with the operation of a railway crossing. Functions associated with a control
system of a railway crossing may include, but are not limited to, actuation of the
railway gate (closing actuation and opening actuation may be seen as separate functions),
actuation of the red warning lights, actuation of warning sounds, actuation of white
lights, actuation of a radar device, reception of sensor signals, reception of signal
post signals, and generation of signal post signals. The railway crossing functions may
be implemented as logic functions, using one or more input parameters and providing
one or more output signals.
[0011] Depending on the requirements, the availability of the different functions of
the control system in particular may vary significantly. For example, the availability
required for the operation of the barriers of a railway crossing may be less stringent
than that required for the operation of the white lights (which indicate to users that
it is safe to cross the railway crossing). If availability is expressed as a failure
rate in failures per hour (the reciprocal of the mean time between failures, MTBF), the
threshold value for the operation of the white lights may be orders of magnitude smaller
(e.g. around 1E-10 failures/hour) than that for the operation of the barrier (e.g. around
1E-7 failures/hour).
[0012] The present invention embodiments relate to a control system for a railway crossing,
wherein the control system comprises a plurality of signal inputs (S) and a plurality
of signal outputs (AC), and processing logic (P) connected to the plurality of signal
inputs (S) and the plurality of signal outputs (AC). The processing logic comprises a
channel A part (PA) and a channel B part (PB) for each railway crossing logic function.
This is shown in the schematic view of an exemplary implementation in Fig. 1. The
plurality of signal inputs S e.g. comprise control input signals and/or sensor input
signals, and the plurality of signal outputs AC e.g. comprise signalling output signals
and/or actuator drive signals. The plurality of signal inputs (S) are each connected
to both the channel A part (PA) and the channel B part (PB) of the processing logic
(P) to input a channel A signal (DI-A) and a channel B signal (DI-B). This allows two
independent executions of the logic functions for the railway crossing functions by a
first logic server LA in the channel A part PA and a second logic server LB in the
channel B part PB, resulting in an increased (redundancy based) safety level. To prevent
unwanted system behaviour if a failure occurs in the input part of the control
system, the channel A part PA and the channel B part PB are arranged to cross check the
input signals. In channels A and B, the logic servers LA and LB each provide an independent
output signal DO-A and DO-B, respectively.
[0013] In the embodiment shown in Fig. 1, this cross check is implemented by each of
the channel A part (PA) and the channel B part (PB) comprising an AND logic gate (AA;
AB) which receives a direct signal (DI-A; DI-B) and a cross check signal (DI-AtoB;
DI-BtoA), i.e. the other channel's copy of the same input signal, and outputs an internal
data signal (DII). The cross check signal (DI-AtoB; DI-BtoA) is provided by a first data
exchange channel (SEA) between the channel A part (PA) and the channel B part (PB). The
AND logic gates AA, AB ensure that channel A cannot unsafely influence channel B, and
vice versa: an internal data signal DII only takes the asserted value when both channels
have read that value, so a failure in the input part of one of the channels A, B can never
result in the unsafe value of the input signal DI-A, DI-B being used in the other channel
B, A. The first data exchange channel SEA is e.g. a safe Ethernet channel as available in
many present-day processing logic modules, e.g. in the form of a Programmable Logic
Controller (PLC) unit.
[0014] As shown in the embodiment of Fig. 1, the signal input S (e.g. a sensor signal) is
split into two paths, and for each path a signal adaptation unit (TA; TB) is provided,
which is e.g. used to convert an alternating-current signal into a direct-current signal
that can be input to the processing logic P. The signal adaptation unit may be implemented
as a transformer-rectifier unit. In other words, the plurality of signal inputs (S) are
each connected to both the channel A part (PA) and the channel B part (PB) of the
processing logic (P) via a separate signal adaptation unit (TA; TB). If the signal input
S is already compatible with the processing logic, such signal adaptation units TA, TB
need not be present, or are implemented as signal converters, e.g. DC-DC converters.
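The input cross check of paragraphs [0013] and [0014] can be exercised in a small model. The following is an added example and not part of the patent text: it models one signal input S split into the channel A and channel B paths (TA, TB), the exchange of each channel's copy over the first data exchange channel (SEA) and the AND gates AA and AB, and injects stuck-at faults per channel to show which failures the cross check masks. The fault model (stuck_0, stuck_1) and the polarity (True is the asserted, 'unsafe' value) are assumptions made for the example, not definitions from the patent.

```python
"""Input cross-check of the two-channel processing logic P.

Added example, not from the patent. Polarity assumption: True is the
asserted (permissive, 'unsafe') value of an input; False is the safe,
restrictive value. Fault model assumption: a channel's input part can be
stuck at 0 or stuck at 1.
"""
from itertools import product
from typing import Optional, Tuple

FAULTS = (None, "stuck_0", "stuck_1")


def _with_fault(fault: Optional[str], value: bool) -> bool:
    """Value seen by a channel's input part after an injected fault."""
    if fault == "stuck_0":
        return False
    if fault == "stuck_1":
        return True
    return value


def cross_checked_inputs(s: bool, fault_a: Optional[str] = None,
                         fault_b: Optional[str] = None) -> Tuple[bool, bool]:
    """Return the internal data signals (DII of channel A, DII of channel B)
    for one scan of signal input S with optional faults in TA/TB."""
    di_a = _with_fault(fault_a, s)      # DI-A: output of TA as read by channel A
    di_b = _with_fault(fault_b, s)      # DI-B: output of TB as read by channel B
    di_a_to_b, di_b_to_a = di_a, di_b   # copies exchanged over SEA
    dii_a = di_a and di_b_to_a          # AND gate AA
    dii_b = di_b and di_a_to_b          # AND gate AB
    return dii_a, dii_b


def single_fault_never_asserts() -> bool:
    """Property claimed in [0013]: with S de-asserted, no fault in one
    channel's input part can make either channel use the asserted value."""
    for fault_a, fault_b in product(FAULTS, repeat=2):
        if (fault_a is None) == (fault_b is None):
            continue                    # skip the no-fault and double-fault cases
        if any(cross_checked_inputs(False, fault_a, fault_b)):
            return False
    return True


def availability_cost() -> Tuple[bool, bool]:
    """Price of the AND: a stuck_0 fault in one channel pulls both channels
    to the de-asserted value even when S is asserted (safe, but unavailable)."""
    return cross_checked_inputs(True, fault_a="stuck_0")


if __name__ == "__main__":
    print("healthy, S asserted   :", cross_checked_inputs(True))
    print("A stuck_1, S safe     :", cross_checked_inputs(False, fault_a="stuck_1"))
    print("A stuck_0, S asserted :", availability_cost())
    print("single-fault safe     :", single_fault_never_asserts())
    print("both stuck_1, S safe  :", cross_checked_inputs(False, "stuck_1", "stuck_1"))
```

The last case in the script shows the limit of the mechanism: the AND cross check covers a fault in one channel's input part, not a common-cause fault upstream of the split or in both adaptation units at once, which is the reason TA and TB are kept separate per channel.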
[0015] In a generic group of embodiments, an output signal (DO) associated with each railway
crossing logic is arranged in either a redundant availability implementation (2-out-of-2,
or 2oo2) or a redundant implementation with diagnostics (2-out-of-2 with diagnostics,
or 2oo2d).
[0016] The exemplary embodiment of Fig. 1 is an example of a redundant availability implementation
(2oo2). The output part of the processing logic P comprises an OR logic gate (OR)
receiving the railway crossing logic function output signals of the channel A part
(DO-A) and of the channel B part (DO-B) for a specific railway crossing logic function,
and providing an associated output signal (DO). The redundant channel architecture
and output combination logic thus ensure that if one channel A, B fails, the
specific railway crossing function will still be available and function properly.
Each channel A, B is arranged to provide a fail-safe implementation of the specific
railway crossing function; the OR combination means that the output signal AC takes
an 'unsafe' value as soon as either one of the channels A, B outputs an unsafe value,
so the safety of this implementation rests on the fail-safe design of each channel.
[0017] The specific railway crossing logic function comprises one or more of actuation of
railway crossing barrier closing; actuation of railway crossing barrier opening; actuation
of red lights; actuation of a warning sound; actuation of a traffic radar device.
These functions can then be provided with a desired level of safety in combination
with a desired availability (e.g. a threshold value of less than 1E-9 failures per
hour).
[0018] For railway crossing functions requiring a more stringent availability (e.g. a threshold
value of less than 1E-10 failures per hour), a different implementation of the processing
logic P is used, of which an exemplary embodiment is shown in the schematic diagram
of Fig. 2. In this embodiment, an additional process logic unit is used in the form
of a diagnostic unit D. The control system as shown thus further comprises a diagnostic unit
(D), and the redundant implementation with diagnostics comprises an OR logic gate
(OR) receiving the railway crossing logic function output signals of the channel A
part (DO-A) and the channel B part (DO-B) for a specific railway crossing logic function.
The diagnostic unit (D) is arranged to receive the railway crossing logic function
output signals of the channel A part (DO-A) and the channel B part (DO-B), and to bring
the signal output (DO) of the associated specific railway crossing logic function
to a safe state if the railway crossing logic function output signals of the channel
A part (DO-A) and the channel B part (DO-B) are different. This embodiment allows
a higher degree of availability to be reached than the implementation shown in Fig. 1,
and thus combines a high safety level (redundancy) with high availability. It is noted
that the diagnostic unit D does not execute the specific railway crossing function,
as executed in both channels A, B, a further time, but only checks whether a discrepancy
exists between the channel A output part signal DO-A and the channel B output part signal
DO-B. In case of a detected discrepancy, the output signal DO is brought to a safe
state, enhancing the safety level of this implementation. During normal operation,
the output signal DO can only have an unsafe state if the logic servers LA, LB in
both channels A, B have calculated that the output should be in an unsafe state.
[0019] Similar to the embodiment shown in Fig. 1 and described above, this implementation
allows two independent executions of the logic functions for the railway crossing functions
by a first logic server LA in the channel A part PA and a second logic server LB in
the channel B part PB, resulting in an increased (redundancy based) safety level.
The additional control of the output signals by the diagnostic unit D allows an even
further increased safety level, as well as an even better availability (i.e. a lower
threshold value of 1E-10 or even 1E-11 failures per hour).
[0020] In the embodiment shown in Fig. 2, the diagnostic unit (D) is connected to railway
crossing logic function output signals of the channel A part (DO-A) and of the channel
B part (DO-B) via a respective second data exchange channel (SD-A; SD-B). Again this
data exchange channel SD-A, SD-B may be implemented as a safe Ethernet channel.
[0021] In a further embodiment, the diagnostic unit (D) is further arranged to provide an
alert signal if the signal outputs of the channel A part (DO-A) and the channel B
part (DO-B) are different. This alert signal may be provided locally, but can also
be logged, or communicated to a remote location (e.g. a central railway monitoring
station).
[0022] The specific railway crossing logic function implemented in this type of processing
logic P comprises one or more of: actuation of white lights; output signals to a signal
post.
[0023] The related signals as used in an exemplary embodiment of the present invention,
and related to the specific railway crossing logic functions include: control signal
for railway crossing DA, control signal indicating that railway crossing is safely
closed KFX, control signal for deactivating railway crossing annunciation RHS, control
signal for activating railway crossing annunciation, NRHS, control signal for white
lights for traffic CLP, control signal for red lights for traffic CLR, control signal
for barriers NCB, CB, control signal for alarm bells CSB, remote alarm signal RA/Ra,
and control signal for red light monitoring of traffic Radar.
[0024] If one channel A, B becomes unavailable (e.g. due to a malfunction), the processing
logic for that specific railway crossing logic function is still operable; however,
the diagnostic unit D can then no longer monitor both channels, but only the remaining
channel A, B. If the diagnostic unit D becomes unavailable, the specific railway crossing
logic function is still operative. These fail-operational conditions should, however, not
persist for too long if the prescribed safety levels are to be met. In a further embodiment,
the processing logic (P) is therefore arranged to generate a warning signal if the diagnostic
unit (D) is non-functional for more than a predetermined time period. In a further embodiment,
the diagnostic unit (D) is further arranged to execute a self-test, e.g. using the output
of the OR logic gate as shown in Fig. 2 as an additional input.
[0025] As shown in the exemplary embodiment of Fig. 2, the processing logic P may further
comprise a switch (R) (e.g. a relay or a solid-state switch) connected to the
diagnostic unit (D), wherein the switch (R) is arranged to bring the signal output
(DO) of the associated specific railway crossing logic function to a safe state. To
further enhance reliability (and safety), the diagnostic unit D may be arranged to
periodically check the switch for proper functioning.
[0026] Fig. 3 shows an exemplary implementation of the output combinatory logic for the
sound warning system S of a railway crossing. The channel A part PA of the processing
logic P provides an output signal DO-A, and the channel B part PB of the processing
logic P provides an output signal DO-B, both of which are input to an OR gate, which
then provides the output signal AC for the sound warning system S. The warning sound
will thus be generated if one of the channels A, B, or both channels, has established
that a warning sound must be generated.
[0027] Fig. 4 shows an exemplary implementation of the output combinatory logic for the
barrier operation CB, NCB of a railway crossing, which is a complementary function
(a close barrier signal CB, or a not-close-barrier (open barrier) signal NCB). The channel A
part PA of the processing logic P in this case provides an output signal DO-A+ and
an inverted output signal DO-A-, and the channel B part PB of the processing logic
P provides an output signal DO-B+ and an inverted output signal DO-B-. For the closing
barrier function CB, the inverted output signals DO-A- and DO-B- are combined in an
OR gate, and for the open barrier function NCB, the output signals DO-A+ and DO-B+
are combined in an OR gate. The respective signals CB, NCB are then provided to the
barrier actuators.
[0028] Fig. 5 shows an exemplary implementation of the output combinatory (and diagnostic)
logic for the output of signals to a (remote) signal post, which requires the highest
level of safety and availability. The output signal AC is eventually provided as an
actuation of a relay DA. The channel A part PA of the processing logic P provides
an output signal DO-A, and the channel B part PB of the processing logic P provides
an output signal DO-B, both of which are input to an OR gate and to the diagnostic
unit D via safe Ethernet channels SD-A, SD-B. Furthermore, an output of the diagnostic
unit D is connected to relay R, which allows the diagnostic unit to bring the
output signal AC to a safe state. Furthermore, the output signal AC is also fed back
to the diagnostic unit D, as indicated here via a transformer TO, so that the diagnostic
unit can verify the actual state of the output.
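The output side described in paragraphs [0016] to [0028] can likewise be simulated. The following is an added example and not part of the patent text: it models the OR combination of DO-A and DO-B (2oo2, Figs. 1, 3 and 4), the complementary barrier pair of Fig. 4, and the variant with diagnostic unit D and switch R (2oo2d, Figs. 2 and 5), including the alert on a discrepancy, the feedback of AC to D used to verify that R actually opened, and the warning when D has been non-functional for longer than a predetermined period. The scan-cycle timing, the latching behaviour of R (it stays open until an explicit reset), the injected 'R stuck closed' fault and the alert strings are assumptions made for the example.

```python
"""Output stage of the two-channel processing logic P.

Added example, not from the patent. Assumptions: time is counted in scan
cycles; switch R latches open after a discrepancy until reset(); the
'predetermined time period' of [0024] is max_d_outage_cycles; the only
modelled fault in R is 'stuck closed', detected through the AC feedback.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Mode(Enum):
    OO2 = "2oo2"      # redundant availability implementation: OR gate only
    OO2D = "2oo2d"    # redundant implementation with diagnostics: OR, D and R


@dataclass
class OutputStage:
    mode: Mode
    max_d_outage_cycles: int = 3         # assumed 'predetermined time period'
    d_available: bool = True             # D reachable via SD-A / SD-B
    relay_stuck_closed: bool = False     # injected fault in switch R
    relay_closed: bool = True            # commanded state of R
    outage_cycles: int = 0
    alerts: List[str] = field(default_factory=list)

    def cycle(self, do_a: bool, do_b: bool) -> bool:
        """One scan: combine DO-A and DO-B and return the physical output AC."""
        do_or = do_a or do_b                         # OR gate
        if self.mode is Mode.OO2:
            return do_or                             # Fig. 1: no D, no R
        # 2oo2d: D compares the channel outputs and may open R
        if not self.d_available:
            self.outage_cycles += 1                  # fail-operational, see [0024]
            if self.outage_cycles == self.max_d_outage_cycles + 1:
                self.alerts.append("warning: D non-functional too long")
        else:
            self.outage_cycles = 0
            if do_a != do_b:
                self.relay_closed = False            # bring DO to the safe state
                self.alerts.append("alert: DO-A != DO-B")
        # physical path: R in series with the OR output (Fig. 5)
        ac = do_or and (self.relay_closed or self.relay_stuck_closed)
        # feedback of AC via TO: D checks that R did what it was told
        if self.d_available and ac != (do_or and self.relay_closed):
            self.alerts.append("alert: switch R failed feedback self-test")
        return ac

    def reset(self) -> None:
        """Assumed maintenance action: re-close R after a discrepancy."""
        self.relay_closed = True


def barrier_outputs(ch_a: Tuple[bool, bool],
                    ch_b: Tuple[bool, bool]) -> Tuple[bool, bool]:
    """Fig. 4: each channel supplies (DO+, DO-). CB is the OR of the inverted
    outputs, NCB the OR of the direct outputs. Returns (CB, NCB). When the
    channels disagree both are asserted; the plain 2oo2 arrangement of
    Fig. 4 has no diagnostic unit to detect that."""
    (a_plus, a_minus), (b_plus, b_minus) = ch_a, ch_b
    return (a_minus or b_minus), (a_plus or b_plus)


if __name__ == "__main__":
    d = OutputStage(Mode.OO2D)
    print("2oo2d, channels agree   :", d.cycle(True, True))
    print("2oo2d, channels differ  :", d.cycle(True, False), d.alerts)
    stuck = OutputStage(Mode.OO2D, relay_stuck_closed=True)
    print("2oo2d, R stuck closed   :", stuck.cycle(True, False), stuck.alerts)
    w = OutputStage(Mode.OO2D, max_d_outage_cycles=2, d_available=False)
    for _ in range(3):
        w.cycle(True, True)
    print("2oo2d, D unavailable    :", w.alerts)
    print("barrier, channels agree :", barrier_outputs((False, True), (False, True)))
```

Two behaviours in the model are worth a second look in a real design: a disagreement on a 2oo2d output trips R even when the 'wrong' channel is the one commanding the safe value (the price of the diagnostic unit is spurious trips, which is why the patent reserves it for the white lights and the signal post), and the feedback self-test is only as good as the feedback path TO, so a fault in TO needs its own coverage.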
[0029] To be able to have a sufficiently high reliability of the control system for the railway
crossing, the processing logic (P) comprises a programmable logic controller (PLC) unit
having a reliability level in accordance with safety integrity level SIL-4. In an
embodiment, each of the channel A part PA, the channel B part PB and the diagnostic unit
D is implemented in a separate SIL-4 PLC unit. Each PLC unit may be connected to
one or more remote I/O units, if the available number of I/O ports on the PLC unit
is not sufficient to implement all needed railway crossing functions and associated
signal inputs S and signal outputs AC. The interconnection between a PLC unit and a
remote I/O unit can be bus based, e.g. using a safe Ethernet connection. In a further
embodiment the PLC units may also be connected to a (local) data logging module via
a separate local network connection.
[0030] The present invention has been described above with reference to a number of exemplary
embodiments as shown in the drawings. Modifications and alternative implementations
of some parts or elements are possible, and are included in the scope of protection
as defined in the appended claims.
1. Control system for a railway crossing,
wherein the control system comprises a plurality of signal inputs (S) and a plurality
of signal outputs (AC), and processing logic (P) connected to the plurality of signal
inputs (S) and plurality of signal outputs (AC), the processing logic comprising a
channel A part (PA) and a channel B part (PB) for each railway crossing logic function,
wherein the plurality of signal inputs (S) are each connected to both the channel
A part (PA) and the channel B part (PB) of the processing logic (P) to input a channel
A signal (DI-A) and channel B signal (DI-B),
each of the channel A part (PA) and the channel B part (PB) comprising an AND logic
gate (AA; AB) receiving a direct signal (DI-A; DI-B) and a cross check signal (DI-AtoB;
DI-BtoA) and outputting an internal data signal (DII),
the cross check signal (DI-AtoB; DI-BtoA) being provided by a first data exchange
channel (SE-A) between the channel A part (PA) and the channel B part (PB).
2. Control system according to claim 1, wherein an output signal (DO) associated with
each railway crossing logic function is arranged in either a redundant availability
implementation, 2oo2, or a redundant implementation with diagnostics, 2oo2d.
3. Control system according to claim 2, wherein the redundant availability implementation,
2oo2, comprises an OR logic gate (OR) receiving the output signals of the channel
A part (DO-A) and the channel B part (DO-B) for a specific railway crossing logic
function, and providing an associated output signal (DO).
4. Control system according to claim 3, wherein the specific railway crossing logic function
comprises one or more of:
actuation of railway crossing barrier closing; actuation of railway crossing barrier
opening; actuation of red lights; actuation of warning sound; actuation of traffic
radar device.
5. Control system according to claim 2, wherein the control system further comprises
a diagnostic unit (D), and the redundant implementation with diagnostics comprises
an OR logic gate (OR) receiving the output signals of the channel A part (DO-A) and
the channel B part (DO-B) for a specific railway crossing logic function, and
wherein the diagnostic unit (D) is arranged to receive the railway crossing logic
function output signals of the channel A part (DO-A) and the channel B part (DO-B),
and to bring the signal output (DO) of the associated specific railway crossing logic
function to a safe state if the railway crossing logic function output signals of
the channel A part (DO-A) and the channel B part (DO-B) are different.
6. Control system according to claim 5, wherein the diagnostic unit (D) is connected
to railway crossing logic function output signals of the channel A part (DO-A) and
of the channel B part (DO-B) via a respective second data exchange channel (SD-A;
SD-B).
7. Control system according to claim 5 or 6, wherein the diagnostic unit (D) is further
arranged to provide an alert signal if the signal outputs of the channel A part (DO-A)
and the channel B part (DO-B) are different.
8. Control system according to any one of claims 5-7, wherein the specific railway crossing
logic function comprises one or more of:
actuation of white lights; output signals to a signal post.
9. Control system according to any one of claims 5-8, wherein the diagnostic unit (D)
is further arranged to execute a self-test.
10. Control system according to any one of claims 5-9, wherein the processing logic (P)
is arranged to generate a warning signal if the diagnostic unit (D) is non-functional
for more than a predetermined time period.
11. Control system according to any one of claims 5-10, further comprising a switch (R)
connected to the diagnostic unit (D), wherein the switch (R) is arranged to bring
the signal output (DO) of the associated specific railway crossing logic function
to a safe state.
12. Control system according to any one of claims 1-11, wherein the plurality of signal
inputs (S) are each connected to both the channel A part (PA) and the channel B part
(PB) of the processing logic (P) via a separate signal adaptation unit (TA; TB).
13. Control system according to any one of claims 1-12, wherein the processing logic (P)
comprises a programmable logic control (PLC) unit having a reliability level in accordance
with SIL-4.
14. Control system according to claim 13, wherein a PLC unit is connected to one or more
remote I/O units.