U.S. patent application number 15/738416 was filed with the patent office on 2018-06-21 for control arrangement for a vehicle.
The applicant listed for this patent is SIEMENS AKTIENGESELLSCHAFT. Invention is credited to HARALD FISCHER.
Application Number | 20180170412 15/738416 |
Document ID | / |
Family ID | 56116401 |
Filed Date | 2018-06-21 |
United States Patent
Application |
20180170412 |
Kind Code |
A1 |
FISCHER; HARALD |
June 21, 2018 |
CONTROL ARRANGEMENT FOR A VEHICLE
Abstract
A control arrangement for a vehicle, in particular a rail
vehicle, includes an operational control system which has at least
one central control unit, a set of decentralized sub-system
controllers and a control network to which the control unit and the
sub-system controllers are connected. In order to ensure that the
control satisfies high safety requirements, the control arrangement
has an operational control module which is different from the
control unit, is connected to the control network and has a data
connection unit which is different from the control network and by
which the operational control module is connected by data
technology to the sub-system controllers. A vehicle having the
control arrangement and an operational control module forming the
control arrangement in cooperation with an operational control
system, are also provided.
Inventors: |
FISCHER; HARALD; (FUERTH,
DE) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
SIEMENS AKTIENGESELLSCHAFT |
Munchen |
|
DE |
|
|
Family ID: |
56116401 |
Appl. No.: |
15/738416 |
Filed: |
May 24, 2016 |
PCT Filed: |
May 24, 2016 |
PCT NO: |
PCT/EP2016/061710 |
371 Date: |
December 20, 2017 |
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
B61L 2027/0044 20130101;
B61L 15/0063 20130101; B61L 15/0036 20130101; B61L 27/0038
20130101; B61L 3/006 20130101 |
International
Class: |
B61L 15/00 20060101
B61L015/00; B61L 3/00 20060101 B61L003/00 |
Foreign Application Data
Date |
Code |
Application Number |
Jun 23, 2015 |
DE |
102015211587.9 |
Claims
1-15. (canceled)
16. A control arrangement for a vehicle or a rail vehicle, the
control arrangement comprising: an operational control system
including a control network, at least one central control unit
connected to said control network and a set of decentralized
sub-system controls connected to said control network; and an
operational control module being different from said at least one
central control unit, being connected to said control network and
having a data connection unit being different from said control
network, said data connection unit connecting said operational
control module by data technology to said sub-system controls.
17. The control arrangement according to claim 16, wherein said
operational control module is configured to transfer at least one
item of information to one of said sub-system controls for
safety-compliant performance of a task of said one sub-system
control.
18. The control arrangement according to claim 17, wherein said
operational control module is configured to determine the at least
one item of information before the transfer, in dependence on the
task to be performed.
19. The control arrangement according to claim 17, wherein said
operational control module is configured to at least one of acquire
the at least one item of information before the transfer by using
said data connection unit or to transfer the at least one item of
information to said one sub-system control by using said data
connection unit.
20. The control arrangement according to claim 16, which further
comprises interfaces connecting said operational control module and
said sub-system controls to said control network.
21. The control arrangement according to claim 16, wherein said
operational control module is configured to carry out a consistency
check in relation to an item of information received from said
control network and an item of information received from said data
connection unit.
22. The control arrangement according to claim 16, wherein said
operational control module is configured to monitor at least one
operational process of one of said sub-system controls by
evaluating a first item of information received from said control
network relating to said one sub-system control and a second item
of information received from said connection unit relating to said
one sub-system control.
23. The control arrangement according to claim 16, which further
comprises a vehicle bus connecting said control network to a
further control network of the vehicle, said data connection unit
being formed at least partially by said vehicle bus.
24. The control arrangement according to claim 16, wherein said
sub-system controls are components of a set including a control of
a vehicle door system, a braking control, a drive control, a
control of a vehicle protection system, and a control of a
human-machine interface.
25. The control arrangement according to claim 16, which further
comprises a set of sensor units connected to said control network
and to said operational control module.
26. The control arrangement according to claim 16, wherein said
operational control module has a computer unit including at least
two processors (62, 64).
27. The control arrangement according to claim 26, wherein said at
least two processors include a first processor for carrying out
communication tasks and a second processor for carrying out other
tasks.
28. The control arrangement according to claim 16, wherein said
operational control module is configured to initiate a
safety-related braking of the vehicle.
29. A vehicle or a rail vehicle, comprising a control arrangement
according to claim 16.
30. An operational control module forming a control arrangement
according to claim 16 in cooperation with an operational control
system.
Description
[0001] The invention relates to a control arrangement for a
vehicle, in particular a rail vehicle, having an operational
control system which comprises at least one central control unit, a
set of decentralized sub-system controls and a control network to
which the control unit and the sub-system controls are
connected.
[0002] Vehicles, in particular rail vehicles, having an operational
control system are known.
[0003] It is an object of the invention to provide a control
arrangement which meets high safety requirements.
[0004] For this purpose, it is proposed that the control
arrangement comprises an operational control module which is
different from the control unit and is connected to the is control
network and has a data connection unit which is different from the
control network, by means of which the operational control module
is connected by data technology is to the sub-system controls. By
this means, a control arrangement can be provided which has a high
level of redundancy. Particularly advantageously, an existing
control arrangement of the vehicle can be improved to the effect
that the control arrangement comprising the operational control
system and the components which complement said operational control
system and are formed by the module and the data connection unit,
satisfies high safety requirements. This is advantageous--in
particular in the field of rail vehicle operation--with regard to
costly approval procedures, since an increase in the safety level
is possible by means of which a costly process for furnishing proof
for the existing operational control system can be avoided during
the approval of the control arrangement. The expression "safety"
should be understood in this text to mean, in particular, safety
with regard to the protection of persons. In the English specialist
terminology, this type of safety is denoted with the expression
"safety". In particular--in the field of rail vehicle
operation--"safety" can be understood within the meaning of the
standards for functional safety in the railway industry, e.g. as
defined by the standards EN 50126, 50128, 50129 and/or 50159. A
"safety level" can be understood, in particular, to be a safety
integrity level (also known by the abbreviation "SIL"). In
particular, it is possible with the proposed control arrangement to
complement an operational control system having a safety is level
SIL 0 or SIL 1 such that the resulting control arrangement has at
least a safety level SIL 2.
[0005] The operational control system is preferably provided for is
controlling vehicle basic functions. Such vehicle basic functions
include, in particular, a vehicle operation with drive rolling and
braking phases, controlling of the vehicle doors and a
human-machine communication for the vehicle driver.
[0006] An operational equipment sub-system--referred to in this
text as a "sub-system"--denotes, respectively, an operational
equipment unit with an associated functionality or a combination of
operational equipment units which are grouped together under this
term according to an allocated functionality. Examples of
sub-systems are "doors", "brakes", "air-conditioning", "train
protection system", "passenger information system". The sub-system
controls can be implemented as drive control, braking control,
control of the vehicle door system, control of a human-machine
interface for an input of information by the vehicle driver and/or
an output of information to the vehicle driver, control of a
vehicle protection system. Particularly associated with these basic
functions are the aspects mentioned above of the personal
protection-related safety.
[0007] The implementation of each vehicle basic function can be
associated with at least one task of the corresponding sub-system
control. The control unit is considered, in relation to the
sub-system controls which carry out these tasks of the respective
local operational equipment sub-systems as a higher-order or
"central" control unit. In order to distinguish the sub-system
controls from the control unit, they are referred to as
"decentralized" sub-system controls. The control unit is in
particular configured, in relation to the sub-system controls, as a
central control unit in that, during operation for at least one,
preferably for each of the tasks to be carried out by the
sub-system controls, it monitors said task.
[0008] The central control unit can have the function, for example,
at least of a bus administration in the control network. Herein, it
administers a data communication between the bus participants
connected to the control network. The control network herein has,
in particular, a bus topology in which for data communication, a
point-to-multipoint connection is implemented.
[0009] The control unit can also be configured in relation to the
sub-system controls as an input-output controller. This is
suitable, in particular, for an embodiment of the control network
with a network topology in which for data communication, a
point-to-point connection from subscriber terminal to subscriber
terminal is realized.
[0010] The control network is preferably configured as an Ethernet
network. In a particular embodiment, the control network can be a
Profinet network. The control network can also have a ring
topology.
[0011] The operational control module is preferably physically
different from the control unit. In particular, the control unit
and the module can be arranged in housing units which are separable
from one another. This is advantageous in relation to an upgrading
of an existing operational control system. The data connection unit
is preferably also physically different from the control network.
Herein, the control network and the data connection unit preferably
have different conductors.
[0012] According to a preferred embodiment of the invention, the
operational control module is provided, with regard to a task of a
sub-system control to transfer to the sub-system control at least
one item of information for safety-compliant performance of the
task. "Safety-compliant" performance of a task should be understood
to mean performance according to a safety regulation relevant to
the task, in particular, at least one applicable safety standard.
Such an item of information can also be referred to as
"safety-relevant" information. In particular, it is characteristic
of a particular operating state of the vehicle. For example, it can
be configured as velocity information that is characteristic of the
vehicle velocity.
[0013] In this regard, a redundant transfer of a particular item of
safety-relevant information to the sub-system control can take
place by means of the operational control module. If the transfer
of an item of safety-relevant information regarding a particular
operating state of the vehicle to the sub-system control is already
provided via the control network, in addition, the transfer of an
item of different safety-relevant information to the sub-system
control that is characteristic for the same operating state can
take place by means of the operational control module. By means of
these items of information, a diverse provision of information
regarding a particular operating state can be achieved.
[0014] Furthermore, it is proposed that the operational control
module is provided, dependent upon the task to be carried out, to
determine the item of information before the transfer. By this
means, rapid provision of the information can be achieved
independently of the typical computation time of the central
control unit. Herein, the operational is control module is
advantageously programmed to determine the at least one
safety-relevant item of information itself. Herein, the operational
control module suitably determines by means of its own computation
and storage unit which safety-relevant item of information is
necessary for the task to be carried out by the sub-system control.
Following the determination of the information, acquisition thereof
can take place by means of the operational control module.
[0015] Furthermore, it is advantageous if the operational control
module is provided to acquire the information before the transfer
by means of the data connection unit and/or to transfer the
information to the sub-system control by means of the data
connection unit. By this means, a rapid acquisition and/or a rapid
transfer of the information can be achieved. The operational
control module advantageously has the function--as compared with a
sensor unit and/or a further sub-system control--of an input module
and/or--as compared with the sub-system control relating to the
task--of an output module. For this purpose, it is herein
advantageously provided to read in, by means of the data connection
unit, at least one variable from a sensor unit and/or a further
sub-system control and/or to output, by means of the data
connection unit, a variable for the sub-system control. With this
output function, the operational control module is usefully
provided, by means of the data connection unit, to provide a
communication channel in addition to the control network for
communication of at least one variable to the sub-system control.
In an advantageous embodiment in which a diverse provision of
information takes place regarding a particular operating state, one
item of the information is advantageously is transferred by means
of the data connection unit to the sub-system control.
[0016] An advantageous modularity can be achieved in the structure
of the control arrangement if the operational control module and
the sub-system controls are connected via similar interfaces to the
control network. By this means, a simple enhancement, in particular
an upgrading of the operational control system can be achieved.
This upgrading thus requires few changes in the existing
operational control system. In particular, the influence of the
connection to the operational control system takes place upon
approval aspects such that approval-related changes to the system
can thereby be prevented. The interfaces for the sub-system
controls and the module are advantageously unified by
communications technology and/or physically. The interfaces can be
similar, at least according to one communication protocol, in
particular, with regard to a data communication with the central
control unit. Advantageously, it can thereby be achieved that the
operational control module is connected to the control network such
that it is perceived by the control unit functionally, in
particular with regard to communication technology, as a
decentralized sub-system control. The interfaces are preferably
similar with regard to a physical connection possibility.
[0017] A high safety level can also be achieved if the operational
control module is provided to carry out a consistency check in
relation to an item of information received by means of the control
network and an item of information received by means of the data
connection unit. In particular, the correctness and/or reliability
of an item of information present in the operational control
system, in particular, a safety-relevant item of information, can
be checked by the is module. If this information is a first item of
information characteristic of an operating state of the vehicle,
the consistency checking can comprise the acquisition of the is
same information by means of the module and/or the acquisition of a
second, different item of information characteristic for the
operating state by means of the module.
[0018] Suitably, the operational control module is provided, by
evaluating a first item of information received by means of the
control network relating to a sub-system control and a second item
of information received by means of the connection unit relating to
the sub-system control, to monitor at least one operational process
of the sub-system control, so that a high level of safety can be
achieved during the operation of the vehicle.
[0019] In an advantageous development of the invention, the data
connection unit is provided at least for digital transmission.
Herein, the operational control module advantageously has at least
one interface unit with input interfaces provided for the digital
input of data and for the digital output of data, to which
conductors of the data connection unit that are provided for
digital transfer are connectable.
[0020] In particular, it is proposed that the data connection unit
has Ethernet connections.
[0021] Furthermore, a network of simple construction can be
achieved if the control arrangement has a vehicle bus which
connects the control network to a further control network of the
vehicle wherein the data connection unit is formed by the vehicle
bus. If the vehicle is configured as a chain of cars, in
particular, in the case of a rail vehicle, the control networks are
each associated, in particular, with at least one different car of
the vehicle. Furthermore, groups of coupled cars can each be
defined as an operational control unit (including known under the
expression "consist"), wherein the control networks are each
associated with a different unit. In the cases mentioned, the
vehicle bus extends over a plurality of cars of the vehicle, in
particular, over the whole vehicle. If relevant, the vehicle bus
can connect a plurality of similar vehicles that are coupled to one
another. The vehicle bus can be constructed, for example, according
to a standard, e.g. as a WTB (wire train bus) or as an ETB
(Ethernet train backbone) bus.
[0022] Furthermore, a reliable acquisition of operating variables
can be achieved if the control arrangement has a set of sensor
units which are connected to the control network and the
operational control module.
[0023] A further increase in the safety level of the control
arrangement can be achieved in that the operational control module
has a computer unit which comprises at least two processors.
Particularly advantageously, the processors can be of different
construction types and/or diversely programmed.
[0024] Herein, a high level of safety can be achieved with regard
to the data communication if a first processor is provided for
carrying out communication tasks and a second processor is provided
for carrying out other tasks. A communication task suitably
comprises at least the administration of a data communication with
the units connected to the module.
[0025] It is further advantageous if the operational control module
is provided to initiate a safety-related braking of the vehicle.
For this purpose, a direct connection of the operational control
module with a braking control, in particular braking master valves
preferably exists. Braking can be triggered, in particular, by
means of the module if the aforementioned consistency checking
and/or monitoring have failed. By means of the braking, the vehicle
can be brought into a safe state.
[0026] An exemplary embodiment of the invention will now be
described by reference to the figures. In the drawings:
[0027] FIG. 1: is a representation of a rail vehicle with
operational equipment sub-systems in a schematic side view,
[0028] FIG. 2: is a representation of a control arrangement of the
rail vehicle of FIG. 1 with an operational control system and an
operational control module,
[0029] FIG. 3: is a schematic representation of the operational
control system, the module and the communication connections
creatable between these,
[0030] FIG. 4: is the operational control system and the module
which is connected to a display unit and an input device of the
rail vehicle, and
[0031] FIG. 5: is a detail view of the operational control
module.
[0032] FIG. 1 shows a rail vehicle 10 in a schematic side view. The
rail vehicle 10 is configured as a chain of a plurality of cars
12.1, 12.2, etc., which are mechanically coupled to is one another
and form a train unit. In the embodiment under consideration, the
rail vehicle 10 is configured as a so-called multiple unit. For
this purpose, at least one of the cars of the chain is provided
with a drive unit 14 for driving at least one axle 16. The drive
unit 14 has an electric motor (not shown). In a further embodiment,
it is conceivable that the rail vehicle 10 is configured as a
single motorized car. Furthermore, the rail vehicle 10 can have a
chain of driveless passenger cars which is coupled to at least one
traction vehicle, e.g. a locomotive.
[0033] The rail vehicle 10 has a number of operational equipment
units, as known, which enable an operation of the rail vehicle 10.
These can be configured, in particular, as control unit, sensor
unit and/or actuator system unit.
[0034] The operational equipment units 20 shown by way of example
in FIG. 1 are provided as operational equipment units 20.1 of the
drive unit 14, operational equipment units 20.2 of a braking
apparatus 19, operational equipment 20.3 and 20.4 of a door
apparatus, operational equipment 20.5 of an air-conditioning unit,
operational equipment 20.6 of a passenger information system,
operational equipment 20.7 and 20.8 of a human-machine interface
for the traction vehicle driver, operational equipment 20.11 of an
emergency brake apparatus and operational equipment 20.13 of a
train protection system.
[0035] An "operational equipment sub-system"--referred to in this
text as a "sub-system"--denotes, respectively, a combination of
operational equipment units 20 which are grouped together under
this term according to an allocated functionality. Examples of
sub-systems are "doors", "brakes", "air-conditioning", "train
protection system", "passenger information system". As train
protection systems, for example, PZB ("punctiform train
influencing"), LZB ("linear train influencing"), ETCS ("European
Train Control System") are conceivable.
[0036] FIG. 2 shows an operational control system 22 of the rail
vehicle 10 in a schematic view. This comprises a control network 24
which has a ring-shaped network structure. It is configured as an
Ethernet network, in particular, according to the Profinet
standard. The system 22 also has a control unit 26 which is
connected to the control network 24. The operational equipment
sub-systems mentioned above each have at least one sub-system
control 28 which is provided for controlling one or more
operational equipment units of the corresponding operational
equipment sub-systems. The sub-system controls 28 are each provided
for controlling a task in conjunction with the functionality
associated with the respective sub-system. Shown in the drawing as
the sub-system control 28.1 is a drive control, as the sub-system
control 28.2 is a braking control, as the sub-system control 28.3
is a control system of the vehicle door system, as the sub-system
controller 28.13 is a control of the train protection system. These
controls are also shown in FIG. 1.
[0037] The sub-system controls 28 are each connected to the control
network 24 by means of an interface 30. The interfaces 30 are
connected into the network structure. Also arranged in the network
structure are further interfaces 32. A set of sensor units 34 and
an actuator unit 36 are connected to interfaces 32. The control
unit 26 and the operational equipment 20.8 configured as a display
unit of the human-machine interface are connected to a further
interface 32. The operational equipment 20.7 provided as an input
device for the input of train data is also connected to the control
network 24. The interfaces 30 and 32 each have, in particular, a
switch functionality.
[0038] The interfaces 30 and 32 are each provided in the control
network 24 as input-output modules by means of which a data traffic
is generated between the respective participant, in particular an
associated sub-system control 28, and the central control unit 26.
The control unit 26 is considered, in relation to the sub-system
controls 28 which carry out local tasks of the respective
operational equipment sub-systems, as a "central" control unit. In
order to distinguish the sub-system controls 28 from the control
unit 26, these are named "decentralized" sub-system controls 28.
The control unit 26 is configured, in relation to the sub-system
controls 28, as an input-output controller which, for each of the
automation tasks respectively to be carried out by the sub-system
controls 28, controls said task.
[0039] The interfaces 30 and 32 are similar in their function for
creating a communication between the respective connected
participant and the central control unit 26. They can have
physically different forms that are specific in relation to the
function of the connected participant. The interfaces 30 can be
configured, for example, as a plug-in card of a computer unit,
whereas the interfaces 32 can be configured, in particular, as
components of programmable controls. The grouping together of a
plurality of interfaces 32 in a coherent module or the arrangement
of these interfaces 32 into a common housing unit are indicated by
a dashed outline.
[0040] The control network 24 further comprises a vehicle bus
connection unit 38 which forms an interface between the control
network 24 and a vehicle bus 40. The vehicle bus 40 extends over a
plurality of cars 12, in particular over the whole rail vehicle 10
and connects the control network 24 to a further, similar control
network of the rail vehicle 10 (not shown), where relevant, to a
control network of a similar rail vehicle coupled to the rail
vehicle 10. The vehicle bus 40 can be configured, for example, as
an Ethernet bus. The vehicle bus connection unit 38 can be equipped
with a gateway functionality by means of which the control network
24 is connected as a sub-network to the higher order train
network.
[0041] Also connected to the control network 24 is an operational
control module 42. This differs physically from the central control
unit 26. In particular, the control unit 26 and the module 42 are
arranged in different housing units. The module 42 is furthermore
connected by means of a data connection unit 44 through data
technology to the sub-system controls 28 and the sensor units 34.
This data connection unit 44 is physically different from the
control network 24. In particular, the data connection unit 44 has
conductors that are different from conductors of the control
network 24.
[0042] The operational control module 42 has a computer unit 45
(see FIGS. 3 to 5), an interface unit 46 and a bus connection unit
48.
[0043] The bus connection unit 48 has a first connection 48.1 by
means of which the module 42 is connectable to the control network
24. The connection 48.1 is connected via an interface 30 to the
control network 24. A connection via an interface 32 is also
conceivable. The module 42 and the sub-system controls 28 are thus
connected to the control network 24 by means of similar
interfaces.
[0044] In particular, it can thereby be achieved that the module 42
is functionally perceived by the control unit 26 as a sub-system
control.
[0045] The module 42 is connected to the vehicle bus 40 by means of
a second connection 48.2. One or more further connections 48.3 can
be provided by means of which the module 42 is connectable to
further buses 50.1, 50.2 (see FIGS. 3 and 5), for example, a CAN
("Control Area Network") bus or an MVB ("Multifunction Vehicle
Bus").
[0046] As shown in FIG. 5, the interface unit 46 has input
interfaces 46.1 provided for the digital input of data and output
interfaces 46.2 provided for the digital output of data. In
addition, the interface unit 46 can comprise input interfaces 46.3
for the analogue input of data and output interfaces 46.4 for the
analogue output of data.
[0047] The module 42 is preferably connected by means of the
digital interfaces 46.1, 46.2 via data technology and conductors of
the data connection unit 44 to the sub-system controls 28. For this
purpose, the data connection unit 44 is equipped at least with
conductors which are provided for digital data transmission. In
particular, conductors can be formed by Ethernet cables.
[0048] The function of the module 42 will now be described in
greater detail on the basis of a first implementation example.
[0049] This implementation example relates to the sub-system
"doors" which comprises the sub-system control 28.3 that is
connected to the control network 24. The doors of the rail vehicle
10 can only be released by the vehicle driver for opening when the
rail vehicle 10 has reached a standstill. According to one safety
requirement, the acquisition of the "stopped" operating state of
the rail vehicle 10 by the sub-system control 28.3 must take place
diversely. A first variable provided for the sub-system control
28.3 corresponds to the speed of the rail vehicle 10. This can be
transferred by means of the control network 24 following
acquisition by a sensor unit 34 and/or after transfer by the train
protection system to the sub-system control 28.3. A second variable
provided for the sub-system control 28.3 is a characteristic
variable which characterizes the operating state of the sub-system
control 28.1 which corresponds to the drive control. For example,
from the variable, the operating state in which the drive control
outputs no clock commands for power electronic components of the
drive unit 14 should be determinable.
[0050] For this purpose the module 42 independently determines,
from the available information of the operational control system
22, the information required for safety-compliant performance of
the task of the sub-system control 28.3 (release of the doors) that
is required and specifically determines that the variable is
required for the clock state of the drive control. The module 42
serves to provide the variable for this information, and is
connected by data technology via the data connection unit 44 to the
sub-system control 28.1. It acquires the variable of the sub-system
control 28.1 via the data connection unit 44 and transfers it via
the data connection unit 44 to the sub-system control 28.3. If the
velocity "0" and the operating state "no clocking" of the
sub-system control 28.3 exist, this can place the vehicle door
system in a state in which the doors can be freed to open.
[0051] The sub-system control 28.3 thus receives two variables over
two separate, physically different transmission channels. The
module 42 therefore provides, by means of the data connection unit
44, a communication channel that is redundant in relation to the
control network 24, by means of which the variable "operating state
of the drive control" is transmitted to the sub-system control
28.3. The release of the doors is closely associated with the
protection of persons. The processes of the sub-system control 28.3
must then fulfill safety-critical requirements--in the specialist
language called "safety" requirements. The variables upon which the
door release is based are therefore safety-critical items of
information in this relation, which is transferred via the control
network 24 and by means of the module 42 via the data connection
unit 44 to the sub-system control 28.3.
[0052] FIG. 3 shows in a schematic and abstracted representation
the module 42, the operational control system 22, the vehicle bus
40 and the connections existing between these.
[0053] The module 42 is connected via an interface 30 to the
operational control system 22. It is also connected via the
interface unit 46 and the data connection unit 44 by means of data
technology to the sub-system controls 28. The connection of the
module 42 to the vehicle bus 40 and to further buses 50.1, 50.2,
for example a CAN bus and an MVB bus, takes place via the bus
connection unit 48. The operational control system 22 is connected
via the vehicle bus connection unit 38 of the control network 24 to
the vehicle bus 40 and via suitable interfaces to the further buses
50.1, 50.2.
[0054] It is apparent, in particular, from this drawing that the
module 42 and the data connection unit 44 can be used in the form
of a retrofitting system which is used in combination with an
existing operational control system 22.
[0055] Based upon FIG. 3, an embodiment is also shown in which
alternatively or additionally, conductors of the vehicle bus 40
form a constituent of the data connection unit 44. Herein, a
communication between the module 42 and a sub-system control 28 can
take place via the vehicle bus 40. This is shown dashed in the
drawing.
[0056] A further exemplary embodiment will now be described on the
basis of FIG. 4. This shows the operational control system 22, the
module 42, the sub-system control 28.13 of the train protection
system, a sensor unit 34 configured as a velocity sensor, the
operational equipment 20.7 and 20.8 of the human-machine interface,
which correspond to the input device for the input of train data
and/or the display unit.
[0057] As described above, the module 42 is connected via its
connection 48.1 and an interface 30 to the operational control
system 22. The operational equipment 20.7 configured as an input
device is connected to the control network 24 and via the data
connection unit 44 to the module 42 (see also FIG. 2). This also
applies to the operational equipment 20.8 configured as a display
unit.
[0058] The connection of the operational equipment 20.7, 20.8 takes
place, in particular by means of an equipment connection unit 52
which is different from the interface unit 46. For example, the
connections to the operational equipment 20.7, 20.8 are realized
via serial interfaces. The connection of the module 42 to the
sub-system control 20.13 of the train protection system takes place
by means of a digital interface 46.1. The connection of the module
42 to the sensor unit 34 takes place, for example, by means of an
analogue interface 46.3.
[0059] The module 42 is provided to monitor the input of train data
via the operational equipment 20.7. For this purpose, it carries
out a consistency check, as described below. By means of the direct
connection provided by the data connection unit 44 of the module 42
to the operational equipment 20.7, a value input by the operating
person can be acquired by the module 42. By means of the connection
to the control network 24, the module 42 can also receive the value
which has been acquired on input by the operating person from the
operational control system 22. In this way, it can be checked by
the module 42 whether the two received items of information are
consistent with one another.
[0060] Furthermore, the module 42 serves to monitor the acquisition
of the vehicle velocity. For this purpose also, it carries out a
consistency check. It receives, by means of the connection to the
control network 24, a first item of velocity information which is
available in the operational control system 22 and is to be taken
into account for the performance of safety-critical tasks. It also
receives, by means of the data connection unit 44, an item of
velocity information from the sub-system control 20.13 of the train
protection system. By means of a comparison of the velocity
information, the module 42 can carry out a consistency check. In
addition, a further item of velocity information can be derived
from the sensor unit 34 as additional information. For example, the
sensor unit 34 shown can be configured as a radar sensor.
[0061] Furthermore, the operational control module 42 is provided
in order to monitor the display of the velocity value by the
operational equipment 20.8. For this purpose, it receives an item
of velocity information by means of the control network 24 of the
operational control system 22. This corresponds to the velocity
information which is transferred via the control network 24 to the
operational equipment 20.8. By means of the data connection unit
44, the module 42 receives the velocity value that is displayed by
the operational equipment 20.8. The operational equipment 20.8 has
a display 54 and a display memory 56 which is connected by means of
data technology to an interface 58 for connection to the data
connection unit 44.
[0062] The velocity value is read out from the display memory and
is transferred via the data connection unit 44 to the module 42.
The module compares the velocity information received from the
system 22 with the velocity value received from the operational
equipment 20.8 via the data connection unit 44.
[0063] If one of the above-described consistency checks or
monitorings is failed in that an inconsistency is determined
between two compared values, a safety-related braking of the
vehicle is initiated by the operational control module 42. This
takes place via a direct connection of the module 42 to a braking
control 60. This is configured as a pair of redundant main brake
valves of a pneumatic braking apparatus of the rail vehicle 10.
[0064] FIG. 5 shows the operational control module 42 in a detail
view. The following text is directed to the features of the module
42 that are not mentioned in the above description, for the
avoidance of unnecessary repetitions.
[0065] The computer unit 45 of the module 42 has two processors 62,
64 (see also FIG. 4). These have different constructions and can be
programmed diversely. The bus systems of the two processors are
separated internally and have a separate protocol in order to bring
about a separation necessary from a safety standpoint. The
administration of the communication of the module 42 with the
connected units takes place by means of the processor 64 which is
associated with this task. The module 42 also has an intelligent
RAM/EPROM administration system.
* * * * *