Railway train critical systems having control system redundancy and asymmetric communications capability

DC CAFC

US 8,714,494 B2
Filed: 09/10/2012
Issued: 05/06/2014
Est. Priority Date: 09/10/2012
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A control system for a railway vital application system, comprising:

a first controller having an external bilateral communications interface capable of sending and receiving a vital systems message within a railway vital application system, the message including a security code and vital data;

a second controller having an external communications interface capable of receiving a vital systems message, but incapable of sending a vital systems message that is generated within the second controller, the second controller having a security code generator; and

an inter-controller communications pathway coupling the first and second controllers;

wherein the first and second controllers respectively receive an input vital systems message including input vital systems data and an input security code, verify the input message integrity and generate output vital systems data, the second controller generates an output security code and sends it to the first controller, and the first controller sends an output vital systems message including the output vital systems data and the second controller output security code for use within the railway vital application system.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A railway vital or critical application system substitutes commercial off-the-shelf (COTS) hardware and/or software for railway-domain specific product components, yet is validated to conform with railway vital system failure-free standards. The vital system uses a pair of COTS personal computers and operating systems with asymmetric communications capability. Each computer and operating system may differ for additional redundancy. Both computers receive and verify vital systems input message data and security code integrity and separately generate output data responsive to the input message. The first computer has sole capability to send vital system output messages including the output data and an output security code, but only the second computer has the capability of generating the output security code. A failure of either computer'"'"'s hardware, software or processing capability results failure to transmit a vital system output message or an output message that cannot be verified by other vital systems.

Citations

20 Claims

1. A control system for a railway vital application system, comprising:
- a first controller having an external bilateral communications interface capable of sending and receiving a vital systems message within a railway vital application system, the message including a security code and vital data;
  
  a second controller having an external communications interface capable of receiving a vital systems message, but incapable of sending a vital systems message that is generated within the second controller, the second controller having a security code generator; and
  
  an inter-controller communications pathway coupling the first and second controllers;
  
  wherein the first and second controllers respectively receive an input vital systems message including input vital systems data and an input security code, verify the input message integrity and generate output vital systems data, the second controller generates an output security code and sends it to the first controller, and the first controller sends an output vital systems message including the output vital systems data and the second controller output security code for use within the railway vital application system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the first and second controllers compare their respective input message integrity verifications prior to generating respective output vital systems data.
  - 3. The system of claim 2, wherein the first and second controllers compare their respective output vital systems data.
  - 4. The system of claim 3, wherein the first and second controllers compare their respective output vital systems data prior to generation of the output security code.
  - 5. The system of claim 1, wherein the first controller verifies output vital systems data integrity before sending the output vital systems message.
  - 6. The system of claim 1, wherein the first and second controllers comprise personal computers selected from the group consisting of respectively having at least one of different microprocessors, operating systems or software instruction sets.
  - 7. The system of claim 1 wherein the functions of at least one of the controllers is virtually simulated.
  - 8. A railway vital application system comprising the control system of claim 1.
  - 9. A railway vital application system comprising the control system of claim 6.

10. A railway system comprising:
- a plurality of control systems for controlling railway vital systems, the control systems communicatively coupled to each other for receipt and transmission of vital systems messages respectively having vital data and a security code, the respective control systems comprising;
  
  a first controller having an external bilateral communications interface capable of sending and receiving a vital systems message that is generated within the railway system;
  
  a second controller having an external communications interface capable of receiving a vital systems message, but incapable of sending a vital systems message that is generated within the second controller, the second controller having a security code generator; and
  
  an inter-controller communications pathway coupling the first and second controllers;
  
  wherein the first and second controllers respectively receive an input vital systems message including input vital systems data and an input security code, verify the input message integrity and generate output vital systems data, the second controller generates an output security code and sends it to the first controller, and the first controller sends an output vital systems message including the output vital systems data and the second controller output security code, for use within the railway system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The railway system of claim 10, wherein the first and second controllers compare their respective input message integrity verifications prior to generating respective output vital systems data.
  - 12. The railway system of claim 11, wherein the first and second controllers compare their respective output vital systems data.
  - 13. The railway system of claim 12, wherein the first and second controllers compare their respective output vital systems data prior to generation of the output security code.
  - 14. The railway system of claim 10, wherein the first controller verifies output vital systems data integrity before sending the output vital systems message.
  - 15. The railway system of claim 10, wherein within each respective control system the first and second controllers comprise personal computers selected from the group consisting of respectively having at least one of different microprocessors, operating systems or software instruction sets.
  - 16. The railway train of claim 15, wherein each respective control system the computers have different hardware and different operating systems.

17. A method for controlling a railway vital application control system, comprising:
- receiving with respective first and second controllers a vital systems input message that is generated within a railway vital application system that includes a security code and vital data, and independently verifying the input message integrity;
  
  independently generating output vital systems data in response to the input message with the respective first and second controllers;
  
  generating an output security code only with the second controller and sending the generated output security code to the first controller; and
  
  assembling and sending an output vital systems message including the output vital systems data and second controller output security code with the first controller.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising comparing first and second controllers respective input message integrity verifications prior to generating respective output vital systems data.
  - 19. The method of claim 18, further comprising comparing first and second controllers respective output vital systems data.
  - 20. The method of claim 19, further comprising comparing first and second controllers respective output vital systems data prior to generating the output security code.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Siemens Mobility, Inc. (Siemens AG)
Original Assignee
Siemens Industry Incorporated (Siemens AG)
Inventors
Weber, Claus
Primary Examiner(s)
Tarcza, Thomas
Assistant Examiner(s)
GOLDMAN, RICHARD A

Application Number

US13/608,313
Publication Number

US 20140074327A1
Time in Patent Office

603 Days
Field of Search

None
US Class Current

246/131
CPC Class Codes

B61L 15/0027   Radio-based, e.g. using GSM-R

B61L 15/0063   Multiple on-board control s...

B61L 27/70   Details of trackside commun...

B61L 29/00   Safety means for rail/road ...

Railway train critical systems having control system redundancy and asymmetric communications capability

First Claim

3 Assignments

Litigations

1 Petition

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Railway train critical systems having control system redundancy and asymmetric communications capability

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links