CONTROL ARRANGEMENT FOR A VEHICLE

The invention relates to a control arrangement for a vehicle, in particular a rail vehicle, having an operational control system which comprises at least one central control unit, a set of decentralized sub-system controls and a control network to which the control unit and the sub-system controls are connected.

Vehicles, in particular rail vehicles, having an operational control system are known.

It is an object of the invention to provide a control arrangement which meets high safety requirements.

For this purpose, it is proposed that the control arrangement comprises an operational control module which is different from the control unit and is connected to the is control network and has a data connection unit which is different from the control network, by means of which the operational control module is connected by data technology is to the sub-system controls. By this means, a control arrangement can be provided which has a high level of redundancy. Particularly advantageously, an existing control arrangement of the vehicle can be improved to the effect that the control arrangement comprising the operational control system and the components which complement said operational control system and are formed by the module and the data connection unit, satisfies high safety requirements. This is advantageous—in particular in the field of rail vehicle operation—with regard to costly approval procedures, since an increase in the safety level is possible by means of which a costly process for furnishing proof for the existing operational control system can be avoided during the approval of the control arrangement. The expression “safety” should be understood in this text to mean, in particular, safety with regard to the protection of persons. In the English specialist terminology, this type of safety is denoted with the expression “safety”. In particular—in the field of rail vehicle operation—“safety” can be understood within the meaning of the standards for functional safety in the railway industry, e.g. as defined by the standards EN 50126, 50128, 50129 and/or 50159. A “safety level” can be understood, in particular, to be a safety integrity level (also known by the abbreviation “SIL”). In particular, it is possible with the proposed control arrangement to complement an operational control system having a safety is level SIL 0 or SIL 1 such that the resulting control arrangement has at least a safety level SIL 2.

The operational control system is preferably provided for is controlling vehicle basic functions. Such vehicle basic functions include, in particular, a vehicle operation with drive rolling and braking phases, controlling of the vehicle doors and a human-machine communication for the vehicle driver.

An operational equipment sub-system—referred to in this text as a “sub-system”—denotes, respectively, an operational equipment unit with an associated functionality or a combination of operational equipment units which are grouped together under this term according to an allocated functionality. Examples of sub-systems are “doors”, “brakes”, “air-conditioning”, “train protection system”, “passenger information system”. The sub-system controls can be implemented as drive control, braking control, control of the vehicle door system, control of a human-machine interface for an input of information by the vehicle driver and/or an output of information to the vehicle driver, control of a vehicle protection system. Particularly associated with these basic functions are the aspects mentioned above of the personal protection-related safety.

The implementation of each vehicle basic function can be associated with at least one task of the corresponding sub-system control. The control unit is considered, in relation to the sub-system controls which carry out these tasks of the respective local operational equipment sub-systems as a higher-order or “central” control unit. In order to distinguish the sub-system controls from the control unit, they are referred to as “decentralized” sub-system controls. The control unit is in particular configured, in relation to the sub-system controls, as a central control unit in that, during operation for at least one, preferably for each of the tasks to be carried out by the sub-system controls, it monitors said task.

The central control unit can have the function, for example, at least of a bus administration in the control network. Herein, it administers a data communication between the bus participants connected to the control network. The control network herein has, in particular, a bus topology in which for data communication, a point-to-multipoint connection is implemented.

The control unit can also be configured in relation to the sub-system controls as an input-output controller. This is suitable, in particular, for an embodiment of the control network with a network topology in which for data communication, a point-to-point connection from subscriber terminal to subscriber terminal is realized.

The control network is preferably configured as an Ethernet network. In a particular embodiment, the control network can be a Profinet network. The control network can also have a ring topology.

The operational control module is preferably physically different from the control unit. In particular, the control unit and the module can be arranged in housing units which are separable from one another. This is advantageous in relation to an upgrading of an existing operational control system. The data connection unit is preferably also physically different from the control network. Herein, the control network and the data connection unit preferably have different conductors.

According to a preferred embodiment of the invention, the operational control module is provided, with regard to a task of a sub-system control to transfer to the sub-system control at least one item of information for safety-compliant performance of the task. “Safety-compliant” performance of a task should be understood to mean performance according to a safety regulation relevant to the task, in particular, at least one applicable safety standard. Such an item of information can also be referred to as “safety-relevant” information. In particular, it is characteristic of a particular operating state of the vehicle. For example, it can be configured as velocity information that is characteristic of the vehicle velocity.

In this regard, a redundant transfer of a particular item of safety-relevant information to the sub-system control can take place by means of the operational control module. If the transfer of an item of safety-relevant information regarding a particular operating state of the vehicle to the sub-system control is already provided via the control network, in addition, the transfer of an item of different safety-relevant information to the sub-system control that is characteristic for the same operating state can take place by means of the operational control module. By means of these items of information, a diverse provision of information regarding a particular operating state can be achieved.

Furthermore, it is proposed that the operational control module is provided, dependent upon the task to be carried out, to determine the item of information before the transfer. By this means, rapid provision of the information can be achieved independently of the typical computation time of the central control unit. Herein, the operational is control module is advantageously programmed to determine the at least one safety-relevant item of information itself. Herein, the operational control module suitably determines by means of its own computation and storage unit which safety-relevant item of information is necessary for the task to be carried out by the sub-system control. Following the determination of the information, acquisition thereof can take place by means of the operational control module.

Furthermore, it is advantageous if the operational control module is provided to acquire the information before the transfer by means of the data connection unit and/or to transfer the information to the sub-system control by means of the data connection unit. By this means, a rapid acquisition and/or a rapid transfer of the information can be achieved. The operational control module advantageously has the function—as compared with a sensor unit and/or a further sub-system control—of an input module and/or—as compared with the sub-system control relating to the task—of an output module. For this purpose, it is herein advantageously provided to read in, by means of the data connection unit, at least one variable from a sensor unit and/or a further sub-system control and/or to output, by means of the data connection unit, a variable for the sub-system control. With this output function, the operational control module is usefully provided, by means of the data connection unit, to provide a communication channel in addition to the control network for communication of at least one variable to the sub-system control. In an advantageous embodiment in which a diverse provision of information takes place regarding a particular operating state, one item of the information is advantageously is transferred by means of the data connection unit to the sub-system control.

An advantageous modularity can be achieved in the structure of the control arrangement if the operational control module and the sub-system controls are connected via similar interfaces to the control network. By this means, a simple enhancement, in particular an upgrading of the operational control system can be achieved. This upgrading thus requires few changes in the existing operational control system. In particular, the influence of the connection to the operational control system takes place upon approval aspects such that approval-related changes to the system can thereby be prevented. The interfaces for the sub-system controls and the module are advantageously unified by communications technology and/or physically. The interfaces can be similar, at least according to one communication protocol, in particular, with regard to a data communication with the central control unit. Advantageously, it can thereby be achieved that the operational control module is connected to the control network such that it is perceived by the control unit functionally, in particular with regard to communication technology, as a decentralized sub-system control. The interfaces are preferably similar with regard to a physical connection possibility.

A high safety level can also be achieved if the operational control module is provided to carry out a consistency check in relation to an item of information received by means of the control network and an item of information received by means of the data connection unit. In particular, the correctness and/or reliability of an item of information present in the operational control system, in particular, a safety-relevant item of information, can be checked by the is module. If this information is a first item of information characteristic of an operating state of the vehicle, the consistency checking can comprise the acquisition of the is same information by means of the module and/or the acquisition of a second, different item of information characteristic for the operating state by means of the module.

Suitably, the operational control module is provided, by evaluating a first item of information received by means of the control network relating to a sub-system control and a second item of information received by means of the connection unit relating to the sub-system control, to monitor at least one operational process of the sub-system control, so that a high level of safety can be achieved during the operation of the vehicle.

In an advantageous development of the invention, the data connection unit is provided at least for digital transmission. Herein, the operational control module advantageously has at least one interface unit with input interfaces provided for the digital input of data and for the digital output of data, to which conductors of the data connection unit that are provided for digital transfer are connectable.

In particular, it is proposed that the data connection unit has Ethernet connections.

Furthermore, a network of simple construction can be achieved if the control arrangement has a vehicle bus which connects the control network to a further control network of the vehicle wherein the data connection unit is formed by the vehicle bus. If the vehicle is configured as a chain of cars, in particular, in the case of a rail vehicle, the control networks are each associated, in particular, with at least one different car of the vehicle. Furthermore, groups of coupled cars can each be defined as an operational control unit (including known under the expression “consist”), wherein the control networks are each associated with a different unit. In the cases mentioned, the vehicle bus extends over a plurality of cars of the vehicle, in particular, over the whole vehicle. If relevant, the vehicle bus can connect a plurality of similar vehicles that are coupled to one another. The vehicle bus can be constructed, for example, according to a standard, e.g. as a WTB (wire train bus) or as an ETB (Ethernet train backbone) bus.

Furthermore, a reliable acquisition of operating variables can be achieved if the control arrangement has a set of sensor units which are connected to the control network and the operational control module.

A further increase in the safety level of the control arrangement can be achieved in that the operational control module has a computer unit which comprises at least two processors. Particularly advantageously, the processors can be of different construction types and/or diversely programmed.

Herein, a high level of safety can be achieved with regard to the data communication if a first processor is provided for carrying out communication tasks and a second processor is provided for carrying out other tasks. A communication task suitably comprises at least the administration of a data communication with the units connected to the module.

It is further advantageous if the operational control module is provided to initiate a safety-related braking of the vehicle. For this purpose, a direct connection of the operational control module with a braking control, in particular braking master valves preferably exists. Braking can be triggered, in particular, by means of the module if the aforementioned consistency checking and/or monitoring have failed. By means of the braking, the vehicle can be brought into a safe state.

An exemplary embodiment of the invention will now be described by reference to the figures. In the drawings:

FIG. 1: is a representation of a rail vehicle with operational equipment sub-systems in a schematic side view,

FIG. 2: is a representation of a control arrangement of the rail vehicle of FIG. 1 with an operational control system and an operational control module,

FIG. 3: is a schematic representation of the operational control system, the module and the communication connections creatable between these,

FIG. 4: is the operational control system and the module which is connected to a display unit and an input device of the rail vehicle, and

FIG. 5: is a detail view of the operational control module.

FIG. 1 shows a rail vehicle 10 in a schematic side view. The rail vehicle 10 is configured as a chain of a plurality of cars 12.1, 12.2, etc., which are mechanically coupled to is one another and form a train unit. In the embodiment under consideration, the rail vehicle 10 is configured as a so-called multiple unit. For this purpose, at least one of the cars of the chain is provided with a drive unit 14 for driving at least one axle 16. The drive unit 14 has an electric motor (not shown). In a further embodiment, it is conceivable that the rail vehicle 10 is configured as a single motorized car. Furthermore, the rail vehicle 10 can have a chain of driveless passenger cars which is coupled to at least one traction vehicle, e.g. a locomotive.

The rail vehicle 10 has a number of operational equipment units, as known, which enable an operation of the rail vehicle 10. These can be configured, in particular, as control unit, sensor unit and/or actuator system unit.

The operational equipment units 20 shown by way of example in FIG. 1 are provided as operational equipment units 20.1 of the drive unit 14, operational equipment units 20.2 of a braking apparatus 19, operational equipment 20.3 and 20.4 of a door apparatus, operational equipment 20.5 of an air-conditioning unit, operational equipment 20.6 of a passenger information system, operational equipment 20.7 and 20.8 of a human-machine interface for the traction vehicle driver, operational equipment 20.11 of an emergency brake apparatus and operational equipment 20.13 of a train protection system.

An “operational equipment sub-system”—referred to in this text as a “sub-system”—denotes, respectively, a combination of operational equipment units 20 which are grouped together under this term according to an allocated functionality. Examples of sub-systems are “doors”, “brakes”, “air-conditioning”, “train protection system”, “passenger information system”. As train protection systems, for example, PZB (“punctiform train influencing”), LZB (“linear train influencing”), ETCS (“European Train Control System”) are conceivable.

FIG. 2 shows an operational control system 22 of the rail vehicle 10 in a schematic view. This comprises a control network 24 which has a ring-shaped network structure. It is configured as an Ethernet network, in particular, according to the Profinet standard. The system 22 also has a control unit 26 which is connected to the control network 24. The operational equipment sub-systems mentioned above each have at least one sub-system control 28 which is provided for controlling one or more operational equipment units of the corresponding operational equipment sub-systems. The sub-system controls 28 are each provided for controlling a task in conjunction with the functionality associated with the respective sub-system. Shown in the drawing as the sub-system control 28.1 is a drive control, as the sub-system control 28.2 is a braking control, as the sub-system control 28.3 is a control system of the vehicle door system, as the sub-system controller 28.13 is a control of the train protection system. These controls are also shown in FIG. 1.

The sub-system controls 28 are each connected to the control network 24 by means of an interface 30. The interfaces 30 are connected into the network structure. Also arranged in the network structure are further interfaces 32. A set of sensor units 34 and an actuator unit 36 are connected to interfaces 32. The control unit 26 and the operational equipment 20.8 configured as a display unit of the human-machine interface are connected to a further interface 32. The operational equipment 20.7 provided as an input device for the input of train data is also connected to the control network 24. The interfaces 30 and 32 each have, in particular, a switch functionality.

The interfaces 30 and 32 are each provided in the control network 24 as input-output modules by means of which a data traffic is generated between the respective participant, in particular an associated sub-system control 28, and the central control unit 26. The control unit 26 is considered, in relation to the sub-system controls 28 which carry out local tasks of the respective operational equipment sub-systems, as a “central” control unit. In order to distinguish the sub-system controls 28 from the control unit 26, these are named “decentralized” sub-system controls 28. The control unit 26 is configured, in relation to the sub-system controls 28, as an input-output controller which, for each of the automation tasks respectively to be carried out by the sub-system controls 28, controls said task.

The interfaces 30 and 32 are similar in their function for creating a communication between the respective connected participant and the central control unit 26. They can have physically different forms that are specific in relation to the function of the connected participant. The interfaces 30 can be configured, for example, as a plug-in card of a computer unit, whereas the interfaces 32 can be configured, in particular, as components of programmable controls. The grouping together of a plurality of interfaces 32 in a coherent module or the arrangement of these interfaces 32 into a common housing unit are indicated by a dashed outline.

The control network 24 further comprises a vehicle bus connection unit 38 which forms an interface between the control network 24 and a vehicle bus 40. The vehicle bus 40 extends over a plurality of cars 12, in particular over the whole rail vehicle 10 and connects the control network 24 to a further, similar control network of the rail vehicle 10 (not shown), where relevant, to a control network of a similar rail vehicle coupled to the rail vehicle 10. The vehicle bus 40 can be configured, for example, as an Ethernet bus. The vehicle bus connection unit 38 can be equipped with a gateway functionality by means of which the control network 24 is connected as a sub-network to the higher order train network.

Also connected to the control network 24 is an operational control module 42. This differs physically from the central control unit 26. In particular, the control unit 26 and the module 42 are arranged in different housing units. The module 42 is furthermore connected by means of a data connection unit 44 through data technology to the sub-system controls 28 and the sensor units 34. This data connection unit 44 is physically different from the control network 24. In particular, the data connection unit 44 has conductors that are different from conductors of the control network 24.

The operational control module 42 has a computer unit 45 (see FIGS. 3 to 5), an interface unit 46 and a bus connection unit 48.

The bus connection unit 48 has a first connection 48.1 by means of which the module 42 is connectable to the control network 24. The connection 48.1 is connected via an interface 30 to the control network 24. A connection via an interface 32 is also conceivable. The module 42 and the sub-system controls 28 are thus connected to the control network 24 by means of similar interfaces.

In particular, it can thereby be achieved that the module 42 is functionally perceived by the control unit 26 as a sub-system control.

The module 42 is connected to the vehicle bus 40 by means of a second connection 48.2. One or more further connections 48.3 can be provided by means of which the module 42 is connectable to further buses 50.1, 50.2 (see FIGS. 3 and 5), for example, a CAN (“Control Area Network”) bus or an MVB (“Multifunction Vehicle Bus”).

As shown in FIG. 5, the interface unit 46 has input interfaces 46.1 provided for the digital input of data and output interfaces 46.2 provided for the digital output of data. In addition, the interface unit 46 can comprise input interfaces 46.3 for the analogue input of data and output interfaces 46.4 for the analogue output of data.

The module 42 is preferably connected by means of the digital interfaces 46.1, 46.2 via data technology and conductors of the data connection unit 44 to the sub-system controls 28. For this purpose, the data connection unit 44 is equipped at least with conductors which are provided for digital data transmission. In particular, conductors can be formed by Ethernet cables.

The function of the module 42 will now be described in greater detail on the basis of a first implementation example.

This implementation example relates to the sub-system “doors” which comprises the sub-system control 28.3 that is connected to the control network 24. The doors of the rail vehicle 10 can only be released by the vehicle driver for opening when the rail vehicle 10 has reached a standstill. According to one safety requirement, the acquisition of the “stopped” operating state of the rail vehicle 10 by the sub-system control 28.3 must take place diversely. A first variable provided for the sub-system control 28.3 corresponds to the speed of the rail vehicle 10. This can be transferred by means of the control network 24 following acquisition by a sensor unit 34 and/or after transfer by the train protection system to the sub-system control 28.3. A second variable provided for the sub-system control 28.3 is a characteristic variable which characterizes the operating state of the sub-system control 28.1 which corresponds to the drive control. For example, from the variable, the operating state in which the drive control outputs no clock commands for power electronic components of the drive unit 14 should be determinable.

For this purpose the module 42 independently determines, from the available information of the operational control system 22, the information required for safety-compliant performance of the task of the sub-system control 28.3 (release of the doors) that is required and specifically determines that the variable is required for the clock state of the drive control. The module 42 serves to provide the variable for this information, and is connected by data technology via the data connection unit 44 to the sub-system control 28.1. It acquires the variable of the sub-system control 28.1 via the data connection unit 44 and transfers it via the data connection unit 44 to the sub-system control 28.3. If the velocity “0” and the operating state “no clocking” of the sub-system control 28.3 exist, this can place the vehicle door system in a state in which the doors can be freed to open.

The sub-system control 28.3 thus receives two variables over two separate, physically different transmission channels. The module 42 therefore provides, by means of the data connection unit 44, a communication channel that is redundant in relation to the control network 24, by means of which the variable “operating state of the drive control” is transmitted to the sub-system control 28.3. The release of the doors is closely associated with the protection of persons. The processes of the sub-system control 28.3 must then fulfill safety-critical requirements—in the specialist language called “safety” requirements. The variables upon which the door release is based are therefore safety-critical items of information in this relation, which is transferred via the control network 24 and by means of the module 42 via the data connection unit 44 to the sub-system control 28.3.

FIG. 3 shows in a schematic and abstracted representation the module 42, the operational control system 22, the vehicle bus 40 and the connections existing between these.

The module 42 is connected via an interface 30 to the operational control system 22. It is also connected via the interface unit 46 and the data connection unit 44 by means of data technology to the sub-system controls 28. The connection of the module 42 to the vehicle bus 40 and to further buses 50.1, 50.2, for example a CAN bus and an MVB bus, takes place via the bus connection unit 48. The operational control system 22 is connected via the vehicle bus connection unit 38 of the control network 24 to the vehicle bus 40 and via suitable interfaces to the further buses 50.1, 50.2.

It is apparent, in particular, from this drawing that the module 42 and the data connection unit 44 can be used in the form of a retrofitting system which is used in combination with an existing operational control system 22.

Based upon FIG. 3, an embodiment is also shown in which alternatively or additionally, conductors of the vehicle bus 40 form a constituent of the data connection unit 44. Herein, a communication between the module 42 and a sub-system control 28 can take place via the vehicle bus 40. This is shown dashed in the drawing.

A further exemplary embodiment will now be described on the basis of FIG. 4. This shows the operational control system 22, the module 42, the sub-system control 28.13 of the train protection system, a sensor unit 34 configured as a velocity sensor, the operational equipment 20.7 and 20.8 of the human-machine interface, which correspond to the input device for the input of train data and/or the display unit.

As described above, the module 42 is connected via its connection 48.1 and an interface 30 to the operational control system 22. The operational equipment 20.7 configured as an input device is connected to the control network 24 and via the data connection unit 44 to the module 42 (see also FIG. 2). This also applies to the operational equipment 20.8 configured as a display unit.

The connection of the operational equipment 20.7, 20.8 takes place, in particular by means of an equipment connection unit 52 which is different from the interface unit 46. For example, the connections to the operational equipment 20.7, 20.8 are realized via serial interfaces. The connection of the module 42 to the sub-system control 20.13 of the train protection system takes place by means of a digital interface 46.1. The connection of the module 42 to the sensor unit 34 takes place, for example, by means of an analogue interface 46.3.

The module 42 is provided to monitor the input of train data via the operational equipment 20.7. For this purpose, it carries out a consistency check, as described below. By means of the direct connection provided by the data connection unit 44 of the module 42 to the operational equipment 20.7, a value input by the operating person can be acquired by the module 42. By means of the connection to the control network 24, the module 42 can also receive the value which has been acquired on input by the operating person from the operational control system 22. In this way, it can be checked by the module 42 whether the two received items of information are consistent with one another.

Furthermore, the module 42 serves to monitor the acquisition of the vehicle velocity. For this purpose also, it carries out a consistency check. It receives, by means of the connection to the control network 24, a first item of velocity information which is available in the operational control system 22 and is to be taken into account for the performance of safety-critical tasks. It also receives, by means of the data connection unit 44, an item of velocity information from the sub-system control 20.13 of the train protection system. By means of a comparison of the velocity information, the module 42 can carry out a consistency check. In addition, a further item of velocity information can be derived from the sensor unit 34 as additional information. For example, the sensor unit 34 shown can be configured as a radar sensor.

Furthermore, the operational control module 42 is provided in order to monitor the display of the velocity value by the operational equipment 20.8. For this purpose, it receives an item of velocity information by means of the control network 24 of the operational control system 22. This corresponds to the velocity information which is transferred via the control network 24 to the operational equipment 20.8. By means of the data connection unit 44, the module 42 receives the velocity value that is displayed by the operational equipment 20.8. The operational equipment 20.8 has a display 54 and a display memory 56 which is connected by means of data technology to an interface 58 for connection to the data connection unit 44.

The velocity value is read out from the display memory and is transferred via the data connection unit 44 to the module 42. The module compares the velocity information received from the system 22 with the velocity value received from the operational equipment 20.8 via the data connection unit 44.

If one of the above-described consistency checks or monitorings is failed in that an inconsistency is determined between two compared values, a safety-related braking of the vehicle is initiated by the operational control module 42. This takes place via a direct connection of the module 42 to a braking control 60. This is configured as a pair of redundant main brake valves of a pneumatic braking apparatus of the rail vehicle 10.

FIG. 5 shows the operational control module 42 in a detail view. The following text is directed to the features of the module 42 that are not mentioned in the above description, for the avoidance of unnecessary repetitions.

The computer unit 45 of the module 42 has two processors 62, 64 (see also FIG. 4). These have different constructions and can be programmed diversely. The bus systems of the two processors are separated internally and have a separate protocol in order to bring about a separation necessary from a safety standpoint. The administration of the communication of the module 42 with the connected units takes place by means of the processor 64 which is associated with this task. The module 42 also has an intelligent RAM/EPROM administration system.

CONTROL ARRANGEMENT FOR A VEHICLE

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

Priority Claims (1)

PCT Information