This application is directed to implementing domain data configuration changes, additions, and deletions during the run-time operations of a software system.
Data is critical to virtually all information systems, and the accuracy, completeness, and availability of data is a distinct measure of an information system's value. Complex information systems, such as those supporting thousands of transactions, queries, and user interactions per hour, typically include one or more databases responsible for maintaining and managing the vast amounts of operational and archival data. Transient operational data is particularly sensitive to the disruption of run-time operations and, if the system is vital, often requires highly specialized measures to protect it (e.g., fail-over, redundancy, and hot-standbys for sustained operation, recovery, and prevention of data loss). Among the transient data in use, statically configured data normally defines the fixed domain environment or context within which the system operates, while dynamic data exists temporarily to facilitate operations and act as a vehicle for persisting event data. In some industries and public sector applications, the information systems in use do not require changes to the definition of their static domain environment data very often. In other businesses and government systems, however, the need to make such changes is both frequent and ongoing. Such an information system may require monthly, weekly, or even daily modifications to its statically configured domain data. Depending on system design and the extent of reconfiguration, implementing changes typically requires taking the software system off-line, either in full or in part, recompiling the software with the new configuration data, and bringing the system back online. For many businesses and government operations, this is not only a tremendous inconvenience; it is a costly and precarious procedure.
Routinely, in the course of maintaining a large, sophisticated information system, the need arises to reconfigure aspects of the domain environment that defines the system. Domain data can be considered both the arena within which the system operates and the static, semi-permanent constructs that serve as vehicles, parameters, and mechanisms for carrying out business operations through the system. Much of this static domain data represents actual, physical devices that are themselves subject to reconfiguration, replacement, and inclusion in the system. In general, a change to domain data is driven either by (1) changes to the physical environment emulated by the software, or (2) a decision to reconfigure the definition of domain data to optimize, correct, or simplify the role of these static elements in the information system. Once a change is decided upon, the development of the reconfiguration “change set” is invariably performed offline, usually by a back office system administrator, software engineer, or database personnel. Developing the “change set” offline has many advantages. It offers the opportunity to create the new configuration independent of the various technical and business constraints imposed by an operational environment, and it allows for desk-checking, automated testing, and database validation. Once ready for incorporation, the offline developer needs to make the change set available to the information system. Most prior art data reconfiguration methods produce an entirely new baseline database to be manually uploaded into the system at a time when the system can be taken down with relatively little impact on operations.
The loss of revenue due to “downtime”, or worse yet the potential for human casualty, can make database changes (or upgrades) a harrowing ordeal for the maintainer of the system. Dispatching and control systems are particularly vulnerable to the adverse effects of downtime. Whether the system is responsible for controlling aircraft, trains, military drones, or satellites, the need to maintain continuous operation is essential. It is also imperative to minimize the affected area of the system and to constrain the disruption to the fewest functions possible. Clearly, a means of maintaining a high level of system availability while reconfiguring a system's static domain data during run-time is the ideal, but it can be as technologically challenging as changing the carpet out from under the feet of guests at a cocktail party. The difficulty lies in the established dependencies among transient data, the complex interactions among software objects, and the ability of the software to recognize and incorporate not only changes, but additions and deletions, as well, without adversely impacting or corrupting the system.
The present disclosure addresses the problems identified in the prior art by allowing reconfiguration of domain data in the run-time system without requiring the system to be taken down, and by limiting reconfiguration to only the affected data.
In another aspect, the present disclosure maximizes the availability of system functions by limiting the reconfiguration to only the affected data. In a further aspect, the present disclosure minimizes the number of affected entities, offers alternative configuration changes from a common baseline, and performs run-time reconfiguration in real time. In another aspect the present application detects dynamic software entities currently using the domain data subject to change and (a) automatically removes from the system those dynamic entities that are non-critical, (b) coordinates the removal of problematic dynamic entities through a user interface, and (c) updates the remaining dynamic entities to reflect data changes.
When an information system is upgraded or altered in some way, it is typically done for one of three reasons: (1) to fix problems with the software (i.e., to apply a “patch”); (2) to enhance—or add new features to—the existing implementation (i.e., to install a version upgrade); or (3) to reconfigure domain parameters, or entities, upon which the software operates. Virtually every information system contains an array of domain-specific entities, emulated in software, which the software system must “know about”, manipulate, and interact with during processing. For example, in an Airport Management System, these domain entities could be the runways available for landing, a fueling station, or a baggage-handling unit. When the airport gains a new runway as the result of an airport expansion project, there is a fundamental change to the domain environment within which the system operates. In a railroad dispatching system, domain entities include trains, stations, switches, track segments, signals, and electric locks, actual devices connected to field circuitry that receive controls and send indications via a specialized protocol. When one railroad loses a station to another railroad, perhaps due to an acquisition, there is a similar structural change that needs to be assimilated. In each of the above examples, for the information system to operate properly, a new configuration of static domain data needs to be defined and “uploaded” into the system.
In step 110, the upgrade is scheduled during a period of low system usage. Because reconfiguration of domain data typically requires that the software program using the data be taken offline, it is critical that the configuration upgrade be performed during an off-peak period of low resource usage. In order to take a critical software system offline, it is necessary to coordinate the operational activities that will be taking place during the period of downtime to ensure that access to the offline software system is not necessary, and to minimize any impact to the system. As used in this disclosure, when a system is taken off-line, it is accessible only to the personnel performing maintenance and is not accessible to other programs or to end users.
In step 120, the software system is placed offline. When a system is placed offline, the operational user does not have access to the system resources, and is unable to perform normal operations, until the system is brought back online. In some systems, it may be possible to place only a portion of the system offline.
In step 130, the new configuration of domain data is loaded.
In step 140, the system is brought back online.
In step 150, a battery of tests is performed to ensure the new configuration is verified as complete and satisfactory. Once a change set has been applied, extensive testing and a functional “check-out” are performed by test, maintenance, and operational personnel to verify the correctness and integration of the new configuration. Importantly, if anomalies are detected, the configuration change must be reversed, and the system must be returned to its original configuration, to ensure the continuity of operations. Typically the “reversing” procedure requires placing the system offline again, in full or in part, reconfiguring the domain data, recompiling the software, if necessary installing the old software, and bringing it back online. Thus, the typical method of incorporating a configuration change set requires that the system be taken offline both for the installation of the change set and to return the system to its original configuration if problems are encountered during installation of the new domain data configuration.
In practice, it is not uncommon to take a software system offline, implement a change, bring the system back online, encounter a problem, take the system offline again, reverse the configuration change, restore the original domain data configuration, and bring the system back online. Most of the problems encountered when reconfiguring domain data are due to the difficulty in identifying the interrelationships between entities and predicting the effect that a change to one entity will have on another entity. This is the “ripple effect” of data reconfiguration, and it is directly linked to the relationships among domain entities, relationships—often subtle and complex—that must be mined from the operational database schema.
If the software system taken offline is a critical system, it is likely that the denial of access to the system while offline has created adverse effects. Accordingly, in step 160, after the system is placed back online, it is necessary to remedy any adverse effect that may have been caused during the period that the system was offline.
In one embodiment of the present disclosure, and as described in greater detail below, the reconfiguration of domain data is accomplished without taking the software system offline. Instead, the system remains online for use by the operational user and access to the domain data is tightly controlled during the data reconfiguration, with greater flexibility provided to obviate some of the deficiencies noted in the prior art. For example, access may be granted to the domain data that is not subject to reconfiguration. The software system may be comprised of program modules, each of which may require access to portions of the domain data. Those program modules that require domain data undergoing reconfiguration may be disabled until the reconfiguration is complete, while those that do not require access to the data undergoing reconfiguration may be fully functional.
The example of a railroad dispatching system is used throughout this disclosure to demonstrate the complexities involved in applying a “change set” to an operational system and the challenges of incorporating changes within that environment, and to disclose a suitable solution for incorporating run-time data changes. Those skilled in the art of data management will appreciate that the principles discussed herein may be applied to other systems, as well, and the present disclosure is in no way limited to railroad dispatching systems.
With respect to a railroad dispatching system where the domain data defines schedulable entities in the train network, the following examples illustrate some of the changes to domain data that may be implemented:
(1) Addition of a new entity. For example, a double-headed hold signal is added to a 20-mile section of track.
(2) Deletion of an existing entity. For example, the removal of two control points (including signals, switches, code stations and track).
(3) Association change, i.e., altering a relationship to another entity. For example, an association change may be (1) a dispatch territory is assigned to a different district, (2) a field traffic device is moved to a different track, or (3) a circuit is changed to indicate-in at a different code station.
(4) Attribute change, i.e., altering the setting of an entity's attribute. For example, an attribute change may be (1) the restoration time of a switch is changed from ten to thirty seconds, (2) a signal is changed from “slotting with transmit” to “no transmit”, or (3) a station's name is changed from Edgewood to Tyler.
(5) Presentation change, i.e., altering the placement of an entity in a user's view. For example, a switch heater is moved from above track to below track.
In a railroad dispatching system, voluminous amounts of data are required to accurately emulate and interact with the railway infrastructure, trains, and the management information system responsible for planning train movements. When an aspect of a new system is replacing an old one, this data must be converted (as necessary), absorbed in the new system, and fully validated before the new system is approved for service. In the prior art systems, implementing the types of changes listed above typically could not be done online; the dispatching system would have to be placed offline and would not be available to the dispatcher during the downtime.
The impact of the addition of a double-headed hold signal is illustrated in
Note that the addition and deletion of railroad domain entities, particularly those that communicate to the dispatch center via an established protocol, invariably require reconfiguration of electronic circuitry in the field, which is usually done before the dispatching system is expected to accommodate the change. However, this does not obviate the need to upgrade the software, nor does it increase the likelihood of a “bug-free” upgrade. The only true benefit of procedurally upgrading the field before the office is being able to immediately begin testing the new configuration once the upgrade operation is complete.
In one embodiment, only those data configuration changes that affect dynamic entities that are unable to recover or incorporate the changes in the normal course of processing are rejected.
As part of applying the change set, a user interface identifies those entities that may be adversely affected by the domain data reconfiguration and disallows proceeding until the affected dynamic entities are either removed or suitably addressed. Other entities not adversely affected by the run-time reconfiguration are updated to reflect the domain data changes. To minimize the impact on operations, it is important to localize the affected region, or set of objects, to the smallest portion of interrelated domain data. Thus, in one embodiment, the system attempts to apply a reconfiguration of domain data at run-time that strictly localizes the affected region of the system, implements the upgrade in a matter of minutes, and maximizes the availability of system functions. For example, with reference to
In the present disclosure, a link is made between the operational system and the offline repository of change sets so that change sets can be readily retrieved, on demand, without taking the software system offline and with only minimal disruption to normal dispatching operations.
In one aspect of the present disclosure, strict configuration management is maintained by producing domain data change sets in pairs: (1) the user-defined change set; and (2) the automatically generated “reverse change set”, or undo change set, which allows change set reversal by the same means of applying a new change set. Once a change set has been retrieved by the operational system, it is then “locked” from any further modification.
Operationally, in the railroad context, a dispatcher or supervisor initiates the online implementation of a change set. While change sets can be localized in practice, the present disclosure also allows the entire railroad's domain data to be loaded—or replaced—as a single change set, without any deviation from the normal procedure. The content and scope of a change set depends entirely on the configuration defined by the data manager.
In operation, the data manager is presented with the current configuration of the domain data baseline 400 and a list of “configuration versions” to which the system may migrate. Choosing a target configuration version is equivalent to applying a change set. For example, it may be desired to implement Configuration A by applying Change set A 410 to baseline 400.
During the application process 420, which may take anywhere from a few seconds (one device) to 60 minutes (an entire division) depending on the size of the change set, the run-time system disables the affected area by rendering the applicable domain data inaccessible in all users' displays via a graphical user interface, and by internally blocking access to the underlying data. Examples of how this may be accomplished include: (a) by disallowing access to user functions (e.g., by graying-out context menus and rendering user interface objects non-selectable), and (b) by internally rejecting requests to access the domain data subject to change.
In determining the extent of a change set, it is necessary to identify the entities that will be affected by the implementation of the change set to smartly schedule the reconfiguration event. This identification requires a thorough understanding of how static domain entities interact with dynamic entities in the system, and how various types of data changes will affect those relationships. As a result, it may be preferable to implement a series of change sets rather than a single change set. For example, in
In some cases, it may be preferable to produce several alternative change sets for a given software baseline. This might be needed for training purposes in a “test bed”, or when the correct configuration of a large, complex set of domain data is not completely known or understood. In one embodiment of the present disclosure (see
In another embodiment in the present disclosure, the run-time reconfiguration process detects affected dynamic entities in the system and presents the user with a solution strategy. For example, if a movement authority, which is a dynamic railroad-domain entity authorizing movement of a train, were in the affected area prior to application of a change set, the change set solution would reject the dispatcher's attempt to apply the change set, identify the offending entity, and communicate that the movement authority needs to be removed in order to proceed. Likewise, there could be other offending entities in the affected area such as trains, bulletins, and trip plans. The change set solution identifies each offending entity, presents them in a list for the user to address, and applies the reverse change set process to the current baseline. Other dynamic entities, not considered critical, may be either automatically removed from the system during the change set process, or updated to reflect the data configuration changes once the change set process is complete.
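The following sketch is an added illustration, not code from the disclosure, of two mechanisms described above: producing each change set together with an automatically generated reverse change set that is locked on retrieval, and rejecting application while critical dynamic entities occupy the affected area. All function names, entity identifiers, and the non-critical "route_preview" kind are hypothetical, and the sketch checks for offending entities before writing anything, so a rejection leaves the baseline untouched.

```python
# Added illustration: every name and sample value below is hypothetical/constructed.
from dataclasses import dataclass

MISSING = object()  # sentinel: entity absent (makes add/delete reversible)
CRITICAL = {"movement_authority", "train", "bulletin", "trip_plan"}  # a user must clear these


@dataclass
class ChangeSet:
    ops: dict            # entity id -> new attribute dict, or MISSING to delete
    locked: bool = False


class ApplyRejected(Exception):
    def __init__(self, offenders):
        super().__init__(f"remove before applying: {offenders}")
        self.offenders = offenders


def retrieve(change_set, baseline):
    """Pair the change set with a generated undo set, then lock both."""
    undo = ChangeSet({k: dict(baseline[k]) if k in baseline else MISSING
                      for k in change_set.ops})
    change_set.locked = undo.locked = True
    return change_set, undo


def apply_change_set(change_set, domain, dynamic):
    """Apply in place; return ids of non-critical dynamic entities auto-removed."""
    if not change_set.locked:
        raise ValueError("retrieve (lock) the change set before applying it")
    touching = [d for d in dynamic if d["uses"] & set(change_set.ops)]
    offenders = [d["id"] for d in touching if d["kind"] in CRITICAL]
    if offenders:
        # Checked before any write, so the baseline is untouched on rejection.
        raise ApplyRejected(offenders)
    removed = [d["id"] for d in touching]
    dynamic[:] = [d for d in dynamic if d["id"] not in removed]
    for key, value in change_set.ops.items():
        if value is MISSING:
            domain.pop(key, None)
        else:
            domain[key] = dict(value)
    return removed


def demo():
    # Constructed sample data: one attribute change, one addition, one deletion.
    domain = {"SW-12": {"restoration_s": 10}, "SIG-7": {"mode": "slotting with transmit"}}
    baseline = {k: dict(v) for k, v in domain.items()}
    dynamic = [{"id": "MA-1", "kind": "movement_authority", "uses": {"SW-12"}},
               {"id": "RP-3", "kind": "route_preview", "uses": {"SIG-7"}}]
    forward, undo = retrieve(ChangeSet({"SW-12": {"restoration_s": 30},
                                        "SIG-9": {"mode": "hold"},
                                        "SIG-7": MISSING}), domain)
    try:
        apply_change_set(forward, domain, dynamic)
        rejected = []
    except ApplyRejected as exc:
        rejected = exc.offenders
    dynamic[:] = [d for d in dynamic if d["id"] not in rejected]  # dispatcher clears MA-1
    removed = apply_change_set(forward, domain, dynamic)
    after = {k: dict(v) for k, v in domain.items()}
    apply_change_set(undo, domain, dynamic)                       # reversal, same code path
    return rejected, removed, after, domain == baseline


if __name__ == "__main__":
    print(demo())
```

Because the undo set is derived from the baseline at retrieval time and then locked, reversal runs through the same apply routine and the same offending-entity check as a forward change.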
Another aspect of the present disclosure involves the recreation of domain entities that are temporarily removed during the change process. For example, in one embodiment, the run-time reconfiguration process automatically reapplies track blocks over an affected area. For example, whenever a section of railroad topology is planned for reconfiguration, it is normal operating procedure for responsible personnel to put down one or more track blocks over the affected area, as a safety precaution, to prevent access to the tracks. These dynamic entities are not considered offending entities that inhibit application of a change set, nor are they supposed to be automatically removed from the system. They actually need to be reapplied, either in full or in part, based on the extent of the topology change. If the entire track they cover is being deleted, or the specific track used to initiate the block is being removed in the change set, then the block is automatically removed; otherwise, it is recreated on the remaining track.
Another aspect of the present disclosure is that when domain data has been successfully reconfigured, the movement planner is notified and will then automatically update the existing movement plans to take into account the changes made to the domain data. The automatic regeneration of the movement plan helps minimize any disruptions that may be caused by the reconfiguration of the domain data.
In summary, the change set solution provided by the present disclosure minimizes disruption of dispatching operations, offers easy application of multiple change sets complete with the ability to reverse those changes, and accommodates the interaction of dynamic domain objects by rejecting requests, automatically deleting objects, and recreating objects in the new, reconfigured environment.
While preferred embodiments of the present invention have been described, it is to be understood that the embodiments described are illustrative only and the scope of the invention is to be defined solely by the appended claims when afforded a full range of equivalents, many variations and modifications naturally occurring to those of skill in the art from a perusal hereof.
This application is a divisional of U.S. Ser. No. 11/142,260 filed on Jun. 2, 2005 now U.S. Pat. No. 7,908,047, the entire disclosure of which is incorporated herein by reference.
Number | Date | Country |
---|---|---|
20110139941 A1 | Jun 2011 | US |

Relation | Number | Date | Country |
---|---|---|---|
Parent | 11142260 | Jun 2005 | US |
Child | 13031189 | | US |