The present invention relates, in general, to the field of the convoys of vehicles. In particular, the invention relates to a system for verifying the integrity of a convoy, particularly a railway convoy, including at least two vehicles (at least two railway vehicles in the case of a railway convoy).
During normal operation of a convoy, it is necessary that the driver or various systems on board the convoy or remote control stations are able to verify the integrity of the convoy.
Verifying the integrity of the convoy means verifying that the vehicles RV that make up the convoy T have not disconnected from each other. An example of a convoy T whose integrity is not compromised is shown in
As may be seen in
In this case, a first section S1 of the convoy, including a leading vehicle H, could in any case remain safely under the manual control of the driver or of any automatic control systems. The leading vehicle and the tail vehicle may be defined as a function of the travelling direction D of the convoy, e.g. the leading vehicle may be the first vehicle according to the travelling direction D and the tail vehicle may be the last vehicle according to the travelling direction D.
Disadvantageously, a second section S2 of the convoy, disconnected from said first section S1 of the convoy, could be prevented from receiving commands from the driver or from any automatic control systems. In this case, the second section of the convoy may continue its travel in an uncontrolled manner, generating a considerable safety risk.
Generally, referring by way of example to the railway vehicle sector, a braking system of a railway convoy comprises a pneumatic line P, also called “brake pipe”, which crosses all the railway vehicles of the railway convoy and which, when said railway convoy is not braked, has a pressure of about 5 bar. When it is necessary to brake the railway convoy, a more or less marked depression may be created in the brake pipe, so as to achieve a gradual braking of the railway convoy.
When the integrity of the railway convoy is compromised, the two distinct sections of the railway convoy, which were created due to the disconnection of said railway vehicles, automatically initiate an emergency braking action to stop and bring both sections of the railway convoy back to safety.
Such emergency braking takes place automatically by virtue of the aforementioned structure of the brake pipe of the railway convoy.
At the moment of detachment of the railway vehicles of the railway convoy, the brake pipe will be interrupted, thus generating a loss of pressure inside it. The pressure drop in the line will cause the various braking systems (whose braking force is a function of the pressure in the pipe) of the railway vehicles to apply the greatest possible braking force.
However, in addition to the emergency braking, no other control over the pace of the second disconnected section could be carried out by the driver or by any automatic control systems remaining on the first section S1. For example, further commands to activate further braking means of the second section, e.g. electromechanical, electronic, mechanical, mechatronic, etc., may not be operated manually by the driver.
During normal operation, the integrity of the railway convoy is verified at the start of the mission by means of an exhaust brake test of the brake pipe. During operation, however, the integrity of the convoy is verified both by the driver and by systems positioned on the side of the rail R which interact with the signaling system. An example of such known systems is the axle counting system 100. An axle counting system is based on the principle of counting the axles A of the railway vehicles engaging a block section. For example, in the vicinity of a station, a special electromagnetic device 102 may be provided which allows the number of axles A of railway vehicles, including locomotives, which pass on rail R to be counted. If the count is not correct with respect to a number of axles expected for such railway convoy, this clearly means that the integrity of the railway convoy is compromised.
An example of axle count is illustrated by way of example in
The use of fixed track-side systems is burdensome both for installation and maintenance costs and in itself represents a rigid and non-configurable verification system based on the increasing volumes of railway traffic.
What has just been described applies likewise also to convoys of vehicles of other sectors, in addition to the railway one, for example to other vehicle convoys including a “brake pipe” which crosses all vehicles, even though not railway vehicles, or convoy of vehicles which, unlike railway vehicles, move for example on road or on rubber wheels, or other means.
An object of the present invention is therefore to provide a system for verifying the integrity of a convoy which is highly configurable, which may be implemented directly on board the convoy, which reduces its installation and maintenance costs.
The above and other objects and advantages are achieved, according to an aspect of the invention, by a system for verifying the integrity of a convoy having the features defined in claim 1. Preferred embodiments of the invention are defined in the dependent claims, the content of which is to be understood as an integral part of the present description.
The functional and structural features of some preferred embodiments of a system for verifying the integrity of a convoy e according to the invention will now be described. Reference will be made to the accompanying drawings, in which:
Before describing a plurality of embodiments of the invention in detail, it should be clarified that the invention is not limited in its application to the construction details and configuration of the components presented in the following description or illustrated in the drawings. The invention may assume other embodiments and be implemented or constructed in practice in different ways. It should also be understood that the phraseology and terminology have a descriptive purpose and should not be construed as limiting. The use of “include” and “comprise” and their variations is to be understood as encompassing the elements set out below and their equivalents, as well as additional elements and the equivalents thereof.
A first embodiment of a system for verifying the integrity of a convoy will be described below. Preferably, the convoy may be a railway convoy.
As may be seen in
By way of example, in the figures the convoy illustrated is a railway convoy.
Observing now
Referring for example to a convoy formed by four railway vehicles, the first vehicle RV1 may be any vehicle among the four vehicles which make up the convoy and the second vehicle RV2 may be any other vehicle among the three remaining vehicles which make up the convoy.
For example, the first controller 402 and the second controller 404 may each be or include at least one of at least one controller, at least one processor, at least one microprocessor, at least one microcontroller, at least one PLC, and the like.
Furthermore, the system for verifying the integrity of a convoy also includes at least one communication means N arranged to allow communication between the first controller 402 and the second controller 404.
The first controller 402 is arranged to determine that the integrity of the convoy T is compromised, when the first controller 402 and the second controller 404 are no longer able to communicate with each other through said at least one communication means N. Alternatively or in addition, the second controller 404 is arranged to determine that the integrity of the convoy T is compromised, when the first controller 402 and said second controller 404 are no longer able to communicate with each other through said at least one communication means N.
The fact that the communication between the first controller 402 and the second controller 404 is interrupted is a clear signal that the communication means has been damaged due to the compromise of the integrity of the convoy, or due to the fact that the first controller 402 and the second controller 404 are not arranged with respect to each other within a distance sufficient to ensure that the communication means allows communication between the first controller 402 and the second controller 404. In the second case, the distance between the first controller 402 and the second controller 404 may increase due to the compromise of the integrity of the convoy.
By way of example, as may be seen in
Preferably, the first controller 402 and the second controller 404 may be arranged to determine the vehicle of the convoy on which they are respectively installed. Preferably, the first controller 402 and the second controller 404 may be arranged to determine the vehicle of the convoy on which they are respectively installed according to a safety integrity level greater than a predetermined minimum safety integrity level.
The method that the first controller and the second controller may use to determine the vehicle of the convoy on which they are respectively installed may be any known automatic/autonomous determination method of the position in the convoy.
In this case, it will not be necessary for the first controller 402 and the second controller 404 to be pre-configured or pre-programmed in order to receive or contain information regarding the vehicle during the installation on board the convoy on which they are installed.
Once installed on board the convoy, they will be able to identify by themselves the vehicle on which they are installed.
In an alternative embodiment, the first controller 402 and the second controller 404 may be pre-configured or pre-programmed to receive or contain information regarding the vehicle on which they are installed. The first controller 402 and the second controller 404 will in this case be able to determine the vehicle on which they are respectively installed on the basis of this information. This solution may be used for example for convoys that rarely or do not modify their vehicle composition.
When the first controller 402 determines to be installed on a leading vehicle H of the convoy and the second controller 404 determines to be installed on a tail vehicle TA of the convoy:
In the scenario just described, it is the controller installed in the leading vehicle H which verifies that the tail vehicle TA is still connected to the convoy.
Otherwise, when the first controller 402 determines to be installed on a tail vehicle TA of the convoy and the second controller 404 determines to be installed on a leading vehicle H of the convoy:
In this second scenario, it is the controller installed in the tail vehicle TA which verifies that it is able to communicate with the leading vehicle H, so as to determine whether the tail vehicle TA itself is still connected to the convoy.
Preferably, for both scenarios described above, the first controller may be arranged to determine that the integrity of the convoy is compromised when it does not receive, via the at least one means of communication N, the response message transmitted by the second controller on the at least one communication means N within a predetermined time interval from when the first controller has sent the interrogation message.
Or, for both scenarios described above, the first controller may be arranged to determine that the integrity of the convoy is compromised when it receives, through the at least one communication means N, the response message transmitted by the second controller but such received response message differs from an expected response message.
Preferably, for both scenarios described above, the second controller may be set up to determine that the integrity of the convoy is compromised when it does not receive, via the at least one communication means N, the interrogation message transmitted by the first communication means on the at least one communication means N for more than a waiting interval. Or, the second controller may be arranged to determine that the integrity of the convoy is compromised when it receives, through the at least one communication means N, the interrogation message transmitted by the first controller but such received interrogation message differs from an expected interrogation message.
For example, the waiting time may be a predetermined time.
Preferably, the content of the response message may be determined as a function of the content of the interrogation message.
In one example, the response message may be determined on the basis of a generation algorithm known to the first controller and to the second controller. In this way, the first controller will be able to determine its own expected response message through this algorithm and verify that the response message received in response from the second controller has actually been generated by the second controller through this algorithm, as it matches the expected one. The same logic may be applied analogously to the interrogation message as well.
Preferably, as may be seen in
The elements of
For example, the third controller 403 may be or include at least one of at least one controller, at least one processor, at least one microprocessor, at least one microcontroller, at least one PLC, and the like.
Preferably, the third controller 403 may be arranged to determine the vehicle of the convoy on which it is installed. Preferably, the third controller 403 may be arranged to determine the vehicle of the convoy on which it is installed according to a safety integrity level greater than the predetermined minimum safety integrity level.
The method that the third controller may use to determine the vehicle of the convoy on which it is installed may be any known automatic/autonomous determination method of the position in the convoy.
In this way, it will not be necessary that during the installation step on board the convoy of this controller 403, it is pre-configured or pre-programmed so as to receive or contain information regarding the vehicle on which it is installed.
Once installed on board the convoy, it will be able to identify by itself the vehicle on which it is installed.
In an alternative embodiment, the third controller 403 may be pre-configured or pre-programmed to receive or contain information regarding the vehicle on which it is installed. The third controller 403 will then be able to determine the vehicle on which it is installed on the basis of this information.
When the third controller 403 determines to be installed on an intermediate vehicle I, arranged to be positioned in the convoy between said leading vehicle and said tail vehicle:
In other words, the one or more controller installed on the respective intermediate railway vehicles should be “passing” and should not respond to the interrogation message by generating their own response message to be provided to the first controller which generated the interrogation message. If a controller of one of the intermediate railway vehicles responds to the interrogation message it received from the first controller by generating its own response message, i.e. “replacing” the second controller, there would be the risk of undue confirmation of the integrity of the vehicle without real confirmation that the vehicle on which the second controller is installed is still connected to the convoy. Only if the response message is received and it is the expected one is it possible to infer the integrity of the convoy. Any response messages generated by the controller of the intermediate vehicles would be recognized as unexpected messages by the first controller.
By intermediate vehicle I it is possible to mean any vehicle which in the convoy is installed between the leading vehicle and the tail vehicle. For example, in a convoy made by four vehicles, the second vehicle and the third vehicle RV3 (numbered according to the direction of travel of the convoy) are each an intermediate vehicle I of the convoy.
Preferably, the first controller 402 and the second controller 404 may each be implemented according to a safety integrity level greater than a predetermined minimum safety integrity level.
When present, the third controller 403 may also be implemented according to a safety integrity level greater than a predetermined minimum safety integrity level.
In other words, the first controller 402, the second controller 404 and the third controller 403 may be implemented according to a minimum safety integrity level (SIL), so as to ensure that any lack of communication may not be attributed to their malfunctions or breakdowns. By implementing the first controller 402 and the second controller 404 according to a high SIL, it is certain that any lack of communication is due to the compromise of the integrity of the convoy.
With regard to the definition of the safety integrity level SIL, in the railway vehicle sector, in the present document reference may be made to European standards EN50129:rev.2018, EN 50159:rev.2010, EN 50126-1:rev.2017, EN 50126-2:rev.2017, EN 50128:rev.2011, according to the latest update available at the filing date of the present invention, where:
In particular, standard EN50126 defines the methodologies for assigning the SIL0/1/2/3/4 safety levels (with safety integrity level SIL4 indicating the maximum safety integrity level) to the subsystems making up the system in question, based on the results of the Safety Analysis, and standards EN50128 and EN50129 define the design criteria to be applied to the Software and Hardware components, respectively, based on the SIL levels assigned based on said Safety Analysis results.
A controller, a device, a unit or module, etc., may be considered implemented according to a high safety integrity level when made at least according to a SIL>=3 safety integrity level.
Furthermore, preferably, also the at least one communication means may be arranged to allow a communication according to a predetermined safety protocol. For example, such predetermined safety protocol may be a protocol commonly referred to as the “black channel” type.
In a further aspect, preferably, the communication means may be two or more and may be arranged to be connected together by means of a communication unit.
The communication means may also be created in accordance with the methodologies specified by standard EN 50159, guaranteeing a high safety integrity level (SIL).
In some embodiments, the first controller 402, the second controller 404 and the third controller 403 may be controller already usually included on board a vehicle and made according to a high safety integrity level SIL.
Preferably, as may be seen in
When present, the third controller 403 may also be included in a braking control unit or braking control module.
In other words, the first controller 402 and/or the second controller 404 and/or the third controller 403 may each be a controller already on board respective braking control units or modules. In this way, the same controller may be used both to manage the braking of the vehicle and to verify the integrity of the convoy.
Usually, the controller and the braking control units or modules are already made according to high integrity safety levels, therefore, they are also suitable to be used for verifying the integrity of the convoy according to the present invention.
A braking control unit or module may generally be a controller installed on board a vehicle which is responsible for managing the braking means 502 of one or more railway vehicles of the convoy. The braking means may be braking devices of one or more braking systems.
Preferably, the first controller 402 and the second controller 404 may be arranged to determine the vehicle of the convoy on which they are respectively installed by means of a physical or hardware coding implemented by optical technology means.
Preferably, when present, the third controller 403 may be arranged to determine the vehicle of the convoy on which it is respectively installed by means of a physical or hardware coding implemented by optical technology means.
Preferably, in addition to the third controller, further controller may also be provided, which, when they determine to be installed on an intermediate vehicle, may similarly perform the message forwarding function performed by the third controller. In other words, the controller arranged on the intermediate vehicles may forward the messages received to each other, until the messages transmitted by the first controller reach the second controller, and vice versa. For example, the messages may be forwarded between the various controller according to an order defined according to the position along the convoy of the vehicle on which they are respectively installed. For example, if the first controller is installed in the leading vehicle, the interrogation message may be transmitted, via the communication means, to the controller installed on the second vehicle in running order. The controller installed on the second vehicle in running order, once the interrogation message has been received, will be able to forward it, via the communication means, to the controller installed on the third vehicle in running order. The forwarding may proceed in the same way for the further controller until the interrogation message has reached the second controller. The response message may follow the reverse path until it reaches the first controller. Or, the forwarding order may be a predetermined order.
Preferably, the communication means may include at least two redundant communication channels, and at least one of such communication channels may be a communication network 600. These communication channels may be wired or wireless.
Alternatively, or in addition, the first controller 402 and the second controller 404 may be arranged to determine the vehicle of the convoy on which they are respectively installed by means of a software coding implemented by means of a process of sequential recognition of nodes of said communication means.
Preferably, when present, the third controller 403 may be arranged to determine the vehicle of the convoy on which it is respectively installed by means of a software coding implemented by means of a process of sequential recognition of nodes 602 of the at least one communication means N.
In this case, as may be seen in
Further embodiments of the system for verifying the integrity of a convoy are described below.
Preferably, the first controller 402 may be arranged to transmit, through the at least one communication means N, the interrogation message according to a first predetermined periodicity.
In other words, the first controller 402 and the second controller 404 may be arranged to transmit, through said at least one communication means, the respective communication messages used for the integrity verification according to a predetermined periodicity.
This serves to verify that the communication between the first controller 402 and the second controller 404 is still active and to avoid that a communication silence between the first controller 402 and the second controller 404 is not recognized to be a compromise of the integrity of the convoy.
Preferably, the first controller 402 may be arranged to update, according to a second periodicity, the interrogation message, and said second controller 404 is arranged to update, according to a third periodicity, the response message.
Preferably, the first, second and third periodicities may be different or equal to each other.
In other words, the first controller 402 and the second controller 404 may be arranged to update, according to a specific second periodicity, the communication messages used for the integrity verification.
Also in this case, by updating the communication messages used for the integrity verification, a safety check has been carried out which ensures that the first controller 402 and the second controller 404, even if blocked in a fault condition, continue to transmit a previous message, thus nullifying the integrity verification of the convoy.
Preferably, when the first controller 402 and the second controller 404 respectively determine that the integrity of the convoy is compromised, the first controller 402 and/or the second controller 404 may each be arranged to perform at least one predetermined safety action.
For example, the at least one predetermined safety action may include the actuation of at least braking means of the first vehicle RV1 or of the second vehicle RV2, to which the first controller 402 and the second controller 404 are respectively associated. Preferably, the braking means may be of any type, for example pneumatic, electromechanical, electronic, mechanical, mechatronic, friction, etc.
Preferably, when the first controller 402 determines that the integrity of the convoy is compromised, the first controller 402 may be arranged to send an alarm message to the third controller 403. Alternatively or additionally, when the second controller 404 determines that the integrity of the convoy is compromised, the second controller 404 may be arranged to send an alarm message to the third controller 403. The third controller 403 may therefore be arranged to perform at least one predetermined safety action when it receives an alarm message from the first controller and/or from the second controller.
For example, the at least one predetermined safety action may include the actuation of at least braking means of the third vehicle RV3, with which the third controller 403 is associated.
Preferably, the braking means may be of any type, for example pneumatic, electromechanical, electronic, mechanical, mechatronic, friction, etc.
What is described in this application may be applied similarly, where possible, to any type of convoy, for example and not limited to: railway convoy, underground convoys, underground convoys on rubber, road convoys, bound guide convoys, bound guide convoys, convoy of land vehicles or other types, and the like.
The advantage achieved is that of having implemented a system for verifying the integrity of a convoy which is highly configurable, which may be implemented directly on board the convoy, which reduces its installation and maintenance costs.
Various aspects and embodiments of a system for verifying the integrity of a convoy according to the invention have been described. It is understood that each embodiment may be combined with any other embodiment. Furthermore, the invention is not limited to the described embodiments, but may be varied within the scope defined by the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
102020000027089 | Nov 2020 | IT | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/IB2021/060501 | 11/12/2021 | WO |