The present invention relates in general to railroad communications and control messaging.
Centralized Traffic Control (CTC) is a well-known system in the railroad industry that allows a dispatcher at a central dispatch office to monitor and control interlockings and traffic flow within a designated territory. (An “interlocking” is generally a signaling arrangement that prevents conflicting train movements through junctions and crossings.) Among other things, a CTC system allows a dispatcher, in some circumstances, to directly control the signal indications giving train movement authorities for a block of track. In addition, at least in some circumstances, a dispatcher may directly control switches, for example, to allow a train to move to a passing siding, crossover to an adjacent track, or turnout to an alternate track or route. A CTC system may also ensure that appliances, such as switches, are properly set before and during a train movement through a track block. In addition to receiving status information from signals and switches, the CTC system may also collect status information from other “wayside devices” such as rail integrity/track circuits and hazard detectors.
Positive train control (PTC) systems help to prevent train-to-train collisions, over-speed derailments, incursions into established work zone limits, and the movement of a train through a switch left in the wrong position. A PTC system is “interoperable” if it allows locomotives of a host railroad and a tenant railroad to communicate with and respond to the PTC system while supporting uninterrupted movements over property boundaries. Interoperable PTC (IPTC) systems have been mandated for some railroads under the Rail Safety Improvement Act of 2008 (Public Law 110-432 of 2008).
In addition, the computerized Interoperable Train Control System Management (ITCSM) system allows for the configuration and management of system assets across the operating territories of different railroads.
In order to efficiently use available resources, it would be advantageous to employ a system that allows different types of messages, including CTC, IPTC, and ITCSM messages, to be exchanged between communications nodes using at least some of the same underlying communications infrastructure.
Embodiments of the present principles allow for different types of railroad messages, such as Centralized Traffic Control (CTC), Interoperable Positive Train Control (IPTC) and Systems Management System (SMS) messages to be exchanged between a railroad dispatch office and remote assets, such as waysides, using the same communications segment. In particular, by encapsulating CTC messages in a message stack including the industry-standard EMP and Class D headers, control and signal indications information can be exchanged using the Interoperable Train Control Communications (ITCC) infrastructure and the Interoperable Train Control Messaging (ITCM) system, which also support IPTC and Interoperable Train Control System Management (ITCSM) system messaging applications.
An example of one embodiment of a method of exchanging messages in a railroad communication system includes generating a message having a format defined by a protocol with an application running on a sending one of a railroad wayside system and a railroad dispatch system. A railroad edge messaging protocol (EMP) header and a railroad Class D messaging transport header are appended to the message to generate a packet. The packet is transmitted to a receiving one of the railroad dispatch system and the railroad wayside system across the railroad communications system.
The method can be used to exchange messages for any application over a communications segment of a railroad communications system. More generally, a method for exchanging application-level data messages across a communications segment of a railroad communication system therefore comprises encapsulating a message that is generated by a running computer application with a railroad edge messaging protocol (EMP) header and a railroad Class D messaging transport header to form a packet, and then transmitting the packet across a communications segment of a railroad communications system. The method may be used, for example, to transport messages from different applications over the same communications segment. Thus, the same railroad communication system segment or infrastructure is able to be used to send different types of railroad application messages.
Using the disclosed methods, current and future railroad communication system segments, infrastructures and systems are able to support not only current applications such as IPTC, Interoperable Train Control System Management (ITCSM) system, Distributed Power (DP), and other applications that communicate or exchange messages, but also messaging for future railroad applications.
In the following description, like numbers designate like parts.
In the following description of the exemplary embodiments, the abbreviations and definitions provided in Table 1 of the Appendix will be used. In addition, the following specifications, publications, and standards are incorporated herein by reference for all purposes:
Communications segment 103 generally includes a network of hardwired connections, radio base stations, and wireless links. For example, DO 101 may communicate to a given WDC 106 through a hardwired communications network path or through a radio base station and a wireless link. Each WDC 106 may control single or multiple wayside devices 102 at a wayside, depending on the particular system configuration. A wayside interface unit (WIU) (see
DO 101, which includes the host railroad's automated dispatch system (CAD) and back office (BO) (e.g., operator consoles, security keys, repositories), interfaces with communications segment 103 either directly or through an office gateway (OG) 104 and office gateway interface (a communications gateway) 105. WDC 106 interfaces either directly to communications segment 103 through CTC wayside interface (a communications gateway) 107 or through a field gateway (FG) 302 (
An Interoperable Train Control Systems Management (ITCSM) System 116 may also be supported by communications segment 103. ITCSM System 116 is generally used to securely pass status, event, and configuration data between different railroad assets using the ITCM messaging system. For example, the ITCSM architecture provides a secure method for railroad Back Office (BO) applications to remotely configure and manage each ITC asset, such as a wayside device 102a, to implement PTC functionality. ITCSM System 116 also supports the transfer and loading of software, security, data and configuration kits to remote assets, as well as the remote execution of commands by those assets.
In the ITCSM architecture, DO 101 communicates with remote assets, such as waysides 102, through an ITCSM gateway, the communications segment 103, and an ITCSM agent. The ITCSM agent serves as an asset proxy that is either linked into the remote asset executable (e.g., operates as an ITCSM Embedded Agent) or is connected over a direct Internet Protocol (IP) path to the remote asset (e.g., operates as an ITCSM Remote Agent). The ITCSM Agent handles security, passes commands, receives responses, reports events, and transfers files (kits/logs) to or from the asset. The ITCSM also provides the interface between the ITCSM system and the asset, and handles parsing and translation of ISMP messages into the asset-specific API calls.
The ITCSM gateway also communicates with similar ITCSM gateways of other railroads via communications segment 103. In the preferred embodiment, any ITCSM communication between the host railroad BO and an asset is routed through the host railroad ITCSM gateway, which performs orchestration, role authorization, and other security services.
For ITCSM and PTC applications, ITCM system 110 embeds an ISMP application message within an Edge Message Protocol (EMP) message envelope. The EMP message envelope is then embedded into a Class D transport packet for TCP/IP-based presentation to communications segment 103. The basic packet structure is shown in
OG interface 105 and CTC wayside interface 107 implement, among other things, connection managers, external link managers, and radio exchange processes that convert the messages received from OG 104 and WDCs 106 into the ITCC transmission protocol. (See U.S. Pat. No. 8,340,056).
System 100 exchanges CTC control signals (e.g., for changing switch positions and signal indications) and indications (e.g., information representing current signal indications) between WDC 106 and DO 101 using ITCM system 110 and the ITCC features of communications segment 103. In some circumstances, system 100 also uses particular assets of the ITCSM system for CTC messaging between DO 101 and wayside devices 102. In addition, system 100 may also use particular resources of the PTC system 112.
An alternate approach to the existing interfaces defining wayside device communications may provide for, among other things, any one or more of the following: (1) the support of ITCM-based transports of CTC messages from a given wayside device 102 through a BO to applications running at DO 101; (2) the integration with the ITCC environment through the use of ITCM supported protocols, such as the Edge Messaging Protocol (EMP) in accordance with the AAR S-9354 specification and Class D messaging in accordance with the AAR S-9355 specification; (3) the reuse of the existing Advanced Train Control System (ATCS) message data payload where possible to reduce impacts on the creators and consumers of these messages; (4) the reduction of repetitive status check message overhead; (5) the support for the authentication of critical messages by the wayside and office endpoints through the use of an EMP Hash Message Authentication Code (HMAC); (6) the support for management functions using the Interoperable Systems Management Protocol (SMP) standard; and (7) the support of TCP/IP-based transport of SMS messages between wayside devices 102 and applications running on DO 101.
In the preferred embodiment, the physical cable and connector configurations are implementation specific and the IP Address and TCP port configuration is coordinated at time of installation. Class D Layer 203 preferably supports, at a minimum, the Protocol Layer of Class D in the Client role in accordance with AAR Specification S-9355 including all identified options with the exception of the Transport Layer Security (TLS) requirements, which are optional.
Indications and controls are exchanged between Dispatch 101 and WDC 106 through OG 104, ITCM system 301, and when used, FG 302. ISMP commands and events are exchanged between OG 104 and WDC 106 through ITCM 301. When used, FG 302 translates the ISMP commands, indications, controls, and events into native commands suitable for WDC 106. TNUs and link status messages are exchanged between OG 104 and ITCM system 301. OG 104 translates indications, controls, ISM messages, and so on, into native messages and/or commands for processing by DO 101.
ITCM system 301 provides link/transport state information to communicating applications in several ways. For example, the primary mechanism for determining the status of connections between OG 104 and waysides 104 is to configure OG 104 or a separate application to capture a feed of the Transport Network Updates (TNUs) used internally in ITCM system 301 to build routing tables. These routing tables list all the transports available to all the waysides, and are refreshed regularly (depending on the ITCM system configuration, the refresh can take place every few seconds).
In addition, basic filtering by the communicating applications eliminates routes to areas outside the interest of CTC, for example the routes to the waysides of other railroads or the routes to locomotives. Alternately, a given application may implement more complex filtering. Given a captured data stream, an application can determine if a transport to the messaging server at a wayside 106 is available, although no indication of the connectivity to WDC 106 or FG 302 may be available.
ITCM System 301 also has a number of Systems Management System (SMS) events available to report on its internal state changes. For example, events are generated when applications connect or disconnect over Class D to ITCM. Events are also generated when connections are made or lost to the remotes (e.g., waysides 102). These events can be used to further refine the state of the applications using ITCM 301. WDC 106 (or FG 302) therefore supports much of the ISMP, which allows that component to also generate SMS events to report on the state of its connectivity, further refining the state of WDC 106 and/or connected devices within the system.
In the preferred embodiment, messages exchanged between WDC 106 and OG 104 include EMP layer 202, with each message including the EMP header described in Table 2 and the immediately following discussion.
The value in the Data Integrity field, when application specific, is obtained by truncating to 32 bits a 160-bit value calculated using the SHA-1-160 Hash Message Authentication Code (HMAC) algorithm and the Operational Private Key assigned to the WIU. The calculation of the HMAC and its truncation are described in the FIPS Publication 198 and NIST Publication 800-107 [7] cited above and are preferably performed over the entire EMP header and payload. In alternate embodiments, a Cyclical Redundancy Check (CRC) is a configurable option for the Data Integrity field value for testing purposes and is also calculated over the entire EMP header and payload. In the preferred embodiment, the HMAC and CRC options are mutually exclusive, such that when the HMAC is used, the CRC option is not used, and vice versa.
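The Data Integrity calculation described above, as an added Python sketch (not code from the patent or from the AAR specifications). It assumes the field is the last four bytes of the message, that truncation keeps the leftmost 32 bits as NIST SP 800-107 specifies, and that the test-only CRC is zlib's CRC-32 stored big-endian; the key and message bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct
import zlib

TAG_LEN = 4  # Data Integrity field is 32 bits wide


def hmac_tag(opk: bytes, covered: bytes) -> bytes:
    """HMAC-SHA-1 over header+payload, truncated to the leftmost 32 bits."""
    return hmac.new(opk, covered, hashlib.sha1).digest()[:TAG_LEN]


def crc_tag(covered: bytes) -> bytes:
    """Test-only alternative. Assumption: CRC-32 (zlib), big-endian."""
    return struct.pack(">I", zlib.crc32(covered) & 0xFFFFFFFF)


def _tag(covered: bytes, mode: str, opk: bytes) -> bytes:
    # The two options are mutually exclusive: exactly one mode is configured.
    if mode == "hmac":
        if not opk:
            raise ValueError("HMAC mode needs the WIU's Operational Private Key")
        return hmac_tag(opk, covered)
    if mode == "crc":
        return crc_tag(covered)
    raise ValueError(f"unknown Data Integrity mode: {mode!r}")


def seal(covered: bytes, mode: str, opk: bytes = b"") -> bytes:
    """Append the Data Integrity value (assumed to trail the message)."""
    return covered + _tag(covered, mode, opk)


def verify(message: bytes, mode: str, opk: bytes = b"") -> bool:
    """Recompute the value for the configured mode and compare in constant time."""
    if len(message) <= TAG_LEN:
        return False
    covered, received = message[:-TAG_LEN], message[-TAG_LEN:]
    return hmac.compare_digest(received, _tag(covered, mode, opk))


def demo() -> dict:
    opk = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed key
    header = b"EMP-HEADER-PLACEHOLDER"  # constructed; the real layout is in Table 2
    payload = b"\x01\x02\x03\x04"       # constructed control payload
    sealed = seal(header + payload, "hmac", opk)

    altered = bytearray(sealed)
    altered[len(header)] ^= 0x01        # one payload bit changed in transit

    # A CRC needs no key, so a changed message can carry a matching CRC.
    # A receiver configured for HMAC must never fall back to accepting it.
    recomputed = seal(bytes(altered[:-TAG_LEN]), "crc")
    return {
        "intact_hmac": verify(sealed, "hmac", opk),
        "altered_hmac": verify(bytes(altered), "hmac", opk),
        "recomputed_crc_in_crc_mode": verify(recomputed, "crc"),
        "recomputed_crc_in_hmac_mode": verify(recomputed, "hmac", opk),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The CRC option detects corruption only; authentication of a control message depends on the receiver being configured for HMAC mode with the correct key.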
ITCM System 301 does not guarantee that messages are delivered to the destination in the order in which they are sent by the source. It also does not guarantee that duplicates will never be created. Consequently, each end point in a CTC conversation must maintain a sequence number, which is inserted into the EMP Message Number field for determining the ordering of messages, as well as removal of duplicates. For backwards compatibility with existing CTC wayside device controllers and the ATCS protocol, this sequence number starts at 0 and increments to 127 before rolling over to start again. OG 104 maintains separate sequence numbers for each WDC 106.
In the preferred embodiment, the EMP Message Number field supports a 32-bit number, which advantageously allows for an increased range of Message Numbers while still supporting a backwards compatibility mode. OG 104 must therefore track each WDC 106 to determine whether it supports a 7 or 32 bit sequence number and to use the correct type of sequence number when communicating with that particular wayside. The sequence number is incremented for all messages, with the exception of Acknowledgments (Ack) or Negative Acknowledgments (Nack).
Preferably, the Message Number on an Ack/Nack is set to the same value as the Message Number of the request for which it was created. The Reset WDC Sequence Number message is available for OG 104 to request the WDC reset its sequence number to 0.
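A per-WDC Message Number tracker of the kind OG 104 would need, as an added Python sketch (not code from the patent). The 7-bit and 32-bit widths, the start at 0 and the Ack/Nack echo rule come from the text; the 32-message acceptance window and the new/late/duplicate/stale labels are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

WINDOW = 32  # assumption: how far behind the newest number a late message is accepted


@dataclass
class SequenceTracker:
    """Sequence state kept for one WDC (one instance per WDC)."""
    bits: int                          # 7 (ATCS-compatible) or 32
    next_tx: int = 0                   # sequence numbers start at 0
    newest_rx: Optional[int] = None
    seen: set = field(default_factory=set)

    def __post_init__(self):
        if self.bits not in (7, 32):
            raise ValueError("sequence width must be 7 or 32 bits")
        self.modulus = 1 << self.bits

    def next_message_number(self) -> int:
        """Number for an outgoing request; rolls over after modulus - 1."""
        n = self.next_tx
        self.next_tx = (n + 1) % self.modulus
        return n

    @staticmethod
    def ack_message_number(request_number: int) -> int:
        """Ack/Nack echoes the request's number and consumes no new one."""
        return request_number

    def reset(self) -> None:
        """State after a Reset WDC Sequence Number exchange."""
        self.next_tx = 0
        self.newest_rx = None
        self.seen.clear()

    def classify(self, number: int) -> str:
        """Label an incoming Message Number: new, late, duplicate, stale, invalid."""
        if not 0 <= number < self.modulus:
            return "invalid"
        if self.newest_rx is None:
            self.newest_rx, self.seen = number, {number}
            return "new"
        ahead = (number - self.newest_rx) % self.modulus
        if ahead == 0:
            return "duplicate"
        if ahead < self.modulus // 2:      # modular comparison survives rollover
            self.newest_rx = number
            self.seen.add(number)
            self.seen = {s for s in self.seen
                         if (number - s) % self.modulus <= WINDOW}
            return "new"
        if self.modulus - ahead > WINDOW:  # too far behind the newest number
            return "stale"
        if number in self.seen:
            return "duplicate"
        self.seen.add(number)              # reordered in transit, first sighting
        return "late"


def demo() -> list:
    # Constructed arrival order at the OG for one 7-bit WDC: a duplicate,
    # a rollover from 127, a reordered 0, repeats, and an old number.
    trackers = {"wdc-placeholder-address": SequenceTracker(bits=7)}
    arrivals = [125, 126, 126, 127, 1, 0, 1, 0, 90]
    rx = trackers["wdc-placeholder-address"]
    return [rx.classify(n) for n in arrivals]


if __name__ == "__main__":
    print(demo())
```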
The Message Time is the time defined by the sender's application layer.
In the preferred embodiment, a wayside component (e.g., a WDC 106 or WIU) maintains clock synchronization with an accuracy of +/−1 second per one hour period when connected to one of two sources: (1) a Class C messaging source with a one second time resolution, assuming a 10 second Class C broadcast interval; or (2) a source using a time clock synchronization protocol in accordance with either the native IP Network Time Protocol (NTP), Version 3, as specified in the Internet Engineering Task Force (IETF) Request for Comment (RFC) 1305, or the Simple Network Time Protocol (SNTP), Version 4, as specified in IETF RFC 4330. In the illustrated embodiment, both options (1) and (2) are implemented, although the wayside component ensures that only one is enabled at a time via configuration options.
In the absence of time information, a given WDC 106 maintains its WDC clock time so that the drift from clock time does not exceed +/−2000 ms for at least an 8 hour period, although a duration greater than 8 hours may be specified for a particular WDC 102. Over the life of a WDC 106, once temperature and life are factored in, the clock drift shall not exceed +/−2000 ms for at least a 2 hour period.
For ISMP message addressing, the source and destination address fields preferably use lower case alphanumeric characters. (By convention all ITCM EMP addresses are lower case, since the ITCM protocol is case sensitive and different case EMP addresses resolve to different end points.)
Each WDC 106 is associated with a WDC Identifier for all ITC-compliant applications and is constructed (but not formatted) generally in accordance with AAR S-5800, cited above (Appendix T). The format in which the WDC Identifier is used and encoded into the EMP message header is described below. The WDC identifier is constructed in accordance with the following template, for ITC-compliant applications:
IRRRLLLGGGSS
Where:
I=ATCS Address Type Identifier;
RRR=ATCS Number assigned to owning organization;
LLL=Decimal numeric identifier assigned by owning organization;
GGG=Decimal numeric identifier assigned by owning organization;
SS=Decimal numeric identifier assigned by owning organization; and
LLLGGGSS is unique for any owning organization ATCS WDC identifier.
Each WDC 106 is associated with an EMP address, which is constructed and formatted in accordance with the grammar for wayside EMP addresses described in Appendix A to AAR S-9354. The preferred construction of the WDC EMP address is as follows:
(1) <wayside identifier> consists only of the LLLGGG portion of the WDC identifier described above;
FG 302 is used to connect a WDC 106 using legacy protocols by acting as a proxy with respect to ITCM System 301. An FG 302 therefore uses the same addressing conventions on behalf of the corresponding legacy WDC 104.
For addressing OG 104, the Host Dispatch System Identifier for all ITC-compliant applications is constructed (but not formatted) generally in accordance with AAR S-5800 cited above (Appendix T). The preferred construction of the ATCS Host Dispatch System Identifier is as follows:
IRRRNNRLLL
Where
I=ATCS Address Type Identifier (2 for ground based hosts);
RRR=ATCS AAR Number assigned to owning organization;
NN=Decimal numeric network node identifier assigned by owning organization;
R=Decimal numeric address range identifier assigned by owning organization; and
LLL=Decimal numeric codeline identifier assigned by owning organization.
EMP addresses to OG 104 are preferably constructed and formatted in accordance with the grammar for wayside EMP addresses described in Appendix A to AAR S-9354. When OG 104 is used to facilitate operation between Dispatch 101 and a WDC 106, the preferred construction of the OG EMP Address is:
Generally, in CTC messaging, each message is acknowledged by the receiving node and the requesting node is responsible for the retry of the request in the event the requested node fails to reply. Table 3 illustrates the preferred message format of the application layer data exchanged between a WDC 106 and OG 104.
106, a requested reset of the sequence number for the WDC 106 to zero, or the receipt of a WDC Get Status message.
As shown in
The preferred message formats for the exchanges shown in
A preferred format for the Get WDC Status Message (Message Type 7123), which does not include a payload field, is shown in Table 9. (In legacy systems, this message is a recall message.)
A preferred WDC control message exchange is shown in
Here, a request for a WDC 106 to change the state of one or more of the associated controlled wayside devices 102 is triggered by an Operator Request 706. In turn, OG 104 sends a request (WDC Control Message 701) to the WDC 106 to effectuate a change in the state of the identified wayside device(s) 102 (State Change 705). The WDC Control Message 701 is acknowledged by the WDC 106, after validation and acceptance, with a WDC Control Ack Message 702a or, if the request cannot be successfully validated, a WDC Control Nack Message 702b. (For a control request, validation is any verification actions taken prior to actually attempting to perform the requested action, such as the execution of the WDC Control Message 701 by the receiving WDC 106 to effectuate the requested wayside device state changes.) OG 104 will send the WDC Control Message 701 a configurable number of times if it fails to receive a Control Ack Message 702a or a Control Nack Message 702b from WDC 106 within a configurable timeout period.
The successful processing of the control request and the change of the wayside device status by the WDC 106 may generate an Unsolicited WDC Status Message 703. OG 104 then returns a WDC Status Ack Message 704a or WDC Status Nack Message 704b upon validation of the WDC Status Message 703. The WDC 106 will resend the WDC Status Message 703 a configurable number of times if it receives a WDC Status Nack Message 704b or fails to receive a WDC Status Ack Message 704a within a configurable timeout period.
Table 10 shows the fields of the preferred format of the WDC Control Message (Message Type 7124), which is commonly used to set switch positions and clear/block signals. (In legacy systems, this message is a control request). The format of the body of the WDC Control Message is set out in Table 11. Tables 12 and 13 set out the preferred fields for the WDC Status Ack Message (Message Type 7125) and WDC Status Nack Message (Message Type 7126). The condition codes for the WDC Status Ack Message are described in Table 14.
A preferred WDC sequence number reset message exchange is shown in
The WDC 106 resets the sequence number, after which messages from the WDC 106 start with the new sequence number. After the WDC 106 resets the sequence number, it generates a standard WDC Status Message 803 for delivery to OG 104. OG 104 sends a WDC Status Ack Message 804a or a WDC Status Nack Message 804b upon validation of the Reset WDC Sequence Number Ack Message 802. The WDC 106 will resend the WDC Status Message 803 a configurable number of times if it receives a WDC Status Nack Message 804b or fails to receive the WDC Status Ack Message 804a within a configurable timeout period.
If OG 104 receives the Reset Sequence Number Ack Message 802, but fails to receive a new WDC Status Message 803, it may consider the sequence number to be reset and optionally send a Get WDC Status Message (discussed above) in order to confirm the sequence number. If OG 104 does not receive the Reset Sequence Number Ack Message 802, but does receive a WDC Status Message 803 with the correct sequence number, it may consider the sequence number to be reset and no further action is required. If the Reset Sequence Number Ack Message 802 later arrives after the WDC Status Message 803, the Reset Sequence Number Ack Message 802 may be discarded.
The preferred format of the Reset WDC Sequence Number Message 801 (Message Type 7127) is set out in Table 15 and the preferred format for the Reset WDC Sequence Number Ack Message 802 (Message Type 7128) is set out in Table 16.
In the ISMP system design, the Systems Management Gateway (SMG) preferably receives and responds to messages from a single Back Office address from Dispatch 101. The present CTC approach takes advantage of this SMS management infrastructure by integrating CTC messaging with the SMS system as shown in
In the message flow of
An exemplary ISMP Solicited Status Message exchange using the system of
(Preferably, the ITCM system also supports a trace route message that allows a user to internally trace the delivery of messages through the ITCM components. This feature can be used, for example, to test delivery of messages to any EMP address without impacting the destination application.)
A preferred ISMP Retrieve Log exchange is shown in
In the preferred embodiment, each WDC 106 implements a number of features for ISMP security, which allows assets to be provisioned securely and to receive new Operational Private Keys (OPKs), as needed. The ISMP security features, at a minimum, require that each WDC 106: (1) be a securable asset; (2) support a One Time User Password (OTUP), if deployed in a factory reset state; (3) accept security kits; and (4) accept OPK kits. To meet these requirements, System 100 implements a number of messages to support the management of the various keys from their delivery, to staging, to production usage.
In the preferred embodiment of System 100, the sending application layer uses the EMP layer settings and values identified in their respective message details. Table 17 summarizes some of the key header field values for all the CTC messages.
Generally, the PTC application has the highest priority (7) for the four key messages used to deliver PTC wayside status messages to a locomotive. As long as the train is operating in the PTC territory, if the wayside status is not continuously received by the locomotive within 18 seconds, the train will be put into restricted operation, which is very likely to delay train operations. The remainder of the PTC messages are allocated priorities between 4 and 6 so as to have a high priority, but not interfere with the wayside status related messages. CTC messages, although much lower in frequency, are also very high priority and can effectively stop all trains along a section of track if they are not delivered successfully (without the restricted operation option sometimes available to PTC applications). Therefore, the default priority for CTC messages is set to 6. (Preferably, the fields shown in Table 17 are configurable and the indicated values are the preferred default values).
In the preferred embodiment of System 100, WDC Status Messages deliver CTC data to a BO using CTC over ITCM System. In an alternate embodiment, CTC data are instead delivered using the WIU Status Message used in the PTC messaging protocol. In particular, the additional CTC data is added to the PTC WIU Status Message and delivered through the existing communications channels. Where used, this approach eliminates the generation of a WDC Status message when the state of the system changes in favor of an unsolicited, periodic WIU Status Message containing the same information.
In the event that the additional CTC information is unavailable or uncertain, the entire CTC data is preferably not included in the WIU Status Message and the size of the message is reduced accordingly. (There is no appropriate binary value available for the message to indicate a field has no value.) Enhancing the WIU Status Message may also reduce or eliminate the use of the Get WDC Status message as well; however, this message could still be provided as a backup depending on the needs of the dispatching system.
could be joined with the stream of CTC data destined for the dispatching system. In one embodiment, this process is implemented as a static subscription from OG 104 to WSRS 1301.
In the exchanges shown in
In the process shown in
This process of
Table 18 illustrates a preferred WIU Status Message Body format for implementing the process shown in
Status Message at the end of the Device Status field. This will have no effect on the WIU Status Message—EMP header.
In some embodiments of System 100, a separate WDC 106 may create indications to be delivered to a WIU for inclusion in the WIU Status messages. In these embodiments, the preferred implementation uses the WDC Status Message discussed above.
Table 19 provides a preferred set of ISMP Data Dictionary Variables used by WDC 106 in the ISMP Get Status and Send Status messages. Table 20 provides a preferred set of WDC/FG Specific Data Dictionary Variables. The Variable IDs specified in Tables 19 and 20 are integers.
As in any complex system, a failure of a component or communications link can always occur. In System 100, a failure can occur at various points in the message flow between a WDC 106 and Dispatch 101. Tables 20 and 21 identify some of the main components or linkages where a failure may occur.
In particular, Table 20 identifies particular WDC Failures, WDC-FG Link Failures, WDC-ITCM Link Failures (where no FG is used), and WDC-WIU Link Failures (where WIU Status is used). Table 20 illustrates scenarios including a failure of WDC 106 components, as well as scenarios in which a WDC 106 is unable to communicate with other components of System 100.
Table 21 identifies scenarios including a failure of a FG 302 component, as well as scenarios where ITCC experiences a failure resulting in a complete loss of communications between a FG 302 and OG 104. An ITCC failure could be due to a failure of ITCM, or the failure of all transports in the communications path (e.g., a radio, cell/base station, and so on) between the FG 302 and OG 104. In a configuration where the WDC status is combined with a PTC Status and delivered through ITCC, the failure of ITCC or the WSRS components would result in the same state, the loss of regular status messages to OG 104.
In the event of an OG 104 failure or the failure of the link to OG 104, all messages initiated from Dispatch 101 cannot be delivered and will time out. Consequently, Dispatch 101 must take appropriate action to notify and remedy the failure. Similarly, messages from the field will not be delivered to OG 104 in the event of the OG failure and will time out in the component that issued them. The given component will then attempt a retry of the messages a configurable number of times if appropriate. Finally, messages from the field can be delivered to the OG in the case of a failure in the link between OG 104 and the Dispatch 101. Those messages requiring a response will be responded to normally with appropriate error codes in the Nacks.
Although the invention has been described with reference to specific embodiments, these descriptions are not meant to be construed in a limiting sense. Various modifications of the disclosed embodiments, as well as alternative embodiments of the invention, will become apparent to persons skilled in the art upon reference to the description of the invention. It should be appreciated by those skilled in the art that the conception and the specific embodiment disclosed might be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims. It is therefore contemplated that the claims will cover any such modifications or embodiments that fall within the true scope of the invention.
The present application is a continuation-in-part of U.S. application Ser. No. 14/558,959, filed Dec. 3, 2014, and claims the benefit of U.S. Provisional Patent Application Ser. No. 61/934,120, filed Jan. 31, 2014, each of which is incorporated herein in its entirety for all purposes.
Number | Date | Country |
---|---|---|
61934120 | Jan 2014 | US |

 | Number | Date | Country |
---|---|---|---|
Parent | 14558959 | Dec 2014 | US |
Child | 16231891 | | US |