Copyright © IFAC Telematics Applications in Automation and Robotics, Weingarten, Germany, 2001
SAFETY ISSUES OF REMOTE CONTROL IN RAILWAY SIGNALING
G. Tarnai
B. Saghi
Department of Transport Automation, Budapest University of Technology and Economics, Bertalan 2., Budapest, Hungary, H-1111. Phone: (+361) 463 1013, Fax: (+361) 463 3087, E-mail: {tarnai, saghi}@kaut.kka.bme.hu
Abstract: The paper deals with the special safety requirements of railway interlocking remote control systems. First the concepts of tele-operation, tele-monitoring and remote control are introduced in the special sense of railway interlocking. Then the safety considerations are discussed in connection with the remote control of railway signaling systems. Finally, the latest remote control center in Hungary is introduced.
Keywords: remote control, teleoperation, railway signaling, safety, traffic control, programmable logical controllers
1. TELE-OPERATION, TELE-MONITORING AND REMOTE CONTROL
Signals along the track play an important role in the operative control of railway traffic, as they permit or prohibit the movements of trains. The routes of the trains are defined by the positions of the switches that are traversed in the course of the movement. The interlocking systems establish such a dependency between the switches and the signals that the signals permit train movements only if the switches are locked in the correct position for the intended path and conflicting train movements are excluded (interlocked) at the same time.
Because of the large dimensions of railway stations, the switches and signals are placed at a considerable distance (several hundred meters or even several kilometers) from the interlocking system that operates and monitors them. The connection between the interlocking system and the outdoor objects is not a remote control type connection in the usual sense of remote control. Instead we speak about tele-operation (command direction) and tele-monitoring (report or response direction). This tele-operation and tele-monitoring realize basic safety functions; therefore, during their construction and operation, special requirements must be fulfilled (EN 50126).
The demand for the rationalization of railway operation accompanies the whole history of the railway. The reduction of staff and the control of the traffic of larger and larger areas from one center can be accomplished more and more effectively, in parallel with technical development. In a simple case, the signals and switches of one or more smaller stations are controlled from a neighboring, bigger station. This control, however, cannot be carried out by means of tele-operation and tele-control any more, because of the larger distances and the huge amount of information to be transmitted. Instead, remote control is applied: the interlocking system of the controlled station is operated from a controlling station (Fig. 1).
Fig. 1. Tele-operation, tele-monitoring and remote control. [Block diagram; labels recoverable from the extraction: Remote Control Center; Remote Control; Station Interlocking System (Interlocking logic); Tele-operation / Tele-monitoring; Outdoor appliances (signals, switches).]
Until the beginning of the 1980s, the railways were equipped almost exclusively with relay-based signaling systems. Since then the market has been shifting towards electronic interlocking systems, equipped with networked control systems and with supervisory remote control systems.
Transport companies are nowadays facing the challenge of integrating relay and electronic interlocking systems into modern, highly efficient control systems, in the frame of the reconstruction of existing systems and the installation of new equipment. They are forced to find cost-effective solutions that provide the possibility of comprehensive, unified operation and the highest level of safety at the same time (Krüger, et al., 1999).
The increasing centralization of traffic control leads to the situation that the interlocking systems of a large district are controlled from one center. E.g. the whole railway network of the Swiss Federal Railways (SBB) is controlled from only 18 remote control centers, so that 2/3 of all the 800 stations have no staff. Such efforts can be observed at other railways as well. According to the concept of the German Railway, the traffic control service, which is nowadays distributed over several thousand stations, should be concentrated in seven centers.
According to the intentions described above, a three-level operation control model can be identified:
• Safety Level: the level of the station and open-line signaling systems (relay, electronic, with or without shunting movement support).
• Operative Control Level: the control and automation of the safety level in one region or district is concentrated in a remote control center.
• Dispositional Control Level: the level of over-regional decisions on trains and on the engagement of resources (e.g. in Switzerland there are three centers of this highest level) (Antweiler, 1996).
Also in a model like this, the required safety level is basically provided by the station interlocking and the open-line signaling systems. The remote control system just operates the interlocking system like a "long arm", so apparently no safety requirements can be identified for it. In the following we examine whether this is true or not.
2. STANDARD COMMANDS AND EXTRAORDINARY COMMANDS
The commands carried out by the operator of a station interlocking system or of an operative (remote) control center can be divided into two groups:
• Standard commands, the execution of which is accomplished under the full technical safety coverage provided by the interlocking system.
• Extraordinary, or safety-critical commands, in the case of which the safety dependencies of the interlocking system are bypassed and the safety responsibility is directly taken over by the human operator. This kind of command is necessary in case of technical disturbances or abnormal railway operation.
In the following, the special safety requirements will be outlined for both types of commands.
In the command direction, in the case of local operation (i.e. control from the station), a command failure (failing to push the right buttons) results in push-button relays other than the intended ones being switched.
In the case of remote control, the following additional failures are possible:
• faulty command output from the remote control center,
• data transmission failure between the remote control center and the controlled equipment,
• hardware and software errors in the receiver during processing,
• failure of the remote control interface towards the interlocking system (this interface operates the push-button relays of the equipment).
All these failures can cause that, after the command has been received in the interlocking system, push-button relays other than the intended ones switch. If a so-called common or group push-button relay is missed, we speak of a function mistake; if a single push-button relay is missed, we speak of an object mistake.
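The following is an added example, not code from the paper, modelling the two failure classes just defined and their consequences for standard and extraordinary commands as discussed in section 2. It assumes a toy encoding in which a command reaching the interlocking is a set of switched push-button relays (one group relay such as G_ROUTE or G_UNLOCK plus object relays such as signal_A, track_2, switch_1); the relay names, the two groups and the station model are constructed for the example.

```python
# Added example (not from the paper): push-button relay commands, function/object
# mistake classification, the relay-circuit "belongs together" check, and the
# different consequences of a mistake for standard and extraordinary commands.
from dataclasses import dataclass, field

# Assumed group (common) relays: which command category they select and which kinds
# of object relays must accompany them (one object relay of each kind).
GROUP_RELAYS = {
    "G_ROUTE": ("standard", {"signal", "track"}),   # route setting: interlocking checks apply
    "G_UNLOCK": ("extraordinary", {"switch"}),      # emergency switch unlock: checks bypassed
}
GROUP_KEYS = frozenset(GROUP_RELAYS)


@dataclass
class Station:
    free_tracks: set = field(default_factory=set)       # tracks currently unoccupied
    locked_switches: set = field(default_factory=set)   # switches locked by set routes


def relay_kind(name):
    """'signal_A' -> 'signal', 'track_2' -> 'track', 'switch_1' -> 'switch'."""
    return name.split("_", 1)[0].lower()


def classify_mistake(intended, actual):
    """Compare the relay set the operator meant with the set that actually switched."""
    if intended == actual:
        return "correct"
    if intended & GROUP_KEYS != actual & GROUP_KEYS:
        return "function mistake"     # the common/group relay is missing or wrong
    return "object mistake"           # group relay right, an object relay is wrong


def belongs_together(relays):
    """Relay-circuit check: exactly one group relay plus the object kinds that group
    expects; anything else is stopped already in the push-button relay circuits."""
    groups = relays & GROUP_KEYS
    if len(groups) != 1:
        return False
    _, kinds = GROUP_RELAYS[next(iter(groups))]
    objects = relays - groups
    return {relay_kind(o) for o in objects} == kinds and len(objects) == len(kinds)


def execute(intended, actual, station):
    """Return (outcome, dangerous) for the relay set that actually switched."""
    mistake = classify_mistake(intended, actual)
    if not belongs_together(actual):
        return f"blocked in relay circuit ({mistake})", False
    group = next(iter(actual & GROUP_KEYS))
    category, _ = GROUP_RELAYS[group]
    objects = actual - {group}
    if category == "standard":
        # Interlocking dependencies stay in force: a route to an occupied track is
        # refused, a route to a free but unintended track causes only a disturbance.
        track = next(o for o in objects if relay_kind(o) == "track")
        if track not in station.free_tracks:
            return f"refused by interlocking ({mistake})", False
        station.free_tracks.discard(track)
        note = "traffic disturbance only" if mistake != "correct" else "as intended"
        return f"route set to {track} ({note})", False
    # Extraordinary: dependencies are bypassed, so a wrong object is acted on directly.
    switch = next(iter(objects))
    station.locked_switches.discard(switch)
    return f"{switch} unlocked ({mistake})", mistake != "correct"
```

The same object mistake (track_3 instead of track_2) is harmless under the interlocking's checks, while for the unlock command it acts on the wrong switch with no technical barrier left; a missing or wrong group relay never reaches the interlocking at all, which is also why a standard command cannot turn into an extraordinary one through this failure.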
A function or object mistake in the case of standard commands can have different consequences. If push-button relays are switched that do not belong together, the subsequent actions are prevented already in the circuits of the push-button relays. If the switched push-button relays are interpretable by the interlocking system (i.e. in principle they could belong together), then the command will be carried out, and this may result in a traffic disturbance, but never in a dangerous situation. E.g. for a train the free track 2 is intended, but because of a failure the train route is set to track 3, which is also free. If track 3 were not free, the interlocking system would not allow that route to be set. A function or object mistake in the case of extraordinary commands is not free from danger. In such cases the operator eliminates the safety dependencies of the interlocking system, but a command other than the intended one is carried out, or it is carried out for the wrong object, which can lead directly to dangerous situations.
Of course it is desirable to avoid the traffic disturbances caused by function or object mistakes; however, the evolution of dangerous situations must be ruled out. It is also not allowable that a standard command, because of a failure, triggers the operation of an extraordinary command. This can be achieved by eliminating the factors that can cause object or function mistakes. If this is not possible, the resulting failure must be detected as soon as possible and the subsequent operation must be prevented.
In the next section the methods to prevent and to detect failures in the command direction are discussed.
3. SAFETY OF THE COMMAND DIRECTION
The most common measures to avoid command mistakes are as follows (Antweiler, et al., 1997; Pachl, 1998):
• Adequate construction of the operator interface, by means of the harmonization of ergonomic and operational aspects.
• Training and retraining of the personnel, e.g. by means of a simulator (Aranyosy, et al., 1997).
• Insertion of a simulator-based filter for the purpose of displaying the commands that cannot be carried out in a given situation, and of blocking these outputs.
• Adequate support for the personnel in the case of extraordinary commands by means of
  o giving information about the operational process,
  o automatic generation of checklists,
  o ... reduce the possibility of unintended commands (expressing the intention).
Prevention of the output of a faulty command from the remote control center is primarily done in the case of extraordinary commands.
• Traditionally, the output of the command is accomplished in several phases, and before permission to proceed with the command is given, it is read back from the level of the interlocking system. If the two are equal, the operator has to give a special permissive command, which is usually issued on a physically separate channel.
• Other systems apply multi-channel processing on independent hardware, comparing the results; the command is issued (in a redundant form) only in the case of equivalence.
Data transmission has to fulfill rigorous requirements in the case of railway traffic control networks. Especially in the case of the transmission of safety-critical information, the reliability of the telecommunication is vital. The railway system must not get into a prohibited (dangerous) state more often than is acceptable to the user, not even because of a communication failure (Krbilova, et al., 1999). To achieve the required error detection capability, standardized communication protocols are used.
To detect failures of the remote control receiver and of the interlocking interface, different systems apply different system structures and methods (Krüger, et al., 1999; Tarnai, et al., 1999). These are:
• Feedback of the outputs for checking and comparison with the intended command. In case of a failure, a safety switch-off mechanism must be operated.
• Redundant, usually antivalent output of safety-critical commands.
• Multi-phase command processing, with a separate permissive command.
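The following is an added example, not code from the paper or from any of the systems it cites, simulating the safety-critical command path of section 3 end to end: an error-detected command telegram, read-back from the station level, a permissive command on a separate channel, an antivalent two-channel output whose feedback is compared, and a safety switch-off on mismatch. The telegram format, the use of CRC32 as a stand-in for the standardized error-detecting protocol, the (channel A, channel B) representation of the antivalent pair and the injectable faults are assumptions made for the example.

```python
# Added example (not from the paper): multi-phase safety-critical command with
# read-back, separate permissive channel, antivalent outputs and feedback check.
import zlib
from dataclasses import dataclass


@dataclass
class Telegram:
    seq: int      # sequence number ties the permissive to the staged command
    text: str     # command text, e.g. "UNLOCK_SW1" (constructed value)
    crc: int = 0  # error-detecting code over seq and text


def frame(seq, text):
    """Center side: attach a CRC32 (stands in for the standardized protocol's check)."""
    return Telegram(seq, text, zlib.crc32(f"{seq}:{text}".encode()))


def crc_ok(t):
    return zlib.crc32(f"{t.seq}:{t.text}".encode()) == t.crc


# Antivalent output pair (channel A, channel B): exactly one channel is ever on.
SAFE_OUTPUT = (False, True)
ACTIVE_OUTPUT = (True, False)


class StationReceiver:
    """Station-side receiver in front of the interlocking interface."""

    def __init__(self, processing_fault=False, output_fault=None):
        self.staged = None                   # command read back but not yet permitted
        self.outputs = SAFE_OUTPUT
        self.switched_off = False
        self.processing_fault = processing_fault   # injected receiver error (demo only)
        self.output_fault = output_fault           # e.g. "B_stuck_on" (demo only)

    def stage(self, t):
        """Phase 1: accept the telegram and read the command back to the center."""
        if not crc_ok(t):
            return None                      # transmission error detected: nothing staged
        if self.processing_fault:
            t = Telegram(t.seq, t.text + "?", t.crc)   # error while processing in the receiver
        self.staged = t
        return t.text

    def cancel(self):
        self.staged = None

    def permit(self, p):
        """Phase 2: a permissive from the separate channel releases the output."""
        if self.switched_off:
            return "switched off"
        if not crc_ok(p) or self.staged is None or p.seq != self.staged.seq:
            return "permissive ignored"
        return self._drive()

    def _drive(self):
        a, b = ACTIVE_OUTPUT
        if self.output_fault == "B_stuck_on":
            b = True                         # one channel of the pair has failed
        self.outputs = (a, b)
        # Feedback of both channels is compared: equal values violate antivalence.
        if a == b:
            self.outputs = SAFE_OUTPUT
            self.switched_off = True
            self.staged = None
            return "feedback mismatch: safety switch-off"
        cmd, self.staged = self.staged.text, None
        return f"executed {cmd}"


def issue_safety_command(text, receiver, seq, corrupt=False):
    """Center side of the procedure; returns the final status string."""
    t = frame(seq, text)
    if corrupt:                              # simulate a bit error on the line after framing
        t.text = text[:-1] + ("X" if text[-1] != "X" else "Y")
    readback = receiver.stage(t)
    if readback != text:
        # The operator compares the read-back with the intention and must not permit.
        receiver.cancel()
        return "read-back mismatch: not permitted"
    return receiver.permit(frame(seq, "PERMIT"))   # separate channel, own telegram
```

The three failure sources of section 2 are each caught at a different stage: a transmission error by the code check, a receiver processing error by the read-back comparison, and an output-stage failure by the feedback comparison, which also latches the receiver into the safe state until it is reset.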
In the following the safety issues of the monitoring direction will be discussed.
4. SAFETY OF THE MONITORING DIRECTION
It is characteristic of remote control operation that the operating personnel have no chance to survey the local operational situation in order to support themselves in issuing extraordinary commands. However, this is true for huge railway stations in local operation too. In such cases the staff can only rely on the indicated state and, according to the prescriptions and the possibilities, on other sources of information gained e.g. by means of a telecommunication connection.
According to the traditional approach, in the monitoring direction there is no significant difference between the reliability of the information provided by local operation and by remote control. The reason for this is that even the local indications are mostly only informative and not safety signals, because of the source of this information (indicator bulbs, non-safety relay contacts). However, the information that is relevant to extraordinary commands must be available in a safe way. Therefore, the source of this information in the interlocking system must be available in a safe way as well (a safety relay contact or a pair of contacts). The data transmission and the processing in the remote control center also have to be of a safe type. A simulator that contains interlocking logic (plausibility check) can effectively support the detection of logical faults in the incoming information. This is of special importance in the case of one-channel transmission and processing.
Hence, it is very important to detect display errors fast and to inform the operator about them unambiguously. Therefore the display is carried out with the help of special safety methods. The most common procedures are the two-channel picture-changing and symbol-joining techniques, and the read-back and comparison of the contents of the video memory with the gathered monitoring information (Antweiler, 1996; Krüger, et al., 1999). The picture-changing and the symbol-joining techniques have the advantage that they cover the whole display process; however, the failure cannot be detected automatically: it must be recognized by the operator. The read-back from the video memory enables failures to be detected automatically, but in this way it cannot be checked whether the displayed image corresponds to the contents of the video memory or not.
5. STATE OF THE REMOTE CONTROL SYSTEMS IN HUNGARY
The first, semi-electronic Centralized Traffic Control (CTC) system on the network of the Hungarian State Railways (MÁV) was installed in the late 1960s on a 45 km main line section for the remote control of 8 relay interlocking systems. A specialty of this system was that the control center was located 50 km away from the line itself, at the site of the dispositional control center of the region. In the same period, the first fully electronic remote control system in Hungary, developed at TU Budapest, was put into operation; it controlled the relay interlocking system of an open-line junction.
In the following decades several main lines have been equipped with so-called monitoring CTC (the operator only monitors the traffic; he/she has no chance to intervene directly in the operation of the local interlocking systems, which also meant that the stations had personnel). Real CTC systems with intervention capability have been applied in recent years, after becoming able to fulfil the most rigorous safety requirements regarding the output of safety-critical commands. A recently installed system is a CTC system on a four-station branch line in the neighborhood of Budapest, with significant suburban traffic. In the frame of a line electrification project, the CTC of the 1960s has been replaced with a modern remote control system, named ILTIS, supplied by Siemens Schweiz. In the following, this new CTC is introduced briefly (Tarnai, et al., 1999; Tarnai and Saghi, 2000).
The old remote control system was characterized by simplified services: the remote control commands were used only to start route-setting automatics in the local interlocking systems. The required safety was provided by the local station interlocking systems. The center of the new remote control system is located at Veresegyház station, just like in the case of the old one. The equipment of the ILTIS control center is located in the signaling personnel's office. For the sake of a unified operation mode of the four stations of the line, the central station, Veresegyház, also operates as a remotely controlled station. The original, traditional operator's desk has been retained; it serves as a reserve. In Veresegyház the automatic operations have been omitted.
The remote control commands of the ILTIS system are received in the stations and forwarded to the interlocking system by Siemens S7-400 type PLCs. The monitored signals of the interlocking system are collected and transmitted to the center also by the PLC (Fig. 2). The original command program has been radically extended according to the requirements of the user, MÁV. Besides the already existing automatics commands, every command that formerly existed only in local mode can now be given remotely. In this way the number of commands has been increased from 15 to nearly 60 (almost 70 in the case of Veresegyház).
Because of the extension of the command program, new push-button relays had to be designed. For the purpose of correct separation of the remote control and the local mode, these push-button relays are double-coiled. Similarly, the formerly single-coiled push-button relays that were operated by the automatics were exchanged for double-coiled relays. The old, single-coiled relays became the repeaters of the new double-coiled relays, so that minimal modification is necessary in the circuits (Fig. 3).
Fig. 2. The connection of the remote control center and the controlled stations. [Diagram; the stations named are Fót, Csomád, Őrbottyán and Veresegyház.]
In remote control mode the push-button relays are supplied by the outputs of the PLC, through a relay-based checking circuit. The commands are not coded; they appear directly on the outputs of the PLC and of the checking circuit. In the case of extraordinary (safety-critical) commands, in order to fulfill the safety requirements, the affected push-button relays are supplied by the contacts of two independent, checked, antivalently switching relays of the checking circuit. The possibility of the individual remote setting of the switches and the level crossings made it necessary to modify the control circuits of these objects in order to add extra dependencies that detect occasional failures in the circuits and so rule out the unwanted operation of these objects. The remote control program has been widened in the monitoring direction too: every local indication of the stations is transmitted to the center. Additionally, every extraordinary command executed in local mode is transmitted to the center for logging purposes. The extended monitoring program consists of more than 100 indications from each station, compared with the formerly used 13. The standard indications are transmitted on a single channel, the safety-critical indications on two channels, antivalently.
The introduced system has been operating since 1999 without any trouble.
Fig. 3. The connection of the PLC and the interlocking system. [Diagram; labels recoverable from the extraction: S7-400 PLC, checking circuit, automatics, interlocking logic, local indications; remote control mode / local mode; legend: P_i single-object command, PA_i automatics command, PB_i safety command.]
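The following is an added example, not code from the paper or from the ILTIS system, covering the monitoring-direction measures of section 4 and the two-channel indication transmission of section 5: decoding antivalent safety-critical indications and flagging a violated pair, a plausibility check by a small interlocking-logic simulator over the incoming indications, and the read-back comparison of the video memory contents with the gathered monitoring information. The indication names, the single constructed route and the representation of the video memory as a symbol table are assumptions made for the example.

```python
# Added example (not from the paper): antivalent indication decoding, interlocking-logic
# plausibility check and video-memory read-back comparison for the monitoring direction.

# Assumed route table for the simulator: a proceed aspect at the route's signal is only
# plausible if its switches are locked in the required position and the track is free.
ROUTES = {
    "route_A_2": {"signal": "sig_A", "switches": {"sw1": "plus"}, "track": "trk_2"},
}


def decode_safety(pairs):
    """Safety-critical indications arrive as antivalent pairs (channel A, channel B):
    (1, 0) means true, (0, 1) means false. Any other combination means a channel has
    failed, and the value is reported as unknown (None) rather than guessed."""
    return {name: (a == 1 if (a, b) in ((1, 0), (0, 1)) else None)
            for name, (a, b) in pairs.items()}


def gather(standard, safety_pairs):
    """Merge single-channel standard indications with the decoded two-channel ones."""
    return {**{k: bool(v) for k, v in standard.items()}, **decode_safety(safety_pairs)}


def plausibility_faults(ind):
    """Interlocking-logic simulator: list logical contradictions in the indications."""
    faults = []
    for name, r in ROUTES.items():
        if ind.get(r["signal"] + "_proceed") is True:
            for sw, pos in r["switches"].items():
                if ind.get(f"{sw}_{pos}") is not True or ind.get(f"{sw}_locked") is not True:
                    faults.append(f"{name}: proceed shown but {sw} not locked in {pos}")
            if ind.get(r["track"] + "_free") is not True:
                faults.append(f"{name}: proceed shown but {r['track']} not free")
    for name, v in ind.items():
        if v is None:
            faults.append(f"{name}: antivalence violated")
    return faults


def render(ind):
    """Build the symbol table that is written to the video memory for display."""
    return {name: {True: "ON", False: "OFF", None: "FAULT"}[v] for name, v in ind.items()}


def video_readback_check(video_memory, ind):
    """Read the video memory back and compare it with the gathered monitoring data;
    returns the names of the symbols that do not match (sorted)."""
    expected = render(ind)
    return sorted(k for k in expected if video_memory.get(k) != expected[k])
```

Note what the read-back check cannot see: it compares memory against data, so an image that differs from the memory contents (the limitation the section names) is not detected here; that gap is what the operator-visible picture-changing and symbol-joining techniques address.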
REFERENCES
Antweiler, B. (1996). ILTIS, das Leitsystem für die operative Führung des Bahnbetriebes. Signal + Draht (88) 12/1996, pp. 9-11.
Antweiler, B., W. Staab, G. Tarnai (1997). The Electronic Interlocking System of Siemens in Station Tata (in Hungarian). Signal Specialists' Journal "Vezetékek Világa" 3/97, pp. 20-23.
Aranyosy, Z., L. Mosóczi, G. Rácz, G. Tarnai (1997). Training the Personnel Using Simulator and Training System. World Congress on Railway Research Conference, Florence, Italy, pp. 745-751.
EN 50126: Railway applications: The specification and demonstration of dependability, reliability, availability, maintainability and safety (RAMS).
Krbilova, I., P. Rusnak, P. Tomasov (1999). Protection of Information in Process Control Systems (in Hungarian). Magyar Távközlés (10) 3/1999, pp. 40-41.
Krüger, M., T. Lehrke, J. Raimer (1999). VICOS OC 15 - eine Fernsteuerung zur Vernetzung von Relaisstellwerken. Signal + Draht (91) 6/1999, pp. 28-35.
Pachl, J. (1998). Anforderungen an die sicherheitsgerechte Visualisierung der Betriebslage. Signal + Draht (90) 1+2/1998, pp. 5-9.
Tarnai, G., A. Sulykos, L. Berényi (1999). Interfacing Old and New Technique on the Line Veresegyház (in Hungarian). Signal Specialists' Journal "Vezetékek Világa" 3/99, pp. 25-29.
Tarnai, G., B. Saghi (2000). Anpassung der herkömmlichen und neuen Signaltechnik in Ungarn. Signal + Draht (92) 12/2000, pp. 50-53.