Title of Invention	DEVICE FOR FAIL SAFE CONTROLING AND MONITORING ELECTRIC LOADS IN RAIL TRANSPORT
Abstract	Device for fail safe controlling and monitoringelectric loads in rail transport For alternately switching on and off the signal lamps of optical signals and for switching on and off the actuating current of point drives (WA), use is made of switches (H11/1, H21/1, H12/1, H22/1) which do not satisfy the requirements placed on such switches so far in rail transport. These switches can, in particular, be constructed as contacts of power contactors or as elec-tronic switches. The switches are controlled by indepen-dent channels of a computer system, it being ensured by a specific arrangement of the switches that a circuit leading via the load is made only if both computer channels of the computer system have given matching connecting commands. If one of the switches switches at the wrong time, this can be detected for the computer system by evaluating the detector signals, because the detector signals deviate from a prescribed scheme in the event of a fault.

Title of Invention

DEVICE FOR FAIL SAFE CONTROLING AND MONITORING ELECTRIC LOADS IN RAIL TRANSPORT

Abstract

Device for fail safe controlling and monitoringelectric loads in rail transport For alternately switching on and off the signal lamps of optical signals and for switching on and off the actuating current of point drives (WA), use is made of switches (H11/1, H21/1, H12/1, H22/1) which do not satisfy the requirements placed on such switches so far in rail transport. These switches can, in particular, be constructed as contacts of power contactors or as elec-tronic switches. The switches are controlled by indepen-dent channels of a computer system, it being ensured by a specific arrangement of the switches that a circuit leading via the load is made only if both computer channels of the computer system have given matching connecting commands. If one of the switches switches at the wrong time, this can be detected for the computer system by evaluating the detector signals, because the detector signals deviate from a prescribed scheme in the event of a fault.

Full Text	-1A- Co-pending Application Nos. 235/CAL/97 and 236/CAL/97. both filed on February ll, 1997 are hereby incorporated by reference. Application No. 235/CAL/97 provides a circuit for monitoring light-signals such that it is possible instead of signalling relays to use conventional control relays which are to be selected exclusively in accordance with the electrical operating conditions, the required reliability and cost. Application No. 236/CAL/97 provides a circuit for controlling and monitoring railway switch mechanisms such that it can be used for any desired drive connections, the design, both in terms of the actuating current connection and the monitoring, always being intended to be the same. Such a circuit would have the major advantage that it can be used for any desired drive type. It is presently customary to use electronic interlocking cabins to control and monitor railway traffic (Signal + Draht 75 (1983) 11, pages 210 - 215). In accordance with the demands of station inspectors or when prompted by an automatic system, these i interlocking cabins work out movement instructions for the trains using the line,, set up the appropriate routes, monitor them and release them again after use. As in the case of relay interlocking cabins, the control and monitoring devices for the field elements of the electronic interlocking cabins are a constituent of the indoor equipment. In this case, the control and monitoring of the -IB- points are implements, as in the case of relay interlocking cabins, by means of the point operating circuits tried and tested there using relay technology. The fail safe acting of the point-control and -monitoring devices is achieved by process assurance and by using safety components; process assurance is based on checking all the components incorporated into the control and monitoring operations at regular intervals, or else in an event-controlled fashion. The situation for the light signal control resembles that for point control. The necessary fail safe acting is also achieved here by using safety components and by means of process assurance. All the modules in the control section, the supply leads to the light signal, and the signal lamps are tested in accordance with the operating sequence. If shorter test cycles are required compared with the operating sequence, these test cycles can also be carried out as far as the readiness of the signal lamps to light. The reactions of monitors and detectors are transmitted to an evaluating computer system which evaluates the signals by desired-value/actual-value comparison and reacts accordingly. - 2 - As in relay interlocking cabins, signalling relays have so far been used in electronic interlocking cabins as well in order to switch the wires leading to the loads. These are relays which have been specially developed for the requirements of railway signalling engineering and in which it is ensured in terms of design by a rigid coupling of the contacts one with another that break contacts and make contacts cannot be simultaneously closed. This property of signalling relays is the pre-condition for the fact that the contact-making of, for example, signalling relay contacts arranged in control circuits can be monitored reliably in other circuits via further contacts of the relay which are positively driven with the contacts to be monitored. Such signalling relays are, of course, much more expensive than conventional control relays, even if the latter are of particularly reliable design. It has not been possible so far to use such control relays in applications of railway signalling engineering which are critical in terms of safety, because it has not been ensured that the switching position of a contact being monitored by a circuit or by a computer really does correspond to the switching position of a corresponding contact of this relay in a safety-relevant load circuit. The lack of testability is also the reason why electronic switching means have also not been used so far for such safety-relevant circuits, but regular use has been made of a plurality of series-connected contacts or individual contacts of safety relays. It is the object of the invention to specify a for fai1 safe controlling and monitoring electric device loads which manages specifically for fail safe control in rail transport without the signalling relays developed for that purpose and tried and tested per se. The relays/ contactors replacing the signalling relays are to be selectable only in accordance with the electrical opera ting conditions, reliability and costs. THIS is achieved by The device of the present invention. The device ana GR 96 P 4019 DE - 3 - advantageous refinements and developments of the invention will now be described. The invention is explained in more detail below with the aid of exemplary embodiments represented in the drawing. The drawing shows, in Figure 1, a partial representation of the control section of an light signal and, in Figure 2, likewise a partial representation of the control section of a point drive. For reasons for clarity, the drawing does not show designations of switching means which are not absolutely necessary for explaining the present invention. The light signal LS represented diagrammatically in Figure 1 is provided with a proceed signal lamp LG and a stop signal lamp LR, which can be switched on alternately by an interlocking cabin. For this purpose, the two signal lamps are connected, via diagrammatically indicated and lengthy supply lines L1, L2 to the indoor equipment of the interlocking cabin. Actuators SO and S1 which can be set one after another from the interlocking cabin in a way known per se are used to switch the signal lamps. These actuators are connected from a reliable computer system which forms the interlocking cabin together with other computer systems. One channel of this reliable computer system uses one actuator, and the other channel the other actuator. The channel separation is illustrated in Figure 1 by a dotted line; dashed lines indicate a captive electrical isolation of the individual components of the device. Deviating from the prior art, the two actuators SO and S1 are constructed not as signalling relays with muhauically couried make and break contacts, but as control relays with changeover contacts SO/1 and SO/2 or S1/1 which are hot muhauically couried. They are designed mechanically such that the individual changeover contacts, should they weld in one position, can no longer change upon changeover of the relevant relay; the break contact remains closed and the make contact remains open. This means that in the event of a fault one of the contacts of the actuator SO is fixed mechanically, while - 4 - the other changeover contact of the relay continues to operate properly. Such sticking of a contact in one or other position cannot be excluded even in the case of using reliable actuators; the fault occurring is to be displayed. Owing to the use of actuators SO, S1 which are not muhauically couried, it is no longer possible to monitor the proper functional response of the actuators via further contacts, actuated together with the contacts SO/1, SO/2; Sl/l, of the relevant actuators. To test the functioning of the actuators, the monitoring computer system therefore has to monitor their switching position in the respectively connected light signal circuit. This is performed here by monitoring a voltage which is derived by means of a measuring shunt Rx from the supply current flowing in the supply circuit of the respectively monitored signal lamp during the measuring operation. This measuring voltage is transmitted via an optocoupler OK3 to the window discriminator FD of a monitor U which evaluates the respective measuring voltage and relays the evaluation result via an optocoupler OK1 to the two computer chan-nels of the fail safe computer system. The computer system reads in the signals fed to it by the window discriminator and, in the event of a fault, detects from the occurrence of indicating signals not expected at the time a wrongly timed open state/closed state of at least one of the switches. By means of the indicating signal transmitted to it by the window discriminator, the computer system detects from the supply current flowing in the lamp circuit in Figure 1 with the signal lamp LR for the stop signal indication switched on that the two break contacts S01/1 and S02/2 of the operationally disconnected actuator SO and the break contact S1/1 of the likewise disconnected actuator S1 really are closed. If one of these contacts were to remain, because of a fault, in the respective other switching position, the current flow via the stop signal lamp would be inter rupted or the measuring shunt would be short-circuited. - 5 - with the result that the window discriminator would transmit to the computer system an indicating signal not expected at this time. Whether one of these contacts is welded in the position represented is detected by the evaluating computer system when the proceed signal lamp LG is switched on. For this purpose, the computer system initially switches over the actuator SO via one computer channel. If the contacts of said actuator are operating properly, the contact SO/2 interrupts the supply circuit for the stop signal lamp LR, which is still switched on, while the contact SO/1 switches over the contact SO/2; the stop signal lamp thus remains switched on. The contact SO/1 does not, however, bridge only the contact SO/2, but also the measuring shunt Rx with the result that during the exclusive connection of the actuator SO the window discriminator FD detects the undershooting of a prescribed threshold value and transmits an appropriate signal to the evaluating computer system. At the same time, in conjunction with the contact SO/2 the contact SO/1 switches on the proceed signal lamp LG in single-pole fashion. If, by virtue of a fault, voltage were to be present at this time due to wire contact on a wire leading to the signal lamp LG for the proceed indication, the consequence of this would be that the current then flowing in the measuring shunt Rx builds up a voltage drop which would be detected by the window discriminator and passed on to the computer system; the computer system would detect the presence of a fault from the wrongly timed occurrence of the relevant indicating signal. Welding of one of the two actuator contacts SO/1, SO/2 has the same effects as wire contact. If, for example, the actuator contact SO/1 were welded in the position represented, this would be detectable upon connection of the actuator SO, because the current flow via the proceed signal lamp LG would be interrupted via the then switched-over actuator contact SO/2, with the result that the computer system would be fed by the window discriminator an indicating signal not expected at the time. Something similar happens if the actuator contact - 6 - SO/2 were to be welded in the position represented. Only the actuator contact SO/1 would then change upon connection of the actuator SO. This contact would prevent the subsequent switching-on of the proceed signal lamp LG, because it has made a connection to the stop signal lamp LR instead of to the proceed signal lamp LG. Welding of the actuator contact Sl/1 in one or other position renders it impossible to switch on the proceed signal lamp LG or to switch off the stop signal lamp LR. An appropriate check-back signal from the window discriminator informs the computer system of the fault occurring. If the actuator contact SO/1 is welded in the position, not shown in Figure 1, which it reached when the proceed signal lamp was switched on, the stop signal lamp can certainly light up after the proceed signal indication is switched off; however, the corresponding monitoring signal is lacking because the contact SO/1 bridges the measuring shunt Rx. If the actuator contact SO/2 welds, which is not the normal position shown in Fiaure 1. the proceed signal indication can certainly still be switched on, but the stop signal indication cannot. An appropriate signal informs the computer system of the fault occurring and blocks the signal. The actual fault signal to the computer system is the same as is triggered if shortly before the proceed signal lamp is switched on the supply leads to this signal lamp are checked for wire contact with other live lines, that is to say the emission to the computer system of a state signal respectively not expected at the time. This state signal differs markedly from the state signal which would have to be produced in the case of a proper switch position. In an advantageous way, the controlling computer system is assigned only a limited number of loads. Thus, it is put into the position of being able to subject the loads and/or the switching means incorporated into the control and monitoring operation to cyclic or event-controlled functional testing. By means of the cyclic - 7 - reading-in and evaluation of monitoring signals, the computer system detects each change in the event status display, be it proper or improper. Conclusions can be reached concerning specific states inter alia of the actuators in the connecting circuit of the loads from the potentials present on the supply leads to the loads by firstly connecting the loads in single-pole fashion and only thereafter in two-pole fashion. These loads can therefore be monitored and the possibility is consequently opened up of using entirely normal signalling relays or contactors for these actuators. Another possibility for monitoring the switching position of strike-out contacts (mechanically or electronically) consists in electrical coupling of the supply and monitoring circuits. Given a faulty switching position of a strike-in contact, voltages not expected at this instant are switched onto the monitoring detector, the unexpected event status display indicating the occurrence of a fault to the computer. Such an exemplary embodiment of the invention is shown in Figure 2; it relates to the application of the invention in the case of a point drive which is supplied in a way known per se via four wires from a three-phase system. Each wire contains a switch H11/1, H21/1, H12/1 and H22/1, respec tively, which is represented by a contact of a conven tional control relay H11, H21, H12, H22. Two of these control relays are respectively connected in series, that is to say are connected and disconnected in common. Connection is performed by one or other of the computer channels of a reliable controlling and monitoring computer system; disconnection is performed by a running-current monitor LU, which can detect when the closed position of the point is reached, and interrupts the supply circuit of the control relays, connected respectively in series, upon detecting the closed position of the point. The control relays are assigned to the two computer channels such that the supply circuits for the motor windings W1 to W3 of the point drive WA are always led via the switches of control relays operated from - 8 - different computer channels. In the end position of the drive which is represented, the series-connected windings W1 and W3 can be connected only via the switches H11/1 and H21/1, and the winding W2 can be connected only via the switches H12/1 and H22/1; the respectively associated control relays are controlled from different computer channels. When the drive rotates, concatenated phase voltages are present on the windings W1 and W3 or W3 and W2. The two control circuits lead via the switches H12/1 and H21/1 or Hll/1 and H21/1; the associated control relays are assigned to different computer channels. If the drive has reached its new end position but the drive contacts have not yet changed, the motor windings W2 and W3 are connected to voltage via the switches Hll/1 and H21/1, and the winding W1 is connected to voltage via the switches K12/1 and H21/1, before they are then disconnected after the switching of the drive contacts. The disconnection of the control relays is performed via the running-current monitor LU, which is de-energized by the drive contacts. The drive windings are also supplied in the running-down phase via switches which are controlled from different computer channels. Should one or more of the switches not close upon connection of the point drive, the drive could either not rotate, or else it would require an impermissibly long time to rotate. Both of these would be detected by detectors which are still to be explained and signalled to the computer system. If one or more of the switches were not to open upon disconnection of the drive, this would likewise be detected by the detectors and signalled to the computer system. How this is effected is explained in more detail below. Two detectors Ml and M2 are used to monitor the point drive and thus to detect directly switches which are opened or closed at the wrong time. These detectors are constructed as operational amplifiers and their function is to output state signals to the two computer channels. As a function of the input potential fed to it, each detector can emit two different signals of which it - 9 - phases one as first bit and the other as second bit into a message MK1 or MK2 to the associated computer channel. The two detectors are connected to frame in single-pole fashion via separate lines. Their signal inputs are connected via straps B5, B6, B1 to two of the wires leading to the point drive. The two other wires leading to the point drive are connected via straps B3, B4 to the live outputs of two direct-voltage sources U3 or U4, one wire being connected to the positive pole of the voltage source U3, and the other being connected to the negative pole of the voltage source U4. The other terminals of the two direct-voltage sources are connected to earth via separate lines. The potentials made available by the two direct-voltage sources U3 or U4 are respectively fed as monitoring potentials to one or other of the detectors M1, H2 via the drive contacts AK1 to AK4. In the repre sented end position of the drive, positive potential is present at the signal input of the detector HI, and negative potential is present at the signal input of the detector M2. In the case of the other end position of the drive, negative potential would be present at the signal input of the detector Ml, and positive potential would be present at the signal input of the detector M2. The indicating signals output by the detectors Ml, M2 during point rotation are not evaluated by the computer. For this purpose, the computer system receives from the running-current monitor LU appropriate state signals which are phased, for example, at the third point into the messages MK1, MK2 to be fed to the two computer channels. However, it is also possible to use the output signals of the running-current monitor to disconnect the detectors during point rotation, and thus to prevent the evaluation of state signals during point rotation. If, as a consequence of a fault, one or more of the switches switched into the supply circuit of the drive windings now remain closed, for example by welding, upon disconnection of the drive, at least in the case of one of the detectors the monitoring potential fed to it is superimposed on the control voltage connected by the - 10 - defective switch to the relevant control wire. The detector would then carry no output signal on the output side. This would be detected as a fault by the computer system, evaluating the messages. If one or more of the actuators were not to close properly upon connection of the point drive, for example because they are welded in the position of rest, after the maximum value provided for the setting of points, the running-current monitor would also still disconnect the detectors or inform the computer system that the detector output signals are not to be evaluated. The computer system detects the occurrence of a fault from the lack of the expected detector signals. Any switch malfunctions in the two switch positions can thus be reliably detected. Since this is so, it is now also possible with regard to controlling point drives to connect and disconnect the latter via control relays and to dispense with the expensive signalling relays used for this purpose so far. Instead of control relays, it is also possible to use electronic switching means for switching the supply lines, because their possible malfunctions can likewise be detected by the computer system. If both the control voltage for the loads and the voltages from which the monitoring potentials are derived are connected in common to frame potential, earth faults of loads can be reliably detected by short circuiting of the monitoring potentials. -11- Patent Claims fail safe 1. Device for/controlling and monitoring electric loads in rail transport, characterized in that a) each load circuit has at least two series-connected switches (SO/1, SO/2, S1/1; H11/1, H21/1; H12/1, H22/1) , which can be controlled independently of one another for opening/closing the circuit. the two switches can be controlled by independent computer channels of a reliable computer system, each wire of the circuit contains one of the two switches. at least one detector (FD; Ml, M2) is provided for detecting a test voltage which is derived from a supply or test current flowing via the load (LG, LR; WA) , or is. connected at least indirectly by the load, and is dependent on the operating state of the load. a switch closed or opened at the wrong time changes the test voltage in a marked way as against the test voltage set up given a proper switch position, f) the detector output signals are evaluated by the two computer channels of the reliable computer system, and the computer system detects a wrongly timed open/closed state of at least one of the switches from the occurrence of detector output signals not currently expected. wherein 2. Device according to Claim 1, the switches are constructed as contacts of control relays (H11, H12; H21, H22). wherein 3. Device according to Claim 1, the switches are constructed as electronic assem blies which switch in a contactless fashion. wherein 4. Device according to one of Claims 1 to 3, each computer system is assigned a number of loads which is limited such that, in addition to controlling the loads, said system is also capable of cyclic and/or event-controlled functional testing of the GR 96 P 4019 DE - 12 - loads and/or of the switching means incorporated into the control and/or monitoring operation. 5. Device according to Claim 4, wherein the functional testing comprises the initially one- pole and then two-pole connection of individual loads or a plurality of loads in temporary sequential switching steps, and reading in and evaluating corresponding monitoring potentials from the respectively connected wires. 6. Device according to one of Claims 1 to 5, wherein both the actuating voltage for the loads and the voltage/voltages from which the monitoring potentials are derived have a common reference potential. 7. Device according to Claim 6, wnerein that the reference potential is the earth potential. 8. Device according to one of Claims 1 to 7, wherein at least where the load (WA) can be switched over alternately into one of two possible end positions, there are provided for monitoring these end positions two detectors (Ml, M2) for detecting monitoring potentials which can be fed to the detectors, via posi tion contacts (AK1 to AK4) controllable by the load, from separate direct-voltage sources (U3, U4) which, like the detectors as well, are connected with different polarity to a common reference potential, it being the case that the arrangement is made such that in one end position of the load positive monitoring potential (+) reaches one detector (Ml) from one direct-voltage source (U3) via at least one position contact (AK4), and negative monitoring potential (-) reaches the other detector (M2) from the other direct-voltage source (U4) via at least one other position contact (AK1) while precisely the opposite happens in the other end position of the load. . 9. Device according to Claim 8, wherein that the two direct-voltage sources (U3, U4) and the two detectors (Ml, M2) are connected to the common reference potential via two separate lines in each case. 10. Device according to Claim 8 or 9, the detectors are constructed as operational - 13 - amplifiers. Device for fail safe controlling and monitoringelectric loads in rail transport For alternately switching on and off the signal lamps of optical signals and for switching on and off the actuating current of point drives (WA), use is made of switches (H11/1, H21/1, H12/1, H22/1) which do not satisfy the requirements placed on such switches so far in rail transport. These switches can, in particular, be constructed as contacts of power contactors or as elec-tronic switches. The switches are controlled by indepen-dent channels of a computer system, it being ensured by a specific arrangement of the switches that a circuit leading via the load is made only if both computer channels of the computer system have given matching connecting commands. If one of the switches switches at the wrong time, this can be detected for the computer system by evaluating the detector signals, because the detector signals deviate from a prescribed scheme in the event of a fault.

Full Text

-1A-
Co-pending Application Nos. 235/CAL/97 and 236/CAL/97. both filed on February ll, 1997 are hereby incorporated by reference.
Application No. 235/CAL/97 provides a circuit for monitoring light-signals such that it is possible instead of signalling relays to use conventional control relays which are to be selected exclusively in accordance with the electrical operating conditions, the required reliability and cost.
Application No. 236/CAL/97 provides a circuit for controlling and monitoring railway switch mechanisms such that it can be used for any desired drive connections, the design, both in terms of the actuating current connection and the monitoring, always being intended to be the same. Such a circuit would have the major advantage that it can be used for any desired drive type.
It is presently customary to use electronic interlocking cabins to control and monitor railway traffic (Signal + Draht 75 (1983) 11, pages 210 - 215). In accordance with the demands of
station inspectors or when prompted by an automatic system, these
i interlocking cabins work out movement instructions for the trains
using the line,, set up the appropriate routes, monitor them and release them again after use. As in the case of relay interlocking cabins, the control and monitoring devices for the field elements of the electronic interlocking cabins are a constituent of the indoor equipment. In this case, the control and monitoring of the

-IB-
points are implements, as in the case of relay interlocking cabins, by means of the point operating circuits tried and tested there using relay technology. The fail safe acting of the point-control and -monitoring devices is achieved by process assurance and by using safety components; process assurance is based on checking all the components incorporated into the control and monitoring operations at regular intervals, or else in an event-controlled fashion. The situation for the light signal control resembles that for point control. The necessary fail safe acting is also achieved here by using safety components and by means of process assurance. All the modules in the control section, the supply leads to the light signal, and the signal lamps are tested in accordance with the operating sequence. If shorter test cycles are required compared with the operating sequence, these test cycles can also be carried out as far as the readiness of the signal lamps to light. The reactions of monitors and detectors are transmitted to an evaluating computer system which evaluates the signals by desired-value/actual-value comparison and reacts accordingly.

- 2 -
As in relay interlocking cabins, signalling relays have so far been used in electronic interlocking cabins as well in order to switch the wires leading to the loads. These are relays which have been specially developed for the requirements of railway signalling engineering and in which it is ensured in terms of design by a rigid coupling of the contacts one with another that break contacts and make contacts cannot be simultaneously closed. This property of signalling relays is the pre-condition for the fact that the contact-making of, for example, signalling relay contacts arranged in control circuits can be monitored reliably in other circuits via further contacts of the relay which are positively driven with the contacts to be monitored. Such signalling relays are, of course, much more expensive than conventional control relays, even if the latter are of particularly reliable design. It has not been possible so far to use such control relays in applications of railway signalling engineering which are critical in terms of safety, because it has not been ensured that the switching position of a contact being monitored by a circuit or by a computer really does correspond to the switching position of a corresponding contact of this relay in a safety-relevant load circuit. The lack of testability is also the reason why electronic switching means have also not been used so far for such safety-relevant circuits, but regular use has been made of a plurality of series-connected contacts or individual contacts of safety relays.
It is the object of the invention to specify a
for fai1 safe controlling and monitoring electric device
loads which manages specifically for fail safe control in rail
transport without the signalling relays developed for
that purpose and tried and tested per se. The relays/
contactors replacing the signalling relays are to be
selectable only in accordance with the electrical opera
ting conditions, reliability and costs.
THIS is achieved by The device of the present invention. The device ana

GR 96 P 4019 DE - 3 -
advantageous
refinements and developments of the invention will now be described.
The invention is explained in more detail below with the aid of exemplary embodiments represented in the drawing. The drawing shows, in Figure 1, a partial representation of the control section of an light signal and, in Figure 2, likewise a partial representation of the control section of a point drive. For reasons for clarity, the drawing does not show designations of switching means which are not absolutely necessary for explaining the present invention.
The light signal LS represented diagrammatically in Figure 1 is provided with a proceed signal lamp LG and a stop signal lamp LR, which can be switched on alternately by an interlocking cabin. For this purpose, the two signal lamps are connected, via diagrammatically indicated and lengthy supply lines L1, L2 to the indoor equipment of the interlocking cabin. Actuators SO and S1 which can be set one after another from the interlocking cabin in a way known per se are used to switch the signal lamps. These actuators are connected from a reliable computer system which forms the interlocking cabin together with other computer systems. One channel of this reliable computer system uses one actuator, and the other channel the other actuator. The channel separation is illustrated in Figure 1 by a dotted line; dashed lines indicate a captive electrical isolation of the individual components of the device.
Deviating from the prior art, the two actuators
SO and S1 are constructed not as signalling relays with muhauically couried make and break contacts, but as control
relays with changeover contacts SO/1 and SO/2 or S1/1 which are hot muhauically couried. They are designed mechanically such that the individual changeover contacts, should they weld in one position, can no longer change upon changeover of the relevant relay; the break contact remains closed and the make contact remains open. This means that in the event of a fault one of the contacts of the actuator SO is fixed mechanically, while

- 4 -
the other changeover contact of the relay continues to operate properly. Such sticking of a contact in one or other position cannot be excluded even in the case of using reliable actuators; the fault occurring is to be displayed.
Owing to the use of actuators SO, S1 which are not muhauically couried, it is no longer possible to monitor the proper functional response of the actuators via further contacts, actuated together with the contacts SO/1, SO/2; Sl/l, of the relevant actuators. To test the functioning of the actuators, the monitoring computer system therefore has to monitor their switching position in the respectively connected light signal circuit. This is performed here by monitoring a voltage which is derived by means of a measuring shunt Rx from the supply current flowing in the supply circuit of the respectively monitored signal lamp during the measuring operation. This measuring voltage is transmitted via an optocoupler OK3 to the window discriminator FD of a monitor U which evaluates the respective measuring voltage and relays the evaluation result via an optocoupler OK1 to the two computer chan-nels of the fail safe computer system. The computer system reads in the signals fed to it by the window discriminator and, in the event of a fault, detects from the occurrence of indicating signals not expected at the time a wrongly timed open state/closed state of at least one of the switches. By means of the indicating signal transmitted to it by the window discriminator, the computer system detects from the supply current flowing in the lamp circuit in Figure 1 with the signal lamp LR for the stop signal indication switched on that the two break contacts S01/1 and S02/2 of the operationally disconnected actuator SO and the break contact S1/1 of the likewise disconnected actuator S1 really are closed. If one of these contacts were to remain, because of a fault, in the respective other switching position, the current flow via the stop signal lamp would be inter rupted or the measuring shunt would be short-circuited.

- 5 -
with the result that the window discriminator would transmit to the computer system an indicating signal not expected at this time. Whether one of these contacts is welded in the position represented is detected by the evaluating computer system when the proceed signal lamp LG is switched on. For this purpose, the computer system initially switches over the actuator SO via one computer channel. If the contacts of said actuator are operating properly, the contact SO/2 interrupts the supply circuit for the stop signal lamp LR, which is still switched on, while the contact SO/1 switches over the contact SO/2; the stop signal lamp thus remains switched on. The contact SO/1 does not, however, bridge only the contact SO/2, but also the measuring shunt Rx with the result that during the exclusive connection of the actuator SO the window discriminator FD detects the undershooting of a prescribed threshold value and transmits an appropriate signal to the evaluating computer system. At the same time, in conjunction with the contact SO/2 the contact SO/1 switches on the proceed signal lamp LG in single-pole fashion. If, by virtue of a fault, voltage were to be present at this time due to wire contact on a wire leading to the signal lamp LG for the proceed indication, the consequence of this would be that the current then flowing in the measuring shunt Rx builds up a voltage drop which would be detected by the window discriminator and passed on to the computer system; the computer system would detect the presence of a fault from the wrongly timed occurrence of the relevant indicating signal. Welding of one of the two actuator contacts SO/1, SO/2 has the same effects as wire contact. If, for example, the actuator contact SO/1 were welded in the position represented, this would be detectable upon connection of the actuator SO, because the current flow via the proceed signal lamp LG would be interrupted via the then switched-over actuator contact SO/2, with the result that the computer system would be fed by the window discriminator an indicating signal not expected at the time. Something similar happens if the actuator contact

- 6 -
SO/2 were to be welded in the position represented. Only the actuator contact SO/1 would then change upon connection of the actuator SO. This contact would prevent the subsequent switching-on of the proceed signal lamp LG, because it has made a connection to the stop signal lamp LR instead of to the proceed signal lamp LG.
Welding of the actuator contact Sl/1 in one or other position renders it impossible to switch on the proceed signal lamp LG or to switch off the stop signal lamp LR. An appropriate check-back signal from the window discriminator informs the computer system of the fault occurring.
If the actuator contact SO/1 is welded in the position, not shown in Figure 1, which it reached when the proceed signal lamp was switched on, the stop signal lamp can certainly light up after the proceed signal indication is switched off; however, the corresponding monitoring signal is lacking because the contact SO/1 bridges the measuring shunt Rx. If the actuator contact SO/2 welds, which is not the normal position shown in Fiaure 1. the proceed signal indication can certainly still be switched on, but the stop signal indication cannot. An appropriate signal informs the computer system of the fault occurring and blocks the signal.
The actual fault signal to the computer system is the same as is triggered if shortly before the proceed signal lamp is switched on the supply leads to this signal lamp are checked for wire contact with other live lines, that is to say the emission to the computer system of a state signal respectively not expected at the time. This state signal differs markedly from the state signal which would have to be produced in the case of a proper switch position.
In an advantageous way, the controlling computer system is assigned only a limited number of loads. Thus, it is put into the position of being able to subject the loads and/or the switching means incorporated into the control and monitoring operation to cyclic or event-controlled functional testing. By means of the cyclic

- 7 -
reading-in and evaluation of monitoring signals, the computer system detects each change in the event status display, be it proper or improper. Conclusions can be reached concerning specific states inter alia of the actuators in the connecting circuit of the loads from the potentials present on the supply leads to the loads by firstly connecting the loads in single-pole fashion and only thereafter in two-pole fashion. These loads can therefore be monitored and the possibility is consequently opened up of using entirely normal signalling relays or contactors for these actuators.
Another possibility for monitoring the switching position of strike-out contacts (mechanically or electronically) consists in electrical coupling of the supply and monitoring circuits. Given a faulty switching position of a strike-in contact, voltages not expected at this instant are switched onto the monitoring detector, the unexpected event status display indicating the occurrence of a fault to the computer. Such an exemplary embodiment of the invention is shown in Figure 2; it relates to the application of the invention in the case of a point drive which is supplied in a way known per se via four wires from a three-phase system. Each wire contains a switch H11/1, H21/1, H12/1 and H22/1, respec tively, which is represented by a contact of a conven tional control relay H11, H21, H12, H22. Two of these control relays are respectively connected in series, that is to say are connected and disconnected in common. Connection is performed by one or other of the computer channels of a reliable controlling and monitoring computer system; disconnection is performed by a running-current monitor LU, which can detect when the closed position of the point is reached, and interrupts the supply circuit of the control relays, connected respectively in series, upon detecting the closed position of the point. The control relays are assigned to the two computer channels such that the supply circuits for the motor windings W1 to W3 of the point drive WA are always led via the switches of control relays operated from

- 8 -
different computer channels. In the end position of the drive which is represented, the series-connected windings W1 and W3 can be connected only via the switches H11/1 and H21/1, and the winding W2 can be connected only via the switches H12/1 and H22/1; the respectively associated control relays are controlled from different computer channels. When the drive rotates, concatenated phase voltages are present on the windings W1 and W3 or W3 and W2. The two control circuits lead via the switches H12/1 and H21/1 or Hll/1 and H21/1; the associated control relays are assigned to different computer channels. If the drive has reached its new end position but the drive contacts have not yet changed, the motor windings W2 and W3 are connected to voltage via the switches Hll/1 and H21/1, and the winding W1 is connected to voltage via the switches K12/1 and H21/1, before they are then disconnected after the switching of the drive contacts. The disconnection of the control relays is performed via the running-current monitor LU, which is de-energized by the drive contacts. The drive windings are also supplied in the running-down phase via switches which are controlled from different computer channels.
Should one or more of the switches not close upon connection of the point drive, the drive could either not rotate, or else it would require an impermissibly long time to rotate. Both of these would be detected by detectors which are still to be explained and signalled to the computer system. If one or more of the switches were not to open upon disconnection of the drive, this would likewise be detected by the detectors and signalled to the computer system. How this is effected is explained in more detail below.
Two detectors Ml and M2 are used to monitor the point drive and thus to detect directly switches which are opened or closed at the wrong time. These detectors are constructed as operational amplifiers and their function is to output state signals to the two computer channels. As a function of the input potential fed to it, each detector can emit two different signals of which it

- 9 -
phases one as first bit and the other as second bit into a message MK1 or MK2 to the associated computer channel. The two detectors are connected to frame in single-pole fashion via separate lines. Their signal inputs are connected via straps B5, B6, B1 to two of the wires leading to the point drive. The two other wires leading to the point drive are connected via straps B3, B4 to the live outputs of two direct-voltage sources U3 or U4, one wire being connected to the positive pole of the voltage source U3, and the other being connected to the negative pole of the voltage source U4. The other terminals of the two direct-voltage sources are connected to earth via separate lines. The potentials made available by the two direct-voltage sources U3 or U4 are respectively fed as monitoring potentials to one or other of the detectors M1, H2 via the drive contacts AK1 to AK4. In the repre sented end position of the drive, positive potential is present at the signal input of the detector HI, and negative potential is present at the signal input of the detector M2. In the case of the other end position of the drive, negative potential would be present at the signal input of the detector Ml, and positive potential would be present at the signal input of the detector M2. The indicating signals output by the detectors Ml, M2 during point rotation are not evaluated by the computer. For this purpose, the computer system receives from the running-current monitor LU appropriate state signals which are phased, for example, at the third point into the messages MK1, MK2 to be fed to the two computer channels. However, it is also possible to use the output signals of the running-current monitor to disconnect the detectors during point rotation, and thus to prevent the evaluation of state signals during point rotation.
If, as a consequence of a fault, one or more of the switches switched into the supply circuit of the drive windings now remain closed, for example by welding, upon disconnection of the drive, at least in the case of one of the detectors the monitoring potential fed to it is superimposed on the control voltage connected by the

- 10 -
defective switch to the relevant control wire. The detector would then carry no output signal on the output side. This would be detected as a fault by the computer system, evaluating the messages.
If one or more of the actuators were not to close properly upon connection of the point drive, for example because they are welded in the position of rest, after the maximum value provided for the setting of points, the running-current monitor would also still disconnect the detectors or inform the computer system that the detector output signals are not to be evaluated. The computer system detects the occurrence of a fault from the lack of the expected detector signals.
Any switch malfunctions in the two switch positions can thus be reliably detected. Since this is so, it is now also possible with regard to controlling point drives to connect and disconnect the latter via control relays and to dispense with the expensive signalling relays used for this purpose so far. Instead of control relays, it is also possible to use electronic switching means for switching the supply lines, because their possible malfunctions can likewise be detected by the computer system.
If both the control voltage for the loads and the voltages from which the monitoring potentials are derived are connected in common to frame potential, earth faults of loads can be reliably detected by short circuiting of the monitoring potentials.

-11-
Patent Claims fail safe
1. Device for/controlling and monitoring electric
loads in rail
transport, characterized in that
a) each load circuit has at least two series-connected
switches (SO/1, SO/2, S1/1; H11/1, H21/1; H12/1, H22/1) , which can be controlled independently of one another for opening/closing the circuit. the two switches can be controlled by independent computer channels of a reliable computer system, each wire of the circuit contains one of the two switches.
at least one detector (FD; Ml, M2) is provided for detecting a test voltage which is derived from a supply or test current flowing via the load (LG, LR; WA) , or is. connected at least indirectly by the load, and is dependent on the operating state of the load.
a switch closed or opened at the wrong time changes
the test voltage in a marked way as against the test
voltage set up given a proper switch position,
f) the detector output signals are evaluated by the two
computer channels of the reliable computer system,
and the computer system detects a wrongly timed
open/closed state of at least one of the switches
from the occurrence of detector output signals not
currently expected. wherein
2. Device according to Claim 1, the switches are constructed as contacts of control relays (H11, H12; H21, H22). wherein
3. Device according to Claim 1, the switches are constructed as electronic assem blies which switch in a contactless fashion. wherein
4. Device according to one of Claims 1 to 3, each computer system is assigned a number of loads which is limited such that, in addition to controlling the loads, said system is also capable of cyclic and/or event-controlled functional testing of the

GR 96 P 4019 DE - 12 -
loads and/or of the switching means incorporated into the control and/or monitoring operation.
5. Device according to Claim 4, wherein the functional testing comprises the initially one- pole and then two-pole connection of individual loads or
a plurality of loads in temporary sequential switching
steps, and reading in and evaluating corresponding
monitoring potentials from the respectively connected
wires.
6. Device according to one of Claims 1 to 5, wherein
both the actuating voltage for the loads
and the voltage/voltages from which the monitoring
potentials are derived have a common reference potential.
7. Device according to Claim 6, wnerein that the reference potential is the earth potential.
8. Device according to one of Claims 1 to 7, wherein at least where the load (WA) can be
switched over alternately into one of two possible end
positions, there are provided for monitoring these end
positions two detectors (Ml, M2) for detecting monitoring
potentials which can be fed to the detectors, via posi
tion contacts (AK1 to AK4) controllable by the load, from
separate direct-voltage sources (U3, U4) which, like the
detectors as well, are connected with different polarity
to a common reference potential, it being the case that
the arrangement is made such that in one end position of
the load positive monitoring potential (+) reaches one
detector (Ml) from one direct-voltage source (U3) via at
least one position contact (AK4), and negative monitoring
potential (-) reaches the other detector (M2) from the
other direct-voltage source (U4) via at least one other
position contact (AK1) while precisely the opposite
happens in the other end position of the load. .
9. Device according to Claim 8, wherein
that the two direct-voltage sources (U3, U4) and the two
detectors (Ml, M2) are connected to the common reference potential via two separate lines in each case.
10. Device according to Claim 8 or 9, the detectors are constructed as operational

- 13 -
amplifiers.
Device for fail safe controlling and monitoringelectric loads in rail transport
For alternately switching on and off the signal lamps of optical signals and for switching on and off the actuating current of point drives (WA), use is made of switches (H11/1, H21/1, H12/1, H22/1) which do not satisfy the requirements placed on such switches so far in rail transport. These switches can, in particular, be constructed as contacts of power contactors or as elec-tronic switches. The switches are controlled by indepen-dent channels of a computer system, it being ensured by a specific arrangement of the switches that a circuit leading via the load is made only if both computer channels of the computer system have given matching connecting commands. If one of the switches switches at the wrong time, this can be detected for the computer system by evaluating the detector signals, because the detector signals deviate from a prescribed scheme in the event of a fault.

Documents:

00237-cal-1997 abstract.pdf

00237-cal-1997 claims.pdf

00237-cal-1997 correspondence.pdf

00237-cal-1997 description (complete).pdf

00237-cal-1997 drawings.pdf

00237-cal-1997 form-1.pdf

00237-cal-1997 form-2.pdf

00237-cal-1997 form-3.pdf

00237-cal-1997 form-5.pdf

00237-cal-1997 gpa.pdf

00237-cal-1997 priority document.pdf

« Previous Patent

Next Patent »

Patent Number

194038

Indian Patent Application Number

237/CAL/1997

PG Journal Number

30/2009

Publication Date

24-Jul-2009

Grant Date

13-Apr-2005

Date of Filing

11-Feb-1997

Name of Patentee

SIEMENS AKTIENGESELLSCHAFT

Applicant Address

WITTELSBACHERPLATZ 2, 80333 MUNCHEN

Inventors:

#	Inventor's Name	Inventor's Address
1	MEIER JOACHIM	LIEBKNECHTSTRABE 6, D-38112 BRAUNSCHWEIG
2	KLAUS, JURGEN	GERSTACKERSTRABE 21, D-38102 BRAUNSCHWEIG

PCT International Classification Number

B61L 19/00, 7/08,

PCT International Application Number

N/A

PCT International Filing date

PCT Conventions:

#	PCT Application Number	Date of Convention	Priority Country
1	1960689.4	1996-02-13	Germany