EP3448735B1 - Server device operating a piece of software for controlling a function of a rail transport safety system - Google Patents
- Publication number: EP3448735B1 (application EP17720733.9A)
- Authority: EP (European Patent Office)
- Prior art keywords: software, server, server device, processes, srv
- Legal status: Active (an assumption by Google Patents, not a legal conclusion; no legal analysis has been performed)
Classifications
- B (Performing operations; transporting) > B61 (Railways) > B61L (Guiding railway traffic; ensuring the safety of railway traffic)
- B61L19/00: Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
- B61L19/06: Interlocking devices having electrical operation
- B61L2019/065: Interlocking devices having electrical operation with electronic means
- B61L27/00: Central railway traffic control systems; trackside control; communication systems specially adapted therefor
- B61L27/30: Trackside multiple control systems, e.g. switch-over between different systems
Definitions
- The invention relates to a server device operating software for controlling a function of a rail-bound transport safety system, the software operating at least two processes physically separated from one another, whose results are compared with one another in order to control the function.
- Rail-bound transport safety systems are increasingly automated by computers.
- The aim is to ensure a high degree of reliability, availability, maintainability and safety of persons (the so-called RAMS requirements: Reliability, Availability, Maintainability, Safety).
- Software errors: programming errors, which can usually be uncovered and removed before commissioning by planning and running through suitable test scenarios.
- Hardware errors: in particular the failure of individual components such as transistors, which can in principle occur at any time during operation.
- Such hardware faults must be detected in time so that the rail-bound transport safety system does not endanger people (train drivers, passengers) and preferably also not valuable assets (locomotives, wagons) or cargo.
- Software for rail-bound transport safety systems is usually installed on dedicated individual devices, on which the physical separation of processes can be ensured well. For this purpose, the software and the device architecture are matched to one another.
- Virtualization of applications means that dedicated individual devices can be dispensed with in many cases, and software development and integration are simplified as well.
- Virtualization of a train control system has been proposed, for example, in WO 2015/126529 A1.
- EP 1 085 415 A2, which is considered the closest prior art, discloses a program module and a method for increasing the safety of a software-controlled system, in particular an electronic interlocking (signal box) for railway signalling.
- A computer network comprising computers R8, R9, R10, R11 and a comparator V3 is used.
- Computers R8 and R9 are connected in series, and computers R10 and R11 are connected in series.
- Computers R10 and R11 are connected in parallel to computers R8 and R9.
- The first program part of a program module is installed on computers R8 and R10, and the second program part of the program module is installed on computers R9 and R11. Both computers R8 and R10 receive the same input data.
- The output data of computers R9 and R11 are checked by the comparator V3; a route is only released if the output data of computers R9 and R11 match.
- US 2003/0018927 A1 describes a cluster server system with high availability.
- The cluster comprises several physical servers (individual servers) referred to as "nodes".
- One or more software programs, called "virtual servers", run on each node. If a node fails, an affected virtual server is transferred to another node.
- The object of the invention is to provide a server device in which improved availability of a software application can be guaranteed while at the same time maintaining a high level of operational safety of train traffic.
- The invention makes the increased availability of server clusters accessible to a software application, but at the same time ensures that processes whose results have to be compared with one another in order to maintain operational safety run physically separated from one another.
- For this purpose, the server device used to operate the software is set up with at least two server clusters.
- Each of the server clusters of the server device comprises at least two individual servers, which allow processes to be migrated between them if one individual server fails (high-availability cluster). This ensures high availability (operational readiness).
- The software is split into at least two parts, which are distributed among the at least two server clusters. Each part of the software, and thus one of the processes, is permanently assigned to one of the server clusters.
- The processes whose results are compared can be dedicated check processes that run in addition to the control function of the software application (such as the calculation of check digits or checksums), or main processes that are themselves used for the control function (such as the calculation of a track diagram).
- The processes to be compared with one another perform the same arithmetic operations in the same order in order to obtain their respective process result (like processes).
- Equal process results generally indicate that the server device is functioning correctly; differing process results generally indicate a fault.
- One of the processes whose results are to be compared is, for example, a master process, and a second process a slave process. If the result of the slave process deviates from the previously determined result of the master process, the status of the software application is set to "unsafe" (for example by the software part of the master process and/or the software part of the slave process and/or a further software part for the comparison process), and none of the process results is trusted any longer. In the case of an interlocking application, for example, all affected signals can then be set to "Halt" as a precaution.
- Virtualization makes it possible to operate the software largely independently of any local, available hardware. In particular, it is easily possible to exchange individual components (such as individual servers within one of the server clusters).
- The software is an interlocking (signal box) application. Owing to the architecture of the server device according to the invention, the high level of safety usually required for interlocking applications can be guaranteed. The high availability is also advantageous in order to avoid or minimise delays in the operational flow of train traffic.
- The software is an application for operating the user interface of a computer-controlled interlocking, in particular with functionality for connecting mobile operator terminals.
- HIS: HIS server application
- MPT: mobile possession terminal
- HHT: handheld terminal
- The server architecture according to the invention has proven particularly useful in this application. Here, calculated track diagrams can serve as the processes to be compared and their results, which are displayed on operator terminals, in particular mobile operator terminals (such as tablet computers). Since the user can temporarily assume responsibility for the release of track sections, a high safety standard is required here, which the invention can offer.
- The software is a train protection application. Owing to the architecture of the server device according to the invention, the high level of safety usually required for train protection applications as well can be guaranteed. Train protection applications include, for example, emergency braking when a signal at "Halt" is passed.
- An embodiment is also advantageous in which the software is set up according to safety integrity level 2 (SIL2) or higher.
- This safety level SIL2 is sufficient for many applications in rail-bound transport safety systems and is easy to achieve with the server architecture according to the invention, while increased availability is made possible at the same time.
- The safety integrity level (SIL) is determined in accordance with EN 61508 (in particular EN 50128 and EN 50129) in the version valid on 4 April 2016.
- The software can be a HIS server application, for example.
- SIL4: safety integrity level 4
- EN 61508: in particular EN 50128 and EN 50129
- RBC: Radio Block Center
- SCM: safe communication module
- An embodiment is also advantageous in which the software operates exactly two processes, physically separated from one another, on exactly two different server clusters.
- A setup with two server clusters for only two processes to be compared (in a given check) is comparatively simple to implement, yet increases safety considerably while at the same time offering high availability.
- The server device comprises three physically separated server clusters.
- The software comprises at least three parts that are installed on different ones of the server clusters, so that the software operates three processes on different ones of the three server clusters, and the results of the processes are evaluated in a 2-out-of-3 decision for controlling the function of the rail-bound transport safety system.
- With a 2-out-of-3 decision, correct process results can still be identified even if one piece of hardware fails (here, a fault on one of the server clusters), which further increases availability.
- The server device also operates at least one further software application for controlling a further function of the rail-bound transport safety system, and this further software is installed and operated on only one of the server clusters.
- The further software is thus not broken down into different parts that have to be installed on different server clusters; this significantly simplifies its operation.
- The further software is typically set up according to SIL0.
- Typically, one or more individual further software applications are installed and operated on each of the server clusters.
- The present invention is based on distributing the processes of a software control of a rail-bound transport safety system, in a virtual operating level, across different server clusters.
- Within their server cluster, the processes can be migrated between the individual servers in order to ensure high availability if individual servers fail.
- The processes are alike, and their results are compared for safety purposes.
- Distributing the processes across different server clusters ensures that they always run on different individual servers, so that individual hardware faults lead to differing process results that are easily uncovered by the safety checks.
- HIS: Human Machine Interface for Interlocking Systems. Developed to SIL2 (Safety Integrity Level 2) of the CENELEC EN 50128 standard, it essentially has the function of the user interface of an electronic interlocking (ESTW) and can be designed in different forms for different markets or applications in order to take particular characteristics into account.
- ESTW: electronic interlocking (signal box)
- HIS server: essentially serves to supply the connected operator terminals with the calculated illuminations, i.e. states, of the interlocking elements.
- The HIS architecture: in order to meet the SIL2 requirements of EN 50128, the HIS architecture must be designed so that the master process and the slave process run on different (hardware) processors. With multi-core processors this can be achieved by firmly binding the processes to certain processor cores (core binding, processor affinity). This ensures that a computing error in a processor (or processor core) can never lead to the same wrong result in both the master and the slave process (simultaneous double faults are excluded by the standard).
- Server clusters can be formed from server computers (individual servers), which offer the advantages of a virtual operating level (high availability, redundancy) while at the same time ensuring physical separation of the processes.
- The master process can run on one server cluster and the slave process on the other. While it cannot be predicted which processor (core) within a server cluster a process is currently using, it is ruled out that the processes on the different server clusters ever use the same processor (core).
- Fig. 1 shows a first embodiment of a server device 1 according to the invention with two server clusters SC1, SC2, which is described in more detail below.
- The server device 1 is also referred to as a virtual cluster.
- The server device 1 comprises a first server cluster SC1 and a second server cluster SC2, which are spatially separated from one another; this is illustrated in Fig. 1 by a physical boundary 2.
- By spatially separated it is meant that the server computers (SRV) of the two server clusters SC1, SC2 do not consist of the same hardware, but are separate computers.
- The spatial separation can thus be realised by installing the server clusters SC1, SC2 in the same rack in a server room, in different racks in the same or different server rooms, or at different sites several kilometres apart.
- The limiting factor for the maximum distance between the server clusters SC1, SC2 is the speed and latency of the network between them, which is used to synchronise the server clusters SC1, SC2.
- Network connections are represented in Fig. 1 by simple connecting lines.
- In the first server cluster SC1, at least two server computers (individual servers) SRV-1-1, SRV-1-2 are combined to form a cluster.
- In the second server cluster SC2, at least two server computers (individual servers) SRV-2-1, SRV-2-2 are likewise combined to form a cluster.
- The server device 1 has a common cluster control 18 and a common storage control 19 for both server clusters SC1, SC2.
- Each server cluster SC1, SC2 has its own high-availability control (HA) 20a, 20b, with which processes of the applications can be moved between the individual computers SRV-1-1, SRV-1-2 or SRV-2-1, SRV-2-2 within the respective server cluster SC1 or SC2, in particular if a defect occurs in an individual computer.
- Each server cluster SC1, SC2 also has its own storage (Storage Vol 1, Storage Vol 2) 21a, 21b, which can be used by the individual servers of the respective cluster SC1, SC2.
- The HIS server software 11 is divided into two parts: the HIS master process 11a is implemented on the first server cluster SC1, and the HIS slave process 11b (which is identical to the HIS master process 11a) on the second server cluster SC2.
- The HIS master process 11a will therefore always run on one of the individual servers SRV-1-1 or SRV-1-2 of the first server cluster SC1, but never on the individual servers of the second server cluster SC2.
- The HIS slave process 11b will always run on one of the individual servers SRV-2-1 or SRV-2-2 of the second server cluster SC2, but never on the individual servers of the first server cluster SC1. This ensures that the HIS master process 11a and the HIS slave process 11b are always physically separated from one another. If the process results match, the matching result can be trusted.
- Likewise, the like processes 12a and 12b of the interlocking control software 12 are physically separated from one another, as are the like processes 13a and 13b of the train protection control software 13; where the process results match, the matching result can again be trusted.
- The other software applications 14, 15, 16, 17, or their processes, have no counterpart on the other server cluster SC1, SC2; they are executed only once, on one of the server clusters SC1, SC2. This is primarily intended for non-safety-related applications.
- Fig. 2 shows an embodiment of a server device (virtual cluster) 30 according to the invention with three server clusters SC1, SC2, SC3.
- The structure of the server device 30 with three server clusters SC1, SC2, SC3 largely corresponds to the two-cluster structure of Fig. 1, so that only the main differences are explained below.
- A criterion for approval of 2oo3 systems according to EN 50128 is that the individual processes run on different hardware. This is ensured by the server device 30 according to the invention (virtual cluster), which is based on three server clusters SC1, SC2, SC3 separated by physical boundaries 2.
- The interlocking application processes, for example, run embedded in virtual machines VM distributed over the three server clusters and thus never use the same processors or processor cores.
- The safety standard according to SIL4 can also be achieved with 2oo3 systems.
- The like processes 31a, 31b, 31c, or the associated parts of the operating software 31, are distributed among the three server clusters SC1, SC2, SC3, so that the processes 31a, 31b, 31c never run on the same processor or on the same hardware, and their process results therefore cannot be wrong in the same way due to a single hardware fault.
Description
The invention relates to a server device operating software for controlling a function of a rail-bound transport safety system, the software operating at least two processes physically separated from one another, whose results are compared with one another in order to control the function.
Rail-bound transport safety systems, in particular interlockings (signal boxes) and train protection systems, are increasingly automated by computers. The aim is to ensure a high degree of reliability, availability, maintainability and safety of persons (the so-called RAMS requirements: Reliability, Availability, Maintainability, Safety). While software errors (programming errors) can usually be uncovered and removed before commissioning by planning and running through suitable test scenarios, hardware errors (in particular the failure of individual components such as transistors) can in principle occur at any time during operation. Such hardware faults must be detected in time so that the rail-bound transport safety system does not endanger people (train drivers, passengers) and preferably also not valuable assets (locomotives, wagons) or cargo.
For safety-relevant applications in transport safety systems, multi-channel processing and checking of safety-relevant components is therefore usually carried out, cf. for example
In multi-channel processing, several like processes are operated in parallel, physically separated from one another, i.e. on different hardware, and the results are compared with one another. If the results agree, it can be assumed that the hardware involved is functioning correctly. A fault in one piece of the hardware involved leads to a divergence of the results, which can be recognised by comparing them. The application can then take suitable protective measures, e.g. set signals to "Halt" as a precaution.
Software for rail-bound transport safety systems is usually installed on dedicated individual devices, on which the physical separation of processes can be ensured well. For this purpose, the software and the device architecture are matched to one another.
On computers with so-called multi-core processors, a fixed assignment of individual processes to computing resources can be achieved by suitable programming. Under Linux, the use of so-called "cgroups" has proven itself for this purpose, cf. the English Wikipedia entry "cgroups" of 31 March 2016. Accordingly, processes whose results have to be compared can be assigned to different processor cores (so-called "core binding"), which ensures the physical separation of the processes.
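As an added illustration of core binding on a single host (example code, not code from the patent or its applicant), the following Python runs a master and a slave channel of the same computation on disjoint cores and compares the results. It uses the sched_setaffinity(2) system call (os.sched_setaffinity) rather than a cpuset cgroup, so it needs no root; the element names and the checksum standing in for the safety computation are constructed for the example.

```python
"""Core binding of two redundant channels on one Linux host.

Added example, not from the patent: a master and a slave channel of the same
computation are pinned to disjoint CPU cores with sched_setaffinity(2) and
their results compared. Where the kernel offers no affinity call (non-Linux),
the channels still run but are reported as not physically separated, so the
caller cannot mistake the comparison for a valid hardware check.
"""
import os
import threading
import zlib

# Constructed sample input: states of a few interlocking elements.
SAMPLE_ELEMENTS = {"S1": "Halt", "S2": "Go", "W7": "left", "T3": "occupied"}


def plan_core_binding(available):
    """Split the available cores into two disjoint, non-empty sets, one per channel.
    Raises if fewer than two cores are available: no physical separation is possible."""
    cores = sorted(available)
    if len(cores) < 2:
        raise RuntimeError("need at least two cores for physical separation")
    half = len(cores) // 2
    return frozenset(cores[:half]), frozenset(cores[half:])


def track_state_checksum(elements):
    """Stand-in for the safety computation (e.g. a track diagram): a CRC over the
    element states serialised in a fixed order, so both channels do identical work."""
    data = "".join(f"{name}={state};" for name, state in sorted(elements.items()))
    return zlib.crc32(data.encode("utf-8"))


def run_pinned(cores, func, arg):
    """Run func(arg) in a thread bound to `cores`.
    Returns (result, observed_affinity); observed_affinity is None if pinning is unsupported."""
    out = {}

    def body():
        observed = None
        if hasattr(os, "sched_setaffinity"):
            os.sched_setaffinity(0, cores)            # pid 0 = the calling thread (Linux)
            observed = frozenset(os.sched_getaffinity(0))
        out["affinity"] = observed
        out["result"] = func(arg)

    worker = threading.Thread(target=body)
    worker.start()
    worker.join()
    return out["result"], out["affinity"]


def two_channel_check(elements, available=None):
    """Compute the checksum on two channels bound to disjoint cores and compare.
    `physically_separated` is True only if both channels were actually pinned to
    disjoint core sets; a match without separation must not be trusted."""
    if available is None:
        if hasattr(os, "sched_getaffinity"):
            available = os.sched_getaffinity(0)        # cores this process may use
        else:
            available = range(os.cpu_count() or 1)
    try:
        master_cores, slave_cores = plan_core_binding(available)
    except RuntimeError:
        master_cores = slave_cores = None
    if master_cores is None:
        master, master_aff = track_state_checksum(elements), None
        slave, slave_aff = track_state_checksum(elements), None
    else:
        master, master_aff = run_pinned(master_cores, track_state_checksum, elements)
        slave, slave_aff = run_pinned(slave_cores, track_state_checksum, elements)
    separated = (master_aff is not None and slave_aff is not None
                 and not (master_aff & slave_aff))
    return {
        "master": master,
        "slave": slave,
        "results_match": master == slave,
        "physically_separated": separated,
        "trusted": master == slave and separated,
    }


if __name__ == "__main__":
    print(two_channel_check(SAMPLE_ELEMENTS))
```

Affinity set from inside the process is only as strong as the process itself: any code with the right to call sched_setaffinity on those threads, including the process's own, can undo it, and a single-core host silently defeats it (the `trusted` flag above is False in that case). A cpuset cgroup configured by the administrator enforces the split from outside, which is why the standard-oriented architecture in the text insists on the binding being fixed rather than chosen at run time.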
Virtualization of applications means that dedicated individual devices can be dispensed with in many cases, and software development and integration are simplified as well. The virtualization of a train control system has been proposed, for example, in WO 2015/126529 A1.
Through virtualization on a server cluster of several individual servers, it is also possible to migrate processes to another individual server if one individual server fails, and thus to improve the availability of an application.
When software is operated on a virtualized operating level of a server cluster, however, individual processes run by the software can no longer be assigned to specific computing resources; in particular, the individual processes are assigned to one of the individual computers essentially at random. There is then a (statistically relevant) risk that several processes whose results are to be compared with one another run on the same hardware, so that a hardware fault in this hardware produces the same miscalculations in these processes, and accordingly the hardware fault can no longer be found by comparing the results of the processes. In this case, operational safety in the rail-bound transport safety system is no longer guaranteed.
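The hazard in the paragraph above, and the remedy the patent claims (one channel per cluster, migration only within the cluster), can be made concrete with a small placement simulation. This is an added example, not code from the patent: the host names follow Fig. 1 (SRV-1-1 etc.), while the fault model (a faulty host corrupts every result in the same way) and the random placement are constructed assumptions.

```python
"""Placement of two compared channels on virtualized clusters.

Added example, not from the patent. Contrasts random placement of both channels
inside one HA cluster (they may land on the same faulty host and agree on the
same wrong result) with the patented layout: each channel is pinned to its own
cluster and migrates only inside it. Host names follow the figure; the fault
model and placements are constructed.
"""
import random

CLUSTERS = [["SRV-1-1", "SRV-1-2"], ["SRV-2-1", "SRV-2-2"]]
ALL_HOSTS = [host for cluster in CLUSTERS for host in cluster]


def compute(value, host, faulty_host):
    """Channel computation: the identity, except that a faulty host corrupts the
    result deterministically (a stuck bit gives the same wrong answer every time)."""
    return value ^ 0x01 if host == faulty_host else value


def fault_detected(value, hosts, faulty_host):
    """2oo2 comparison. Returns False only for the dangerous case: the two results
    agree although one of the hosts used is faulty (common-mode wrong result)."""
    results = [compute(value, h, faulty_host) for h in hosts]
    if results[0] != results[1]:
        return True                       # mismatch: fault exposed, application fails safe
    return faulty_host not in hosts       # equal results are only fine if no faulty host was involved


def place_single_cluster(rng, hosts=ALL_HOSTS, failed=()):
    """One virtualized HA cluster: each channel lands on any healthy host."""
    healthy = [h for h in hosts if h not in failed]
    return [rng.choice(healthy), rng.choice(healthy)]


def place_two_clusters(rng, clusters=CLUSTERS, failed=()):
    """Patent layout: channel i is confined to cluster i. Inside its cluster it may run
    on any healthy host (migration after a host failure), never outside it."""
    placement = []
    for cluster in clusters:
        healthy = [h for h in cluster if h not in failed]
        if not healthy:
            raise RuntimeError(f"all hosts of {cluster} failed; channel unavailable")
        placement.append(rng.choice(healthy))
    return placement


def placement_after_failure(failed, seed=0):
    """Placement under the patent layout after the given hosts have failed."""
    return place_two_clusters(random.Random(seed), failed=set(failed))


def undetected_fault_rate(placer, trials=10_000, seed=1):
    """Fraction of trials in which a single hardware fault on the first channel's host
    goes unnoticed by the 2oo2 comparison, for a given placement strategy."""
    rng = random.Random(seed)
    undetected = 0
    for _ in range(trials):
        hosts = placer(rng)
        if not fault_detected(0xA5, hosts, faulty_host=hosts[0]):
            undetected += 1
    return undetected / trials


if __name__ == "__main__":
    print("single cluster :", undetected_fault_rate(place_single_cluster))
    print("two clusters   :", undetected_fault_rate(place_two_clusters))
```

With four interchangeable hosts in one cluster the two channels share a host in about one placement in four, and in exactly those cases the fault is invisible to the comparison. With the channels confined to separate clusters the rate is zero by construction, and losing a host moves its channel to the sibling in the same cluster only; losing a whole cluster is an availability failure (the example raises), not a silent safety failure.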
The
The
The object of the invention is to provide a server device in which improved availability of a software application can be guaranteed while at the same time maintaining a high level of operational safety of train traffic.
This object is achieved by a server device of the type mentioned at the outset with the features of claim 1, which is characterised in that the software is operated on a virtual operating level of the server device,
that the server device comprises at least two physically separated server clusters,
wherein each of the server clusters of the server device comprises at least two individual servers, which allow processes to be migrated between them if one individual server fails,
wherein the at least two processes run on virtual machines,
and that the software comprises at least two parts that are installed on different ones of the at least two server clusters, so that the at least two processes are operated on different ones of the at least two server clusters.
Die Erfindung macht für eine Software-Anwendung zum einen die erhöhte Verfügbarkeit in Serverclustern zugänglich, stellt aber zum anderen sicher, dass Prozesse, deren Ergebnisse zur Wahrung der Betriebssicherheit miteinander verglichen werden müssen, physikalisch voneinander getrennt ablaufen. Dafür wird die Servereinrichtung, die zum Betrieb der Software verwendet wird, mit wenigstens zwei Serverclustern eingerichtet. Jeder der Servercluster der Servereinrichtung umfasst wenigstens zwei Einzelserver, die untereinander eine Migration von Prozessen bei Ausfall eines Einzelservers gestatten (High Availability Cluster). Dadurch wird eine hohe Verfügbarkeit (Betriebsbereitschaft) sichergestellt. Zum anderen wird die Software auf wenigstens zwei Teile aufgespalten, die auf die wenigstens zwei Servercluster verteilt werden. Jeweils ein Teil der Software, und damit einer der Prozesse, ist einem der Servercluster fest zugeordnet. Dadurch ist sichergestellt, dass die Prozesse, deren Ergebnisse miteinander verglichen werden sollen, auf verschiedenen Serverclustern und damit auf unterschiedlicher Hardware laufen. Diese physikalisch Trennung der Prozesse stellt sicher, dass ein einzelner Hardwarefehler, welcher ein falschen Ergebnis eines Prozesses bewirkt, durch Vergleich mit dem Ergebnis eines mit anderer (einwandfreier) Hardware berechneten, gleichartigen Prozesses aufgedeckt werden kann.On the one hand, the invention makes the increased availability in server clusters accessible to a software application, but on the other hand ensures that processes whose results have to be compared with one another in order to maintain operational security run physically separate from one another. For this purpose, the server device used to operate the software is set up with at least two server clusters. 
Each of the server clusters of the server device comprises at least two individual servers allow each other to migrate processes in the event of a single server failure (high availability cluster). This ensures high availability (operational readiness). On the other hand, the software is split into at least two parts, which are distributed among the at least two server clusters. Part of the software, and thus one of the processes, is permanently assigned to one of the server clusters. This ensures that the processes, the results of which are to be compared, run on different server clusters and thus on different hardware. This physical separation of the processes ensures that a single hardware fault, which causes a wrong result of a process, can be detected by comparison with the result of a similar process calculated with other (faultless) hardware.
The processes whose results are compared may be special check processes that run in addition to the control function of the software application (for example the calculation of check digits or checksums), or main processes that are themselves used for the control function (for example the calculation of a track diagram). The processes to be compared carry out the same arithmetic operations in the same order to arrive at their respective results (identical processes). Identical process results generally indicate that the server device is functioning correctly; differing process results generally indicate a fault.
One of the processes whose results are to be compared is, for example, a master process, and a second process is a slave process. If the result of the slave process deviates from the previously determined result of the master process, the status of the software application is set to "not safe" (unsafe), for example by the software part of the master process and/or the software part of the slave process and/or a further software part for the comparison process, and none of the process results is trusted any longer. In an interlocking application, all affected signals can then, for example, be set to "Halt" as a precaution.
By comparing the results of the processes, safe operation of the server device and the software application, and thus also of the controlled function of the rail-bound transport safety system, for example in an electronic interlocking, can be reliably ensured. Since the processes are strictly assigned to the individual server clusters, the physical separation of the checking mechanisms is ensured at all times. Physically separated here means that the computing processes are separated with respect to the hardware used.
Virtualization makes it possible to operate the software largely independently of the locally available hardware. In particular, individual components (such as individual servers within one of the server clusters) can easily be replaced.
In a preferred embodiment of the server device according to the invention, the software is an interlocking application. The architecture of the server device according to the invention makes it possible to guarantee the high safety level usually required for interlocking applications. The high availability is also advantageous for avoiding or minimizing delays in the operation of train traffic.
Particularly preferred is a development in which the software is an application for operating the user interface of a computer-controlled interlocking, in particular with functionality for connecting mobile operator terminals. For example, the software can be a HIS server application (HIS = human machine interface for interlocking systems), in particular with MPT and/or HHT proxy function (MPT = mobile possession terminal; HHT = hand-held terminal). The server architecture according to the invention has proven particularly useful for this application. The processes to be compared, or their results, can here be computed track diagrams that are displayed on operator terminals, in particular mobile operator terminals (such as tablet computers). Since the user may temporarily assume responsibility for releasing track sections, a high safety standard, which the invention can offer, should be available here.
Also preferred is an embodiment in which the software is a train protection application. The architecture of the server device according to the invention makes it possible to guarantee the high safety level that is also usually required for train protection applications. Train protection applications can include, for example, emergency braking systems for passing "Halt" signals.
Also advantageous is an embodiment in which the software is set up to Safety Integrity Level 2 (SIL2) or higher. The safety level SIL2 is sufficient for many applications of rail-based transport safety systems and is readily achievable with the server architecture according to the invention, while at the same time increased availability can be provided. The Safety Integrity Level (SIL) is defined according to EN 61508 (in particular EN 50128 and EN 50129) in the version valid on 4 April 2016. The software can be a HIS server application, for example.
Particularly advantageous is an embodiment in which the software is set up to Safety Integrity Level 4 (SIL4). The software then meets the highest safety requirements. The safety level SIL4 is likewise readily achievable with the server architecture according to the invention, while at the same time increased availability can be provided. The Safety Integrity Level (SIL) is defined according to EN 61508 (in particular EN 50128 and EN 50129) in the version valid on 4 April 2016. The software can be, for example, an application of a radio block centre (RBC = Radio Block Centre) or of an electronic interlocking (interlocking module), and furthermore an SCM application (SCM = safe communication module) or an FEC application (FEC = field element controller).
Also advantageous is an embodiment in which the software operates exactly two processes, physically separated from one another, on exactly two different server clusters. Setting up two server clusters for only two processes to be compared (in each checking operation) is comparatively simple, but considerably increases safety while maintaining high availability.
An alternative, advantageous embodiment provides that the server device comprises three physically separated server clusters, that the software comprises at least three parts installed on different ones of the server clusters, so that the software operates three processes on different ones of the three server clusters, and that the results of the processes are evaluated in a 2-out-of-3 decision for controlling the function of the rail-bound transport safety system. The 2-out-of-3 decision makes it possible to identify correct process results even if one piece of hardware fails (here, a fault on one of the server clusters), which further increases availability.
Also preferred is an embodiment in which the server device operates at least one further piece of software for controlling a further function of a rail-bound transport safety system, and in which the at least one further piece of software is installed and operated on only one of the server clusters. The respective further software is not broken down into different parts that would have to be installed on different server clusters; this considerably simplifies operating the further software. The further software is typically set up to SIL0. In this embodiment, one or more individual further software applications are typically installed and operated on each of the server clusters.
In a preferred development of this embodiment, the at least one further piece of software comprises one or more of the following software applications:
- timetable planning system, in particular Aramis-D;
- train number management and train routing system, in particular ARAMIS-C;
- data analysis and metrics system (business intelligence);
- train maintenance system (Maintenance Centre);
- train data acquisition and control system (Checkpoint Master Node);
- operating component acquisition and evaluation system (Service Management Tool).
In practice, these applications work well alongside the software distributed over different server clusters, in particular when that software is designed to operate the user interface of an interlocking, for example with a connection for mobile terminals.
Further advantages of the invention emerge from the description and the drawing. Likewise, the features mentioned above and those set out further below can be used according to the invention individually or in any combination. The embodiments shown and described are not to be understood as an exhaustive list, but rather are exemplary in character for describing the invention.
The invention is shown in the drawing and is explained in more detail with reference to exemplary embodiments. The figures show:
- Fig. 1
- a schematic overview of the structure of a first embodiment of a server device according to the invention, with two server clusters;
- Fig. 2
- a schematic overview of the structure of a second embodiment of a server device according to the invention, with three server clusters.
The present invention is based on distributing the processes of a software controller of a rail-bound transport safety system, running in a virtual operating layer, across different server clusters. The processes can thereby be migrated between the individual servers of their server cluster to ensure high availability if individual servers fail. The processes are identical, and their results are compared with one another for safety purposes. Distributing the processes across different server clusters ensures that the processes always run on different individual servers, so that single hardware faults lead to different process results, which can easily be detected in the course of safety checks.
The invention is described in more detail below using the example of the architecture of a HIS application, in particular with regard to the distribution of processes.
The HIS application (HIS = Human machine interface for Interlocking Systems) is a SIL2 (Safety Integrity Level 2) application, in particular developed and approved according to the standard CENELEC EN 50128. Its essential function is to serve as the user interface of an electronic interlocking (ESTW), and it can be designed in different variants for different markets or applications in order to take the respective particularities into account.
Common to all variants is the basic architecture in which a master process carries out calculations that ultimately lead to the so-called illumination (= visual representation on a screen) of the states of the interlocking elements. These calculations are carried out simultaneously by one or more slave processes (depending on the variant), and the results of the calculations are compared crosswise, i.e. both the master process and the slave process(es) each compare their own calculation result with that of the other(s). If the calculation results do not match, the overall system is put into a so-called "non-safe state", which no longer permits certain safety-relevant operating actions.
A special variant of the HIS application is the so-called HIS server, which essentially serves to supply connected operator terminals with the computed illuminations, i.e. the states of the interlocking elements.
To meet the SIL2 requirements of the EN 50128 standard, one feature of the HIS architecture is that the master process and a slave process must run on different (hardware) processors. With multi-core processors this can be achieved by firmly binding the processes to particular processor cores (core binding; processor affinity). This guarantees that a computing error in one processor (or processor core) can never lead to the same wrong result in both the master and the slave process (simultaneous double faults are excluded by the standard).
When porting the server applications to a common virtual operating layer (virtual platform), it can no longer simply be guaranteed that the master and slave processes do not run through the same computing error of one processor, because the assignment of virtual processor to physical processor (core) cannot readily be established and proven.
The inventors have recognised that several so-called server clusters can be formed from server computers (individual servers), which offer the advantages of a virtual operating layer (high availability, redundancy) while at the same time guaranteeing a physical separation of processes. With two server clusters of at least two server computers each, the master process can run on one server cluster and the slave process on the other. Although it cannot be predicted which processor (core) within a server cluster a process is currently using, it can be ruled out that the processes on the different server clusters will ever use the same processor (core).
The feature of the HIS architecture described above can thus be realised even when the HIS application is deployed on a virtual operating layer.
In
The server device 1 here comprises a first server cluster SC1 and a second server cluster SC2, which are set up spatially separated from one another, which in
In the first server cluster SC1, at least two server computers (individual servers) SRV-1-1, SRV-1-2 are combined into a cluster. In the second server cluster SC2, at least two server computers (individual servers) SRV-2-1, SRV-2-2 are likewise combined into a cluster.
Various virtual machines VM run in a server cluster SC1, SC2, and in turn a wide variety of applications, or their processes, run in those virtual machines. These can be applications whose processes are distributed across the individual server clusters and only yield a common functionality through their interaction, as well as applications that run individually on one server cluster and provide a functionality independently of the other processes and applications. Examples of applications and processes of the virtual machines VM are:
- HIS Master 11a (process of the HIS application)
- HIS Slave 11b (process of the HIS application)
- Interlocking control process-1 12a (process of the interlocking control application) (Interlocking-Control Process-1 = IL-Ctrl Proc-1)
- Interlocking control process-2 12b (process of the interlocking control application) (Interlocking-Control Process-2 = IL-Ctrl Proc-2)
- Train protection control process-1 13a (process of the train protection control application) (Train Control-Control Process-1 = TC-Ctrl Proc-1)
- Train protection control process-2 13b (process of the train protection control application) (Train Control-Control Process-2 = TC-Ctrl Proc-2)
- User interface A 14 (Human Machine Interface A = HMI A)
- Application B 15 (Application B = App B)
- User interface C 16 (Human Machine Interface C = HMI C)
- Application D 17 (Application D = App D).
The server device 1 has a common cluster control 18 and a common storage control 19 for both server clusters SC1, SC2. Each server cluster SC1, SC2 has its own high-availability control (HA control) 20a, 20b, with which processes of the applications can be moved between the individual computers SRV-1-1, SRV-1-2 or SRV-2-1, SRV-2-2 within the respective server cluster SC1 or SC2, in particular if a defect occurs in one of the individual computers. Furthermore, each server cluster SC1, SC2 has its own storage (Storage Vol 1, Storage Vol 2) 21a, 21b, which can be used by the individual servers of the respective cluster SC1, SC2.
In the exemplary embodiment shown, the HIS server software 11 is split into two parts: the HIS master process 11a is implemented on the first server cluster SC1, and the HIS slave process 11b (identical to the HIS master process 11a) is implemented on the second server cluster SC2. The HIS master process 11a will therefore always run on one of the individual servers SRV-1-1 or SRV-1-2 of the first server cluster SC1, but never on the individual servers of the second server cluster SC2. Conversely, the HIS slave process 11b will always run on one of the individual servers SRV-2-1 or SRV-2-2 of the second server cluster SC2, but never on the individual servers of the first server cluster SC1. This ensures that the HIS master process 11a and the HIS slave process 11b are always physically separated from one another. If the process results match, the matching process result can be trusted.
Likewise, the identical processes 12a and 12b of the interlocking control software 12 are physically separated from one another here, and the identical processes 13a and 13b of the train protection control software 13 are physically separated from one another; if the process results match, the matching result can again be trusted in each case. The further software applications 14, 15, 16, 17, or their processes, have no identical counterpart on the respective other server cluster SC1, SC2 here, and are thus executed only once, on one of the server clusters SC1, SC2. This is intended above all for applications that are not safety-relevant.
In
Applications that follow the so-called 2-out-of-3 principle (2oo3) can run on the server device 30 with three server clusters SC1, SC2, SC3. In these applications, three identical processes carry out the same computation algorithms and each arrive at a computation result. These results are compared against one another by a comparator. If at least two of the three results match, that matching result is regarded as correct. If the comparator finds three different results, the system is marked as "not safe". The interlocking application and the train protection application, for example, work according to this principle.
For 2oo3 systems, one criterion for approval according to the EN 50128 standard is that the individual processes run on different hardware. This can be ensured by the server device 30 according to the invention (virtual cluster), which is based on three server clusters SC1, SC2, SC3 separated by physical boundaries 2. Embedded in one virtual machine VM each, the processes of the interlocking application, for example, run distributed across the three server clusters and thus never use the same processors or processor cores. The SIL4 safety standard can also be achieved with 2oo3 systems.
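The two comparison schemes the description relies on, the master/slave cross-comparison of the HIS application and the 2oo3 decision above, as an added example that is not part of the patent: a comparator that first checks the placement rule (each compared result must come from a different server cluster) and then votes. Process and cluster names follow the page; the result payloads and the `ProcessResult` record are constructed for the example.

```python
"""Result voting for replicated safety processes (constructed example, not
code from the patent). Shows why a single faulty cluster takes a 2oo2
master/slave pair into the unsafe state but leaves a 2oo3 system operable."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class SystemState(Enum):
    SAFE = "safe"      # results agree; the agreed result may be trusted
    UNSAFE = "unsafe"  # mismatch; no result is trusted any longer


@dataclass(frozen=True)
class ProcessResult:
    process_id: str  # e.g. "HIS-Master 11a" (name taken from the page)
    cluster: str     # server cluster that ran the process, e.g. "SC1"
    value: bytes     # computed result, e.g. a serialised track diagram


class PlacementError(RuntimeError):
    """Results to be compared were produced on the same server cluster."""


def physically_separated(results: Sequence[ProcessResult]) -> bool:
    """True when every result comes from a distinct cluster, so no single
    hardware fault can have corrupted two of them in the same way."""
    clusters = [r.cluster for r in results]
    return len(set(clusters)) == len(clusters)


def vote_2oo2(master: ProcessResult,
              slave: ProcessResult) -> Tuple[SystemState, Optional[bytes]]:
    """Master/slave comparison: any deviation puts the application into the
    unsafe state and discards both results. Each side runs this symmetric
    check against the other's result (the page's crosswise comparison)."""
    if not physically_separated([master, slave]):
        raise PlacementError(f"{master.process_id} and {slave.process_id} "
                             f"both ran on cluster {master.cluster}")
    if master.value == slave.value:
        return SystemState.SAFE, master.value
    return SystemState.UNSAFE, None


def vote_2oo3(results: Sequence[ProcessResult]
              ) -> Tuple[SystemState, Optional[bytes], List[str]]:
    """2-out-of-3 decision: a value shared by at least two results is taken
    as correct and the dissenting process is reported so the faulty cluster
    can be dealt with; three different values mark the system unsafe."""
    if len(results) != 3:
        raise ValueError("2oo3 voting needs exactly three results")
    if not physically_separated(results):
        raise PlacementError("2oo3 results must come from three clusters")
    value, count = Counter(r.value for r in results).most_common(1)[0]
    if count >= 2:
        dissenting = [r.process_id for r in results if r.value != value]
        return SystemState.SAFE, value, dissenting
    return SystemState.UNSAFE, None, [r.process_id for r in results]


if __name__ == "__main__":
    # Constructed scenario: one hardware fault on SC2 corrupts its result.
    good, bad = b"track-diagram-v7", b"track-diagram-v7-CORRUPT"
    master = ProcessResult("HIS-Master 11a", "SC1", good)
    slave = ProcessResult("HIS-Slave 11b", "SC2", bad)
    print("2oo2:", vote_2oo2(master, slave))  # unsafe, nothing trusted
    il = [ProcessResult("IL Proc-1", "SC1", good),
          ProcessResult("IL Proc-2", "SC2", bad),
          ProcessResult("IL Proc-3", "SC3", good)]
    print("2oo3:", vote_2oo3(il))  # still safe, IL Proc-2 reported
    try:  # placement violation: two results from the same cluster
        vote_2oo2(master, ProcessResult("HIS-Slave 11b", "SC1", good))
    except PlacementError as exc:
        print("placement rejected:", exc)
```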
Typical applications of 2oo3 systems, and their processes, are:
- Operating process-1 31a (process of the user interface) (Operation Control Process-1 = OC Proc-1)
- Operating process-2 31b (process of the user interface) (Operation Control Process-2 = OC Proc-2)
- Operating process-3 31c (process of the user interface) (Operation Control Process-3 = OC Proc-3)
- Interlocking process-1 32a (process of the interlocking application) (Interlocking Process-1 = IL Proc-1)
- Interlocking process-2 32b (process of the interlocking application) (Interlocking Process-2 = IL Proc-2)
- Interlocking process-3 32c (process of the interlocking application) (Interlocking Process-3 = IL Proc-3)
- Train protection process-1 33a (process of the train protection application) (Train Control Process-1 = TC Proc-1)
- Train protection process-2 33b (process of the train protection application) (Train Control Process-2 = TC Proc-2)
- Train protection process-3 33c (process of the train protection application) (Train Control Process-3 = TC Proc-3)
In the present case, the similar processes 31a, 31b, 31c, or the associated parts of the operating software 31, are distributed across the three server clusters SC1, SC2, SC3, so that the processes 31a, 31b, 31c never run on the same processor or the same hardware, and their process results therefore cannot be corrupted in the same way by a single hardware fault. The same applies to the processes 32a, 32b, 32c of the interlocking software 32 and to the processes 33a, 33b, 33c of the train protection software 33. In a virtual cluster or server device 30 with three server clusters SC1, SC2, SC3, further individual applications or further processes that are independent of the 2oo3 systems can also run, here the further software applications HMI A 34, App B 35, HMI C 36, App D 37, HMI E 38, App F 39.
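The 2oo2 and 2oo3 comparison described above, combined with the hardware-diversity criterion (each replica on a different server cluster, and migration only between the individual servers of one cluster), as an added Python example; it is not code from the patent or from any product it describes. The cluster/server topology, the process names (IL Proc-1 to IL Proc-3), the byte-string result values and the VoteOutcome structure are constructed for illustration, and the voter is written for the general k-out-of-n case of which 2oo2 and 2oo3 are instances.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed topology mirroring the reference signs of the description (assumption:
# two individual servers per physically separate cluster, as in the claims).
TOPOLOGY = {
    "SC1": frozenset({"SRV-1-1", "SRV-1-2"}),
    "SC2": frozenset({"SRV-2-1", "SRV-2-2"}),
    "SC3": frozenset({"SRV-3-1", "SRV-3-2"}),
}


def cluster_of(server: str) -> str:
    """Map an individual server to the physically separate cluster it belongs to."""
    for cluster, servers in TOPOLOGY.items():
        if server in servers:
            return cluster
    raise ValueError(f"unknown server {server!r}")


@dataclass(frozen=True)
class ProcessResult:
    process_id: str  # e.g. "IL Proc-1"
    server: str      # individual server hosting the process's VM, e.g. "SRV-1-1"
    value: bytes     # the process's computation result (constructed sample data)


@dataclass(frozen=True)
class VoteOutcome:
    safe: bool
    value: Optional[bytes]
    reason: str
    dissenting: tuple = ()  # ids of processes whose result was outvoted


def placement_ok(results: Iterable[ProcessResult]) -> bool:
    """Hardware-diversity check: every replica must sit on a different cluster, so that
    a single hardware fault cannot corrupt several replicas in the same way."""
    clusters = [cluster_of(r.server) for r in results]
    return len(set(clusters)) == len(clusters)


def vote(results: Iterable[ProcessResult], required: int) -> VoteOutcome:
    """k-out-of-n comparator: a value is accepted only if at least `required` replicas
    agree on it AND the replicas are placed on distinct clusters.
    2oo2: two results, required=2.  2oo3: three results, required=2."""
    results = list(results)
    n = len(results)
    if not 2 <= required <= n:
        raise ValueError("required agreeing replicas must be between 2 and n")
    if not placement_ok(results):
        # Agreement is meaningless if the replicas could share a hardware fault.
        return VoteOutcome(False, None, "replicas share a server cluster")
    counts = Counter(r.value for r in results)
    value, agree = counts.most_common(1)[0]
    if agree < required:
        return VoteOutcome(False, None, f"only {agree} of {n} results agree, {required} required")
    dissenting = tuple(r.process_id for r in results if r.value != value)
    return VoteOutcome(True, value, f"{agree} of {n} results agree", dissenting)


def demo() -> dict:
    """Constructed scenarios for the interlocking processes IL Proc-1..3."""
    ok = b"route-set:signal-12:clear"   # constructed sample result
    bad = b"route-set:signal-12:stop"   # constructed deviating result

    def il(i: int, server: str, value: bytes) -> ProcessResult:
        return ProcessResult(f"IL Proc-{i}", server, value)

    return {
        "2oo3_all_agree": vote([il(1, "SRV-1-1", ok), il(2, "SRV-2-1", ok), il(3, "SRV-3-1", ok)], 2),
        "2oo3_one_deviates": vote([il(1, "SRV-1-1", ok), il(2, "SRV-2-1", ok), il(3, "SRV-3-1", bad)], 2),
        "2oo3_all_differ": vote([il(1, "SRV-1-1", ok), il(2, "SRV-2-1", bad), il(3, "SRV-3-1", b"?")], 2),
        "2oo2_disagree": vote([il(1, "SRV-1-1", ok), il(2, "SRV-2-1", bad)], 2),
        # Migration within SC1 (SRV-1-1 -> SRV-1-2) keeps the replicas on distinct clusters.
        "2oo3_after_intra_cluster_migration": vote([il(1, "SRV-1-2", ok), il(2, "SRV-2-1", ok), il(3, "SRV-3-1", ok)], 2),
        # Two replicas landing on SC2 defeats hardware diversity even though the values agree.
        "2oo3_placement_violation": vote([il(1, "SRV-2-2", ok), il(2, "SRV-2-1", ok), il(3, "SRV-3-1", ok)], 2),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'safe' if outcome.safe else 'NOT SAFE'} ({outcome.reason})")
```

The placement check runs before the value comparison on purpose: the comparator can only vouch for a result when the agreeing replicas could not have been hit by the same hardware fault, which is exactly why the description keeps the 2oo3 replicas on three clusters and allows failover only between the individual servers inside one cluster.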
- 1 server device
- 2 physical boundary
- 11a, 11b similar processes
- 11 software (HIS server)
- 12a, 12b similar processes
- 12 software (interlocking control)
- 13a, 13b similar processes
- 13 software (train protection control)
- 14-17 further software
- 18 cluster control
- 19 storage control
- 20a-20c high availability control
- 21a-21c storage
- 30 server device
- 31a-31c similar processes
- 31 software (operation)
- 32a-32c similar processes
- 32 software (interlocking)
- 33a-33c similar processes
- 33 software (train protection)
- 34-39 further software
- SC1-SC3 server cluster
- SRV-1-1 server computer (individual server)
- SRV-1-2 server computer (individual server)
- SRV-2-1 server computer (individual server)
- SRV-2-2 server computer (individual server)
- SRV-3-1 server computer (individual server)
- SRV-3-2 server computer (individual server)
Claims (10)
1. A server device (1; 30) operating a piece of software for controlling a function of a rail transport safety system,
wherein the software (11, 12, 13; 31, 32, 33) operates at least two processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) physically separated from one another, the results of which are compared to one another in order to perform control of the function,
characterized in that
the software (11, 12, 13; 31, 32, 33) is operated on a virtual operating platform of the server device (1; 30),
in that the server device (1; 30) comprises at least two physically separate server clusters (SC1, SC2, SC3),
wherein each of the server clusters (SC1, SC2, SC3) of the server device (1; 30) comprises at least two individual servers (SRV-1-1, SRV-1-2, SRV-2-1, SRV-2-2, SRV-3-1, SRV-3-2) which between them allow for a migration of processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) in the event that an individual server (SRV-1-1, SRV-1-2, SRV-2-1, SRV-2-2, SRV-3-1, SRV-3-2) fails,
wherein the at least two processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) run on virtual machines (VM),
and in that the software (11, 12, 13; 31, 32, 33) comprises at least two parts that are installed on different server clusters of the at least two server clusters (SC1, SC2, SC3), so that the at least two processes (11a-11b; 12a-12b; 13a-13b; 31a-31c; 32a-32c; 33a-33c) are operated on different server clusters of the at least two server clusters (SC1, SC2, SC3).
2. The server device (1; 30) as claimed in claim 1, characterized in that the software (11, 12, 13; 31, 32, 33) is an interlocking application.
3. The server device (1; 30) as claimed in claim 2, characterized in that the software (11, 12, 13; 31, 32, 33) is an application for the operation of the user interface of a computer-aided interlocking, in particular with a functionality for linking in mobile operating terminals.
4. The server device (1; 30) as claimed in claim 1, characterized in that the software (11, 12, 13; 31, 32, 33) is a train protection application.
5. The server device (1; 30) as claimed in one of the preceding claims, characterized in that the software (11, 12, 13; 31, 32, 33) is configured according to safety integrity level 2 (SIL2) or higher.
6. The server device (1; 30) as claimed in one of the preceding claims, characterized in that the software (11, 12, 13; 31, 32, 33) is configured according to safety integrity level 4 (SIL4).
7. The server device (1; 30) as claimed in one of claims 1 to 6, characterized in that the software (11, 12, 13) operates precisely two processes (11a-11b; 12a-12b; 13a-13b), physically separated from one another, on precisely two different server clusters (SC1, SC2).
8. The server device (1; 30) as claimed in one of claims 1 to 7, characterized in that the server device (30) comprises three server clusters (SC1, SC2, SC3) physically separated from one another, that the software (31, 32, 33) comprises at least three parts which are installed on different server clusters of the server clusters (SC1, SC2, SC3), so that the software (31, 32, 33) operates three processes (31a-31c; 32a-32c; 33a-33c) on different server clusters of the three server clusters (SC1, SC2, SC3), and that the results of the processes (31a-31c; 32a-32c; 33a-33c) are evaluated in the context of a 2-out-of-3 decision for the control of the function of the rail transport safety system.
9. The server device (1; 30) as claimed in one of the preceding claims, characterized in that the server device (1; 30) operates at least one further software (14-17; 34-39) for controlling a further function of a rail transport safety system,
and that the at least one further software (14-17; 34-39) is installed and operated on only one of the server clusters (SC1, SC2, SC3).
10. The server device (1; 30) as claimed in claim 9, characterized in that the at least one further software (14-17; 34-39) comprises one or a plurality of the following software applications:
- schedule planning system, in particular Aramis-D;
- train number management and train routing system, in particular ARAMIS-C;
- data analysis and metric system (business intelligence);
- train servicing system (maintenance center);
- train data acquisition and control system (checkpoint master node);
- operating component acquisition and evaluation system (service management tool).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PL17720733T PL3448735T3 (en) | 2016-04-25 | 2017-04-24 | Server device operating a piece of software for controlling a function of a rail transport safety system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102016206988.8A DE102016206988A1 (en) | 2016-04-25 | 2016-04-25 | Server device operating software for controlling a function of a rail-bound transport security system |
PCT/EP2017/059631 WO2017186629A1 (en) | 2016-04-25 | 2017-04-24 | Server device operating a piece of software for controlling a function of a rail transport safety system |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3448735A1 EP3448735A1 (en) | 2019-03-06 |
EP3448735B1 true EP3448735B1 (en) | 2020-04-29 |
Family
ID=58664667
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP17720733.9A Active EP3448735B1 (en) | 2016-04-25 | 2017-04-24 | Server device operating a piece of software for controlling a function of a rail transport safety system |
Country Status (8)
Country | Link |
---|---|
EP (1) | EP3448735B1 (en) |
DE (1) | DE102016206988A1 (en) |
DK (1) | DK3448735T3 (en) |
ES (1) | ES2795015T3 (en) |
PL (1) | PL3448735T3 (en) |
PT (1) | PT3448735T (en) |
SA (1) | SA518400293B1 (en) |
WO (1) | WO2017186629A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023020807A1 (en) * | 2021-08-18 | 2023-02-23 | Siemens Mobility GmbH | Automatically detecting and correcting memory errors in a secure multi-channel computer |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109783103B (en) * | 2019-03-19 | 2021-04-16 | 北京邮电大学 | Method and device for realizing human-computer interface of rail transit train control system |
EP4028301A4 (en) | 2019-09-12 | 2023-11-08 | Thales Canada Inc. | Over-speed protection device |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6243825B1 (en) * | 1998-04-17 | 2001-06-05 | Microsoft Corporation | Method and system for transparently failing over a computer name in a server cluster |
DE19942981A1 (en) * | 1999-09-09 | 2001-03-22 | Alcatel Sa | Program module and method for increasing the security of a software-controlled system |
US6944785B2 (en) * | 2001-07-23 | 2005-09-13 | Network Appliance, Inc. | High-availability cluster virtual server system |
EP2884392B1 (en) * | 2013-12-13 | 2018-08-15 | Thales | Triple software redundancy fault tolerant framework architecture |
US9718487B2 (en) | 2014-02-18 | 2017-08-01 | Nabil N. Ghaly | Method and apparatus for a train control system |
2016
- 2016-04-25 DE DE102016206988.8A patent/DE102016206988A1/en not_active Withdrawn
2017
- 2017-04-24 PT PT177207339T patent/PT3448735T/en unknown
- 2017-04-24 DK DK17720733.9T patent/DK3448735T3/en active
- 2017-04-24 PL PL17720733T patent/PL3448735T3/en unknown
- 2017-04-24 ES ES17720733T patent/ES2795015T3/en active Active
- 2017-04-24 EP EP17720733.9A patent/EP3448735B1/en active Active
- 2017-04-24 WO PCT/EP2017/059631 patent/WO2017186629A1/en active Application Filing
2018
- 2018-10-23 SA SA518400293A patent/SA518400293B1/en unknown
Non-Patent Citations (1)
Title |
---|
None * |
Also Published As
Publication number | Publication date |
---|---|
DE102016206988A1 (en) | 2017-10-26 |
WO2017186629A1 (en) | 2017-11-02 |
EP3448735A1 (en) | 2019-03-06 |
PT3448735T (en) | 2020-07-07 |
PL3448735T3 (en) | 2020-11-02 |
DK3448735T3 (en) | 2020-06-22 |
SA518400293B1 (en) | 2021-10-21 |
ES2795015T3 (en) | 2020-11-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102009054157B3 (en) | Control system for controlling safety-critical and non-safety-critical processes | |
EP2445771B1 (en) | Method to create an electronic interlocking for replacing an existing interlocking | |
EP1860564A1 (en) | Method and device for exchanging data based on the OPC communication protocol between the redundant components of a process control system | |
EP3448735B1 (en) | Server device operating a piece of software for controlling a function of a rail transport safety system | |
DE102017109886A1 (en) | Control system for controlling safety-critical and non-safety-critical processes with master-slave functionality | |
DE102018118243A1 (en) | Techniques for providing a secure control parameter for multi-channel control of a machine | |
DE102006012042A1 (en) | Control device e.g. personal computer, for e.g. joint robot, has two channels for processing independent codes with mutual safety monitoring, and main storage provided for accessing two processor cores of multi-processor core | |
EP3201774B1 (en) | Distributed real-time computer system and time-controlled distribution unit | |
DE10053023C1 (en) | Method for controlling a safety-critical railway operating process and device for carrying out this method | |
DE102005023296B4 (en) | Train Control System | |
EP2279480B1 (en) | Method and system for monitoring a security-related system | |
DE102013223101A1 (en) | Railway crossing safety system | |
EP0473834B1 (en) | Electronic interlocking control system, set up according to the local processor control principle | |
EP2864845B1 (en) | Automated reconfiguration of a discrete event control loop | |
EP3565752B1 (en) | Switchover between element controllers in railway operation | |
DE102016205119A1 (en) | System for controlling signal boxes in rail traffic | |
WO2016142159A1 (en) | Safety-relevant computer system | |
EP4160845B1 (en) | System for controlled starting and operating of a redundant energy bus | |
CH654260A5 (en) | Computer-controlled signal box | |
DE202005016151U1 (en) | Equipment is for remote control of relay positioning device and uses highly accessible diverse controls | |
WO2011113405A1 (en) | Controller arrangement | |
DE19531923B4 (en) | Device for realizing safe-life functions | |
EP3172671B1 (en) | Method for parallel processing of data in a computer system comprising a plurality of computer units and computer system comprising a plurality of computer units | |
DE102006029851A1 (en) | Security-relevant drive element manipulating method for nuclear power plant, involves determining whether both security-relevant and new dual inputs are matched and/or whether desired condition of drive element is occupied by element | |
EP4037126A1 (en) | System for the controlled rapid start and operation of a redundantly designed power bus for fail-safe supply of an electrical consumer |
Legal Events
Code | Title | Description |
---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: UNKNOWN |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
17P | Request for examination filed | Effective date: 20181126 |
AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
AX | Request for extension of the european patent | Extension state: BA ME |
DAV | Request for validation of the european patent (deleted) | |
DAX | Request for extension of the european patent (deleted) | |
GRAP | Despatch of communication of intention to grant a patent | Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: GRANT OF PATENT IS INTENDED |
INTG | Intention to grant announced | Effective date: 20191212 |
GRAS | Grant fee paid | Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
GRAA | (expected) grant | Free format text: ORIGINAL CODE: 0009210 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
AK | Designated contracting states | Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
REG | Reference to a national code | Ref country code: GB Ref legal event code: FG4D Free format text: NOT ENGLISH |
REG | Reference to a national code | Ref country code: CH Ref legal event code: EP |
REG | Reference to a national code | Ref country code: DE Ref legal event code: R096 Ref document number: 502017005029 Country of ref document: DE |
REG | Reference to a national code | Ref country code: AT Ref legal event code: REF Ref document number: 1262873 Country of ref document: AT Kind code of ref document: T Effective date: 20200515 |
REG | Reference to a national code | Ref country code: IE Ref legal event code: FG4D Free format text: LANGUAGE OF EP DOCUMENT: GERMAN |
REG | Reference to a national code | Ref country code: CH Ref legal event code: NV Representative's name: RIEDERER HASLER AND PARTNER PATENTANWAELTE AG, CH |
REG | Reference to a national code | Ref country code: DK Ref legal event code: T3 Effective date: 20200617 |
REG | Reference to a national code | Ref country code: PT Ref legal event code: SC4A Ref document number: 3448735 Country of ref document: PT Date of ref document: 20200707 Kind code of ref document: T Free format text: AVAILABILITY OF NATIONAL TRANSLATION Effective date: 20200630 |
REG | Reference to a national code | Ref country code: NO Ref legal event code: T2 Effective date: 20200429 |
REG | Reference to a national code | Ref country code: NL Ref legal event code: MP Effective date: 20200429 |
REG | Reference to a national code | Ref country code: LT Ref legal event code: MG4D |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200829; Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200730 |
REG | Reference to a national code | Ref country code: ES Ref legal event code: FG2A Ref document number: 2795015 Country of ref document: ES Kind code of ref document: T3 Effective date: 20201120 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200729; Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429; Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
REG | Reference to a national code | Ref country code: DE Ref legal event code: R097 Ref document number: 502017005029 Country of ref document: DE |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
PLBE | No opposition filed within time limit | Free format text: ORIGINAL CODE: 0009261 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
26N | No opposition filed | Effective date: 20210201 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20210424 |
REG | Reference to a national code | Ref country code: BE Ref legal event code: MM Effective date: 20210430 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20210424 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20210430 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO Effective date: 20170424 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: GB Payment date: 20240314 Year of fee payment: 8 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: PL Payment date: 20240326 Year of fee payment: 8; Ref country code: IT Payment date: 20240326 Year of fee payment: 8; Ref country code: FR Payment date: 20240321 Year of fee payment: 8 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: DE Payment date: 20240319 Year of fee payment: 8 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: DK Payment date: 20240411 Year of fee payment: 8 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: CH Payment date: 20240501 Year of fee payment: 8 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: ES Payment date: 20240509 Year of fee payment: 8 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: AT Payment date: 20240326 Year of fee payment: 8 |
P01 | Opt-out of the competence of the unified patent court (upc) registered | Free format text: CASE NUMBER: APP_35446/2024 Effective date: 20240613 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: RO Payment date: 20240412 Year of fee payment: 8; Ref country code: NO Payment date: 20240409 Year of fee payment: 8 |
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: PT Payment date: 20240415 Year of fee payment: 8 |
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] | Ref country code: MT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200429 |