Braking interface, braking system, and braking method suitable for heavy-haul freight train
By improving the braking interface and system, and using normally open relays and audible and visual alarm devices, the problem of unexpected emergency braking caused by main control computer failure or power failure in heavy-haul freight trains has been solved, ensuring safety and compliance with the railway signal failure-safe principle, and reducing the driver's workload.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- CASCO SIGNAL LTD
- Filing Date
- 2025-10-23
- Publication Date
- 2026-06-25
AI Technical Summary
When existing ATP braking interfaces and control methods are used on heavy-haul freight trains, a failure of the main control computer or loss of external power may lead to unexpected emergency braking commands, causing safety hazards such as broken coupling or derailment.
An improved braking interface and system are adopted, using two normally open relays to control the opening or closing of dry contacts, combined with an audible and visual alarm device, to ensure that no emergency braking command is output in the event of a main control computer failure or power loss. At the same time, the system safety is improved through minimum equipment list self-test and redundancy design.
It effectively prevents the output of unexpected emergency braking commands, ensures that the ATP train automatic protection function complies with safety principles, reduces the driver's operating difficulty and labor intensity, and improves the safety and reliability of the system.
Smart Images

Figure CN2025129466_25062026_PF_FP_ABST
Abstract
Description
Braking interfaces, braking systems and braking methods suitable for heavy-haul freight trains Technical Field
[0001] This invention relates to the field of vehicle-mounted safety protection equipment, and in particular to a braking interface, braking system and braking method suitable for heavy-duty freight trains. Background Technology
[0002] ATP (Automatic Train Protection) is an onboard safety protection device used on high-speed and conventional passenger railways in my country. However, if the existing ATP braking interface and control method are used on heavy-haul freight trains, during normal train operation, if the ATP experiences a hardware failure or loses external power, the ATP will output an unexpected emergency braking command to the locomotive. This unexpected emergency braking command may cause the heavy-haul freight train to break its coupling or even derail, posing a safety hazard to its operation.
[0003] The statements herein provide only background information in relation to this invention and do not necessarily constitute prior art.
[0004] Disclosure of the invention
[0005] The purpose of this invention is to provide a braking interface, braking system and braking method suitable for heavy-haul freight trains, which solves the safety hazard of the main control computer outputting unexpected emergency braking commands to normally operating heavy-haul freight trains due to failure or loss of external power.
[0006] To achieve the above objectives, the present invention provides a braking interface suitable for heavy-haul freight trains, which is connected to the main control computer and the locomotive braking system, and includes:
[0007] The first relay has its coil connected to the main control computer, and its front contact is connected in parallel to the dry contact of the locomotive braking system.
[0008] The second relay has its coil connected to the main control computer, and its front contact is connected in parallel to the dry contact of the locomotive braking system.
[0009] The present invention also provides a braking system suitable for heavy-haul freight trains, comprising:
[0010] The aforementioned braking interface;
[0011] A master control computer, which is connected to the coil of the first relay and the coil of the second relay.
[0012] The braking system includes: an alarm device connected to the main control computer;
[0013] The alarm device includes a third relay and an audible and visual alarm device. The coil of the third relay is connected to the main control computer, and the rear contact of the third relay is connected in series in the power supply circuit of the audible and visual alarm device. The audible and visual alarm device is connected to an independent power supply on the locomotive.
[0014] The main control computer includes: at least two logic processing units, at least two bus transmission units, and at least two output control units;
[0015] Each of the logic processing units is connected to each of the bus transmission units, each of the bus transmission units is connected to each of the output control units, and each of the output control units is connected to the coil of the first relay, the coil of the second relay, and the coil of the third relay.
[0016] The present invention also provides a braking method suitable for heavy-haul freight trains, comprising:
[0017] When the main control computer determines that an emergency braking command needs to be output, it supplies power to the coils of the first and second relays, causing the front contacts of the first and second relays to close and the dry contacts to conduct, thus outputting an emergency braking command to the locomotive, and the locomotive performs the braking operation.
[0018] When the main control computer determines that there is no need to output an emergency braking command, it cuts off the power supply to the coils of the first and second relays, causing the front contacts of the first and second relays to open, and the dry contacts to open accordingly.
[0019] If the main control computer malfunctions or loses external power, it stops supplying power to the coils of the first and second relays, causing the front contacts of the first and second relays to disconnect, and the dry contacts to disconnect as well, ensuring that no emergency braking command is automatically output to the locomotive.
[0020] During normal operation of the main control computer, power is continuously supplied to the coil of the third relay, causing the rear contact of the third relay to disconnect, thus disconnecting the power supply circuit of the audible and visual alarm device and rendering the audible and visual alarm device inoperable.
[0021] If the main control computer malfunctions or loses external power, the main control computer stops supplying power to the coil of the third relay. The coil of the third relay is de-energized, causing the rear contact of the third relay to close. This closes the power supply circuit of the audible and visual alarm device, which then sends an audible and visual alarm message to the driver.
[0022] Before being put into operation, the main control computer performs an automatic check of the minimum equipment list: the main control computer performs self-tests on all logic processing units, bus transmission units and output control units. The main control computer is allowed to be put into operation only when at least two logic processing units, at least two bus transmission units and at least two output control units pass the self-test.
[0023] This invention uses the front contacts (normally open contacts) of two relays to control the opening or closing of the dry contacts. When the main control computer malfunctions or loses external power, the relays lose power, causing the front contacts to open, and the dry contacts to open accordingly. This prevents the output of unexpected emergency braking commands to the train, thus solving the safety hazard of the main control computer outputting unexpected emergency braking commands to normally operating heavy-haul freight trains due to malfunctions or loss of external power.
[0024] To address hardware failures in the main control computer, an indirect method is employed to prevent dangerous consequences. By performing an automatic minimum equipment list check on the main control computer, it is ensured that all components related to emergency braking output are in redundant working condition during operation. This prevents any component failure from causing the ATP (Automatic Train Protection) system to malfunction and fail to output emergency braking commands to the locomotive.
[0025] In the event of a loss of external power to the main control computer or an ATP shutdown, a method to directly prevent dangerous consequences of the fault is still adopted. By using the third relay to be constantly energized, an audible and visual alarm is automatically sent to the driver, informing the driver to take over the operation of the train and brake to a stop.
[0026] This invention combines methods that indirectly prevent dangerous consequences of malfunctions with methods that directly prevent dangerous consequences of malfunctions, ensuring that the ATP train automatic protection function still complies with the fault-safe principle stipulated in TB / T 2615-2018 Railway Signal Fault-Safe Principles.
[0027] Brief description of the attached figures
[0028] Figure 1 is a schematic diagram of the brake interface currently in use.
[0029] Figure 2 is a schematic diagram of a braking system for heavy-duty freight trains provided by the present invention.
[0030] Figure 3 is a schematic diagram of the main control computer.
[0031] Best way to implement the present invention
[0032] The preferred embodiments of the present invention will be described in detail below with reference to Figures 1 to 3.
[0033] As shown in Figure 1, the current ATP braking interface includes two relays connected in parallel. The rear contact (normally closed contact) NC1 of the first relay 1 is connected in parallel to the emergency braking command output dry contact K, and the rear contact (normally closed contact) NC2 of the second relay 2 is also connected in parallel to the emergency braking command output dry contact K. The coils KM1 of the first relay 1 and KM2 of the second relay 2 are both connected to the main control computer 4. When the main control computer 4 determines that no emergency braking command needs to be output, it supplies power to the coils of relays 1 and 2, keeping the rear contact NC1 of relay 1 and the rear contact NC2 of relay 2 in the open state. When the main control computer 4 determines that an emergency braking command needs to be output, it cuts off the power supply to the coils of relays 1 and 2. The rear contact NC1 of relay 1 and the rear contact NC2 of relay 2 close under the action of mechanical forces such as springs, and the dry contact K is turned on, outputting an emergency braking command to the locomotive. The existing ATP braking interface controls the emergency braking command output dry contact K through two parallel relays. When either of the two relays' rear contact (normally closed contact) is closed, dry contact K is closed, outputting an emergency braking command to the locomotive. When the main control computer 4 malfunctions, it automatically cuts off its power supply to the relay coils, employing a method that directly prevents the dangerous consequences of the malfunction, ensuring that the ATP automatic protection function complies with the fail-safe principle stipulated in TB / T 2615-2018 Railway Signal Failure-Safety Principles.
[0034] According to TB / T 2615-2018 Railway Signal Failures - Safety Principles, methods for preventing dangerous consequences after a fault can be divided into direct and indirect prevention. Direct prevention involves employing reasonable structures and designs, such as using constantly energized relays, to ensure the system automatically enters a safe state where no dangerous consequences occur after a fault. Indirect prevention employs redundancy or monitoring methods to eliminate the fault's impact on system safety.
[0035] In the existing ATP braking interface control method, if the main control computer 4 malfunctions or loses external power, the coil power supply of relays 1 and 2 will be cut off, and the relay contacts (normally closed contacts) will close. If applied to heavy-haul freight trains, these malfunctions will cause the ATP to output unexpected emergency braking commands to normally operating heavy-haul freight trains, potentially leading to decoupling or even derailment, posing a safety hazard. Therefore, it is necessary to improve the existing ATP braking interface and control method to eliminate the safety hazards caused by the shortcomings of the existing technology. At the same time, it is necessary to ensure that the improved scheme does not cause the ATP automatic train protection function (i.e., the function of monitoring train speed and outputting an emergency braking command to the locomotive to stop the train when the train speed exceeds the safe speed) to violate the fault-safe principle stipulated in TB / T 2615-2018 Railway Signal Faults - Safety Principles.
[0036] In view of this, the present invention provides a braking system suitable for heavy-duty freight trains, as shown in FIG2. The braking system includes: a braking interface 101, a main control computer 102 connected to the braking interface 101, and an alarm device 103 connected to the main control computer 102.
[0037] The braking interface 101 includes a first relay 1 and a second relay 2. The coil KM1 of the first relay 1 is connected to the main control computer 102. The front contact (normally open contact) NO1 of the first relay 1 is connected in parallel to the dry contact K of the locomotive braking system. The coil KM2 of the second relay 2 is connected to the main control computer 102. The front contact (normally open contact) NO2 of the second relay 2 is also connected in parallel to the dry contact K of the locomotive braking system.
[0038] This invention modifies the circuit of the existing ATP braking interface, using the front contacts (normally open contacts) of the first relay 1 and the second relay 2 to control the opening or closing of the dry contact K. Simultaneously, it modifies the control logic of the main control computer 102 for the first relay 1 and the second relay 2. When the main control computer 102 determines that an emergency braking command needs to be output, it supplies power to the coil KM1 of the first relay 1 and the coil KM2 of the second relay 2, closing the front contact NO1 of the first relay 1 and the front contact NO2 of the second relay 2, and closing the dry contact K. When the main control computer 102 determines that an emergency braking command does not need to be output, it cuts off the power supply to the coil KM1 of the first relay 1 and the coil KM2 of the second relay 2, opening the front contact NO1 of the first relay 1 and the front contact NO2 of the second relay 2, and consequently, the dry contact K. By using two relays with their front contacts (normally open contacts) to control the opening and closing of the dry contact, if the main control computer malfunctions or loses external power, the relays lose power, causing the front contacts (normally open contacts) to open, and then the dry contact K to open. This prevents the output of unexpected emergency braking commands to the train, thus resolving the safety hazard of outputting unexpected emergency braking commands to normally operating heavy-haul freight trains due to main control computer malfunctions or loss of external power.
[0039] The alarm device 103 includes a third relay 3 and an audible and visual alarm device 5. The coil KM3 of the third relay 3 is connected to the main control computer 102. The rear contact (normally closed contact) NC3 of the third relay 3 is connected in series in the power supply circuit of the audible and visual alarm device 5. The audible and visual alarm device 5 is connected to an independent power supply D on the locomotive, and the independent power supply D provides power to the audible and visual alarm device 5.
[0040] This invention adds an audible and visual alarm device 5 powered independently by the locomotive. Simultaneously, it adds control of the third relay 3 to the main control computer 102. During normal operation of the main control computer 102, it continuously supplies power to the coil KM3 of the third relay 3, causing its downstream contact (normally closed contact) NC3 to open. If the main control computer 102 malfunctions or loses external power, the coil KM3 of the third relay 3 loses power, causing its downstream contact (normally closed contact) NC3 to close. The audible and visual alarm device 5 then sends an audible and visual alarm message to the driver. When the driver receives the alarm message from the audible and visual alarm device 5, he should immediately take over the train operation and brake to a stop.
[0041] As shown in Figure 3, the main control computer 102 includes at least two logic processing units 11, at least two bus transmission units 22, and at least two output control units 33. Each logic processing unit 11 is connected to each bus transmission unit 22, each bus transmission unit 22 is connected to each output control unit 33, and each output control unit 33 is connected to the coil of the first relay 1, the coil of the second relay 2, and the coil of the third relay 3. Any one of the logic processing units 11, any one of the bus transmission units 22, and any one of the output control units 33 can form a main control module. Each main control module can control the first relay 1, the second relay 2, and the third relay 3. When any one of the main control modules supplies power to any one of the relays, the relay coil will be energized.
[0042] By combining alarm devices with increased equipment redundancy, the safety of the control system is ensured.
[0043] The present invention also provides a braking method comprising the following steps:
[0044] The main control computer 102 performs an automatic minimum equipment list check: Before being put into operation, the main control computer 102 performs a self-test on all logic processing units 11, bus transmission units 22 and output control units 33. Only when at least two logic processing units 11 pass the self-test, at least two bus transmission units 22 pass the self-test, and at least two output control units 33 pass the self-test, is the main control computer 102 allowed to be put into operation. Otherwise, the main control computer 102 is not allowed to be put into operation, and the driver is prompted that the main control computer 102 does not meet the minimum equipment list requirements.
[0045] As shown in Figure 2, after the main control computer 102 is put into operation, when the main control computer 102 determines that an emergency braking command needs to be output, it supplies power to the coil KM1 of the first relay 1 and the coil KM2 of the second relay 2, so that the front contact NO1 of the first relay 1 and the front contact NO2 of the second relay 2 are closed, the dry contact K is turned on, and an emergency braking command is output to the locomotive, and the locomotive performs the braking operation.
[0046] When the main control computer 102 determines that there is no need to output an emergency braking command, it cuts off the power supply to the coil KM1 of the first relay 1 and the coil KM2 of the second relay 2, causing the front contact NO1 of the first relay 1 and the front contact NO2 of the second relay 2 to open, and the dry contact K to open accordingly.
[0047] During normal operation of the main control computer 102, power is continuously supplied to the coil KM3 of the third relay 3, causing the rear contact NC3 of the third relay 3 to disconnect, the power supply circuit of the audible and visual alarm device 5 to be disconnected, and the audible and visual alarm device 5 to stop working.
[0048] If the main control computer 102 malfunctions or loses external power, it stops supplying power to the coil KM1 of the first relay 1 and the coil KM2 of the second relay 2. This causes the front contact NO1 of the first relay 1 and the front contact NO2 of the second relay 2 to open, and the dry contact K to open accordingly, ensuring that no emergency braking command is automatically output to the locomotive. At the same time, the main control computer 102 stops supplying power to the coil KM3 of the third relay 3. The coil KM3 of the third relay 3 is de-energized, causing the rear contact NC3 of the third relay 3 to close. This closes the power supply circuit of the audible and visual alarm device 5, and the audible and visual alarm device 5 sends an audible and visual alarm message to the driver. When the driver receives the alarm message from the audible and visual alarm device 5, he should immediately take over the operation of the train and bring it to a stop.
[0049] This invention uses the front contacts (normally open contacts) of two relays to control the opening or closing of the dry contacts. When the main control computer malfunctions or loses external power, the relays lose power, causing the front contacts to open, and the dry contacts to open accordingly. This prevents the output of unexpected emergency braking commands to the train, thus solving the safety hazard of the main control computer outputting unexpected emergency braking commands to normally operating heavy-haul freight trains due to malfunctions or loss of external power.
[0050] Existing ATP braking interfaces and control methods directly prevent dangerous consequences of faults by using relays with constant energization to automatically output emergency braking commands after a fault, thus complying with the fail-safe principle. This invention combines methods that indirectly prevent dangerous consequences of faults with methods that directly prevent them, ensuring that the ATP train automatic protection function still complies with the fail-safe principle stipulated in TB / T 2615-2018 Railway Signal Fail-Safe Principles.
[0051] To address hardware failures in the main control computer, an indirect method is employed to prevent dangerous consequences. By performing an automatic minimum equipment list check on the main control computer, it is ensured that all components related to emergency braking output are in redundant working condition during operation. This prevents any component failure from causing the ATP (Automatic Train Protection) system to malfunction and fail to output emergency braking commands to the locomotive.
[0052] In the event of a loss of external power to the main control computer or an ATP shutdown, a method to directly prevent dangerous consequences of the fault is still adopted. By using the third relay to be constantly energized, an audible and visual alarm is automatically sent to the driver, informing the driver to take over the operation of the train and brake to a stop.
[0053] While solving the above problems, the ATP system was still automated as much as possible, so that the driver did not need to keep a close eye on the safety warning information of the equipment, thus reducing the difficulty and labor intensity of the driver's operation during the driving process.
[0054] Compared to existing ATP braking interfaces and control methods, this invention only additionally requires the driver to take over and immediately stop the train after receiving an alarm message from the audible and visual alarm device. In other scenarios, the driver's operation methods and requirements are no different from existing designs.
[0055] It should be noted that, in the embodiments of the present invention, the terms "center," "longitudinal," "lateral," "length," "width," "thickness," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," "clockwise," "counterclockwise," "axial," "radial," and "circumferential," etc., indicating the orientation or positional relationship, are based on the orientation or positional relationship shown in the accompanying drawings and are only for the convenience of describing the embodiments. They do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and should not be construed as indicating or implying relative importance.
[0056] In this invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," "linking," and "fixing," etc., should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.
[0057] It should be understood that, when used in this specification and the appended claims, the term "comprising" indicates the presence of the described feature, integral, step, operation, element and / or component, but does not exclude the presence or addition of one or more other features, integrals, steps, operations, elements, components and / or collections thereof.
[0058] It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the scope of the application. As used in this specification and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms unless the context clearly indicates otherwise.
[0059] It should also be further understood that the term “and / or” as used in this application specification and the appended claims means any combination of one or more of the associated listed items and all possible combinations, and includes such combinations.
[0060] As used in this specification and the appended claims, the term "if" may be interpreted, depending on the context, as "when," "once," "in response to determination," or "in response to detection." Similarly, the phrases "if determined" or "if [described condition or event] is detected" may be interpreted, depending on the context, as "once determined," "in response to determination," "once [described condition or event] is detected," or "in response to detection of [described condition or event]."
[0061] Although the present invention has been described in detail through the preferred embodiments above, it should be understood that the above description should not be considered as a limitation of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without inventive effort are within the scope of protection of the present invention. After reading the above content, various modifications and substitutions to the present invention will be obvious to those skilled in the art. Therefore, the scope of protection of the present invention should be defined by the appended claims.
Claims
1. A braking interface suitable for heavy-haul freight trains, which is respectively connected to a main control computer and a locomotive braking system, characterized in that, Include: The first relay has its coil connected to the main control computer, and its front contact is connected in parallel to the dry contact of the locomotive braking system. The second relay has its coil connected to the main control computer, and its front contact is connected in parallel to the dry contact of the locomotive braking system.
2. A braking system suitable for heavy-haul freight trains, characterized in that, Include: The braking interface as described in claim 1; A master control computer, which is connected to the coil of the first relay and the coil of the second relay.
3. The braking system for heavy-haul freight trains as described in claim 2, characterized in that, The braking system includes: an alarm device connected to the main control computer; The alarm device includes a third relay and an audible and visual alarm device. The coil of the third relay is connected to the main control computer, and the rear contact of the third relay is connected in series in the power supply circuit of the audible and visual alarm device. The audible and visual alarm device is connected to an independent power supply on the locomotive.
4. The braking system for heavy-haul freight trains as described in claim 3, characterized in that, The main control computer includes: at least two logic processing units, at least two bus transmission units, and at least two output control units; Each of the logic processing units is connected to each of the bus transmission units, each of the bus transmission units is connected to each of the output control units, and each of the output control units is connected to the coil of the first relay, the coil of the second relay, and the coil of the third relay.
5. A braking method suitable for heavy-haul freight trains, implemented based on the braking system as described in any one of claims 2-4, characterized in that, Include: When the main control computer determines that an emergency braking command needs to be output, it supplies power to the coils of the first and second relays, causing the front contacts of the first and second relays to close and the dry contacts to conduct, thus outputting an emergency braking command to the locomotive, and the locomotive performs the braking operation. When the main control computer determines that there is no need to output an emergency braking command, it cuts off the power supply to the coils of the first and second relays, causing the front contacts of the first and second relays to open, and the dry contacts to open accordingly. If the main control computer malfunctions or loses external power, it stops supplying power to the coils of the first and second relays, causing the front contacts of the first and second relays to disconnect, and the dry contacts to disconnect as well, ensuring that no emergency braking command is automatically output to the locomotive.
6. The braking method for heavy-haul freight trains as described in claim 5, characterized in that, During normal operation of the main control computer, power is continuously supplied to the coil of the third relay, causing the rear contact of the third relay to disconnect, thus disconnecting the power supply circuit of the audible and visual alarm device and rendering the audible and visual alarm device inoperable. If the main control computer malfunctions or loses external power, the main control computer stops supplying power to the coil of the third relay. The coil of the third relay is de-energized, causing the rear contact of the third relay to close. This closes the power supply circuit of the audible and visual alarm device, which then sends an audible and visual alarm message to the driver.
7. The braking method for heavy-haul freight trains as described in claim 5 or 6, characterized in that, Before being put into operation, the main control computer performs an automatic check of the minimum equipment list: the main control computer performs self-tests on all logic processing units, bus transmission units and output control units. The main control computer is allowed to be put into operation only when at least two logic processing units, at least two bus transmission units and at least two output control units pass the self-test.