Ground control device redundancy system and ground control device redundancy method
The redundant ground control system addresses communication reliability issues by using a hot and cold standby configuration with a control circuit to manage power transitions, ensuring stable train operation and device lifespan.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- MITSUBISHI ELECTRIC CORP
- Filing Date
- 2024-12-27
- Publication Date
- 2026-07-02
AI Technical Summary
Existing redundant systems for train operation control, such as those in the railway field, face challenges in maintaining reliable communication with external devices due to uncertainty in device reliability, particularly when a device fails and is replaced, leading to unstable control states.
A redundant ground control system comprising a first and second ground control device in hot standby, a third in cold standby, and a control circuit to manage power transitions, allowing seamless communication with an external interlocking device by powering on the third device to take over when the first or second fails, ensuring stable operation.
Enables stable train operation control by maintaining redundancy and ensuring reliable communication with external interlocking devices, improving system availability and device lifespan while preventing control instability.
Smart Images

Figure JP2024046450_02072026_PF_FP_ABST
Abstract
Description
Ground control system redundancy system and ground control system redundancy method
[0001] This disclosure relates to a ground control system redundancy system and a ground control system redundancy method comprising multiple ground control devices.
[0002] Traditionally, to improve the reliability of the operation of devices such as control units and computing units, multiple devices are provided, i.e., the devices are configured redundantly. In a redundant system, a standby system capable of operating in the same way as the active system is provided. Such redundant systems include hot standby systems and cold standby systems.
[0003] In a hot standby system, the standby system is always powered on even when the active system is operating normally, and if the active system fails, the standby system will quickly switch over to the active system. In a cold standby system, the standby system is powered off when the active system is operating normally, and only after the active system fails does the standby system power on and switch over to the active system. The hot standby system has the advantage of being able to quickly switch over to the standby system when the active system fails, but the disadvantage is that because the standby system is always powered on, the lifespan of the standby system is the same as that of the active system. The cold standby system has the advantage of being able to extend the lifespan of the standby system because it is powered off when the active system is operating normally, but the disadvantage is that if the active system fails, it takes time to power on the standby system, so a quick switchover is not possible.
[0004] In view of such problems, Patent Document 1 discloses a technology related to an information processing system including a plurality of arithmetic units that combines a hot standby system and a cold standby system. In the information processing system of Patent Document 1, a predetermined number of arithmetic units are in an operating state during normal operation. However, when the number of operating arithmetic units becomes less than the predetermined number, a predetermined number of non-faulty non-operating arithmetic units are brought into an operating state from among the plurality of non-operating arithmetic units. Thereby, the information processing system of Patent Document 1 can maintain a state in which a predetermined number of arithmetic units are operating while considering availability and the lifespan of the arithmetic units.
[0005] Japanese Patent Application Laid-Open No. 2014-137681
[0006] However, according to the above conventional technology, when an operating arithmetic unit fails, a non-operating arithmetic unit becomes operating, and the failed arithmetic unit is replaced with the arithmetic unit that has become operating. Here, assume a case where each device communicates with an external device in a redundant configuration system including a plurality of devices. When a device in an operating state is replaced in a redundant configuration system, the external device may not be able to determine whether the communication partner device is a reliable device. In particular, in a system that controls train operation, such as in the railway field, control cannot be performed based on information from a device for which reliability cannot be confirmed. Therefore, there is a problem that a configuration such as the information processing system described in Patent Document 1 cannot be applied to a system that communicates with an external device.
[0007] The present disclosure has been made in view of the above, and an object thereof is to obtain a ground control device redundant system that can perform train operation control by communicating with an external interlocking device while having a redundant configuration of the ground control device.
[0008] To solve the aforementioned problems and achieve the objectives, this disclosure provides a redundant ground control system for controlling train operations together with an interlocking device. The redundant ground control system comprises a first ground control device, a second ground control device which, together with the first ground control device, constitutes a redundant system via hot standby, a third ground control device which remains in a cold standby state with its power off while the first and second ground control devices are operating normally, and a control circuit which controls the power of the third ground control device to be turned on when the first or second ground control device fails. The third ground control device is characterized in that, when its power is turned on, it takes over the information used by the failed first or second ground control device and starts operating.
[0009] The ground control device redundancy system disclosed herein has the effect of enabling train operation control by communicating with an external interlocking device while providing a redundant configuration for the ground control device.
[0010] Figures showing an example configuration of a redundant ground control device system according to Embodiment 1. Figures showing the state when the ground control device 10 fails in the redundant ground control device system according to Embodiment 1. Figures showing the state when the power to the ground control device 30 is turned on in the redundant ground control device system according to Embodiment 1. Figures showing the state when the failed ground control device 10 recovers in the redundant ground control device system according to Embodiment 1. Figures showing the state when the power to the ground control device 30 is turned off because the failed ground control device 10 has recovered in the redundant ground control device system according to Embodiment 1. Figures showing the state when the failed ground control device 10 starts operating as a dependent in the redundant ground control device system according to Embodiment 1. A flowchart showing the operation of the redundant ground control device system according to Embodiment 1. Figures showing an example of configuring the processing circuit that realizes the redundant ground control device system according to Embodiment 1 with a processor and memory. Figures showing an example of configuring the processing circuit that realizes the redundant ground control device system according to Embodiment 1 with dedicated hardware. A first figure showing the control state of the control circuit in the redundant ground control device system according to Embodiment 2. A second figure showing the control state of the control circuit in the redundant ground control device system according to Embodiment 2.
[0011] The following describes in detail, with reference to the drawings, a ground control device redundancy system and a ground control device redundancy method according to embodiments of the present disclosure.
[0012] Embodiment 1. Figure 1 is a diagram showing an example configuration of the Ground Control Device Redundancy System 1 according to Embodiment 1. The Ground Control Device Redundancy System 1 controls the operation of trains (not shown) by communicating and coordinating with the Interlocking Device 2. In other words, the Ground Control Device Redundancy System 1 is a system that controls the operation of trains together with the Interlocking Device 2. The Interlocking Device 2 controls points, signals, etc. (not shown) around the station where it is installed. The Ground Control Device Redundancy System 1 and the Interlocking Device 2 communicate with each other and control the train's route, stop, and decelerate at the station to operate trains at the station. For example, the Ground Control Device Redundancy System 1 transmits information to trains around the station, such as whether they can proceed or stop, based on the control status of points, signals, etc., by the Interlocking Device 2. The communication between the Ground Control Device Redundancy System 1 and the train is not particularly limited, as it can be a general method of communication between ground vehicles. The area under the jurisdiction of the train operation control performed by the Ground Control Device Redundancy System 1 and the Interlocking Device 2 may be the area around one station, or it may be the area around multiple adjacent stations.
[0013] The configuration and operation of the Ground Control Device Redundancy System 1 will now be described. As shown in Figure 1, the Ground Control Device Redundancy System 1 comprises a Ground Control Device 10, a Ground Control Device 20, a Ground Control Device 30, a Control Circuit 40, a Power Supply Unit 50, and a Power Supply Unit 51. The Ground Control Device 10 and the Ground Control Device 20 constitute a hot standby circuit 70 to ensure availability. In the hot standby circuit 70, if both the Ground Control Device 10 and the Ground Control Device 20 start up normally and continue to operate normally, the Ground Control Device 10 operates as the primary system and the Ground Control Device 20 operates as the secondary system. The interlocking device 2 adopts data from the primary Ground Control Device and does not adopt data from the secondary Ground Control Device. The "primary system" is also called the "operational system" or "current system." The "secondary system" is also called the "standby system" or "backup system."
[0014] The ground control device 10 can control the operation of trains (not shown) by communicating and coordinating with the interlocking device 2. The ground control device 10, together with the ground control device 20, constitutes a dual system using hot standby, i.e., a hot standby circuit 70. When the ground control device 10 is in the primary system, the data transmitted to the interlocking device 2 is used by the interlocking device 2, and when it is in the secondary system, the data transmitted to the interlocking device 2 is not used by the interlocking device 2. In the following description, the ground control device 10 may be referred to as the first ground control device. As shown in Figure 1, the ground control device 10 includes a communication unit 11, a control unit 12, and a communication unit 13.
[0015] The communication unit 11 communicates with the interlocking device 2 via the communication network 60. While the communication method of the communication network 60 is assumed to be, for example, Ethernet (registered trademark), it is not limited to this. The communication unit 11 communicates with the interlocking device 2 using an IP (Internet Protocol) address A. In the following description, IP address A may be referred to as the first address. Although the communication unit 11 is shown as a single configuration in the example in Figure 1, it is not limited to this configuration. The communication unit 11 may consist of multiple devices, such as an L2SW (Layer 2 Switch) and an interface connected to the control unit 12. The configurations of the communication units 13, 21, 23, 31, and 33, described later, are similar to those of the communication unit 11.
[0016] The control unit 12 communicates with the interlocking device 2 via the communication unit 11 and the communication network 60, and controls the operation of the train together with the interlocking device 2. In this embodiment, the train operation control by the control unit 12 and the interlocking device 2 can be a general control method, so a detailed explanation is omitted. The control unit 12 also outputs information indicating the operating status of the ground control device 10 to the control circuit 40 via the control network 62. As information indicating the operating status that the control unit 12 outputs to the control circuit 40 via the control network 62, along with identification information indicating the ground control device 10, for example, when it is operating normally, it outputs a 1-bit piece of information "1" indicating that it is operating normally, and when it malfunctions, it outputs a 1-bit piece of information indicating that it is malfunctioning, with a faulty contact "0". The control unit 12 may also include information in the information indicating the operating status whether it is operating in the main system or the secondary system.
[0017] The communication unit 13 confirms the status of the other ground control devices 20 and 30 via the monitoring network 61. This allows the communication unit 13 to understand the operating status of the other ground control devices 20 and 30. The communication unit 13 may include, in the status information it transmits, identification information indicating the ground control device 10, as well as information on whether it is operating in the primary system or the secondary system. The status information may be output from the communication unit 13 when the ground control device 10 is operating normally, and not output from the communication unit 13 when the ground control device 10 is not operating normally due to a malfunction or other reason. The communication method for the monitoring network 61 is assumed to be, for example, Ethernet, but is not limited to this. The monitoring network 61 may also use communication methods such as HDLC (High-level Data Link Control) or RS (Recommended Standards) 485.
[0018] The ground control device 20 can control the operation of trains (not shown) by communicating and coordinating with the interlocking device 2. The ground control device 20, together with the ground control device 10, constitutes a dual system using hot standby, i.e., a hot standby circuit 70. When the ground control device 20 is in the primary system, the data transmitted to the interlocking device 2 is used by the interlocking device 2, and when it is in the secondary system, the data transmitted to the interlocking device 2 is not used by the interlocking device 2. In the following description, the ground control device 20 may be referred to as the second ground control device. As shown in Figure 1, the ground control device 20 includes a communication unit 21, a control unit 22, and a communication unit 23.
[0019] The communication unit 21 communicates with the interlocking device 2 via the communication network 60. The communication unit 21 uses IP address B for communication with the interlocking device 2. In the following description, IP address B may be referred to as the second address.
[0020] The control unit 22 communicates with the interlocking device 2 via the communication unit 21 and the communication network 60, and controls the operation of the train together with the interlocking device 2. In this embodiment, the train operation control by the control unit 22 and the interlocking device 2 can be a general control method, so a detailed explanation is omitted. The control unit 22 also outputs information indicating the operating status of the ground control device 20 to the control circuit 40 via the control network 62. As information indicating the operating status that the control unit 22 outputs to the control circuit 40 via the control network 62, along with identification information indicating the ground control device 20, for example, when it is operating normally, it outputs a 1-bit value of "1" to indicate that it is operating normally, and when it malfunctions, it outputs a 1-bit value of "0" due to a fault contact to indicate that it is malfunctioning. The control unit 22 may also include information in the information indicating the operating status whether it is operating in the main system or the secondary system.
[0021] The communication unit 23 confirms the status of the other ground control devices 10 and 30 via the monitoring network 61. This allows the communication unit 23 to understand the operating status of the other ground control devices 10 and 30. The communication unit 23 may include, in the status information it transmits, identification information indicating the ground control device 20, as well as information on whether it is operating in the primary system or the secondary system. The status information may be output from the communication unit 23 when the ground control device 20 is operating normally, and not output from the communication unit 23 when the ground control device 20 is not operating normally due to a malfunction or other reason.
[0022] The ground control device 30 can control the operation of trains (not shown) by communicating and coordinating with the interlocking device 2. The ground control device 30 remains in a cold standby state with its power off while the ground control devices 10 and 20 are operating normally. The ground control device 30 can operate as a primary or secondary system, similar to the ground control devices 10 and 20. When it is the primary system, data transmitted to the interlocking device 2 is used by the interlocking device 2, and when it is the secondary system, data transmitted to the interlocking device 2 is not used by the interlocking device 2. In the following description, the ground control device 30 may be referred to as the third ground control device. As shown in Figure 1, the ground control device 30 includes a communication unit 31, a control unit 32, and a communication unit 33.
[0023] When the ground control device 30 is powered on, the communication unit 31 communicates with the interlocking device 2 via the communication network 60. Here, when the ground control device 30 is powered on, it means that at least one of the ground control devices 10 and 20 has failed. In such a case, when communicating with the interlocking device 2, the communication unit 31 uses the IP address A used by the failed ground control device 10 or the IP address B used by the failed ground control device 20. If both the ground control device 10 and 20 fail, the communication unit 31 communicates with the interlocking device 2 using the IP address used by the ground control device that failed first. If both the ground control device 10 and 20 fail simultaneously, the communication unit 31 communicates with the interlocking device 2 using a specified ground control device, for example, the IP address A used by the ground control device 10.
[0024] When the ground control device 30 is powered on, the control unit 32 communicates with the interlocking device 2 via the communication unit 31 and the communication network 60, and controls the operation of the train together with the interlocking device 2. In this embodiment, the train operation control by the control unit 32 and the interlocking device 2 can be a general control method, so a detailed explanation is omitted. Also, when the ground control device 30 is powered on, the control unit 32 outputs information indicating the operating status of the ground control device 30 to the control circuit 40 via the control network 62. As information indicating the operating status that the control unit 32 outputs to the control circuit 40 via the control network 62, along with identification information indicating the ground control device 30, for example, when it is operating normally, it outputs a 1-bit piece of information "1" indicating that it is operating normally, and when it malfunctions, it outputs a 1-bit piece of information "0" due to a fault contact indicating that it is malfunctioning. In the ground control device redundancy system 1, when the ground control device 30 is powered off, it may be assumed that the control unit 32 outputs a "0" due to a fault contact as information indicating the operating status, similar to when the ground control device 30 malfunctions. Furthermore, the control unit 32 may include information indicating whether it is operating in the main system or the secondary system in the information indicating the operating status.
[0025] The communication unit 33 confirms the status of the other ground control devices 10 and 20 via the monitoring network 61. This allows the communication unit 33 to understand the operating status of the other ground control devices 10 and 20. The communication unit 33 may include, in the status information it transmits, identification information indicating the ground control device 30, as well as information on whether it is operating in the primary system or the secondary system. The status information may be output from the communication unit 33 when the ground control device 30 is operating normally, and not output from the communication unit 33 when the ground control device 30 is not operating normally due to a malfunction or other reason.
[0026] The exchange of survival information between the ground control devices 10, 20, and 30 via the monitoring network 61 is not limited to the above-described communication method, as it is sufficient for the ground control devices to be able to understand the operating status of other ground control devices. Similarly, the exchange of information indicating the operating status between the ground control devices 10, 20, and 30 and the control circuit 40 via the control network 62 is not limited to the above-described communication method, as it is sufficient for the control circuit 40 to be able to understand the operating status of each ground control device.
[0027] Based on information indicating the operating status obtained from the ground control devices 10 and 20 via the control network 62, the control circuit 40 puts the ground control device 30 into a cold standby state with the power off if the ground control devices 10 and 20 are operating normally. Specifically, the control circuit 40 controls the power supply so that power is not supplied from the power supply device 50 to the communication unit 31 and control unit 32 of the ground control device 30. In the example in Figure 1, the control circuit 40 cuts off the power supply path from the power supply device 50 to the communication unit 31 and control unit 32 of the ground control device 30, but is not limited to this. The control circuit 40 may also control the operation of the power supply device 50 so that power is not supplied from the power supply device 50 to the communication unit 31 and control unit 32 of the ground control device 30.
[0028] The power supply unit 50 supplies power to the ground control device 10 and the ground control device 20 without being affected by the control circuit 40. The power supply unit 51 supplies power to the communication unit 33 of the ground control device 30 via a power supply path separate from the power supply path from the power supply unit 50 to the communication unit 31 and control unit 32 of the ground control device 30. As a result, the communication unit 33 of the ground control device 30 can continue to check for survival information with the ground control device 10 and the ground control device 20 without being affected by the control circuit 40. The ground control device redundancy system 1 may also be configured such that the power supply unit 51 supplies power to the communication unit 13 of the ground control device 10 and the communication unit 23 of the ground control device 20, similar to the communication unit 33 of the ground control device 30. In other words, the ground control device redundancy system 1 may be configured so that, similar to the communication unit 33 of the ground control device 30 when the power is off, the communication unit 13 of the ground control device 10 can continue to check for survival information even if the ground control device 10 fails, and the communication unit 23 of the ground control device 20 can continue to check for survival information even if the ground control device 20 fails.
[0029] Although not shown in the diagram, power supply units 50 and 51 may also supply power to components other than the ground control device, such as the control circuit 40. It is also possible for the ground control device redundancy system 1 to consist only of power supply unit 50 and not power supply unit 51. In this case, power supply unit 50 can, for example, branch the power supply paths to the ground control device 10 and the ground control device 20, and use the branched power supply paths to supply power to the communication unit 33 of the ground control device 30.
[0030] In this embodiment, the control circuit 40 controls the power of the ground control device 30 to turn on when the ground control device 10 or the ground control device 20 fails, based on information indicating the operating status obtained from the ground control device 10 and the ground control device 20 via the control network 62. As a result, when the power is turned on, the ground control device 30 can take over the information used by the failed ground control device 10 or the ground control device 20 and start operating. Specifically, when the ground control device 10 fails, the ground control device 30 takes over and uses IP address A, which the ground control device 10 used when communicating with the interlocking device 2, as the aforementioned information, and starts operating as a secondary system relative to the ground control device 20 which is operating as the primary system. Alternatively, when the ground control device 20 fails, the ground control device 30 takes over and uses IP address B, which the ground control device 20 used when communicating with the interlocking device 2, as the aforementioned information, and starts operating as a secondary system relative to the ground control device 10 which is operating as the primary system.
[0031] In the ground control unit redundancy system 1, ground control unit 10, ground control unit 20, and ground control unit 30 each check the status of other ground control units via the monitoring network 61, as described above. Here, it is assumed that ground control unit 30 holds information on IP addresses A and B. In the ground control unit redundancy system 1, since ground control units 10 and 20, which are provided in the hot standby circuit 70, are known, ground control unit 30 can hold information on IP addresses A and B in advance. As a result, ground control unit 30 holds information on IP addresses A and B, and if it determines that ground control unit 10 has failed as a result of checking the status of the ground control unit, it can use IP address A that was used by ground control unit 10, and if it determines that ground control unit 20 has failed, it can use IP address B that was used by ground control unit 20.
[0032] Furthermore, when the ground control device 10 fails, the ground control device 30 acquires control information used for train operation control, including train position information, from the ground control device 20. When the ground control device 20 fails, the ground control device 30 acquires control information used for train operation control, including train position information, from the ground control device 10. This allows the ground control device 30 to synchronize control information with the ground control device 10 or ground control device 20, which is operating as the main system, before starting to operate as a secondary system. When the ground control device 30 is powered on and starts operating, the control unit 32 of the ground control device 30 outputs a 1-bit value of "1" to the control circuit 40 via the control network 62 as information indicating the operating status of the ground control device 30, indicating that it is operating normally.
[0033] In the Ground Control Unit Redundancy System 1, if Ground Control Unit 10 or Ground Control Unit 20 fails, Ground Control Unit 30 starts up, ensuring continued operation with redundancy. If Ground Control Unit 10 or Ground Control Unit 20 fails, maintenance personnel managing the Ground Control Unit Redundancy System 1 will take action such as repairing or replacing the failed Ground Control Unit 10 or Ground Control Unit 20. Once Ground Control Unit 10 or Ground Control Unit 20 is operational again after repair or replacement, Ground Control Unit 30 detects that the failed Ground Control Unit 10 or Ground Control Unit 20 has been restored by checking for survival information via the monitoring network 61. When Ground Control Unit 10 or Ground Control Unit 20 has been restored, Ground Control Unit 30 takes action to turn off its own power.
[0034] Specifically, when the ground control device 30 determines, based on the results of the survival information check, that the malfunctioning ground control device 10 or ground control device 20 has recovered, it outputs a signal to the control circuit 40 to turn off the power to the ground control device 30. The signal to turn off the power to the ground control device 30 may be a signal that literally instructs the ground control device 30 to turn off its power, or it may be the same signal that is output when the ground control device 30 malfunctions as information indicating its operating status. When the control circuit 40 receives a signal from the ground control device 30 to turn off its power, it performs control to turn off the power to the ground control device 30. The ground control device 10 or ground control device 20 that has recovered from a malfunction will start operating in the slave system after the power to the ground control device 30 has been turned off, based on the results of the survival information check.
[0035] If the ground control device 10 is the one that has recovered from a malfunction, the ground control device 10 acquires information used for train operation control, including train position information, from the ground control device 20 which is operating as the main system. This allows the ground control device 10 to synchronize its control information with the ground control device 20 which is operating as the main system, and then start operating as the secondary system. The ground control device 10 communicates with the interlocking device 2 using the IP address A that it was originally using.
[0036] If the ground control device 20 is the one that has recovered from a malfunction, the ground control device 20 acquires information used for train operation control, including train position information, from the ground control device 10 which is operating as the main system. This allows the ground control device 20 to synchronize its control information with the ground control device 10 which is operating as the main system, and then start operating as the secondary system. The ground control device 20 communicates with the interlocking device 2 using the IP address B that it was originally using.
[0037] The operation of the ground control unit redundancy system 1 up to this point will be explained using diagrams. In the following section, the explanation will be based on the case where the ground control unit 10 fails, which is one of the two ground control units 10 and 20 that constitute the hot standby circuit 70.
[0038] Figure 2 shows the state when the ground control device 10 fails in the ground control device redundancy system 1 according to Embodiment 1. At this time, the ground control device 10 either outputs survival information indicating that it has failed, or does not output survival information indicating that it is operating normally. The ground control device 20 detects that the ground control device 10 has failed as a result of checking the survival information. As a result, the ground control device 20 switches from the slave system to the primary system and operates. Immediately after the ground control device 10 fails, the only ground control device operating in the ground control device redundancy system 1 is one of the ground control devices 20. In the state shown in Figure 2, the ground control device 10 outputs a "0" from the fault contact as 1-bit information indicating a failure to the control circuit 40 via the control network 62. The control circuit 40 detects that the ground control device 10 has failed by receiving a "0" signal as 1-bit information indicating a failure from the ground control device 10 via the control network 62.
[0039] Figure 3 shows the state when the power to the ground control device 30 is turned on in the ground control device redundancy system 1 according to Embodiment 1. The control circuit 40 detects that the ground control device 10 has failed and releases the interruption of the power supply path that supplies power from the power supply device 50 to the ground control device 30. As a result, the ground control device 30 is powered on. The ground control device 30 understands that the ground control device 10 has failed as a result of checking the status information and synchronizes control information with the ground control device 20 by acquiring control information from the ground control device 20. Also, the ground control device 30 understands that the ground control device 10 has failed as a result of checking the status information and communicates with the interlocking device 2 using the IP address A that the ground control device 10 was using. As a result, the ground control device 30 can start operating as a secondary system in the ground control device redundancy system 1.
[0040] Figure 4 shows the state when the ground control device 10, which had failed, is restored in the ground control device redundancy system 1 according to Embodiment 1. As shown in Figure 3, while the ground control device 20 is operating as the primary system and the ground control device 30 is operating as the secondary system, the ground control device 10 is restored from failure by repair, replacement, or other measures taken by maintenance personnel managing the ground control device redundancy system 1. When the ground control device 10 is restored from failure, it resumes communication on the monitoring network 61 and the control network 62, but immediately after restoration, IP address A is being used by the ground control device 30, so it does not communicate via the communication network 60. The ground control device 30 detects that the ground control device 10 has been restored from failure as a result of checking for survival information. Since the ground control device 10, which had failed, has been restored, the ground control device 30 outputs a signal to the control circuit 40 to turn off the power to the ground control device 30 in order to turn off its own power.
[0041] Figure 5 shows the state when the ground control device 10, which had been malfunctioning, has been restored in the ground control device redundant system 1 according to Embodiment 1, and the power to the ground control device 30 has been turned off. The control circuit 40 has received a signal from the ground control device 30 to turn off the power to the ground control device 30, and therefore cuts off the power supply path from the power supply unit 50 to the communication unit 31 and control unit 32 of the ground control device 30. As a result, the power to the ground control device 30 is turned off. Immediately after the power to the ground control device 30 is turned off, the only ground control device operating in the ground control device redundant system 1 is one of the ground control devices 20.
[0042] Figure 6 shows the state when the failed ground control device 10 in the ground control device redundancy system 1 according to Embodiment 1 starts operating as a secondary system. As a result of checking for life information, the ground control device 10 detects that the power to the ground control device 30 that was using IP address A has been turned off. As a result, the ground control device 10 can start operating as a secondary system in the ground control device redundancy system 1.
[0043] FIG. 7 is a flowchart showing the operation of the ground control device redundant system 1 according to Embodiment 1. In the ground control device redundant system 1, the ground control device 10 outputs information indicating the operating state to the control circuit 40 (step S1). The ground control device 20 outputs information indicating the operating state to the control circuit 40 (step S2). The control circuit 40 determines whether it has acquired information indicating normal operation from the ground control device 10 and the ground control device 20 (step S3). When the control circuit 40 has acquired information indicating normal operation from the ground control device 10 and the ground control device 20 (step S3: Yes), it cuts off the power supply from the power supply device 50 to the ground control device 30 (step S4). After step S4, the ground control device redundant system 1 returns to the operation of step S1.
[0044] When the control circuit 40 cannot acquire information indicating normal operation from at least one of the ground control device 10 and the ground control device 20 (step S3: No), it causes the power supply device 50 to supply power to the ground control device 30 (step S5). The ground control device 30 outputs information indicating the operating state to the control circuit 40 (step S6). The control circuit 40 determines whether it has acquired information indicating normal operation from the ground control device 30 (step S7). When the control circuit 40 has acquired information indicating normal operation from the ground control device 30 (step S7: Yes), it continues to supply power to the ground control device 30 (step S5). When the control circuit 40 cannot acquire information indicating normal operation from the ground control device 30 (step S7: No), it cuts off the power supply to the ground control device 30 (step S4). In the present embodiment, the case of step S7: No means that, as described above, the ground control device 30 has detected that the failed ground control device 10 or the ground control device 20 has recovered and has output a signal to turn off the power of the ground control device 30 to the control circuit 40. After step S4, the ground control device redundant system 1 returns to the operation of step S1.
[0045] Furthermore, the control circuit 40 may determine whether or not it has obtained information from the ground control device 10 and the ground control device 20 indicating that the operation in step S7 is normal. In this case, if the control circuit 40 obtains information from the ground control device 10 and the ground control device 20 indicating that the operation is normal, it proceeds to step S4. If the control circuit 40 is unable to obtain information from the ground control device 10 and the ground control device 20 indicating that the operation is normal, it proceeds to step S5.
[0046] The ground control device redundancy system 1, together with the interlocking device 2, continues to perform the operations shown in Figure 7 while controlling the operation of the train.
[0047] Next, the hardware configuration of the Ground Control Device Redundancy System 1 will be described. In the Ground Control Device Redundancy System 1, the power supply unit 50 is a power supply circuit that supplies control power to the Ground Control Device 10, the Ground Control Device 20, the communication unit 31 of the Ground Control Device 30, and the control unit 32 of the Ground Control Device 30. The power supply unit 51 is a power supply circuit that supplies control power to the communication unit 33 of the Ground Control Device 30. The communication units 11 and 13 of the Ground Control Device 10, the communication units 21 and 23 of the Ground Control Device 20, and the communication units 31 and 33 of the Ground Control Device 30 are interfaces that support communication methods such as Ethernet. The control unit 12 of the Ground Control Device 10, the control unit 22 of the Ground Control Device 20, and the control unit 32 of the Ground Control Device 30 are implemented by processing circuits. The processing circuits may be a processor and memory that execute programs stored in memory, or they may be dedicated hardware.
[0048] FIG. 8 is a diagram showing an example in the case where a processing circuit 90 that realizes the ground control device redundancy system 1 according to Embodiment 1 is constituted by a processor 91 and a memory 92. When the processing circuit 90 is constituted by the processor 91 and the memory 92, each function of the processing circuit 90 of the ground control device redundancy system 1 is realized by software, firmware, or a combination of software and firmware. The software or firmware is described as a program and stored in the memory 92. In the processing circuit 90, the processor 91 reads out and executes the program stored in the memory 92, thereby realizing each function. That is, the processing circuit 90 includes a memory 92 for storing a program in which the processing of the ground control device redundancy system 1 is ultimately executed. Also, these programs can be said to cause a computer to execute the procedures and methods of the ground control device redundancy system 1.
[0049] The above program causes the ground control device redundancy system 1 to execute a standby step in which the ground control device 30 waits in a cold standby state with the power off while the ground control device 20 that constitutes a dual system by hot standby together with the ground control device 10 and the ground control device 20 is operating normally, a control step in which the control circuit 40 performs control to turn on the power of the ground control device 30 when the ground control device 10 or the ground control device 20 fails, and an operation start step in which the ground control device 30 starts operating by taking over the information used in the failed ground control device 10 or the ground control device 20 when the power is turned on.
[0050] Here, the processor 91 may be a CPU (Central Processing Unit), processing unit, arithmetic unit, microprocessor, microcomputer, or DSP (Digital Signal Processor). The memory 92 may be, for example, a non-volatile or volatile semiconductor memory such as RAM (Random Access Memory), ROM (Read Only Memory), flash memory, EPROM (Erasable Programmable ROM), EEPROM (Registered Trademark) (Electrically EPROM), magnetic disk, flexible disk, optical disk, compact disk, minidisc, or DVD (Digital Versatile Disc).
[0051] Figure 9 shows an example of a case where the processing circuit 93 that realizes the ground control device redundant system 1 according to Embodiment 1 is configured with dedicated hardware. When the processing circuit 93 is configured with dedicated hardware, the processing circuit 93 shown in Figure 9 may be, for example, a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or a combination thereof. Each function of the ground control device redundant system 1 may be realized by the processing circuit 93 separately for each function, or each function may be realized together by the processing circuit 93.
[0052] Furthermore, some of the functions of the ground control device redundancy system 1 may be implemented using dedicated hardware, while others may be implemented using software or firmware. In this way, the processing circuit can implement the above-mentioned functions using dedicated hardware, software, firmware, or a combination thereof.
[0053] As described above, according to this embodiment, in the ground control device redundancy system 1, the ground control devices 10 and 20 of the hot standby circuit 70 constitute a redundancy system using hot standby, and the ground control device 30 constitutes a redundancy system using cold standby. If the ground control device 10 or the ground control device 20 fails, the ground control device 30 that has not failed will operate as the primary system, taking over the IP address used by the failed ground control device 10 or the ground control device 20, and will start operating as the secondary system in a state where it can communicate with the interlocking device 2. Furthermore, when the failed ground control device 10 or the ground control device 20 recovers, the ground control device 30 will perform control to turn off its own power. The failed ground control device 10 or the ground control device 20 will start operating as the secondary system in a state where it can communicate with the interlocking device 2. In this way, the ground control device redundancy system 1 avoids an unstable control state by performing a state transition in which one ground control device operates as the primary system and one ground control device operates as the secondary system.
[0054] As a result, the Ground Control Device Redundancy System 1 can improve the overall system availability and the lifespan of the Ground Control Devices by combining Ground Control Devices 10 and 20 operating in hot standby mode with Ground Control Device 30 operating in cold standby mode. The Ground Control Device Redundancy System 1 can control train operations by communicating with an external interlocking device 2 while maintaining a redundant configuration of Ground Control Devices. Furthermore, the Ground Control Device Redundancy System 1 is also applicable when the interlocking device 2 can only accept communication from two specified IP addresses, IP address A and IP address B in this embodiment.
[0055] In addition, the description above describes a case where the Ground Control Device Redundancy System 1 combines a dual-system hot standby system consisting of Ground Control Devices 10 and 20 with a cold standby system in which Ground Control Device 30 is powered off and on standby. However, the number of Ground Control Devices constituting the hot standby system is not limited to two, nor is the number of Ground Control Devices constituting the cold standby system limited to one. In the Ground Control Device Redundancy System 1, the number of Ground Control Devices constituting the hot standby system may be three or more, and the number of Ground Control Devices constituting the cold standby system may be two or more. Furthermore, the monitoring network 61 and control network 62, which are self-contained within the Ground Control Device Redundancy System 1, may be combined into a single network if it is possible to use a common communication method.
[0056] Embodiment 2. Embodiment 1 described the case where the ground control device 10 or the ground control device 20 fails in the ground control device redundancy system 1. Embodiment 2 describes the case where the control circuit 40 fails in the ground control device redundancy system 1.
[0057] In Embodiment 2, the configuration of the ground control device redundancy system 1 is the same as the configuration of the ground control device redundancy system 1 in Embodiment 1 shown in Figure 1 and the like. In Embodiment 2, the control circuit 40 performs control to turn off the power to the ground control device 30 when it itself, i.e., the control circuit 40, fails.
[0058] In the redundant ground control system 1, if multiple ground control devices operate as primary systems, the control may become unstable, potentially affecting train operation control. If the control circuit 40 fails, depending on the cause of the failure, it may not be able to correctly grasp the operating status of ground control devices 10, 20, and 30. For example, as a result of not being able to correctly grasp the operating status of ground control devices 10, 20, and 30, the control circuit 40 may mistakenly assume that ground control device 10 or 20 has failed, even though they are operating normally, and may supply power from the power supply unit 50 to the communication unit 31 and control unit 32 of ground control device 30. In the redundant ground control system 1, if ground control device 30 is powered on even though ground control devices 10 and 20 are operating normally, and then uses the IP address of either ground control device 10 or 20, the control will become unstable. Therefore, in order to avoid a situation in which the control of the ground control device redundant system 1 becomes unstable, the control circuit 40 performs a control to turn off the power to the ground control device 30 when it itself, i.e., the control circuit 40, fails.
[0059] When the control circuit 40 fails, it controls the power supply 50 so that power is not supplied to the communication unit 31 and control unit 32 of the ground control device 30, regardless of whether the ground control device 10 and ground control device 20 are operating normally as shown in Figure 1, or whether the ground control device 10 has failed as shown in Figure 2. Furthermore, when the control circuit 40 fails, it controls the power supply 50 so that power is not supplied to the communication unit 31 and control unit 32 of the ground control device 30, regardless of whether the ground control device 20 has failed as shown in Figure 10, or whether both the ground control device 10 and ground control device 20 have failed as shown in Figure 11. Figure 10 is a first diagram showing the control state of the control circuit 40 in the ground control device redundant system 1 according to Embodiment 2. Figure 11 is a second diagram showing the control state of the control circuit 40 in the ground control device redundant system 1 according to Embodiment 2.
[0060] As described above, according to this embodiment, the control circuit 40 performs a control to turn off the power to the ground control device 30 if it fails. As a result, the ground control device redundancy system 1 can avoid an unstable control state by performing a defined state transition even if the control circuit 40 fails.
[0061] The configurations shown in the above embodiments are examples only, and it is possible to combine them with other known technologies, combine different embodiments, and omit or modify parts of the configuration without departing from the gist of the invention.
[0062] 1. Ground control unit redundancy system, 2. Interlocking device, 10, 20, 30. Ground control unit, 11, 13, 21, 23, 31, 33. Communication unit, 12, 22, 32. Control unit, 40. Control circuit, 50, 51. Power supply unit, 60. Communication network, 61. Monitoring network, 62. Control network, 70. Hot standby circuit, 90, 93. Processing circuit, 91. Processor, 92. Memory.
Claims
1. A redundant ground control system for controlling train operations together with an interlocking device, comprising: a first ground control device; a second ground control device that forms a redundant system with the first ground control device via hot standby; a third ground control device that remains in a cold standby state with its power off while the first and second ground control devices are operating normally; and a control circuit that controls the power of the third ground control device to be turned on when the first or second ground control device fails, wherein the third ground control device starts operating by taking over the information used by the failed first or second ground control device when its power is turned on.
2. The ground control device redundancy system according to claim 1, characterized in that when the first ground control device fails, the third ground control device takes over and uses the first address that the first ground control device used when communicating with the interlocking device as the information, and starts operating as a secondary system with respect to the second ground control device which is operating as the primary system, and when the second ground control device fails, the third ground control device takes over and uses the second address that the second ground control device used when communicating with the interlocking device as the information, and starts operating as a secondary system with respect to the first ground control device which is operating as the primary system.
3. The ground control device redundancy system according to claim 2, characterized in that the first ground control device, the second ground control device, and the third ground control device check the status information of the other ground control devices, the third ground control device holds the information of the first address and the second address, and if it is determined as a result of the status information check that the first ground control device has failed, it uses the first address, and if it is determined that the second ground control device has failed, it uses the second address.
4. The ground control device redundancy system according to claim 3, characterized in that, as a result of the verification of the survival information, the third ground control device outputs a signal to the control circuit to turn off the power to the third ground control device when it determines that the first ground control device or the second ground control device that was malfunctioning has recovered, the control circuit performs control to turn off the power to the third ground control device when it receives a signal to turn off the power to the third ground control device, and the first ground control device or the second ground control device that has recovered from the malfunction starts operating in the dependent system after the power to the third ground control device has been turned off as a result of the verification of the survival information.
5. The ground control device redundancy system according to any one of claims 2 to 4, characterized in that the third ground control device acquires control information used for controlling the operation of the train, including the train's position information, from the second ground control device when the first ground control device fails, and acquires control information used for controlling the operation of the train, including the train's position information, from the first ground control device when the second ground control device fails.
6. The ground control device redundancy system according to any one of claims 1 to 5, characterized in that the control circuit performs control to turn off the power to the third ground control device when it fails.
7. A method for ground control device redundancy of a ground control device redundancy system that controls the operation of a train together with an interlocking device, wherein the ground control device redundancy system comprises a first ground control device, a second ground control device, a third ground control device, and a control circuit, the method comprising: a standby step in which the third ground control device waits in a cold standby state with its power off while the second ground control device, which together with the first ground control device and the first ground control device to form a dual system by hot standby, is operating normally; a control step in which the control circuit controls the power to turn on the third ground control device when the first ground control device or the second ground control device fails; and an operation start step in which the third ground control device starts operating after taking over the information used by the failed first ground control device or the second ground control device when its power is turned on.
8. The ground control device redundancy method according to claim 7, characterized in that, in the operation start step, the third ground control device takes over and uses the first address that the first ground control device used when communicating with the interlocking device as the information when the first ground control device fails, and starts operating as a secondary system with respect to the second ground control device operating as the primary system, and when the second ground control device fails, takes over and uses the second address that the second ground control device used when communicating with the interlocking device as the information, and starts operating as a secondary system with respect to the first ground control device operating as the primary system.
9. The ground control device redundancy method according to claim 8, comprising a survival information confirmation step in which the first ground control device, the second ground control device, and the third ground control device confirm the survival information of the other ground control devices, wherein in the operation start step, the third ground control device holds information of the first address and the second address, and if it is determined as a result of the survival information confirmation that the first ground control device has failed, it uses the first address, and if it is determined that the second ground control device has failed, it uses the second address.
10. The ground control device redundancy method according to claim 9, comprising: an operation termination step in which the third ground control device outputs a signal to the control circuit to turn off the power to the third ground control device when it determines, as a result of the confirmation of the survival information, that the first ground control device or the second ground control device that was malfunctioning has been restored; a first power off step in which the control circuit performs control to turn off the power to the third ground control device when it receives a signal to turn off the power to the third ground control device; and a recovery step in which the first ground control device or the second ground control device that has been restored from a malfunction starts operating in the dependent system after the power to the third ground control device has been turned off as a result of the confirmation of the survival information.
11. The ground control device redundancy method according to any one of claims 8 to 10, characterized in that, in the operation start step, the third ground control device obtains control information used for controlling the operation of the train, including the train's position information, from the second ground control device when the first ground control device fails, and obtains control information used for controlling the operation of the train, including the train's position information, from the first ground control device when the second ground control device fails.
12. The ground control device redundancy method according to any one of 7 to 11, characterized in that the control circuit performs a second power-off step in which it controls the power to the third ground control device when it fails.