Railroad operating processes are safety-critical because any malfunctions which are not detected in time, and whose effect on the process is not prevented, can lead to considerable damage to property and possibly also place people in danger. For this reason, devices which are reliable in terms of signaling technology have been used for controlling such processes. The objective of these devices is to detect malfunctions both within the process to be controlled and within the process control system itself, and to subsequently place the process in a safe state, or leave it in such a state. Such control systems which are reliable in terms of signaling technology can be embodied in different technologies, for example using relay technology or electronic technology. In process control which is reliable in terms of signaling technology using computers, expensive special computers have been used which process the queued processing orders on two channels and continuously compare, by means of signaling technology, processing sequences for correspondence in terms of contents. Control instructions which are produced are output to the process elements of the process to be controlled only if both processing channels have each arrived at the same result; otherwise, the connection to the process is interrupted, unless there is at least one backup computer which can take over, and actually takes over, the functions of the failed computer.
The abovementioned functions of the reliable inputting and outputting of data and the comparison of data with, if appropriate, reliable shutting down of process elements are brought about by the system software of the reliable computers. In addition, the reliable computers have also contained the railroad administration-specific software for the actual process control, for example the signaling cabin operations. The railroad administration-specific software is determined by the operating rules of the respective railroad administration and it describes, for example, the dependencies, predefined by it, of the setting and release of the routes (Signal+Draht [Signal and Wire], 77 (1985) 12, pp. 259–265). The railroad administration-specific software differs not only from railroad administration to railroad administration, but also at least partially from one piece of equipment to another in the same railroad administration. This means that the software which is to be loaded into, and run on, a computer which is reliable in terms of signaling technology differs from one application case to another, it being necessary to prove or make credible the freedom from faults of the loaded software by means of a safety certificate for each application case. Because the system software and the railroad administration-specific software proliferate in each computer, this leads to complex software packages which are difficult to manage and which are time-consuming and costly to produce and to test.
FIG. 2 shows a known computer SR which is reliable in terms of signaling technology, for executing a process by means of preferably identical processing programs in two independent processing channels K1, K2. The reliable computer SR stands for any desired number of computers which are reliable in terms of signaling technology. Their number is determined essentially by the magnitude of the process to be controlled. The process to be controlled is a railroad operating process with which a railroad system BA is to be acted on. As representatives for the process elements of the railroad system, a railroad switch W and a signal S are indicated in the drawing. The control and the monitoring of the process elements is carried out by means of control and monitoring circuits which have been developed for that purpose, which are not explicitly illustrated in the drawing and via which control instructions SB are output by the reliable computer SR to the process elements and messages M are input into the reliable computer from the process elements.
The computer SR which is reliable in terms of signaling technology outputs the messages M transmitted to it by the process to an input and display computer EAR via a communications bus KB. The input and display computer EAR serves, inter alia, for monitoring the railroad operating process according to representation rules defined in the respective railroad operating rules. It is preferably embodied as a computer which is process-protected in terms of signaling technology. Using the input and display computer EAR, the commands K for controlling the railroad operating process are also generated and transmitted to the computer SR which is reliable in terms of signaling technology. The inputting can be carried out here by an operator, for example a stationmaster, or else by means of an automatic system, for example for automatic points changing or the transit mode.
The messages and commands are processed in the computer which is reliable in terms of signaling technology, on two channels in accordance with the conditions and dependencies which are defined in the respective operating rules of a railroad operator. The data, addresses and control signals which are respectively present on the buses of the two processing systems are continuously compared with one another in a way which is reliable in terms of signaling technology in order to be able to detect immediately any discrepancies. Test programs ensure that the input/output register of the reliable computer and its program memories and main memories as well as its address registers are checked within predefined minimum time periods to determine whether their memories can assume either the one state or the other. Any malfunctions are thus detected in an event-controlled or time-controlled fashion and lead to the external equipment being reliably shut down: control instructions to railroad switches can then no longer be output and the signals go to the Stop setting.
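The release rule described above (an instruction reaches the process elements only when both channels agree; otherwise signals go to Stop and switches receive nothing) can be sketched as follows. This is an added example, not code from the source: the command encoding, array sizes and all identifiers are assumptions, the comparison is done on channel results rather than on bus signals, and backup-computer takeover is not modeled.

```c
#include <stdbool.h>

/* Constructed model of the two-channel computer SR; all names, sizes and
   the command encoding are assumptions for illustration. */
#define N_SIGNALS  2
#define N_SWITCHES 2
enum { ASPECT_STOP = 0, ASPECT_PROCEED = 1 };
enum kind { CMD_SIGNAL = 1, CMD_SWITCH = 2 };

struct cmd { int kind, element, value; };              /* control instruction SB */
struct ba  { int signal[N_SIGNALS], sw[N_SWITCHES]; }; /* railroad system BA */
typedef struct cmd (*channel_fn)(unsigned k);
struct sr  { channel_fn k1, k2; bool shut_down; };     /* shut_down is latched */

/* Processing program, loaded identically into both channels (toy decode). */
struct cmd process(unsigned k) {
    struct cmd c = { (int)(k >> 8) & 3, (int)(k >> 4) & 15, (int)k & 1 };
    return c;
}

/* The same program with a simulated single-bit fault in its result. */
struct cmd process_faulty(unsigned k) {
    struct cmd c = process(k);
    c.value ^= 1;
    return c;
}

static bool same(struct cmd a, struct cmd b) {
    return a.kind == b.kind && a.element == b.element && a.value == b.value;
}

/* One cycle: returns true only if an instruction was released to BA. */
bool sr_step(struct sr *sr, struct ba *ba, unsigned k) {
    struct cmd a = sr->k1(k), b = sr->k2(k);
    if (sr->shut_down || !same(a, b)) {
        sr->shut_down = true;                 /* nothing in this model clears it */
        for (int i = 0; i < N_SIGNALS; i++)   /* signals go to Stop */
            ba->signal[i] = ASPECT_STOP;
        return false;                         /* switches get no instruction */
    }
    if (a.kind == CMD_SIGNAL && a.element < N_SIGNALS)
        ba->signal[a.element] = a.value;
    else if (a.kind == CMD_SWITCH && a.element < N_SWITCHES)
        ba->sw[a.element] = a.value;
    else
        return false;                         /* agreed but invalid: ignore */
    return true;
}
```

Once the latch is set, later cycles are refused even if the channels agree again, so a transient fault cannot silently re-enable outputs.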
Because the conditions and dependencies which are predefined by the respective operating rules of a railroad administration, and which are represented in the drawing by elliptical place markers BO, are stored in the program memories of the reliable computer SR and intermingled with the system software, the software which is stored in the reliable computers in order to control the railroad operating process is individual software which is very complex and extraordinarily costly both to produce and to test.