The present invention relates to a railway signal system, both for control of crossing gates and for control of train movement and more particularly relates to insuring that the output of a signal module will be fail-safe or what is described in the railroad environment as having vitality.
Installations for railway signaling, crossing gate operation and control of train movement must exhibit fail-safe or vital characteristics. By xe2x80x9cvitalxe2x80x9d it is meant that the installation is guarded against failures and if a failure occurs, the failure produces a safe or restrictive mode of operation or control of the particular device. For example, if the signal module of the present invention controls a right-of-way signal, upon indication of a non fail-safe or non vital output signal, the signal device would turn red. Similarly, the crossing gates would come down if there was an indication of a non vital output from the module controlling operation of the crossing gate.
The present invention insures vitality by what is termed a cryptographic safe drive. Such a device insures that there cannot be an output signal of a type to permit traffic to pass or crossing gates to remain in a raised condition unless it is absolutely certain that the output signal is valid. This is accomplished in the present invention through the use of two independent comparison procedures. A master microcontroller generates both a periodic clock signal and sequential pseudo-random numbers. The master microcontroller is connected to a plurality of slave microcontrollers, each of which also generates a sequence of pseudo-random numbers. The numbers are generated in each instance by shift registers which are identical and are programmed to operate in an identical sequence.
The master microcontroller sends a clock signal at repeated intervals to a designated slave microcontroller which has been indicated to require a certain output signal. The master microcontroller also sends the currently available pseudo-random number provided by its shift register to the slave microcontroller. If the clock signal from the master is received at the slave within a predetermined time window, then, and only then, will the pseudo-random numbers from the master and the slave be compared. If the comparison indicates such numbers are identical, then the slave microcontroller will provide an output signal which statistically is known to be valid.
The present invention relates to railroad vital signal output modules and in particular to such a module which uses a comparison of pseudo-random numbers generated at two separate locations to insure vitality of the module output.
A primary purpose of the invention is an apparatus and method of using such apparatus which provides for two separate steps of comparison between master and slave microcontrollers to insure vitality of an output signal at a slave microcontroller.
Another purpose of the invention is to provide a control module and method for using such control module which includes the use of periodic clock signals and sequentially changing pseudo-random numbers, with the receipt of a clock signal within a predetermined window of time at a slave microcontroller permitting comparison of separately generated pseudo-random numbers and if such a comparison shows identical numbers, the module provides a valid output signal.
Another purpose of the invention is to provide a vital signal control module as described which includes a feedback path from the output of a slave microcontroller to the master microcontroller, which output is used to verify the functionality of the slave microcontroller.
Another purpose of the invention is to provide a railroad vital signal output module which is usable in a geographic train control such as shown in U.S. Pat. No. 5,751,569.
Another purpose of the invention is to provide a railroad vital signal output module as described which has substantially enhanced reliability and substantially reduced cost over prior modules for the same purpose.
Another purpose is a signal module as described which overcomes many of the defects of prior vital railroad signal modules.