A goal of automatic train operation systems is to eliminate the need for an operator aboard the locomotive. Automatic train operation systems may integrate multiple control systems with an end result of driverless operation of the locomotive. The system must be accompanied by proven safety cases and software validation. As such, only specific, approved combinations of control system software will be allowed to be used. There exists a need for a method of enforcing the required software combinations onboard the locomotive.
One proposed implementation of software validation is described in U.S. Patent Application Publication No. 2014/036851 A1 (“the '851 publication”). The train information managing apparatus of the '851 publication operates according to predetermined control software. Software is also used in the devices in other cars that are communicatively connected to the central train information managing apparatus, which runs the control software. Train information managing apparatuses each include a plurality of pieces of control software of versions different from each other. When functions related to each other in the control software of the train information managing apparatus and the software used in the devices are improved, it is necessary to simultaneously update the control software and the software of the devices. The train information managing apparatus compares version information of software for all devices in a formation and version correspondence information included in each of the plurality of pieces of control software. Then, the train information managing apparatus discriminates control software including version correspondence information consistent with the version information of the software for all the devices in the formation. When the discriminated, or preferred, control software is different from already-started control software, the train information managing apparatus selects and starts the discriminated control software, and transmits a switching command for switching from the already-started control software to the discriminated control software to all of the devices in the formation.
The method and system provided by the '851 publication may be subject to a number of possible drawbacks. For example, the method and system of the '851 publication only provides for version control of the same type of software running on different devices. It does not provide a means of coordinating multiple versions of multiple types of software running on different subsystems within a larger system. Further, it does not provide a mechanism for verifying the proper software prior to operating the locomotive. There is no safety mechanism in place to prevent the locomotive from running if it is using unauthorized software.
The presently disclosed systems and methods are directed to overcoming one or more of the problems set forth above and/or other problems in the art.