The invention generally relates to a Door Controller Unit (DCU) of the type typically used to control the operation of a door operator for a doorway of a passenger transit vehicle. More particularly, the invention relates to a system and method for verifying the authenticity of the door control signals that the DCU receives from a Central Door Controller (CDC).
The background information below is provided to assist the reader to understand the environment in which the invention will typically be used. The terms used herein are therefore not intended to be limited to any particular narrow interpretation unless explicitly stated otherwise in this document.
Shown in FIG. 1 is a typical passenger transit train. It has a lead railcar 16 and a plurality of trailing railcars 16 each linked serially by means of a mechanical coupler. Various electrical trainlines span the length of the train. Each trainline is composed of a series of interconnected wires or wire pairs, with each such wire/pair bundled (along with the wires/pairs of the other trainlines) within a protective conduit contained within each railcar. Each such conduit connects via a connector to another such conduit on a neighboring railcar so as to extend each trainline along the train. These trainlines are used to carry the electrical signals that are needed to operate and control the various systems on each railcar in the train.
Each railcar in the train typically has its own power distribution network (LVDN) from which it provides the relatively low voltage needed to power all of the electrical/electronic systems on the vehicle. The power level provided to the LVDN typically ranges from 12 to 150V dc (52V dc nominal), depending on the particular type of railcar at issue and the power requirements imposed by the transit authority.
Like the lead railcar, each of the trailing railcars may be equipped with one or more motors and a propulsion controller unit with which to control them. These propulsion controllers are connected by one or more trainlines to a master controller unit (MCU) located in the lead railcar. Using the controls of the MCU, a train operator can control, in addition to the mechanical brakes on each railcar, the operation of all of the propulsion controllers in the train. It is thus from the MCU that the train operator can operate the motors on all railcars in unison to propel or brake the train.
Transit railcars each have one or more doorways 12 through which passengers can enter and exit the vehicle. For railcars with more than one doorway, the openings 12 may be located in the same sidewall or opposite sidewalls of the vehicle. Near each doorway 12 is installed a Door Hardware System (DHS), also referred to as a door operator 15, to which the door panel(s) attach. The door operator is what actually moves the door panel(s) back and forth over the doorway to open and close the doors, depending on whether its pneumatic or electric motor is commanded to operate in the opening or closing direction. Plug doors, pocket doors, outside sliding doors and station platform doors are just some examples of the types of door systems currently being used in the transit industry.
The doors of the railcars in a passenger train are also centrally controlled from the lead railcar. Specifically, a central door controller (CDC) 1 housed in the lead railcar communicates with, and controls, one or more door controller units (DCU) 74 on each railcar through a number of discrete door control trainlines. The central command (i.e., door control) signals that the CDC 1 conveys along these trainlines each typically takes the form of a DC signal, the exact level depending on the requirements imposed by the transit authority. Each DCU 74 controls one or more door operators 15, and their associated motors, based on the input signals that it receives from two sources: (1) the central command (i.e., door control) signals received from the CDC 1 via such trainlines and (2) the various local door hardware signals received from the door operator(s) 15 and related hardware.
Transit authorities typically use a separate trainline to convey, to the DCUs on every railcar in the train, each of the central command signals. The following central command signals are typical: door unlock, door open, door close, door lock, side select enable, cliff side select enable, zero speed, park brake applied, and low speed. As noted earlier, there are many different types door systems in use in the passenger transit industry. Consequently, not every transit authority uses every one of the aforementioned central command signals. In some systems, for example, the door unlock and lock signals may be subsumed by the door open and close signals, respectively.
Each door control trainline typically takes the form of a single-switched input format or a doubled-switched input format. The particular format depends on the preference and tradition of the transit authority at issue. In the single-switched format, only the main input line is activated when a central command signal is sent, its associated return line (commonly the ground) being hardwired to the CDC. In the doubled-switched format, both the input line and its associated return are activated together at the CDC. When a double-switched input is not in use, both of its lanes are shorted together at the CDC to reduce the chance that unwanted bias voltages (or ground loops) will inadvertently be interpreted by a DCU as a valid incoming central command signal.
The electrical characteristics of the central command signals are also prescribed by the transit authorities. Some transit authorities implement their central command signals as a xe2x88x9250V DC signal, referenced to ground. The voltage, current, polarity and other attributes of the central command signals, however, vary among transit authorities. For this reason, the input circuitry of a DCU must be designed to comport with the input requirements imposed by the transit authority.
The electromagnetic environment in which a transit train operates has profound affect on the electronic circuitry of a DCU. As an electrically powered conveyance, a transit train typically acquires the energy it needs to power its operations from an overhead catenary, a third rail or similar power carrying conduit. An energy collector, mounted to at least one railcar in the train, rides along the power conduit as the train travels along its route of travel. The energy is conveyed from the power conduit through the energy collector and ultimately delivered to the power distribution networks and the propulsion controller units on the train. It is well known that voltages spikes are inflicted on the powered systems of a moving train as the energy collector bridges the small gaps between adjacent segments of the power conduit. Nearby radio and TV transmitters, power transmission lines, lightning, cellular telephones and other emissive sources add to the hostile electromagnetic environment in which the electrical/electronic systems of the train operate.
These adverse electrical influences tend to induce unwanted voltages and other spurious noise within the door control trainlines. Unless filtered out by the input circuitry of a DCU, such electrical noise can obscure, or, under the right conditions, even be confused with, the electrical characteristics of the central command signals. Left unfiltered, or otherwise inadequately protected, such noise can conceivably be interpreted by a DCU as a valid incoming central command signal and cause the doors to operate unintendedly. For this reason, transit authorities usually require the door control trainlines to be well filtered and optically coupled to the DCUs.
The input circuitry of prior art DCUs have therefore been designed to include filter circuitry and an optocoupler for each one of the discrete door control trainlines strung from the CDC. Commonly used to couple electronic systems that operate at different voltages, each optocoupler in a DCU provides high electrical isolation between one trainline input and its corresponding electronics inside the DCU. An optocoupler does this by converting the incoming central command signal to light and then reconverting it to an electrical signal for use by the DCU. The optocouplers serve collectively to isolate a DCU from the high voltages that may be induced in the trainlines. Together the filter circuitry and optocouplers prevent the transmission of unwanted noise and protect against the adverse electrical influences that could otherwise damage a DCU and, worse, cause its doors to operate unintendedly.
Despite their widespread use in the transit industry, optocouplers pose several problems to the designers of DCUs. Some of these problems are just inherent to optocoupler devices, regardless of the manufacturer. It is well known that an optocoupler exhibits a variety of failure modes and, consequently, a very poor life expectancy. Other failure modes notwithstanding, an optocoupler as it ages will experience a steady degradation in its performance. This is manifested as a gradual loss over time in its ability to emit light. Bad optocouplers have caused prior art DCUs to fail to recognize, and thus fail to react to, the incoming door control signals.
Optocouplers have traditionally been incorporated into prior art DCUs in a manner that delays the detection of failed optocouplers. Most manufacturers have programmed their DCUs to take appropriate protective action whenever a central command signal is received out of sequence or not received at all. For example, reception of a door close signal while the doors are closed could indicate that an earlier door open signal was not received. Such a fault could trap passengers within the affected railcar because the train might be leaving the station by the time the failure is reported to the DCU. A degraded optocoupler in the door open trainline can cause just such a failure. It would be preferable, of course, to make the train operator aware of the problem when, not after, the fault has occurred. Unfortunately, all prior art DCUs are known to be incapable of detecting a failure in any of their optocouplers until there is a disruption in the normal sequence in which the central command signals, and related signals, are received. A method of, or circuitry for, detecting a failed optocoupler earlier in the sequence, without the need to wait for such a disruption, would be a welcome development in the passenger transit industry.
It is, therefore, a primary objective of the invention to provide a system and method for verifying the authenticity of input signals used in the operation of an apparatus.
Another objective is to provide a mirror-image optoisolator device that optically couples an intelligent DCU (IDCU) to the trainlines strung from a CDC of a train and conveys the two separately optically isolated signals generated by the device for each trainline to two separate, but mirror-imaged, locations in separate input registers in the IDCU.
Yet another objective is to provide a mirror-image optoisolator device that can be used to optically couple any suitable electronic apparatus to the electrical lines strung from external componentry and to convey the two separately optically isolated signals generated by the device for each line to two separate, but mirror-imaged, locations in separate registers in the apparatus, as part of a system and/or method to assure not only the veracity of the incoming input signals but also the integrity of the circuitry itself.
Still another objective of the invention is to isolate electrically the electronic circuitry of a DCU from the potentially harmful electrical influences often induced in the discrete trainlines that are used to carry input signals from a central door controller (CDC) to the DCU.
A further objective is to endow the aforementioned system and method with the ability to test the operation and integrity of the I/O-CPLD, the complex programmable logic device that handles the input and output functions of the IDCU.
In addition to the objectives and advantages listed above, various other objectives and advantages of the invention will become more readily apparent to persons skilled in the relevant art from a reading of the detailed description section of this document. The other objectives and advantages will become particularly apparent when the detailed description is considered along with the drawings and claims presented herein.
In a presently preferred embodiment, the invention provides a system for verifying the authenticity of input signals used in the operation of an apparatus. The system includes two input registers, a microprocessor unit, and one circuit network for each of the input signals that the apparatus is designed to receive. Each circuit network generates twin binary signals in response to its input signal. Specifically, twin logic one signals are generated by a circuit network when its input signal assumes an active state. Conversely, twin logic zero signals are generated by a circuit network when its input signal assumes an inactive state. Each register has one bit location dedicated to each circuit network. Each circuit network conveys the first binary signal to its proper location in the first input register and the second binary signal, after inversion, to the corresponding, mirror-imaged location in the second input register. The bit order of one input register is thus the reverse of the other. Using an interrupt protocol, the microprocessor unit is alerted whenever any bit in either or both registers changes. Whenever such change is detected, the microprocessor unit reads both input registers to ascertain the state of the bits they contain. Specifically, the bit values in the first input register are read and conveyed to a first work register, with the bit values in the second input register being re-inverted, bit-reordered to again match the bit order of the first input register, and conveyed to a second work register. The microprocessor then compares each bit read from one work register with its corresponding twin bit read from the other work register. As long as each bit and its corresponding twin bit match, the microprocessor will allow the apparatus to operate according to the dictates of the input signal(s) received. If any bit and its corresponding twin bit fail to match, the microprocessor unit will carry out whatever protective action it is programmed to take.
In a related aspect, the invention provides a method of verifying the authenticity of input signals to be used in the operation of an apparatus. The first step of the method involves generating twin representations for each of the input signals. Specifically, for each input signal, the twin representations are manifested either as a logic one or a logic zero, the logic level depending on the state of the input signal. The next step involves conveying the twin representations, for each input signal, to certain designated locations in two input registers. Specifically, for each input signal, a first of the twin representations is conveyed to a dedicated location in the first input register whereas a second of the twin representations, after inversion, is conveyed to a corresponding, mirror-imaged location in the second input register. The bit order of the second input register is thus the reverse of that of the first input register. The next step involves monitoring all of the locations in one or both input registers for whether any bit contained therein has changed. Whenever any such change is detected, the reading step is performed. This involves reading all of the locations of both input registers to ascertain the state of the bits they contain. Specifically, the values of the bits in the first input register are read and then stored locally in a first work register, with the values of the bits in the second register being (i) re-inverted to undo the earlier inversion, (ii) reordered to match again the order of the bits read from the first input register, and (iii) stored locally in a second work register. In the comparison step, each bit in one work register is compared with its corresponding twin bit in the other work register. The outcome of the final step depends on whether all bit pairs match. If each bit read from one work register matches its corresponding twin bit read from the other work register, the final step is manifested as a command to the apparatus to operate according to the dictates of input signal(s) it received. If any bit and its corresponding twin bit fail to match, the final step involves commanding the apparatus to take whatever protective action is deemed appropriate.