Field of the Invention
The present invention relates to generating vital messages and, in particular, to a system, method, and apparatus for generating vital messages on an on-board system of a vehicle.
Description of Related Art
As is known in the art, many train systems and networks use some form of computer-controlled train management system, such as a Positive Train Control (PTC) system (e.g., the I-ETMS® of Wabtec Corporation). These computer-controlled train management systems have on-board computers or controllers that are used to implement certain train control and management actions for ensuring safe and effective operation of the train. In addition, such PTC systems include communication components for effecting direct or indirect communication between individual trains, e.g., an on-board computer, a train management computer, a PTC on-board component, or the like, and a centralized remote system, e.g., a back office server (BOS), a central dispatch system, another train management computer, or some other remote server or computer system. These communications are used to safely operate the train in a complex network, as controlled and managed by the BOS.
While some communications and messages between trains, or between a train and the back office server, are routine or “non-critical,” many of the communications and messages are considered vital, critical, and/or “safety critical”. Such communications and messages may include, without limitation, messages that assist in train routing and traffic control in the track network. In particular, and to support other PTC components, the PTC on-board component must be capable of transmitting or sending vital messages containing safety critical data. There remains a need for a solution that can demonstrate that multiple processors are contributing to the vital message, and that one processor is not doing all of the processing (or bypassing a validation step due to an internal failure), such that the failure of one processor to correctly build or generate the message does not result in a message being sent that contains incorrect data.
With respect to existing messaging logic, when the PTC on-board component sends a message, each CPU will build the message and attempt to send it. Due to the architecture of the system (e.g., three redundant, independent CPUs running in parallel with the intent that they are all producing the same outputs), only the message built by the primary CPU (e.g., the CPU responsible for control decisions among parallel processors) will be sent out from the PTC on-board component. This logic can create an unsafe scenario if the primary CPU is out of synchronization with the other CPUs, or if the primary CPU builds or generates the message with incorrect data. If the primary CPU is not in synchronization with the other CPUs, it may send a message that the other CPUs did not actually send (e.g., locomotive system state report), or it may send a message with different content than the other CPUs attempted to communicate. In existing systems, there is no coordination between the CPUs to ensure that multiple CPUs should be sending the same message, or that the message has been built with correct data. A schematic diagram of such existing messaging logic is illustrated in FIG. 1.
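The failure modes of the primary-only logic described above can be modelled in a few lines. This is an added example, not code from the patent or from any PTC product. The CPU names A/B/C, the payload layout, and the verdict labels are assumptions, and `audit` only illustrates the cross-CPU comparison that the existing logic lacks.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample payloads; the field layout is hypothetical, not a PTC wire format.
GOOD = b"LOCO_STATE_REPORT|train=1234|speed_mph=42"
BAD = b"LOCO_STATE_REPORT|train=1234|speed_mph=24"

# Each scenario maps a CPU name to the payload it built (None = it built nothing).
IN_SYNC = {"A": GOOD, "B": GOOD, "C": GOOD}
WRONG_CONTENT = {"A": BAD, "B": GOOD, "C": GOOD}   # primary built incorrect data
SENT_ALONE = {"A": GOOD, "B": None, "C": None}     # primary out of synchronization

Built = Dict[str, Optional[bytes]]


def existing_logic(built: Built, primary: str) -> Optional[bytes]:
    """Behaviour described above: the primary's build is transmitted as-is."""
    return built[primary]


def fingerprint(payload: Optional[bytes]) -> Optional[str]:
    """Digest used to compare builds without comparing raw buffers."""
    return None if payload is None else hashlib.sha256(payload).hexdigest()


def audit(built: Built, primary: str) -> Tuple[str, List[str]]:
    """Compare the primary's build with every peer's and name the dissenters."""
    ref = fingerprint(built[primary])
    peers = sorted(cpu for cpu in built if cpu != primary)
    dissent = [cpu for cpu in peers if fingerprint(built[cpu]) != ref]
    if not dissent:
        return "consistent", []
    if ref is not None and all(built[cpu] is None for cpu in peers):
        return "unsent_by_peers", dissent
    return "content_mismatch", dissent


if __name__ == "__main__":
    scenarios = [("in sync", IN_SYNC), ("wrong content", WRONG_CONTENT),
                 ("sent alone", SENT_ALONE)]
    for name, scenario in scenarios:
        sent = existing_logic(scenario, "A")
        print(f"{name}: transmitted={sent!r} audit={audit(scenario, 'A')}")
```

In the second and third scenarios `existing_logic` still transmits the primary's payload; only the separate comparison reveals that no other CPU produced it.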