1. Field of the Invention
The present invention generally relates to Electro-Pneumatic (EP) brake systems for railway trains and, more particularly, to a fail safe circuit for computer controlled railroad train brake systems.
1. Background Description
Electro-Pneumatic (EP) brakes for railway trains are controlled by radio frequency (RF) wireless transmission from a locomotive control unit (LCU), sometimes referred to as a head end unit (HEU), in the cab of the lead locomotive to an end of train (EOT) unit attached to the last car of the train. When a service brake application is made at the locomotive by operating the engineer's brake valve device, a coded radio signal corresponding to the level of braking requested by the engineer is transmitted to the EP brake control system in the EOT which initiates a service brake application sequence at the rear of the train. In the event of an emergency brake application requiring venting the brake pipe to atmosphere, the coded radio signal causes the EP brake control system to initiate an emergency brake application sequence at the EOT. The EP brake control system controls the various solenoid operated valves in the EOT according to the nature of the radio signal received and decoded.
The EP control system in the EOT is a microprocessor controlled unit which is battery powered. A failure of the microprocessor during a brake application can result in a release of the brakes. Such a failure of the microprocessor could be caused by several things, including but not limited to a failure of the battery supply and a failure (even temporary) of the microprocessor itself. For example, typically a brake application takes thirty seconds. If at any time during these thirty seconds the microprocessor were to fail in a way that the wrong commands are sent to the solenoids that drive the valve, an erronous brake application or the release of the brakes in the whole train could result.
A fail safe strategy is needed for safety of brake application because, after a service brake application is underway, one cannot allow a microprocessor failure to result in a brakes released condition even for the brief time (on the order of 0.2 seconds) that it will take an additional micro watchdog circuit to detect a microprocessor failure. The current system cuts the power off as part of the fail safe strategy so that the microprocessor cannot mistakenly energize the wrong solenoid. The fail safe circuit energizes the solenoid that needs to be energized and cuts off the solenoid that needs to be cut off. A brakes released condition can occur (that is, it may or may not happen) if the release solenoid is de-energized before a brake application is completed.