Railway control system grow increasingly more complex and the controlled area larger as modern centralized traffic control methods are implemented. Since the areas controlled extend over long distances of track and employ a large number of switch machines, signals, and track circuits, each of which is connected to the central control office, the communication means provided for carrying control signals must at least maintain the traditional standards of vital railway safety.
Safety philosophy in railway control dictates that any control signal must be proved to be genuine before it can be acted upon and, moreover, a change to a further control state can only be implemented when the further control signal has been proved to be genuine. Similar criteria also apply to signals which only indicate, e.g., those which indicate whether a track circuit is occupied or unoccupied should, if faulty, indicate an occupied state. Reliability is of great importance, that is, there should be the highest possible mean time between failures. But of even greater importance is the continued integrity or vital operation of the system so that when any fault occurs which can result in a wrong command or status indication being given, then that command or indication signal must automatically go to its most safe state. Failure to safety requirements impose an overriding dictum that where any control signal cannot be proved genuine, or upon occurrence of any failure, the system must remain in or automatically revert to its most safe state.
In design of the system, it may be that the most safe state is also an operating state, as in the case of track circuits indicating the location of a train and signal lamps controlling the passage of a train. Thus in the course of normal fault free operation, those states may be selected. Confidence in the control system will be greater if a distinction is drawn between a failure to a safe state and genuine operation to that state. In the latter case, it is implied that another operational state can be selected at will, subject to safety restraints, but in the former case remedial action has to be carried out. Further, in a railway control system, the control signals may not be required to change for long periods of time, i.e., they are quasi-static, so that a build up of uncorrected faults may lead to an unsafe situation from wrong assumptions made when diagnosis of multiple faults is attempted. This is particularly true of multiplexed communication systems where many control paths share common equipment.
Accordingly, an object of our invention is communication channel apparatus for checking the proper transmission of digital signature codes by periodically transmitting an error signal whose receipt is checked by corresponding programmed receivers.
Another object of the invention is communication apparatus for transmitting digital codes over a communication channel in which periodic, varied errors are included to actuate an error check element at the receiver location which registers a transmission fault if the error check does not correspond to a predetermined pattern.
A further object of the invention is to provide a communication channel for use in a railway control system which is vital in operation and which can distinguish whether the channel output corresponding to a safe state is operating in that state or has failed.
Yet another object of the present invention is apparatus for checking the operational status of a quasi-static digital communication channel comprising a transmitter including a signature pattern generator connected to provide for transmission of an output having a periodic signature and an error pattern generator operative to periodically corrupt the signature pattern at a rate less than the signature repetition rate, a transmitting medium, and a receiver including a signature detector operative to correlate the reception of successive signatures to energize a receiver output and an error pattern detector operative over a plurality of signature periods to correlate the pattern of received errors to prove that the channel has not failed to a mode corresponding to the receiver output energized.
Other objects, features and advantages of the invention will become apparent from the following description and appended claims when taken in connection with the accompanying drawings.