

Title:
A CONTROL SYSTEM, A METHOD TO OPERATE A CONTROL SYSTEM, A COMPUTER DATA SIGNAL AND A GRAPHICAL USER INTERFACE FOR RAIL-BORNE VEHICLES
Document Type and Number:
WIPO Patent Application WO/2006/051355
Kind Code:
A1
Abstract:
A control system for railway vehicles comprising a plurality of programmable controller (PLC) devices arranged to control signals for railway signalling. Two PLCs (4, 5) are each arranged in an interlocking system to provide a signal to control a signalling operation on at least a part of one or more railway tracks. The PLCs are each connected to at least one communication unit comprising an I/O board, and the interlocking system has redundant software and redundant hardware, and a redundant power supply. In other aspects of the invention a computer program and graphic user interface for carrying out the method are provided.

Inventors:
ROEDSETH NILS-PETTER (NO)
Application Number:
PCT/IB2005/001703
Publication Date:
May 18, 2006
Filing Date:
June 16, 2005
Assignee:
ABB AS (NO)
ROEDSETH NILS-PETTER (NO)
International Classes:
B61L19/14; G05B9/03; B61L21/00; G06F11/16
Domestic Patent References:
WO2004025469A1 (2004-03-25)
Foreign References:
GB2414327A (2005-11-23)
EP0668204A1 (1995-08-23)
SE503697C2 (1996-08-05)
GB1489921A (1977-10-26)
US5301906A (1994-04-12)
US4517673A (1985-05-14)
EP0073602A2 (1983-03-09)
Attorney, Agent or Firm:
Abb AS. c/o Abb AS. (Legal Affairs and Compliance/IP, Vasteras, SE)
Claims:
CLAIMS
1. A control system for railway vehicles comprising a plurality of programmable control devices arranged to control signals for railway signaling, where two said PLC devices (4, 5) are each arranged in an interlocking system (Ib) to provide a signal to control a signal operation on at least a part of one or more railway tracks (100), which said PLC devices are each connected to at least one communication unit (87), characterized by comprising an interlocking system arranged with a redundant safety critical PLC device (4, 5) supplied with a redundant power supply and controlled by redundant computer programs.
2. A system according to claim 1, characterized by an interlocking system in which a first said PLC is controlled by a first software application and the second said PLC is controlled by a second and different software application.
3. A system according to claim 2, characterized in that the first software application and the second software application are each formed according to a different programming language.
4. A system according to claim 3, characterized in that the first and second software applications are executed separately and operate in a diverse way.
5. A system according to claim 4, characterized in that at least one of the first or second software applications comprises software in the form of a program block or function block for carrying out predetermined control or operation function.
6. A system according to claim 1, characterized in that at least one said communication unit of said plurality of communication units connected to an interlocking PLC (4, 5) is arranged configurable for providing a local connection and/or a remote connection.
7. A system according to claim 6, characterized in that the said communication unit has means for handling communication by means of any of two or more communication protocols which may be any from the list of: Ethernet, Module Bus, Profibus, RS232 serial.
8. A system according to claim 6, characterized in that the local connection comprises I/O communication over a fieldbus with any from the list of: a CTC (70), a maneuver panel (9), computer workstation (56), data logger computer (57), a GPS (67) antenna.
9. A system according to claim 6, characterized in that the remote connection comprises I/O communication over a fieldbus with any from the list of: switch, main signal, dwarf signal trackside equipment, for said one or more tracks.
10. A system according to any previous claim, characterized in that the fieldbus connection is a redundant connection.
11. A system according to claim 1, characterized by a 1 of 2 voting means in each interlocking system (Ib), such that a first said PLC shall transmit at least one control signal for a signal operation in the event that the second said PLC fails.
12. A system according to any previous claim, characterized by comprising an interlocking system in which a first said PLC is separately enclosed relative to a second said PLC, in a separate enclosure, although both said devices are arranged to execute the same operations.
13. A system according to claim 1, characterized by wherein at least one interlocking system is arranged connected to a said PLC, programmable controller (3), that may be non safety critical.
14. A system according to claim 13, wherein a non safety critical programmable controller device is arranged for communication with the at least one interlocking system (Ib, 4, 5) and any of a remote control centre (71) or a local control centre (84).
15. A system according to claim 1, characterized in that at least one safety critical PLC (4, 5) of an interlocking system comprises two safety relays (95, 96) monitoring a communications output (91) and providing a barrier in the event of a communications failure.
16. A system according to claim 6, characterized in that at least one of said plurality of communication units (87) is arranged with output connections to one or more safety relays (95, 96).
17. A system according to claim 6, characterized in that at least one of said plurality of communication units (I/O boards) is arranged with input contacts for current measuring.
18. A system according to claim 17, characterized in that at least one of said plurality of communication units (I/O boards) comprises one or more input/output means for serial data transmission (65a-e) and one or more connections for a field bus (81, 82, 83, 83r).
19. A system according to claim 17 or 18, characterized by comprising a first power supply for permission-to-go signals and a second and separate power supply for stop or wait instructions.
20. A system according to claim 1, characterized by comprising a power supply fed from a power grid and a power supply fed via an uninterruptible power supply.
21. A system according to claim 1, characterized by comprising at least one local maneuver panel (9) arranged to control one or more interlocking systems (Ib).
22. A system according to any previous claim, characterized in that each interlocking system (Ib) is arranged to switch to a safe stop state and wait in the event that a communication link (83, 83r, 2) between the interlocking system and a remote connection fails.
23. A method to operate a control system for railway vehicles comprising a plurality of programmable logic controllers (3, 4, 5) arranged to control signals for railway signaling, and where each said PLC device is connected to at least one communication unit, wherein two said PLCs (4, 5) are each arranged in an interlocking system to provide a signal to control a signal operation on at least a part of one or more railway tracks and by a first said device transmitting a control signal for at least one signal operation in the event that the second said device fails, characterised in that the interlocking system comprises a redundant safety critical PLC device (4, 5) and a redundant power supply, and by controlling the safety critical PLC device by means of redundant computer programs.
24. A method according to claim 23, characterised by controlling a first said PLC of the interlocking system by means of a first software application and controlling the second said PLC with a second and different software application.
25. A method according to claim 23, characterised by one of two said PLC devices, programmable controllers, in the interlocking system voting 1 of 2 in the software in the event of a failure of the other PLC.
26. A method according to claim 23, characterised by one of two said PLC devices, programmable controllers, in the interlocking system voting 1 of 2 in the hardware in the event of a failure of the other PLC.
27. A method according to claim 26, characterised by one of two said PLC devices, programmable controllers, in the interlocking system voting in both the hardware and the software in the event of a failure of the other PLC.
28. A method according to claim 23, characterised by running at least one output test per interlocking system during a given time interval.
29. A method according to claim 23, characterised by running at least one cyclic test per communication link per interlocking system during a given time interval.
30. A method according to claim 23, characterised by operating an interlocking system from a local Train Controller or local maneuver panel (9).
31. A method according to claim 23, characterised by operating one or more interlocking systems remotely or from a Centralised Train Control (70).
32. A method according to claim 23, characterised by logging all events and saving the events to non-volatile memory storage means.
33. A method according to claim 23, characterised by communicating information wirelessly between an interlocking system (1, 1') and a rolling equipment/engine driver (300).
34. A method according to claim 23, characterised by selecting one of a plurality of jumper wire connections on a backplane of the communications unit (87) or I/O board to configure it for connection to any from the list of switch, main signal, dwarf signal.
35. A computer program comprising computer code means and/or software code portions for making a computer or processor perform any of the steps of claims 23-34.
36. A computer program product according to claim 35 comprised in one or more computer readable media.
37. A computer data signal for operation of a control system for railway vehicles comprising a plurality of programmable control devices arranged to control signals for railway signaling, where two said PLC devices (4, 5) are each arranged in an interlocking system (Ib) to provide a signal to control a signal operation on at least a part of one or more railway tracks (100), which said PLC devices are each connected to at least one communication unit (87), embodied in a carrier wave, characterized wherein the signal comprises input data or values for one or more configured functions (6, 6'') communicated to and/or from a said programmable controller device (4, 5) and displayable on a display device locally (9) and/or other device (50, 60, 70) remotely.
38. A graphical user interface of a control system for railway vehicles comprising a plurality of programmable logic control devices arranged to control signals for railway signaling, where two said PLC devices (4, 5) are each arranged in an interlocking system (Ib) to provide a signal to control a signal operation on at least a part of one or more railway tracks (100), which said PLC devices are each connected to at least one communication unit (87), characterized by comprising a representation of two or more said PLC devices and/or one or more configured functions (6', 6'') of said PLC devices, for display on a display device locally (9) and/or remotely (50, 56, 60, 70).
39. A graphical user interface to claim 38, characterised by comprising a representation of two or more said PLC devices and/or one or more configured functions of said devices combined with a representation (102-110) of a railway section (100) for display on a display device (9, 56).
40. A graphical user interface to claim 38, characterised by comprising a representation of two or more said PLC devices and/or one or more configured functions of said devices combined with a representation (102-110) of a railway section (100) for display on a remote display device running onboard a train, by means of wireless communication.
41. Use of an industrial PLC in a control system for rail vehicles comprising a plurality of programmable control devices arranged to control signals for railway signaling, where two said PLC devices (4, 5) are each arranged in an interlocking system (Ib) to provide a signal to control a signal operation on at least a part of one or more railway tracks (100), which said PLC devices are each connected to at least one communication unit (87), wherein an interlocking system is arranged with a redundant safety critical PLC device (4, 5) supplied with a redundant power supply and controlled by redundant computer programs to carry out control operations of outdoors equipment such as main signals, switches, dwarf signals, track section line blocks.
Description:
A control system, a method to operate a control system, a computer data signal and a graphical user interface for rail-borne vehicles

TECHNICAL FIELD

The present invention is concerned with a control system for railway vehicles. In particular, it is a control system that provides railway signaling for one or more railway tracks.

BACKGROUND

It is known to use an industrial controller, a programmable logic controller (PLC), to control a non-safety critical part of a railway signaling system. In 1983 the Norwegian Railways (NSB) replaced a non-critical part of a relay based interlocking system called NSI-63 with an industrial PLC at Koppang station (2-tracks). The PLC received orders from and sent indications to a local manoeuvre panel or signalman's panel. A Swedish patent SE 503 697, entitled Control system for traffic control comprising a "diverse" micro-computer system, to Novotek AB, describes a control system with a first and a second micro-computer which work in parallel and which both perform the same operations. If one micro-computer detects that the other micro-computer has an error it sets the signals to a predetermined safety condition.

A later development known as NSB-94 includes critical functions (interlocking). This safety system was based on three PLCs, A&B&C. The interlocking is controlled by PLC A&B, in dual configuration and with an individual operation. The PLC C operates a local manoeuvre panel and/or a CTC (Central Train Control) (E-CTC or PLC-CTC). NSB-94 went into operation November 1 1995 and operates in 11 installations in Norway. The hardware can handle a limit of 57 local I/O-modules or maximum four tracks. However, the software architecture is not applicable for more than three tracks, and it may comprise software parts in different physical installations that are not identical to the software parts in other installations.

Another technical challenge with known signalling installations is that the equipment spread out over a large area demands extensive and expensive cabling, both power cabling and data cabling, some of which must be duplicated for back-up or safety reasons. The diversity of trackside equipment means that conventional signalling and traffic control installations require a diversity of different maintenance operations, routines and methods which must comply with safety regulations.

A patent application, JP2003-182577, entitled Interlocking device, to Nippon Signal, describes an interlocking control system for railway traffic which includes use of a PLC to control a non-vital part of a system, further connected to a CTC and to an interlocking device including a microcomputer for control of one or more vital parts of the system. The interlocking device is simpler and more compact than previous systems because the non-vital functions have been moved to a PLC. The microcomputer performs diagnostic tests on itself and on incoming/outgoing signals according to the description. However, it may be difficult and/or expensive to guarantee a sufficiently high reliability for a single microprocessor.

SUMMARY OF THE INVENTION

The aim of the present invention is to remedy one or more of the problems of the prior art of railway signalling. This is obtained by a system and method as defined in the appended independent claims.

A first aspect of the invention comprises a control system for railway signalling. It provides for safety critical signal operations as well as non-safety critical signaling for one or more railway tracks.

A second aspect of the invention comprises a control system for railway signaling for a plurality of railway tracks, up to 10 tracks or more. It provides for safety critical signal operations as well as non-safety critical signaling for the railway tracks.

A third aspect of the invention comprises a control system for railway signaling in which one single object control means, an I/O-card, is used to control a plurality and majority of equipment or type of objects such as Main Signal, Dwarf Signal, Point Machine, Line Block etc, without any need for hardware configuration. The configuration is done at the back-plane, TU832, which is strapped with fixed jumper wire, which is to say that jumper wire may be connected to different jumper connections on the backplane to configure the input type or output signal type as required.

According to an embodiment of the invention the interlocking system comprises a redundant safety critical PLC device (4, 5) supplied with a redundant power supply and controlled by redundant computer programs.

According to a preferred embodiment of the invention the interlocking system is one in which a first safety critical PLC device is controlled by a first software application and a second safety critical PLC is controlled by a second and different software application.

According to an embodiment of the invention the interlocking system comprises at least one communication unit of said connected to a safety critical PLC and arranged configurable for providing a local connection and/or a remote connection. Preferably the communication unit comprises an object control unit with means for handling communication by means of any communication protocols from the list of: Ethernet, Module Bus, Profibus, RS232 serial.

The control system of the present invention comprises three sub-systems. Each such sub-system is defined as one PLC consisting of a CPU, power supply, I/O-modules etc. The interlocking system according to the invention as mentioned comprises three different PLC systems in a specific configuration. The control system is arranged grouped as 3 PLCs, that is PLC A, PLC B and PLC C. PLC A and PLC B are for a safety critical part, and are connected to outdoor equipment (main signals, dwarf signals, points, switches etc) by means of I/O hardware. The third PLC, PLC C, is non safety critical. PLC C is linked to a remote control centre or CTC, a local control centre and the interlocking systems (PLC A and PLC B).

To obtain the required safety performance and the availability or uptime a principle of 1 of 2 voting is used, with a barrier and redundancy. Both safety critical PLC systems are totally physically and electrically separated, but they execute the same operations. There is also separation or software diversity between the application programs in each of PLC A and PLC B. This means that both PLC systems operate according to the principle of 1 of 2 voting in both hardware and in software. Each PLC system behaves like a mutual barrier to avoid a failure in one of the systems that would put the signalling system into a dangerous condition. An example of a dangerous condition is if a false Green, Go, signal were to be signalled when the section under control has not been determined as safe to enter.

To operate the objects like switches, main signals, dwarf signals etc a new object control unit, sometimes referred to as an I/O-card, is used that has an interface compatible with and adjusted to a railway system's existing equipment objects like switches, main signals, dwarf signals, line block etc. The I/O card comprises safety relay outputs, current measuring and internal input contacts. The object control card, or summarily called an I/O card, is used for the majority of types of objects such as Main Signal, Dwarf Signal, Point Machine, Line Block etc, without any need for hardware configuration. The configuration is done at the back-plane, TU832, which is strapped with fixed jumper wire. This has the further advantages of conferring simplified installation, and maintenance and/or unit replacement operations.

The signalling system is normally supplied with power from both the local power grid (220V, 50 Hz) and from the Railway power grid (220V, 16 2/3 Hz) through an uninterruptible static converter. There are separate power supplies 220V, 50(95) Hz for signals which give "permission to go" (green light circuits, track signal circuits and ATC (Automatic Train Control)), and signals which give "stop instructions/wait stop instructions" (red light/yellow light circuits).

In another aspect of the invention a computer program is described for carrying out the method or methods according to the invention. In another aspect of the invention a computer program product comprising a computer program for carrying out the method of the invention is described. In another aspect of the invention a computer data signal embodied in a carrier wave is described. In another, further aspect of the invention a graphical user interface is described for displaying a configuration for the control system and/or signal apparatus and/or points and switches and/or operational data for one or more of the signals so controlled.

The principal advantage of the invention is that a safe and secure control system for railway signalling is achieved using a combination of industrial components, of which a principal component, the PLC, is a standard industrial hardware product. This means that the reliability performance and maintenance requirements are well known and documented from the outset. Use of selected off-the-shelf components provides a system with a high THR (Tolerable Hazard Rate). The invention may be adopted over time in a planned and optimised operation because existing systems and combinations such as old relay equipment may be combined with and controlled by the new technology. The delivery time, using standard components, may be shorter and more predictable than when using one-off or custom combinations of equipment. The use of standard fieldbus technology together with the new technology of the invention makes the system highly scalable, with an open architecture communications design. The interfaces are easily adapted to various equipment. Similarly the use of a standard I/O card as a standard object control unit means that operational predictability is increased for installed systems, and new systems or new part-systems. This is particularly the case with respect to, for example, traditional electro-mechanical (relay) equipment, which may have different characteristics and response times compared to modern relays. However the interfaces, open communications design and the standard object control units provide for different parameter settings to suit the different types of outdoors equipment for carrying out the same functions.

The invention may also be implemented with very short cable runs, which is a technical advantage because inductive and capacitive loads in system circuits change with varying cable length and cable types.

Another advantage is that the control system runs, in the critical part, diverse application software with an object-based and geographical program structure. In addition every function shall be a dedicated program block, so that a software design shall fit all types of stations. Software changes shall be simple and lead to minimal changes in other program blocks. This allows the software for a new installation to be built up from existing library functions and function blocks. Prior art systems tended to include some custom programming and/or custom applications in different installations and in different parts of a single installation. The use of standard function blocks gives the advantage of greater predictability and reliability for a part of any given system installation, and the possibilities in the use of simulation tools (correct response system). In parallel with the use of standard hardware, efficiency is also increased by providing installations that run on software that has identical parts. Future developments or changes due to rebuilding/reprogramming shall be tested in the factory to reduce the down-time. Another technical advantage of the use of standard software and function blocks is that certification to safety standards is made simpler for both the system operator and the inspection and authorisation authorities because the invention may comprise one or more Safety Case Generic Products - and so qualify for cross acceptance.

Another advantage is that the invention can support a human machine interface which also integrates with other local and/or remote railway systems. The human machine interface includes support for at least three different job categories that operate the interlocking system. The different job and task categories have access to different parts of the system, such as to a local maneuver panel or one-man's panel, to an authorised-access-only technical workstation, and to a CTC. Normally a remote control operator is placed at the train operator centre and operates the interlocking system through the CTC (Centralized Train Control). The local Train Controller operates the station manually from a local maneuver panel/signalman's panel. Authorized specialists can do troubleshooting with use of a technical workstation to get access to data from the log unit/PC.

Redundancy aspects include a dual PLC architecture (1 of 2 voting) with architectural redundancy, redundant (backup) PLCs and communications (I/O) with both monitoring and redundancy. System software is in the form of Diverse Application Software with Object based and geographical program structure, and is designed to also comply with CENELEC EN50126, EN50128, EN50129 and to fulfil Safety Integrity Level 4 (SIL4).

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the method and system of the present invention may be had by reference to the following drawings when taken in conjunction with detailed description;

Figure 1 shows a schematic diagram for a System Configuration for a control system according to an embodiment of the invention,

Figure 2 shows a schematic diagram for an electronic railway interlocking part of the control system,

Figure 3 shows a schematic diagram of the interlocking part of the control system with a schema for Connection 1 of 2 voting for green light, and Figure 4 shows a schema for a Connection 1 of 2 voting for red light,

Figure 5 is a schematic arrangement for a Human Machine Interface of the control system according to another embodiment,

Figure 6 shows a schematic block diagram for indoor interfaces of an interlocking part of the control system and Figure 7 a block diagram for outdoor interfaces,

Figure 8 shows a schematic diagram for one of the two PLCs in an interlocking part of a control system comprising connections and redundant connections for a plurality of data networks or field buses according to a preferred embodiment of the invention,

Figure 9 shows a schematic block diagram for safety checking and barrier action carried out by each of the two safety critical PLCs on each other, according to a preferred embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Figure 1 shows a configuration for a control system for controlling railway signalling and traffic. The control system includes an interlocking system which comprises at least two programmable logic controllers (PLCs). The figure shows the control system to have a non-critical part and a (safety) critical part. PLC A (4) and PLC B (3), which are in the safety-critical part Ib, are connected to outdoors equipment (main signals, switches etc, track section relay contacts, line block relays, switches, lock-lock, contacts to get feedback from the position of the switches etc) with 10, by means of input/output devices (principally I/O cards). PLC C (3) is non safety-critical. This PLC C is linked to a remote control centre, a local control centre and the interlocking systems (PLC A and PLC B) as shown in Figure 1.

To provide the safety and the availability a principle of 1 of 2 voting is used, with a barrier and redundancy. To operate the objects like switches, main signals, dwarf signals etc an object control unit (here summarily called an I/O-card) is used that has an interface adjusted to a railway system's existing objects like switches, main signals, dwarf signals, line block etc. The I/O card comprises safety relay outputs, current measuring and internal input contacts. A PLC system comprises one PLC consisting of a CPU, power, IO-modules etc. The interlocking system, as mentioned above, consists of three different PLC systems in a specific configuration. The control system is grouped as 3 PLCs, PLC A, PLC B and PLC C.

Figure 2 shows schematically a control system and a railway track layout with signal lamps. The control system is arranged as before in a non-safety critical part Ia and a critical part Ib. The non-critical part comprises PLC C, and a local maneuver panel 9. Non-critical PLC C (3) is connected to at least two PLCs in the safety critical part Ib, to PLC A and PLC B. Each or any of the PLCs may be arranged with a back-up CPU (which may in practice be another PLC such as 4r arranged with PLC A, see also Figure 8). A railway track arrangement 100 is shown with one or more tracks 110, railway signals 102, 103, 105 with circles representing signal lamps. The signal lamps are shown cross-hatched with horizontal lines to represent a green light, vertical lines to represent a red light and diagonal lines to represent yellow light in the arrangement. The railway arrangement shows that a number of other railway tracks, from 2-10 tracks, are accessible from a first track 110 which may be a main track or a through track.

Figure 3 shows the green light connection in an interlocking part of control system 1. Both safety critical PLC systems A and B are totally physically and electrically separated, but they execute the same operations. There is also software diversity between the application programs in both PLC A and PLC B. This means that both systems operate according to the principle of 1 of 2 voting in both hardware and software. Each system then behaves like a mutual barrier to avoid the condition that a failure in one of the PLC systems can place the signalling system into a dangerous condition.
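The mutual-barrier behaviour described above and in the summary (1 of 2 voting, a false green as the dangerous condition, a safe stop state when a link fails) is modelled below as an added Python example that is not part of the patent text. It assumes that 1 of 2 voting means either PLC alone can withhold the green circuit; the input names, the two decision functions and the fault flags are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from itertools import product


class Aspect(Enum):
    RED = "stop"
    GREEN = "permission to go"


@dataclass(frozen=True)
class Inputs:
    """Constructed trackside inputs for one scan cycle (hypothetical names)."""
    track_clear: bool
    route_locked: bool
    points_detected: bool


@dataclass(frozen=True)
class Channel:
    """What one safety critical PLC presents to the voter."""
    name: str
    healthy: bool      # self-diagnostics passed
    link_ok: bool      # cyclic communication test passed
    wants_green: bool  # the channel's own decision


def decide_a(i: Inputs) -> bool:
    """PLC A formulation: green only if every condition holds."""
    return i.track_clear and i.route_locked and i.points_detected


def decide_b(i: Inputs) -> bool:
    """PLC B formulation of the same specification: look for any veto."""
    vetoes = (not i.track_clear, not i.route_locked, not i.points_detected)
    return not any(vetoes)


def relay_closed(ch: Channel) -> bool:
    """A channel closes its green contact only when healthy, connected and permissive."""
    return ch.healthy and ch.link_ok and ch.wants_green


def vote(a: Channel, b: Channel) -> tuple[Aspect, list[str]]:
    """Assumed wiring: green contacts in series, so one channel can block green."""
    events: list[str] = []
    for ch in (a, b):
        if not ch.healthy:
            events.append(f"{ch.name}: diagnostics failed")
        if not ch.link_ok:
            events.append(f"{ch.name}: communication link lost")
    if a.wants_green != b.wants_green:
        events.append("channels disagree: green withheld")
    green = relay_closed(a) and relay_closed(b)
    return (Aspect.GREEN if green else Aspect.RED), events


def scan(inputs: Inputs, a_stuck_green: bool = False,
         b_healthy: bool = True, b_link_ok: bool = True) -> tuple[Aspect, list[str]]:
    """One cycle; a_stuck_green injects a fault where PLC A always asks for green."""
    a = Channel("PLC A", True, True, True if a_stuck_green else decide_a(inputs))
    b = Channel("PLC B", b_healthy, b_link_ok, decide_b(inputs))
    return vote(a, b)


def formulations_agree() -> bool:
    """Exhaustively compare the two diverse formulations over all 8 input states."""
    return all(decide_a(Inputs(*bits)) == decide_b(Inputs(*bits))
               for bits in product((False, True), repeat=3))


if __name__ == "__main__":
    clear = Inputs(True, True, True)
    occupied = Inputs(False, True, True)
    print(scan(clear))                         # both channels agree on green
    print(scan(occupied, a_stuck_green=True))  # PLC B blocks the false green
    print(scan(clear, b_link_ok=False))        # link failure falls back to stop
```

The returned event list stands in for the event logging named in claim 32; a real installation would persist it to non-volatile storage.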

Hardware separation is provided in the control system, in which both systems A and B have the same hardware modules. The voltage level for the input modules in PLC A, B and C are different, The voltage potential for the inputs in PLC A, PLC B and PLC C are not mixed, either with the voltages produced by transmitters. Inputs and outputs are galvanicly separated with at least 2 kv from the environment. External communication connections (series channels, buses, etc) are galvanicly separated with at least 2 kV. The control system supplies power 220V, 50(95) Hz separately for signals which give "permission to go", (green light circuits, track signal circuits and ATC (Automatic Train Control)), and signals which give "stop instructions/wait stop instructions" (red light/yellow light circuits) . The signalling system is normally supplied with power from the both local power grid (220 V, 50 Hz) and from the Railway power grid (220V, I62/3 Hz) through an uninterruptible static converter. This power supply redundancy provides for security of supply to the signalling system.

The control system hardware is arranged with separation and redundancy. There is redundancy of CPUs in the form of two PLCs, of power supply and of communication. The dual PLC architecture (1 of 2 voting) with architectural redundance, has (I/O) communications with monitoring and redundancy.

As mentioned above, the object control unit I/O card comprises safety relay outputs, current measuring and internal input contacts. This I/O card is arranged in the communications units in the local and remote clusters (see 3c, 4c Fig 2, and 87, 84, 85, 89, 90 Fig 8). It is compatible at least with both Module Bus and Profibus. The I/O card comprises:

-TUV approved Safety Relays to control points and signals;

-digital inputs to check the position of relay contacts;

-current transformer to measure the current intensity in the signal lamp circuits;

-self diagnostics, giving a coverage of better than 90%;

-wiring in a central relay house, via local Module Bus; and

-wiring near to objects, via distributed Profibus.

The control system also comprises software separation. The application software is developed with programming tools, such as a tool called Control Builder. The Fail-Safe application software (in PLC A and PLC B) is preferably developed by 2 independent programming teams, one for PLC A and one for PLC B. The application programs are executed separately and operate in a diverse way. Both PLC programs satisfy the same function specifications but in two different programming languages. The software running in the PLCs shall preferably:

-have an object based and geographical program structure, in which every function shall be a dedicated program block;

-allow train routes to be released object by object;

-allow software changes to be simple, leading to minimal changes in other program blocks;

-be designed to fit all types of stations;

-offer possibilities for the use of simulation tools (correct response system); and

-allow changes due to software rebuilding to be tested in the factory, to reduce the down-time for implementation at a given track installation.

Thus software for each given installation is preferably made up from the same library functions, generic library programs or function blocks representing switches, main line signals, dwarf signals and so on.

Figure 3 shows the interlocking control system 1 comprising a non critical PLC C, and two safety-critical PLCs A and B. Both PLC A and B are connected to an output relay 6', 6'' and a current module 7', 7''. The control system connection 1g for lighting the green lamp 10g is shown. Figure 4 shows the connection scheme 1r to light a red light signal.

The human machine interface for the control system is schematically diagrammed in Figure 5. The figure shows that there are usually three different job categories that operate the interlocking system. They have access to different parts of the system, as shown.

Remote control operator 71 is placed at the train operator central and operates the interlocking system through the CTC 70 (Centralized Train Control). The local Train Controller 54 operates the station manually from a local manoeuvre panel/signalman's panel 9. Authorized specialists can do troubleshooting using a technical workstation 56 to get data from the log unit/PC 57.

The CTC is a system that electronically monitors the trains. In the centralised control office the remote train operator 71, who watches over the train on a long distance route, i.e. over several stations, gets the information about the exact position of the train. The remote control operator gives orders to control the train, for example at a specific station. But the interlocking system at this specific station handles the Fail-Safe functionality and sends feedback to the CTC that the orders have been executed. Local train operation control is carried out by means of a local manoeuvre panel 9 which is physically placed in a front room 52 of the relay house 51, which is placed at the station. The Train Controller 54 can operate the train on this particular station after the station is released for manual control. In this situation too, the interlocking system handles the Fail-Safe functionality at this station and sends feedback to the local manoeuvre panel that the orders have been executed.

A technical workstation 56 and logger PC 57 are physically placed in the inner room 53 of the relay house 51. Only specialists 55 have admission to unlock the room with a key. From the technical workstation both correction of errors and changes in the application software can be done. To have access to the technical workstation you also need a password. There may be three different levels to get this access: trouble shooting, download of software back-up, changes in the software.

The logger PC monitors the interlocking installation and stores all alarms and events, for example on one or more hard drives. Neither the logger nor the interlocking system can be manipulated from this PC. The log PC is protected by password.

Figure 6 shows in a schematic way the different parts of the normally three PLCs in an interlocking part of the control system. In particular it shows the internal interfaces and external interfaces of the interlocking system. An internal system interface may be defined as the interface inside the relay house as shown. Interfaces not housed locally, e.g. not located in the relay house, are indicated in boxes arranged with a dashed line, such as for CTC 70 and a GPS unit 67. Figure 6 shows the communication between internal interfaces of:

-the three PLCs, PLC A, B and C are connected to the same Ethernet 2. The communication can be redundant or 'not redundant';

-each CPU and I/O of the PLCs, where the local I/O communicates on Module Bus. The remote I/O communicates on Profibus or distributed Profibus. The communication can be redundant (see Figure 8) or 'not redundant' (see Figure 6), and the figure shows remote I/O units 89, 90 for PLC A connected via a redundant Profibus connection 83r (see also same reference numbers denoting same devices/functions in Figure 8);

-the PLCs and the technical workstation where the technical workstation 56 communicates with the PLC A, B and C on Ethernet 2";

-the PLCs and the log PC wherein PLC A, B and C transmit alarms and events to the log PC 57 on an RS232 line such as 65a-c;

-the PLC C and the local manoeuvre panel, wherein the local manoeuvre panel 9 communicates with PLC C on I/O or respectively Ethernet 2' (as shown in Figure 2).

An external system interface may be described as an interface located outside the relay house. Figure 6 shows communication between the interlocking part of the control system and external (outdoors) interfaces, such as of:

-I/O units and outdoors equipment, which means track section relay contacts, line block relays, switches, switch-lock, contacts to get feedback from the position of the switches etc.;

-communication between PLC C (3) and CTC 70 is on Ethernet, RS232 or with IO (interface to another type of sub-station);

-PLC C and GPS 67 wherein PLC C receives signals from a GPS antenna on RS232 to synchronise the clock;

-communication with other interlocking systems (neighbouring stations) is carried out using wiring connections to the line block, but in the future the control system has built-in possibilities to make use of an electronic line block connection on a bus or on a radio.

The communication is monitored and, in the event of a communications failure, the control system is switched to a safe mode until the communications failure has been repaired.

Figure 7 shows an overview of the outdoor interfaces of a local interlocking control system and its relationship to other control systems for a section of a railway. The figure shows an interlocking system 1, connected to one or more other interlocking systems 1', to outdoors objects, e.g. 100 (such as the I/O and outdoors equipment noted above, which means track section relay contacts, line block relays, switches, switch-lock, contacts to get feedback from the position of the switches etc.) and to a CTC 70 system. The CTC system 70 is connected to other CTC systems 70', to a railway timetable database 170, to information systems (PUB) 180 and to power technical systems 190. The interlocking part of the system may also be in communication with rolling equipment 300 (a train) or an engine driver.

In the best use of the invention, the object control unit or I/O card is preferably a type such as the ABB product known as DO822 or later, and the communications unit is preferably the ABB unit of the AC 800M type or later.

Figure 8 shows an interlocking control system with three PLCs and comprising modules and clusters connected by data networks and/or field buses according to a preferred embodiment of the invention. Figure 8 is arranged to show in detail an arrangement for one PLC only, and the example has been numbered to show connections for PLC A only for the sake of simplicity; the arrangement for B may be identical, and so might be the arrangement for non-critical PLC C. Figure 8 shows a redundant configuration of two PLCs, PLC A 4 and a redundant PLC for A, with reference number 4r (see also Figure 2). A redundant bus 80 between the main and backup PLCs, which may be a CEX (Cyclic Executive) bus, is shown connecting PLC A 4 and the backup PLC 4r. Also shown is a first bus connection, a redundant Profibus connection 83r between the two PLCs 4, 4r. PLC A 4 is connected to an Ethernet network 2 (such as Ethernet TCP/IP, 10 Mbps) as is the redundant or backup PLC 4r. A redundant Profibus master interface unit 86 is shown arranged connected to both PLCs 4 and 4r. PLC A is also shown schematically arranged connected via a Module Bus 82 with a cluster 87 of I/O communication units, which cluster may include up to 12 communication units. Module bus 82 may also be arranged with a redundant CEX bus 81 as shown.

Remote I/O communications between PLC A and external objects are shown arranged as ProfiBus fieldbus 83 with connections to remote I/O stations 90, 89. A remote I/O station cluster may include up to 24 communication units. In the arrangement shown, up to 99 such remote I/O stations may be connected in this manner by the same fieldbus. Also shown are local I/O clusters 84, 85 which are connected to PLC A by means of a field bus, or databus, such as Module Bus. The arrangement shown may support up to 12 communication units per local I/O cluster, and up to 7 separate I/O clusters which may be connected to PLC A on one ModBus line. Thus in the arrangement shown in Figure 8, up to 15,000 I/O channels may be controlled by one PLC. The communication unit I/O card may be so configured, for example using the same type of software tool as Control Builder, mentioned above.

Each interlocking system may be accessed by means of either a direct serial data connection 65, or by means of a computer connected to a network that is connected to one or more of the field bus networks, using a logged on and authorised computer nearby or remotely. It is also the case that the interlocking systems may be configured over any data network (60/50) including over the Internet by means of one or other Ethernet or Fieldbus data connections, provided the logged in user has the necessary authority and/or passwords.

Configuration may also be carried out using wireless means such as an IR or Bluetooth equipped computer, mobile phone or PDA or other mobile computing device. A wireless node (not shown) may be connected to a data port or to the field bus network that the programmable controller devices are connected to. By means of the wireless node connected indirectly to the programmable controller, the device may be configured wirelessly using the same methods as herein described. Any wireless protocol capable of providing reliable transmissions in a railway or an industrial-type environment may be used, including standards or protocols such as Bluetooth, Wireless LAN (WLAN). For the communication there may be further requirements imposed by the field busses or other parts of the control system. In a preferred embodiment of the invention the communication technology used is based on the Bluetooth system. The fact that the range of a Bluetooth device is limited to around 10 m may be advantageous in environments with many radio devices or areas where it is very important to keep the radio interference levels as low as possible.

The communications from the relays and/or the PLCs also comprise a computer data signal. The data signal may comply with one or more exchangeable formats, for example internally formatted as an XML or similar file, and includes means to identify the sending programmable controller and the type of data such as number of events, alarms, configured protections etc. for the programmable controller.

The microprocessor (or processors) of a PLC or other programmable controller or programmable logic controller (PLC) comprises at least one central processing unit CPU performing steps of the method according to an aspect of the invention. This is performed with the aid of one or more computer programs, which are stored at least in part in memory accessible by the processor. It is to be understood that any of said computer programs may be run on an industrial controller or on one or more general purpose industrial microprocessors or computers instead of one or more specially adapted computers or processors, FPGAs (field programmable gate arrays) or ASICs (application specific integrated circuits) or other devices such as simple programmable logic devices (SPLDs), complex programmable logic devices (CPLDs), field programmable system chips (FPSCs).

The computer program or programs such as the first software application or the second software application comprises computer program code elements or software code portions that make the computer, CPU or processor perform the method using equations, algorithms, data and calculations. A part of a program may be stored in a processor as above, but also in a ROM, RAM, PROM, EPROM or EEPROM chip or similar memory means. The or a program may in part or in whole also be stored on, or in, other suitable computer readable medium such as a magnetic disk, CD-ROM or DVD disk, hard disk, magneto-optical memory storage means, in volatile memory, in flash memory, as firmware, or stored on a data server. Removable memory media such as removable hard drives, bubble memory devices, flash memory devices and commercially available proprietary removable media such as the Sony memory stick and memory cards for digital cameras, video cameras and the like may also be present and used in a part of the control system.

In a yet further embodiment of the invention, the graphical user interface or other HMI such as local manoeuvre panel 9 and/or local 56 or remote 70 terminals may be embodied at least in part as a touch screen. In this case, text lines or images included in the display of a preferred embodiment, and means such as select or navigation buttons, and each interlocking system, or I/O connections per interlocking system, may be embodied as images on a touch screen. Operation may be carried out according to the above method but executed by means of touching parts of the screen instead of pressing buttons, or by clicking with a computer mouse or other pointing/selection device.

One or more of the client applications of the HMI may be implemented as a thin client using a structured text document or file to present any of CIM/XML information, arguments, variables, addresses, links, mappable objects, executable applications or applets, or for example an HTML or other WWW based or HTML derivative protocol or XML protocol. The structured text document or file format takes care of handling graphical user display and activation functions of the HMI client. Activation functions refer to functions in the web page or web client display carried out by executable applications or applets which may be implemented as Java (TM) or similar. By means of such a thin client version of the HMI with an architecture such as described above, a user or a technician may examine status or data, configure a parameter, change set points and/or issue commands remotely to any object for which he/she has authority to do so via the HMI interface.

It should be noted that while the above describes exemplifying embodiments of the invention, there are several variations and modifications which may be made to the disclosed solution without departing from the scope of the present invention as defined in the appended claims.

In an embodiment two additional safety barriers are comprised in a control system of the 3 PLCs for monitoring the safe operation of the safety-critical PLCs PLC A and B. In contrast to the earlier interlocking system called NSB-94, two extra safety relays are used which operate as additional barriers to prevent a faulty operation such as an incorrect green light from occurring. The Safety Relay and dynamic monitoring are shown in Figure 9.

Figure 9 shows, in this example for PLC A, functions 92, 92' for dynamic monitoring and two extra safety relays 95, 96 connected in series. Output 91 from PLC A is monitored at DO 810. An application function called WD.COM.A(B) monitors that the PLC's CPU has correct communication with the I/O modules. A second function called WD.ACKNOW.A(B) monitors that the feedback from the acknowledge contacts of the safety relay outputs is in agreement with the relays' program status. The relays 93, 94 are connected in parallel because a single fault is permitted according to availability priority (that is, with the principle of 1 of 2 voting). Figure 9 shows active current coils. If the system is faultless, the CPU of PLC A emits pulses 99, via DO810, to the monitoring unit EBW-AZ. The standard relays 93, 94 in EBW-AZ are NO/NE. This means an operating contact and the coil is normally current live. The operating contact and the coil normally make contact. The contacts of the Safety Relays 95, 96 are also NO/NE.

If a frequency pulse is detected in the EBW-AZ, the unit calculates that the system is ok, the coil is current live, and the contact in EBW-AZ is made, as shown. The Safety Relays' coil is now current live, and the contacts lead current. Power to a green light 10g is provided by a different supply 98 at 220/170V AC from the stop/wait signals, as described above. If the signal 91 from the PLC A, via DO810, is steady low or high (and not pulses) the contacts in EBW-AZ break and do not conduct current. The result is that the contacts of the Safety Relays 95, 96 break and may then not conduct current to the green lamp 10g. In this way the operation of each PLC A, B is checked by the other PLC B, A to ensure that any break in communication results in the prevention of any green signal.
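The fail-safe behaviour described for Figure 9 can be modelled in a few lines; the following Python sketch is an added illustration, not part of the patent text. The function names, the sample-based timeout `STATIC_LIMIT` and the series combination of the PLC A and PLC B chains in `green_permitted` are assumptions made for the model.

```python
"""Toy model of the dynamic (pulse) monitoring and safety relays of Figure 9.

All names and the timeout value are assumptions for illustration only.
"""

STATIC_LIMIT = 3  # assumed: sample intervals without an edge before drop-out


def monitor_energized(samples, static_limit=STATIC_LIMIT):
    """EBW-AZ-style check: True only while the PLC output keeps toggling.

    A steady high or steady low level means a stalled CPU or a dead I/O
    link, so the level itself never counts as "healthy", only edges do.
    """
    if len(samples) <= static_limit:
        return False  # too little history to prove liveness: stay safe
    tail = samples[-(static_limit + 1):]
    return any(a != b for a, b in zip(tail, tail[1:]))


def lamp_circuit_closed(samples, relay_93_ok=True, relay_94_ok=True,
                        relay_95_ok=True, relay_96_ok=True):
    """Contact chain for one PLC: 93/94 in parallel, 95/96 in series.

    relay_xx_ok=False models a relay that has failed open.
    """
    alive = monitor_energized(samples)
    # Parallel standard relays: one failed relay is tolerated (availability).
    coil_supply = alive and (relay_93_ok or relay_94_ok)
    # Series safety relays: either one opening breaks the lamp circuit.
    return coil_supply and relay_95_ok and relay_96_ok


def ack_mismatch(commanded_closed, feedback_closed):
    """WD.ACKNOW-style check: acknowledge contact disagrees with the program."""
    return commanded_closed != feedback_closed


def green_permitted(samples_a, samples_b, want_green_a, want_green_b):
    """Assumed combination: both diverse PLCs must request green and
    both monitoring chains must be closed before the lamp gets power."""
    return (want_green_a and want_green_b
            and lamp_circuit_closed(samples_a)
            and lamp_circuit_closed(samples_b))


# Constructed sample traces of output 91 (one value per sampling interval).
PULSING = [0, 1, 0, 1, 0, 1]
STUCK_HIGH = [0, 1, 1, 1, 1, 1]
STUCK_LOW = [1, 0, 0, 0, 0, 0]
```

The model makes the asymmetry visible: a single failed relay in the parallel pair costs nothing, while any fault in the series pair or any static output removes the green aspect.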

In another embodiment the CEX bus may be based on a simple cyclic, a time based cyclic, a multi-rate cyclic task or other. It may operate by polling I/O only or it may be designed to operate with both polling I/O and with interrupts.

In another embodiment wireless communication between an interlocking system and a rolling equipment/engine driver 300 may be used to communicate a status of an interlocking system or of equipment controlled by the interlocking system to a rolling equipment, train, maintenance vehicle, or train driver or other vehicle operating on or beside a railway track. In other words, a process running on a computer and/or an operator on board a train such as a train driver may receive information on the status of a signal or points or any other such railway equipment monitored or controlled by an interlocking system by means of wireless communication.