阅读说明：本技术 用于监控铁路制动系统防滑装置运行的监控装置 (Monitoring device for monitoring operation of antiskid device of railway braking system ) 是由 R·托恩 于 2020-03-06 设计创作，主要内容包括：描述了一种监控铁路制动系统的防滑装置(703、803)运行的监控装置(701、801),监控装置(701、801)被布置为：获取与由防滑装置(703、803)控制的车轴(102、105)相关联的估计瞬时线速度；将与车轴(102...105)相关联的估计瞬时线速度(301,...,304)与铁路车辆的参考线速度(306)进行比较；监测制动缸(111,...,114)的压力状态；对于处于打滑阶段的每个车轴,根据预定操作条件,确定防滑装置(703、803)是否正在正常工作或是否未正在正常工作,预定操作条件包括与处于打滑阶段的车轴(102...105)相关联的每个估计瞬时线速度(301...304)相对于铁路车辆的参考线速度(306)的预定趋势,参考线速度与施加到与车轴(102...105)相关联的制动缸(111...114)的每个压力相关联；当监控装置(701、801)确定防滑装置(703、803)未正在正常工作时,维持、减少或取消至少一个计时装置(726、727、826、827)中的预加载时间值(T1、T2)。(There is described a monitoring device (701, 801) for monitoring operation of an anti skid device (703, 803) of a railway braking system, the monitoring device (701, 801) being arranged to: acquiring an estimated instantaneous linear speed associated with an axle (102, 105) controlled by an anti-skid device (703, 803); comparing the estimated instantaneous linear speed (301.... 304) associated with the axle (102.. 105) to a reference linear speed (306) of the railway vehicle; monitoring a pressure state of a brake cylinder (111.., 114); for each axle in the slip phase, determining whether the anti skid device (703, 803) is or is not functioning normally, according to predetermined operating conditions, the predetermined operating conditions comprising a predetermined trend of each estimated instantaneous linear velocity (301.. 304) associated with the axle (102.. 105) in the slip phase with respect to a reference linear velocity (306) of the railway vehicle associated with each pressure applied to a brake cylinder (111.. 114) associated with the axle (102.. 105); -maintaining, reducing or cancelling the preloaded time value (T1, T2) in the at least one timing device (726, 727, 826, 827) when the monitoring device (701, 801) determines that the anti-skid device (703, 803) is not functioning properly.)

1. A monitoring device (701, 801) for monitoring operation of an anti skid device (703, 803) of a railway braking system, the anti skid device being arranged to:

receiving instantaneous speed signals of at least two axles (102,..., 105);

controlling, by an electric valve unit (117,.., 120), a pressure of a brake cylinder (111,.., 114) associated with the axle (102,.., 105);

controlling, by the electric valve unit (117.. 120), a pressure of a brake cylinder (111...., 114) associated with the axle (102...., 105) to prevent the axle (102...., 105) from clogging and control a slip of the axle (102...., 105);

the electric valve units (117,.., 120) each comprise two pneumatic solenoid valves (220, 221), each pneumatic solenoid valve (220, 221) being equipped with a timing device (210, 212, 726, 727, 826, 827) arranged to measure a supply time of the respective pneumatic solenoid valve (220, 221) and each arranged to generate a signal arranged to de-energize the respective pneumatic solenoid valve (220, 221) if the measured supply time of the respective pneumatic solenoid valve (220, 221) exceeds a predetermined pre-load time value (T1, T2);

the monitoring device (701, 801) is arranged to:

acquiring an estimated instantaneous linear speed (301,...,304) associated with an axle (102,...,105) controlled by the anti-skid device (703, 803);

comparing the estimated instantaneous linear speed (301,.. 304) associated with the axle (102.. 105) to a reference linear speed (306) of a railway vehicle;

monitoring a pressure state of the brake cylinder (111.., 114);

for each axle in a slip phase, determining whether the anti skid device (703, 803) is or is not working properly according to predetermined operating conditions, the predetermined operating conditions comprising a predetermined trend of each estimated instantaneous linear speed (301.. 304) associated with the axle (102.. 105) in the slip phase relative to the reference linear speed (306) of the railway vehicle, the reference linear speed (306) being associated with each pressure applied to the brake cylinder (111.. 114) associated with the axle (102.. 105);

-maintaining, reducing or cancelling the preload time value (T1, T2) in at least one of the timing devices (726, 727, 826, 827) associated with the axle (102.. 105) in the slip phase, when the monitoring device (701, 801) determines that the anti-slip device (703, 803) is not working properly, during the counting of the preload time (T1, T2) by the timing device (726, 727, 826, 827).

2. The monitoring device (701, 801) according to claim 1, further arranged to maintain or increase the preload time value (T1, T2) in at least one of the timing devices (726, 727, 826, 827) when the monitoring device determines that the anti-skid device (703, 803) is functioning normally, during the counting of the preload time (T1, T2) by the timing device (726, 727, 826, 827) associated with the axle (102.. 105) in the slip phase.

3. A monitoring device (701, 801) according to any one of claims 1 or 2, wherein the anti-skid device (703, 803) is determined to be functioning properly if the axle in the slipping state exhibits one of the following predetermined operating conditions:

-the estimated instantaneous linear speed (401) of the axle is comprised within a tolerance band (405) for at least a predetermined time (TP 1);

-the estimated instantaneous linear speed (501) of the axle is characterized by an instantaneous acceleration above a given acceleration threshold (As) for at least a predetermined time (TP 2).

4. A monitoring device (701, 801) according to any one of the preceding claims, wherein it is determined that the anti-skid device (703, 803) is not functioning properly if at least one axle in the slipping state exhibits one of the following predetermined operating conditions:

-an instantaneous pressure value (604) of the brake cylinder associated with said at least one axle in said slipping condition represents a "maintenance" condition in which the pressure value of the brake cylinder is kept constant, or represents an "emptying" condition in which the pressure value of the brake cylinder is zero, while having an instantaneous linear velocity value (606) associated with said instantaneous pressure (604), characterized by being nominally equal to said reference linear velocity (602) of the vehicle for a predetermined time (TP 3);

-the instantaneous pressure value (604) of the brake cylinder associated with said at least one axle in slipping condition represents a "maintenance" or "emptying" condition, with an instantaneous linear velocity value (607) associated with said instantaneous pressure (604), characterized by an acceleration below a predetermined value (As) evolving within a predetermined time (TP3) outside the tolerance band (605).

5. The monitoring device (701, 801) according to any one of the preceding claims, wherein it is determined that the anti skid device (703, 803) is not functioning properly if a continuous control program between the monitoring device (701, 801) and the anti skid device (703, 803) is not set properly.

6. The monitoring device (701, 801) according to claim 5, wherein the continuous control program comprises exchanging a first master signal (901) generated by the monitoring device (701, 801) and received by the anti-skid device (703, 803) and a second slave signal (902) generated by the anti-skid device (703, 803) and received by the monitoring device (701, 801);

the master signal (901) having successive logic state transitions (S1.., Sn) decided by the monitoring device (701, 801), and the slave signal having response logic state transitions (a 1.., An) generated by the anti-skid device (703, 803) in response to transitions (S1.., Sn) of the master signal (901);

the response logic state transition (a 1.., An) needs to occur within a time TOK from the corresponding transition (S1.., S3) of the master signal (901) in order to consider that the anti-skid device (703, 803) is functioning properly.

7. The monitoring device (701, 801) according to claim 5, wherein the continuous control program comprises continuously generating:

-an information request (1030) generated by the monitoring device (701, 801) and received by the anti-skid device (703, 803); and

a response (1031) to the information request (1030);

-the response (1031) is generated by the anti-skid device (703, 803) and received by the monitoring device (701, 801); the information request is randomly retrieved by the monitoring device (801, 803) from a predetermined list (1020) pre-loaded into a non-volatile memory of the monitoring device (801, 803);

the response (1031) is calculated independently by the antiskid device (703, 803) and the monitoring device (701, 801);

the antiskid device (703, 803) is considered to be functioning properly as long as the monitoring device sees a correspondence between the response calculated by itself and the response (1031) sent by the antiskid device.

8. The monitoring device (701, 801) according to any one of the preceding claims, wherein monitoring of the pressure state of each brake cylinder (111.., 114) is performed directly by a specific pressure sensor (222, 223) of each antiskid valve unit (117.., 120) associated with the brake cylinder (111.., 114);

one of the two pneumatic solenoid valves (220, 221) is a pneumatic fill solenoid valve (220);

the pressure sensors (222, 223) indicate the brake pressure upstream of each pneumatic filling solenoid valve (220) of the antiskid valve unit (117, 120) and the pressure at each brake cylinder (111, 114), respectively.

9. The monitoring device (701, 801) according to any one of claims 1 to 7, wherein the monitoring of the pressure state of the brake cylinders (111.... 114) is performed indirectly by observing the state of a control signal (208, 209) relating to each antiskid valve unit (117.. 120) associated with each brake cylinder (111.. 114).

10. The monitoring device (701, 801) according to any one of the preceding claims, wherein the preload time value (T1, T2) has a value greater than or equal to zero seconds and less than ten seconds.

11. A monitoring device (701, 801) according to any one of the preceding claims, the monitoring device (701, 801) being arranged to calculate the reference linear velocity (306, 402, 502, 602) of the railway vehicle by operations performed on the estimated instantaneous linear velocity value (301.... 304) and at least one derivative virtual velocity (305) of the axle (102.. 105).

12. A monitoring device (701, 801) according to claim 11, the monitoring device (701, 801) being arranged to calculate the reference linear velocity (306, 402, 502, 602) of an associated railway vehicle by operation of a further instantaneous velocity value of an axle associated with an additional monitoring device or an anti skid device associated with the same railway vehicle;

the additional monitoring device and the anti-skid device are connected to the monitoring device (701, 801) via a communication network.

13. A monitoring device (701, 801) according to any of claims 3 to 12, wherein the tolerance band (405, 505, 605) is a function of the reference linear velocity (402, 502, 602).

14. A monitoring device (701, 801) according to claim 13, wherein the further speed values are transmitted by further generating means over the communication network according to EN50159 standard at a security level equal to or greater than the security level used to develop the monitoring device (701, 801).

15. A monitoring device (701, 801) according to any one of the preceding claims, the monitoring device (701, 801) being arranged to send a command to the anti skid device (703, 803);

-said command is a command requiring a logical conversion to said control output (208, 209) and is sent through connection means (750, 850);

the connection means (750, 850) comprises one or more digital signals or communication channels.

16. A monitoring device (701) according to any of the preceding claims, the monitoring device (701) being arranged to re-read the current remaining time value from the timing device (726, 727) of each antiskid valve unit (117,...,120) and, in case the remaining time to be counted is intended to be extended, to reload the timing device (726, 727) with a higher value than the newly read value; or

In the case where it is intended to reduce or clear the remaining time to be counted, the timer means (726, 727) is reloaded with a value lower than the newly read value or with a null value.

17. The monitoring device (801) according to any one of the preceding claims, the monitoring device (801) being arranged to:

-re-reading the current remaining time value of the internal counter (828, 829) associated with the timing means (826, 827) of each antiskid valve unit (117.. 120);

-if the remaining time to be counted is intended to be extended, "re-triggering" the timing device (826, 827) associated with the associated axle (112,.., 115) and reloading the internal counter (828, 829) associated with the timing device (826, 827) with the preloaded time value (T1, T2) of the timing device (826, 827);

-if the remaining time to be counted is intended to be zeroed, "resetting" the timing device (826, 827) associated with the associated axle (112,.., 115) and zeroing the internal counter (828, 829) associated with said timing device (826, 827).

18. Monitoring device (701, 801) according to any of the preceding claims, the monitoring device (701, 801) being arranged to indirectly "re-trigger" the timing device (726, 727, 826, 827) resulting in a pressure variation (404) sufficient to cause the instantaneous estimated linear velocity (401) to exit from the tolerance band (405);

the pressure variations (404) are obtained by acting on suitable signals (720, 721, 820, 821).

19. A monitoring device (701, 801) according to any one of the preceding claims, the monitoring device (701, 801) being arranged to inhibit the anti-skid device (703, 803) by means of a suitable signal (720, 721, 820, 821) to directly drive the anti-skid valve unit (117,.. multidot.120) by means of a further signal (732, 733, 832, 833) in order to operate an anti-skid algorithm.

20. A monitoring device (701, 801) according to any one of the preceding claims, the monitoring device (701, 801) being arranged to inhibit the antiskid device (703, 803) by means of a suitable signal (720, 721, 820, 821) and to directly control the antiskid valve unit (117,.. 120) by means of an additional signal (732, 733, 832, 833) in order to operate an anti-lock algorithm.

21. Monitoring device (701, 801) according to any one of the preceding claims, the monitoring device (701, 801) comprising a "watchdog" circuit (706, 806) arranged to monitor the normal operation of the monitoring device (701, 801) and provided with a switching element (710, 810), the switching element (710, 810) being placed in series on a power branch of a solenoid valve (714, 715, 814, 815) of the antiskid valve unit (117,.., 120);

-positioning the switching element (710, 810) in a closed state by the watchdog circuit (706, 806) when the watchdog circuit (706, 806) sees normal operation of the monitoring means (701, 801);

when the watchdog circuit (706, 806) detects an abnormal operation of the monitoring device (701, 801), the switching element (710, 810) is positioned in the open state by the watchdog circuit (706, 806).

22. The monitoring device (701, 801) according to claim 21, wherein an emergency switching element (704, 804) is placed in parallel with the switching element (710, 810);

the emergency switching element (704, 804) is in a closed state when the emergency request signal (705, 805) is in an "inactive" state;

the emergency switch element (704, 804) is in an open state when the emergency request signal (705, 805) is in an "active" state.

23. Monitoring device (701, 801) according to any of the preceding claims, the monitoring device (701, 801) being developed according to the EN50128 and EN50129 standards, according to the SIL ≧ 3 rating.

24. A monitoring device (701, 801) according to any of claims 12 to 23, wherein the further speed values are generated by the generating means according to the EN50128, EN50129 standard at a level equal to or greater than a level of security used to develop the monitoring device (701, 801).

25. Monitoring device (701, 801) according to any one of the preceding claims, the monitoring device (701, 801) being implemented by redundant microprocessor circuits, or by redundant programmable logic circuits, or by at least one microprocessor circuit and at least one programmable logic circuit.

26. The monitoring device (701) according to any one of the preceding claims, wherein the timing means (726, 727) and additional logic functions (722, 723, 734, 735) are implemented within the monitoring device.

27. The monitoring device (701) according to claim 26, wherein the functions equivalent to the timing means (726, 727) and the additional logic functions (722, 723, 734, 735) are implemented by software code or within the programmable logic circuit.

Technical Field

The present invention relates generally to the field of railway braking systems. More particularly, the present invention relates to a monitoring device for monitoring the operation of an antiskid device of a railway brake system.

Background

In railway transport systems, the instantaneous adhesion value between a wheel and a rail represents the maximum braking force limit currently applied to an axle, the wheels of which do not start a progressive slip phase.

If the axle enters a slipping phase, the axle gradually loses angular velocity if the applied braking force is not rapidly reduced properly until full lock-up is reached, resulting in immediate overheating and damage due to excessive wheel surface temperature of the axle at the point of wheel-to-rail contact. It is known that this condition, in addition to greatly extending the stopping distance due to further reduction of the coefficient of friction, may also cause derailment of the vehicle at high speed.

To overcome the above drawbacks, pneumatic railway braking systems (pneumatic brake braking systems) are equipped with a protection system, called anti-skid system.

Fig. 1 shows a known anti-skid system for a four-axle vehicle 102, 103, 104, 105. Brake system 110 generates pneumatic brake pressure in response to a request for brake pressure or braking force (not shown in fig. 1) via supply brake cylinders 111, 112, 113, 114. Each brake cylinder is responsible for braking the axle 102, 103, 104, 105, respectively, through the pneumatic supply lines 115, 116. Four anti-skid valve units 117, 118, 119, 120 guided by the anti-skid device 101 are inserted between the pneumatic supply lines 115, 116 and the respective brake cylinders 111, 122 and 113, 114. Angular velocity sensors 106, 107, 108, 109 detect the angular velocities of the axles 102, 103, 104, 105, respectively. The angular velocity sensors 106, 107, 108, 109 are electrically connected to the antiskid device 101 and continuously provide electrical signals representing instantaneous angular velocity information of each axle 102, 103, 104, 105. The antiskid device 101 continuously estimates the instantaneous linear velocity of the vehicle by performing an operation on information of the estimated instantaneous linear velocity of the axle shafts 102, 103, 104, 105 derived from the relevant measured angular velocities. These operations are known to those skilled in the art, such as, for example, but not limited to, calculating the average between the four speeds, or calculating the instantaneous maximum between the four instantaneous linear speeds of the axles 102, 103, 104, 105, or, as shown in fig. 3, calculating the maximum between the four instantaneous speeds 301, 302, 303, 304 associated with the axles 102, 103, 104, 105 and a fifth value, i.e. a derived virtual speed 305, obtained by reducing the speed value obtained in the last sampling period of the system by the maximum allowable deceleration value of the vehicle concerned, multiplied by the sampling period.

By continuously evaluating the difference Δ V between the estimated instantaneous linear speed of the individual axle and the estimated instantaneous linear speed of the vehicle, the antiskid device 101 detects whether one or more axles have begun a slip phase. If one or more axles have already begun a slip phase, the anti-skid device controls the slipping of said axles by: the pressure of the brake cylinder associated to the slipping axle is suitably reduced and adjusted, the action of the valve unit associated to the slipping axle is performed by known algorithms (for example the algorithms described in EP3393873, WO 2017175108), the axle is prevented from creating a blocking condition and it is attempted to obtain an optimal braking force while maintaining the slipping phase.

The anti-skid valve units 117, 118, 119, 120 each assume a detailed shape represented by a pair of pneumatic solenoid valves 220, 221 shown in fig. 2.

The pneumatic solenoid valves 220, 221 are energized by the antiskid device 201 via the respective switching elements 202, 203. Such switching elements 202, 203 are typically solid-state electronic elements.

For simplicity of illustration, fig. 2 does not show the connection of the solenoids (i.e., electrical coils) 204, 205 to ground.

The antiskid valve units 117, 118, 119, 120 can assume four overall states.

The first state is defined as "filled" and corresponds to a state in which both electropneumatic valves are de-energized, as shown in fig. 2: the electropneumatic valve 220 allows to tap the pressure present in the pneumatic conduit 215 (corresponding to the pneumatic conduits 115, 116 of fig. 1) into the brake cylinders 211 (corresponding to the brake cylinders 111, 112, 113, 114 of fig. 1), while the pneumatic solenoid valve 221 prevents the brake cylinders 211 and the pneumatic conduit 215 from being evacuated to the atmosphere. This state represents a rest or non-intervention state of the anti skid device, since it in fact constitutes a direct connection between the brake cylinder 211 and the pneumatic conduit 215, through which the brake system directly controls the pressure to the brake cylinder 211 from a null value to a maximum value.

The second state is defined as "hold", corresponding to the state in which the pneumatic solenoid valve 220 is energized. In this case, the pressure in brake cylinder 211 cannot be changed by the pressure change in pneumatic conduit 215. Pneumatic solenoid valve 221 continues to isolate brake cylinder 211 from the atmosphere. In general, the pressure to brake cylinder 211 will maintain its value indefinitely unless there is a leak in the brake cylinder.

The third state is defined as "exhaust" and corresponds to a state in which both pneumatic solenoid valves 220, 221 are energized. In this case, the pressure in brake cylinder 211 cannot be changed by the pressure change in pneumatic conduit 215. The energized pneumatic solenoid valve 221 connects brake cylinder 211 to atmosphere, reducing the pressure of the brake cylinder, possibly to a null value.

The fourth state is defined as "disabled", corresponding to a state in which only the pneumatic solenoid valve 221 is energized. In this case, the pneumatic solenoid valve connects the brake cylinder 211 and the pneumatic conduit 215 directly to the atmosphere, causing the pressure generated by the braking system to be excessively discharged to the atmosphere.

To systematically avoid the "inhibit" state, switching element 203 is connected to node 206 downstream of switching element 202. Thus, if switching element 203 is closed due to improper control of the upstream circuit or due to a short circuit thereof, switching element 203 cannot energize pneumatic solenoid valve 221 unless switching element 202 is also closed, in which case pneumatic solenoid valve 220 will also be energized, effectively placing brake cylinder 211 in a "vent" state, but avoiding excessive venting to the atmosphere of pneumatic conduit 215.

Various pilot circuits for pneumatic solenoid valves are known, involving a power supply or ground, however they allow systematically avoiding "inhibit" conditions.

In general, an anti-skid system necessarily reduces the braking force under its functional action. Obviously, in certain hardware or software failure modes, the antiskid device may keep the pneumatic solenoid valves 220, 221 permanently energized, resulting in a complete loss of braking force. In order to limit THE situation OF permanently energized valves, European Railway regulation UIC541-05 "BRAKES-SPECIFICATION OF VARIOUS BRAKE PARTS-WHEEL SLIDE PROTECTION DEVICE (WSP)" § 1.1.7.-EN15595 "railroad applications-Braking-Wheel slide PROTECTION" § 4.2.2.2 requires THE introduction OF timeout generating hardware timer DEVICEs 210, 212.

These timing devices are introduced to temporarily limit the continuous activation of the pneumatic solenoid valves 210, 212. In particular, the above rules specify a time limit of 10 seconds, which is commonly followed by most railway operators. However, some railway operators consider that other times than those suggested by the above regulations are also suitable.

Fig. 2 illustrates a functional implementation of the control system of the anti-skid system. The microprocessor 207 executes axle identification and control algorithms, such as, but not limited to, the algorithms described in EP3393873, WO2017175108, which generate respective control signals 208, 209 for the switching elements 202, 203.

When the microprocessor 207 places the control signal 208 at a logic level "1", i.e. it is intended to activate the switching element 202, the transition 0 → 1 of the control signal 208 activates the timer means 210, which timer means 210 in turn places its output 213 at a logic level "1", for a time interval T1 equal to (but not exclusively) 10 s. The logic gate 216 performs an AND function between the control signal 208 AND the signal at the output 213, such that the signal 214 in effect commands the closure of the switching element 202 to energize the pneumatic solenoid valve 220 accordingly.

When the microprocessor 207 places the control signal 208 at a logic level "0" to de-energize the pneumatic solenoid valve 220 before expiration of time T1, it places the timer device 210 in a reset state via its active low input R, ready for the subsequent transition 0 → 1.

If the command signal 208 remains permanently blocked at logic level "1" due to a hardware failure of the microprocessor 207 or due to a software error of the antiskid control algorithm, the time T1 counted by the timer means 210 will expire, causing the signals 213, 214 to return to logic level "0" and the pneumatic solenoid valve 220 to be permanently de-energized.

The same action occurs with respect to the pneumatic solenoid valve 221 by the timer device 212.

In some cases, there is a pressure sensor 222 that indicates to the microprocessor circuit 207 the pressure upstream of the pneumatic solenoid valve 220 through connection 224, and a pressure sensor 223 that indicates to the microprocessor circuit 207 the pressure of the brake cylinder 211 through connection 225.

Circuit variants for implementing the timing and suppression functions of the energization commands of the pneumatic solenoid valves 220, 221 are known.

The timing circuit shown in fig. 2 is duplicated for each antiskid valve unit 111, 112, 113, 114.

The above-described solution represents all the prior art approved by railway operators and railway safety agencies as a way of reducing the risk that a hardware failure or software problem may lead to a permanent and undesirable reduction in pneumatic pressure during braking.

In order to maintain one or more axles 102, 105 in a controlled slip state as long as the braking state remains in a reduced adhesion state under normal operation, the anti-skid system continuously corrects the pressure of one or more brake cylinders 111, 114, thereby resetting the timer devices 210, 212.

However, the use of a timing circuit according to the prior art described previously represents a counterproductive situation, although the anti-skid device performs its function correctly.

The first case is shown in fig. 4. In response to the braking request, brake system 110 increases pressure 404 on brake cylinder 211. As the adhesion condition between the wheel 202 and the rail 240 decreases, the wheel 202 begins to slip when the axle braking force generated by the pressure 404 exceeds the available adhesion. The estimated linear speed 401 of the axle is separated from the linear speed 402 of the train at time 403. Thereupon, the anti skid device 201 activates the "vent" phase by its own algorithm, resulting in a 0 → 1 transition of the control signals 208, 209 to energize the pneumatic solenoid valves 220, 221, respectively. From time 403, the pressure begins to drop and the timing devices 210, 212 activated by transition 0 → 1 begin to count times T1, T2, respectively. When the instantaneous estimated linear speed 401 of the axle enters the tolerance band 405, the antiskid device 201 switches from the "discharge" phase to the "maintenance" phase, placing the signal 209 at logic level "0" to de-energize the pneumatic solenoid valve 221. Thus, the timing device 212 is reset. If the instantaneous estimated linear velocity 401 remains within the tolerance band 405, the antiskid device 201 remains in the "hold" state. In this case, the timing device 210 continues to evolve, reaching the value T1, placing its output 213 in the logic state "0", de-energizing the switching element 202, returning the system to the filling state, thus eventually locking the wheel.

The second case shown in fig. 5 occurs in the case of very low adhesion and very high moment of inertia of the axle, for example an axle connected to the drive motor by means of a gear reducer.

In response to the braking request, brake system 110 increases pressure 504 to brake cylinder 211. Due to the adhesion conditions between the wheels 202 and the rail, the wheels begin to slip when the axle braking force generated by the pressure 504 exceeds the available adhesion. The instantaneous estimated linear speed 501 of the axle is separated from the linear speed 502 of the train at time 503. Thereupon, the anti skid device 201 activates the "vent" phase, resulting in a 0 → 1 transition of the control signals 208, 209 to energize the pneumatic solenoid valves 220, 221, respectively. From time 503, the pressure begins to drop and the timing devices 210, 212 activated by transition 0 → 1 begin to count times T1, T2, respectively. Since the adhesion force is very low, although the pressure 504 decreases with the activation of the discharging stage, the instantaneous estimated linear velocity 501 continues to decrease far below the tolerance band 505, and stops decreasing when the braking force generated by the pressure 504 is less than the low adhesion force.

In this case, the antiskid device 201 continues to remain in the "discharge" phase, waiting for the instantaneous estimated linear speed 501 of the axle to fall within the tolerance band. Due to the low adhesion and high moment of inertia, the instantaneous estimated linear velocity 501 of the axle starts very slowly with an acceleration dv/dt >0, but very low. In this case, the timekeeping devices 210, 212 continue to evolve, reaching the values T1, T2, respectively. Specifically, the timing device 210 places its output 213 in logic state "0", de-energizing the switching element 202, de-energizing the solenoid valves 204, 205, returning the system to the "fill" state, and eventually locking the wheels.

It should be noted that in the case shown in fig. 5, the instantaneous estimated linear velocity 501 may leave the tolerance band 505 due to a slow response time of the pneumatic solenoid valves (220, 221) with very low adhesion, or due to a sudden change in adhesion (not shown in fig. 5). In both cases, the anti-skid system adjusts the brake cylinder pressure associated with the instantaneous estimated linear velocity 501 back to within the tolerance band 405. This is a normal event, which can be tolerated as long as the instantaneous estimated linear velocity 501 continues outside the tolerance band 505 for a duration not exceeding the time TB.

The third situation shown in fig. 6 occurs in the event of a software failure problem of the algorithm or a hardware failure of the microcontroller 207.

In response to the braking request, brake system 110 increases pressure 604 to brake cylinder 211. Due to the low adhesion condition between the wheels 202 and the rail 240, the wheels begin to slip when the axle braking force generated by the pressure 604 exceeds the available adhesion. The estimated linear speed 601 of the axle is separated from the linear speed 602 of the train at time 603. Thereupon, the anti skid device 201 activates the "vent" phase, resulting in a 0 → 1 transition of the control signals 208, 208 to energize the pneumatic solenoid valves 220, 221, respectively. From time 603, the pressure begins to drop and the timing devices 210, 212 activated by transition 0 → 1 begin to count times T1, T2, respectively. As a result of the pressure drop 604, the instantaneous estimated linear velocity 601 of the axle 202 begins to recover by crossing the tolerance band 605 with a positive slope. At the same time, the antiskid device does not react due to some unexpected software or hardware failure of the microprocessor 207, the instantaneous estimated linear velocity 601 of the axle 202 is fully restored to the instantaneous linear velocity 602 of the vehicle, and the pressure is not restored to the initial value or at least the value required to maintain controlled slippage of the axle 202. In this case, only when the timing means 210, 212 reach the values T1, T2 respectively, in particular the timing means 210, will put its output 213 in the logic state "0", de-energize the switching element 202, de-energize the solenoid valves 204, 205, return the system to the "filling" state and consequently brake, even causing the wheels to lock. In this particular case, the brake cylinder is unnecessarily maintained for the time T1, T2 without brake pressure being applied, while for safety reasons it is appropriate to restore the brake pressure without waiting for the time T1, T2 to expire.

One way to overcome the first two described situations may be to reset the timing device before the expiration of the times T1, T2, effectively forcing an extension of the times T1, T2 and causing the timing device to be reset by the software transition 1 → 0 → 1 of the control signals 208, 209, but fast enough to be masked by the mechanical inertia of the pneumatic solenoid valves 220, 221. In the first case, the antiskid device is allowed to continue its normal operating mode, and in the second case, the axle 202 is allowed to resume its instantaneous speed as long as it is able to reach the tolerance band 405, thereby allowing the antiskid device to reapply the minimum pressure. In some cases, the railway operators require increasing times T1, T2 according to the actual situation, which usually occurs in the autumn and winter season, with very low adhesion due to rotten leaves or snow accumulated on the tracks for a long time.

On the other hand, in the third case, it is advisable to use very short times T1, T2, in order to avoid that, particularly in the case of failure of the anti-skid device, the emergency braking state remains for a long time without pressure being applied on the brake cylinders.

In deciding which of the possible solutions to adopt, european regulations must be considered:

-EN50126“Railway applications.The specification and demonstration of reliability,availability,maintainability and safety(RAMS).Basic requirements and generic process”；

-EN50128“Railway applications–Communications,signaling and processing systems–Software for railway control and protection systems”；

-EN50129“Railway applications.Communication,signalling and processing systems.Safety related electronic systems for signalling”。

in particular, the EN50126 standard (the latest version released on 3/8/2019) defines a method of assigning SIL0/1/2/3/4 safety levels to subsystems according to the results of safety analysis, while the EN50128 and EN50129 standards (the latest version released on 3/8/2019) define design standards applied to software and hardware components, respectively, according to the specified SIL levels. According to the application of the previously cited standards, the following statements and concepts may be expressed:

electronic systems for implementing a Service Braking function (Service Braking function) can generally be manufactured according to the above-mentioned standard specifications, limiting the implementation to a safety level not higher than SIL 2.

The electronic system for implementing the emergency braking function can be manufactured according to the above-mentioned regulation, limiting the implementation to a safety level not lower than SIL 3.

Current anti-skid systems are generally manufactured according to the standard EN50128, EN50129, grade SIL 2. The possible solution of resetting the timing device with a fast transition 1 → 0 → 1 runs counter to the same safety reasons for introducing the timing device. The re-triggering of the timing device in emergency braking can only be introduced fully and safely, based on the observation of the appropriate dimensions of the entire anti-skid system and the reasonable reaction resulting therefrom, if the construction is carried out according to the SIL ≧ 3 rating in the EN50128, EN50129 standards.

The complexity of the anti-skid algorithms, and the fact that adaptive standards are increasingly used, make the development of anti-skid systems with a safety rating of SIL ≧ 3 according to the standards EN50128, EN50129 extremely complex and expensive. It is well known that the development complexity and cost to certification ratio between SIL systems ≧ 2 and SIL systems ≧ 3 is typically between 1:20 and 1: 40. The interface between the antiskid algorithm, the brake control algorithm, the pneumatic braking and the synchronization algorithm between the regenerative braking obtained by using the drive motor is highly parameterized, complex to adapt, requiring a partial continuous rewriting of the antiskid algorithm, with the consequent expensive SIL4 EN50128 re-certification.

Furthermore, the use of devices developed according to the EN50128, EN50129 SIL2 levels, in fact for reducing the braking force over a certain time, violates the normal safety analysis of the emergency braking performed according to the EN50126 standard. In fact, railway operators or safety agencies now often require the disabling of anti-skid devices during emergency braking, which is in conflict with the need to activate anti-skid devices, in particular during emergency braking, in which case it is necessary to resort to all the means to assist in restoring adhesion and to achieve the shortest stopping distance.

The prior art therefore avoids the voluntary re-triggering action of the timing device by the anti-skid device itself, while applying only the times T1, T2 provided by UIC and EN, with further consent to the anti-skid device to be inhibited during emergency braking.

Disclosure of Invention

It is therefore an object of the present invention to avoid the counterproductive situation of known anti-skid devices by providing a solution that reduces complexity and development costs.

In summary, this patent describes the use of a monitoring device of a railway anti-skid system. The monitoring device is used for monitoring the behavior of the relevant antiskid system and improving the overall safety level of the antiskid system through the direct or indirect action of the timing device of the antiskid system so as to achieve the safety level required by the braking system during the emergency braking stage. Furthermore, the intervention of the monitoring device in the timing device is improved.

Furthermore, the monitoring device may replace the anti-skid system if said anti-skid system fails.

According to one aspect of the present invention, the above and other objects and advantages are achieved by a monitoring device having the features defined in claim 1. Preferred embodiments of the invention are defined in the dependent claims, the contents of which are to be understood as an integral part of the present description.

Drawings

The functional and structural features of some preferred embodiments of the electronic emergency and service brake control system according to the invention will now be described. Referring to the drawings wherein:

figure 1 shows a known anti-skid system;

figure 2 shows a functional embodiment of a control system of the anti-skid system;

fig. 3 shows the trend of the axle instantaneous speed times and the derivative virtual speed;

fig. 4 shows an explanatory diagram of a first counterproductive case of a timing circuit according to the prior art;

fig. 5 shows an explanatory diagram of a second opportune case of a timing circuit according to the prior art;

fig. 6 shows an explanatory diagram of a third counterproductive case of a timing circuit according to the prior art;

figures 7 and 8 respectively show an embodiment of the monitoring device;

figure 9 shows a continuous handshake exchange of the monitoring device with the anti-skid system to verify the correct reaction of the anti-skid device; and

fig. 10 illustrates the information exchange between the monitoring device and the anti-skid system when the connecting device consists of a communication channel.

Detailed Description

Before explaining several embodiments of the invention in detail, it is to be noted that the invention is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments and of being practiced or of being carried out in various ways. It is to be understood that the phraseology and terminology are for the purpose of description and should not be regarded as limiting. The use of "including" and "comprising" and variations thereof is meant to encompass the elements recited thereafter and equivalents thereof as well as additional elements and equivalents thereof.

A first embodiment of a monitoring device 701, 801 for monitoring the operation of an antiskid device 703, 803 of a railway brake system is described below.

The anti-skid device is designed for receiving instantaneous speed signals of at least two axles 102.. 105, for controlling the pressure of the brake cylinders 111.. 114 associated with the axles 102.. 105 by means of the electric valve unit (117.. 120), for preventing the axles (102.. 105) from being blocked and for controlling the axles (102.. 105) from skidding by controlling the pressure of the brake cylinders 111.. 114 associated with the axles 102.. 105 by means of the electric valve unit 117.. 120.

The electric valve units 117, 120 each comprise two pneumatic solenoid valves 220, 221. Each pneumatic solenoid valve 220, 221 is equipped with a timing means 210, 212, 726, 727, 826, 827 arranged to measure the supply time of the respective pneumatic solenoid valve 220, 221 and each arranged to generate a signal arranged to de-energize the respective pneumatic solenoid valve 220, 221 if the measured supply time of the respective pneumatic solenoid valve 220, 221 exceeds a predetermined preload time value T1, T2.

The monitoring devices 701, 801 are arranged to acquire an instantaneous estimated linear speed 301,.., 304 associated with the axle 102,...,105 controlled by the anti-skid devices 703, 803, compare the instantaneous estimated linear speed 301,.., 304 associated with the axle 102,.., 105 with a reference linear speed (306) of the railway vehicle, and monitor the pressure state of the brake cylinders 111,...., 114.

The monitoring means 701, 801 are further arranged to determine, for each axle in the skidding phase, whether the anti-skidding means 703, 803 are working normally or are not working abnormally according to predetermined operating conditions, wherein the predetermined operating conditions comprise a predetermined trend of each estimated instantaneous linear speed 301,.., 304 associated with the axle 102,.., 105 in the skidding phase relative to a reference linear speed 306 of the railway vehicle, wherein the reference linear speed is associated with each pressure applied to the brake cylinder 111,...., 114 associated with the axle 102,.., 105.

Furthermore, the monitoring devices 701, 801 are arranged to maintain, reduce or cancel the preload time values T1, T2 in at least one of the timing devices 726, 727, 826, 827 associated with the axle 102,... 105 in the slipping phase when the monitoring devices 701, 801 determine that the anti-skid devices 703, 803 are not functioning normally, during the counting of said preload time T1, T2 by said timing devices 726, 727, 826, 827.

The purpose of the monitoring devices 701, 801 is thus to act directly or indirectly on the timing device.

Preferably, the monitoring means 701, 801 are further arranged to maintain or increase the preload time value T1, T2 in at least one timing means 726, 727, 826, 827 when the monitoring means determines that the anti-skid device 703, 803 is functioning normally, during the counting of said preload time T1, T2 by the timing means 726, 727, 826, 827 associated with the axle 102.. 105 in the slip phase.

Preferably, the antiskid devices 703, 803 may be determined to be functioning properly if the axle in the slipping state exhibits one of the following predetermined operating conditions:

the estimated instantaneous linear speed 401 of the axle is included within the tolerance band 405 for at least the predetermined time TP 1;

the estimated instantaneous linear speed 501 of the axle is characterized by an instantaneous acceleration above a given acceleration threshold As, at least for a predetermined time TP 2.

The tolerance band 405, 505, 605 may be a function of the reference linear velocity 402, 502, 602.

Preferably, it may be determined that the antiskid devices 703, 803 are not functioning properly if at least one axle in a slipping state exhibits one of the following predetermined operating conditions:

the instantaneous pressure value 604 of the brake cylinder associated with at least one axle in a slipping condition represents a "maintenance" condition in which the pressure value of the brake cylinder is kept constant, or represents an "emptying" condition in which the pressure value of the brake cylinder is zero, with an instantaneous linear velocity value 606 associated with said instantaneous pressure 604, characterized by being nominally equal to the reference linear velocity 602 of the vehicle within a predetermined time TP 3;

the instantaneous pressure value 604 of the brake cylinder associated with said at least one axle in slipping condition represents a "maintenance" or "emptying" condition, with an instantaneous linear speed value 607 associated with said instantaneous pressure 604, characterized by evolution outside the tolerance band 605 within a predetermined time TP3 with an acceleration As lower than a predetermined value.

Preferably, if the continuous control program between the monitoring devices 701, 801 and the antiskid devices 703, 803 is not properly set, it may be determined that the antiskid devices 703, 803 are not operating normally.

The continuous control program may comprise exchanging a first master signal 901 generated by the monitoring device 701, 801 and received by the anti skid device 703, 803 and a second slave signal 902 generated by the anti skid device 703, 803 and received by the monitoring device 701, 801.

The master signal 901 has successive logic state transitions S1.. ann, Sn determined by the monitoring devices 701, 801, and the slave signal has a responsive logic state transition a 1.. ann, An generated by the antiskid devices 703, 803 in response to the transition S1.. ann, Sn of the master signal 901.

In response to a logic state transition a 1., An needs to occur within a time TOK from the corresponding transition S1., S3 of the master signal 901 in order to consider the antiskid device 703, 803 to function properly.

Alternatively, the continuous control process may include continuously generating an information request 1030 generated by the monitoring devices 701, 801 and received by the antiskid devices 703, 803, and a response 1031 to the information request 1030.

The response 1031 is generated by the antiskid devices 703, 803 and received by the monitoring devices 701, 801. The monitoring apparatuses 801, 803 randomly acquire information requests from a predetermined list 1020 that is pre-loaded in the non-volatile memory of the monitoring apparatuses 801, 803.

The response 1031 is calculated independently by the antiskid devices 703, 803 and the monitoring devices 701, 801.

As long as the monitoring device sees a correspondence between the response calculated by itself and the response 1031 sent by the anti skid device, it is assumed that the anti skid devices 703, 803 are functioning properly.

In another aspect, monitoring of the pressure condition of the brake cylinders 111. One of the two pneumatic solenoid valves 220, 221 may be a pneumatic fill solenoid valve 220. The pressure sensors 222, 223 may indicate the brake pressure upstream of each pneumatic fill solenoid valve 220 of the antiskid valve unit 117, 120 and the pressure at each brake cylinder 111, 114, respectively.

Preferably, monitoring of the pressure condition of the brake cylinders 111., 114 may be performed indirectly by observing the state of the control signals 208, 209 associated with each antiskid valve unit 117., 120 associated with each brake cylinder 111., 114.

In another aspect, the preload time values T1, T2 may have values greater than or equal to zero seconds and less than ten seconds.

Preferably, the monitoring devices 701, 801 may be arranged to calculate the reference linear speed 306, 402, 502, 602 of the railway vehicle by performing operations on the instantaneous speed 301...., 304 and the at least one derivative virtual speed 305 of the axle 102.

The monitoring devices 701, 801 may also be arranged to calculate the reference linear velocity 306, 402, 502, 602 of the associated railway vehicle by operating on further instantaneous velocity values of axles associated with additional monitoring devices or skid prevention devices associated with the same railway vehicle. Additional monitoring devices and anti-skid devices may be connected to the monitoring devices 701, 801 via a communication network.

The above-mentioned further speed values may be transmitted by the generating means according to the standard EN50159, according to a security level equal to or greater than that used for the development monitoring means 701, 801, through said communication network.

In yet another aspect, the monitoring devices 701, 801 may be arranged to send commands to the anti skid devices 703, 803. These commands are commands that require a logical transition to the control outputs 208, 209 and are sent over the connection means 750, 850. Thus, the connecting means 750, 850 may connect the monitoring means 701, 801 to the anti skid means 703, 803. The connection means 750, 850 may comprise one or more digital signals or communication channels. Multiple digital hardware signals may allow for simple handshake exchanges. For example, the communication channel may be, but is not limited to, RS232, RS485, CAN.

Preferably, the monitoring device 701 may be arranged to re-read the current remaining time value from the timing device 726, 727 of each antiskid valve unit 117,.., 120, and in the event that the remaining time to be counted is intended to be extended, then to reload said timing device 726, 727 with a higher value than the newly read value. Alternatively, the monitoring device 701 may be arranged to reload the timing devices 726, 727 with a lower value or with a null value than the newly read value in case it is intended to reduce or clear the remaining time to be counted.

The monitoring device may be arranged to:

re-reading the current remaining time value of the internal counter 828, 829 associated with the timing means 826, 827 of each antiskid valve unit 117,.., 120;

"re-triggering" the timing device 826, 827 related to the associated axle 112, if the remaining time to be counted is intended to be extended, and re-loading the internal counter 828, 829 associated to the timing device 826, 827 with the pre-load time value T1, T2 of the timing device 826, 827;

-if the remaining time to be counted is intended to be zeroed, "reset" the timing device 826, 827 related to the associated axle 112.

Preferably, the monitoring devices 701, 801 may be arranged to indirectly "re-trigger" the timing devices 726, 727, 826, 827, resulting in a pressure variation 404 sufficient to cause the instantaneous estimated linear velocity 401 to exit from the tolerance band 405. The pressure variations 401 may be obtained by acting on the appropriate signals 720, 721, 820, 821.

Preferably, the monitoring devices 701, 801 may be arranged to inhibit the anti-skid devices 703, 803 by means of appropriate signals 720, 721, 820, 821 to directly drive the anti-skid valve unit 117 by means of further signals 732, 733, 832, 833, in order to operate the anti-skid algorithm.

Preferably, the monitoring devices 701, 801 may be arranged to inhibit the anti-skid devices 703, 803 by means of appropriate signals 720, 721, 820, 821 and to directly control the anti-skid valve unit 117 by means of additional signals 732, 733, 832, 833 in order to operate the anti-lock algorithm.

Preferably, the monitoring devices 701, 801 may comprise watchdog circuitry 706, 806 arranged to monitor the proper operation of the monitoring devices 701, 801. The watchdog circuit 706, 806 is equipped with a switch element 710, 810, the switch element 710, 810 being placed in series on the power branch of the solenoid valve 714, 715, 814, 815 of the antiskid valve unit 117. When the watchdog circuits 706, 806 see normal operation of the monitoring devices 701, 801, the switching elements 710, 810 may be positioned in a closed state by the watchdog circuits 706, 806. When watchdog circuits 706, 806 see abnormal operation of monitoring devices 701, 801, switching elements 710, 810 may be positioned in an open state by watchdog circuits 706, 806.

The monitoring device may also include emergency switching elements 704, 804 placed in parallel with the switching elements 710, 810. The emergency switch elements 704, 804 may be in a closed state when the emergency request signals 705, 805 are in an "inactive" state, and the emergency switch elements 704, 804 may be in an open state when the emergency request signals 705, 805 are in an "active" state.

Preferably, the monitoring means 701, 801 are developed according to SIL ≧ 3 rating in relation to the EN50128 and EN50129 standards. Furthermore, the above further speed values will be generated by the generating means according to the EN50128, EN50129 standard according to a safety level equal to or greater than that used for developing the monitoring means 701, 801.

In another aspect, the monitoring devices 701, 801 may be implemented by redundant microprocessor circuits, redundant programmable logic circuits, or at least one microprocessor circuit and at least one programmable logic circuit.

Preferably, the timing means 726, 727 and the additional logic functions 722, 723, 734, 735 are implemented within the monitoring means. The functions equivalent to the timing means 726, 727 and the additional logic functions 722, 723, 734, 735 may be implemented by software code or within programmable logic circuits.

Figures 7 and 8 show some non-exclusive example embodiments.

Examples of embodiments are described in detail below.

The monitoring devices 701, 801 receive two or more instantaneous speed signals 702, 802 from the axles 102, 103, 104, 105 of the speed sensors 106, 107, 108, 109. For example, but not limiting of, the monitoring devices 701, 801 calculate the instantaneous linear speed of the vehicle in real time by the method previously described and illustrated in fig. 4. Furthermore, not shown in fig. 7 and 8, monitoring devices 701, 801 are connected to other on-board systems via a communication bus, such as, but not limited to, other monitoring or antiskid devices from which monitoring devices 701, 801 may receive speed information for other axles.

Since the calculated instantaneous linear speed of the vehicle has a direct role in analyzing the state of the monitored anti-skid system, the relevant calculation function has the same safety level as the monitoring devices 701, 801 have to reach. Therefore, the transmission of speed information pertaining to the axles of other on-board systems must also be carried out according to the procedure described, according to the european standard EN50159 for communication in railway applications-communication, signal and processing systems-transmission systems-related communication, in order to reach the same level of safety reached by the monitoring devices 701, 801.

The anti-skid devices 703, 803 receive the same two or more instantaneous speed signals 752, 852 of the axles 102, 103, 104, 105 to perform the anti-skid algorithm. Alternatively, the instantaneous speed signals 752, 852 may be generated and transmitted by the monitoring devices 701, 801 for the anti-skid devices 703, 803 as a reproduction of the instantaneous speed signals 702, 802. As a further alternative, the instantaneous speed signals 752, 852 may be generated by the monitoring devices 701, 801 and transmitted to the anti-skid devices 703, 803 via the connection devices 750, 850.

Emergency braking signals 705, 805 may be in an "inactive" state to indicate no emergency braking request and in an "active" state to indicate the presence of an emergency braking request.

When emergency braking signals 705, 805 are "inactive," switching elements 704, 804 are in a closed state. When emergency braking signals 705, 805 are "active," switching elements 704, 804 are in an open state.

The watchdog function 706, 806 maintains its output 711, 811 at a logic level "1" as long as the watchdog function 706, 806 verifies a normal operation of the monitoring means 701, 801, and switches its output 711, 811 to a logic level "0" when the watchdog circuit 706, 806 verifies an abnormal operation of the monitoring means 701, 801.

In a normal operating state, since the signals at the outputs 711, 811 are at logic level "1", the monitoring devices 701, 801 may close the switching elements 710, 810, thereby driving the internal signals 708, 808 to logic level "1". When internal signals 708, 808 are brought to a logic level "0" by monitoring devices 701, 801 or when watchdog circuits 706, 806 detect an operational error of monitoring devices 701, 801, switching elements 710, 810 are opened by signals 709, 809.

A security system designed according to the EN50126 standard requires the existence of a "security state" or a state in which a target level of security for an item is guaranteed in the event of a fault which renders the security system itself completely ineffective.

In antiskid systems controlled by higher safety systems, the "safe state" is such as, but not limited to, the suppressed state of the system during emergency braking.

The parallel connection of the switching elements 710, 704 or 810, 804 constitutes the "safe state" of the system: if the monitoring device 701, 801 is affected by a fault that does not allow it to perform safety monitoring activities that allow the anti-skid system 703, 803 to operate during emergency braking, the watchdog circuit actuates the switch element 710 to an open state, thereby allowing the emergency braking signal 705, 805 in an active emergency braking state to turn off the power to the solenoid valve 714, 715 or 814, 815, thereby opening the switch 704, 804, leaving the overall system in a state that inhibits the anti-skid function during emergency braking. If the antiskid function needs to be suppressed even during service braking, signals 730, 830 are connected to signals 709, 809, respectively, if the monitoring devices 701, 801 are affected by a fault that does not allow them to perform safety monitoring activities. Thus, when a fault is found in the monitoring devices 701, 801, the watchdog devices 706, 806 also suppress the antiskid devices 703, 803 by opening the switch elements 731, 831 during the braking of the vehicle.

The switching elements 712, 812 functionally correspond to the switching element 202 for energizing the solenoid valves 715, 815 of the solenoid valve 204 corresponding to the pneumatic solenoid valve 220. The switching elements 713, 813 correspond functionally to the switching element 203 for energizing the solenoid valves 714, 814 of the solenoid valve 205 corresponding to the pneumatic solenoid valve 221.

The timing devices 726, 727 are digital counters whose counts are timed by a clock not shown in the figure. The contents of which may be read or modified by the monitoring device 701 over the bidirectional buses 724, 725, respectively.

Timing devices 826, 827 are monostables of analog type. In order to know the remaining time to be counted by the two timing means 826, 827, the monitoring means 801 simulates the behavior of the timing means 826, 827 by means of two software counters 828, 829. The two software counters 826, 827 are preloaded at times nominally corresponding to the count times T1, T2 of the respective timing means 826, 827. The monitoring device 801 reads the control signals 208, 209. When the combination of command signals 208, 818 and 209, 819 is operated by the respective logic gates 824, 825 starting or resetting the respective timing means 826, 827, the monitoring means 801 performs the same operation on both respective software counters 826, 827, having continuous and real-time knowledge about the time count state of the respective timing means 826, 827.

The monitoring devices 701, 801 normally keep the signals 732, 733 or 832, 833 at the logic level "0", so that the logic gate or "734, 735 or 834, 835 is transparent to the output signal 722, 723 or 822, 823 of the logic gate and.

The monitoring means 701, 801 normally keep the signal 720, 721 or 820, 821 at a logic level "1" so that the logic gate and 722, 723 or 822, 823 operates according to the state of the other input signal to said logic gate 722, 723 or 822, 823 respectively. When the monitoring means 701, 801 keep the signal 720, 721 or 820, 821 at logic level "1" and keep the signal 732, 733 or 832, 833 at logic level "0", the anti-skid means 703, 803 act on the timing means 726, 727 or 826, 827 and the switching element 712, 713 or 812, 813, similarly to the description of the circuit of fig. 2.

At any time, for example, when the monitoring devices 701, 801 detect a fault in the antiskid devices 703, 803, the monitoring circuits 701, 801 may decide on a first solution to open the contacts 731, 831 by signals 730, 830 or to inhibit the antiskid system by placing signals 818, 819 or 720, 721 or 820, 821 at a logic level "0". Furthermore, the monitoring devices 701, 801 may decide to replace the antiskid devices 703, 803, inhibit the antiskid devices 703, 803 from placing the signals 720, 721 or 820, 821 at logic level "0", and directly control the state of the solenoid valves 715, 714 or 815, 814 by directly driving the switching elements 712, 713 or 812, 813 via the respective signals 733, 732 or 833, 832. In this case, the algorithm used by the monitoring means 701, 801 may be of an extremely simplified type to simplify the EN50128 SIL ≧ 3 authentication, such as a simple derivative algorithm sensitive to the instantaneous speed variation of the axle, and the algorithm used by the monitoring means 701, 801 may have an instantaneous speed threshold of the axle below which the antiskid valve unit is placed in the "empty" state for a time sufficient to avoid a wheel lock-up condition.

The monitoring devices 701, 801 may permanently monitor the activity of the anti-skid devices 703, 803, comparing the individual behavior of the instantaneous linear velocity of each axle 102, 103, 104, 105 with the reference linear velocity of the vehicle, while observing the state of each pneumatic pressure associated with the brake cylinder of each axle 102, 103, 104, 105.

Furthermore, the monitoring devices 701, 801 may monitor the activity of the outputs 208, 209 of the antiskid devices 703, 803.

The pressure state associated with brake cylinder 211 can be observed as the difference between brake pressure 215 read by sensor 222 and the pressure to brake cylinder 211 read by pressure sensor 223.

The "filled" state, representing full braking, corresponds to a pressure value of brake cylinder 211, nominally equal to brake pressure 215.

The "hold" state corresponds to the pressure value of brake cylinder 211 being constant and lower than brake pressure 215. Specifically, those skilled in the art know that the difference between brake pressure 215 and the pressure applied to brake cylinder 211 is indicative of the adhesion value at the point of contact between the axle and the rail, i.e., the greater the difference, the smaller the coefficient of friction.

The "empty" condition, indicating the brake is fully released, corresponds to the value of the air pressure of the brake cylinder 211.

Without the pressure sensors 222, 223, it is possible to deduce from the state of the control signals 208, 209, according to the definition initially provided, the pressure state associated with the brake cylinder 211, i.e. a "filling" state corresponding to both pneumatic solenoid valves being de-energized, a "maintaining" state corresponding to only the pneumatic solenoid valve 220 being energized, and a "discharging" state corresponding to the pneumatic solenoid valves 220, 221 being energized simultaneously.

For each axle 102,. -, 105, and based on the individual behavior of the instantaneous speed of each axle 102,. -, 105 at the vehicle reference speed and the state of each pneumatic pressure in relation to the brake cylinder 111,. -, 114 of each axle 102,. -, 105, the monitoring device 701, 801 may decide, depending on well-functioning or identified fault conditions, to not intervene, or to extend, reduce, reset the time T1, T2 associated with each valve unit 117,. -, 120.

For example, but not by way of limitation, fig. 4 and 5 illustrate situations where the monitoring device may decide not to intervene or extend the time T1, T2.

When the instantaneous linear speed 607 remains outside the band 604 for a time exceeding TB, the monitoring device may decide not to intervene.

The monitoring device may decide to reduce or reset the times T1, T2, as shown, for example, but not exclusively, in fig. 6.

The monitoring device 701 may extend the time T1, T2 of the timing devices 726, 727, respectively, such as, but not limited to, reading the remaining time in the timing devices 726, 727 over the buses 724, 725, respectively, and by reloading the timing devices 726, 727 with a time value greater than the remaining time. The monitoring device 701 may shorten the time T1, T2 of the timing devices 726, 727, such as but not limited to reading the remaining time in the timing devices 726, 727 over the buses 724, 725, respectively, and by reloading the timing devices 726, 727 with a time value or null value that is less than the remaining time.

The monitoring device 801 may extend the times T1, T2 of the timing devices 826, 827, respectively, for example by directly re-triggering the timing devices by means of a fast transition 1 → 0 → 1 performed on the signals 818, 819. In this case, the timing device will reload the times T1, T2, respectively.

The monitoring device 801 may reset the times T1, T2 of the timing devices 826, 827, respectively, for example by permanently resetting the timing devices 826, 827 directly by means of a permanent transition 1 → 0 performed on the signals 818, 819.

In the second mode, the monitoring means 701, 801 may indirectly re-trigger the times T1, T2, resulting in a minimum instability of the system, and it is therefore the anti-skid circuits 703, 803 themselves that directly re-trigger the timing means 726, 727 or 826, 827. The monitoring devices 701, 801 may destabilize the system by energizing the signals 732, 733 or 832, 833 for a sufficient time to cause a "dump" condition by causing a pressure drop in the brake cylinder 221 sufficient to cause the estimated linear velocity 401 to exceed the upper portion of the tolerance band 405. At this point, if the antiskid is active and functioning properly, it will react by acting on signal 208, 209 and re-triggering timer 726, 727 or 826, 827 causing the system to enter a "filled" state. Further, the anti-skid device will cause the estimated linear velocity 401 to fall within the tolerance band 405. The monitoring devices 701, 801 detect the correct reaction of the antiskid devices 703, 803 by monitoring the outputs 208, 209 of the antiskid devices 703, 803.

In addition, the monitoring device 701, 801 may prompt the antiskid device 703, 803 by requesting the antiskid device 701, 801 itself to perform the transition 1 → 0 → 1 to the output 208, 209 via a request made by the communication device 750, 850. This approach is particularly useful in the case shown in fig. 5, where the antiskid device tends to keep its outputs 208, 209 continuously at logic state "1" as long as the estimated linear speed 501 of the axle is not within the tolerance band 505. Any other method previously described will result in the re-triggering of the timing device 726, 727 or 826, 826 for the purpose of extending the time, but will not result in a transition of the output 208, 209, for example to allow the monitoring device 701, 801 to check the "life" status of the antiskid device 703, 803.

In the case shown in fig. 7, upon observing a system failure, the monitoring devices 701, 801 can decide to immediately and permanently reapply the brake pressure by acting on the available signal, without waiting for the time T1, T2 to expire by the timing devices 726, 727 or 826, 827.

Furthermore, as mentioned above, the monitoring device may replace the antiskid device by inhibiting the antiskid device 703, 803 from placing the signal 720, 721 or 820, 821 at logic level "0" and directly controlling the state of the solenoid valve 715, 714 or 815, 814 by directly driving the switching element 712, 713 or 812, 813, respectively, via the signal 733, 732 or 833, 832.

The circuit of fig. 7 or 8 is dedicated to each valve unit 117, 118, 119, 120 associated with the antiskid device 101, 703, 803 and with the monitoring device 701, 801.

One way to enforce the criteria that the monitoring devices 701, 801 consider the anti skid systems 703, 803 to behave correctly is where the monitoring devices 701, 801 implement a continuous exchange of handshakes with the anti skid systems 703, 803 via the connecting devices 750, 850, in order to check the correct reaction of the anti skid devices.

If the connection means 750, 850 consist of hard-wired discrete signals, an exemplary but non-exclusive method is illustrated in FIG. 9: digital signals 901 belonging to the set of discrete signals 750, 850 are generated by the monitoring devices 701, 801 and received by the anti-skid devices 703, 803. Digital signals 902 belonging to the discrete signal groups 750, 850 are generated by the antiskid devices 703, 803 and received by the monitoring devices 701, 801. The signal 901 is generated, for example but not exclusively, at a variable frequency. The signal 902 is generated in response to the signal 901, i.e. the anti skid device 703, 803 responds with a change a1, a 2.. An in the logic state of the signal 902 at each change S1, S2.. Sn in the logic state of the signal 901. The anti skid device 703, 803 monitors the signal 901 and executes the change a1, a 2.. An entirely by means of a software function integrated in the program flow relating to the anti skid function, completely released from execution under An interrupt call. When a change in the logic state a1, a 2.. An of the signal 902 is detected in response to a change in the logic state S1, S2.. Sn of the signal 901 within the maximum time TOK, the monitoring device 701, 801 considers the health status of the antiskid device 703, 803 to be correct.

An exemplary, but not exclusive, method is represented by the information exchange shown in fig. 10 if the connection means 750, 850 comprise a communication channel.

The monitoring devices 701, 801 have a list 1020 of n information requests that can be sent to the antiskid devices 703, 803. The information request provides, for example but not exclusively, information requests relating to the variable state of the system, the response of which is not known in advance but which can be obtained in real time from the monitoring devices 701, 801 and the antiskid devices 703, 803.

The monitoring devices 701, 801 cyclically execute the process 1001, for example, but not limited to executing the process 1001 at a variable frequency: in 1002, a random number is generated in the range 0 ÷ n, n corresponding to the maximum number of possible information requests, and the information request is taken from the information request list 1020.

In 1003, the monitoring devices 701, 801 transmit information requests to the antiskid devices 703, 803 via the communication channels constituting the connection devices 750, 850.

In 1012, the anti skid device 703, 803 processes the response to the received information request.

In 1013, the antiskid devices 703 and 803 transmit the processed responses to the monitoring devices 701 and 801.

At 1004, the monitoring devices 701, 801 process in turn the responses to the information requests acquired from the information request list 1020 at 1002.

In 1005, the monitoring devices 701, 801 verify the consistency between the responses they process and the responses that the anti-skid devices 703, 803 process.

In both described cases, if the monitoring device 701, 801 finds that the anti-skid device 703, 803 reacts incorrectly, it may decide to immediately reset the time T1, T2 and inhibit the operation of the anti-skid device 703, 803 by opening the switching element 701, 801 or by forcing the signal 720, 721, 820, 821 to logic state "0".

The functionality described in fig. 7 and 8 may be implemented in various alternative embodiments.

The monitoring circuits 701, 801 may be implemented by one or more microprocessors, or by one or more FPGA circuits, or by an assembly of a microprocessor and an FPGA circuit according to an architecture such that the integration between the monitoring circuits 701, 801 and the anti-skid system results in an overall safety level of the anti-skid function reaching SIL ≧ 3 according to EN 50126.

The functions corresponding to the circuit portions included within dashed line 760 may optionally be fully implemented in software mode within the microprocessor or FPGA forming monitoring device 701.

The switching elements 704, 710, 731 or 804, 810, 831 can be relays or solid state devices.

The limitations of the embodiments shown above constitute presently preferred embodiments, but may be varied without departing from the broader scope defined in the main claims.

The advantage thus obtained is that, by means of a solution with complexity and reduced costs, a solution is obtained which avoids the counterproductive situation of the known anti-skid devices.

Various aspects and embodiments of a method for implementing a monitoring device according to the invention have been described. It is to be understood that each embodiment may be combined with any other embodiment. Furthermore, the invention is not limited to the described embodiments, but may be varied within the scope defined by the following claims.