Title of Invention

DEVICE AND METHOD FOR CHECKING RAILWAY LOGICAL SOFTWARE ENGINES FOR COMMANDING PLANTS PARTICULARLY STATION PLAN

Abstract

A device for checking logical software engines for controlling and commanding plants, particularly railway plants, particularly station plants, comprising: at least a computer with at least a central processing unit and at least a memory for loading and executing programs; interfaces to data and/or commands inputting means; display means; a logical engine for commanding a plant, particularly a station plant, being loaded or loadable in said memory for its execution, which plant comprises a plurality of operating units for actuating and/or detection and/or measurement and/or signaling, so-called wayside equipments, which units are provided for receiving command signals and for transmitting control signals about the operating condition, and which logical software engine reads control signals given by the operating units for actuating and/or detection and/or measurement and/or signaling and it processes command signals of said operating units basing on an operation protocol of the plant itself; means for scheduling and configuring images and/or state and command variable lists of virtual operating units corresponding to the desired or correct operation or state condition of the plant in conjunction with a predetermined operation situation; means for setting specific operating conditions of the plant or of anomalous situations and for checking the plant reactions referring to several operating environment; wherein in the computer memory a plant software simulation program that is to be controlled and commanded by the control and command logical program is loaded or loadable and it is executable by the computer itself and which simulation program reproduces exactly the plant structure and the operating modes of operating units provided in said plant and in that the operation of the control and command logical program is further represented, in parallel or alternatively, as behavior of the equivalent command hardware logic composed of a relay network, means for simulating relay operation and a means for simulating relay network operation being provided, as well as graphic means for representing relays univocally associated to each relay simulation means and to relay network graphic representation means.
Full Text

FORM 2
THE PATENT ACT 1970 (39 of 1970)
The Patents Rules, 2003
PROVISIONAL / COMPLETE SPECIFICATION
(See Section 10, and rule 13)
TITLE OF INVENTION
DEVICE AND METHOD FOR CHECKING RAILWAY LOGICAL SOFTWARE
ENGINES FOR COMMANDING PLANTS PARTICULARLY STATION PLAN

2. APPLICANT(S)
a) Name: ALSTOM FERROVIARIA SPA
b) Nationality: ITALIAN National
c) Address: VIA OTTAVIANO MORENO 23, 12038 SAVIGLIANO (CN), ITALY

PREAMBLE TO THE DESCRIPTION
The following specification particularly describes the invention and the manner in which it is to be performed : -

Device and method for checking railway logical software engines for commanding plants, particularly station plants.
The invention relates to a device for checking logical software engines for commanding railway plants, particularly station plants, comprising at least a computer with at least a central processing unit and at least a memory for loading and executing programs: a logical engine for commanding a plant, particularly a station plant, being loaded or loadable in said memory for its execution, which plant comprises a plurality of operating units for actuating and/or detection and/or measurement and/or signalling, so called wayside equipments, which units are provided for receiving command signals and for transmitting control signals about the operating condition, and which logical software engine reads control signals given by the operating units for actuating and/or detection and/or measurement and/or signalling and it processes command signals of said operating units basing on an operation protocol of the plant itself.
In railway field, the command of station plants occurs by means of command logical engines which are based on Boolean algorithms. Control and command signals are univocally associated to state variables which are processed by Boolean logic that provides output command signals as modifications of said Boolean variables. Depending on the features of provided operating units, each of the said variables may have various state conditions and the associated variables representing the state controls and the state commutation commands of operating units may vary within predetermined values, each of the said values represents an operating condition of the operating unit as far as variables representing control signals are concerned, while the said values represent a commutation command from a predetermined operating condition to a different predetermined operating condition or a command for maintaining the operating condition as far as command signals are concerned.
Starting from a traditional realization of command and control logics, particularly of railway plants, in the shape of relay networks, at present the greater reliability and stability, as well as the greater comfort and flexibility in using computers, have caused the transfer of command functions from the relay hardware structure to a software command system emulating the behavior of the traditional relay network by means of a command and control logical program composed of Boolean algorithms.
Because of the complexity of railway plants, even the logic for controlling and commanding the plant is relatively complex, especially considering that in railway field the security operation standards are very high. In order to transform the control and command hardware logic formed by relay networks into a program in the form of a control and command Boolean engine, hardware/software smart systems have been developed to process automatically the control and command Boolean program by starting from a traditional relay hardware network layout or from a table wherein the operation conditions of the plant are encoded in the shape of lists of state variables and state commutation variables, the so-called condition table.
At present the validation, i. e. tests, are directly made on the plant. However, this is a serious drawback firstly because an operating plant is actually required to which the control and command logic has to be applied. This causes great problems due to great prolongation of time for definitive installing a railway plant, since in addition to time for actual structural installation, such as line laying, and the hardware installation of operating units, it is necessary to make long validation phases of the command logic thereof.
To solve this problem, at least partially, software programs for validating command software logics have been provided, i. e. Boolean engines for controlling and commanding the station plants, that process individually and in parallel the same command and control logical engine by means of at least two generation programs of the control and command logical engine, starting from the same basic information about the system structure and the operation modes thereof.

Two command and control logical engines are therefore generated and are therefore compared, whereas the validation is based on diversity criterions of the programs generating the two logical engines which are considered correct in case of functional identity basing on said diversity of the two generating programs. Such validation or certification mode does not meet fully considerations that are made from the security perspective of the plant operation and so the control and command logical program that has been obtained is always subjected to a deep validation directly on the plant. The certification or validation mode by means of the diversity criterion of the software generating the command and control logical program lacks an interface with the plant. Therefore, even in this case of software certification and validation, such defect influences again the time for fabricating the plant in operation condition and the time for developing and setting up both the control and command logic and the plant itself. The situation becomes more serious considering not only the installation of a new plant, but also the modification of an existing plant. In such case certifications and validations made on field influence railway traffic that pass anyway and must continue to pass on railway lines already existing. Therefore times are smaller and working conditions are more critical both for the difficulty in working on a plant in use and for the considerations about traffic security that cannot be interrupted except for short periods.
Therefore, the purpose of the invention is to provide a device as described hereinbefore that allows to overcome the drawbacks existing at present and described above. The invention attains the above purposes by means of a device as described hereinbefore, wherein a software simulation program of the plant is loaded or loadable in the computer memory and is executable by the computer itself, which simulation program must be controlled and commanded by the control and command logical program and which simulation program faithfully reproduces the plant structure and the operating modes of operating units provided into said plant.
The simulation of the plant structure and of the operating units associated thereto, such as track circuits to detect the presence of the train, switch points actuators, signalling actuators and other different units is represented in the simulation program by Boolean algorithms, variables associated to said algorithms being univocally defined to represent control signals of the several state or operation conditions of various operating units and the command signals for commutating or maintaining state or operating conditions of said various operating units.
In a first embodiment the image of the plant behaviour under examination of the control and command logical program is displayed in the shape of variable lists univocally associated to the several operating units. In such case, the program displays or allows to display report files wherein the several operating units and the associated state or command variables are listed. Advantageously, the simulation program allows the user to set starting operating conditions of the plant and/or setting situations even anomalous of the plant operating units to verify the plant reaction to these conditions.
According to a preferred embodiment, to each plant operating unit and/or to each relevant structural element can be associated univocally a virtual image of the operating unit and/or of plant structural element, which image is generated by means of a graphic program loaded, loadable and/or executable by the computer of the device according to the invention. The virtual image is univocally correlated to the logical program for generating the operating unit or the plant structural element, the graphic program for generating the virtual image of each operating unit being such to generate various graphic aspect conditions of the operating unit, each of them is univocally correlated to a predetermined value of variables relevant to the operating condition of the operating unit itself and/or of command variables for commuting or maintaining the operating state of the operating unit.
According to a further aspect of the invention, the operation of the control and command logical program is additionally in parallel or alternatively represented in the shape of behaviour of the equivalent command hardware logic composed of a relay network, an operation simulation program of relays and an operation simulation program of the relay network being provided, as well as graphic programs representing relays univocally associated to each program for simulating relays and to program for graphically displaying the relay network.
Also in this case, as in the case of operating units, each relay is simulated by means of a logical program of the Boolean type, single state conditions of the relay and/or the commutation commands being represented by state or command variables and graphic programs being such to associate various relay graphic aspects univocally correlated to values taken by said state or command variables.
By means of what said before, the device according to the invention allows to execute the validation or the certification of the control and command logical program of the system on the base of a true and reliable software model of the real plant with evident advantages in relation to certification and validation systems used at present. The two levels for displaying the functional behaviour of the plant, in the shape of report file displaying values of state variables generated by programs processed by simulation logical programs of operating units and in the shape of graphic representation of the operating condition of operating units allow to check in details the operating units of the plant and therefore the operation modes thereof both in an analytic way and in a direct visual way of the physical operation condition.
A further alternative allowing the display of the command and control logical engine in the shape of traditional relay network allows to check the engine operation according to the traditional hardware logic providing an additional visual check means. However, also in this case it is possible to display physically the aspect modifications of relays relevant to the operating condition, as well as to display analytically the state and command variables analogously to what said for the operating units. It will be noted that the graphic representation of the Boolean command and control logic, in the shape of traditional relay network, allows to check visually the internal operation of said logic, therefore making simpler the identification of errors inside the logic itself and not only on the base of wrong commands sent to operating units. Therefore it is displayed not only the situation of output variables and input variables to the control and command logic engine, but also the situation of modifications to which said variables are subjected during the processing from input to output.
Additionally, the provision of an interface for setting particular operating conditions of the plant or anomalous conditions allows to check the plant reactions with reference to different operating environment. Such settings can be executed by the personnel by imposing specific state conditions to various operating units at the beginning of the execution cycle of the control and command logical engine, being possible, by means of a suitable scheduling, to provide also conditions wherein one or more operating units are non-operating or operating in an anomalous way. It is easy to notice that in the case of the present invention it is possible to program or configure images and/or state and command variable lists of virtual operating units corresponding to the desired or proper operation or state condition of the plant in conjunction with a predetermined operation situation. In such case, by providing such nominal graphic images and such nominal values of state and command variables of virtual operating units it is possible to make not only the direct and visual verification of a proper operation but also an automatic verification based on the comparison between the nominal image and the table or the nominal list of state and command variables desired and previously scheduled and the image and the state and command variables effectively processed in the moment of operation of the control and command logic with the virtual model of railway plant, an error message being sent in case of non-identity. During this automatic verification the operating unit that assumed a wrong condition and the relative state or command variable/variables can be displayed graphically and analytically.
Such mode can be extended also to the simulating representation of relay network, indicating the relay or relays that have not been commutated in the right condition and the relative state or commutation command variables. As a further development it is also possible to provide automatic means that correct the control and command logical program on the base of possible corrections made by the user to the state or command variables modified manually in the presence of a state or command error of a virtual operating unit or of a relay in the corresponding command logical circuit constituted of the virtual model of relay network. In this case, modification interventions both of alphanumeric type made on report files of state or command variables, or interventions for modifying graphically the aspect of the operating unit or relay corresponding to the state of said operating unit or said relay are interpreted by a correction program that analyses the values of state or command variables set manually to correct wrong values, analyses the control and command logical program and modifies the code to commute the operating unit or the relay in the correct state condition when the operation condition occurs with which the control and command logical program had previously generated the error.
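The automatic verification described above (nominal state and command variables compared with the values actually computed when the control logic runs against the virtual plant, with the deviating unit reported) can be sketched as follows. This is an added example, not code from the patent: the toy plant, the variable names, the `pt_stuck` anomaly and the seeded defect in `logic_faulty` are all constructed for illustration.

```python
# Added example, not code from the patent. The toy plant (one track circuit,
# one switch point, one signal) and every variable name are constructed.

# Default state variables of the virtual wayside equipment.
BASE = {"route_req": False, "tc_clear": True, "pt_normal": False,
        "pt_reverse": True, "sig_proceed": False}

def logic_ok(s):
    """Control and command equations: state variables in, command variables out."""
    return {
        "cmd_pt_normal": s["route_req"] and s["tc_clear"] and not s["pt_normal"],
        "cmd_sig_proceed": (s["route_req"] and s["tc_clear"]
                            and s["pt_normal"] and not s["pt_reverse"]),
    }

def logic_faulty(s):
    """Seeded defect for the demonstration: the signal equation drops tc_clear."""
    cmds = logic_ok(s)
    cmds["cmd_sig_proceed"] = (s["route_req"] and s["pt_normal"]
                               and not s["pt_reverse"])
    return cmds

def plant_step(state, cmds, anomalies):
    """Boolean simulators of the wayside equipment: apply one cycle of commands."""
    new = dict(state)
    # A stuck point ignores its command (anomalous operating unit).
    if cmds["cmd_pt_normal"] and "pt_stuck" not in anomalies:
        new["pt_normal"], new["pt_reverse"] = True, False
    new["sig_proceed"] = cmds["cmd_sig_proceed"]  # aspect follows its command
    return new

# Constructed condition table: starting conditions, anomalies, nominal result.
CONDITION_TABLE = [
    {"name": "route over free track",
     "initial": {"route_req": True}, "anomalies": set(),
     "nominal": {"pt_normal": True, "sig_proceed": True}},
    {"name": "track occupied",
     "initial": {"route_req": True, "tc_clear": False,
                 "pt_normal": True, "pt_reverse": False},
     "anomalies": set(),
     "nominal": {"pt_normal": True, "sig_proceed": False}},
    {"name": "point stuck in reverse",
     "initial": {"route_req": True}, "anomalies": {"pt_stuck"},
     "nominal": {"pt_normal": False, "pt_reverse": True, "sig_proceed": False}},
]

def run_scenario(logic, scenario, cycles=3):
    """Impose the starting conditions, then run logic and plant cyclically."""
    state = {**BASE, **scenario["initial"]}
    for _ in range(cycles):
        state = plant_step(state, logic(state), scenario["anomalies"])
    return state

def verify(logic, table=CONDITION_TABLE):
    """Return (scenario, variable, nominal, actual) for every non-identity."""
    errors = []
    for sc in table:
        final = run_scenario(logic, sc)
        for var, want in sc["nominal"].items():
            if final[var] != want:
                errors.append((sc["name"], var, want, final[var]))
    return errors

if __name__ == "__main__":
    for name, logic in (("logic_ok", logic_ok), ("logic_faulty", logic_faulty)):
        for err in verify(logic) or ["no deviation from the condition table"]:
            print(name, err)
```

The defective equation passes the fault-free scenario and the stuck-point scenario and is caught only by the occupied-track row, which is why the nominal table has to include abnormal starting conditions and not only the proper operation of the plant.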
It is also possible to memorize areas of the virtual station plant and the relative parts of the control and command logical program having typical plant structures that are recurrent in various station plants, to load and reuse both programs of Boolean simulation, and graphic display programs as well as parts of control and command logical programs in new station plants having identical station areas. The hardware/software structure of the device according to the invention allows to extend the validation and the certification even to a validation and certification system based on the diversity of the program for generating the control and command logical program, for example a so-called Boolean algorithm checker.
It is possible to provide several possibilities. A first of these possibilities is to provide an additional program for generating the control and command logical program object of validation by the device that works according to a code different than that used for generating the control and command logical program during the validation. The control and command logical program generated by the checker may be compared with the control and command logical program during the validation to notice the identity between the two control and command logical programs. In addition or alternatively the control and command logical program generated by the checker may be subjected to the certification or validation by means of the device described above and the results may be compared to those obtained during the validation or certification of the first control and command logical program. In this case the comparison verification is made on state and command variables of operating units and relays of the relay virtual network both from a numeric perspective and from a graphic perspective. For example an overlapping of graphic images of the plant state conditions may be supposed which are obtained with the two control and command logical programs. With this overlapping of the image of plant state condition the possible differences are graphically highlighted or directly catch the user's eye.
The two modes described above may be made alternatively or successively one with respect to the other, the modification of the succession sequence of the two different comparison modes being also possible. By making first the comparison relevant to the plant conditions obtained by the two control and command logical programs it is possible for example to identify better the parts of the program wherein the comparison operations and so the possible correction operations thereof or the debugging enquires (error detection) may be limited. It is possible to make the certification based on diversity in addition to the control logical program even to the logical programs for simulating the single operating units and the plant structure as well as to logical programs for simulating relays or the relay network and in case this certification action based on the diversity of the generating program may be extended also to programs for graphically representing operating units or relays.
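The comparison for functional identity between two diversely produced forms of the same logic can be illustrated with the relay-network representation discussed earlier. In this added example (not code from the patent) the nested-tuple encoding of the relay network, the signal circuit, and both Boolean equations are constructed; `equation_b` carries a seeded divergence.

```python
from itertools import product

# Added example, not code from the patent. Constructed relay-network encoding:
#   ("NO", var)       normally-open contact, conducts when relay var is energised
#   ("NC", var)       normally-closed contact, conducts when var is de-energised
#   ("SER", a, b...)  branches in series;  ("PAR", a, b...)  branches in parallel

# Constructed circuit feeding a signal relay: route requested, track clear,
# and the point detected in exactly one position.
SIGNAL_COIL = ("SER", ("NO", "route_req"), ("NO", "tc_clear"),
               ("PAR",
                ("SER", ("NO", "pt_normal"), ("NC", "pt_reverse")),
                ("SER", ("NO", "pt_reverse"), ("NC", "pt_normal"))))

def conducts(net, state):
    """Simulate the relay network: does current reach the coil in this state?"""
    kind = net[0]
    if kind == "NO":
        return state[net[1]]
    if kind == "NC":
        return not state[net[1]]
    branches = (conducts(b, state) for b in net[1:])
    if kind == "SER":
        return all(branches)
    if kind == "PAR":
        return any(branches)
    raise ValueError(f"unknown element {kind!r}")

def contacts(net):
    """Collect the names of all relays whose contacts appear in the network."""
    if net[0] in ("NO", "NC"):
        return {net[1]}
    return set().union(*(contacts(b) for b in net[1:]))

def equation_a(s):
    """Boolean equation as a first generating program might emit it."""
    return s["route_req"] and s["tc_clear"] and (s["pt_normal"] != s["pt_reverse"])

def equation_b(s):
    """Diverse version with a seeded divergence: OR where exclusive-OR is needed."""
    return s["route_req"] and s["tc_clear"] and (s["pt_normal"] or s["pt_reverse"])

def differences(net, equation):
    """Exhaustively compare network and equation; return the disagreeing states."""
    names = sorted(contacts(net))
    diffs = []
    for values in product([False, True], repeat=len(names)):
        state = dict(zip(names, values))
        if conducts(net, state) != bool(equation(state)):
            diffs.append(state)
    return diffs

if __name__ == "__main__":
    print("equation_a:", differences(SIGNAL_COIL, equation_a))
    print("equation_b:", differences(SIGNAL_COIL, equation_b))
```

The two forms disagree only when both point detections are energised at once, an anomalous equipment state that a test limited to normal operation would never exercise.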
In a further embodiment, the Boolean checker is composed of a parallel device for verifying the control and command logical program of the railway plant by simulating the plant itself, which checker comprises a check or test program and the simulation programs of the railway plant developed according to diversity criterions, i. e. by other generating or writing programs and such checker makes the same certification of the device according to the invention, that is the first checker device, on the same control and command logical program, the results of the two parallel tests being compared and from this comparison information or error messages are generated depending on the result of the test if it is equal or if it has diversities.
In the field of the device according to the invention a design program is included, i. e. for generating the Boolean code and the program for graphically representing the wayside equipments. While the device of the present invention is based on traditional or substantially traditional processing systems, it should be noticed that actually it is a technical device constituting substantially a virtual simulator of the real plant structure and so it has advantages and technical effects. The choice of software means is based on the fact that the command logic is a software too, whereby the implementation by means of a software means is the best solution. It should be noticed also that the device according to the present invention may be provided with a suitable network interface and it may become a non-vital node of the railway plant by means of which it is possible to modify easily the command and control logical program and to overcome virtually the same, for example in the case of a structural modification of the station railway plant, such as the removal of a line or the addition of a line with the corresponding operating units.
Moreover the device according to the invention as a node network connected and interfaced with the railway plant may have supervisory or diagnostic functions of the correct operation of the real railway plant, because it is easy to make a comparison between the state condition that has been assumed by the real plant and the one assumed by the simulated plant by providing the device with the same input variables of the real plant for the control and command logic. Such comparison may be made analogously to the comparison of the plant conditions obtained with the two control and command programs as described before for the additional validation or certification based on diversity criterions.
By means of the device according to the invention, since it is a node that is part of a control and command system of a station plant, it is possible for example, in emergency event, to simulate various possibilities for intervening and commanding the plant to realize, on the plant itself, the choice that offers the best solution among the possible choices. Advantageously the device according to the invention comprises a program for executing the simulating functions with a user interface of the type used by Windows® program of Microsoft Inc. and that therefore comprises operating windows with function buttons, quick choice menus and other functionalities typical of said interface, in addition obviously to the use of mouse or of other pointing means, to selection and input of commands and the keyboard to input numerical, alphanumerical data and/or numerical or alphanumerical commands, such as to create and modify the graphic images of operating units and/or of relays or of other parts of the plant structure. This makes the actions very simple and easy for the employed personnel by creating an interface between the computer and the program and the user that is very known and of large employment.
Further features and improvements of the device according to the invention are subject matter of the dependent claims. The features of the invention and the advantages derived therefrom will appear more clearly from the following detailed description of some embodiments by way of a non-limiting example illustrated in the annexed drawings, in which: Fig. 1 schematically shows a device according to the invention in the shape of a computer or a personal computer and the possible remote connections.
Fig. 2 shows a flux diagram of the functional test made by the device according to the invention.
Fig. 3 shows a schematic diagram of the internal functions of the device according to the invention.
Fig. 4 shows an example of a display window of the system graphic layout, particularly of the station or the station region simulated by the device during test function of a command and control logical program of a railway system.
Fig. 5 shows two details of toolbars and instruments of starting windows for carrying out the verification by means of the device according to the invention.
Fig. 6 shows an example of windows that are displayed when the complete simulating and test program is loaded and wherein a control window is opened for the dev pi equipment.
Fig. 7 shows an example of a window for the add and modify selection of simulating programs of system operating units, particularly wayside equipment.
Fig. 8 shows an example of a window for the interface specification of each operating unit or equipment simulator defined by fig. 7 window.
Fig. 9 shows an example of a window for executing the specification function of the behaviour of the operating unit or of the equipment in relation with the virtual model composed of the Boolean simulator that describes it.
Fig. 10 shows a table for describing values that can be assumed by variables in truth table and the above table.
Fig. 11 and fig. 12 show drop down menus that can be activated by the specification window of the behaviour of the operating unit or of wayside equipment according to fig. 10 to execute particular specification functions of said behaviour.
Fig. 13 shows an example of a window for selecting graphic aggregates.
Fig. 14 and 15 show additional windows to execute functions for modifying or adding graphic aggregates accessible by buttons of the window for selecting graphic aggregates according to figure 13.
Fig. 16 shows an example of a window to execute the state and colours specification of graphic objects.
Fig. 17 shows a window for selecting and loading a "Condition Table".
Fig. 18 shows a structure table of a "Condition Table" file.
Fig. 19 shows an example of "Condition table" file.
Fig. 20 shows an example of "Simulation Commands" window.
Fig. 21 shows an example of a window for managing simulation commands accessible by quick button or menu command in the window according to figure 20.
Fig. 22 shows an example of a window for selecting the variable value accessible in the window according to fig. 20 by quick button or menu command.

Fig. 23 shows a window for displaying Boolean equations of the control and command program.
Fig. 24 shows a window for displaying the equivalent circuit of a Boolean equation of the Boolean equation system composing the control and command program during the test step.
Fig. 25 shows an example of a window for displaying the circuit of a simulated equipment.
The annexed pages A1, A2, A3, A4 show an example of a test according to the tool for executing automatic test and include the report file of said test.
Referring to figure 1, the device according to the invention consists of a function simulator of one or more systems that are composed of a station apparatus with a vital computer with regard to test of the command and control application logical program which is implemented as a group of Boolean equations. The device is formed as to simulate a station apparatus with a vital computer in all its operating conditions.
In traditional systems for commanding and controlling railway plants, the application logic for operating the system is in the shape of a relay network. Lately, with introduction of computers more and more reliable and steady, application logic of the plant has been replaced by a command and control logical program which is executed by a computer. The program is comprised of a group of Boolean equations that cyclically read the state conditions of a plurality of operating units, the so-called wayside equipments, such as track circuits for detecting the presence of trains at predetermined line lockings, signalling devices, switch points, etc., and basing on said conditions, coded in the shape of state variables, the Boolean equations compute or define new output state variables that constitute commands for commuting the state or for maintaining the operating state of operating units for the adjustment to conditions represented by the input variables.
The group of Boolean equations has to execute the computation of the state conditions of wayside equipments in a way corresponding to predetermined operation modes that are coded in functional behaviour tables of the plant, so-called condition tables. The device according to the present invention has to emulate the functional behaviour of a railway plant, that is a vital computer railway apparatus. Such emulation allows to verify the control and command logical program expressed by the formalism of the Boolean equation system as if the verification is executed on the real plant itself. And this occurs both when the plant is in correctly operating conditions and when there are anomalies of one or more wayside equipment.
The device according to the present invention as shown in figure 2 includes a computer memorizing a test and simulation program and has interfaces to data and/or commands inputting means, display means, connecting means to remote apparatus, such as the station apparatus with vital computer, remote computers for executing collateral procedures and so on. The emulation program includes several routines and in particular a routine to execute the Boolean equations that compose the program itself; a routine to configure input or initialization variables of Boolean equation system, that is the setting of operation backgrounds of the plant; a routine to display the graphic image of the plant and of operating units included therein and which provide an image of operating units that is different for each of the operating states that can be assumed by the operating units or wayside equipment and which graphic image is univocally connected to said state or said operating condition of the wayside equipment, as well as to other collateral routines that complete and simplify test actions. The plant simulation occurs by generating a virtual model of station plant wherein the operating and/or structural elements of the plant are univocally identified and whose functional behaviour is restored by Boolean equations.

The physical structure of the system is defined by associations of said structural or operating units that describe and/or display the respective arrangement in the plant diagram and define which operating units have to work together. As it will be noticed more clearly below, the operating units, i. e. wayside equipments, are described by output state variables so-called control and that describe the operating condition of the unit or wayside equipment and by variables for maintaining and/or modifying the input state that indicate if the operating unit has to change state or not and towards which state the transition has to occur. To generate the virtual model of the railway plant, the device according to the present invention provides not only the simulation of the functional behaviour of wayside equipments in the shape of logical program in the form of Boolean equations, but also the graphic representation of the wayside equipment. Such graphic representation comprises several predetermined graphic aspect options of the wayside equipment, each of them corresponds univocally to an operating state thereof and is associated to one of the predetermined values that are assumed by the state variables of the simulation logical program of the wayside equipment or to a predetermined value combination of two or more state variables provided by the simulation logical program of wayside equipment. Obviously, the graphic aspects of the wayside equipment will be schematic reproductions of the wayside equipment aspect and the several aspects corresponding to the several operating conditions of each equipment are different one from the other so as to reproduce as much as possible the real modifications of the aspect of wayside equipment in various operating conditions.
Advantageously the device according to the invention may also comprise tools for modifying and/or generating simulation logical programs of wayside equipments and/or of the graphic aspect for representing said equipments in various operating conditions. These can be memorized and then recalled as generic routines that assume a specific and unique role in a predetermined plant diagram by means of defining univocal identification names and univocal relations or functional associations with other wayside equipments or other structural elements of the plant as well as with corresponding arrangement relations in the space regarding the placing thereof in the graphic representation of the plant. Obviously, as results from figure 1 the plant can operate also in direct combination with units generating the control and command logical program and/or with the real vital computer station apparatus and the real railway plant, being a non-vital node of a connection network with said units. Therefore, referring to figure 3, the device substantially is a workstation based on a personal computer. Advantageously the preferred operating environment is the Windows NT® environment upon which the specific device simulating software is set up. Said choice of the operating environment is an advantage as the Windows NT® environment and its basic functionalities are broadly known. Therefore the operating environment is structured as to display several work windows, comprising the station or plant diagram, while the user is working on configuration and/or control elements of the simulation device itself. By means of one monitor and preferably two monitors the user can see directly the selected functions or set actions, as the main simulation logical program and the graphic management program interact therebetween.
The auxiliary display is controlled by the desktop extension functions already provided in the Windows® environment. The software of the device is made as a typical Windows® application and therefore it employs typical tools of the operating environment. Here the specific sphere of all the possibilities and of the window structure of Windows® is not considered since this is part of a basic common and widespread knowledge. To execute the checking by means of simulation with the device according to the invention it is necessary to make several starting activities comprising the following steps: generating the graphic descriptive file for check means; checking said graphic file; generating Boolean equations whose system is the core of the control and command logical program; possible generating of the conversion table; possible generating of the coded condition table; possible generating of text files so-called batch commands.
The checking activity of the command logical program uses check means that are generally known. The check program by means of railway plant simulation comprises the following data: File with Boolean equations that describe a station or an area to be checked; Graphic files of the station or stations or area or areas to be simulated; Possible files containing the conversion table; Possible files containing condition table and possible text files containing batch files.
As the result of test is provided an output report file that can be used by the user and/or memorized. During the test execution, the dynamic operation of the railway plant may be controlled both real-time and in case later and this by means of the display of alphanumeric messages or of state variable values and by means of the graphic representation of the plant itself. The starting of the working session may comprise the generation of a new project or the loading of projects already started. If it is a new project one or more stations or plant areas have to be selected to use in the simulation.
After the loading and/or the generation of the project data it is necessary to provide the device configuration. The activities to be executed to make the test by means of railway plant simulation are: setting of a system cycle time; definition of suffixes for each kind of wayside equipment, definition of simulators of wayside equipments, the possible addition of area to be controlled, association of equipment simulators to variables; definition of colours and states that the drawing objects can assume, assignment of states and colours to the drawing objects.
As already said, there is also a command that operates directly on the graphic diagram of the station or of the plant area to define equipment states and objects colours. It is possible to activate control windows by selecting windows or objects to be inserted in windows and/or to activate the command bar if it is not already active. Obviously it is possible to make tests and save the current state of the project. To this end, it is convenient to make savings as the simulation situation evolves, saving always with different names so as not to overwrite the old configuration. Each configuration is re-loadable to start a new simulating step. During the simulation it is possible to execute configuration batch files corresponding for instance to different operation or configuration background of the plant or to different commands. The device can be completely managed by a remote workstation by means of a command and remote connection module, particularly by means of network protocol and more preferably by means of TCP/IP protocol. The user may end the check process by simulation at any time without losing the work already carried out, by saving the project. Project means all files generated before the test process and all files generated during the configuration and simulation steps thereof.
Figure 4 shows an example of a screen showing what appears on a monitor during a test execution.
The first screen that appears by starting the system is substantially similar to that of figure 5. A window wherein the top 10 allows to manage the application is opened, whereas the window 11 is the command bar for the simulation. This second window can be shifted by highlighting the top band and dragging it in a location useful for the user. Directly below the main command line 110 (file, views, etc.) a quick button bar is displayed to activate quickly some commands.
The meaning of buttons will be disclosed in sections that deal with the command itself.
Moreover a help command or button is provided which activates a help menu by which it is possible to enter or consult a guide file. The guide can be of interactive type or on line analogously to the Windows® environment. Analogously to this environment once activated the command, a window of the guide appears from which it is possible to select display, printing options and so on.
File command in the command bar 110 allows to start a new project or to open an existing one, to save the current project and to save the current project and exit the application. The command options of file command are accessible by means of a typical drop-down menu which lists all the command options and it is possible to select the desired command therefrom.
Some or all the commands can be personalized and transformed by creating a routine in any kind of quick activation buttons.
Quick button 210 allows to start a new project, in order to define the whole background of a simulation, that is to define the stations to be examined, control windows which are desired to be activated, variables to be displayed, display modes, as for example the window aspect, colours, intermitting colours, displays with numerical wave-forms or of other kind. If a project is already loaded in the device, the user is asked to save or eliminate the project by a communication window having command buttons for executing the above several options. In order to save a loaded project it is possible to use the corresponding command of the "File" menu or to use the save quick button indicated at 410.
When loading, the program controls syntax and semantics of configuration files and of graphic drawing file of the plant, of the areas thereof and of wayside equipments. Moreover, the simulator modules are identified, i. e. simulation programs of operating units, i. e. of wayside equipments and graphic display modes of wayside equipments or operating unit states, such as colours of graphic objects of the drawing. When said files include an irreparable error, the device does not load the file that has errors. Errors are listed in a summary box of a window displayed for each plant, station or plant area. The finishing function is ended when the operator sends a confirmation and the result of loading is the opening of two windows 10 and 30 as shown in figure 6. In addition to the main window 10, is generally displayed even the control window 30 and the graphic layout of the plant or of the station or of the loaded area.
The loading of a project provides displaying of following data: Name of the plant or of the station or of the area, number of variables which are included in equations describing the plant or the station or the area, number of Pterm, i. e. product terms obtained in the Boolean equations, of the plant, or of the station or of the area, the variable covering, i. e. the percentage of variables processed with the proceeding of the simulation and the covering of Pterm, i. e. the percentage that has been processed with the proceeding of the simulation.
The quick button 510 provides the closing function of a project. Project management menu that is accessible from the command bar 110 of window 10 makes available two commands that are Add Station/Area and Cancel Station/Area commands. To these commands quick command buttons are associated which are indicated at 610 and 710 in the quick button bar.
Add Station/Area command or the corresponding quick button 610 allows to add a new station or a new area to the project that is already loaded in the memory. A dialogue window is displayed for specifying the Station/Area. The user can specify filenames belonging to the station or to the area that the user must type in a field of the dialog window. Instead of typing the name, the user can use a searching means which is accessible by means of a searching button. In this case a window is opened wherein saved stations or areas are displayed. With pointing means, the user can select and load the desired stations or areas among these in the list. It is also possible to select the format of graphic files that contain the station or area graphic drawing for example a CAD or TGIF file type.
By the "Layout" button the user can specify the particular files constituting the station or area graphic drawing. Depending on the drawing format, a dialog window is opened to specify the corresponding station or area. In the predetermined field the user can indicate the drawing filename for example in CAD format. An auxiliary CAD file field allows to specify a file containing further graphical symbols to be naturally joined with the CAD drawing. When the selection ends, the program loads the station or zone configuration file and the station or zone drawing files. During the loading, files are syntactically and semantically controlled. If files have irreparable errors, the system does not load files containing errors. The program lists errors in a summary box. If a serious error occurs in the configuration definition file, the station or the area will not be made in the memory. If the loading is properly ended, the station or the area is made in the memory and the graphic drawing appears on the screen. It is possible to execute the action of eliminating a station or an area from the project by means of Cancel Station or Area command or by means of the corresponding quick button 710. The command bar 110 provides the additional "configure" command. This command provides the possibility of choosing between several options in a menu. A first option is the cycle time definition command. Even for this command a quick button is provided indicated at 810 in figures 5 and 6.
The logical program for controlling and commanding a railway plant, particularly a vital control station apparatus, executes the reading of control signals provided by wayside equipments and the sending of command signals according to a cyclic operation. Typically the whole transmission and processing reading cycle is executed in about 500 ms. In each cycle the Boolean equations which formed the control and command logical program are recalculated. In the program of the device according to the invention, the user can set any cycle time corresponding to a real number. To this end, the quick button 810 or the menu command cause the opening of a window for setting the cycle time wherein it is possible to specify a cycle time.
The "Configuration-Modification Suffixes" command allows to determine the suffixes. It is an important action since suffixes determine the behaviour and the semantic meaning of Boolean variables in the system configuration file, that is equation file. A wrong suffix definition may cause an irreparable error during the processing of the system definition file and this error disables the management of corresponding stations or areas or wayside equipments, i. e. of operating units. Suffixes have to be defined in compliance with similar definitions included in the system definition file, that is in the data file from which system EPROM memories are programmed. Settings of suffixes are executed with the help of a dialog window.
It is possible to use a box for modifying the suffix to specify suffix name. The name can include block letters. A "Type" drop down menu comprises all possible types that are available and selectable. Suffix meanings are:

Input: It is possible to use variables of "input" type only on the right (element of a product term) of a Boolean equation in the system configuration file. When reference is made to a variable of "input" type on the left of a Boolean equation, the program points out an error during the system definition file loading.

Output: Variables of "output" type have to be used on the left of a Boolean equation only once. When reference is made to a variable of "output" type on the right of a Boolean equation or more than once on the left thereof, the program points out an error during the system configuration file loading.

Current cycle: It is possible to use variables of "current cycle" type on both sides of a Boolean equation. A reference to the variable is possible only once on the left and so many times as desired on the right of equations which are successively calculated in the same cycle. If the use of a variable of "current cycle" type does not comply with the above norms, the program points out an error.

Subsequent cycle: It is possible to refer to variables of "subsequent cycle" type on both sides of a Boolean equation. These variables may be placed on the right of an equation (term) at any time. If a reference has been made to such a variable on the left of an equation (result), it is no longer possible to use it on the right, i. e. in equations executed in the same processing cycle but calculated successively.

Shared input: The "shared input" variable type is similar to the "input" type, the only difference being that the program updates these input values by using suitable "shared outputs" of other areas or other equipments after each calculating cycle.

Shared output: The "shared output" type is similar to the "output" type, the only difference being that the program employs values of these outputs to update suitable "shared inputs" of other areas or other equipments after each calculating cycle.

Timed: The "timed" type is similar to the "current cycle" type. The difference is that the variable associated to the "timed" type will be true if the equation calculating it is true and the delay time that is specified for the variable is expired, starting to count when the starting equation becomes true. If the variable associated to the timer has been previously calculated as true and the equation associated thereto is now calculated as false, the value of the timed variable will go immediately to false without any delay. An equation used to calculate a variable of "timed" type must be preceded by the definition of a delay, as indicated before with reference to the command for setting the system cycle time. The program points out an error if a delay for an equation of a non "Timed" type has been specified or if an equation of "Timed" type is not preceded by a delay specification.

Blinking Output FLS: This type of variable is equivalent to the "Output" type. The equation that calculates the value of a variable of "Blinking Output FLS" type must be preceded by an equation calculating the value of a variable defined as "Output". If equations do not meet this condition, the program points out an error.
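The suffix rules listed above lend themselves to a mechanical load-time check of the equation file. The following Python sketch is an added example, not the device's own code: the suffix strings, the `Equation` record and the sample equations are constructed for illustration, and "preceded by" in the Blinking Output rule is read as the immediately preceding equation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical suffix table: the suffix strings are constructed for this
# example; the variable types are the ones listed in the text above.
SUFFIXES = {
    "_IN": "input", "_SI": "shared input",
    "_OUT": "output", "_SO": "shared output", "_FLS": "blinking output",
    "_CC": "current cycle", "_TM": "timed", "_SC": "subsequent cycle",
}
READ_ONLY = {"input", "shared input"}                        # right side only
WRITE_ONCE = {"output", "shared output", "blinking output"}  # left side, once
SAME_CYCLE = {"current cycle", "timed"}                      # calculated, then read


@dataclass(frozen=True)
class Equation:
    """One Boolean equation: lhs = sum of product terms over the rhs variables."""
    lhs: str
    rhs: Tuple[str, ...]            # variables appearing in the product terms
    delay: Optional[float] = None   # delay (seconds) preceding a timed equation


def var_type(name):
    """Return the type selected by the variable's suffix, or None if undefined."""
    for suffix, kind in SUFFIXES.items():
        if name.endswith(suffix):
            return kind
    return None


def validate(equations):
    """Check equations in calculation order; return (index, rule, variable) errors."""
    errors = []
    assigned = set()     # variables already calculated in this cycle
    prev_kind = None     # type of the previous equation's left-hand variable
    for i, eq in enumerate(equations):
        for name in dict.fromkeys(eq.rhs):      # each variable once, in order
            kind = var_type(name)
            if kind is None:
                errors.append((i, "unknown-suffix", name))
            elif kind in WRITE_ONCE:
                errors.append((i, "output-on-right", name))
            elif kind in SAME_CYCLE and name not in assigned:
                # readable only by equations calculated after its own
                errors.append((i, "read-before-calculated", name))
            elif kind == "subsequent cycle" and name in assigned:
                # once assigned, no longer readable in the same cycle
                errors.append((i, "read-after-assigned", name))
        kind = var_type(eq.lhs)
        if kind is None:
            errors.append((i, "unknown-suffix", eq.lhs))
        elif kind in READ_ONLY:
            errors.append((i, "input-on-left", eq.lhs))
        elif kind in (WRITE_ONCE | SAME_CYCLE) and eq.lhs in assigned:
            errors.append((i, "assigned-twice", eq.lhs))
        if kind == "timed" and eq.delay is None:
            errors.append((i, "timed-without-delay", eq.lhs))
        if kind != "timed" and eq.delay is not None:
            errors.append((i, "delay-on-non-timed", eq.lhs))
        # Assumption: "preceded by" means the immediately preceding equation.
        if kind == "blinking output" and prev_kind != "output":
            errors.append((i, "blinking-without-output", eq.lhs))
        assigned.add(eq.lhs)
        prev_kind = kind
    return errors


# Constructed sample: a well-formed equation list for one signal.
GOOD = [
    Equation("ROUTE_CC", ("REQ_IN", "TRACK_IN", "LOCK_SC")),  # LOCK_SC: last cycle's value
    Equation("LOCK_SC", ("ROUTE_CC",)),
    Equation("APPR_TM", ("ROUTE_CC", "TRACK_IN"), delay=2.0),
    Equation("SIG_OUT", ("ROUTE_CC", "APPR_TM")),
    Equation("SIG_FLS", ("ROUTE_CC", "FAIL_IN")),
]

# Constructed sample: the same variables with one rule broken per line.
BAD = [
    Equation("REQ_IN", ("TRACK_IN",)),              # input on the left
    Equation("LOCK_SC", ("ROUTE_CC",)),             # current-cycle read too early
    Equation("ROUTE_CC", ("LOCK_SC", "SIG_OUT")),   # stale read, output on right
    Equation("APPR_TM", ("ROUTE_CC",)),             # timed without a delay
    Equation("SIG_FLS", ("ROUTE_CC",)),             # no Output equation before it
    Equation("SIG_OUT", ("ROUTE_CC",), delay=1.0),  # delay on a non-timed type
    Equation("SIG_OUT", ("TRACK_IN",)),             # output calculated twice
]

if __name__ == "__main__":
    for index, rule, variable in validate(BAD):
        print(f"equation {index}: {rule}: {variable}")
```

Because the checks depend on calculation order, reordering two otherwise valid equations can turn a clean file into one that is rejected, which is why the validator walks the list once in file order.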
The command bar comprises an additional command called "Configure-Add equipment simulator". Analogously to other commands, also this command can be activated by a quick button indicated at 910 in figures. By this command it is possible to define a physical equipment or operating unit simulator. The definition of physical and logical equipment simulators consists in defining a model that is made in three steps: defining a name for the new simulator; interface specification; designing the behaviour. A window is activated, an example of which is shown in figure 7. The window allows the selection of simulator name. The name may be typed in a suitable box of the window. An add button allows the addition of the specified name to an existing simulator list and at the same time it opens a dialog window for defining interface and the window of the truth table for the new simulator. If simulators having the same specified name already exist, the program denies the action and it opens a dialog window with an alert text to inform the user. By a modify button the user can modify existing simulators. Modification function allows the modification both of the simulator name and the content. The program allows to modify more than one simulator at the same time.
For removing a simulator from the simulator list it is possible to use a cancel button which will remove the simulator whose name has been highlighted in a selection dialog box. As regards the simulator interface constituting the second step for defining each simulator, this is composed of a form set and of corresponding alias, types and functions. To specify the interface a dialog window for defining the interface is displayed as illustrated in fig. 8. The user can specify a form by using a "Modify" command button provided in said dialog window. This form is used to identify the variable right name during the simulator-variables association. A form can include parametric or constant components in arbitrary order and depending on the syntax of the form itself. The form definition is an obligated step. Alias is the form short name and it is used to identify the form in the truth table of the simulator. Alias name has to be defined in an alias box in the interface definition dialog window and this name specification is necessary.
The form type substantially describes variable rule which are represented by the form in the simulation. It is possible to select the used type with a "type" option box. The variables types are: Parameter: the parametric type variables represent the outside simulator interface. The equations of the vital computer station apparatus control the simulator by using these variables, if they are defined as "inputs". If variables are defined as "outputs" this means that they are used as equation input variables of the control and command logical program to determine and to update the system state.
Control: Such variables are used to control the simulator behaviour. These variables are associated to buttons to offer the user an interface that allows to modify the simulator behaviour during the simulation or to simulate possible failure situations. Control variables may have input or input/output attributes. The output attribute is not inhibited but it has no meaning in the case of control variables. Variables with "input" attributes are associated to a button that is pressed by clicking with the mouse and released with another click. If a variable is provided with input/output attributes both the simulator and the user can set the button state. For example the user clicks on a button to activate it and the simulator can release it after some action cycle. The form associated to the "control" type can include only constant components.
Local State: "local" type variables are used to memorize simulator internal states. That is to say that this kind of variables allow to define a sequential behaviour and not only a combinatorial behaviour. These variables are not visible from the simulator outside. These variables may have only input/output attributes. The form associated to the local type variable may include only constant components. Input and output attributes may be selected by using an "input/output" option box.
After having specified form alias, the type and "input/output" attribute, the user may add these information in the interface by an "add" button command. Both the specification of the alias and the specification of the form are obligatory and must be univocal. It is possible to modify the specified attribute group such as form, alias, type and "input/output" by a selecting action in the dialog window list and by using a "Modify" function button. Analogously it is possible to remove a specified attribute.
The third step for the simulator definition comprises the functional behaviour design. To this end the program is provided by a window with a truth table (see right side of fig. 9). This window is automatically opened when the user defines that the addition of a new equipment simulator is desired. The truth table is divided into two parts separated by a thick vertical line. The left part of the truth table represents the simulator current states, while the right part is the subsequent state. The table includes a column for each variable defined in the interface.
Variables with "input" attributes appear on the left, while variables with "output" attributes appear on the right. Variables with "input/output" attributes appear on both sides. The table header includes variable alias names. This representation allows to design both sequential and combinatory logic functions to model the simulator behaviour. If a user designs a sequential logic (i. e. a logic including "input/output" attribute variables), a Markov logic model appears on the left side. Circles represent logic states, while arcs are transitions. Positioning on arc arrows, the program displays the possible input states to start the transition and the output states set during the transition. The window structure is shown in figure 9.
In the case of a new simulator, the right side of the truth table includes "+" characters representing a not initialized state. The user can overwrite the values in the cells of the right side (outputs) by clicking on a cell with the mouse button. Practically this means to define that determined output state when input conditions appeared (left side of truth table). The table of fig. 10 sums up value meanings that can be assumed by each single cell of the truth table.
"+" value is a cell value not initialized. "X" value means that if said value is given to a cell on the right side of the truth table, in the same row even all the boxes of the left side will have "X" value. This means that the state identified by the corresponding row is not available. Practically this is a combination that is not admitted or used during the simulation. "0" value means that when input conditions in this cycle are verified, next cycle output will go to "0" value. Analogously the "1" value allows that in the subsequent cycle the output will go to said "1" value. In order to help the user the window offers further functions illustrated in figs. 11 and 12.
It is possible to enter functions not only by menu commands but also by quick buttons, as will be described hereinafter. Modify-Parameters command can be executed also by the quick button indicated at 20 in figure 9. This command closes the interface definition dialog window.

When the dialog window is closed it is possible to open it by clicking on said button or by using the command.
Modify-Copy command or the quick button indicated at 21 in fig. 9 allows to select and to highlight any square area of truth table using the mouse as selection and activation tool. The selected area can be copied in note file. Modify-Paste command allows to control the content of noted in a selected area. The selected area has to correspond in size to the area that has been memorised in notes. Other commands are accessible in this step. For example the user can modify colours whereon selecting, modifying character fonts or task layout fonts.
The Association function of equipment simulators to variables allows to associate the simulators defined in the system to a suitable variable group. Such function is activated by means of Device Configuration- Definition command or by means of the quick button indicated at 1010 in figs. 5 and 6. To create a link between a type of simulator and logic variables associated thereto the user has to specify the station/the area or the equipment to which it is applied, the type of simulator and the label of the wayside equipment or of the command to be simulated. To help the user it is possible to select these information by using option boxes of a dialog window.
Option boxes allow to load the name of the area, of the station or of the equipment already defined, the defined simulator type and, if there are loaded drawing files, the label included in graphic objects of drawings. Even if the program prompts the possible information, the user is free to type any desired string. Such possibility allows to specify simulators which will be realized later, to make reference to a non-loaded station and to specify the objects to be simulated which have no graphic representation in drawings.
The association between variables and simulator occurs during the project loading process that is made after pressing the close command. If the loading process is not capable to carry out the desired association, the program points out an error and displays a message into the loader dialog box. These association errors do not prevent the simulation, which can go on with valid associations. The identifying string may include one or more labels separated by a "." character. The identifying string has to correspond to forms defined in the interface of the associated simulator. The program prevents the multiple definition of a descriptor by displaying a proper error message.
The definition of colours and states of the drawing objects occurs by means of the Layout Configuration command in Configuration menu or by means of the quick button indicated at 1110 in figs. 5 and 6. The state and colours of a graphic object that represent a wayside equipment, an area or a station, are determined by a variable group defined in the station/area configuration file. The variable group is described by using a form for each variable of the group. These forms are used to find variables during the step of assignment of state and colours to the drawing. As in the equipment simulator definition, it is possible to define the state and the colour of drawing objects in three steps: Type of graphic objects included into the drawing; Specification of interface, to be done for each element that has been added or modified during the preceding step (type of graphic objects); State and colour of the drawing objects, to be done for each interface of the preceding step.
Therefore the first step is the specification of graphic objects types included into the drawing. To this end by activating the Configuration-Configuration Layout command or by pressing the 1110 button, the program displays the dialog window illustrated in fig. 13. The user can type the name of new definition of graphic object in the "Type" modification box of the dialog window. The subsequent steps for defining the interface and for defining colours occur by adding and modifying elements. When the modification option is activated, by means of a correspondent button, two new dialog windows are opened shown in figures 14 and 15 respectively and which windows allow to modify or add graphic objects.
The interface specification occurs during the second step for defining the state and the colour of objects. The interface is a variable group to determine the current colour state of graphic objects. It is possible to define the variable group by using the dialog window illustrated in figure 15. The user can specify the variable name in the provided box by using the same syntax that has already been discussed. Analogously to what has been already described more times referring to other functions, the dialog window has various buttons among which the Add button. In this case, such button causes a routine to add the specified form into the variable form list. The program controls the form from a syntax perspective.
Moreover, the program removes the wrong form and sends an error message that is displayed in the message area. The program prevents using suffixes which are not defined in forms. After the interface specification, it is necessary to define the state and the colour of the drawing objects. The user can specify a state text, an outline or filling colour for graphic objects of the drawing by using the table of fig. 15.
The window which can be resized to the maximum screen size includes variable list (forms) of the first row (header). The table, as already said, is divided into two parts separated by a thick vertical line. The left side of the table includes state table that can be scrolled by the underneath cursor or individually if the state table is bigger than the window, whereas the right part includes coloured signalling and the associated text. The user can specify form states by clicking on a cell with the mouse, the program displays a summary box for selecting the cell value. Entries of state summary box are: "0": this entry sets the variable form on false.
"1": this entry sets the variable form on true. "X": this entry removes the whole row containing cells that have been activated by the mouse. It is possible to add a new row to the definition table by clicking with the mouse on a cell of the first empty row in the state table. In this case, the program displays the same above state table, but the selected "0" and "1" values are used to initialize the whole row. If the row has been initialized it is then possible to set the desired values for each cell of the row as described above.
On the right side of the window are indicated the selected colours for the signalling. It will be noted that each box is a square with an internal colour and an outline or frame colour, both colours being alterable. For each row that has been filled in the table, it is possible to define a colour for outlines, a filling colour and a state indication text. After having defined a row, the program assigns the predetermined colour and state and displays the colours and state into the two columns on the extreme right of the table. The predetermined outline colour is intermittent light grey, whereas the filling colour is intermittent dark grey and the predetermined state text is "no defined state".
It is possible to modify the outline colour by clicking on the thick edge of the colour definition square in a row. In the same way it is possible to modify the filling colour by clicking with the mouse on the internal square of the colour definition square. To modify colours a dialog box is displayed. Even the flashing attributes may be modified in an analogous way as herein described by using the mouse and clicking with the right button on the section that is desired to become flashing. The flashing is ended by repeating this action. It is also possible to modify the state text by clicking with the mouse on the text to be modified in the extreme right column of the table.
According to a further characteristic of the device of the present invention, the device may comprise means for connecting to a network for the connection to workstations or to other remote devices. The network can be realized according to various protocols. The network protocol that is generally used is the TCP/IP protocol because it is so widespread. The remote unit can be used to control the device and also to load and execute pre-existing simulation command files that have been previously written. Said command files, called "batch files", can also be loaded directly into the device by means of proper and known reading interfaces, as for example files that are stored on floppy disks, CD-ROM, or the like.
However, in both the above cases it is necessary that batch file commands are translated into a language that can be executed by the application of the device according to the invention. To this end a translation table, called the conversion table, is provided. It is written offline and must be loaded in the device according to the invention before executing the batch file or before executing the connection and the command from a remote workstation.
The condition table selection command allows a Condition Table to be selected by indicating its path. A dialog window is opened like the one illustrated in figure 17. The Condition Table file path can be written directly, or a search function can be activated by means of a "Search" button provided in the dialog window. When the Condition Table file is found, by selecting this file it is possible to confirm its loading by means of a function button provided in the dialog window.
Advantageously the Condition Table file is structured with a structure similar to that of Windows .INI files. Figure 18 illustrates the basis of this structure.
Fig. 19 comprises an example of a Condition Table file. In order to make the information intelligible to the Boolean equation system constituting both the control and command logical program to be tested and the logical simulators of the wayside equipments, of stations and/or of the areas, the condition table substantially includes the behaviour rules of the plant, that is, rules for assuming the several operating states of wayside equipments in predetermined operation conditions.
As already said before, the device makes it possible not only to check the final behaviour of the control and command logical program on the station or area reproduced by Boolean simulators, but also to check the internal behaviour of the equation system. This occurs by means of control windows, whose number can be defined by the user himself. The user can assign any desired variables to each single control window. The program of the device keeps a chronology for each variable to allow the user to recall the preceding states by using control windows. The tool used to define control windows is a tool called "Views". Such tool allows the opening of a menu that comprises various options. An option is the Add Control Window command. The command is also accessible by a quick button indicated at 1210 in figures 5 and 6. This command opens a new control window. For each new control window it is required to specify a name that must be univocal, and a new dialog window is opened for the name definition. A typical control window is illustrated in the figure, where it is indicated at 30. An open control window has a toolbar that serves to set the variables to be displayed and to move inside the chronology. Analogously to what has already been described in other cases, commands are always accessible alternatively by a choice in a drop-down menu or by means of quick buttons.
The Add Variable command or the quick button 130 allows the variables to be controlled to be selected. It is possible to pre-select variables to be displayed by using a search dialog window. The search dialog window provides various buttons that perform functions such as cancelling the selection, adding a selected variable, cancelling one or more variables and confirming the selected variables in the control window. A button is also provided for cancelling the current selection process.
By the Cancel Variable command or by the quick button 230, it is possible to remove a displayed variable from a control window. Even in this case, as in the preceding command, a dialog window is displayed to execute the command, and this window has buttons for activating specific functions such as Cancel, Cancel all, Close. The Display Wave/Numerical Form command or quick buttons 330, 430 allow the selection of wave or numerical display modes of the variable or variables displayed in the control window. Analogously it is possible to provide commands or quick buttons to scroll or browse among the various possible control windows that are defined by the user.
The Cancel Control Window command or quick button 1310 causes the cancellation of a control window. In this case a dialog window is displayed wherein all the opened control windows are listed and among which it is possible to select the control window or windows to be eliminated, the cancellation being possible by means of a "Cancel" button.
A further command is the simulation command named View Activation of command Bar. The command bar can be activated and disabled by this command that is available also as quick button indicated at 1410 in fig. 6. To give commands to the simulator, the program displays a control window that is illustrated in figure 20. The control window is composed of a toolbar for commands and an area for messages, to display commands and modifications during the simulation execution.
Quick commands in the form of quick buttons are available, and drop-down menu commands are also available for these commands, as already provided for other commands. By the Simulation Mode command the user can select various options in a drop-down menu. Among these options the following are important: Single cycle option, which can also be activated by means of quick button 40. This option allows the execution of a single calculating cycle. After the execution the program automatically updates the message window and/or the window or windows comprising the design/layout of the station or the area according to the new state.
Continuous cycle option accessible also by the quick button 41. In this case, the program starts to calculate in a continuous way cycle after cycle. During calculation, the message window and/or window/windows comprising the design/layout of the station are automatically updated.
Multiple cycle option. This option too can be activated by a quick button 42. It is possible to specify a certain number of cycles to be calculated continually. The number of cycles is specified in a dialog window wherein it is possible to indicate the desired number of cycles.
The calculation can be stopped at any moment by a stop command or a quick button 43. Finally there is also a batch command or a quick button 44, with which a batch file comprising an already made predetermined sequence of commands is loaded and executed. The batch file execution is similar to a macro execution. As already said before, batch file commands have to be translated by a conversion table and must have a predetermined structure. Batch files can be edited by means of a text editor such as Writer or WordPad®.
The Image File Generation command or the quick button 45 allows the current state of the simulation to be stored in a so-called "snapshot" file. The snapshot file is saved by the user command with a name suggested by the program and including the date and the current hour. The Reload Image File command or the quick button 46 allows a specific simulation situation to be restored by calling up a previously stored snapshot file.
Obviously, to select the snapshot file to be called up the program displays a dialog window wherein it is possible to select the desired snapshot file and open it. By a restart command or a quick button 47 it is possible to restart the simulation. After a restart all the equation system variables and the simulator are set to the value "0" and the cycle counter is reset. To start the simulation again it is necessary to execute a reset sequence of the normal state of the wayside equipment simulators.
The User Commands command opens a drop-down menu that gives access to the Commands Management and Variable Value Definition functions. The command management can also be called up with a quick button indicated at 48. By this tool it is possible to modify the simulator behaviour of each type of equipment (both physical and logic) by using the button associated to the control variables defined during the simulator configuration of equipments. To access the proper button the program displays the dialog window illustrated in figure 21. The list on the left of the dialog window includes the existing types of simulators. The user can display the simulators in the list of the dialog window by clicking with the mouse on the selected type. Simulators are identified by the first element of the identification strings that have been specified during the simulator-variable association described before. It is possible to call up control buttons by clicking with the mouse on the desired simulator and by pressing a "Control" function key.
Alternatively, by the user command menu it is possible to select the Variable Value Definition command. This command too may be activated by a quick button indicated at 49. This command or tool allows the variables used in the simulation to be set manually. To select the variable a dialog window is displayed like the one illustrated in fig. 22. The dialog window is very similar to the one used to select variables to be controlled. The selecting procedure is similar to that of "Control of variables". To set the desired or proper value it is possible to use two choice options located in the bottom corner on the right of the window and selectable alternately, "True/False".
The button indicated at 50 activates the remote connection procedure to a remote unit. According to a further feature and referring to figure 4, the state and colours of a graphic object in the layout of a station or of a zone or of a plant may be modified simply by clicking with the mouse on the graphic object in the drawing. The example that takes its cue from figure 4 uses the signal 05d circled in black and placed on the left side of the illustrated layout. The program displays a dialog window to set colours and state.
In this window a "label" field is provided containing the internal label of the graphic object extracted from the corresponding TGIF or CAD drawing file. The user cannot modify it. The content of this field is used to solve the parametric components of forms. An "Auxiliary String" modification box allows the parametric components of forms to be defined. Each parameter must be separated by the "," character. The parameter indexing starts with 1, referred to the elements comprised in the auxiliary string. The string specification is not obligatory.
Additionally it is possible to use an "alias" modification box to specify the alias name of the specified object. The alias name is used to replace the label extracted from the TGIF or CAD file when the program lists, in the command window, the objects that are changing their state during the simulation. In this modification box it is possible to input any character. The specification of alias names is not obligatory. The program prints the original labels in the command window when aliases are not specified. A "Type" list contains the colour and state tables previously defined. The user can select one of these. If the object already has a defined colour and state table, the list automatically highlights the current "type".
It is also possible to set the assignment for a graphic object by clicking with the mouse on a confirmation button. The setting of new colours and state occurs after the subsequent simulating cycle. If forms of a specific type cannot be found by using a specific label and the auxiliary string, the program sends an alert message and ignores the assignment. Analogously to other functions already described, the dialog window comprises or may comprise other function buttons with a Cancel button that allows to cancel the assignment or Cancel that allows to ignore the assignment.
Referring to a further advantageous feature, the device according to the invention may comprise also a function for executing different automatic test backgrounds both on Boolean simulator tool and on the tool used for the final functional test of the plant. Obviously, the execution of this function allows the opening of a window that allows to select commands, options or to select graphic or control objects, analogously to what previously described for other functions.
When the graphic interface constituted of said window is started, lists for selecting areas and types of equipment of the station plant are displayed together with the corresponding data relevant to the station under test. The user must select an element inside each list, i.e. an area and a type of equipment. The program then displays the values relevant to the equipment list of the selected equipment type of the selected area and the list of automatic tests which are available for the selected equipment type.
The user has the possibility of selecting one or more elements from the above lists, i.e. selecting one or more equipments, upon each of which one or more automatic tests can be executed. In each list, each selection causes the selected element to be displayed in the correlated lists. The correct selection of an area, equipment type, equipment label and test label respectively allows the execution of the test to be started by means of a "Launch Test" button. The user is asked to confirm the test execution in a dialog window. If the response is affirmative, the label of the current test and of the equipment that is the object of the test will be displayed in the text box identified as "execution test", while report messages will be displayed in another list of the graphic interface.
After starting an automatic test, the "Launch Test" button label changes to "End Test", giving the possibility to stop the automatic test at any moment. After the stopping of a test, the button label changes again to the "Launch Test" state. It is also possible to execute a single command individually.
An example of automatic test background is shown by the corresponding report file enclosed as pages A1 to A4. The test is called "switch points on route (on routing)". During the test the covered switch points of a route are first locked in the position opposed to the one expected by the route itself. Then the test background, by commanding it several times, checks that the route does not block until all switch points are free. It should be noted that the complete test execution provides a series of other actions that are not the subject of the present invention and that are not quoted for the sake of brevity.
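The "switch points on route" procedure described above can be sketched as follows. This is an added example, not code from the patent or its report file: the route R1, the switch names, the repeat count and both route-setting functions (one correct, one with a seeded fault that checks only the first switch point) are constructed for illustration.

```python
from dataclasses import dataclass

REPEATS = 3  # constructed value: route commands issued at each stage
OPPOSITE = {"normal": "reverse", "reverse": "normal"}
# Constructed route: covered switch point -> position the route expects.
ROUTE_R1 = {"SW1": "normal", "SW2": "reverse"}


@dataclass
class SwitchPoint:
    position: str
    locked: bool = False


def command_route(switches, required):
    """Hypothetical logic under test: lock the route only if every covered
    switch point is free, then throw and lock the switch points."""
    if any(switches[name].locked for name in required):
        return False
    for name, position in required.items():
        switches[name].position = position
        switches[name].locked = True
    return True


def command_route_faulty(switches, required):
    """Seeded fault: only the first covered switch point is checked, so a
    switch point still locked elsewhere gets thrown under its lock."""
    first = next(iter(required))
    if switches[first].locked:
        return False
    for name, position in required.items():
        switches[name].position = position
        switches[name].locked = True
    return True


def run_switch_points_test(logic, required):
    """Lock every covered switch point opposite to the route, then free them
    one by one, commanding the route repeatedly at each stage. The route may
    lock only at the stage where all switch points are free."""
    switches = {name: SwitchPoint(OPPOSITE[pos], locked=True)
                for name, pos in required.items()}
    names = list(required)
    report = []
    for freed in range(len(names) + 1):
        all_free = freed == len(names)
        attempts = 1 if all_free else REPEATS
        for attempt in range(1, attempts + 1):
            locked = logic(switches, required)
            ok = locked == all_free
            report.append(f"freed={freed} attempt={attempt} "
                          f"route_locked={locked} {'OK' if ok else 'FAIL'}")
            if not ok:
                return False, report
        if not all_free:
            switches[names[freed]].locked = False  # free the next switch point
    in_position = all(switches[n].position == p and switches[n].locked
                      for n, p in required.items())
    report.append(f"final switch_points_in_position={in_position}")
    return in_position, report


if __name__ == "__main__":
    for logic in (command_route, command_route_faulty):
        passed, lines = run_switch_points_test(logic, ROUTE_R1)
        print(logic.__name__, "PASS" if passed else "FAIL")
        print("\n".join(lines))
```
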
Referring to figure 1, the device according to the invention may be used in conjunction with another device called Boolean validator or checker. In this case it is a hardware/software device, i.e. a computer or a personal computer, which can even be the same computer as that of the device according to the present invention, and wherein a program for executing the check of the control and command logical program is loaded, i.e. a checker of Boolean equations. The check program may be of the type operating according to a diversity principle. Particularly the Boolean checker may be composed of a comparator executing a comparison between the command and control logical program, which is in the test step in the device according to the invention, and a further control and command logical program which has been generated by generating means different from those of the program in the test step. It is possible to execute the comparison both regarding the Boolean equation system of the two control and command logical programs and regarding the results of the simulating test executed for both the programs.
If required, even the programs simulating operating units, i.e. station equipments, areas or stations, may be subjected to a similar diversity test with the help of the Boolean checker. According to a preferred type of checker, this is composed of an independent program that is executed on a different computer or on the same computer as the device according to the invention. This program executes in parallel the test of the Boolean equation system constituting the control and command logical program that is subjected to the check. In this case, the same logical program for controlling and commanding the railway plant is subjected to a dual check test by means of railway plant simulation, according to what is described above, with two disjoint programs, and the behaviour of the simulated plant obtained under the control of the control and command logical program in the two disjoint and parallel check tests is compared, error or alert files being generated in case of differences.
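The two comparison levels described above (simulation results and Boolean equation system) can be illustrated as follows. This is an added example, not the patent's checker: the variable names, both equation systems (written as lists of product terms) and the scenario are constructed, with a missing switch-detection term seeded into the second system.

```python
from itertools import product

# A Boolean equation in sum-of-products form: a list of product terms,
# each term mapping a variable name to the value it must have.
# Constructed system A (the program under test).
CHANNEL_A = {
    "ROUTE_LOCK": [{"ROUTE_REQ": True, "TC1_FREE": True, "SW1_NORMAL": True},
                   {"ROUTE_LOCK": True, "ROUTE_REQ": True}],
    "SIG_GREEN": [{"ROUTE_LOCK": True, "TC1_FREE": True, "SW1_NORMAL": True}],
}
# Constructed system B (generated by different means). ROUTE_LOCK is written
# differently but is equivalent; SIG_GREEN lacks the SW1_NORMAL condition.
CHANNEL_B = {
    "ROUTE_LOCK": [{"ROUTE_REQ": True, "TC1_FREE": True, "SW1_NORMAL": True},
                   {"ROUTE_LOCK": True, "ROUTE_REQ": True, "TC1_FREE": True},
                   {"ROUTE_LOCK": True, "ROUTE_REQ": True, "TC1_FREE": False}],
    "SIG_GREEN": [{"ROUTE_LOCK": True, "TC1_FREE": True}],
}
# Constructed scenario: input changes applied at the start of each cycle.
SCENARIO = [
    {"ROUTE_REQ": True, "TC1_FREE": True, "SW1_NORMAL": True},
    {},
    {"SW1_NORMAL": False},  # switch point loses its detection
    {},
]


def evaluate(sop, state):
    return any(all(state[v] == want for v, want in term.items()) for term in sop)


def support(sop):
    return sorted({v for term in sop for v in term})


def run_cycles(system, scenario):
    """Simulate one calculating cycle per scenario entry; every equation
    reads the state as it was before the cycle plus the new inputs."""
    names = set(system)
    for sop in system.values():
        names.update(support(sop))
    state = dict.fromkeys(names, False)
    report = []
    for inputs in scenario:
        state.update(inputs)
        outputs = {var: evaluate(sop, state) for var, sop in system.items()}
        state.update(outputs)
        report.append(dict(state))
    return report


def compare_reports(report_a, report_b):
    """List (cycle, variable, value_a, value_b) for every disagreement."""
    diffs = []
    for cycle, (sa, sb) in enumerate(zip(report_a, report_b), start=1):
        for var in sorted(set(sa) | set(sb)):
            if sa.get(var) != sb.get(var):
                diffs.append((cycle, var, sa.get(var), sb.get(var)))
    return diffs


def compare_equation(sop_a, sop_b):
    """Exhaustive truth-table comparison; returns the assignments on which
    the two equations disagree (empty list means equivalent)."""
    names = sorted(set(support(sop_a)) | set(support(sop_b)))
    counterexamples = []
    for values in product([False, True], repeat=len(names)):
        state = dict(zip(names, values))
        if evaluate(sop_a, state) != evaluate(sop_b, state):
            counterexamples.append(state)
    return counterexamples


def diversity_check(sys_a, sys_b, scenario):
    """Compare plant behaviour first, then narrow the equation comparison
    to the variables whose simulated values differed."""
    diffs = compare_reports(run_cycles(sys_a, scenario),
                            run_cycles(sys_b, scenario))
    suspects = sorted({var for _, var, _, _ in diffs})
    findings = {var: compare_equation(sys_a.get(var, []), sys_b.get(var, []))
                for var in suspects}
    return diffs, findings


if __name__ == "__main__":
    diffs, findings = diversity_check(CHANNEL_A, CHANNEL_B, SCENARIO)
    for cycle, var, a, b in diffs:
        print(f"cycle {cycle}: {var} A={a} B={b}")
    for var, cases in findings.items():
        print(var, "equations disagree on", cases)
```

The ROUTE_LOCK equations differ textually yet produce no finding, which is why the equation-level comparison here is done on truth tables rather than on the written form.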
According to a further feature of the invention, for each of the Boolean equations of the equation system that compose the logical program for controlling and commanding the railway plant, it is possible to display both a list of product terms that are part of the displayed equation and the circuit corresponding to said displayed equation. Figures 23 and 24 show the window for selecting equations and the window for displaying a circuit corresponding to one of said equations. The selection and the opening of the corresponding circuit can be activated by buttons or by means of the mouse.
According to a further feature of the invention, the device comprises a program for designing and generating Boolean simulators of equipments or operating units that allows new equipments with new behaviours to be generated. Equipments can be composed of basic components, i.e. components for simulating a basic function, and of complex components, i.e. a group of basic components operating in the sphere of an equipment simulator having a more elaborate structure.
A basic component may be selected from a list of existing components or created. The basic component generating window is substantially similar to the one of figure 9. Obviously, figure 9 shows a component already generated or close to generation. Analogously to what has already been said, a state table is generated wherein input variables, output variables, control variables and comments are defined. Variable values are selectable analogously to those provided for the truth table and the provided functions are similar. The automaton illustrated on the left side of figure 9 (substantially similar to the one for generating the equipment simulator) is the Markov automaton, wherein states are represented by circles drawn along a horizontal line, using distances calculated according to the description of the longest state. The description of the state is indicated by variables on the right of the circle; the state is composed of the local variable aliases, a variable assuming the "False" condition being illustrated with a mark on it. State transitions, on the other hand, are illustrated by arcs going from the initial to the final state, and the direction of the state transition is indicated by an arrow upon the corresponding transition arc. When the mouse cursor is put upon the arrow of a transition arc, the transition conditions are automatically displayed as one or more groups of input, control and output variables. Circle and arc colours are given in a different way depending on the configuration choices that have been set.
The individual basic components defined in such way can be combined or associated therebetween to form complex components, being interfaced therebetween by means of the indication of interfacing variables or input and output internal variables. It is also possible to display a block diagram of the structure of the equipment simulator as appears in figure 25.
It is clear from what disclosed before and as results from figure 1 that the device according to the invention may be provided also as a device always existing in the system for controlling and commanding plants as a further non-vital node which can be activated both in emergency mode to execute periodical checks of the control and command logical program as well as backup unit or even as a device to modify and upgrade the control and command logical program when the system is modified with the removing or the addition of stations, areas or wayside equipments.
With regard to the device according to the invention it is generally clear that it may be employed in any plant having structural analogies with the described railway plant and that terms like station plant or plant area, operating unit and wayside equipment are similar terms.

Claim:
1. A device for checking logical software engines for controlling and commanding plants, particularly railway plants, particularly station plants, comprising: at least a computer with at least a central processing unit and at least a memory for loading and executing programs; interfaces to data and/or commands inputting means; display means; a logical engine for commanding a plant, particularly a station plant, being loaded or loadable in said memory for its execution, which plant comprises a plurality of operating units for actuating and/or detection and/or measurement and/or signaling, so-called wayside equipments, which units are provided for receiving command signals and for transmitting control signals about the operating condition, and which logical software engine reads control signals given by the operating units for actuating and/or detection and/or measurement and/or signaling and it processes command signals of said operating units basing on an operation protocol of the plant itself, means for scheduling and configuring images and/or state and command variable lists of virtual operating units corresponding to the desired or correct operation or state condition of the plant in conjunction with a predetermined operation situation; means for setting specific operating conditions of the plant or of anomalous situations and for checking the plant reactions referring to several operating environments; wherein in the computer memory a plant software simulation program that is to be controlled and commanded by the control and command logical program is loaded or loadable and it is executable by the computer itself and which simulation program reproduces exactly the plant structure and the operating modes of operating units provided in said plant and in that the operation of the control and command logical program is further represented, in parallel or alternatively, as behavior of the equivalent command hardware logic composed of a relay network, means for simulating relay operation and a means for simulating relay network operation being provided, as well as graphic means for representing relays univocally associated to each relay simulation means and to relay network graphic representation means.
2. A device according to claim 1, wherein the simulation of plant structure and of operating units associated thereto, such as track circuits to detect the presence of the train, switch points actuators, signaling actuators and other different units is represented in the simulation program by Boolean algorithms, variables associated to said algorithms being univocally defined to represent the control signals of various state or operation conditions of several operating units and the command signals for commutating and/or maintaining the state or operating conditions of said several operating units.
3. A device according to claims 1 or 2, wherein means for displaying the image of plant behavior are provided under the control of the control and command logical program as variable lists univocally associated to various operating units as report files wherein various operating units and the associated state or command variables are listed.
4. A device according to one or more of the preceding claims, wherein the simulation program comprises means for setting starting operating conditions of the plant and/or even anomalous setting situations of plant operating units to check the reaction of the plant to these conditions.
5. A device according to one or more of the preceding claims, wherein to each plant operating unit and/or to each important structural element and/or at least to one or more areas of the plant and/or to the whole plant can be univocally associated a virtual image of the operating unit and/or of the plant structural element and/or of the area or areas of the plant and/or of the whole plant which image is generated by a graphic program loaded or loadable and/or executable by the computer of the device and which virtual image is univocally correlated to the logical program for simulating the operating unit or the plant structural element or the area or areas of the plant or the whole plant, the graphic program for generating the virtual image of each operating unit and/or of each area and/or of the plant being such to generate several graphic aspect conditions of the operating unit, of the area or of the whole plant, each of which is univocally correlated to a predetermined value of variables relevant to the operating condition of the operating unit or of the area or of the plant and/or of command variables for commutating or maintaining the operating state of the operating unit or of the area or of the plant.
6. A device according to claim 1, wherein each relay is simulated by a logical program of Boolean type, single state conditions of relays and/or commutation commands being represented by state or command variables and graphic programs being such to associate several relay graphic aspects univocally correlated to values assumed by said state or command variables.
7. A device according to one or more of the preceding claims, wherein it has means for scheduling and configuring images and/or state and command variable lists of virtual operating units corresponding to the desired or correct operation or state condition of the plant in conjunction with a predetermined operation situation, by providing means for checking, directly and visually, a correct operation in conjunction with automatic check means basing on the comparison between the nominal image and the nominal table or list of desired state and command variables previously scheduled and the image and state and command variables really processed during the operation of the control and command logic with the station plant virtual model, an error message being sent in case of non-identity.
8. A device according to claim 7, wherein it has means for displaying graphically and/or analytically the operating unit or units that have assumed a non-correct condition and the corresponding state or command variable or variables.
9. A device according to claims 7 or 8, wherein the automatic check means analyze even the simulated representation means of the relay network, indicating which relay or relays have not been commutated in the correct condition and the corresponding commutation state or command variables.
10. A device according to one or more of the preceding claims, wherein it provides automatic means that correct the control and command logical program basing on the possible corrections made by the user to state or command variables manually modified in the presence of a state or command error of a virtual operating unit or of a relay in the corresponding command logical circuit formed by the plant or network relay virtual model.
11. A device according to one or more of the preceding claims, wherein the modification means allow modification interventions both of alphanumeric type executed on report files of state or command variables, and interventions for graphically modifying the aspect of the operating unit or the relay corresponding to the state of said operating unit or of said relay, whereas analysis and interpretation means are provided which analyze state or command variable values manually set to correct the wrong values, analyze the control and command logical program and modify the code to commute the operating unit or relay in the correct state condition when the operation condition occurs with which the control and command logical program had previously generated the error.

12. A device according to one or more of the preceding claims, wherein it comprises means for associating operating units and plant structural elements to generate or to find areas of virtual station plant and the corresponding parts of the control and command logical program having typical plant structures that recur in several station plants, so as to load and reuse both the Boolean simulation programs, and graphic display programs as well as parts of control and command logical programs in new station plants having equal station areas.
13. A device according to one or more of the preceding claims, wherein it has means for connecting and interfacing with validation and certification means based on the diversity of the program for generating the control and command logical program, such as a so-called Boolean algorithms checker.
14. A device according to claim 13, wherein the Boolean checker comprises an additional program for generating the control and command logical program generated or memorized in the Boolean checker which additional control and command logical program is generated through means different than the one during the test step by means of plant simulation and means for comparing the additional control and command logical program generated or memorized in the Boolean checker with the control and command logical program during the test step by means of plant simulation to notice the identity between the two control and command logical programs.
15. A device according to claim 14, wherein the comparison occurs at the Boolean equation system of the control and command logical program generated or memorized in the Boolean checker and at the control and command logical program during the test step by means of simulation of the plant.
16. A device according to claims 14 or 15, wherein the comparison occurs according to text reports by means of plant simulation of the control and command logical program during the test step and of the additional control and command logical program generated and/or memorized in the Boolean checker, means being provided for comparing command and state variables of operating units and relays of the virtual relay network both from the numeric perspective and the graphic perspective.
17. A device according to claim 16, wherein it comprises means for the displaying, in a combined way, of graphic images of plant state conditions obtained with the two control and command logical programs.
18. A device according to claim 17, wherein it comprises means for displaying, in an overlap way, plant layout images according to the two control and command logical programs, in which overlapping of the plant state condition image the possible differences are graphically highlighted in a visually relevant way.
19. A device according to one or more of the preceding claims 14 to 18, wherein the two comparison modes at the Boolean equation system and at report files of the test of control and command logical programs with the virtual plant are executed sequentially, the result of the first comparison being a means to identify the operating unit and/or the plant area and/or the Boolean equations wherein a difference has been noticed and it must be subjected to the second comparison step.

20. A device according to claim 19, wherein the comparison relevant to plant conditions obtained by the two control and command logical programs is firstly executed and therefore it is identified on which parts of the program the comparison actions can be limited with regard to the Boolean equation system to determine possible actions to correct the same or the debugging.
21. A device according to one or more of the preceding claims 14 to 20, wherein the Boolean checker analyses, basing on diversity, even logical programs for simulating the single operating units and/or the plant areas and/or the plant and/or the logical programs for simulating relays or relay network extending such check action, based on the diversity, of the generating program even to programs for graphically representing operating units or relays.
22. A device according to one or more of the preceding claims, wherein it comprises a network interface and it may constitute a non-vital node of the railway plant, being a means for quickly modifying the control and command logical program and for virtually validating the same, for instance in case of a structural modification of the plant by eliminating or adding plant elements.
23. A device according to claim 22, wherein said device, alternatively or in conjunction, is a diagnostic or supervisory tool of the correct operation of the real station plant, being provided a comparator between the state condition that has been assumed by the real plant and the one that has been assumed by the simulated plant.
24. A device according to claims 22 or 23, wherein it is a device for simulating emergency interventions before their application to the real plant, it being possible in the emergency event to simulate several intervention or command possibilities of the plant, in order to execute on the plant itself, among the possible choices, the one that is the best solution.
25. A device according to one or more of the preceding claims, wherein it comprises tools for executing simulating functions with a user interface of the type used by the Windows® program of Microsoft Inc. and therefore it comprises operating windows with function buttons, quick choice menus and other functionalities typical of said interface, in addition obviously to the use of mouse or of other pointers, selection and command input systems and the keyboard to input numerical data, such as to create or modify graphic images of operating units and/or of relays or of other parts of the plant structure.
26. A device according to claim 1, wherein manually setting means are means provided by the personnel imposing, at the starting of the cycle for executing the control and command logical program, specific state conditions to the several operating units, it being possible to provide by means of suitable scheduling even conditions wherein one or more operating units are not operating or operate in an anomalous way.
Dated this 14th day of February, 2005.
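
The sequential comparison of claims 15, 16 and 19, sketched as an added example that is not part of the patent text: two independently produced Boolean equation sets are first compared exhaustively, and only the outputs found to differ are then compared in the text reports of a simulated run. The variable names, the equations, the `step;output;value` report format and the scenario are all constructed assumptions.

```python
from itertools import product

INPUTS = ("track_free", "point_locked", "route_set", "conflict")

# Constructed data: two independently produced equation sets for one signal
# and one point machine. PROGRAM_B omits the point_locked term on purpose.
PROGRAM_A = {
    "signal_green": lambda v: v["track_free"] and v["point_locked"]
                              and v["route_set"] and not v["conflict"],
    "point_cmd": lambda v: v["route_set"] and not v["point_locked"],
}
PROGRAM_B = {
    "signal_green": lambda v: v["track_free"] and v["route_set"]
                              and not v["conflict"],
    "point_cmd": lambda v: v["route_set"] and not v["point_locked"],
}

def compare_equations(a, b, inputs=INPUTS):
    """Step 1: exhaustive check; {output: [input assignments that differ]}."""
    diffs = {}
    for out in sorted(set(a) | set(b)):
        for bits in product((False, True), repeat=len(inputs)):
            v = dict(zip(inputs, bits))
            # An equation present in only one program differs everywhere.
            if out not in a or out not in b or bool(a[out](v)) != bool(b[out](v)):
                diffs.setdefault(out, []).append(v)
    return diffs

def simulate(program, scenario):
    """Text report of a simulated run, one 'step;output;value' line each."""
    return [f"{step};{out};{int(bool(fn(v)))}"
            for step, v in enumerate(scenario)
            for out, fn in sorted(program.items())]

def compare_reports(report_a, report_b, flagged):
    """Step 2: compare report values, limited to outputs flagged in step 1."""
    def parse(report):
        return {(int(s), o): int(x) for s, o, x in (l.split(";") for l in report)}
    ra, rb = parse(report_a), parse(report_b)
    return [(step, out, ra.get((step, out)), rb.get((step, out)))
            for step, out in sorted(set(ra) | set(rb))
            if out in flagged and ra.get((step, out)) != rb.get((step, out))]

# Constructed scenario: point loses its lock at step 1, track occupied at step 2.
SCENARIO = [
    dict(track_free=True, point_locked=True, route_set=True, conflict=False),
    dict(track_free=True, point_locked=False, route_set=True, conflict=False),
    dict(track_free=False, point_locked=False, route_set=True, conflict=False),
]

def run():
    diffs = compare_equations(PROGRAM_A, PROGRAM_B)
    mismatches = compare_reports(simulate(PROGRAM_A, SCENARIO),
                                 simulate(PROGRAM_B, SCENARIO), set(diffs))
    return diffs, mismatches
```

The first step narrows the search to `signal_green`, and the second shows at which simulated step the two programs would drive the signal differently.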


Patent Number 206467
Indian Patent Application Number 136/MUMNP/2005
PG Journal Number 30/2007
Publication Date 27-Jul-2007
Grant Date 26-Apr-2007
Date of Filing 15-Feb-2005
Name of Patentee ALSTOM FERROVIARIA SPA
Applicant Address VIA OTTAVIANO MORENO 23, 12038 SAVIGLIANO (CN) ITALY.
Inventors:
# Inventor's Name Inventor's Address
1 TRAMONTANA FRANCESCO V. GUERRIERI, 1-61034 FOSSOMBRONE, ITALY.
PCT International Classification Number G06F 17/50
PCT International Application Number PCT/EP03/50724
PCT International Filing date 2003-10-16
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 SV 2002A000056 2002-11-14 Italy