METHOD AND SYSTEM FOR REMOTE CONTROL OF HUMAN MACHINE INTERFACES

20200262458 · 2020-08-20

    Abstract

    The present invention relates to a method for remotely controlling the status of graphic user interfaces such as monitors, panels, displays, screens and others, used in railway or transportation systems. To achieve a reliable safety level, so that a person can be sure that the information displayed by the graphic interface in real time corresponds to the effective situation of the transportation network, a feedback control loop is provided between an image elaboration-generation block and a safety block. According to a preferred solution, the communications between the blocks of the control loop are encrypted. With the control method of the present invention, it is possible to achieve a top safety level in railway networks, even when using commercially available graphic user interfaces, such as COTS terminals.

    Claims

    1-12. (canceled)

    13. A method for remote control of human machine interfaces (HMI), such as those used for the supervision and/or regulation of railway transportation systems or parts thereof, comprising the steps of: acquiring data about the status of the system to be supervised or a part of it, and generating graphic symbol or information accordingly, processing the information and generating an image corresponding thereto, visualizing the image on displaying means, and comparing the graphic information and the image to be visualized, for checking whether they correspond to each other so that only images generated by data positively checked, are visualized by the displaying means.

    14. The method of claim 13, wherein the graphic information is encrypted and the processing step includes the decryption of such information, for comparing the decrypted graphic information with that previously acquired, before the visualization step.

    15. The method according to claim 14, wherein a two level encryption is used, preferably of symmetric and asymmetric type.

    16. The method according to claim 15, wherein the graphic information acquired about the status of the system or a part of it comprises symbols.

    17. The method according to claim 16, wherein the processing step and/or the visualization step are carried out respectively by means of COTS terminal and/or COTS display.

    18. The method according to claim 17, wherein the transportation system is a railroad or tramway line.

    19. The method according to claim 13, comprising the steps of: generating the status of the symbols to be displayed; sending an encrypted copy of the state to an HMI Terminal; providing, in the normal operational mode, to the HMI Terminal the cryptographic keys for decoding the state; supervising the outcome of the diagnostic tests performed on each HMI Terminal and assigning them the normal or safe operational mode.

    20. The method according to claim 13, comprising the steps of: decrypting the status of the symbols received by an HMI Safe Server with the received key; generating the image to be displayed; running diagnostics routines required by the HMI Safe Server; sending the reply message to the HMI Safe Server.

    21. A human machine interface for carrying out the method of claim 13, comprising: a safety unit or nucleus for acquiring data about the status of the system to be supervised or a part of it, and for providing graphic symbol or information according thereto; a human machine interface terminal communicating with the safety unit for processing graphic information and image generation; a visualization unit communicating with the interface terminal for displaying images, wherein the safety unit comprises means for encryption of graphic information, whereas the interface terminal comprises means for decryption of such information.

    22. The human machine interface according to claim 21, wherein the terminal operates decryption of graphic information and compares them with the graphic symbol or information provided by the safety nucleus.

    23. The human machine interface according to claim 22, wherein the safety nucleus supervises the comparison made by the interface terminal.

    24. The human machine interface according to claim 21, wherein the terminal and the visualization means comprise elements of COTS type.

    Description

    [0041] Such features will become more apparent from the following description of a preferred but non-limiting embodiment of the invention, which will be described hereinafter with reference to the appended drawings, wherein:

    [0042] FIG. 1 is a block diagram representing a control system of the prior art;

    [0043] FIG. 2 is a block diagram representing a control system according to the present invention;

    [0044] FIGS. 3, 4 and 5 are flow charts showing respective operating phases of the control method of the present invention;

    [0045] FIGS. 6 and 7 are further block diagrams showing the operation of the control system of the present invention.

    [0046] With reference to the drawings listed above and in particular to FIG. 2, which shows a block diagram of an HMI of the invention generally referred to with numeral 10, for the sake of simplicity three main operating units or blocks are identified: an HMI safe server block 11, an HMI terminal block 12, and a COTS monitor block 13.

    [0047] These blocks or units 11, 12 and 13 are serially connected to each other as shown by arrows in the drawings and, according to a preferred embodiment, the HMI system 10 comprises a feedback control loop 15, between the HMI terminal 12 and the HMI safe server 11.

    [0048] Overall, the process of generating and displaying the image on the COTS monitors 13 is divided into a series of steps involving the two subsystems HMI Safe Server 11 and HMI Terminal 12.

    [0049] More specifically, HMI Safe Server 11 carries out the following steps:

    [0050] generating the status of the symbols to be displayed;

    [0051] sending an encrypted copy of the state to the HMI Terminal 12;

    [0052] providing, in the normal operational mode, to the HMI Terminal 12 the cryptographic keys for decoding the state;

    [0053] supervising the outcome of the diagnostic tests performed on each HMI Terminal 12 and assigning them the normal or safe operational mode.

    [0054] Meanwhile, the HMI terminal 12 carries out the following steps:

    [0055] decrypting the status of the symbols received from the HMI Safe Server with the received key;

    [0056] generating the image to be displayed;

    [0057] running the diagnostic routines required by the HMI Safe Server 11;

    [0058] sending the reply message to the HMI Safe Server 11.

    [0059] As can be seen from the flow charts of FIGS. 3-5, a new and original feature of the present invention is that, through the use of cryptographic techniques, the HMI safe server 11 can safely enable or disable the updating of the display on each individual HMI terminal 12.

    [0060] In particular, according to a preferred embodiment, the communication between the HMI Safe Server 11 and the HMI Terminals 12 uses two levels of encryption:

    [0061] 1. symmetric key encryption with AES to protect the symbol state sent by the HMI Safe Server 11 to all the HMI Terminals 12. The HMI Safe Server 11 uses a key Ks that is changed at each processing cycle;

    [0062] 2. asymmetric key encryption with RSA to protect the cryptographic key Ks. The HMI Safe Server 11 sends the key Ks (necessary to decrypt the state) in a further encrypted message. There is a unique key pair for each HMI Terminal 12; each HMI Terminal 12 can obtain the key Ks only by decoding its own key block.

    [0063] In the drawings, Ks is the symmetric key used to encrypt the status block (FIG. 4, point 1); Ktn is the public asymmetric key used to encrypt Ks towards the HMI Terminal n (FIG. 4, point 2); Kpn is the private asymmetric key used by the HMI Terminal n to perform the decryption of Ktn(Ks) (FIG. 5, point 1).

    [0064] Upon providing the right key for decryption of the symbol state, and after having checked the required diagnostic outcomes, the HMI Safe Server 11 enables the HMI Terminals 12 to generate the output image to be sent to the COTS monitors 13.
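    The two-level exchange of paragraphs [0060]-[0064], worked through as an added illustration (not code from the patent or its assignee): AES-GCM is assumed as the AES mode and RSA-OAEP as the RSA padding, neither of which the text specifies; the field names, function names and the "echo the decrypted state back" form of the diagnostic reply are also assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// CycleMsg is one processing cycle from the Safe Server: the symbol state sealed with a
// fresh AES-GCM key Ks, plus Ks wrapped under terminal n's RSA public key Ktn (OAEP).
type CycleMsg struct{ Nonce, Ciphertext, WrappedKs []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// ServerEncryptCycle is the Safe Server side (FIG. 4, points 1 and 2).
func ServerEncryptCycle(state []byte, ktn *rsa.PublicKey) (CycleMsg, error) {
	buf := make([]byte, 32+12) // a new Ks (32 bytes) and GCM nonce (12 bytes) every cycle
	if _, err := rand.Read(buf); err != nil { return CycleMsg{}, err }
	ks, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(ks)
	if err != nil { return CycleMsg{}, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ktn, ks, nil)
	if err != nil { return CycleMsg{}, err }
	return CycleMsg{nonce, gcm.Seal(nil, nonce, state, nil), wrapped}, nil
}

// TerminalDecrypt is the HMI Terminal side (FIG. 5, point 1): unwrap Ks with the terminal's
// private key Kpn, then recover the state. A wrong Kpn or a modified message fails here.
func TerminalDecrypt(msg CycleMsg, kpn *rsa.PrivateKey) ([]byte, error) {
	ks, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kpn, msg.WrappedKs, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(ks)
	if err != nil { return nil, err }
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

// ServerCheckReply closes the feedback loop: normal mode (display update enabled) only
// if the echoed state equals what was sent this cycle and the diagnostics passed.
func ServerCheckReply(sent, echoed []byte, diagOK bool) bool {
	return diagOK && bytes.Equal(sent, echoed)
}
```

    Because Ks is wrapped separately for each terminal, a message built for terminal 1 cannot be opened with terminal 2's private key, and any bit changed in the sealed state block is rejected by the authenticated decryption before an image could be generated from it.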

    [0065] In the absence of such authorization, the HMI Terminal 12 cannot build the correct state to produce a valid image.

    [0066] This provides for two constraints or conditions for the applications that use the proposed system.

    [0067] The first condition is that the diagnostic outcomes processed by the HMI Safe Server 11 must be designed to ensure, within the desired probability, the identification of possible malfunctions of the HMI Terminal 12.

    [0068] The second condition or constraint is that, in the absence of an updated state, the HMI Terminal 12 must not be able to produce a valid image for the operators' COTS monitors 13.

    [0069] Since in both cases it is an application constraint which solution to apply, the application of the present invention to railway control systems is better explained with reference to FIGS. 6 and 7.

    [0070] In the context of railway signaling applications, with particular reference to operator interfaces, an HMI control system 20 comprises a Safety Nucleus 21, which acts like the HMI Safe Server 11 of the diagram in FIG. 2, while a COTS PC 22 acts like the previous HMI Terminal 12.

    [0071] In this system COTS LCD monitors 23 are used. With these definitions in mind, the table below lists in its rows the parameters (threats) that must be addressed to ensure the accuracy of the display 23, and in its columns the possible counteractions.

    TABLE 1 (the cell layout of this table did not survive extraction; only its headings and the number of marked cells per row are recoverable)

    Rows (threats): Video Memory fault; RAM fault; Generic COTS software fault; Generic COTS hardware fault; Communication fault.

    Columns (counteractions; the header words are grouped here as far as they can be recovered): Runtime test of Graphic Library; SW and State diversity; Forced Video Refresh; Offline/Runtime Testing; Control flow check; Video Memory Checksum; Data Vitality.

    Marked counteractions per threat: Video Memory fault, 3; RAM fault, 4; Generic COTS software fault, 4; Generic COTS hardware fault, 4; Communication fault, 1.

    [0072] Each feature of the table can be allocated as in the flow diagram of FIG. 7.

    [0073] Using the set of features disclosed herein, the feedback control loop provides for safely enabling or disabling the COTS terminals 22, thereby ensuring that an operator looking at the monitor 23 can rely on the full correctness of the images displayed therein.

    [0074] In other words, in the HMI control system 20 according to the invention, only images whose reliability has been fully tested by the feedback control loop 25 are sent to the final monitor and/or screen, panel or other visual display 23. From the foregoing explanations it can therefore be appreciated how the present invention solves the technical problem set forth initially.

    [0075] Indeed, the proposed solution improves the overall safety of a visualization system by adding a closed loop for controlling the critical path of COTS components.

    [0076] The feedback chain makes the reliability of the visualization process independent of the particular set of COTS products used.

    [0077] More precisely, taking as the only necessary system specification the safe generation of the image corresponding to the status of the signalling symbols, no other vital mechanism needs to be introduced to reach the safety goal. Every significant error caused by a malfunctioning hardware or software source will in fact be reported into the feedback loop, and this will lead to a safe stop of the image updating.

    [0078] The proposed method is easy to integrate and customize into existing architectures with no economic (i.e. cost) impact, so that in the railway field it is possible to discard the current monitoring systems based on proprietary hardware.

    [0079] Besides, thanks to its independence from the specific application, the system can be applied wherever a safe graphical visualization interface (HMI, GUI or others) is required.

    [0080] Therefore, it is possible to extend its employment to other operating contexts or to other companies as well, helping to improve the safety of people and property, with a significant social impact.