
Title:
A CONTROL METHOD FOR A CONTROL SYSTEM OF A RAILWAY TRANSPORT FACILITY AND SAID CONTROL SYSTEM OF A RAILWAY TRANSPORT FACILITY
Document Type and Number:
WIPO Patent Application WO/2023/228076
Kind Code:
A1
Abstract:
A control method for a control system for a railway transport facility (1), wherein the control system (10) comprises a terminal (300), preferably of a mobile or fixed type; the method comprising the steps of: - receiving a first command from an operator via the terminal (300); - executing the first command; - sending to the terminal (300) at least one display message (MV) containing information for the operator; - displaying on a screen (301) of the terminal (300) the information of the at least one display message (MV), in particular a screen illustrating the information contained in the at least a display message (MV).

Inventors:
DEL VILLANO FAUSTO (IT)
FLAMINIO LUCA (IT)
VIVARELLI CLAUDIO (IT)
PELLECCHIA RAFFAELE (IT)
Application Number:
PCT/IB2023/055291
Publication Date:
November 30, 2023
Filing Date:
May 23, 2023
Assignee:
HITACHI RAIL STS S P A (IT)
International Classes:
B61L23/24; B61L27/20; B61L27/70
Foreign References:
EP2974939A12016-01-20
US20050068184A12005-03-31
DE102005038386A12007-02-15
Attorney, Agent or Firm:
STUDIO TORTA S.P.A. (IT)
Claims:
CLAIMS

1. A control method for a control system for a railway transport facility (1) , wherein the control system (10) preferably comprises an apparatus (100) configured to control a railway network (2) , in particular to control the train operation on said railway network (2) , preferably the apparatus is a safety and/or vital apparatus type; and a terminal (300) , preferably of a mobile or fixed type, preferably the terminal (300) being coupled in communication with the apparatus (100) ; the method comprising the steps of: receiving a first, preferably vital, command from an operator by the terminal (300) ; executing the first command;

- sending to the terminal (300) at least a display message

(MV) containing information for the operator, wherein the terminal preferably (300) receives the display message from the apparatus (100) ;

- displaying on a screen (301) of the terminal (300) the information of the at least one display message (MV) , in particular a screen illustrating the information contained in the display message (MV) ;

- preferably receiving second commands from the terminal (300) comprising a command relating to the actuation of at least one countryside or field device of the railway network (2) , preferably the at least one countryside or field device is selected in a group of countryside or field devices comprising: light signalling devices, turnout actuators, turnout stops, foot switches, track circuits, level crossing barriers, pickets and operating said countryside or field device ;

- preferably the display message (MV) comprising information relating to the status of the at least one operated countryside or field device and preferably the status of other countryside or field devices of the railway network (2); preferably displaying on the screen (301) of the terminal (300) a graphic symbol or graphic symbols showing the information of the display message (MV), in particular a graphic symbol or graphic symbols showing the status of said operated countryside or field device and preferably the status of other countryside or field devices of the railway network (2).

2. The control method of claim 1, wherein the first command comprises a request for a possession zone, in particular a request indicating an area of the railway network to be inhibited or enabled for train traffic, in particular the area of the railway network comprises at least a portion of at least a track of the railway network to be inhibited or enabled for train traffic;

- wherein the step of executing the first command comprises the step of actuating or releasing the possession zone, in particular of inhibiting or enabling train traffic to the area identified by the first command;

- wherein the information for the operator contained in the display message (MV) comprises an indication about the status of the possession zone, in particular the status of the area inhibited or enabled for train traffic and preferably an indication of the status of at least one other area of the railway network;

- wherein showing on the screen (301) of the terminal (300) the information of the display message (MV) comprises showing on the screen (301) through a graphical representation the status of the activated or released possession zone, in particular the status of the area inhibited or enabled for rail traffic and preferably the status of at least one other area of the railway network (2).

3. The control method of claim 2, wherein the first command is a command to require a possession zone to be released; the method comprises the step of checking whether the terminal (300) from which the command of releasing a possession zone came is the same terminal (300) from which it had received the activation of said possession zone, and releasing said possession zone only if this checking is successful.

4. The method of claim 2 or 3, wherein the first command is a command of activating a possession zone from the terminal (300); the method comprising the step of receiving at least a second command relating to operating a countryside or field device, and checking whether said at least a second command relates to a countryside or field device located within said possession zone; the method comprises the step of executing said at least a second command only if said checking is successful.
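The two checks of claims 3 and 4 (a possession zone may be released only by the terminal that activated it, and a field-device command is executed only for a device inside a zone held by that terminal), as an added example in Go. This is illustration code written for this page, not the patent's or Hitachi Rail's own implementation; the track/metre position model, the overlap rule on activation, the identifiers (tablet-A, PZ-7, S12, LC3) and the sample network are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// TrackPos locates a point as (track id, metres along that track).
// This data model and the sample network below are assumptions for this
// illustration; the patent does not define them.
type TrackPos struct {
	Track string
	Metre float64
}

// PossessionZone is one closed interval of one track, bound to the
// terminal (300) whose first command activated it.
type PossessionZone struct {
	ID       string
	Track    string
	From, To float64
	Terminal string
}

// FieldDevice is a countryside or field device (signal, turnout, crossing...).
type FieldDevice struct {
	ID  string
	Pos TrackPos
}

var (
	ErrOverlap     = errors.New("area overlaps an active possession zone")
	ErrUnknownZone = errors.New("no such active possession zone")
	ErrNotOwner    = errors.New("release must come from the terminal that activated the zone")
	ErrOutsideZone = errors.New("device is not inside a zone held by this terminal")
)

// Apparatus is the state the safety apparatus (100) keeps for the checks.
type Apparatus struct {
	zones   map[string]PossessionZone
	devices map[string]FieldDevice
}

func NewApparatus(devices []FieldDevice) *Apparatus {
	a := &Apparatus{zones: map[string]PossessionZone{}, devices: map[string]FieldDevice{}}
	for _, d := range devices {
		a.devices[d.ID] = d
	}
	return a
}

// Activate executes a "request possession zone" first command (claim 2):
// traffic is inhibited on [From, To] of the track and the zone is bound to
// the requesting terminal. Overlapping zones are refused (an assumption).
func (a *Apparatus) Activate(z PossessionZone) error {
	for _, o := range a.zones {
		if o.Track == z.Track && z.From <= o.To && o.From <= z.To {
			return ErrOverlap
		}
	}
	a.zones[z.ID] = z
	return nil
}

// Release implements claim 3: only the activating terminal may release.
func (a *Apparatus) Release(zoneID, terminal string) error {
	z, ok := a.zones[zoneID]
	if !ok {
		return ErrUnknownZone
	}
	if z.Terminal != terminal {
		return ErrNotOwner
	}
	delete(a.zones, zoneID)
	return nil
}

// OperateDevice implements claim 4: a second command on a field device is
// executed only if the device lies inside a zone held by that terminal.
// An unknown device is treated like one outside every zone.
func (a *Apparatus) OperateDevice(terminal, deviceID string) error {
	d, ok := a.devices[deviceID]
	if !ok {
		return ErrOutsideZone
	}
	for _, z := range a.zones {
		if z.Terminal == terminal && z.Track == d.Pos.Track &&
			d.Pos.Metre >= z.From && d.Pos.Metre <= z.To {
			return nil // actuation of the device would happen here
		}
	}
	return ErrOutsideZone
}

func main() {
	a := NewApparatus([]FieldDevice{ // constructed sample network
		{ID: "S12", Pos: TrackPos{"T1", 1200}},
		{ID: "LC3", Pos: TrackPos{"T1", 5100}},
	})
	fmt.Println(a.Activate(PossessionZone{"PZ-7", "T1", 1000, 2000, "tablet-A"}))
	fmt.Println(a.OperateDevice("tablet-A", "S12")) // <nil>: inside PZ-7
	fmt.Println(a.OperateDevice("tablet-A", "LC3")) // outside PZ-7
	fmt.Println(a.Release("PZ-7", "tablet-B"))       // not the owner
	fmt.Println(a.Release("PZ-7", "tablet-A"))       // <nil>
}
```

The ownership check keys on a terminal identity, so it is only as strong as the authentication of that identity on the link from the terminal to the apparatus; claims 3 and 4 say nothing about how the apparatus knows which terminal a command came from.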

5. The method of any one of the preceding claims, cyclically performing the checking of the correct operation of the terminal (300) by performing at least a diagnostic test, in particular cyclically checking the correct operation of at least one of the terminal components selected in the group of terminal components: video memory; RAM; terminal software; terminal hardware; communication block; in particular cyclically performing at least a diagnostic test selected in the group of diagnostic testing: SW and data diversity check, forced video refreshing, video memory runtime test, off-line/runtime graphics library test, control flow checking, status checksum, vitality; the method comprising the step of showing an error message on the terminal (300) or of disabling the operation of the terminal (300) in the event that the checking of the correct operation of the terminal (300) has failed, in particular in the event that one or more of the diagnostic tests have failed, and preferably of sending an alarm message to trains circulating in an area around the terminal (300), preferably so as to limit the speed of the trains or stop the train traffic, in particular in an area defined by a radius of a first value, preferably configurable; in particular comprising the step of sending cyclically to the apparatus (100) the result of the diagnostic testing, and preferably the apparatus (100) supervises the result of the diagnostic tests and, in the event of an incorrect operation of the terminal (300), sends an error message to the terminal (300) or disables the operation of the terminal (300) and preferably sends the alarm message to the trains circulating in the area around the terminal (300).
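The apparatus-side supervision of claim 5, as an added example in Go that is not part of the patent or of Hitachi Rail's code: each cycle the apparatus (100) receives the terminal's diagnostic results, disables the terminal when any required test fails or is missing, treats a silent terminal the same way (a terminal whose software has hung cannot report its own failure, so the "vitality" check has to be enforced from the apparatus side), and lists the trains within the configurable radius that must receive the alarm. The test names, the report format, the cycle timeout, the train positions and the haversine distance are assumptions; the terminal's own self-tests are not modelled.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// RequiredTests are the diagnostic tests of claim 5 that a terminal (300)
// must report as passed every cycle. The names, the report format and the
// supervisor below are assumptions for this illustration.
var RequiredTests = []string{
	"sw-data-diversity", "forced-video-refresh", "video-memory-runtime",
	"graphics-library", "control-flow", "status-checksum", "vitality",
}

// DiagnosticReport is one cyclic report from a terminal to the apparatus.
type DiagnosticReport struct {
	At      time.Time
	Results map[string]bool // test name -> passed
}

// Train is a circulating train with its position in WGS84 degrees.
type Train struct {
	ID       string
	Lat, Lon float64
}

// Decision is the apparatus (100) outcome for one terminal and one cycle.
type Decision struct {
	Disable     bool
	Reason      string
	AlarmTrains []string // trains within AlarmRadiusM to be slowed or stopped
}

// Supervisor is the apparatus side of claim 5: the terminal is disabled when
// a required test fails or is missing from the report, or when no report at
// all arrives within MaxCycle (a dead terminal cannot report its own failure).
type Supervisor struct {
	MaxCycle     time.Duration
	AlarmRadiusM float64 // the configurable radius of claim 5
	lastSeen     map[string]time.Time
}

func NewSupervisor(maxCycle time.Duration, alarmRadiusM float64) *Supervisor {
	return &Supervisor{MaxCycle: maxCycle, AlarmRadiusM: alarmRadiusM, lastSeen: map[string]time.Time{}}
}

// Evaluate handles one cycle for a terminal located at (lat, lon); r is nil
// when nothing was received this cycle.
func (s *Supervisor) Evaluate(terminal string, r *DiagnosticReport, now time.Time, lat, lon float64, trains []Train) Decision {
	if r == nil {
		if last, seen := s.lastSeen[terminal]; !seen || now.Sub(last) > s.MaxCycle {
			return s.disable("no diagnostic report within cycle", lat, lon, trains)
		}
		return Decision{}
	}
	s.lastSeen[terminal] = r.At
	for _, name := range RequiredTests {
		if passed, ok := r.Results[name]; !ok || !passed {
			return s.disable("diagnostic test failed: "+name, lat, lon, trains)
		}
	}
	return Decision{}
}

func (s *Supervisor) disable(reason string, lat, lon float64, trains []Train) Decision {
	d := Decision{Disable: true, Reason: reason}
	for _, t := range trains {
		if distanceM(lat, lon, t.Lat, t.Lon) <= s.AlarmRadiusM {
			d.AlarmTrains = append(d.AlarmTrains, t.ID)
		}
	}
	return d
}

// distanceM is the haversine great-circle distance in metres.
func distanceM(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371000 * math.Asin(math.Sqrt(h))
}

// allPassed builds a report body in which every required test passed.
func allPassed() map[string]bool {
	m := map[string]bool{}
	for _, n := range RequiredTests {
		m[n] = true
	}
	return m
}

func main() {
	s := NewSupervisor(2*time.Second, 2000)
	now := time.Date(2023, 5, 23, 10, 0, 0, 0, time.UTC)
	trains := []Train{{"T-101", 45.01, 9.0}, {"T-202", 45.5, 9.0}} // constructed positions
	fmt.Printf("%+v\n", s.Evaluate("tablet-A", &DiagnosticReport{At: now, Results: allPassed()}, now, 45.0, 9.0, trains))
	bad := allPassed()
	bad["video-memory-runtime"] = false
	fmt.Printf("%+v\n", s.Evaluate("tablet-A", &DiagnosticReport{At: now, Results: bad}, now, 45.0, 9.0, trains))
	fmt.Printf("%+v\n", s.Evaluate("tablet-A", nil, now.Add(5*time.Second), 45.0, 9.0, trains))
}
```

A missing test name is treated exactly like a failed one: a report that simply omits a test must not pass, otherwise a terminal that stops running a check would look healthy.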

6. The method of any one of the preceding claims, the method comprising the step of encrypting, preferably with a respective private key (KPR), the display message (MV) according to a first encryption procedure and obtaining a first encrypted display message (1MVC), and preferably sending the respective private key (KPR), preferably the first encryption procedure is performed by the apparatus (100); preferably the method comprising the step of providing a second encrypted display message by applying a second encryption procedure to the first encrypted display message (1MVC) to meet the communication protocol requirements of a communication network assembly (200) and/or part thereof coupling the terminal (300) to the apparatus (100), in particular, the communication network assembly (200) comprises at least one communication network (210) of a commercial type, preferably WI-FI with password, WI-FI MAX with password, GSM, GSM-R, TETRA, UMTS, LTE, GPRS, EDGE, and wherein preferably the second encryption procedure is defined according to the type of communication network assembly (200) and/or part thereof; preferably the second encryption procedure is performed by a communication module (104f) of the apparatus (100).

7. The method of claim 6, preferably comprising the step of performing a procedure of decrypting the second encrypted display message in accordance with the second encryption procedure and thereby obtaining the first encrypted display message (1MVC), preferably the procedure of decrypting the second encrypted display message is performed by a communication module of the terminal (300); the method comprising the steps of carrying out a decryption procedure of the first encrypted display message (1MVC) in accordance with the first encryption procedure, preferably after receiving the respective private key (KPR) and with the respective private key, preferably the decryption procedure of the first encrypted display message (1MVC) is carried out by a processing unit of the terminal (300); checking whether the decryption of the first encrypted display message has been successful; and the step of displaying on the screen (301) of the terminal (300) the display message if the decryption of the first encrypted display message (1MVC) has been successful, preferably the step of decrypting the first encrypted display message (1MVC) and checking the outcome of the decryption step is carried out by the terminal (300).

8. The method of claim 6 or 7, wherein the first encryption procedure comprises a first sub-step of encrypting the display message (MV) with a message private key (KPR) to obtain the first encrypted display message (1MVC) , preferably by means of a symmetric encryption procedure, in particular by means of the Advanced Encryption Standard (AES) protocol; and preferably a second sub-step of encrypting the message private key (KPR) with a public key (KPB) associated with said terminal (300) , preferably by means of an asymmetric encryption procedure, in particular through the RSA protocol and sending the preferably encrypted private key (KPB [KPR] ) together with the first encrypted display message (1MVC) ; wherein the procedure of decrypting the first encrypted display message (1MVC) preferably comprises a first sub-step of decrypting the encrypted private key of the message (KPB [KPR] ) with the private key (KPT) associated with said terminal (300) ; and a second sub-step of decrypting the first encrypted display message with the private key of the message (KPR) that has been decrypted.

9. The method of claim 8, wherein the control system (10) comprises a plurality of terminals (300_1-300_m) comprising said terminal (300), in particular one or more or all of the terminals of the plurality of terminals are mobile terminals, preferably the plurality of terminals (300_1-300_m) being coupled in communication with the apparatus (100); wherein each terminal (300_i) of the plurality of terminals (300_1-300_m) is associated with a respective public key (KPB_i) different from each public key (KPB_r) of each other terminal (300_r); and each terminal (300_i) stores a private key (KPT_i) of the terminal (300_i) associated with its own public key (KPB_i); preferably the method comprising the step of sending display messages (MV_i1-MV_nm) to the different terminals (300_1-300_m) and of using the respective public key (KPB_i) associated with the respective terminal (300_i) during the second sub-step of encrypting the private key (KPR_i) of the respective display message (MV_i1) addressed to said respective terminal (300_i) and preferably of using, for each terminal (300_i), the private key (KPT_i) stored by the respective terminal (300_i) to decrypt the encrypted private key (KPB_i[KPR_i]) of the display message (MV) of the respective terminal (300_i).

10. The method of any one of claims 6 to 9, further comprising the step of cyclically sending display messages (MV_1-MV_n) to said terminal (300) to update the information to be displayed on the screen (301) of said terminal (300), and wherein the step of encrypting comprises the step of cyclically creating different message private keys (KPR_1-KPR_n) and encrypting each display message (MV_i) with a respective message private key (KPR_i), and thus cyclically creating first encrypted display messages (1MVC_1-1MVC_n) with the respective message private key (KPR_i); the method includes cyclically sending the first encrypted display messages (1MVC_1-1MVC_n) and the respective private key of the message (KPR_i) for each first encrypted display message (1MVC_i); preferably the method comprising the steps of performing a decryption procedure for each first encrypted display message (1MVC_i) received via the respective private key of the message (KPR_i); checking for each first encrypted display message (1MVC_i) whether the decryption was successful and the step of displaying on the screen (301) of the terminal (300) the display message (MV_i) as long as the decryption of the first encrypted display message with the respective private key of the message is successful, preferably the decryption step of each first encrypted display message is carried out by the respective terminal (300), in particular by a processing unit of the terminal (300).

11. The method of claims 5 and 9, wherein in the event that the step of checking the correct operation of the terminal (300), by performing the at least one diagnostic test, is unsuccessful, the disabling of the operation of the terminal (300) is carried out by the step of interrupting the sending of the respective private message key (KPR_i), preferably encrypted with the public key of the terminal, so that the terminal (300) cannot decrypt the respective display message (MV).
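The hybrid scheme of claims 6 to 11 end to end, as an added example in Go that is not part of the patent or of Hitachi Rail's code: the display message MV is encrypted with a per-message symmetric key KPR (the claims call it a "private key"; it is an AES key), KPR is wrapped with the destination terminal's RSA public key KPB, each terminal holds its own KPT so a message addressed to terminal 1 cannot be read by terminal 2, a fresh KPR is drawn for every message, the terminal refreshes its screen only when decryption succeeds, and the apparatus disables a terminal by withholding the wrapped key. AES-GCM, RSA-OAEP with SHA-256, the 2048-bit key size, the Envelope layout and the sample message are assumptions; the claims name only AES and RSA. The second, transport-level encryption of claim 6 (the commercial network's own) is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one display message as the apparatus (100) sends it to a
// terminal (300): 1MVC plus the wrapped message key KPB[KPR]. The field
// layout, AES-GCM and RSA-OAEP are assumptions; the claims name only AES and RSA.
type Envelope struct {
	Nonce      []byte // GCM nonce, sent in clear
	Ciphertext []byte // 1MVC = AES-256-GCM(KPR, MV), authentication tag appended
	WrappedKey []byte // KPB[KPR] = RSA-OAEP(KPB, KPR); nil when withheld (claim 11)
}

// GenerateTerminalKeys makes one terminal's pair: KPT stays on the terminal,
// KPB (the public half) is registered with the apparatus.
func GenerateTerminalKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptDisplayMessage is the first encryption procedure of claim 8: a
// fresh random KPR per message (claim 10), MV encrypted with it, KPR wrapped
// for exactly one terminal's KPB (claim 9).
func EncryptDisplayMessage(mv []byte, kpb *rsa.PublicKey) (*Envelope, error) {
	kpr := make([]byte, 32)
	if _, err := rand.Read(kpr); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kpr)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kpb, kpr, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, mv, nil), WrappedKey: wrapped}, nil
}

// DecryptDisplayMessage is the terminal side of claims 7 and 8: unwrap KPR
// with KPT, then open 1MVC. The bool is the "decryption successful" check;
// the screen is refreshed only when it is true. GCM's tag makes a wrong key,
// a message meant for another terminal, or tampering fail explicitly.
func DecryptDisplayMessage(env *Envelope, kpt *rsa.PrivateKey) ([]byte, bool) {
	if env == nil || env.WrappedKey == nil {
		return nil, false // key withheld by the apparatus: terminal disabled
	}
	kpr, err := rsa.DecryptOAEP(sha256.New(), nil, kpt, env.WrappedKey, nil)
	if err != nil {
		return nil, false
	}
	block, err := aes.NewCipher(kpr)
	if err != nil {
		return nil, false
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false
	}
	mv, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, false
	}
	return mv, true
}

// Withhold is the apparatus reaction of claim 11 to a failed diagnostic
// test: 1MVC is still sent, KPB[KPR] is not.
func Withhold(env *Envelope) *Envelope {
	return &Envelope{Nonce: env.Nonce, Ciphertext: env.Ciphertext}
}

func main() {
	t1, _ := GenerateTerminalKeys()
	t2, _ := GenerateTerminalKeys()
	mv := []byte("PZ-7 ACTIVE; S12 RED; LC3 CLOSED") // constructed sample MV
	env, _ := EncryptDisplayMessage(mv, &t1.PublicKey)
	got, ok := DecryptDisplayMessage(env, t1)
	fmt.Printf("terminal 1: ok=%v mv=%q\n", ok, got)
	_, ok = DecryptDisplayMessage(env, t2)
	fmt.Printf("terminal 2 with its own KPT: ok=%v\n", ok)
	_, ok = DecryptDisplayMessage(Withhold(env), t1)
	fmt.Printf("terminal 1 after key withheld: ok=%v\n", ok)
}
```

One caveat a practitioner would want stated: as claimed, the scheme gives the terminal confidentiality, and the GCM tag gives integrity under KPR, but anyone holding the terminal's public key KPB can build an envelope the terminal will accept. The claims do not have the apparatus sign or otherwise authenticate the display message, so a deployment in which the displayed status is relied on for safety decisions would add an apparatus signature (or a MAC under a key the terminal shares only with the apparatus) over 1MVC and the wrapped key.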

12. The method of any one of the preceding claims, wherein the step of sending the first command comprises the step of sending a first instruction (I1), which identifies the action to be performed, preferably the instruction of a request or a release of a possession zone; preferably receiving, preferably from the apparatus (100), a second instruction (I2) containing the first instruction sent (I1) and a code (C) preferably generated by the apparatus (100), preferably the code (C) is formed by a plurality of digits and/or letters and/or characters and/or symbols and/or figures, in particular generated randomly; preferably displaying on the terminal (300) the second instruction received; preferably sending, from the terminal (300) to the apparatus (100), the code (C) received and again the first instruction (I1) received, preferably if the first instruction which was sent the first time coincides with the first instruction which was received; the method comprising the step of checking whether the first instruction which was received, preferably by the apparatus (100), the first time coincides with the first instruction which was received, preferably by the apparatus, the second time and whether the code which was sent, preferably by the apparatus (100), coincides with the code which was received, preferably by the apparatus (100), and if so, executing the first command, in particular said checking and/or said executing of the first command is carried out by the apparatus (100).

13. The method of claim 12, wherein the operator enters the first instruction (I1) on the terminal via an input user interface (302) of the terminal (300); displaying on a screen (301) of the terminal (300) the first instruction (I1) which was received together with the code (C) preferably received from the apparatus (100); entering the code (C) which was received and again the first instruction (I1) via the input user interface (302) of the terminal (300); receiving confirmation that the first command has been executed on the screen (301) of the terminal (300).
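The two-step confirmation of claims 12 and 13 on the apparatus side, as an added example in Go that is not part of the patent or of Hitachi Rail's code: the terminal sends I1, the apparatus answers with I2 = (I1, C) where C is random, the operator reads C off the screen and re-enters it together with I1, and the apparatus executes only when both the re-entered code and the re-entered instruction match what it challenged. The code alphabet and length, the one-shot consumption of a challenge, the expiry timeout and the constant-time comparison are assumptions; claims 12 and 13 do not specify them.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Instruction is I1 as entered by the operator on the terminal (300).
// Field names, the code alphabet and the timeout are assumptions.
type Instruction struct {
	Action string // e.g. "REQUEST_PZ", "RELEASE_PZ"
	Zone   string
}

// ChallengeMsg is I2 = (I1, C) as returned by the apparatus (100) for display.
type ChallengeMsg struct {
	Instruction Instruction
	Code        string
}

type pendingCmd struct {
	instr   Instruction
	code    string
	expires time.Time
}

var (
	ErrNoPending = errors.New("no outstanding challenge for this terminal")
	ErrExpired   = errors.New("challenge expired")
	ErrMismatch  = errors.New("code or instruction does not match the challenge")
)

// Confirmer is the apparatus side of claims 12-13: one outstanding challenge
// per terminal, a random one-shot code, execution only when both the
// re-entered code and the re-entered instruction match.
type Confirmer struct {
	TTL      time.Duration
	pending  map[string]pendingCmd
	executed []Instruction
}

func NewConfirmer(ttl time.Duration) *Confirmer {
	return &Confirmer{TTL: ttl, pending: map[string]pendingCmd{}}
}

// 32 symbols without 0/O and 1/I; 256 % 32 == 0, so byte modulo is unbiased.
const codeAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

func randomCode(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	for i := range b {
		b[i] = codeAlphabet[int(b[i])%len(codeAlphabet)]
	}
	return string(b), nil
}

// Challenge receives I1 from a terminal and returns I2 for display; an
// earlier unanswered challenge from the same terminal is replaced.
func (c *Confirmer) Challenge(terminal string, i1 Instruction, now time.Time) (ChallengeMsg, error) {
	code, err := randomCode(6)
	if err != nil {
		return ChallengeMsg{}, err
	}
	c.pending[terminal] = pendingCmd{instr: i1, code: code, expires: now.Add(c.TTL)}
	return ChallengeMsg{Instruction: i1, Code: code}, nil
}

// Confirm receives the re-entered (C, I1). The pending entry is consumed on
// every attempt, so a wrong code cannot be retried against the same C.
func (c *Confirmer) Confirm(terminal string, i1 Instruction, code string, now time.Time) error {
	p, ok := c.pending[terminal]
	if !ok {
		return ErrNoPending
	}
	delete(c.pending, terminal)
	if now.After(p.expires) {
		return ErrExpired
	}
	codeOK := subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) == 1
	if !codeOK || p.instr != i1 {
		return ErrMismatch
	}
	c.executed = append(c.executed, i1) // the first command is executed here
	return nil
}

// Executed lists the commands that passed confirmation.
func (c *Confirmer) Executed() []Instruction { return c.executed }

func main() {
	c := NewConfirmer(60 * time.Second)
	now := time.Now()
	i1 := Instruction{Action: "REQUEST_PZ", Zone: "PZ-7"}
	i2, _ := c.Challenge("tablet-A", i1, now)
	fmt.Printf("terminal shows: %+v\n", i2)             // operator reads C off the screen
	fmt.Println(c.Confirm("tablet-A", i1, "WRONG1", now)) // mismatch
	fmt.Println(c.Confirm("tablet-A", i1, i2.Code, now))  // no pending: consumed above
	i2, _ = c.Challenge("tablet-A", i1, now)
	fmt.Println(c.Confirm("tablet-A", i1, i2.Code, now)) // <nil>: executed
	fmt.Println(len(c.Executed()))
}
```

The re-entered instruction is compared as well as the code, which is the point of the claim: a wrong or altered I1 is rejected even with the right C, so a terminal that garbled or substituted the command between the two steps cannot get it executed.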

14. The method of any one of the preceding claims, further comprising the step of detecting the position of the operator preferably by means of a location device (303) ; and defining the display message (MV) to be sent to said terminal (300) based on the detected position, in particular the information contained in the display message (MV) is inherent to an area defined by a surrounding of the detected position; preferably the method comprises the step of checking whether the first command and/or the second command which was received from the terminal is related to said area and enables the execution of said first command and/or said second command only if the checking is successful.

15. The method of any of the preceding claims, wherein the terminal (300) is a mobile terminal of a commercial type and freely available commercially, in particular a COTS (Commercial Off-the-Shelf) mobile terminal, preferably of a size such that it can be hand held, preferably a tablet, in particular of a commercial type.

16. A control system for a railway transport system

(1) , wherein the control system (10) preferably comprises an apparatus (100) configured to control a railway network (2) , in particular to control the train operation on said railway network (2) , preferably the apparatus is a safety and/or vital apparatus type; and a terminal (300) , preferably of a mobile or fixed type, preferably the terminal (300) being coupled in communication with the apparatus (100) ; the control system (10) being configured to: receive a first command, preferably vital, from an operator by the terminal (300) ; execute the first command; send to the terminal (300) at least a display message (MV) containing information for the operator; display on a screen (301) of the terminal (300) the information of the at least one display message (MV) , in particular a screen illustrating the information contained in the display message (MV) ; preferably receive second commands from the terminal (300) comprising a command relating to the actuation of the at least one field or countryside device of the railway network

(2), preferably the at least one field or countryside device is selected from the group of field or countryside devices comprising: luminous signalling devices, turnout actuators, turnout stops, pedals, track circuits, level crossing barriers, pickets, and operate said field or countryside device; preferably the at least one display message (MV) comprising information about the status of the at least one operated field or countryside device and preferably the status of other field or countryside devices of the railway network; preferably displaying on the terminal screen a graphic symbol or graphic symbols showing the information of the display message (MV), in particular a graphic symbol or graphic symbols showing the status of said operated countryside or field device and preferably the status of other countryside or field devices of the railway network.

17. A railway transport system comprising the control system of claim 16 and the railway network (2), and preferably trains.

Description:
"A CONTROL METHOD FOR A CONTROL SYSTEM OF A RAILWAY TRANSPORT FACILITY AND SAID CONTROL SYSTEM OF A RAILWAY TRANSPORT FACILITY"

Cross-Reference to Related Applications

This Patent Application claims priority from Italian Patent Application No. 102022000010823 filed on May 24, 2022, the entire disclosure of which is incorporated herein by reference.

Technical Field

This invention concerns a control method for a control system of a railway transport facility and said control system of said railway transport facility .

As a result, the technical field of this invention is that of control systems for railway transport facilities .

Background

In particular, railway transport facilities comprising at least one central control post , also called central post , wherein an operator monitors and/or drives and/or controls and/or acts on the control system . In central control posts , there is a graphic interface that illustrates the information, preferably all the information, that concerns the railway network . In addition, in central control posts , there is an input interface that comprises a command device for receiving input commands from an operator .

The control system comprises at least one central apparatus that manages the passages of trains on the railway network based on the instructions loaded and the commands from the operator in the central post. In addition, the control system comprises peripheral control posts staggered along the path of the tracks and/or near the stations or near transfer areas. All the communications between the central apparatus, the peripheral control posts, and the countryside or field devices controlled by the central apparatus must have a high level of safety integrity, in particular be SIL 1 to SIL 4 certified. In the current state, the terminals that communicate with the central apparatus, for example peripheral post terminals, are expensive devices since they are proprietary and not commercial; this increases the costs of the control system.

One drawback of the prior art is that the commercial devices freely available on the market, called Commercial Off the Shelf (COTS) in English, for example commercial LCD monitors or tablets or palmtops, usually cannot connect to the central apparatus because they would not ensure the necessary SIL safety integrity requirements.

Summary

In general , one purpose of this invention is to provide a control method for a control system for a railway transport facility that reduces the drawbacks , highlighted here , in the prior art , for example it is simpler to produce and/or more economical , ensuring, at the same time , a high degree of reliability .

According to this invention, a control method for a control system for a railway transport facility, in accordance with Claim 1, is provided.

Another purpose of this invention is to provide a control system for a railway transport facility that reduces the drawbacks of the prior art .

According to this invention, a control system for a railway transport facility, in accordance with Claim 16, is provided.

Thanks to this invention, it is possible to use commercial terminals, for example commercial LCD monitors, in the peripheral post stations. In addition, it is possible to use mobile commercial terminals or tablets or palmtops to give to operators who carry out maintenance along the line, or to give to train drivers who travel on trains without a screen or in cases where the screen of the train (for example on very old trains) does not show all the information that train drivers need.

Brief Description of the Drawings

Additional features and advantages of this invention will be clear from the description that follows of a nonlimiting embodiment , with reference to the attached figures , in which :

- Figure 1 is a schematic view of a railway transport facility;

- Figure 2 is a schematic view of a procedure of a control system of the railway transport facility;

- Figure 3 is a view of a terminal of the control system;

- Figure 4 is a screen portion of the terminal of the control system;

- Figure 5 shows an encryption procedure of a display message;

- Figure 6 shows an encryption procedure of multiple display messages; and

- Figure 7 shows a procedure of multiple display messages for multiple terminals.

Description of Embodiments

With reference to Figure 1 , the reference number 1 denotes a railway transport facility comprising a railway network 2 that , in turn, comprises tracks 3 that extend along multiple paths P and passenger or goods stations (not illustrated) ; trains that move along the railway network .

In the whole discussion in this text , the term "railway" also means "tram" ; as a result , "railway network" also means a "tram network" , and "railway transport facility" also means a "tram transport facility" and "trains" also means "trams" .

In one optional , non-limiting embodiment of this invention, the tracks 3 are divided, in particular in terms of logics and control , into multiple track 3 sections .

The railway transport facility 1 comprises a control system 10 configured for activating and controlling the railway network 2, in particular the train traffic along the railway network 2 is activated and controlled by the control system 10. In addition, the railway network 2 comprises the countryside or field devices.

The control system 10 comprises at least one central, computerised apparatus 100 configured to control the railway network 2, in particular to control train traffic on said railway network 2, and wherein an operator monitors and/or drives and/or controls and/or acts on the central apparatus 100.

In one embodiment , the control system 10 comprises more than one central apparatus 100 , in particular for redundancy and/or disaster recovery functions .

In one optional , non-limiting embodiment , the control system 10 comprises several apparatuses 100 that define a distributed system, i . e . , several apparatuses 100 that are geographically distributed .

The central apparatus 100 comprises a graphic interface 101 that illustrates the information that concerns the railway network, in particular information selected from a group comprising: the occupation of each track 3 section by a respective train 5, the track 3 sections that are enabled for being travelled on by a train and the track 3 sections that are prohibited from being travelled on by a train, the status of a countryside or field device of the railway network 2 and/or information relating to the codifying of the track circuits and/or indications of freedom and travel on the route assigned to a train.

"Countryside or field device" means any device selected from the group of devices comprising : light signalling devices , turnout actuators , turnout stops , foot switches , track circuits , level crossing barriers , and pickets . In all cases , the list of countryside or field devices is not to be considered limiting .

In addition, the apparatus 100 comprises an input user interface 102 that comprises a command device for receiving input commands from an operator located in the central control post .

In one alternative embodiment , the graphic interface 101 and the input user interface 102 may be implemented from a single device , for example via a touch screen .

The central apparatus 100 comprises at least one data processing assembly 104. The processing assembly 104 is secure.

In particular, the processing assembly 104 has a secure and redundant architecture .

In one optional and non-limiting embodiment , the secure processing assembly 104 is a 2 on 2 ( 2oo2 ) architecture .

In one optional and non-limiting architecture , the central apparatus 100 comprises at least two processing assemblies 104 , in particular secure ones .

In one optional and non-limiting version, the processing assembly 104 preferably comprises at least two identical processing units 104a and 104b, which preferably communicate with each other . In some optional cases , there are three or four or more identical processing units .

In particular, in one optional and non-limiting embodiment, each input to the processing assembly 104 is processed, preferably contemporaneously, by at least two processing units 104a and 104b; in other words, each input is replicated and each copy of this input is given as input to the at least two processing units 104a and 104b, preferably in the same interval of time. The outputs of each processing unit 104a and 104b are verified by the processing assembly 104 to check whether in the same time interval the data received from the outputs of each processing unit 104a and 104b coincide with each other and, if they do, the processing assembly 104 provides as output the data received from one of the two outputs. If the outputs of the at least two processing units 104a and 104b do not coincide, the processing assembly 104 issues an error signal and disables the operation of the railway network 2, making the trains that are moving on it stop, safely, in particular in accordance with a predetermined procedure.

In one embodiment, the at least two identical processing units 104a and 104b communicate with each other and each processing unit 104a and 104b receives the outputs from the other processing unit 104b and 104a and each processing unit 104a and 104b checks that its output is equal to the output of the other processing unit 104b and 104a in the same time interval and, if they are, the processing assembly 104 or at least one of the at least two processing units 104a and 104b provides, as output, the data processed or, if they are not, issues an error signal and disables the operation of the railway network 2, making the trains that are moving on it stop, safely, in particular in accordance with a predetermined procedure.

In another, alternative embodiment to the previous optional and non-limiting embodiment of this invention, the processing assembly 104 comprises a comparison module 104c connected with the at least two processing units 104a and 104b to receive the outputs of the at least two processing units 104a and 104b. The outputs of each processing unit 104a and 104b are verified by the comparison module 104c to check whether in the same time interval the data received from the outputs of each processing unit 104a and 104b coincide with each other and, if they do, the processing assembly 104 provides as output the data received from at least one of the two outputs. If the outputs of the at least two processing units 104a and 104b do not coincide, the comparison module 104c issues an error signal and disables the operation of the railway network 2, making the trains that are moving on it stop, safely, in particular in accordance with a predetermined procedure.

In addition, in one preferred embodiment, the processing assembly 104 comprises a supervision block 104d that is intrinsically secure, called a "watchdog", which is in communication with the at least two processing units 104a and 104b and checks the correct operation of said at least two processing units 104a and 104b; if it determines a malfunction of at least one of the at least two processing units 104a and 104b, the supervision block 104d issues an error signal and the processing assembly 104 disables the operation of the railway network 2, making the trains that are moving on it stop, safely, in particular in accordance with a predetermined procedure.

In particular, the supervision block 104d is configured to detect one or more malfunctions selected from the group of malfunctions: stall of at least one of the at least two processing units 104a and/or 104b; infinite calculation cycle or other malfunctions that give rise to imprecise results of at least one of the at least two processing units 104a and/or 104b.

In one alternative embodiment, the supervision block 104d is omitted and each processing unit 104a and 104b supervises the at least one other processing unit 104a and 104b to detect one or more malfunctions selected from the group of: stall of at least one of the at least two processing units 104a and/or 104b; infinite calculation cycle or other malfunctions that give rise to imprecise results of at least one of the at least two processing units 104a and/or 104b. If at least one of the at least two processing units 104b and 104a detects a malfunction, it issues an error signal and the processing assembly 104 disables the operation of the railway network 2, making all the trains that are moving on it stop, safely, in particular in accordance with a predetermined procedure.

In addition, in one embodiment, the processing assembly 104 comprises at least one local communication network (not illustrated) and the at least two processing units 104a and 104b are coupled together via said local communication network.

In the embodiment comprising the comparison module 104c, said comparison module 104c is coupled in communication with the at least two processing units 104a and 104b via the local communication network.

In the embodiment with the supervision block 104d, said supervision block 104d is coupled in communication with the at least two processing units 104a and 104b via the local communication network.

In addition, the apparatus 100, in particular the processing assembly 104, comprises a memory 104e.

In particular, the memory 104e is coupled in communication with the at least two processing units 104a and 104b via the local communication network.

In addition, the processing assembly 104 comprises a communication module 104f connected to the local communication network and, via it, with the processing units 104a and 104b, to exchange data with the outside of the processing assembly 104.

In one optional and non-limiting embodiment, each processing unit 104a and 104b implements or comprises a communication module.

In one embodiment, a series of instructions for managing the railway network may be loaded into the memory 104e of the processing assembly 104 by connecting an external device. In one alternative embodiment, the instructions may be loaded into the memory 104e remotely via the communication module 104f.

In one alternative embodiment, the processing assembly 104 comprises at least two identical memories (not illustrated in the attached figures), one for each processing unit 104a and/or 104b, and the same data are loaded in the at least two memories, in particular the same series of instructions for managing the railway network. The secure processing assembly 104 manages the transits of the trains on the railway network based on the instructions loaded in the memory 104e and/or the commands received from the input interface 102 and/or the data received via the communication module 104f.

The processing assembly 104 manages the vital tasks and information of the railway network 2, in particular the tasks and information that may have an impact on safety.

The apparatus 100 ensures the management of correct train traffic, ensuring that on a certain segment of tracks there is only one train and the transit of another train is prevented.

The apparatus 100, in particular the processing assembly 104, ensures this function, having as input the instructions in the memory (also called the railway logic to be executed) and/or the status of the countryside or field devices and/or the commands of the input interface 102, and providing the outputs to the countryside or field devices of the railway network 2 or, more generally, to the components of the railway network 2, preferably to all the components of the railway network 2.

In one preferred embodiment, the apparatus 100 comprises a non-vital processing assembly 105 and a non-vital communication module 106 to manage non-vital tasks and information, i.e., those that do not impact safety.

The control system 10 comprises a communication network assembly 200. The communication network assembly 200 is, preferably, different from the local communication network defined above.

In particular, the communication network assembly 200 comprises a vital network 201 and/or a non-vital network 202, preferably of the Ethernet and/or wired type.

In particular, in one preferred, but non-limiting embodiment, it comprises a normal network and a redundant one. A vital network is defined as a network that enables the connection and communication between vital devices, i.e., those that contribute to implementing functions that potentially impact the safety of the operators or of the people that use the railway transport facility.

In general, a vital function of the control system 10 is a function that potentially has an impact on the safety of the operators or of the people who use or are in contact with the railway transport facility 1.

In addition, in particular, in one optional and non-limiting embodiment, the communication network assembly comprises at least one commercial wireless communication network 210.

As non-limiting examples, the wireless communication network 210 may be: WI-FI and/or WI-FI MAX and/or GSM and/or GSM-R and/or TETRA and/or LTE and/or GPRS and/or UMTS and/or EDGE.

In one preferred, but non-limiting embodiment, the wireless communication network 210 is preferably connected in series to the vital network 201 and/or to the non-vital network 202; preferably it is connected to the apparatus 100 through the vital network 201 and/or the non-vital network 202.

In another optional and non-limiting embodiment, the wireless communication network 210 is preferably connected in parallel to the vital network 201 and/or to the non-vital network 202; preferably it is connected to the apparatus 100 without using the vital network 201 and/or the non-vital network 202.

The control system 10 comprises at least one terminal 300, in particular a commercial terminal that is freely available on the market, in particular of the Commercial Off the Shelf type, also called COTS.

In one embodiment, the terminal 300 is a fixed terminal, for example a commercial PC connected to a commercial screen, for example an LCD or plasma screen, and to a commercial keyboard and/or with a touch screen.

In another embodiment, the terminal 300 is a commercial mobile terminal, for example a tablet or palmtop, in particular small enough that it can be held in the hand (a so-called hand-held terminal).

In particular, the terminal 300 is coupled in communication with the apparatus 100 via the communication network assembly 200.

When the terminal 300 is of the mobile type, it is preferably coupled in communication with the wireless network 210.

When the terminal 300 is of the fixed type, it is preferably coupled in communication with the vital network 201 and/or the non-vital network 202 and/or the wireless network 210.

The terminal 300 comprises a screen 301 for displaying information and an input user interface 302, for example a keyboard, so that an operator can enter commands or instructions or, in general, send data.

In one embodiment, the screen 301 and the input user interface 302 may be defined by a single device, for example a touch screen.

The terminal 300 and the apparatus 100 are in communication with each other via the communication network assembly 200.

The terminal 300 is configured to receive a first command from an operator via the input interface 302 and to send said first command to the apparatus 100; in turn, the apparatus 100 is configured to execute the first command.

The first command is preferably a vital command, in particular a type of command that acts on vital functions of the control system 10. In other words, it is a command that acts on functions that, potentially, may have an impact on the safety of the operators or of the people who use or are near the railway transport facility 1.

In addition, the apparatus 100 is configured to send to the terminal 300 at least one display message MV containing information to be shown to the operator via the screen 301.

In one preferred, but non-limiting, embodiment of this invention, the terminal 300 receives second commands from an operator, wherein the second commands comprise a command relating to the actuation of any one of the countryside or field devices as defined above, preferably different from the first command.

The terminal 300 sends these second commands to the apparatus 100 and the apparatus 100 actuates said countryside or field device.

In addition, the control system 10 authenticates different operators with different enabling codes and enables certain first or second commands based on the enabling code that has been used. In other words, the apparatus 100 holds different enabling codes in the memory to enable different operators. The operator must enter an enabling code in the terminal 300 to log on when they wish to start operating. The apparatus 100 selectively enables the request of certain first or second commands via the terminal 300 based on the enabling code used by the operator to log on.

In one preferred embodiment, the display message MV received by the terminal 300 comprises information relating to the status of an activated countryside or field device and, preferably, to the status of other countryside or field devices of the railway network. As a result, the terminal 300 shows on the screen 301 a graphic symbol or graphic symbols that show the information of the display message, in particular a graphic symbol or graphic symbols that show the status of said activated countryside or field device and, preferably, the status of other countryside or field devices of the railway network.

In one optional and non-limiting embodiment of this invention, the control system 10 is configured so that the first command is only implemented if another operator who is enabled to execute this first command, preferably an operator of the central post or an operator of a peripheral post different from that of the maintenance operator, enables it. In this embodiment, the apparatus 100, after having received the first command from the terminal and before executing it, asks the other operator to enable the execution of the first command; in particular, the apparatus 100 sends the enabling request to the other operator via the input interface 102 of the apparatus 100 and waits to receive, via the user interface of the apparatus 100, a third command that enables the execution of the first command. The apparatus 100 is configured to execute the first command only after being enabled to execute it, in particular via the third command.

In one preferred embodiment of this invention, sending the first command occurs through the following procedure: the operator sends, through the input user interface 302 of the terminal 300, a first instruction I1 that identifies the action to take; the apparatus 100 receives the first instruction I1 and sends to the terminal 300 a second instruction I2 containing the first instruction I1 sent by the terminal 300 to the apparatus 100 and a code C generated by the apparatus 100; preferably the code C is made up of multiple digits and/or letters and/or characters and/or symbols and/or figures, in particular generated randomly. The terminal 300 then displays the second instruction I2 received on the screen; the operator, if the first instruction sent the first time coincides with the first instruction received, sends back the code C received and, again, the first instruction I1 received, through the input interface 302 of the terminal 300. The apparatus 100 checks whether the first instruction I1 received the first time coincides with the first instruction I1 received the second time and whether the code C generated by the apparatus 100 coincides with the code C received by the apparatus 100. If the check is successful, the apparatus 100 actuates the first command and, preferably, the apparatus 100 sends a confirmation that the first command has been executed, to be shown on the screen 301 of the terminal 300.
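The confirmation procedure above (I1 from the terminal, I2 = I1 plus a random code C back from the apparatus, then I1 and C echoed by the operator before anything is actuated) is a read-back check against a corrupted or mis-routed vital command. The following Go program is an added example written for this page, not code from the application; the `Instruction` fields, the six-symbol code alphabet and the single-pending-request-per-terminal rule are constructed choices. It implements the apparatus side: a pending entry is consumed on every confirmation attempt, successful or not, so a wrong echo forces the operator to restart from I1 rather than retry the code.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Alphabet for the code C: 32 symbols, so a random byte reduced modulo 32 is
// unbiased, and easily confused glyphs (0/O, 1/I) are left out. Constructed choice.
const codeAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

// Instruction is the first instruction I1 as the terminal sends it. Fields are
// constructed for the example; string fields only, so that two instructions
// can be compared with ==.
type Instruction struct {
	TerminalID string
	Action     string // e.g. "POSSESSION_REQUEST"
	Target     string // e.g. a zone identifier
}

// SecondInstruction is I2: the echoed I1 plus the apparatus-generated code C.
type SecondInstruction struct {
	First Instruction
	Code  string
}

type pending struct {
	first Instruction
	code  string
}

// Apparatus keeps at most one unconfirmed first instruction per terminal.
type Apparatus struct {
	pending  map[string]pending
	executed []Instruction
	codeLen  int
}

func NewApparatus(codeLen int) *Apparatus {
	return &Apparatus{pending: make(map[string]pending), codeLen: codeLen}
}

func randomCode(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	for i := range b {
		b[i] = codeAlphabet[int(b[i])%len(codeAlphabet)]
	}
	return string(b), nil
}

// ReceiveFirst is steps 1 and 2: the apparatus stores I1 with a fresh random
// code C and returns I2 for the terminal to display. A new I1 from the same
// terminal replaces any earlier unconfirmed one.
func (a *Apparatus) ReceiveFirst(i1 Instruction) (SecondInstruction, error) {
	code, err := randomCode(a.codeLen)
	if err != nil {
		return SecondInstruction{}, err
	}
	a.pending[i1.TerminalID] = pending{first: i1, code: code}
	return SecondInstruction{First: i1, Code: code}, nil
}

// ReceiveConfirmation is steps 3 and 4: the operator sends back I1 and C.
// The command is actuated only when the echoed instruction equals the stored
// one and the code matches. The pending entry is consumed whatever the
// outcome, so a mismatch forces a restart from step 1.
func (a *Apparatus) ReceiveConfirmation(echo Instruction, code string) error {
	p, ok := a.pending[echo.TerminalID]
	if !ok {
		return errors.New("no pending first instruction for this terminal")
	}
	delete(a.pending, echo.TerminalID)
	if p.first != echo {
		return errors.New("echoed instruction differs from the one received first")
	}
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) != 1 {
		return errors.New("code C does not match")
	}
	a.executed = append(a.executed, echo) // actuation of the first command goes here
	return nil
}

// Executed returns the first commands actuated so far.
func (a *Apparatus) Executed() []Instruction { return a.executed }

func main() {
	app := NewApparatus(6)
	i1 := Instruction{TerminalID: "300-1", Action: "POSSESSION_REQUEST", Target: "zone Z1"}
	i2, err := app.ReceiveFirst(i1)
	if err != nil {
		panic(err)
	}
	fmt.Printf("terminal shows I2: %+v\n", i2) // operator reads I1 and C from the screen
	fmt.Println("wrong code:", app.ReceiveConfirmation(i1, i2.Code[:5]+"?"))
	i2, _ = app.ReceiveFirst(i1) // must restart after a failed confirmation
	fmt.Println("correct echo:", app.ReceiveConfirmation(i2.First, i2.Code), "executed:", len(app.Executed()))
}
```

The `?` in the wrong-code attempt is not in the alphabet, so that attempt is guaranteed to fail regardless of the code drawn; the check itself uses a constant-time comparison, which costs nothing here and is the habit to keep for any secret compared on a network-facing path.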

One of the functions executed by the control system 10 is the management of the so-called request or release of possession zones for delimiting a maintenance area. More specifically, when it is necessary to carry out maintenance works on the railway network 2, it is necessary to delimit a maintenance area, i.e., an area where workers will need to work and that, therefore, must be temporarily excluded from train traffic.

As a result, the term "possession zone" or "possession area" or "maintenance zone" or "maintenance area" means an area of the railway network that has been temporarily prohibited to train traffic.

In other words, a possession zone consists of one or more portions of track, not necessarily contiguous, wherein train traffic is disabled for the time that the operator requests, i.e., from when they make the possession zone request until when they make the request to release the possession zone, and wherein, preferably, only one authorised operator can perform specific actions.

The terminal 300, in particular when it is of the mobile type, is used to define the possession zone. In this embodiment, the first command comprises a request or a release of a possession zone, i.e., information indicating an area of the railway network 2 where train traffic is prohibited or enabled (possession zone request or release). As a result, the apparatus 100, when it receives the possession zone request or release, prevents or enables train traffic in the area identified by the first command. In this embodiment, the display message MV comprises the indication of the status of the possession zone, i.e. the indication of the area where railway traffic is prohibited or enabled, and, preferably, the indication of the status of at least one other area of the railway network; as a result, the terminal 300 shows on the screen 301, via a graphic representation, the status of the possession zone enabled or released, i.e. the status of the area where railway traffic is prohibited or enabled, and, preferably, the status of at least one other area of the railway network, in particular showing the status of the area where railway traffic is prohibited or enabled via a first colour and the status of at least one other area of the railway network via a second colour or with other graphic means (Figure 4).

In addition, when the apparatus 100 receives from the terminal 300 a first command requesting the release of a possession zone, it checks whether the terminal 300 from which the release command came is the same terminal 300 from which it had received the activation of that possession zone, and releases the possession zone only if this check is successful.

In particular, the apparatus 100, when a possession zone is requested, stores the possession zone that has been requested and associates said possession zone with an identification code of the terminal 300 that requested it.

In particular, the apparatus 100 thus has in its memory the list of each possession zone currently activated and, for each activated possession zone, the identification code of the terminal 300 that requested it.

When the apparatus 100 receives from the terminal 300 a first command requesting the release of a possession zone, the apparatus 100 checks whether the terminal 300 from which the release request arrived has the same identification code that is stored in the memory in association with the possession zone for which the release was requested; if this check is successful, the apparatus 100 releases the possession zone.

In this way, an operator different from the one who requested the possession zone is prevented from releasing it. In this way, the safety of the operator who works in a possession zone is improved.

In addition, in one preferred embodiment, the control system 10 is configured so that when a certain mobile terminal 300 has requested a possession zone through the first command, said mobile terminal 300 is enabled to request second commands relating only to the field devices or systems positioned within said possession zone. In other words, when the apparatus 100 receives a second command from the terminal 300, it checks whether this second command concerns a countryside or field device that is within the possession zone requested by said terminal and executes the second command only if so.

If the terminal 300 is mobile, in one optional and non-limiting embodiment of this invention, the control system 10 comprises a locator device 303 for locating the terminal 300. The locator device is, preferably, a satellite locator device of the terminal 300. Alternatively, the terminal 300 comprises an RFID tag that communicates its position to the locator device 303 of the control system.

The control system 10 detects the position of the operator via the locator device 303 and defines the display message MV to be sent to said terminal 300 based on the position detected; in particular, the information contained in the display message MV relates to an area defined by the surroundings of the position detected. These surroundings can preferably be configured; for example, the surroundings define an area that extends for 15 km, 10 km, 5 km or 3 km around the position detected. In other words, the terminal 300 shows on the screen said area around the position detected and/or the information relating to the countryside or field devices of said area. In one optional embodiment, the control system 10 verifies whether the first command and/or the second command received from the terminal relates to said area and enables the execution of said first command and/or said second command only if the check is successful.

For example, if the first command is the possession zone request or release, the control system 10, in particular the apparatus 100, before activating the possession zone, checks whether said possession zone is inside said area.
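The possession-zone rules spread over the preceding paragraphs (a zone is bound to the identification code of the requesting terminal; only that terminal may release it; second commands are accepted only for devices inside a zone the terminal holds; a request is refused when the zone lies outside the configured area around the terminal's detected position) fit naturally in one small state machine. The Go program below is an added example written for this page, not code from the application. It assumes a constructed planar layout in kilometres (`Point`, `segmentPos`, `deviceSeg`) in place of the locator device 303 and the real track topology, and treats the configurable surroundings as a circle of `radiusKm` around the detected position.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Point is a planar position in km (constructed; a real system would use
// the coordinates delivered by the locator device 303).
type Point struct{ X, Y float64 }

// Zone is a possession zone: one or more track segments, not necessarily contiguous.
type Zone struct {
	ID       string
	Segments []string
}

type possession struct {
	zone    Zone
	ownerID string // identification code of the terminal 300 that requested it
}

// Apparatus holds the field layout and the list of active possession zones.
type Apparatus struct {
	segmentPos map[string]Point  // constructed layout: centre of each segment
	deviceSeg  map[string]string // constructed: field device -> its segment
	active     map[string]possession
	radiusKm   float64 // configurable surroundings of the detected position
}

func NewApparatus(radiusKm float64, segmentPos map[string]Point, deviceSeg map[string]string) *Apparatus {
	return &Apparatus{segmentPos: segmentPos, deviceSeg: deviceSeg, active: map[string]possession{}, radiusKm: radiusKm}
}

// inArea checks that every segment of the zone lies within radiusKm of the
// position detected for the requesting terminal.
func (a *Apparatus) inArea(z Zone, pos Point) error {
	for _, s := range z.Segments {
		p, ok := a.segmentPos[s]
		if !ok {
			return fmt.Errorf("unknown segment %q", s)
		}
		if math.Hypot(p.X-pos.X, p.Y-pos.Y) > a.radiusKm {
			return fmt.Errorf("segment %q is outside the %.0f km area around the terminal", s, a.radiusKm)
		}
	}
	return nil
}

// RequestPossession records the zone and binds it to the requesting terminal.
func (a *Apparatus) RequestPossession(terminalID string, z Zone, pos Point) error {
	if _, exists := a.active[z.ID]; exists {
		return errors.New("possession zone already active")
	}
	if err := a.inArea(z, pos); err != nil {
		return err
	}
	a.active[z.ID] = possession{zone: z, ownerID: terminalID}
	return nil
}

// ReleasePossession succeeds only for the terminal recorded as the requester.
func (a *Apparatus) ReleasePossession(terminalID, zoneID string) error {
	p, ok := a.active[zoneID]
	if !ok {
		return errors.New("no active possession zone with this identifier")
	}
	if p.ownerID != terminalID {
		return errors.New("release refused: a different terminal requested this zone")
	}
	delete(a.active, zoneID)
	return nil
}

// holders lists the terminals whose active zones contain the segment.
func (a *Apparatus) holders(segment string) []string {
	var ids []string
	for _, p := range a.active {
		for _, s := range p.zone.Segments {
			if s == segment {
				ids = append(ids, p.ownerID)
			}
		}
	}
	return ids
}

// TrafficAllowed reports whether trains may run on a segment.
func (a *Apparatus) TrafficAllowed(segment string) bool { return len(a.holders(segment)) == 0 }

// CheckSecondCommand accepts a second command for a field device only if the
// device lies inside a possession zone held by the commanding terminal.
func (a *Apparatus) CheckSecondCommand(terminalID, deviceID string) error {
	seg, ok := a.deviceSeg[deviceID]
	if !ok {
		return fmt.Errorf("unknown field device %q", deviceID)
	}
	for _, id := range a.holders(seg) {
		if id == terminalID {
			return nil
		}
	}
	return errors.New("device is not inside a possession zone held by this terminal")
}

func main() {
	layout := map[string]Point{"T1": {0, 0}, "T2": {1, 0}, "T9": {40, 0}}
	devices := map[string]string{"switch-12": "T2", "signal-40": "T9"}
	app := NewApparatus(5, layout, devices)
	z := Zone{ID: "Z1", Segments: []string{"T1", "T2"}}
	fmt.Println("request by 300-A:", app.RequestPossession("300-A", z, Point{0.5, 0.2}))
	fmt.Println("traffic on T2:", app.TrafficAllowed("T2"))
	fmt.Println("switch-12 by 300-A:", app.CheckSecondCommand("300-A", "switch-12"))
	fmt.Println("signal-40 by 300-A:", app.CheckSecondCommand("300-A", "signal-40"))
	fmt.Println("release by 300-B:", app.ReleasePossession("300-B", "Z1"))
	fmt.Println("release by 300-A:", app.ReleasePossession("300-A", "Z1"), app.TrafficAllowed("T2"))
}
```

The terminal identification code is taken as given here; in the system described, the binding between the code and a physical terminal is what the enabling-code logon and the per-terminal key pair of the later encryption section provide.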

The control system 10 cyclically checks the correct operation of the terminal 300, making the terminal 300, or part thereof, execute at least one diagnostic test or part of a diagnostic test.

In one preferred embodiment, the terminal 300 cyclically checks the correct operation of at least one of the components of the terminal selected from the group of terminal components: video memory; RAM; terminal software; terminal hardware; or communication block. In particular, the terminal cyclically executes at least one diagnostic test selected from the group of diagnostic tests: SW and data diversity check, forced video refresh, video memory runtime test, graphics library runtime/offline test, control flow check, status checksum, or vitality. The terminal 300 sends the outcome of the check and, in particular, of the at least one diagnostic test to the apparatus 100. An error message appears on the terminal 300 or the operation of the terminal 300 is disabled in the event that the check of the correct operation of the terminal is not successful, in particular if the at least one diagnostic test is not successful.

In particular, the terminal 300 itself makes an error message appear, or the apparatus 100 sends an error message to the terminal 300 and/or disables the operation of the terminal 300.

In one embodiment, the display message MV is sent in encrypted form; in particular, the display message is encrypted based on a first encryption procedure to obtain a first encrypted display message 1MVC, preferably with the first encryption procedure carried out by the apparatus 100. In this embodiment, the terminal 300 receives the first encrypted display message 1MVC and carries out a procedure of decrypting the first encrypted display message 1MVC in accordance with the first encryption procedure; in particular, this decryption procedure is carried out by a processing unit of the terminal 300. The terminal 300 checks whether the decryption of the first encrypted display message 1MVC was successful and enables the display of the display message on the screen 301 only if the decryption of the first encrypted display message 1MVC was successful. In particular, the step of decrypting the first encrypted display message 1MVC and the step of checking the outcome of the decryption are carried out by the terminal 300.

In particular, with reference to Figure 5, the first encryption procedure comprises a first sub-step of encrypting the display message MV with a message private key KPR to obtain the first encrypted display message 1MVC, preferably via a symmetric encryption procedure, in particular via the Advanced Encryption Standard (AES) protocol; and preferably a second sub-step of encrypting the message private key with a public key KPB associated with said terminal 300, preferably via an asymmetric encryption procedure, in particular via the RSA protocol; and sending the encrypted private key KPB[KPR] together with the first encrypted display message 1MVC. The procedure of decrypting the first encrypted display message 1MVC comprises, preferably, a first step of decrypting the encrypted message private key KPB[KPR] with the private key KPT associated with said terminal and a second step of decrypting the first encrypted display message 1MVC with the message private key KPR thus decrypted.

Encrypting the message private key with the public key of the terminal 300 also makes it possible to be sure that the message will only be decrypted by the terminal 300 for which it was created, thus avoiding that said message may be decrypted by another terminal 300 (in the embodiment in which multiple terminals 300 are present) to which it was erroneously delivered. Thanks to this mechanism, there is the certainty that the terminal 300 will only display the display message MV prepared and directed to said terminal 300, increasing the reliability of the image displayed.

In one embodiment, wherein the control system 10 comprises just one terminal 300, in an optional and non-limiting embodiment, the step of encrypting the message private key KPR with the public key KPB and the subsequent step of decrypting the encrypted private key KPB[KPR] may be omitted.

In one preferred embodiment, with reference to Figure 6, the apparatus 100 cyclically sends display messages MV_1 to MV_n to said terminal 300 to update the information to be displayed on the screen 301 of said terminal 300, in particular to update the status of the countryside or field devices displayed on the screen 301 and/or other vital information. In this embodiment, the first encryption sub-step involves the step of cyclically creating different message private keys KPR_1 to KPR_n for the messages MV_1 to MV_n and encrypting each display message MV_1 to MV_n with the corresponding message private key KPR_1 to KPR_n, thus cyclically creating first encrypted display messages 1MVC_1 to 1MVC_n, each obtained by encrypting the corresponding display message MV_i with the corresponding message private key KPR_i.

The apparatus 100 cyclically sends to the terminal 300 the first encrypted display messages 1MVC_1 to 1MVC_n and the corresponding message private key KPR_1 to KPR_n for each first encrypted display message 1MVC_1 to 1MVC_n.

The terminal 300 carries out a procedure of decrypting each first encrypted display message 1MVC_i received with the corresponding message private key KPR_i received; it checks for each first encrypted display message 1MVC_i whether the decryption was successful; and updates the display on the screen of the terminal 300 with the updated display message MV_i as long as the decryption of the first encrypted display message 1MVC_i with the corresponding message private key KPR_i is successful; preferably the decryption step of each first encrypted display message 1MVC_i is carried out by the corresponding terminal 300_i. Thanks to this invention, it is certain that the screen 301 of the terminal 300 is always updated, given that each display message MV_i cyclically sent is encrypted with a different message private key KPR_i.

In one preferred embodiment, the control system 10 comprises multiple terminals 300_1 to 300_m coupled in communication with the apparatus 100. In particular, one or some or all of the multiple terminals 300_1 to 300_m are mobile terminals. In this embodiment, each terminal 300_l of the multiple terminals 300_1 to 300_m is associated with a corresponding public key KPB_l that is different from the public keys KPB_1 to KPB_m of the other terminals 300_1 to 300_m, and each terminal 300_l possesses, in its memory, a private key KPT_l of the terminal 300 associated with its public key KPB_l.

The apparatus 100 has stored, in particular in the memory 104e, the public keys KPB_1 to KPB_m of each terminal 300_1 to 300_m. In particular, the apparatus 100 cyclically sends display messages MV_1^1 to MV_n^m to the different terminals 300_1 to 300_m; in particular, to each terminal 300_l the display messages MV_1^l to MV_n^l for said terminal 300_l are cyclically sent, which may be different from or equal to the display messages MV_1^r to MV_n^r cyclically sent to another terminal 300_r other than said terminal 300_l.

In this embodiment, the first encryption procedure stipulates that, for each terminal 300_l, each display message MV_i^l directed to each terminal 300_l is first encrypted with the corresponding message private key KPR_i^l, preferably via a symmetric encryption procedure, in particular via the Advanced Encryption Standard (AES) protocol; and, subsequently, the corresponding message private key KPR_i^l is encrypted with the public key KPB_l associated with each terminal 300_l, preferably via an asymmetric encryption procedure, in particular via the RSA protocol.

In addition, the control system 10, in particular the apparatus 100, cyclically sends the respective encrypted message private key KPB_l[KPR_i^l] together with the corresponding first encrypted display message 1MVC_i^l to each terminal 300_l.

The procedure of decrypting each encrypted display message 1MVC_i^l comprises, preferably, a first step of decrypting the corresponding encrypted message private key KPB_l[KPR_i^l] with the private key KPT_l associated with said terminal 300_l and a second step of decrypting the first encrypted display message 1MVC_i^l with the message private key KPR_i^l thus decrypted and, thus, obtaining the message MV_i^l. Thanks to this invention, it is certain that the display message MV_i^l displayed on each terminal 300_l is always updated, is the one directed to that terminal 300_l, and that there was no error in the delivery of the display message.

In addition, in one preferred embodiment, in the event that the above-illustrated step of checking the correct operation of the terminal 300_l, executing the at least one diagnostic test, was not successful, the operation of the terminal 300_l is disabled through the step of stopping sending the corresponding message private key KPR_i^l, preferably the corresponding encrypted message private key KPB_l[KPR_i^l], so that the corresponding display message MV_i^l cannot be decrypted. In particular, the apparatus 100 checks the outcome of the at least one diagnostic test by the terminal 300_l and, in the event of the failure of the at least one diagnostic test, interrupts sending the corresponding message private key KPR_i^l, preferably the encrypted message private key KPB_l[KPR_i^l], to the terminal 300_l.
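The scheme of Figures 5 and 6 and of the paragraphs above is a hybrid envelope: a fresh symmetric message key KPR_i per cycle, the message sealed with it (AES), the key wrapped with the terminal's public key KPB_l (RSA), and, as the disabling step, simply withholding the wrapped key after a failed diagnostic test. The Go program below is an added example written for this page, not code from the application; it uses the Go standard library's AES-GCM for the message and RSA-OAEP for the key wrapping (the application names AES and RSA but no mode or padding, so these are the example's choices), and `diagnosticOK` stands in for the outcome of the terminal's cyclic self-test. It shows the three properties the text claims: a message addressed to terminal 300_1 cannot be decrypted by terminal 300_2, a terminal whose key is withheld keeps its previous image rather than showing anything new, and a key from an earlier cycle cannot open a later message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the apparatus sends in one cycle: 1MVC_i (AES-GCM
// ciphertext, nonce prepended) and KPB_l[KPR_i] (the message key wrapped
// with the terminal's RSA public key, OAEP); WrappedKey is nil when withheld.
type Envelope struct {
	Ciphertext []byte
	WrappedKey []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not be worked around
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send is the apparatus side (100) for one cycle: a fresh KPR_i is drawn,
// MV_i is sealed with it and KPR_i is wrapped with the terminal's KPB_l.
// If the terminal's last diagnostic test failed (diagnosticOK == false) the
// ciphertext is still produced but the key is withheld.
func Send(terminalPub *rsa.PublicKey, diagnosticOK bool, mv []byte) (Envelope, error) {
	kpr := randomBytes(32) // AES-256 message private key, new every cycle
	gcm, err := newGCM(kpr)
	if err != nil {
		return Envelope{}, err
	}
	nonce := randomBytes(gcm.NonceSize())
	env := Envelope{Ciphertext: gcm.Seal(nonce, nonce, mv, nil)}
	if diagnosticOK {
		env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, terminalPub, kpr, nil)
	}
	return env, err
}

// Terminal is the terminal side (300_l): it holds KPT_l and the message
// currently shown on its screen.
type Terminal struct {
	priv      *rsa.PrivateKey
	Displayed []byte
}

func NewTerminal() (*Terminal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Terminal{priv: priv}, nil
}

func (t *Terminal) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Receive unwraps KPR_i with KPT_l, then opens 1MVC_i. The screen changes
// only when both steps succeed; otherwise the previous image is kept.
func (t *Terminal) Receive(env Envelope) error {
	if env.WrappedKey == nil {
		return errors.New("no message key received: display not updated")
	}
	kpr, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, env.WrappedKey, nil)
	if err != nil {
		return errors.New("key unwrap failed: message not addressed to this terminal")
	}
	gcm, err := newGCM(kpr)
	if err != nil {
		return err
	}
	ns := gcm.NonceSize()
	if len(env.Ciphertext) < ns {
		return errors.New("malformed envelope")
	}
	mv, err := gcm.Open(nil, env.Ciphertext[:ns], env.Ciphertext[ns:], nil)
	if err != nil {
		return errors.New("message decryption or authentication failed")
	}
	t.Displayed = mv
	return nil
}

func main() {
	t1, _ := NewTerminal()
	t2, _ := NewTerminal()
	env, _ := Send(t1.PublicKey(), true, []byte("zone Z1: traffic prohibited"))
	fmt.Println("300_1:", t1.Receive(env), string(t1.Displayed))
	fmt.Println("300_2 (misdelivered):", t2.Receive(env))
	env, _ = Send(t1.PublicKey(), false, []byte("cycle 2")) // diagnostic test failed
	fmt.Println("key withheld:", t1.Receive(env), string(t1.Displayed))
}
```

Using an authenticated mode (GCM) is what makes "decryption was successful" a meaningful check: with an unauthenticated mode a wrong or stale key would yield garbage that decrypts without error, and the terminal could not tell a stale image from a fresh one. The example also keeps the previous image on any failure rather than blanking the screen, which matches the text; whether a stale image should instead be cleared after some number of failed cycles is a choice the page leaves open.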

In one optional and non-limiting embodiment, the display messages MV_i^1 to MV_i^m sent in an n-th interval of time to the terminals 300_1 to 300_m are equal; in this embodiment, the message private keys KPR_i^1 to KPR_i^m in the n-th interval are equal.

In one preferred embodiment, the display message MV, during the journey from the apparatus 100 to the terminal 300, crosses the wireless communication network 210, which in one preferred embodiment uses a transmission protocol that involves the encryption of data, for example one or more of the following networks: WI-FI with the use of passwords, WI-FI MAX with the use of passwords, GSM, GSM-R, TETRA, UMTS, LTE, GPRS, EDGE. In this case, each first encrypted display message 1MVC is further encrypted through a second encryption procedure defined based on the type of wireless communication network 210 and/or part of it, to meet the encryption requirements of the communication protocol of the wireless communication network 210 that couples the terminal 300 to the apparatus 100. In this embodiment, once the second encrypted display message has reached the mobile terminal 300, a procedure of decrypting the second encrypted display message occurs, in accordance with the second encryption procedure, and thus the first encrypted display message 1MVC is obtained. In one preferred embodiment, the procedure of decrypting the second encrypted display message is carried out by a communication module of the terminal 300.

In addition, in one preferred embodiment, the terminal 300 sends the first command and/or the second command to the vital processing assembly 104 and receives the display message MV from the vital processing assembly 104. In addition, the terminal 300 exchanges non-vital data with the non-vital processing assembly 105, preferably without carrying out the encryption described for the display message MV.

In addition, the control system 10 comprises multiple peripheral control posts (not illustrated), each of which is staggered along the path of the tracks or near the stations or near transfer areas and comprises, preferably, a peripheral operator station. The terminal 300 may be a terminal of the peripheral control post that shows the operator of the peripheral control post the information of an area of the railway network. For example, through the screen 301 of the terminal 300, an operator of the peripheral post may see the status of the railway network adjacent to said peripheral control post. In addition, the operator, through the terminal 300, can see the status of the railway network 3, preferably the status of a portion of the railway network 3 adjacent to said peripheral control post.

The advantage of the use of mobile terminals 300, as mentioned above, is to manage the possession zones to carry out maintenance of the countryside or field devices and/or of the central post and peripheral post sub-systems. The system thus enables different operators to manage the maintenance areas via the corresponding mobile terminal 300 and to operate locally for the maintenance of the components of the control system 10, directly via the applications present on the terminal provided. In addition, via the mobile terminal 300, the operator has a mobile command post from which it is possible to impart commands for taking possession of maintenance areas and, more generally, to send specific commands for the diagnostics and monitoring of countryside or field devices. The solution enables the use of pre-existing or new network infrastructure without special associated security requirements (open networks). Via the mobile terminal 300, the operator can request the management of a possession zone and, after confirmation, proceed with the specific works. In the same way, the release of the possession zone can be requested and confirmed by the apparatus 100. In particular, the release of the possession zone may be requested only through the terminal 300 with which it was requested.

In general, when the terminal 300 comprises the touch screen, the terminal 300 may be used as a tool to send and receive commands via a functionality wherein the operator can directly select the objects represented on the terminal, in particular on the touch screen, and send commands easily and intuitively.

The control system 10 makes it possible to arrange the configured commands and to support the operator in the graphic selection of the countryside or field devices. On the terminal 300, in particular on the mobile terminal, the second commands may also be diagnostic controller commands for the components of the Peripheral Post apparatus (supply diagnostics, Area Controller, Device Controllers, Cable Insulation Check, fan diagnostics). This tool makes it possible to operate locally by sending the diagnostic commands through the mobile terminal to carry out specific works. The use of this application makes it possible to reduce the recovery times, thanks to the management of all the maintenance operations locally, near the field device or system (without the need for communication with the cabin). On the terminal, it is also possible to monitor, in real time, the status of the system alarms, to the advantage of an immediate perception of the status of the system during the maintenance/repair operations. This enables a reduction in the time for resolving problems and recovery, since the alarms can be displayed directly near the apparatus to be maintained.

There are additional advantages both in terms of dividing the responsibilities of different divisions on the same line, and in terms of safety since, for example, a turnout will only be manoeuvred by maintenance workers physically present on site, with a reduction in the risks of remote communication and, thus, of manoeuvres made from the cabin that may put people on the spot in danger.

In another embodiment, the mobile terminal 300 may be given to a train driver on board the train who, for example, drives a train without a screen or whose screen (for example in very old trains) does not show all the information the train driver needs. In this case, the train driver may receive from the mobile terminal 300 all the updated information relating to the portion of railway network 2 that the train is travelling along. In this case, the embodiment with the satellite locator device, wherein the apparatus 100 processes the display messages MV to be sent to said terminal 300 also based on the position detected for said terminal 300, may be very useful. For this purpose, in one optional and non-limiting embodiment, the mobile terminal 300 is used preferably only to display the display messages MV and not to issue first and second commands.

Lastly, it is clear that modifications and variations may be made to the apparatus and method described herein without departing from the scope of the present invention as set forth in the claims.