Fault-safety technology for PLC programmable controllers in the control circuit of controllable parking machines.
Keywords: PLC (Programmable Logic Controller); Controllable Parking System; Control Circuit.

A PLC is a programmable controller with an integrated CPU and system bus. It is small, light, easy to install and strongly resistant to interference, which makes it highly convenient for implementing the logical functions required by industrial processes and machinery. Its logical functions can also be changed through reprogramming to meet new demands. PLCs are already widespread in industrial control, and users generally find it relatively easy to meet common technical requirements with them. PLCs are also used in the railway signaling field, mainly in equipment with relatively simple control and less stringent requirements, such as derailers and parking devices. In practice they have replaced a large number of safety relays, saving investment, reducing size, and offering convenient and flexible control; the overall effect is good. However, these applications either rely on the high reliability of the PLC in place of fault-safe technology, or their fault-safe circuitry is incomplete. In fact, how to apply fault-safe technology to PLC control circuits is currently the biggest obstacle to the use of PLCs in railway signaling. This article discusses several issues in the practical application of PLCs to controllable parking device control systems based on the fault-safe principle.
1. Fault-Oriented Problem of Controllable Parking Systems

A controllable parking system, as the name suggests, is one whose state is controlled according to operational needs. It comes in various forms: electric, hydraulic, pneumatic, or a combination of these. Regardless of the form, it uses braking and releasing states to meet the requirements of parking cars and pulling trains. However, it is not enough for a controllable parking system to simply perform these actions; it must also have a reasonable fault-safe orientation. This requires us to determine a reasonable fault orientation for the controllable parking system based on the fault-oriented safety principle before designing a reasonable control system. Therefore, we first discuss the fault-safe orientation problem of controllable parking systems.
First, we determine the fixed and reverse positions of the two-position operation of the controllable parking device. In normal use, the controllable parking device is in the braking state. In this state, the parking line exit is always closed. Even if a vehicle mistakenly enters, whether or not the parking line entrance signal is open, the vehicle will be stopped within the parking line warning marker. We define the braking state of the controllable parking device as the fixed position (positioning) and the released state as the reverse position. This has been agreed upon in the actual application of controllable parking devices in marshalling yards such as Shenxi, Zhengzhou, and Sujiatun. Furthermore, we make an assumption here: the controllable parking device can effectively stop vehicles within the parking line warning marker when various vehicles are released at the prescribed speed (the reason for this assumption will be explained later).

Under the above premise, let us examine the fault orientation of the controllable parking devices currently in use. In actual use at marshalling yards such as Shenxi and Sujiatun, the fault orientation of controllable parking devices is toward positioning. That is, when a fault occurs, the controllable parking device relies on its own structural power to maintain or return to positioning (some controllable parking devices do not consider fault orientation at all). We can analyze the fault orientation process based on the general working principle of controllable parking devices. Those currently in use generally have their own structural power, such as springs or accumulators, which provides the braking force in the positioning state and brakes the rolling vehicles; when a train is pulled out, external energy is used to overcome this structural power and release the parking device, allowing the train to pass unimpeded.
Now, assume that the controllable parking system malfunctions while vehicles are rolling in and the system is in its positioning state. In this case, the controllable parking system relies on its own structural power; without external intervention, it remains in its positioning state, and the rolling vehicle still stops reliably. Next, assume that the controllable parking system malfunctions while it is in its reverse position. In this case, the system relies on external force to stay released. Therefore, when the system malfunctions, the external force disappears, the system's own structural power takes over, and it returns to its positioning state. Is this reasonable? Does it conform to the principle of fail-safe operation? To answer, we continue the fail-safe analysis and consider the consequences for the train and equipment when the controllable parking system malfunctions:

1. When the controllable parking system is in its positioning state and vehicles are rolling in. During vehicle rolling and normal operation, the controllable parking system is already in its positioning state according to the signal tower's control commands. If the controllable parking system malfunctions at this time, it still remains in its positioning state by relying on its own structural power, and the rolling vehicle stops as required.
2. When the controllable stop device is in the reverse position and the train is being pulled out. The controllable stop device has been released to the reverse position according to the control command from the signal tower, and the train is pulled out at normal speed. If the controllable stop device malfunctions at this time and it can effectively stop the train, meaning its braking force is large enough, this could cause accidents ranging from a minor stop to train derailment or damage to the stop device.
The analysis shows that the fault orientation in the first state is correct, while the fault orientation in the second state is actually incorrect. So why do controllable train stoppers rarely cause train derailment or damage to the stopper in actual use? Based on the experience of marshalling yards like Shenxi, there are two main reasons.

First, the probability of a fault occurring in this situation is low. The controllable train stopper is in the positioning state for over 95% of the time, and the time spent pulling the train in the reverse position is even less, so the probability of a fault occurring in the reverse position is relatively low. In actual use, faults mostly occur during the transition between the two positions. At that time, the train has been marshalled and is ready to be pulled, or the cars have not yet been rolled. The aforementioned accidents generally do not occur at this time.
Second, the controllable stop has insufficient braking force. A typical controllable stop allows the train to be pulled out at speeds of 5 km/h or even higher (Note 1). In this state, when the controllable stop follows its fault orientation, neither the train nor the stop will have any problems.
Despite this, potential safety hazards still exist, indicating that the braking force of the controllable parking system is still insufficient, which is why the assumptions made earlier were necessary. To address this issue, some marshalling yards have adjusted the longitudinal profile to increase the reverse slope. However, during operation, it's still unavoidable that some rolling cars, especially high-energy, thin-wheeled, or oil-tank cars, will cross the warning markers or enter the section. How can we ensure effective stopping by the controllable parking system while eliminating potential safety hazards? We have adopted technical measures to ensure reasonable stress on all parts of the vehicle, thereby increasing the braking force of the controllable parking system and guaranteeing effective stopping.
At the same time, the fault guidance of the controllable parking device will be changed—the second fault guidance will be changed to reverse guidance. That is, if the controllable parking device malfunctions while it is in the positioning state, it will remain in the positioning state to prevent the vehicle from rolling away.
When the controllable stop device is in the reverse position, if it malfunctions, it will remain in the reverse position, allowing the train to pass unimpeded. This prevents the train from being jammed or derailed and the stop device from being damaged. We now go through the cases again under the new fault orientation.

1. The controllable stop device is in the positioning state. The fault orientation remains positioning. This has already been discussed, and the conclusion is unchanged.
2. The controllable stop device is in the reverse position. The fault orientation is the reverse position, allowing the train to continue passing unimpeded.
3. The controllable stop device is in the transition from positioning to reverse. Before the train is pulled, the controllable stop device releases to the reverse position according to the signal tower control command. If it malfunctions at this time, failing to release or releasing incompletely, the system issues a fault message, which prevents the signal on that line from being opened and stops the train from departing. After the fault is cleared, the train can depart without causing an accident.
4. The controllable stop device is in the transition from reverse to positioning. After the train is pulled out, the controllable stop device returns to positioning according to the signal tower control command. If it malfunctions at this time, and positioning cannot be restored or is not restored properly, the system also issues a fault message, blocks the final branch switch at the entrance, and prohibits vehicles from rolling onto that line. This prevents a released vehicle from crossing the warning marker or rushing into the section.
In summary, according to the new fault-oriented principle of the controllable parking system, under no circumstances will a traffic accident be caused by a malfunction of the controllable parking system. Therefore, we can fully describe the fault-oriented principle of the controllable parking system as follows: When a malfunction occurs, the fault-oriented principle is to maintain the state of the controllable parking system after completing the signal tower control command.
2. Controllable Parking Unit PLC Control Circuit

Based on the new fault-oriented principle of controllable parking units and combined with the requirements of modern marshalling yard operations, the control system of the controllable parking unit must not only meet the parking unit's operational requirements but also adapt to the automation requirements of the hump yard. Based on these requirements, we determined the design concept of the controllable parking unit control system as follows: simple structure, convenient use and maintenance, reduced initial investment and operation and maintenance costs; adaptable to various structural and power forms of controllable parking units; possessing signal safety circuit functionality, meeting the fault-oriented safety requirements of controllable parking units; and capable of being integrated into the tail interlocking system or used independently as a system.
Under the premise of meeting these requirements, through scheme comparison, we selected a controllable parking machine control system with a PLC programmable controller as the core component. As we mentioned earlier, the PLC programmable controller itself does not have fail-safe functions.
Although the PLC programmable controller has a memory unit, its output will all return to zero when the machine is powered off or an alarm is triggered (self-diagnostic error). Therefore, it is necessary to combine the fault-safe technology of the PLC programmable controller's control circuit with the fault-safe technology of the controllable parking device's structure to achieve the fault-safe technology of the PLC programmable control system for the controllable parking device.
Following this approach, the controllable parking device control circuit should meet the following technical requirements:

1. The starting circuit and indicator circuit are safety circuits with comprehensive protection;
2. When the controllable parking device control circuit malfunctions, it should maintain the state after executing the signal tower control command;
3. When the controllable parking device starts, the indicator circuit should be disconnected first;
4. When the controllable parking device switches positions, the indicator circuit should not have any output;
5. After the controllable parking device switches to the correct position, the motor circuit should be disconnected;
6. When the controllable parking device protection device operates or when the power source fails, an alarm should be triggered;
7. Ensure that the controllable parking device can freely switch between automatic and manual control;
8. The positioning interlocking conditions and the reverse position interlocking conditions are different;
9. The circuit should not malfunction during power switching;
10. The starting circuit should have maintenance control conditions.
The actuators in Table 1 of the computer system communication terminal can be either pilot valves or electric motors. The circuit is drawn for pilot-valve control.
The interlocking strip of the pumping station (Figure I) shows that in the actual circuit, part of the circuit and the starting circuit are combined. The parking device is also equipped with a parking device starting relay TQ and an automatic switch. TQ and the automatic switch together complete the stationary and reverse position control of the parking device; the position indication of the parking device is also given through the stationary and reverse position indication contacts of the automatic switch. TQ uses a safety-type polarity holding relay, the purpose of which is to meet the requirements of the second technical requirement. The position of TQ is given according to the intention of the signal tower operator; the parking device can only give a correct indication when it operates according to the signal tower operator's intention.
The sequence of actions of the starting circuit is as follows (assuming the parking device is in the stationary position). After the control console issues a command to reverse the polarity of TQ, the circuit that was previously disconnected by the automatic switch is reconnected: TZ―TQ(F)―XI―F (actuator)―FD―X2―TQ(F)―TF. The parking device then changes from the stationary position to the reverse position. The sequence of actions of the automatic switch contacts is as follows:

[Table: Controllable parking device PLC control system action sequence. Action process: stationary, unlocking, conversion, locking, reverse position. Note: 1 on; 0 off.]
From the sequence of the automatic gate switch contacts, we can see that after the parking device unlocks, the timer is first cut off and the positioning action contact is connected, allowing the parking device to move in the opposite direction at any time and ensuring the continuity of parking device operation. This also meets technical requirement 3. After the controllable parking device switches to the correct position, the starting circuit is cut off by the automatic gate switch action contact FD (DD), which meets technical requirement 5.

The indication circuit is partially integrated with the starting circuit. The indication circuit not only provides position indication through the automatic gate switch indication contacts but also checks the coil of the actuator at that position through the action contacts. This makes the entire circuit more reliable and safe. The indication circuit is connected to the PLC programmable controller input relay D(F)B through the TQ contact, and combining contacts inside the PLC programmable controller saves one cable core wire. At the same time, the cooperation of TQ with the slow-release delay relays (PLC internal delay relays 1S and 2S) and the indication contacts ensures that the indication circuit has no output while the controllable parking device is switching, which meets technical requirement 4.
The circuit also establishes a TQ interlock condition to ensure a fixed positional relationship between TQ and the indicator circuit. The circuit design implements open-circuit protection and mixed-circuit protection for the start-up circuit and the indicator circuit. This makes the system a safe circuit, making it easier to implement other system functions. Implementing control and interlocking with PLC controllers is relatively easy and has been done by many people.
The starting circuit also includes a shift and maintenance switch. When the parking device is damaged, the shift switch activates, cutting off the starting circuit and indicating that the circuit meets the requirements of Article 6 of the technical requirements. This switch also functions as a maintenance switch; turning the maintenance handle disconnects the switch, allowing the parking device to be operated manually on-site. At this time, the signal tower needs to place the maintenance button in the maintenance position to prevent false alarms, meeting the requirements of Article 10 of the technical requirements. The circuit also meets other technical requirements. The requirements of Article 7 of the technical requirements can be met by setting an automatic (TZ)/manual (TS) conversion switch for the parking device. Article 8 of the technical requirements was added mainly to address the inconsistency between the stationary and reverse operating conditions of the parking device. This requirement can be met by connecting the stationary interlocking conditions and the reverse interlocking conditions to the two coil circuits of the TQ relay, respectively.
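The fault orientation summarized at the end of section 1 and the indication behaviour described above can be checked in a small model. This is an added Python example, not the article's circuit or PLC program. The names StopperControl, db and fb (positioning and reverse indication contacts), the scan-count limit CONVERSION_LIMIT, and the choice to block the entrance whenever there is no positioning indication are all assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Pos(Enum):
    POSITIONING = "positioning"  # braking state
    REVERSE = "reverse"          # released state


@dataclass
class Outputs:
    indication: Optional[Pos]  # None: the indication circuit gives no output
    fault: bool                # fault message to the signal tower
    signal_permitted: bool     # departure signal on this line may be opened
    entrance_blocked: bool     # final branch switch at the entrance is blocked


class StopperControl:
    # Assumed value: scans a conversion may take before a fault is reported.
    CONVERSION_LIMIT = 3

    def __init__(self) -> None:
        self.tq = Pos.POSITIONING  # polarity-holding relay, external to the PLC
        self.waiting = 0           # PLC-internal counter, lost on power-off

    def command(self, target: Pos) -> None:
        """Signal tower command: flip TQ and start timing the conversion."""
        self.tq = target
        self.waiting = 0

    def plc_restart(self) -> None:
        """PLC power loss: internal state returns to zero, TQ keeps its position."""
        self.waiting = 0

    def scan(self, db: bool, fb: bool) -> Outputs:
        """One scan of the positioning (db) and reverse (fb) indication contacts."""
        if db and not fb:
            seen = Pos.POSITIONING
        elif fb and not db:
            seen = Pos.REVERSE
        else:
            seen = None  # both open (converting, open circuit) or both closed (mixed)
        # An indication is output only when the contacts agree with TQ.
        indication = seen if seen is self.tq else None
        self.waiting = 0 if indication is not None else self.waiting + 1
        return Outputs(
            indication=indication,
            fault=self.waiting > self.CONVERSION_LIMIT,
            signal_permitted=indication is Pos.REVERSE,
            entrance_blocked=indication is not Pos.POSITIONING,
        )


def run(ctrl: StopperControl, scans):
    return [ctrl.scan(db, fb) for db, fb in scans]


def demo():
    """Constructed contact sequences: a good release, a PLC restart, a stuck return."""
    ctrl = StopperControl()
    rest = ctrl.scan(True, False)
    ctrl.command(Pos.REVERSE)
    release = run(ctrl, [(True, False), (False, False), (False, True)])
    ctrl.plc_restart()
    after_restart = ctrl.scan(False, True)
    ctrl.command(Pos.POSITIONING)
    stuck = run(ctrl, [(False, False)] * 4)
    return rest, release, after_restart, stuck
```

In the stuck return to positioning, the departure signal is never permitted and the entrance stays blocked from the first scan; the fault message only adds the alarm once the assumed limit is exceeded.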
3. Interlocking and Other Aspects of Interlocking

For electrically centralized tail-end interlocking systems, relay contacts or PLC output relay contacts can be directly connected in series into the system to incorporate interlocking. For microcomputer interlocking systems, a communication interface is required; the PLC programmable controller has a communication interface. Microcomputer interlocking systems only need to exchange information via a protocol. The controllable parking device's control system adopts two control methods: microcomputer display operation and manual operation. In the first mode, microcomputer operation, the microcomputer communicates with the PLC through another communication interface of the PLC programmable controller. We use VB to implement the upper-level components of the system, mainly achieving the following functions:

1. User interface: real-time display of the parking device status in the station area graphic;
2. Database management: operation records and fault records.

Operators can directly set the PLC position by clicking on the equipment on the station area graphic displayed on the microcomputer screen. The manual operation mode involves directly controlling the parking device through a manual control panel.

(Continued on page 31)

Before each construction phase, the engineering construction department follows the ISO9001 procedure to complete all necessary technical preparations: familiarizing themselves with the design drawings, mastering installation standards, understanding the specific site conditions, providing technical instructions to the workers, and preparing materials and tools before departure. Upon arrival at the site, the department first checks the type, model, and grade of the speed reduction jack according to the drawings and jack markings to ensure they match the drawings.
If discrepancies are found, the department immediately contacts the central dispatch center, records the findings, and awaits further instructions. Next, the department checks the power supply, water supply, wiring, and rails. Construction then commences.
During construction, the installation height, location, and drilling depth were strictly checked and measured according to the drawings and installation standards. After each section was installed, a designated person conducted inspections and adjustments until the design requirements were met, and records were kept for each unit according to its number.
During construction, every task must be documented in writing, leaving a record to facilitate quality tracking and achieve the goal of quality control.
3.4.2 Quality Control of Project Acceptance

Project acceptance is the final inspection of the quality of the deceleration top system. It also serves as a control measure for the quality system. User representatives, center leaders, and heads of the system technology department, business development department, and engineering construction department participate in the project acceptance.
After construction was completed, the System Technology Department and Engineering Construction Department conducted inspections, tests, and commissioning. First, according to technical requirements, the installation of each speed bump was inspected and detailed records were made, which were then countersigned by the user representative. Next, a runaway test was conducted, pushing the vehicle through the speed bump at the designed speed using combinations of vehicles of different weights. The speed at each point was measured to verify that the coupling rate and safe coupling rate met design requirements. For tracks that did not meet design requirements, adjustments were made, including adjusting the number of speed bumps, gears, and critical speeds, until the design requirements were met. Finally, both parties jointly signed the acceptance report, and the project was handed over to the user for formal operation, thus completing a high-quality project that satisfied the user.
3.5 Service Quality Control

After-sales service is crucial for ensuring product quality and maintaining a good reputation. Therefore, in accordance with ISO 9001 requirements, service quality control is an important part of the quality system.
According to ISO 9001 standards, the Harbin Center rigorously trains and examines its service personnel, requiring them to hold certificates before starting work. Following the center's quality policy, quality responsibility is assigned to specific individuals. Furthermore, regulations and systems have been revised or supplemented. For example: a telephone registration system, under which user calls are meticulously recorded, promptly reported up the chain of command, and answered within one week; a user visit system, under which technical service personnel are assigned specific areas, conduct regular visits, promptly address any issues discovered, record user feedback, report up the chain of command, and track the results; and an after-sales service system, under which on-call service is provided for any on-site issues, necessary items are shipped promptly, and any assistance requested by users is provided free of charge and quickly. Other systems include warehouse management, shipping, and personnel training. Through these various systems and regular service quality reviews, high-quality service is achieved, and service quality control is ensured.

(To be continued...)

(Continued from page 13)

Finally, let's discuss several issues to consider when converting a PLC into an actual circuit.
The PLC input relays and output relays are isolated from each other; to avoid cross-wiring faults, the parking machine power supply is isolated. Since the PLC's COM terminal is connected to TZ (the positive terminal of the parking machine power supply), the PLC's COM terminal cannot be grounded (ungrounding is permissible); according to the method given in the PLC manual, connect the PLC's slow-release relay as shown in the diagram (15s). When the PLC relay is de-energized, a voltage holding device should be installed at the power input terminal (meeting technical requirement 8).
Apart from the above, other tasks can be performed according to the PLC programming manual, and will not be elaborated further here.