
(Full version) Automatic Control: Graduation Thesis Foreign-Language Source Material with Chinese and English Text


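Graduation Thesis: Translation of Foreign-Language Literature

School: School of Automation and Electrical Engineering. Major: Automatic Control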

Component-based Safety Computer of Railway Signal Interlocking System

1 Introduction

Signal Interlocking System is the critical equipment which can guarantee traffic safety and enhance operational efficiency in railway transportation. For a long time, the core control computer adopted in interlocking system is the special customized Signal, and so on. Along with the rapid development of electronic technology, the customized safety computer is facing severe challenges, for instance, the the meantime, there are several explorations and practices about adopting open system architecture in avionics. The United States and Europe aerospace and other safety-critical fields. In recent years, the utilization of standardized components in aerospace, industry, transportation and other safety-critical fields is gradually becoming a new trend.

2 Railways signal interlocking system

2.1 Functions of signal interlocking system

The basic function of signal interlocking system is to protect train safety by controlling signal equipment, such as switch points, signals and track units in a station, and it interlocking regulation.

Since the birth of the railway transportation, signal interlocking system computer-based Interlocking System.

2.2 Architecture of signal interlocking system

Generally, according to the function of the equipment, the Interlocking System can be divided into three layers, as shown in Figure 1.

[Figure 1 layers: Man-Machine Interface layer; Interlocking safety layer; Implementation layer; Outdoor equipment]

Figure 1 Architecture of Signal Interlocking System

3 Component-based safety computer design

3.1 Design strategy

The design concept of component-based safety critical computer is different from that of special customized computer. Our design strategy of SIC is on a base of fault-tolerance and system integration. We separate the SIC into three layers, the standardized component unit layer, safety software layer and the system layer. Different safety functions are allocated for each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:

(1) Component unit layer includes four independent standardized CPU modules. A this year.

(2) Safety software layer mainly utilizes fail-safe strategy and fault-tolerant management. The interlocking safety computing of the whole system adopts two outputs from different CPUs; it can mostly ensure the diversity of software to errors of signal version and remove risks.

(3) System layer aims to improve reliability, availability and maintainability by means of redundancy.

3.2 Design of in figure 2, the SIC of four independent component units (C11, C12, C21, C22). The fault-tolerant architecture adopts dual 2 vote 2 (2v2×2) structure, and a kind of selected as computing unit which adopts Intel XScale kernel, 533 MHz.

The operation of SIC is based on dual two-layer data buses. The protocol, and the low bus is Controller Area Network (CAN). C11, C12 and C21, C22 respectively make up two safety computing components, IC1 and IC2, which are of 2v2 structure. And each component external dynamic circuit watchdog that is set for computing supervision and switching.

[Figure 2 blocks: Console; Diagnosis terminal; High bus (Ethernet); C11, C12, C21, C22; Watchdog driver; Fail-safe switch; Input module; Output module; Low bus (CAN); Interface]

Figure 2 Hardware structure of SIC

3.3 Standardized component unit

After component module is made certain, according to the safety-critical requirements of railway signal interlocking system, we the module. The design includes power supply, interfaces and other embedded circuits.

The fault-tolerant processing, synchronized computing, and fault diagnosis of SIC mostly depend on the safety software. Here the safety software design method differs from that of the special computer too. For a dedicated computer, the software is often specially designed based on the bare object; a special scheduling program is commonly designed as safety software for the computer, and not a universal operating system. The fault-tolerant processing and fault diagnosis of the dedicated computer are tightly a standard Linux OS.

The safety software is a vital element of secondary development. It includes Linux OS adjustment, fail-safe process, fault-tolerance management, and safety interlocking logic. The them are shown in Figure 4.

[Figure 4 blocks: Safety Interlock Logic; Fail-safe process; Fault-tolerance management; Linux OS adjustment]

Figure 4 Safety software

3.4.1 Fault-tolerant model

The Fault-tolerant computation of SIC is of a multilevel model:

$$SIC = F_{1oo2D}\big(F_{2oo2}(S_{C11}, S_{C12}),\ F_{2oo2}(S_{C21}, S_{C22})\big)$$

Firstly, basic computing unit $C_{i1}$ adopts one algorithm to complete $S_{Ci1}$, and $C_{i2}$ finishes $S_{Ci2}$ via a different algorithm. Secondly, the 2 out of 2 (2oo2) safety computing component of SIC executes the 2oo2 calculation and gets $F_{SICi}$ from the calculation results $S_{Ci1}$ and $S_{Ci2}$. Thirdly, according to the states of the watchdog and switch unit block, the result of SIC is obtained via a 1 out of 2 with diagnostics (1oo2D) calculation, which is based on $F_{SIC1}$ and $F_{SIC2}$.

The flow of calculations is as follows:

(1) $S_{Ci1} = F_{Ci1}(D_{net1}, D_{net2}, D_{di}, D_{fss})$

(2) $S_{Ci2} = F_{Ci2}(D_{net1}, D_{net2}, D_{di}, D_{fss})$

(3) $F_{SICi} = F_{2oo2}(S_{Ci1}, S_{Ci2}),\ (i = 1, 2)$

(4) $SIC\_OutPut = F_{1oo2D}(F_{SIC1}, F_{SIC2})$

3.4.2 Safety computation

As interlocking system consists of a fixed set of tasks, the computational model of SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here the time-triggered mode is selected, and tasks are executed cyclically. The consistency of computing states between the two units is the foundation of SIC for ensuring safety and credibility. As SIC works under a loosely coupled mode, it is different from that of dedicated algorithm is necessary for SIC.

SIC can be considered as a multiprocessor distributed system, and its computational model is essentially based on data comparing via . First, an analytical approach is used to confirm the worst-case response time of each task. To guarantee the deadline of tasks that communicate across the network, the access time and delay of the communication medium are set to a fixed possible value. Moreover, the computational model must meet the real-time requirements of railway interlocking system: within the system computing cycle, we set many check points Pi (i=1,2,...,n), which are small enough for synchronization, and computation result voting is executed at each point. The safety computation flow of SIC is shown in Figure 5.

[Figure 5 labels: Start; units Ci1 and Ci2; tasks τ0 … τn+1; check points P1 … Pn; clock T0, T1, T2; Initialize; Synchronization; Guarantee synchronous; Time trigger. Legend: τi: tasks of interlocking logic; Pi: safety functions check point]

Figure 5 Safety computational model of SIC
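The multilevel vote of section 3.4.1 combined with the per-check-point voting of section 3.4.2, as an added C example that is not code from the paper. The names `vote_2oo2`, `run_cycle` and `vote_1oo2d`, the all-zero `SAFE_STATE` word, and the rule that two healthy components which disagree fall back to the safe state are assumptions made for illustration; the sample data is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define SAFE_STATE 0u  /* assumption: all-zero output word is the restrictive state */

typedef struct {
    bool     valid;    /* false: the component has dropped to the safe side */
    uint32_t out;      /* agreed result, SAFE_STATE when !valid */
} vote_t;

/* F2oo2: both units of one component must deliver the same result. */
static vote_t vote_2oo2(uint32_t s_ci1, uint32_t s_ci2)
{
    vote_t v = { s_ci1 == s_ci2, SAFE_STATE };
    if (v.valid) v.out = s_ci1;
    return v;
}

/* One computing cycle of component ICi: vote at every check point P1..Pn.
 * The first mismatch ends the cycle with an invalid (safe) result. */
static vote_t run_cycle(const uint32_t *ci1, const uint32_t *ci2, size_t n)
{
    vote_t last = { false, SAFE_STATE };
    for (size_t p = 0; p < n; p++) {
        last = vote_2oo2(ci1[p], ci2[p]);
        if (!last.valid) break;
    }
    return last;
}

/* F1oo2D: a component counts only if its 2oo2 vote passed and its watchdog
 * is alive. Two healthy components that disagree give SAFE_STATE (assumption). */
static uint32_t vote_1oo2d(vote_t f1, bool wd1, vote_t f2, bool wd2)
{
    bool ok1 = f1.valid && wd1, ok2 = f2.valid && wd2;
    if (ok1 && ok2) return f1.out == f2.out ? f1.out : SAFE_STATE;
    if (ok1) return f1.out;
    return ok2 ? f2.out : SAFE_STATE;
}

/* Constructed sample: C12 diverges at P2, so IC1 is masked and IC2 drives the output. */
static uint32_t demo_cycle(void)
{
    const uint32_t c11[] = { 0x11, 0x22, 0x33 }, c12[] = { 0x11, 0x26, 0x33 };
    const uint32_t c21[] = { 0x11, 0x22, 0x33 }, c22[] = { 0x11, 0x22, 0x33 };
    return vote_1oo2d(run_cycle(c11, c12, 3), true, run_cycle(c21, c22, 3), true);
}
int main(void) { printf("SIC_OutPut = 0x%02x\n", (unsigned)demo_cycle()); return 0; }
```

A single corrupted unit is masked by the redundant component, while a fault that leaves no trustworthy component drives the output to the restrictive state instead of a wrong command.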

4. Hardware safety integrity level evaluation

4.1 Safety Integrity

As an authoritative international standard for safety-related systems, IEC 61508 presents a definition of safety integrity: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. In IEC 61508, four levels of safety integrity are prescribed, SIL1~SIL4. The SIL1 is the lowest, and SIL4 . The SIL of SIC can be evaluated via the probability of dangerous per of SIL about such system in IEC 61508, see Table 1.

Table 1 - Safety integrity levels: target failure measures for a safety function operating in high demand or continuous mode of operation

| Safety integrity level | High demand or continuous mode of operation (probability of a dangerous failure per hour) |
|---|---|
| 4 | ≥ $10^{-9}$ to < $10^{-8}$ |
| 3 | ≥ $10^{-8}$ to < $10^{-7}$ |
| 2 | ≥ $10^{-7}$ to < $10^{-6}$ |
| 1 | ≥ $10^{-6}$ to < $10^{-5}$ |

4.2 Reliability block diagram of SIC

After analyzing the structure and working principle of the SIC, we get the block diagram of reliability, as shown in Figure 6.

[Figure 6 blocks: High bus (NET1, NET2); 2oo2; Logic subsystem; Low bus (NET1, NET2). Parameters shown: λ = 1×10^-7, DC = 99%, β = 2%, Voting = 1oo2D]

Figure 6 Block diagram of SIC reliability

5. Conclusions

In this paper, we proposed an available standardized component-based computer SIC. Railway signal interlocking is a fail-safe system with a required probability of less than $10^{-9}$ safety critical failures per order to meet the critical constraints, fault-tolerant architecture and safety tactics are used in SIC. Although the computational model and implementation techniques are rather complex, the philosophy of SIC provides a cheerful prospect to safety critical applications; it renders in a simpler style of shorten development cycle and reduce cost. SIC put into practical application, and proven.


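), which take small values so that synchronization can be achieved, and a computation result is obtained at each check point. The safety computation flow of SIC is shown in Figure 3.4.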

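[Figure 3.5 labels: Start; units Ci1 and Ci2; tasks τ0 … τn+1; check points P1 … Pn; clock T0, T1, T2; Guarantee synchronization; Clock pulse; Initialize; Synchronization. Legend: τi: interlocking logic tasks]

Figure 3.5 Safety computational model of SIC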

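4 Hardware safety integrity level evaluation

4.1 Safety integrity

As an authoritative international standard for safety systems, IEC 61508 gives the following definition of safety integrity: the probability that a safety system successfully performs the required safety functions under the stated conditions within a stated period of time. IEC 61508 defines four levels of safety integrity, SIL1 ~ SIL4. SIL1 is the lowest and SIL4 is the highest.

According to IEC 61508, the safety interlocking computer belongs to the systems operating in high demand or continuous mode. The safety integrity level of the safety interlocking computer can be estimated from the system's potential danger per hour; in IEC 61508 the safety integrity levels are defined as shown in Table 4.1: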

Pi: safety function check point

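Table 4.1 Failure measures for a safety function operating in a high demand or continuous mode system

| Safety integrity level | High demand or continuous mode of operation (probability of failure per hour) |
|---|---|
| 4 | ≥ $10^{-9}$ to < $10^{-8}$ |
| 3 | ≥ $10^{-8}$ to < $10^{-7}$ |
| 2 | ≥ $10^{-7}$ to < $10^{-6}$ |
| 1 | ≥ $10^{-6}$ to < $10^{-5}$ |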

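4.2 Reliability block diagram of the safety interlocking computer

On the basis of analyzing the structure and working principle of the safety integrity level, we obtain its reliability structure diagram, as shown in Figure 4.1.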

[Figure 4.1 blocks: High bus (NET1, NET2); 2oo2; Logic subsystem; Low bus (NET1, NET2). Parameters shown: λ = 1×10^-7, DC = 99%, β = 2%, Voting = 1oo2D]

Figure 4.1 Reliability structure diagram of SIC

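5 Conclusions

In this paper, we proposed an effective standardized modular computer, the safety integrity. The railway signal interlocking system is a fail-safe system whose failure rate per hour must be lower than $10^{-9}$. Although the computational model and implementation techniques are rather complex, a fault-tolerant system architecture and safety strategies must be used in the safety integrity system in order to reach the parameter values specified for the system. The ideas and theory of safety integrity show a bright prospect for safety-critical applications. It provides a simple hardware composition, and it can also shorten the development cycle and reduce cost. The safety interlocking computer has now been put into practical application, and its high performance, reliability and safety have been proven.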
