1、( 此文檔為 word 格式，下載后您可任意編輯修改！)畢業(yè)論文外文譯文學(xué)院自動化與電氣工程學(xué)院專業(yè)自動控制- 1 -Component-based Safety Computer of Railway SignalInterlocking System1 IntroductionSignal Interlocking System is the critical equipment which can guarantee traffic safety and enhance operational efficiency in railway transportation. For a lon

2、g time, the core control computer adopts in interlocking system is the special customizedSignal, and so on. Along with the rapid development of electronic technology, the customized safety computer is facing severe challenges, for instance, thethe meantime, there are several explorations and practic

3、es about adopting open system architecture in avionics. The United Stated and Europe aerospace and other safety-critical fields. In recent years, it is gradually becoming a new trend that the utilization of standardized components in aerospace, industry, transportation and other safety-critical fiel

4、ds.2 Railways signal interlocking system2.1 Functions of signal interlocking systemThe basic function of signal interlocking system is to protect train safety bycontrolling signal equipments, such as switch points, signals and track units in a station, and it interlocking regulation.Since the birth

5、of the railway transportation, signal interlocking system computer-based Interlocking System.2.2 Architecture of signal interlocking systemGenerally, the Interlocking System of equipments, the system can be divided to the function of equipments; the system can be divided into three layers as shown i

6、n figure1.- 2 -Man-Machine Interface layerInterlocking safety layerImplementation layerOutdoorequiptmentsFigure 1 Architecture of Signal Interlocking System3 Component-based safety computer design3.1 Design strategyThe design concept of component-basedsafety critical computer is different from that

7、of special customized computer. Our design strategy of SIC is on a base of fault-tolerance and system integration. We separate the SIC into three layers, the standardized component unit layer, safety software layer and the system layer. Different safety functions are allocated for each layer, and th

8、e final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:(1) Component unit layer includes four independent standardized CPU modules. A this year.(2) Safety software layer mainly utilizes fail-safe strategy a

9、nd fault-tolerant management. The interlocking safety computing of the whole system adopts two outputsfrom different CPU, it can mostly ensure the diversity of software to errors of signal version and remove risks.(3) System layer aims to improve reliability, availability and maintainability by mean

10、s of redundancy.3.2Design of in figure 2, the SIC of four independent component units (C11,C12, C21, C22). The fault-tolerant architecture adopts dual 2 vote 2 (2v2× 2) structure, and a kind of selected as computing unit which adopts Intel X Scale kernel, 533 MHZ.The operation of SIC is based o

11、n a dual two-layer data buses. Theprotocol, andthe low bus is Controller Area Network (CAN). C11 、C12 and C21、 C22respectivelymake up of two safety computing components IC1 and IC2, which are of 2v2 structure. And each component external dynamic circuit watchdog that is set for computing supervision

12、 and switching.- 3 -ConsoleDiagnosis terminalHigh bus(Ether NET)C11C12C21C22Watchdog driver&&Fail-safe switchInput modleOutput ModleLow bus(CAN)InterfaceFigure 2 Hardware structure of SIC3.3 Standardized component unitAfter component module is made certain, according to the safety-critical r

13、equirements of railway signal interlocking system, we the module. The design includes power supply, interfaces and other embedded circuits.The fault-tolerant processing, synchronized computing, and fault diagnosis of SIC mostly depend on the safety software. Here the safety software design method is

14、 differing from that of the special computer too. For dedicated computer, the software is often specially designed based on the bare object, a special scheduling program is commonly designed as safety software for the computer, and not a universal operating system. The fault-tolerant processing and

15、fault diagnosis of the dedicated computer are tightly a standard Linux OS.The safety software is vital element of secondary development. It includes Linux OS adjustment, fail-safe process,fault-tolerance management, and safety interlocking logic. The them are shown in Figure 4.Safety Interlock Logic

16、Fail-safe processFault-tolerance managementLinux OS adjustment- 4 -Figure 4 Safety softwareThe Fault-tolerant computation of SIC is of a multilevel model:SIC=F 1002D(F2002(Sc11,Sc12),F 2002(Sc21,Sc22)Firstly, basic computing unit Ci1 adopts one algorithm to complete theCi1S, and Ci2 finishes the SCi

17、2 via a different algorithm, secondly 2 out of 2 (2oo2) safety computing component of SIC executes 2oo2 calculation and getsSICiF from the calculation results of SCi1 SCi2, and thirdly, according the states of watchdog and switch unit block, the result of SIC is gotten via a 1 out of 2 with diagnost

18、ics (1oo2D) calculation, which is based onFSIC1 and FSIC2.The flow of calculations is as follows:(1) Sci1=F ci1 (D net1,Dnet2,Ddi,Dfss)(2) Sci2=F ci2 (Dnet1,Dnet2,Ddi,D fss)(3) FSICi =F2oo2 (Sci1, Sci2 ),(i=1,2)(4) SIC_OutPut=F 1oo2D (FSIC1, FSIC2 )As interlocking systemconsistsof a fixed set of tas

19、k, the computational model of SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here the time-triggered mode is selected, tasks are executed cyclically. The consistency of computing states between the two units is the foundatio

20、n of SIC for ensuring safety and credibility. As SIC works under a loosely coupled mode, it is different from that of dedicated algorithm is necessary for SIC.SIC can be considered as a multiprocessor distributed system, and its computational model is essentiallybased on data comparing via . First,

21、an analytical approach is used to confirm the worst-case response time of each task. To guarantee the deadline of tasks that communicate across the network, the accesstime and delay of communication medium is set to a fixed possiblevalue. Moreover, the computational model must meets the real time re

22、quirements of railway interlocking system, within the system computing cycle, we set many check points Pi (i=1,2,. n) , which are small enough for synchronization, and computation result voting is executed at each point. The safety computation flow of SIC is shown in Figure 5.- 5 -ttraSn nn+1 i1cloc

23、ktr12atS i2clockn nn+1 12sgnnuioksioctetnnaooozzrlnrriiiecitlnheoagticocgngpnintriiokuihyrfntlcfIcSeoeynesmhtyekeSticfnsaaTaSrTa:u:iGpFigure 5 Safety computational model of SIC4. Hardware safety integrity level evaluation4.1 Safety IntegrityAs an authoritative international standard for safety-relat

24、ed system, IEC 61508 presents a definition of safety integrity: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. In IEC 61508, there are four levels of safety integrity are prescribe, SIL1 S

25、IL4. The SIL1 is the lowest, and SIL4 . The SIL of SIC can be evaluated via the probability of dangerous per of SIL about such system in IEC 61508, see table 1.Table 1-Safety Integrity levels: target failure measures for a safety function operating inSafety Integrity level High demand or continuous

26、mode of Operation (Probability of a dangerous Failure per hour)4-9-8 10 to 103-8-7 10 to 102-7-6 10 to 101-6-5 10 to 104.2 Reliability block diagram of SICAfter analyzing the structure and working principle of the SIC, we get the bock diagram of reliability, as figure 6.- 6 -High busLogic subsystemL

27、ow busNET12002NET220022002NET22002=1×10-7NET1DC=99%Voting=1 002D=1×10-7=1×10=2%DC=99%D=1%Voting=1 00 2DDC=99%Voting=1 002DFigure 6 Block diagram of SIC reliability5. ConclusionsIn this paper, we proposed an available standardized component-basedcomputerSIC. Railway signal interlocking

28、 is a fail-safe system with a required probability of lessthan10-9 safety criticalfailures perorderto meet the critical constraints,fault-tolerantarchitectureandsafety tactics areused inSIC.Although thecomputational modelandimplementation techniques arerathercomplex, thephilosophy of SIC provides a cheerful prospect to safety critical applications, it renders in a simpler style of shorten development cycle and reduce cost. SIC put into practical application, and proven.From:),取值很小，能實(shí)現(xiàn)