1、 外文參考文獻及譯文 英文題目 Component-based Safety Computer of Railway Signal Interlocking System 中文題目 模塊化安全鐵路信號計算機聯鎖系統 蘭州交通大學畢業設計（外文參考文獻）Component-based Safety Computer of Railway Signal Interlocking System1 IntroductionSignal Interlocking System is the critical equipment which can guarantee traffic safety and

2、 enhance operational efficiency in railway transportation. For a long time, the core control computer adopts in interlocking system is the special customized high-grade safety computer, for example, the SIMIS of Siemens, the EI32 of Nippon Signal, and so on. Along with the rapid development of elect

3、ronic technology, the customized safety computer is facing severe challenges, for instance, the high development costs, poor usability, weak expansibility and slow technology update. To overcome the flaws of the high-grade special customized computer, the U.S. Department of Defense has put forward t

4、he concept：we should adopt commercial standards to replace military norms and standards for meeting consumers demand 1. In the meantime, there are several explorations and practices about adopting open system architecture in avionics. The United Stated and Europe have do much research about utilizin

5、g cost-effective fault-tolerant computer to replace the dedicated computer in aerospace and other safety-critical fields. In recent years, it is gradually becoming a new trend that the utilization of standardized components in aerospace, industry, transportation and other safety-critical fields.2 Ra

6、ilways signal interlocking system2.1 Functions of signal interlocking systemThe basic function of signal interlocking system is to protect train safety by controlling signal equipments, such as switch points, signals and track units in a station, and it handles routes via a certain interlocking regu

7、lation.Since the birth of the railway transportation, signal interlocking system has gone through manual signal, mechanical signal, relay-based interlocking, and the modern computer-based Interlocking System.2.2 Architecture of signal interlocking system Generally, the Interlocking System has a hier

8、archical structure. According to the function of equipments, the system can be divided to the function of equipments; the system can be divided into three layers as shown in figure1.Figure 1 Architecture of Signal Interlocking System3 Component-based safety computer design3.1 Design strategyThe desi

9、gn concept of component-based safety critical computer is different from that of special customized computer. Our design strategy of SIC is on a base of fault-tolerance and system integration. We separate the SIC into three layers, the standardized component unit layer, safety software layer and the

10、 system layer. Different safety functions are allocated for each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:(1) Component unit layer includes four independent standardized CPU modul

11、es. A hardware “SAFETY AND” logic is implemented in this year.(2) Safety software layer mainly utilizes fail-safe strategy and fault-tolerant management. The interlocking safety computing of the whole system adopts two outputs from different CPU, it can mostly ensure the diversity of software to hol

12、d with design errors of signal version and remove hidden risks.(3) System layer aims to improve reliability, availability and maintainability by means of redundancy.3.2Design of hardware fault-tolerant structureAs shown in figure 2, the SIC of four independent component units (C11, C12, C21, C22). T

13、he fault-tolerant architecture adopts dual 2 vote 2 (2v2×2) structure, and a kind of high-performance standardized module has been selected as computing unit which adopts Intel X Scale kernel, 533 MHZ. The operation of SIC is based on a dual two-layer data buses. The high bus adopts the standar

14、d Ethernet and TCP/IP communication protocol, and the low bus is Controller Area Network (CAN). C11、C12 and C21、C22 respectively make up of two safety computing components IC1 and IC2, which are of 2v2 structure. And each component has an external dynamic circuit watchdog that is set for computing s

15、upervision and switching. Figure 2 Hardware structure of SIC3.3Standardized component unitAfter component module is made certain, according to the safety-critical requirements of railway signal interlocking system, we have to do a secondary development on the module. The design includes power supply

16、, interfaces and other embedded circuits.The fault-tolerant processing, synchronized computing, and fault diagnosis of SIC mostly depend on the safety software. Here the safety software design method is differing from that of the special computer too. For dedicated computer, the software is often sp

17、ecially designed based on the bare hardware. As restricted by computing ability and application object, a special scheduling program is commonly designed as safety software for the computer, and not a universal operating system. The fault-tolerant processing and fault diagnosis of the dedicated comp

18、uter are tightly hardware-coupled. However, the safety software for SIC is exoteric and loosely hardware-coupled, and it is based on a standard Linux OS. The safety software is vital element of secondary development. It includes Linux OS adjustment, fail-safe process, fault-tolerance management, and

19、 safety interlocking logic. The hierarchy relations between them are shown in Figure 4. Figure 4 Safety software hierarchy of SIC3.4Fault-tolerant model and safety computation3.4.1 Fault-tolerant modelThe Fault-tolerant computation of SIC is of a multilevel model:SIC=F1002D(F2002(Sc11,Sc12),F2002(Sc

20、21,Sc22)Firstly, basic computing unit Ci1 adopts one algorithm to complete the SCi1, and Ci2 finishes the SCi2 via a different algorithm, secondly 2 out of 2 (2oo2) safety computing component of SIC executes 2oo2 calculation and gets FSICi from the calculation results of SCi1 SCi2, and thirdly, acco

21、rding the states of watchdog and switch unit block, the result of SIC is gotten via a 1 out of 2 with diagnostics (1oo2D) calculation, which is based on FSIC1 and FSIC2.The flow of calculations is as follows:(1) Sci1=F ci1 (Dnet1,Dnet2,Ddi,Dfss)(2) Sci2=F ci2 (Dnet1,Dnet2,Ddi,Dfss)(3) FSICi=F2oo2 (S

22、ci1, Sci2 ),(i=1,2)(4) SIC_OutPut=F1oo2D (FSIC1, FSIC2)3.4.2 Safety computationAs interlocking system consists of a fixed set of task, the computational model of SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here the time-t

23、riggered mode is selected, tasks are executed cyclically. The consistency of computing states between the two units is the foundation of SIC for ensuring safety and credibility. As SIC works under a loosely coupled mode, it is different from that of dedicated hardware-coupled computer. So a speciali

24、zed synchronization algorithm is necessary for SIC.SIC can be considered as a multiprocessor distributed system, and its computational model is essentially based on data comparing via high bus communication. First, an analytical approach is used to confirm the worst-case response time of each task.

25、To guarantee the deadline of tasks that communicate across the network, the access time and delay of communication medium is set to a fixed possible value. Moreover, the computational model must meets the real time requirements of railway interlocking system, within the system computing cycle, we se

26、t many check points Pi (i=1,2,. n) , which are small enough for synchronization, and computation result voting is executed at each point. The safety computation flow of SIC is shown in Figure 5.Figure 5 Safety computational model of SIC4. Hardware safety integrity level evaluation4.1 Safety Integrit

27、y As an authoritative international standard for safety-related system, IEC 61508 presents a definition of safety integrity: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. In IEC 61508, th

28、ere are four levels of safety integrity are prescribe, SIL1SIL4. The SIL1 is the lowest, and SIL4 highest.According to IEC 61508, the SIC belongs to safety-related systems in high demand or continuous mode of operation. The SIL of SIC can be evaluated via the probability of dangerous per hour. The p

29、rovision of SIL about such system in IEC 61508, see table 1.Table 1-Safety Integrity levels: target failure measures for a safety function operating in high demand or continuous mode of operationSafety Integrity levelHigh demand or continuous mode of Operation(Probability of a dangerous Failure per

30、hour)4 10-9 to 10-83 10-8 to 10-72 10-7 to 10-61 10-6 to 10-54.2 Reliability block diagram of SIC After analyzing the structure and working principle of the SIC, we get the bock diagram of reliability, as figure 6.Figure 6 Block diagram of SIC reliability5. Conclusions In this paper, we proposed an

31、available standardized component-based computer SIC. Railway signal interlocking is a fail-safe system with a required probability of less than 10-9 safety critical failures per hour. In order to meet the critical constraints, fault-tolerant architecture and safety tactics are used in SIC. Although

32、the computational model and implementation techniques are rather complex, the philosophy of SIC provides a cheerful prospect to safety critical applications, it renders in a simpler style of hardware, furthermore, it can shorten development cycle and reduce cost. SIC has been put into practical appl

33、ication, and high performance of reliability and safety has been proven. From: - 7 - 蘭州交通大學畢業設計（譯文）模塊化安全鐵路信號計算機聯鎖系統1概述信號聯鎖系統是保證交通安全、提高鐵路運輸效率的關鍵設備。長期以來，在聯鎖系統中采用的核心控制計算機是特定的高檔安全計算機，例如，西門子的SIMIS、日本信號的EI32等。隨著電子技術的飛速發展，定制的安全計算機面臨著嚴重的挑戰，例如：高的開發成本、可用性差、弱可擴展性、和緩慢的技術更新。為了克服高檔特定計算機的缺點，美國國防部

34、提出：我們應該采用商業標準，來取代軍事準則和滿足客戶需要的標準。與此同時，有許多關于在電子設備中采用開放式系統結構的探索與實踐。美國和歐洲已經做了很多關于利用利用劃算的容錯計算機來代替專用電腦在航天和其它安全關鍵領域。近年來，在航空航天、工業、交通和其它安全關鍵領域，利用標準化部件正逐步成為一種新的趨勢。2 鐵路信號聯鎖系統2.1信號聯鎖系統的功能信號聯鎖系統的基本功能是通過控制信號設備，保護列車運行安全。如控制道岔的轉換、信號的開放和控制列車通過車站，它通過一種聯鎖處理規則控制線路。自鐵路運輸誕生以來、信號聯鎖系統已經經歷了手動信號、機械信號、繼電器聯鎖和現代計算機聯鎖系統。2.2信號聯鎖系

35、統的構架一般來說，聯鎖系統具有層次結構。根據設備的功能，系統可分為三層，如圖2.1所示。圖2.1 信號聯鎖系統的結構3 安全計算機的組件設計3.1設計策略模塊化安全關鍵計算機組件的設計理念不同于那些特殊定制的計算機。我們對安全聯鎖計算機的設計理念是基于系統的容錯性和系統的綜合需求。將其分為三層：標準化組成單元層、軟件安全層與系統層，并給每一層分配不同的安全功能，最終將三層集成，并確保系統達到預定的安全完整性水平。三層可以描述如下： (1) 標準化組成單元層包括四個獨立的標準化CPU模塊。這一層實現硬件“安全”邏輯聯鎖。 (2) 軟件安全層主要用故障-安用策略和容錯算法。由于一個完整的安全聯鎖系

36、統采用兩個不同的CPU輸出的結果，所以最能確保軟件設計某一版本，在設計時存在的多種錯誤，清除潛在的風險。 (3) 系統層，旨在提高系統的可用性和冗余系統的可維護性。3.2容錯結構的硬件設計如圖3.1，安全聯鎖計算機由四個獨立單元組成(C11，C12，C21，C22)。采用雙容錯結構設計(2×2取2)結構，計算單元選用高可靠性、高效率的模塊，采用了英特爾XScale內核，533兆赫的處理器。安全聯鎖計算機的操作基于兩層數據總線上。高速總線采用標準以太網結構和TCP / IP通信協議、低總線控制器局域網(CAN)。C11、C12和C21、C22分別組成兩個獨立的安全計算部件IC1和IC2

37、，并構成2乘2取2結構，并且每一部分都有計算機監控和外部開關電路動態監測。圖3.1 SIC硬件結構3.3標準化組成單元在研究清楚組成模塊后，根據鐵路信號聯鎖系統的臨界安全性要求，我們必須做一個二次開發的模塊。該設計主要包括電源、接口和其他嵌入式電路。安全聯鎖計算機的容錯計算、處理、故障的同步診斷主要依靠安全軟件。這個安全軟件的設計方法不同于其他專用的特殊計算機。在專用特殊計算機中，軟件通常基于單一裸露硬件而特別設計，限于計算處理能力和軟件兼容性，在電腦上特殊的調度程序一般基于安全性軟件設計，而不是一個普通的操作系統。專用計算機中容錯處理系統和故障診斷系統通過硬件耦合。然而，安全聯鎖計算機中的安

38、全軟件是開放、寬松的，它基于標準的Linux操作系統。安全軟件的二次開發是至關重要的。它包括Linux系統調整，故障-安全導向、容錯性管理，安全聯鎖的邏輯。它們之間的層次關系如圖3.3。圖3.3 SIC的安全軟件層次關系3.4容錯模型和安全估計算3.4.1 容錯模型安全聯鎖計算機的多層容錯計算模型：SIC= F1oo2D (F2oo2(SC11, S C12 ), F2oo2 (SC21,SC22)首先,根據計算單元Ci1采用一個算法來完成Sci1，Ci2計算單元通過不同的算法完成Sci2，其次，安全聯鎖計算機實行二乘二取二算法計算得到的結果和Sci1、Sci2計算，輸出到FSICi中的結果，再進行二乘二取二運算，第三，根據監視系統和開關單元塊，安全聯鎖計算機運算的結果在基于FSIC1和 FSIC2輸出的結果上，經過與門的診斷處理（2取1），就計算