
Component-based Safety Computer of Railway Signal Interlocking System (graduation thesis foreign literature translation)

2017-10-07, 16 pages, doc, 48KB, 58 reads

Foreign Literature Translation
Topic: MCU-based intelligent DMM
School/Department: School of Electrical and Information Engineering
Student name: (blank)
Supervisor: (blank), title: Lecturer
Major: Automation
Class: Grade 09, Class 01
Completion date: 2013.06.06

Component-based Safety Computer of Railway Signal Interlocking System

1 Introduction

The signal interlocking system is the critical equipment that guarantees traffic safety and enhances operational efficiency in railway transportation. For a long time, the core control computer adopted in interlocking systems has been a specially customized high-grade safety computer, for example the SIMIS of Siemens, the EI32 of Nippon Signal, and so on. With the rapid development of electronic technology, the customized safety computer faces severe challenges, for instance high development cost, poor usability, weak expansibility and slow technology updates. To overcome the flaws of the high-grade specially customized computer, the U.S. Department of Defense put forward the concept that commercial standards should be adopted in place of military norms and standards in order to meet consumers' demand [1]. In the meantime, there have been several explorations and practices in adopting open system architecture in avionics. The United States and Europe have done much research on utilizing cost-effective fault-tolerant computers to replace dedicated computers in aerospace and other safety-critical fields. In recent years, the utilization of standardized components in aerospace, industry, transportation and other safety-critical fields is gradually becoming a new trend.

2 Railway signal interlocking system

2.1 Functions of the signal interlocking system

The basic function of the signal interlocking system is to protect train safety by controlling the signal equipment in a station, such as switch points, signals and track units, and it handles routes according to a defined interlocking regulation. Since the birth of railway transportation, signal interlocking has gone through manual signals, mechanical signals, relay-based interlocking, and the modern computer-based interlocking system.

2.2 Architecture of the signal interlocking system

Generally, the interlocking system has a hierarchical structure. According to the function of the equipment, the system can be divided into three layers, as shown in Figure 1.

[Figure 1: Architecture of the signal interlocking system. Layers from top to bottom: man-machine interface layer; interlocking safety layer; implementation layer; outdoor equipment.]

3 Component-based safety computer design

3.1 Design strategy

The design concept of a component-based safety-critical computer is different from that of a specially customized computer. Our design strategy for the SIC is based on fault tolerance and system integration. We separate the SIC into three layers: the standardized component unit layer, the safety software layer and the system layer. Different safety functions are allocated to each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:

(1) The component unit layer includes four independent standardized CPU modules. A hardware "SAFETY AND" logic is implemented in this layer.
(2) The safety software layer mainly utilizes a fail-safe strategy and fault-tolerant management. The interlocking safety computation of the whole system adopts two outputs from different CPUs; this largely ensures software diversity, so as to cope with design errors in a single version and remove hidden risks.
(3) The system layer aims to improve reliability, availability and maintainability by means of redundancy.

3.2 Design of the hardware fault-tolerant structure

As shown in Figure 2, the SIC consists of four independent component units (C11, C12, C21, C22). The fault-tolerant architecture adopts a dual 2-vote-2 (2v2×2) structure, and a high-performance standardized module with an Intel XScale core at 533 MHz has been selected as the computing unit. The operation of the SIC is based on dual two-layer data buses. The high bus adopts standard Ethernet with the TCP/IP communication protocol, and the low bus is a Controller Area Network (CAN). C11, C12 and C21, C22 respectively make up the two safety computing components IC1 and IC2, each of 2v2 structure, and each component has an external dynamic-circuit watchdog for computing supervision and switching.

[Figure 2: Hardware structure of the SIC. Console and diagnosis terminal on the high bus (Ethernet); computing units C11, C12, C21, C22; watchdog driver and fail-safe switch; input module and output module on the low bus (CAN); interface.]

3.3 Standardized component unit

Once the component module has been decided, a secondary development of the module has to be done according to the safety-critical requirements of the railway signal interlocking system. The design includes the power supply, interfaces and other embedded circuits.

The fault-tolerant processing, synchronized computing and fault diagnosis of the SIC depend mostly on the safety software. Here the safety software design method also differs from that of the special computer. For a dedicated computer, the software is often specially designed on the bare hardware. Restricted by computing ability and application object, a special scheduling program, and not a universal operating system, is commonly designed as the safety software for the computer. The fault-tolerant processing and fault diagnosis of the dedicated computer are tightly hardware-coupled. The safety software for the SIC, however, is open and loosely hardware-coupled, and it is based on a standard Linux OS. The safety software is the vital element of the secondary development. It includes the Linux OS adjustment, the fail-safe process, fault-tolerance management and the safety interlocking logic.
The hierarchy relations between them are shown in Figure 4.

[Figure 4: Safety software hierarchy of the SIC. From top to bottom: safety interlock logic; fail-safe process; fault-tolerance management; Linux OS adjustment.]

3.4 Fault-tolerant model and safety computation

3.4.1 Fault-tolerant model

The fault-tolerant computation of the SIC follows a multilevel model:

$SIC = F_{1oo2D}\big(F_{2oo2}(S_{c11}, S_{c12}),\ F_{2oo2}(S_{c21}, S_{c22})\big)$

Firstly, the basic computing unit Ci1 adopts one algorithm to compute $S_{ci1}$, and Ci2 computes $S_{ci2}$ via a different algorithm; secondly, the 2 out of 2 (2oo2) safety computing component of the SIC executes the 2oo2 calculation and obtains $F_{SICi}$ from the results $S_{ci1}$ and $S_{ci2}$; thirdly, according to the states of the watchdog and the switch unit block, the result of the SIC is obtained via a 1 out of 2 with diagnostics (1oo2D) calculation based on $F_{SIC1}$ and $F_{SIC2}$. The flow of calculation is as follows:

(1) $S_{ci1} = F_{ci1}(D_{net1}, D_{net2}, D_{di}, D_{fss})$
(2) $S_{ci2} = F_{ci2}(D_{net1}, D_{net2}, D_{di}, D_{fss})$
(3) $F_{SICi} = F_{2oo2}(S_{ci1}, S_{ci2}),\quad (i = 1, 2)$
(4) $SIC\_Output = F_{1oo2D}(F_{SIC1}, F_{SIC2})$

3.4.2 Safety computation

As the interlocking system consists of a fixed set of tasks, the computational model of the SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here the time-triggered mode is selected, and tasks are executed cyclically. The consistency of computing states between the two units is the foundation on which the SIC ensures safety and credibility. As the SIC works in a loosely coupled mode, it differs from a dedicated hardware-coupled computer, so a specialized synchronization algorithm is necessary for the SIC. The SIC can be considered a multiprocessor distributed system, and its computational model is essentially based on data comparison via high-bus communication. First, an analytical approach is used to confirm the worst-case response time of each task. To guarantee the deadlines of tasks that communicate across the network, the access time and delay of the communication medium are set to a fixed value. Moreover, the computational model must meet the real-time requirements of the railway interlocking system: within the system computing cycle we set many check points $P_i$ ($i = 1, 2, \ldots, n$), which are small enough for synchronization, and voting on the computation results is executed at each check point. The safety computation flow of the SIC is shown in Figure 5.

[Figure 5: Safety computational model of the SIC. Elements: initialize; synchronization clock; start; time trigger; tasks of interlocking logic $\tau_1, \ldots, \tau_n, \tau_{n+1}$ on each unit; guaranteed synchronous start; clock check points $P_i$; safety functions.]

4 Hardware safety integrity level evaluation

4.1 Safety integrity

As an authoritative international standard for safety-related systems, IEC 61508 defines safety integrity as the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. In IEC 61508, four levels of safety integrity are prescribed, SIL1 to SIL4; SIL1 is the lowest and SIL4 the highest. According to IEC 61508, the SIC belongs to the safety-related systems operating in high demand or continuous mode. The SIL of the SIC can therefore be evaluated via the probability of a dangerous failure per hour. The provision of IEC 61508 for such systems is given in Table 1.

Table 1 - Safety integrity levels: target failure measures for a safety function operating in high demand or continuous mode of operation

Safety integrity level | High demand or continuous mode of operation (probability of a dangerous failure per hour)
4 | >= 10^-9 to < 10^-8
3 | >= 10^-8 to < 10^-7
2 | >= 10^-7 to < 10^-6
1 | >= 10^-6 to < 10^-5

4.2 Reliability block diagram of the SIC

After analyzing the structure and working principle of the SIC, we obtain the reliability block diagram shown in Figure 6.
[Figure 6: Block diagram of SIC reliability. High bus, logic subsystem and low bus; NET1, NET2 and each computing unit modelled as 2oo2 blocks with λ = 1×10^-7 and DC = 99%; voting = 1oo2D; β = 2%, βD = 1%.]

5 Conclusions

In this paper, we proposed an available standardized component-based computer, the SIC. Railway signal interlocking is a fail-safe system with a required probability of less than 10^-9 safety-critical failures per hour. In order to meet these critical constraints, a fault-tolerant architecture and safety tactics are used in the SIC. Although the computational model and implementation techniques are rather complex, the philosophy of the SIC offers a promising prospect for safety-critical applications: it results in a simpler style of hardware, and furthermore it can shorten the development cycle and reduce cost. The SIC has been put into practical application, and its high reliability and safety performance have been proven.
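The multilevel voting model of Section 3.4.1 (equations (1) to (4)), written out as an added example; this is not code from the paper or the SIC project. It assumes that each $S_{ci}$ is a single "signal may show proceed" decision for one route, that None is the restrictive (fail-safe) state of a 2oo2 component, and that watchdog health is one boolean per IC; the diverse algorithms, the route inputs and the injected design error are all constructed here.

```python
# Added example (not from the paper): SIC = F_1oo2D(F_2oo2(S_c11, S_c12), F_2oo2(S_c21, S_c22)).
# Assumptions: S_ci is the "proceed" decision for one route, None is the restrictive state of
# a 2oo2 component, and the watchdog state of each IC is a single boolean (wd1, wd2).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Inputs:                  # stands in for D_net1, D_net2, D_di, D_fss of equations (1)-(2)
    tracks_clear: tuple        # route track sections, True = unoccupied
    switches_locked: tuple     # switch points locked in the required position
    fss_ok: bool               # fail-safe switch unit reports healthy


def s_alg_a(d: Inputs) -> bool:
    """Diverse algorithm 1: proceed only if every condition holds."""
    return d.fss_ok and all(d.tracks_clear) and all(d.switches_locked)


def s_alg_b(d: Inputs) -> bool:
    """Diverse algorithm 2: the same rule written as 'no blocking condition exists'."""
    blocked = (not d.fss_ok) or (False in d.tracks_clear) or (False in d.switches_locked)
    return not blocked


def f_2oo2(s1: Optional[bool], s2: Optional[bool]) -> Optional[bool]:
    """2oo2: both channels of an IC must agree, otherwise the IC goes restrictive (None)."""
    return s1 if s1 is not None and s1 == s2 else None


def f_1oo2d(f1: Optional[bool], f2: Optional[bool], wd1: bool, wd2: bool) -> bool:
    """1oo2D: the watchdog/diagnostic state selects which IC result may be trusted."""
    trusted = [f for f, wd in ((f1, wd1), (f2, wd2)) if wd and f is not None]
    if len(trusted) == 2 and trusted[0] != trusted[1]:
        return False           # both ICs look healthy yet disagree: diagnostics cannot arbitrate
    return trusted[0] if trusted else False   # no trusted IC: restrictive output


def sic_output(d: Inputs, wd1: bool = True, wd2: bool = True,
               algs=((s_alg_a, s_alg_b), (s_alg_a, s_alg_b))) -> bool:
    """One computing cycle: equations (1)-(4) for IC1 = (C11, C12) and IC2 = (C21, C22)."""
    f_sic = [f_2oo2(a(d), b(d)) for a, b in algs]   # (1)-(3): S_ci1, S_ci2, F_SICi
    return f_1oo2d(f_sic[0], f_sic[1], wd1, wd2)    # (4): SIC_Output


# Constructed scenario: a two-section route with both switch points locked.
CLEAR = Inputs((True, True), (True, True), True)
OCCUPIED = Inputs((True, False), (True, True), True)


def faulty_channel(d: Inputs) -> bool:
    """Constructed design error for one channel: it forgets to check track occupancy."""
    return d.fss_ok and all(d.switches_locked)
```

Running `sic_output(OCCUPIED, algs=((s_alg_a, faulty_channel), (s_alg_a, s_alg_b)))` shows the point of the diverse 2oo2 pair: the faulty C12 disagrees with C11, IC1 falls to the restrictive state, and the 1oo2D stage takes the still-healthy IC2 result, so the signal stays at stop.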
