Graduation Design (Thesis): Foreign Reference Literature and Translation
English title: Component-based Safety Computer of Railway Signal Interlocking System
Chinese title: Modular Safety Computer for Railway Signal Interlocking Systems (模块化安全铁路信号计算机联锁系统)
School: School of Automation and Electrical Engineering
Major: Automatic Control
Name: 葛彦宁
Student number: 200808746
Supervisor: 贺清
30 May 2012
Lanzhou Jiaotong University Graduation Design (Foreign Reference Literature)
Component-based Safety Computer of Railway Signal Interlocking System
1 Introduction
The signal interlocking system is the critical equipment that guarantees traffic safety and enhances operational efficiency in railway transportation. For a long time, the core control computer adopted in interlocking systems has been a specially customized high-grade safety computer, for example the SIMIS of Siemens, the EI32 of Nippon Signal, and so on. Along with the rapid development of electronic technology, the customized safety computer is facing severe challenges, for instance high development costs, poor usability, weak expansibility and slow technology update. To overcome the flaws of the high-grade, specially customized computer, the U.S. Department of Defense has put forward the concept that commercial standards should be adopted to replace military norms and standards in order to meet consumers' demand [1]. In the meantime, there have been several explorations and practices of adopting open system architecture in avionics. The United States and Europe have done much research on utilizing cost-effective fault-tolerant computers to replace dedicated computers in aerospace and other safety-critical fields. In recent years, the utilization of standardized components in aerospace, industry, transportation and other safety-critical fields has gradually become a new trend.
2 Railway signal interlocking system
2.1 Functions of signal interlocking system
The basic function of the signal interlocking system is to protect train safety by controlling signal equipment in a station, such as switch points, signals and track units, and it handles routes according to a defined interlocking regulation. Since the birth of railway transportation, the signal interlocking system has gone through manual signalling, mechanical signalling, relay-based interlocking, and the modern computer-based interlocking system.
2.2 Architecture of signal interlocking system
Generally, the interlocking system has a hierarchical structure. According to the function of the equipment, the system can be divided into three layers, as shown in Figure 1.
[Figure 1 Architecture of Signal Interlocking System. Layers from top to bottom: Man-Machine Interface layer; Interlocking safety layer; Implementation layer; Outdoor equipment.]
3 Component-based safety computer design
3.1 Design strategy
The design concept of a component-based safety-critical computer is different from that of a specially customized computer. Our design strategy for SIC is based on fault tolerance and system integration. We separate the SIC into three layers: the standardized component unit layer, the safety software layer and the system layer. Different safety functions are allocated to each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:
(1) The component unit layer includes four independent standardized CPU modules. A hardware "SAFETY AND" logic is implemented in this layer.
(2) The safety software layer mainly utilizes a fail-safe strategy and fault-tolerant management. The interlocking safety computation of the whole system adopts two outputs from different CPUs; this largely ensures the diversity of the software, so as to cope with the design errors of a single version and remove hidden risks.
(3) The system layer aims to improve reliability, availability and maintainability by means of redundancy.
3.2 Design of hardware fault-tolerant structure
As shown in Figure 2, the SIC consists of four independent component units (C11, C12, C21, C22). The fault-tolerant architecture adopts a dual 2-vote-2 (2v2 × 2) structure, and a kind of high-performance standardized module, which adopts an Intel XScale core at 533 MHz, has been selected as the computing unit. The operation of SIC is based on dual two-layer data buses. The high bus adopts standard Ethernet and the TCP/IP communication protocol, and the low bus is a Controller Area Network (CAN). C11, C12 and C21, C22 respectively make up two safety computing components, IC1 and IC2, which are of 2v2 structure. Each component has an external dynamic-circuit watchdog that is set for computing supervision and switching.
[Figure 2 Hardware structure of SIC. Shown: Console and Diagnosis terminal on the high bus (Ethernet); component units C11, C12, C21, C22; Watchdog driver & Fail-safe switch & Input module; Output module; low bus (CAN) interface.]
3.3 Standardized component unit
After the component module has been chosen, we have to do a secondary development on the module according to the safety-critical requirements of the railway signal interlocking system. The design includes the power supply, interfaces and other embedded circuits. The fault-tolerant processing, synchronized computing and fault diagnosis of SIC mostly depend on the safety software. Here the safety software design method also differs from that of the special computer. For a dedicated computer, the software is often specially designed on the bare hardware. As it is restricted by computing ability and application object, a special scheduling program, rather than a universal operating system, is commonly designed as the safety software for the computer. The fault-tolerant processing and fault diagnosis of the dedicated computer are tightly hardware-coupled. However, the safety software for SIC is open and loosely hardware-coupled, and it is based on a standard Linux OS. The safety software is the vital element of the secondary development. It includes Linux OS adjustment, the fail-safe process, fault-tolerance management and the safety interlocking logic. The hierarchy relations between them are shown in Figure 4.
[Figure 4 Safety software hierarchy of SIC, from top to bottom: Safety Interlock Logic; Fail-safe process; Fault-tolerance management; Linux OS adjustment.]
3.4 Fault-tolerant model and safety computation
3.4.1 Fault-tolerant model
The fault-tolerant computation of SIC is of a multilevel model:
$SIC = F_{1oo2D}\big(F_{2oo2}(S_{c11}, S_{c12}),\; F_{2oo2}(S_{c21}, S_{c22})\big)$
Firstly, the basic computing unit Ci1 adopts one algorithm to complete $S_{Ci1}$, and Ci2 finishes $S_{Ci2}$ via a different algorithm; secondly, the 2-out-of-2 (2oo2) safety computing component of SIC executes the 2oo2 calculation and gets $F_{SICi}$ from the calculation results $S_{Ci1}$ and $S_{Ci2}$; and thirdly, according to the states of the watchdog and the switch unit block, the result of SIC is obtained via a 1-out-of-2 with diagnostics (1oo2D) calculation based on $F_{SIC1}$ and $F_{SIC2}$. The flow of calculations is as follows:
(1) $S_{ci1} = F_{ci1}(D_{net1}, D_{net2}, D_{di}, D_{fss})$
(2) $S_{ci2} = F_{ci2}(D_{net1}, D_{net2}, D_{di}, D_{fss})$
(3) $F_{SICi} = F_{2oo2}(S_{ci1}, S_{ci2}), \quad (i = 1, 2)$
(4) $SIC\_OutPut = F_{1oo2D}(F_{SIC1}, F_{SIC2})$
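The multilevel model above, worked through as an added Python example (not code from the paper or the SIC project): two constructed, diverse route-check algorithms stand in for the channel functions F_ci1 and F_ci2, a constructed faulty variant stands in for a design error in one channel, and the route table, signal names, watchdog flags and switch position are all assumptions. The restrictive value (no signal cleared) is what every disagreement or loss of both components falls back to.

```python
from typing import Callable, Dict, Optional, Tuple

Output = Dict[str, str]       # signal id -> commanded aspect
Inputs = Tuple[object, ...]   # (D_net1, D_net2, D_di, D_fss) of steps (1) and (2)
STOP: Output = {}             # restrictive fail-safe value: no signal cleared
# Constructed station data (hypothetical): route -> (entry signal, tracks it uses)
ROUTES = {"R1": ("S1", ("T1", "T2")), "R2": ("S3", ("T2", "T3"))}

def algo_a(inputs: Inputs) -> Output:
    """Channel algorithm A (constructed): table-driven route check."""
    route, _, occupied, _ = inputs
    signal, tracks = ROUTES[route]
    return {signal: "PROCEED"} if not any(t in occupied for t in tracks) else STOP

def algo_b(inputs: Inputs) -> Output:
    """Channel algorithm B (constructed): set-based route check, diverse from A."""
    route, _, occupied, _ = inputs
    signal, tracks = ROUTES[route]
    return {signal: "PROCEED"} if set(tracks).isdisjoint(occupied) else STOP

def algo_faulty(inputs: Inputs) -> Output:
    """Constructed design error: clears the signal without checking occupancy."""
    return {ROUTES[inputs[0]][0]: "PROCEED"}

def f_2oo2(s_ci1: Output, s_ci2: Output) -> Optional[Output]:
    """Step (3): both diverse channels must agree exactly; otherwise the
    component's result is invalid (None) and the component is withdrawn."""
    return s_ci1 if s_ci1 == s_ci2 else None

def f_1oo2d(f_sic1: Optional[Output], f_sic2: Optional[Output],
            wd_ok: Tuple[bool, bool], switch_to: int) -> Output:
    """Step (4): use the component the fail-safe switch points at only if its
    watchdog is alive and its 2oo2 result is valid; else the other; else STOP."""
    results = {1: f_sic1, 2: f_sic2}
    for i in (switch_to, 3 - switch_to):
        if wd_ok[i - 1] and results[i] is not None:
            return results[i]
    return STOP

def sic_output(units: Dict[str, Callable[[Inputs], Output]], inputs: Inputs,
               wd_ok: Tuple[bool, bool], switch_to: int) -> Output:
    """Steps (1)-(4): run C11, C12, C21, C22 on the same inputs and combine them."""
    s = {name: fn(inputs) for name, fn in units.items()}
    f_sic1 = f_2oo2(s["c11"], s["c12"])
    f_sic2 = f_2oo2(s["c21"], s["c22"])
    return f_1oo2d(f_sic1, f_sic2, wd_ok, switch_to)

# Constructed unit allocations: all healthy, and one with a design error in C11.
HEALTHY = {"c11": algo_a, "c12": algo_b, "c21": algo_a, "c22": algo_b}
IC1_FAULT = {"c11": algo_faulty, "c12": algo_b, "c21": algo_a, "c22": algo_b}
```

With track T2 occupied, the faulty C11 alone cannot clear signal S1: its disagreement with C12 withdraws IC1, and the 1oo2D stage falls to IC2, which commands STOP.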
3.4.2 Safety computation
As the interlocking system consists of a fixed set of tasks, the computational model of SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here the time-triggered mode is selected: tasks are executed cyclically. The consistency of computing states between the two units is the foundation on which SIC ensures safety and credibility. As SIC works in a loosely coupled mode, it differs from a dedicated hardware-coupled computer, so a specialized synchronization algorithm is necessary for SIC. SIC can be considered a multiprocessor distributed system, and its computational model is essentially based on data comparison via high-bus communication. First, an analytical approach is used to confirm the worst-case response time of each task. To guarantee the deadlines of tasks that communicate across the network, the access time and delay of the communication medium are set to a fixed possible value. Moreover, the computational model must meet the real-time requirements of the railway interlocking system: within the system computing cycle we set many check points $P_i$ ($i = 1, 2, \ldots, n$), spaced closely enough for synchronization, and voting on the computation results is executed at each point. The safety computation flow of SIC is shown in Figure 5.
[Figure 5 Safety computational model of SIC. Two timelines, for Ci1 and Ci2, each run from Start at τ0 through check points P1 (τ1), P2 (τ2), ..., Pn (τn) to τn+1 against a common clock T0, T1, T2, .... Legend: Tasks of interlocking; Initialize synchronization; Guarantee synchronous; Time trigger; Safety function check point logic.]
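The time-triggered cycle with check points, as an added Python simulation (not code from the paper or the SIC project): two units execute the same constructed task list, and after every task (check point $P_i$) they compare a digest of their computing state over a bus whose delay is a fixed worst-case value, so the deadline check is the analytical sum of task WCETs and bus delays. Task names, durations, the cycle length and the latched input fault are all constructed assumptions.

```python
import hashlib
import json
from typing import Callable, Dict, List, Tuple

State = Dict[str, object]
Task = Tuple[str, Callable[[State], None], float]   # (name, body, WCET in ms)

def digest(state: State) -> str:
    """Canonical digest of a unit's computing state, exchanged at check point P_i."""
    blob = json.dumps(state, sort_keys=True, default=str).encode()
    return hashlib.sha256(blob).hexdigest()

def run_cycle(tasks: List[Task], units: Tuple[State, State],
              cycle_ms: float, bus_delay_ms: float) -> Tuple[str, float]:
    """One time-triggered computing cycle on both units.
    After each task (check point P_i) the two states are compared via the high
    bus, whose access time is a fixed worst-case value, so elapsed time is the
    analytical WCET sum. Returns (verdict, elapsed_ms); verdict is 'OK',
    'DIVERGED@P<i>' (inconsistent states, fail-safe) or 'DEADLINE@P<i>'."""
    elapsed = 0.0
    for i, (_, body, wcet) in enumerate(tasks, start=1):
        for st in units:
            body(st)
        elapsed += wcet + bus_delay_ms
        if elapsed > cycle_ms:
            return f"DEADLINE@P{i}", elapsed
        if digest(units[0]) != digest(units[1]):
            return f"DIVERGED@P{i}", elapsed
    return "OK", elapsed

# Constructed interlocking tasks operating on a unit's state (hypothetical).
def t_acquire(st: State) -> None:          # D_di already latched into st["raw"]
    st["occupied"] = sorted(st["raw"]["occupied"])

def t_route(st: State) -> None:            # route R1 needs tracks T1 and T2 free
    st["r1_clear"] = not ({"T1", "T2"} & set(st["occupied"]))

def t_command(st: State) -> None:          # restrictive aspect unless route clear
    st["S1"] = "PROCEED" if st["r1_clear"] else "STOP"

TASKS: List[Task] = [("acquire", t_acquire, 2.0), ("route", t_route, 5.0),
                     ("command", t_command, 1.0)]

def fresh_units(occ1: List[str], occ2: List[str]) -> Tuple[State, State]:
    """Two units whose latched digital inputs may differ (constructed input fault)."""
    return ({"raw": {"occupied": occ1}}, {"raw": {"occupied": occ2}})
```

A latched-input discrepancy is caught at the first check point, before either unit commands a signal; a cycle too short for the worst-case path is reported at the check point where the deadline is missed.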
4. Hardware safety integrity level evaluation
4.1 Safety integrity
As an authoritative international standard for safety-related systems, IEC 61508 presents a definition of safety integrity: the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. In IEC 61508, four levels of safety integrity are prescribed, SIL1 to SIL4. SIL1 is the lowest and SIL4 the highest. According to IEC 61508, the SIC belongs to the safety-related systems in high demand or continuous mode of operation. The SIL of SIC can be evaluated via the probability of a dangerous failure per hour. For the provision of SIL for such systems in IEC 61508, see Table 1.
Table 1 Safety integrity levels: target failure measures for a safety function operating in high demand or continuous mode of operation
Safety integrity level | High demand or continuous mode of operation (probability of a dangerous failure per hour)
4 | ≥ 10^-9 to < 10^-8
3 | ≥ 10^-8 to < 10^-7
2 | ≥ 10^-7 to < 10^-6
1 | ≥ 10^-6 to < 10^-5
4.2 Reliability block diagram of SIC
After analyzing the structure and working principle of the SIC, we obtain the reliability block diagram shown in Figure 6.
[Figure 6 Block diagram of SIC reliability. Blocks: High bus (NET1, NET2), Logic subsystem and Low bus (NET1, NET2), each in 2oo2 structure with Voting = 1oo2D; parameters shown include λ = 1 × 10^-7, DC = 99%, β = 2%, βD = 1%.]
5. Conclusions
In this paper, we proposed an available standardized component-based computer, SIC. Railway signal interlocking is a fail-safe system with a required probability of less than 10^-9 safety-critical failures per hour. In order to meet these critical constraints, a fault-tolerant architecture and safety tactics are used in SIC. Although the computational model and implementation techniques are rather complex, the philosophy of SIC provides a cheerful prospect for safety-critical applications: it renders a simpler style of hardware, and furthermore it can shorten the development cycle and reduce cost. SIC has been put into practical application, and high performance in reliability and safety has been proven.
From: