Chinese-English bilingual foreign-literature translation (the document contains the English original and the Chinese translation)
Component-based Safety Computer of Railway Signal Interlocking System
1 Introduction
The signal interlocking system is the critical equipment that guarantees traffic safety and enhances operational efficiency in railway transportation. For a long time the core control computer adopted in interlocking systems has been a specially customized high-grade safety computer, for example the SIMIS of Siemens or the EI32 of Nippon Signal. With the rapid development of electronic technology, the customized safety computer is facing severe challenges, for instance high development costs, poor usability, weak expansibility and slow technology update. To overcome the flaws of the high-grade specially customized computer, the U.S. Department of Defense put forward the concept that commercial standards should be adopted in place of military norms and standards in order to meet consumers' demand [1]. In the meantime there have been several explorations and practices of adopting open system architectures in avionics. The United States and Europe have done much research on using cost-effective fault-tolerant computers to replace dedicated computers in aerospace and other safety-critical fields. In recent years the use of standardized components in aerospace, industry, transportation and other safety-critical fields is gradually becoming a new trend.
2 Railway signal interlocking system
2.1 Functions of signal interlocking system
The basic function of a signal interlocking system is to protect train safety by controlling the signal equipment in a station, such as switch points, signals and track units, and to set routes according to defined interlocking rules. Since the birth of railway transportation, signal interlocking has gone through manual signalling, mechanical signalling, relay-based interlocking and the modern computer-based interlocking system.
2.2 Architecture of signal interlocking system
Generally the interlocking system has a hierarchical structure. According to the function of the equipment, the system can be divided into three layers, as shown in Figure 1.
Figure 1 Architecture of Signal Interlocking System (layers from top to bottom: Man-Machine Interface layer, Interlocking safety layer, Implementation layer; the outdoor equipment sits below the implementation layer)
3 Component-based safety computer design
3.1 Design strategy
The design concept of a component-based safety-critical computer differs from that of a specially customized computer. Our design strategy for the SIC, the component-based safety computer proposed here, is based on fault tolerance and system integration. We separate the SIC into three layers: the standardized component unit layer, the safety software layer and the system layer. Different safety functions are allocated to each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:
(1) The component unit layer includes four independent standardized CPU modules. A hardware "SAFETY AND" logic is implemented in this layer.
(2) The safety software layer mainly uses a fail-safe strategy and fault-tolerance management. The interlocking safety computation of the whole system adopts two outputs from different CPUs; this largely ensures software diversity, so that design errors of a single software version are caught and hidden risks removed.
(3) The system layer aims to improve reliability, availability and maintainability by means of redundancy.
3.2 Design of hardware fault-tolerant structure
As shown in Figure 2, the SIC consists of four independent component units (C11, C12, C21, C22). The fault-tolerant architecture adopts a double 2-vote-2 (2v2×2) structure, and a high-performance standardized module with an Intel XScale core at 533 MHz has been selected as the computing unit. The operation of the SIC is based on dual two-layer data buses. The high bus uses standard Ethernet with the TCP/IP protocol, and the low bus is a Controller Area Network (CAN). C11/C12 and C21/C22 respectively form two safety computing components, IC1 and IC2, each of 2v2 structure, and each component has an external dynamic-circuit watchdog for computing supervision and switching.
Figure 2 Hardware structure of SIC (console and diagnosis terminal on the high bus (Ethernet); computing units C11, C12, C21, C22; watchdog driver, fail-safe switch, input module and output module on the low bus (CAN); interface to the field)
3.3 Standardized component unit
Once the component module has been chosen, a secondary development of the module has to be done according to the safety-critical requirements of the railway signal interlocking system. This design includes the power supply, interfaces and other embedded circuits.
The fault-tolerant processing, synchronized computing and fault diagnosis of the SIC mostly depend on the safety software. Here the safety software design method also differs from that of the special computer. For a dedicated computer the software is usually designed specially on the bare hardware. Restricted by computing ability and by the application, a special scheduling program rather than a general-purpose operating system is commonly designed as the safety software of the computer, and the fault-tolerant processing and fault diagnosis of the dedicated computer are tightly hardware-coupled. The safety software of the SIC, however, is open and loosely hardware-coupled, and it is based on a standard Linux OS.
The safety software is the vital element of the secondary development. It includes Linux OS adjustment, fail-safe process, fault-tolerance management and safety interlocking logic. The hierarchical relations between them are shown in Figure 4.
Figure 4 Safety software hierarchy of SIC (from top to bottom: Safety interlock logic, Fail-safe process, Fault-tolerance management, Linux OS adjustment)
3.4 Fault-tolerant model and safety computation
3.4.1 Fault-tolerant model
The fault-tolerant computation of the SIC is a multilevel model:

$SIC = F_{1oo2D}\big(F_{2oo2}(S_{c11}, S_{c12}),\; F_{2oo2}(S_{c21}, S_{c22})\big)$
Firstly, the basic computing unit Ci1 uses one algorithm to compute S_Ci1 and Ci2 computes S_Ci2 via a different algorithm; secondly, the 2-out-of-2 (2oo2) safety computing component of the SIC executes the 2oo2 calculation and obtains F_SICi from the results S_Ci1 and S_Ci2; thirdly, according to the states of the watchdog and switch unit block, the result of the SIC is obtained via a 1-out-of-2 with diagnostics (1oo2D) calculation based on F_SIC1 and F_SIC2.
The flow of calculations is as follows:

(1) $S_{ci1} = F_{ci1}(D_{net1}, D_{net2}, D_{di}, D_{fss})$

(2) $S_{ci2} = F_{ci2}(D_{net1}, D_{net2}, D_{di}, D_{fss})$

(3) $F_{SICi} = F_{2oo2}(S_{ci1}, S_{ci2}),\ (i = 1, 2)$

(4) $\mathrm{SIC\_Output} = F_{1oo2D}(F_{SIC1}, F_{SIC2})$
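The multilevel model above, worked through as an added Python example (this is not code from the paper): two deliberately different algorithms decide whether a requested route may be set on a small constructed station model, a 2oo2 comparator per safety computing component forces the restrictive state on any disagreement, and a 1oo2D selector chooses between IC1 and IC2 using their watchdog state. The station layout, the `Inputs` record and the `inject` fault hook are assumptions made for the example.

```python
"""Multilevel fault-tolerant computation of the SIC, modelled in Python.

Illustrative example: the station model, the Inputs record and the fault
injection hook are constructed for this example, not taken from the paper.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed station: each route occupies a set of track sections and
# requires certain switch point positions. Routes conflict if they share
# a section (R1 and R2 both use T2).
ROUTES: Dict[str, Tuple[FrozenSet[str], Dict[str, str]]] = {
    "R1": (frozenset({"T1", "T2"}), {"P1": "normal"}),
    "R2": (frozenset({"T2", "T3"}), {"P1": "reverse"}),
    "R3": (frozenset({"T4"}), {}),
}
ALL_SECTIONS = sorted({s for secs, _ in ROUTES.values() for s in secs})

RESTRICTIVE = "RESTRICTIVE"   # fail-safe output: the signal stays at stop
PROCEED = "PROCEED"

@dataclass
class Inputs:
    """Snapshot of D_net1/D_net2 (field state), D_di (console request)
    and the routes already locked, as seen by one computing cycle."""
    occupied: FrozenSet[str]
    points: Dict[str, str]
    locked_routes: FrozenSet[str]
    requested: str

def f_ci1(inp: Inputs) -> str:
    """Algorithm 1 (unit Ci1): set-based conflict and point-position check."""
    sections, needed_points = ROUTES[inp.requested]
    if sections & inp.occupied:
        return RESTRICTIVE
    if any(ROUTES[r][0] & sections for r in inp.locked_routes):
        return RESTRICTIVE
    if any(inp.points.get(p) != pos for p, pos in needed_points.items()):
        return RESTRICTIVE
    return PROCEED

def f_ci2(inp: Inputs) -> str:
    """Algorithm 2 (unit Ci2): the same decision via bit masks, written
    independently so that a design error in one version is not shared."""
    bit = {s: 1 << i for i, s in enumerate(ALL_SECTIONS)}

    def mask(secs: FrozenSet[str]) -> int:
        m = 0
        for s in secs:
            m |= bit[s]
        return m

    wanted = mask(ROUTES[inp.requested][0])
    busy = mask(inp.occupied)
    for r in inp.locked_routes:
        busy |= mask(ROUTES[r][0])
    if wanted & busy:
        return RESTRICTIVE
    points_ok = all(inp.points.get(p) == pos
                    for p, pos in ROUTES[inp.requested][1].items())
    return PROCEED if points_ok else RESTRICTIVE

def f_2oo2(s1: str, s2: str) -> str:
    """2oo2 safety computing component: both units must agree, otherwise
    the component outputs the restrictive (safe) state."""
    return s1 if s1 == s2 else RESTRICTIVE

def f_1oo2d(f_sic1: Optional[str], f_sic2: Optional[str],
            wd1_ok: bool, wd2_ok: bool) -> str:
    """1oo2D: a component is only eligible if its watchdog / switch unit
    reports it healthy and it delivered a result (None = no result).
    Two healthy components that disagree are not trusted either."""
    c1 = f_sic1 if wd1_ok else None
    c2 = f_sic2 if wd2_ok else None
    if c1 is not None and c2 is not None:
        return c1 if c1 == c2 else RESTRICTIVE
    if c1 is not None:
        return c1
    if c2 is not None:
        return c2
    return RESTRICTIVE

def sic_output(inp: Inputs, wd1_ok: bool = True, wd2_ok: bool = True,
               inject: Optional[Dict[str, Optional[str]]] = None) -> str:
    """Whole SIC: IC1 = 2oo2(C11, C12), IC2 = 2oo2(C21, C22), voted 1oo2D.
    `inject` (constructed test hook) overrides one unit's result, e.g.
    {"C11": "PROCEED"} for a faulty unit or {"C11": None} for a silent one."""
    inject = inject or {}
    components: Dict[str, Optional[str]] = {}
    for ic in ("1", "2"):
        s1 = inject.get(f"C{ic}1", f_ci1(inp))
        s2 = inject.get(f"C{ic}2", f_ci2(inp))
        components[ic] = None if s1 is None or s2 is None else f_2oo2(s1, s2)
    return f_1oo2d(components["1"], components["2"], wd1_ok, wd2_ok)
```

Note that the 1oo2D stage only ever relaxes to PROCEED when at least one healthy component produced that result and no healthy component contradicts it; every other combination (disagreement, a tripped watchdog on the only component that answered, or no answer at all) yields the restrictive state, which is the fail-safe direction for interlocking.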
3.4.2 Safety computation
As an interlocking system consists of a fixed set of tasks, the computational model of the SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here the time-triggered mode is selected: tasks are executed cyclically. The consistency of the computing states between the two units is the foundation on which the SIC ensures safety and credibility. As the SIC works in a loosely coupled mode, it differs from a dedicated hardware-coupled computer, so a specialized synchronization algorithm is necessary for the SIC.
The SIC can be considered a multiprocessor distributed system, and its computational model is essentially based on data comparison via high-bus communication. First, an analytical approach is used to confirm the worst-case response time of each task. To guarantee the deadlines of tasks that communicate across the network, the access time and delay of the communication medium are bounded to a fixed value. Moreover, the computational model must meet the real-time requirements of the railway interlocking system: within the system computing cycle we set a number of checkpoints P_i (i = 1, 2, ..., n) that are spaced closely enough for synchronization, and voting on the computation results is executed at each checkpoint. The safety computation flow of the SIC is shown in Figure 5.
Figure 5 Safety computational model of SIC (units C_i1 and C_i2 each run the same cyclic task set from Start at τ_0, passing checkpoints P_1 ... P_n at τ_1 ... τ_n and finishing the cycle at τ_n+1, over clock cycles T_0, T_1, T_2; legend: i: tasks of interlocking; Initialize synchronization; Guarantee synchronous; Time trigger: safety function check point logic)
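The checkpoint scheme of Figure 5, as an added Python model (not code from the paper): two loosely coupled units run the same cyclic task list, exchange a digest of their computing state at every checkpoint P_i, and drop to the fail-safe state either when the digests differ or when the partner's checkpoint message misses the bounded bus deadline. A small worst-case response-time check stands in for the analytical schedulability step. The task set, timing constants and the two fault-injection hooks are assumptions made for the example.

```python
"""Time-triggered checkpoint synchronization of two loosely coupled units.

Added illustrative model of the computation flow in figure 5; the task set,
cycle times and fault hooks are constructed for the example, not from the
paper.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, object]
Task = Tuple[str, Callable[[State], None], float]   # (name, body, WCET in ms)

def schedule_feasible(tasks: List[Task], cycle_ms: float, bus_delay_ms: float) -> bool:
    """Analytical worst-case response-time check: tasks run in order, each
    followed by one checkpoint exchange over the high bus whose delay is
    bounded to bus_delay_ms. Every response time must fit the cycle."""
    response = 0.0
    for _, _, wcet in tasks:
        response += wcet + bus_delay_ms
        if response > cycle_ms:
            return False
    return True

def state_digest(state: State) -> str:
    """Digest of the computing state exchanged at a checkpoint P_i instead of
    the raw state, so the comparison costs one fixed-size bus message."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def run_cycle(tasks: List[Task], deadline_ms: float,
              corrupt_b_after: Optional[Tuple[int, Callable[[State], None]]] = None,
              partner_delay_ms: Optional[Dict[int, float]] = None
              ) -> Tuple[str, List[str], State]:
    """Run one computing cycle on units A and B.

    After task i both units reach checkpoint P_i, exchange digests and vote.
    The cycle stops in FAIL_SAFE if the partner's digest arrives after the
    checkpoint deadline or if the digests differ. corrupt_b_after and
    partner_delay_ms are fault-injection hooks for the example.
    Returns (status, checkpoint log, unit A's state)."""
    partner_delay_ms = partner_delay_ms or {}
    state_a: State = {}
    state_b: State = {}
    log: List[str] = []
    for i, (name, body, _) in enumerate(tasks, start=1):
        body(state_a)
        body(state_b)
        if corrupt_b_after and corrupt_b_after[0] == i:
            corrupt_b_after[1](state_b)          # e.g. a bit flip in unit B
        if partner_delay_ms.get(i, 0.0) > deadline_ms:
            log.append(f"P{i}: partner digest late -> FAIL_SAFE")
            return "FAIL_SAFE", log, state_a
        if state_digest(state_a) != state_digest(state_b):
            log.append(f"P{i} after {name}: state mismatch -> FAIL_SAFE")
            return "FAIL_SAFE", log, state_a
        log.append(f"P{i} after {name}: voted OK")
    return "OK", log, state_a

# Constructed interlocking task set for one cycle
def read_inputs(s: State) -> None:
    s["occupied"] = ["T2"]                       # D_net: track T2 is occupied

def evaluate_interlocking(s: State) -> None:
    s["S1"] = "stop" if "T2" in s["occupied"] else "proceed"

def drive_outputs(s: State) -> None:
    s["outputs"] = {"S1": s["S1"]}

DEMO_TASKS: List[Task] = [
    ("read_inputs", read_inputs, 2.0),
    ("evaluate_interlocking", evaluate_interlocking, 5.0),
    ("drive_outputs", drive_outputs, 1.0),
]

def flip_signal(s: State) -> None:
    """Fault model for the example: unit B's evaluation result is corrupted."""
    s["S1"] = "proceed"

if __name__ == "__main__":
    print("schedulable:", schedule_feasible(DEMO_TASKS, cycle_ms=20.0, bus_delay_ms=1.0))
    print("healthy cycle:", run_cycle(DEMO_TASKS, deadline_ms=3.0)[0])
    print("corrupted B:", run_cycle(DEMO_TASKS, deadline_ms=3.0,
                                    corrupt_b_after=(2, flip_signal))[0])
```

The point of comparing at every checkpoint rather than only at the end of the cycle is that the corrupted evaluation in unit B is caught at P_2, before the output task runs on either unit, so no permissive output is ever driven from a diverged state.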
4 Hardware safety integrity level evaluation
4.1 Safety integrity
As the authoritative international standard for safety-related systems, IEC 61508 defines safety integrity as the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. IEC 61508 prescribes four safety integrity levels, SIL1 to SIL4; SIL1 is the lowest and SIL4 the highest.
According to IEC 61508, the SIC belongs to the safety-related systems operating in high demand or continuous mode. The SIL of the SIC can therefore be evaluated via the probability of a dangerous failure per hour. The provision of IEC 61508 for such systems is given in Table 1.
Table 1 Safety integrity levels: target failure measures for a safety function operating in high demand or continuous mode of operation

Safety integrity level    High demand or continuous mode of operation (probability of a dangerous failure per hour)
4                         ≥10^-9 to <10^-8
3                         ≥10^-8 to <10^-7
2                         ≥10^-7 to <10^-6
1                         ≥10^-6 to <10^-5
4.2 Reliability block diagram of SIC
After analyzing the structure and working principle of the SIC, we obtain the reliability block diagram shown in Figure 6.
Figure 6 Block diagram of SIC reliability (three blocks in series: high bus (NET1, NET2; 2oo2), logic subsystem (2oo2) and low bus (NET1, NET2; 2oo2), each voted 1oo2D; parameter boxes in the order they appear: λ = 1×10^-7, DC = 99%, Voting = 1oo2D; λ = 1×10^-7, DC = 99%, Voting = 1oo2D; λ = 1×10^-7 (exponent assumed to match the other blocks, it did not survive extraction), β = 2%, βD = 1%, DC = 99%, Voting = 1oo2D)
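To connect Table 1 with the block diagram of Figure 6, here is an added Python calculation (it is not the paper's own evaluation): each 1oo2D block's probability of a dangerous failure per hour is estimated from its λ, DC, β and βD, the three series blocks are summed, and the result is mapped to a SIL band from Table 1. The PFH expression is a dominant-term approximation in the style of the IEC 61508-6 Annex B formulas for a 1oo2 architecture and is an assumption of this example, as are the proof-test interval T1 = 8760 h, the repair time MTTR = 8 h, and the use of β = 2%, βD = 1% for all three blocks although the figure shows them on only one.

```python
"""Simplified hardware safety integrity estimate for the SIC block diagram.

Added illustrative calculation, not the paper's own evaluation. The PFH
formula is a dominant-term approximation in the style of the IEC 61508-6
Annex B equations for a 1oo2 architecture (assumed here); T1 and MTTR are
assumptions; beta / beta_D are applied to all three blocks although figure 6
shows them on only one.
"""
from typing import Dict, Optional

def pfh_1oo2d(lam: float, dc: float, beta: float, beta_d: float,
              t1_hours: float = 8760.0, mttr_hours: float = 8.0) -> float:
    """Probability of a dangerous failure per hour of one 1oo2(D) block.

    lam     total failure rate per channel (1/h)
    dc      diagnostic coverage: splits lam into detected / undetected parts
    beta    common-cause factor for dangerous undetected failures
    beta_d  common-cause factor for dangerous detected failures
    """
    if lam <= 0.0:
        return 0.0
    lam_dd = dc * lam                 # dangerous detected
    lam_du = (1.0 - dc) * lam         # dangerous undetected
    # channel equivalent mean down time (assumed form): undetected faults
    # persist until the next proof test, detected ones only until repair
    t_ce = (lam_du / lam) * (t1_hours / 2.0 + mttr_hours) + (lam_dd / lam) * mttr_hours
    # independent double failure: one channel down, the other fails undetected
    independent = 2.0 * ((1.0 - beta_d) * lam_dd + (1.0 - beta) * lam_du) * lam_du * t_ce
    # common-cause failures hit both channels at once and are not voted out
    common_cause = beta_d * lam_dd + beta * lam_du
    return independent + common_cause

def sil_from_pfh(pfh: float) -> Optional[int]:
    """Table 1: SIL bands for high demand / continuous mode."""
    bands = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
    for sil, (lo, hi) in bands.items():
        if lo <= pfh < hi:
            return sil
    return None   # outside the table (worse than SIL1, or below the SIL4 band)

# Figure 6 parameters: three blocks in series, each 2oo2 with 1oo2D voting
FIGURE6_BLOCKS: Dict[str, Dict[str, float]] = {
    "high_bus": dict(lam=1e-7, dc=0.99, beta=0.02, beta_d=0.01),
    "logic":    dict(lam=1e-7, dc=0.99, beta=0.02, beta_d=0.01),
    "low_bus":  dict(lam=1e-7, dc=0.99, beta=0.02, beta_d=0.01),
}

def sic_pfh(blocks: Dict[str, Dict[str, float]] = FIGURE6_BLOCKS) -> float:
    """Blocks in series: the dangerous failure rates add."""
    return sum(pfh_1oo2d(**p) for p in blocks.values())

def sic_sil(blocks: Dict[str, Dict[str, float]] = FIGURE6_BLOCKS) -> Optional[int]:
    return sil_from_pfh(sic_pfh(blocks))

if __name__ == "__main__":
    for name, p in FIGURE6_BLOCKS.items():
        print(f"{name:9s} PFH = {pfh_1oo2d(**p):.3e} /h")
    print(f"SIC total PFH = {sic_pfh():.3e} /h -> SIL {sic_sil()}")
```

With the figure's values the common-cause term βD·λDD (0.01 × 9.9×10^-8 ≈ 1×10^-9 per block) dominates and the independent double-failure term is several orders of magnitude smaller, so the estimate is governed by how well the two channels are separated rather than by their individual failure rate; this is why the β factors, not λ, decide whether the total of about 3×10^-9 /h stays in the SIL4 band.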
5 Conclusions
In this paper we proposed an available standardized component-based computer, the SIC. Railway signal interlocking is a fail-safe system with a required probability of less than 10^-9 safety-critical failures per hour. In order to meet these critical constraints, a fault-tolerant architecture and safety tactics are used in the SIC. Although the computational model and implementation techniques are rather complex, the philosophy of the SIC offers a promising prospect for safety-critical applications: it results in a simpler style of hardware; furthermore,