
Chinese-English Literature Translation

Graduation Project (Thesis): Foreign-Language Reference and Its Translation

English title: Component-based Safety Computer of Railway Signal Interlocking System
Chinese title: 模块化安全铁路信号计算机联锁系统
School: School of Automation and Electrical Engineering
Major: Automatic Control
Name: 葛彦宁
Student ID: 200808746
Supervisor: 贺清
Date: May 30, 2012

Component-based Safety Computer of Railway Signal Interlocking System

1 Introduction

The signal interlocking system is the critical equipment that guarantees traffic safety and enhances operational efficiency in railway transportation. For a long time, the core control computer adopted in interlocking systems has been a specially customized high-grade safety computer, for example the SIMIS of Siemens, the EI32 of Nippon Signal, and so on. With the rapid development of electronic technology, the customized safety computer is facing severe challenges, for instance high development costs, poor usability, weak expansibility and slow technology updates. To overcome the flaws of the high-grade specially customized computer, the U.S. Department of Defense has put forward the concept that commercial standards should be adopted to replace military norms and standards in order to meet consumers' demand [1]. In the meantime, there have been several explorations and practices in adopting open system architecture in avionics. The United States and Europe have done much research on utilizing cost-effective fault-tolerant computers to replace the dedicated computer in aerospace and other safety-critical fields.
In recent years, the utilization of standardized components has gradually become a new trend in aerospace, industry, transportation and other safety-critical fields.

2 Railways signal interlocking system

2.1 Functions of signal interlocking system

The basic function of the signal interlocking system is to protect train safety by controlling signal equipment in a station, such as switch points, signals and track units, and it handles routes via certain interlocking regulations. Since the birth of railway transportation, the signal interlocking system has gone through manual signal, mechanical signal, relay-based interlocking, and the modern computer-based interlocking system.

2.2 Architecture of signal interlocking system

Generally, the interlocking system has a hierarchical structure. According to the function of the equipment, the system can be divided into three layers, as shown in Figure 1.

Figure 1 Architecture of Signal Interlocking System

3 Component-based safety computer design

3.1 Design strategy

The design concept of a component-based safety-critical computer is different from that of a specially customized computer. Our design strategy for the SIC is based on fault tolerance and system integration. We separate the SIC into three layers: the standardized component unit layer, the safety software layer and the system layer. Different safety functions are allocated to each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:

(1) The component unit layer includes four independent standardized CPU modules. A hardware "SAFETY AND" logic is implemented in this layer.

(2) The safety software layer mainly utilizes a fail-safe strategy and fault-tolerant management.
The interlocking safety computing of the whole system adopts two outputs from different CPUs, which largely ensures the diversity of software needed to cope with design errors of a single version and removes hidden risks.

(3) The system layer aims to improve reliability, availability and maintainability by means of redundancy.

3.2 Design of hardware fault-tolerant structure

As shown in Figure 2, the SIC consists of four independent component units (C11, C12, C21, C22). The fault-tolerant architecture adopts a dual 2 vote 2 (2v2×2) structure, and a high-performance standardized module, which adopts an Intel XScale kernel at 533 MHz, has been selected as the computing unit.

The operation of the SIC is based on dual two-layer data buses. The high bus adopts standard Ethernet and the TCP/IP communication protocol, and the low bus is Controller Area Network (CAN). C11, C12 and C21, C22 respectively make up the two safety computing components IC1 and IC2, which are of 2v2 structure. Each component has an external dynamic circuit watchdog that is set for computing supervision and switching.

Figure 2 Hardware structure of SIC

3.3 Standardized component unit

Once the component module has been selected, we have to do secondary development on the module according to the safety-critical requirements of the railway signal interlocking system. The design includes power supply, interfaces and other embedded circuits.

The fault-tolerant processing, synchronized computing and fault diagnosis of the SIC mostly depend on the safety software. Here the safety software design method also differs from that of the special computer. For a dedicated computer, the software is often specially designed on the bare hardware. As it is restricted by computing ability and application object, a special scheduling program, not a universal operating system, is commonly designed as the safety software for the computer. The fault-tolerant processing and fault diagnosis of the dedicated computer are tightly hardware-coupled.
However, the safety software for the SIC is exoteric and loosely hardware-coupled, and it is based on a standard Linux OS.

The safety software is a vital element of the secondary development. It includes Linux OS adjustment, the fail-safe process, fault-tolerance management, and the safety interlocking logic. The hierarchy relations between them are shown in Figure 4.

[Figure 4: Safety software hierarchy of SIC. Layers as listed in the figure: Safety Interlock Logic; Fail-safe process; Fault-tolerance management; Linux OS adjustment]

3.4 Fault-tolerant model and safety computation

3.4.1 Fault-tolerant model

The fault-tolerant computation of the SIC follows a multilevel model:

$SIC = F_{1oo2D}(F_{2oo2}(S_{C11}, S_{C12}), F_{2oo2}(S_{C21}, S_{C22}))$

Firstly, the basic computing unit Ci1 adopts one algorithm to compute $S_{Ci1}$, and Ci2 computes $S_{Ci2}$ via a different algorithm. Secondly, the 2 out of 2 (2oo2) safety computing component of the SIC executes the 2oo2 calculation and obtains $F_{SICi}$ from the calculation results $S_{Ci1}$ and $S_{Ci2}$. Thirdly, according to the states of the watchdog and the switch unit block, the result of the SIC is obtained via a 1 out of 2 with diagnostics (1oo2D) calculation, which is based on $F_{SIC1}$ and $F_{SIC2}$.

The flow of calculations is as follows:

(1) $S_{Ci1} = F_{Ci1}(D_{net1}, D_{net2}, D_{di}, D_{fss})$
(2) $S_{Ci2} = F_{Ci2}(D_{net1}, D_{net2}, D_{di}, D_{fss})$
(3) $F_{SICi} = F_{2oo2}(S_{Ci1}, S_{Ci2}),\ (i = 1, 2)$
(4) $SIC\_OutPut = F_{1oo2D}(F_{SIC1}, F_{SIC2})$

3.4.2 Safety computation

As the interlocking system consists of a fixed set of tasks, the computational model of the SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here the time-triggered mode is selected, and tasks are executed cyclically. The consistency of computing states between the two units is the foundation on which the SIC ensures safety and credibility. As the SIC works in a loosely coupled mode, it is different from a dedicated hardware-coupled computer.
So a specialized synchronization algorithm is necessary for the SIC.

The SIC can be considered a multiprocessor distributed system, and its computational model is essentially based on data comparison via high bus communication. First, an analytical approach is used to confirm the worst-case response time of each task. To guarantee the deadline of tasks that communicate across the network, the access time and delay of the communication medium are set to a fixed possible value. Moreover, the computational model must meet the real-time requirements of the railway interlocking system. Within the system computing cycle, we set many checkpoints $P_i$ ($i = 1, 2, \ldots, n$), which are small enough for synchronization, and computation result voting is executed at each point. The safety computation flow of the SIC is shown in Figure 5.

[Figure 5: Safety computational model of SIC. Labels in the figure: Start; clock; Safety functions; Tasks of interlocking logic; $p_i$: checkpoint; Initialize; Synchronization; Guarantee; Synchronous; Time trigger]

4. Hardware safety integrity level evaluation

4.1 Safety Integrity

As an authoritative international standard for safety-related systems, IEC 61508 presents a definition of safety integrity: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. In IEC 61508, four levels of safety integrity are prescribed, SIL1 to SIL4. SIL1 is the lowest and SIL4 the highest.

According to IEC 61508, the SIC belongs to the safety-related systems in high demand or continuous mode of operation. The SIL of the SIC can be evaluated via the probability of dangerous failure per hour.
For the provisions of IEC 61508 on the SIL of such systems, see Table 1.

Table 1 - Safety integrity levels: target failure measures for a safety function operating in high demand or continuous mode of operation

| Safety integrity level | High demand or continuous mode of operation (probability of a dangerous failure per hour) |
|---|---|
| 4 | $\geq 10^{-9}$ to $< 10^{-8}$ |
| 3 | $\geq 10^{-8}$ to $< 10^{-7}$ |
| 2 | $\geq 10^{-7}$ to $< 10^{-6}$ |
| 1 | $\geq 10^{-6}$ to $< 10^{-5}$ |

4.2 Reliability block diagram of SIC

After analyzing the structure and working principle of the SIC, we get the reliability block diagram shown in Figure 6.

Figure 6 Block diagram of SIC reliability

5. Conclusions

In this paper, we proposed an available standardized component-based computer, the SIC. Railway signal interlocking is a fail-safe system with a required probability of less than $10^{-9}$ safety-critical failures per hour. In order to meet these critical constraints, a fault-tolerant architecture and safety tactics are used in the SIC. Although the computational model and implementation techniques are rather complex, the philosophy of the SIC provides a cheerful prospect for safety-critical applications: it results in a simpler style of hardware and, furthermore, it can shorten the development cycle and reduce cost. The SIC has been put into practical application, and high performance in reliability and safety has been proven.

From: Component-based Safety Computer of Railway Signal Interlocking System

1 Overview

The signal interlocking system is the key equipment for ensuring traffic safety and improving the efficiency of railway transportation.
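The multilevel vote of Section 3.4.1, run at the checkpoints of Section 3.4.2, as an added example that is not code from the paper. The restrictive output `SAFE_OUTPUT`, the latching of a component after a 2oo2 disagreement, the preference for IC1 over IC2, and the checkpoint data are assumptions made for illustration.

```python
"""Added sketch of SIC = F_1oo2D(F_2oo2(S_C11, S_C12), F_2oo2(S_C21, S_C22))."""
from dataclasses import dataclass

SAFE_OUTPUT = "ALL_SIGNALS_STOP"  # assumed restrictive state, not named in the paper

@dataclass
class Component:
    """One 2oo2 safety computing component (IC1 or IC2) with its watchdog state."""
    name: str
    watchdog_ok: bool = True

    def vote_2oo2(self, s_ci1, s_ci2):
        """F_2oo2: release a result only if both diverse units agree exactly."""
        if s_ci1 != s_ci2:
            self.watchdog_ok = False  # assumption: a disagreement latches the component off
            return None
        return s_ci1

def f_1oo2d(components, results):
    """F_1oo2D: use the first component that is healthy and holds a voted result."""
    for comp, res in zip(components, results):
        if comp.watchdog_ok and res is not None:
            return comp.name, res
    return None, SAFE_OUTPUT  # both channels lost: fall back to the safe state

def run_cycle(components, checkpoints):
    """Vote at each checkpoint P_i; an entry maps component name -> (S_Ci1, S_Ci2)."""
    outputs = []
    for point in checkpoints:
        results = [c.vote_2oo2(*point[c.name]) if c.watchdog_ok else None
                   for c in components]
        outputs.append(f_1oo2d(components, results))
    return outputs

def demo():
    """Constructed data: IC1's units diverge at P_2, IC2's units diverge at P_3."""
    checkpoints = [
        {"IC1": ("route_7_locked", "route_7_locked"),
         "IC2": ("route_7_locked", "route_7_locked")},
        {"IC1": ("signal_3_green", "signal_3_red"),
         "IC2": ("signal_3_red", "signal_3_red")},
        {"IC1": ("point_5_normal", "point_5_normal"),
         "IC2": ("point_5_normal", "point_5_reverse")},
    ]
    return run_cycle([Component("IC1"), Component("IC2")], checkpoints)

if __name__ == "__main__":
    for step, (source, value) in enumerate(demo(), start=1):
        print(f"P_{step}: source={source} output={value}")
```

A single disagreeing unit costs availability, since the output switches to the other component, while the restrictive output appears only once both components have failed their own 2oo2 vote.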
