Graduation Project (Thesis)
Foreign-Language Reference and Translation

Chinese title: Modular Safety Railway Signal Computer Interlocking System
School: School of Automation and Electrical Engineering
Major: Automatic Control
Name: 葛彦宁 (Ge Yanning)
Student ID: 200808746
Supervisor: 贺清 (He Qing)
Date: May 30, 2012

Component-based Safety Computer of Railway Signal Interlocking System

1 Introduction

Signal Interlocking System is the critical equipment which can guarantee traffic safety and enhance operational efficiency in railway transportation. For a long time, the core control computer adopted in interlocking systems has been a specially customized high-grade safety computer, for example, the SIMIS of Siemens, the EI32 of Nippon Signal, and so on. Along with the rapid development of electronic technology, the customized safety computer is facing severe challenges, for instance, high development costs, poor usability, weak expansibility and slow technology update. To overcome the flaws of the high-grade special customized computer, the U.S. Department of Defense has put forward the concept that commercial standards should be adopted to replace military norms and standards for meeting consumers' demand [1]. In the meantime, there are several explorations and practices about adopting open system architecture in avionics. The United States and Europe have done much research about utilizing cost-effective fault-tolerant computers to replace the dedicated computer in aerospace and other safety-critical fields. In recent years, the utilization of standardized components in aerospace, industry, transportation and other safety-critical fields has gradually become a new trend.

2 Railway signal interlocking system

2.1 Functions of signal interlocking system

The basic function of the signal interlocking system is to protect train safety by controlling signal equipment, such as switch points, signals and track units in a station, and it handles routes via a certain interlocking regulation. Since the birth of railway transportation, the signal interlocking system has gone through manual signal, mechanical signal, relay-based interlocking, and the modern computer-based Interlocking System.

2.2 Architecture of signal interlocking system

Generally, the Interlocking System has a hierarchical structure. According to the function of the equipment, the system can be divided into three layers as shown in figure 1.

Figure 1 Architecture of Signal Interlocking System

3 Component-based safety computer design

3.1 Design strategy

The design concept of the component-based safety-critical computer is different from that of the special customized computer. Our design strategy for the SIC is based on fault tolerance and system integration. We separate the SIC into three layers: the standardized component unit layer, the safety software layer and the system layer. Different safety functions are allocated to each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:

(1) Component unit layer includes four independent standardized CPU modules. A hardware "SAFETY AND" logic is implemented in this layer.

(2) Safety software layer mainly utilizes fail-safe strategy and fault-tolerant management. The interlocking safety computing of the whole system adopts two outputs from different CPUs, which can mostly ensure the diversity of software to cope with design errors of signal version and remove hidden risks.

(3) System layer aims to improve reliability, availability and maintainability by means of redundancy.

3.2 Design of hardware fault-tolerant structure

As shown in figure 2, the SIC consists of four independent component units (C11, C12, C21, C22). The fault-tolerant architecture adopts a dual 2 vote 2 (2v2×2) structure, and a kind of high-performance standardized module has been selected as the computing unit, which adopts an Intel XScale kernel, 533 MHz. The operation of the SIC is based on dual two-layer data buses. The high bus adopts standard Ethernet and the TCP/IP communication protocol, and the low bus is Controller Area Network (CAN). C11, C12 and C21, C22 respectively make up two safety computing components, IC1 and IC2, which are of 2v2 structure. Each component has an external dynamic circuit watchdog that is set for computing supervision and switching.

Figure 2 Hardware structure of SIC

3.3 Standardized component unit

Once the component module has been determined, according to the safety-critical requirements of the railway signal interlocking system, we have to do a secondary development on the module. The design includes power supply, interfaces and other embedded circuits. The fault-tolerant processing, synchronized computing, and fault diagnosis of the SIC mostly depend on the safety software. Here the safety software design method also differs from that of the special computer. For a dedicated computer, the software is often specially designed based on the bare hardware. As restricted by computing ability and application object, a special scheduling program is commonly designed as safety software for the computer, and not a universal operating system. The fault-tolerant processing and fault diagnosis of the dedicated computer are tightly hardware-coupled. However, the safety software for the SIC is exoteric and loosely hardware-coupled, and it is based on a standard Linux OS. The safety software is the vital element of secondary development. It includes Linux OS adjustment, fail-safe process, fault-tolerance management, and safety interlocking logic. The hierarchy relations between them are shown in Figure 4.

Figure 4 Safety software hierarchy of SIC (layers as listed in the figure: Safety Interlock Logic, Fail-safe process, Fault-tolerance management, Linux OS adjustment)

3.4 Fault-tolerant model and safety computation

3.4.1 Fault-tolerant model

The fault-tolerant computation of the SIC is of a multilevel model:

$$SIC = F_{1002D}\big(F_{2002}(S_{c11}, S_{c12}),\ F_{2002}(S_{c21}, S_{c22})\big)$$

Firstly, basic computing unit Ci1 adopts one algorithm to co