中英文文獻(xiàn)翻譯

1、畢業(yè)設(shè)計(jì)(論文外文參考文獻(xiàn)及譯文 中文題目 模塊化安全鐵路信號(hào)計(jì)算機(jī)聯(lián)鎖系統(tǒng)學(xué) 院 自動(dòng)化與電氣工程學(xué)院專 業(yè) 自動(dòng)控制姓 名 葛彥寧學(xué) 號(hào) 200808746指導(dǎo)教師 賀清 2012年 5月 30日Component-based Safety Computer of Railway Signal Interlocking System1 IntroductionSignal Interlocking System is the critical equipment which can guarantee traffic safety and enhance operational effic

2、iency in railway transportation. For a long time, the core control computer adopts in interlocking system is the special customized high-grade safety computer, for example, the SIMIS of Siemens, the EI32 of Nippon Signal, and so on. Along with the rapid development of electronic technology, the cust

3、omized safety computer is facing severe challenges, for instance, the high development costs, poor usability, weak expansibility and slow technology update. To overcome the flaws of the high-grade special customized computer, the U.S. Department of Defense has put forward the concept :we should adop

4、t commercial standards to replace military norms and standards for meeting consumers demand 1. In the meantime, there are several explorations and practices about adopting open system architecture in avionics. The United Stated and Europe have do much research about utilizing cost-effective fault-to

5、lerant computer to replace the dedicated computer in aerospace and other safety-critical fields. In recent years, it is gradually becoming a new trend that the utilization of standardized components in aerospace, industry, transportation and other safety-critical fields.2 Railways signal interlockin

6、g system2.1 Functions of signal interlocking systemThe basic function of signal interlocking system is to protect train safety by controlling signal equipments, such as switch points, signals and track units in a station, and it handles routes via a certain interlocking regulation.Since the birth of

7、 the railway transportation, signal interlocking system has gone through manual signal, mechanical signal, relay-based interlocking, and the modern computer-based Interlocking System.2.2 Architecture of signal interlocking systemGenerally, the Interlocking System has a hierarchical structure. Accord

8、ing to the function of equipments, the system can be divided to the function of equipments; the systemcan be divided into three layers as shown in figure1. Figure 1 Architecture of Signal Interlocking System3 Component-based safety computer design3.1 Design strategyThe design concept of component-ba

9、sed safety critical computer is different from that of special customized computer. Our design strategy of SIC is on a base of fault-tolerance and system integration. We separate the SIC into three layers, the standardized component unit layer, safety software layer and the system layer. Different s

10、afety func tions are allocated for each layer, and the final integration of the three layers ensures the predefined safety integrity level of the whole SIC. The three layers can be described as follows:(1 Component unit layer includes four independent standardized CPU modules. A hardware “ SAFETY AN

11、D” logic is implemented in this year.(2 Safety software layer mainly utilizes fail-safe strategy and fault-tolerant management. The interlocking safety computing of the whole system adopts two outputs from different CPU, it can mostly ensure the diversity of software to hold with design errors of si

12、gnal version and remove hidden risks.(3 System layer aims to improve reliability, availability and maintainability by means of redundancy.3.2 Design of hardware fault-tolerant structureAs shown in figure 2, the SIC of four independent component units (C11, C12, C21, C22. The fault-tolerant architect

13、ure adopts dual 2 vote 2 (2v2×2 structure, and a kind of high-performance standardized module has been selected as computing unit which adopts Intel X Scale kernel, 533 MHZ.The operation of SIC is based on a dual two-layer data buses. The high bus adopts the standard Ethernet and TCP/IP communi

14、cation protocol, and the low bus is Controller Area Network (CAN. C11、 C12 and C21、 C22 respectively make up of two safety computingcomponents IC1 and IC2, which are of 2v2 structure. And each component has an external dynamic circuit watchdog that is set for computing supervision and switching. Fig

15、ure 2 Hardware structure of SIC3.3 Standardized component unitAfter component module is made certain, according to the safety-critical requirements of railway signal interlocking system, we have to do a secondary development on the module. The design includes power supply, interfaces and other embed

16、ded circuits.The fault-tolerant processing, synchronized computing, and fault diagnosis of SIC mostly depend on the safety software. Here the safety software design method is differing from that of the special computer too. For dedicated computer, the software is often specially designed based on th

17、e bare hardware. As restricted by computing ability and application object, a special scheduling program is commonly designed as safety software for the computer, and not a universal operating system. The fault-tolerant processing and fault diagnosis of the dedicated computer are tightly hardware-co

18、upled. However, the safety software for SIC is exoteric and loosely hardware-coupled, and it is based on a standard Linux OS.The safety software is vital element of secondary development. It includes Linux OS adjustment, fail-safe process, fault-tolerance management, and safety interlocking logic. T

19、he hierarchy relations between them are shown in Figure 4.Safety Interlock LogicFail-safe processFault-tolerance managementLinux OS adjustmentFigure 4 Safety software hierarchy of SIC3.4 Fault-tolerant model and safety computationThe Fault-tolerant computation of SIC is of a multilevel model:SIC=F10

20、02D (F2002(Sc11,S c12,F 2002(Sc21,S c22Firstly, basic computing unit Ci1 adopts one algorithm to complete the S Ci1, and Ci2 finishes the S Ci2via a different algorithm, secondly 2 out of 2 (2oo2 safety computing component of SIC executes 2oo2 calculation and gets FSICi from the calculation results

21、of SCi1 S Ci2, and thirdly, according the states of watchdog and switch unit block, the result of SIC is gotten via a 1 out of 2 with diagnostics (1oo2D calculation, which is based on FSIC1 and FSIC2. The flow of calculations is as follows:(1 Sci1=F ci1 (Dnet1,D net2,D di ,D fss (2 Sci2=F ci2 (Dnet1

22、,D net2,D di ,D fss (3 FSICi =F2oo2 (Sci1, Sci2 ,(i=1,2(4 SIC_OutPut=F1oo2D (FSIC1, FSIC2As interlocking system consists of a fixed set of task, the computational model of SIC is task-based. In general, applications may conform to a time-triggered, event-triggered or mixed computational model. Here

23、the time-triggered mode is selected, tasks are executed cyclically. The consistency of computing states between the two units is the foundation of SIC for ensuring safety and credibility. As SIC works under a loosely coupled mode, it is different from that of dedicated hardware-coupled computer. So

24、a specialized synchronization algorithm is necessary for SIC.SIC can be considered as a multiprocessor distributed system, and its computational model is essentially based on data comparing via high bus communication. First, an analytical approach is used to confirm the worst-case response time of e

25、ach task. To guarantee the deadline of tasks that communicate across the network, the access time and delay of communication medium is set to a fixed possible value. Moreover, the computational model must meets the real time requirements of railway interlocking system, within the system computing cy

26、cle, we set many check points P i (i=1,2,. n , which are small enough for synchronization, and computation result voting is executed at each point. The safetycomputation flow of SIC is shown in Figure 5.S t a r t 0clockclockS a f e t y f u n c t i o n sT a s k s o f i n t e r l o c k i n gl o g i ci

27、 :p:c h e c k p o i n tI n i t i a l i z e S y n c h r o n i z a t i o nG u a r a n t e e S y n c h r o n o u s T i m e t r i g g e rFigure 5 Safety computational model of SIC4. Hardware safety integrity level evaluation4.1 Safety IntegrityAs an authoritative international standard for safety-relate

28、d system, IEC 61508 presents a definition of safety integrity: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. In IEC 61508, there are four levels of safety integrity are prescribe, SIL1SIL

29、4. The SIL1 is the lowest, and SIL4 highest.According to IEC 61508, the SIC belongs to safety-related systems in high demand or continuous mode of operation. The SIL of SIC can be evaluated via the probability of dangerous per hour. The provision of SIL about such system in IEC 61508, see table 1.Ta

30、ble 1-Safety Integrity levels: target failure measures for a safety function operating in high demand orcontinuous mode of operationSafety Integrity levelHigh demand or continuous mode of Operation (Probability of a dangerous Failure per hour4 10-9 to <10-8 3 10-8 to <10-7 2 10-7 to <10-6 1

31、 10-6 to <10-54.2 Reliability block diagram of SICAfter analyzing the structure and working principle of the SIC, we get the bock diagram of reliability, as figure 6. Figure 6 Block diagram of SIC reliability5. ConclusionsIn this paper, we proposed an available standardized component-based comput

32、er SIC. Railway signal interlocking is a fail-safe system with a required probability of less than 10-9 safety critical failures per hour. In order to meet the critical constraints, fault-tolerant architecture and safety tactics are used in SIC. Although the computational model and implementation te

33、chniques are rather complex, the philosophy of SIC provides a cheerful prospect to safety critical applications, it renders in a simpler style of hardware, furthermore, it can shorten development cycle and reduce cost. SIC has been put into practical application, and high performance of reliability

34、and safety has been proven.模塊化安全鐵路信號(hào)計(jì)算機(jī)聯(lián)鎖系統(tǒng)1概述信號(hào)聯(lián)鎖系統(tǒng)是保證交通安全、 提高鐵路運(yùn)輸效率的關(guān)鍵設(shè)備。 長(zhǎng)期以來, 在聯(lián)鎖 系統(tǒng)中采用的核心控制計(jì)算機(jī)是特定的高檔安全計(jì)算機(jī), 例如, 西門子的 SIMIS 、 日本 信號(hào)的 EI32等。隨著電子技術(shù)的飛速發(fā)展,定制的安全計(jì)算機(jī)面臨著嚴(yán)重的挑戰(zhàn),例 如:高的開發(fā)成本、可用性差、弱可擴(kuò)展性、和緩慢的技術(shù)更新。為了克服高檔特定計(jì) 算機(jī)的缺點(diǎn), 美國(guó)國(guó)防部提出:我們應(yīng)該采用商業(yè)標(biāo)準(zhǔn), 來取代軍事準(zhǔn)則和滿足客戶需 要的標(biāo)準(zhǔn)。 與此同時(shí), 有許多關(guān)于在電子設(shè)備中采用開放式系統(tǒng)結(jié)構(gòu)的探索與實(shí)踐。 美 國(guó)和歐洲已

35、經(jīng)做了很多關(guān)于利用利用劃算的容錯(cuò)計(jì)算機(jī)來代替專用電腦在航天和其它 安全關(guān)鍵領(lǐng)域。近年來,在航空航天、工業(yè)、交通和其它安全關(guān)鍵領(lǐng)域,利用標(biāo)準(zhǔn)化部 件正逐步成為一種新的趨勢(shì)。2 鐵路信號(hào)聯(lián)鎖系統(tǒng)2.1信號(hào)聯(lián)鎖系統(tǒng)的功能信號(hào)聯(lián)鎖系統(tǒng)的基本功能是通過控制信號(hào)設(shè)備, 保護(hù)列車運(yùn)行安全。 如控制道岔的 轉(zhuǎn)換、信號(hào)的開放和控制列車通過車站,它通過一種聯(lián)鎖處理規(guī)則控制線路。自鐵路運(yùn)輸誕生以來、 信號(hào)聯(lián)鎖系統(tǒng)已經(jīng)經(jīng)歷了手動(dòng)信號(hào)、 機(jī)械信號(hào)、 繼電器聯(lián)鎖 和現(xiàn)代計(jì)算機(jī)聯(lián)鎖系統(tǒng)。2.2信號(hào)聯(lián)鎖系統(tǒng)的構(gòu)架一般來說,聯(lián)鎖系統(tǒng)具有層次結(jié)構(gòu)。根據(jù)設(shè)備的功能,系統(tǒng)可分為三層,如圖 2.1所示。 圖 2.1 信號(hào)聯(lián)鎖系統(tǒng)的結(jié)構(gòu)

36、3 安全計(jì)算機(jī)的組件設(shè)計(jì)3.1設(shè)計(jì)策略模塊化安全關(guān)鍵計(jì)算機(jī)組件的設(shè)計(jì)理念不同于那些特殊定制的計(jì)算機(jī)。 我們對(duì)安全 聯(lián)鎖計(jì)算機(jī)的設(shè)計(jì)理念是基于系統(tǒng)的容錯(cuò)性和系統(tǒng)的綜合需求。 將其分為三層:標(biāo)準(zhǔn)化 組成單元層、 軟件安全層與系統(tǒng)層, 并給每一層分配不同的安全功能, 最終將三層集成, 并確保系統(tǒng)達(dá)到預(yù)定的安全完整性水平。三層可以描述如下:(1 標(biāo)準(zhǔn)化組成單元層包括四個(gè)獨(dú)立的標(biāo)準(zhǔn)化 CPU 模塊。這一層實(shí)現(xiàn)硬件 “ 安全 ” 邏輯聯(lián)鎖。(2 軟件安全層主要用故障 -安用策略和容錯(cuò)算法。由于一個(gè)完整的安全聯(lián)鎖系統(tǒng) 采用兩個(gè)不同的 CPU 輸出的結(jié)果,所以最能確保軟件設(shè)計(jì)某一版本,在設(shè)計(jì)時(shí)存在的 多種錯(cuò)誤,清除潛在的風(fēng)險(xiǎn)。(3 系統(tǒng)層,旨在提高系統(tǒng)的可用性和冗余系統(tǒng)的可維護(hù)性。3.2容錯(cuò)結(jié)構(gòu)的硬件設(shè)計(jì)如圖 3.1,安全聯(lián)鎖計(jì)算機(jī)由四個(gè)獨(dú)立單元組成 (C11, C12, C21, C22 。采用雙容 錯(cuò)結(jié)構(gòu)設(shè)計(jì) (2×2取 2 結(jié)構(gòu), 計(jì)算單元選用高可靠性、 高效率的模塊, 采用了英特爾 XScale 內(nèi)核, 533兆赫的處理器。安全聯(lián)鎖計(jì)算機(jī)的操作基于兩層數(shù)據(jù)總線上。 高速總線采用標(biāo)準(zhǔn)以太網(wǎng)結(jié)構(gòu)和 TCP / IP通信協(xié)議、低總線控制器局域網(wǎng) (CAN。 C11、 C12和 C21、 C22分別組成兩個(gè)獨(dú)立的安