CN101764619B - Safety redundant coding processing method for vehicle-mounted ATP system - Google Patents
Safety redundant coding processing method for vehicle-mounted ATP system Download PDFInfo
- Publication number
- CN101764619B CN101764619B CN 200910250541 CN200910250541A CN101764619B CN 101764619 B CN101764619 B CN 101764619B CN 200910250541 CN200910250541 CN 200910250541 CN 200910250541 A CN200910250541 A CN 200910250541A CN 101764619 B CN101764619 B CN 101764619B
- Authority
- CN
- China
- Prior art keywords
- variable
- rule
- judgment
- signature
- processing method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Abstract
The invention relates to a safety redundant coding processing method for a vehicle-mounted ATP system, which comprises the following steps: (1) processing pregenerated signatures, configuration information and unsafe C language codes by an input and error detection module; (2) processing the processed pregenerated signatures, configuration information and unsafe C language codes by a precompiler of a safety redundant coding compiler to generate intermediate code files, and processing the intermediate code files by an intermediate code compiler of the safety redundant coding compiler to generate compensation constants and coded C language codes; (3) generating auxiliary language codes by a safety redundant coding optimization module; (4) processing the compensation constants, the coded C language codes and the auxiliary language codes by a general compiler and a connector to generate safety redundant codes; and (5) processing the safety redundant codes by an output and error detection module to be output. Compared with the prior art, the invention has the advantages of ensuring safety operation of the system, and the like.
Description
Technical field
The present invention relates to coding method, especially relate to a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system.
Background technology
The railway signal industry directly relates to the safe operation of train and the people's the security of the lives and property.For the safety product of railway systems, must satisfy the requirement of RAMS (reliability, availability, maintainability, fail safe).Especially for vehicle-mounted ATP system, it directly controls safe train operation, thereby must reach the system safety sophistication grade of SIL4 level.Common software and hardware environment can not guarantee the fail safe of system, and system owing to the operation mistake that inside and outside reason causes can not come to light, causes serious consequence at run duration the most at last.Introduce the safety redundant coding degree of safety grade of elevator system effectively in this field; And according to the employed basic theory of this method; The enforcement of safety redundant coding can be independent of the software and hardware environment; Not transforming hardware environment, do not change under the situation of bottom software, reach high system safety degree grade.
Summary of the invention
The object of the invention is exactly for the defective that overcomes above-mentioned prior art existence a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system to be provided.
The object of the invention can be realized through following technical scheme:
A kind of safety redundant coding processing method that is used for vehicle-mounted ATP system is characterized in that, this method may further comprise the steps:
1) generates signature, configuration information, unsafe C language codes in advance through input and error detection module processing;
2) the preparatory generation signature after will handling, configuration information, unsafe C language codes are handled the back through the precompile device of safety redundant coding compiler and are generated the intermediate code file, and the intermediate code file generates the compensation constant after through the intermediate code compiler processes of safety redundant coding compiler, the C language codes after encoding;
3) the safety redundant coding optimal module generates the auxiliary language code;
The C language codes, auxiliary language code that 4) will compensate behind constant, the coding are handled the safe redundant code of back generation through universal compiler and connector (like VC);
5) this safe redundant code output after output and error detection module are handled.
Described step 2) the related algorithmic method of redundancy encoding compiler processes process in comprises numeric coding method, arithmetic operator operation method, shift operation symbol operation method, logical operator operation method, array operation method, function method for using, the operation method of branched structure, the operation method of loop structure, the choosing method of prime number A, signature generating method.
Described numeric coding method comprises the coding method of numerical variable, the coding method of numeric constant, the coding method of Boolean variable.
Described arithmetic operator operation method comprises in add operation method, subtraction method, multiplying method, the division arithmetic in method divided by constant, the division arithmetic method divided by variable.
Described shift operation symbol operation method comprises shift right operation method, shift left operation method.
Described logical operator operation method comprises logic and operation method, logic OR operation method, logic NOT operation method.
Described array operation method comprise one-dimension array assignment operation method, one-dimension array quote operation method, Multidimensional numerical operation method.
Described function method for using may further comprise the steps:
(8a) it is classified according to the difference in functionality of function;
(8b) function is called.
The operation method of described branched structure comprises the operation method of numerical value Rule of judgment inferior division structure, the operation method of boolean's Rule of judgment inferior division structure, the operation method of mixing Rule of judgment inferior division structure.
The operation method of described loop structure comprises the operation method of loop structure under the operation method, boolean's Rule of judgment of loop structure under the numerical value Rule of judgment, the operation method of mixing loop structure under the Rule of judgment.
The choosing method of described prime number A is for to search prime number A with the selection rule of prime number A in the scope near machine word length, wherein the selection rule of prime number A comprises:
(11a) size of prime number A has determined the safe class that system can reach;
(11b) choosing of prime number A determined choosing of signature;
(11c) size of prime number A is relevant with machine word length;
(11d) value of prime number A can make integer be evenly distributed in the codomain space, and any calculating via prime number A all has certain code distance space;
(11e) the coprime property of the numerical value in the prime number A value space that guaranteed to produce via A.
Described signature generating method produces signature for adopting linear feedback congruence generator or square feedback generator with the signature create-rule, and the create-rule of wherein signing is:
(12a) signature of each variable must be different;
(12b) signature of each variable must be evenly distributed in the codomain;
(12c) there is code distance between the signature of different variablees, and code distance is checked.
Described step 2) the related processing method of safety redundant coding compiler in comprises processing method, the processing method to array and structure, the branch that is directed against multiple Rule of judgment or the processing method of Do statement of central encoder layering Processing Structure.
Safety redundant coding optimal module processing procedure in the described step 3) may further comprise the steps:
(14a) use assembler language,, replace divide operations with subtraction or add operation for various arithmetic operation results' modulo operation;
(14b) use assembler language, 64 multiply operations are reduced to 32 multiply operations, and save modulo operation;
(14c) use assembler language to simplify no symbol modulo operation.
Described step 1), step 5) input and error detection module, output and error detection module processing procedure may further comprise the steps:
(15a) encoder is encoded before processing to the variable of all inputs, wherein Boolean variable is encoded and after the joining day stabs, could get into process of compilation device processing unit, and timestamp information is provided by process of compilation device unit;
(15b) dynamic controller is responsible for checking whether the signature of all output variables is identical with the signature of prediction, and dynamic controller obtains timestamp information from process of compilation device unit;
In case (15c) signature of output variable is different with the signature of prediction, dynamic controller makes system's failure to the safe side side.
The processing method of described central encoder layering Processing Structure may further comprise the steps:
The computer data structure that (16a) becomes various grammer binary trees to represent the information processing of C language source code;
(16b) need the grammer binary tree be converted into simple basic redundancy encoding form, simple basic redundancy encoding form is converted to redundant code output.
Described processing method to array and structure may further comprise the steps:
(17a) when using Multidimensional numerical, use the addressing system that does not rely on the Computer Storage frame mode to locate data item, and carry out accessing operation the particular dimension combination;
(17b) when utilization structure or nested structure, use the addressing system that does not rely on the Computer Storage frame mode that specific data item in the structure is positioned, and carry out accessing operation;
(17c) mix under the situation about using in array and structure, the accessing operation of specific data item comprised for two steps, first step search data item position, and second step was carried out accessing operation in this position to specific data item.
Described branch or the processing method of Do statement to multiple Rule of judgment may further comprise the steps:
(18a) in branched structure, multiple Rule of judgment uses single Rule of judgment to represent, comprises and operation () or operation (||) that multiple Rule of judgment is represented with the grammer binary tree structure;
(18b) in loop structure, multiple Rule of judgment is expressed as single Rule of judgment, comprises and operation () or operation (||) that multiple Rule of judgment is represented with the grammer binary tree structure.
Compared with prior art, the present invention has the following advantages:
Realization is carried out security protection to vehicle-mounted ATP in calculating process, be lower than the designing requirement of system thereby make it can not detect the wrong probability that takes place, and then guarantee the security of operation of system.
Description of drawings
Fig. 1 is a kind of flow chart that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Fig. 2 is a kind of numerical value redundancy encoding form figure that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Fig. 3 is a kind of arithmetical operation redundancy encoding form figure that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
The logical operation figure of the high-order portion of the safety redundant coding processing method that Fig. 4 is used for vehicle-mounted ATP system for the present invention is a kind of;
Fig. 5 is used for the high-order redundant operation figure of logic NOT of the safety redundant coding processing method of vehicle-mounted ATP system for the present invention is a kind of;
Fig. 6 is a kind of one-dimension array assignment operation figure that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Fig. 7 is a kind of function call procedure chart that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Fig. 8 is a kind of if branch statement flow chart that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Fig. 9 is a kind of while Do statement flow chart that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Figure 10 is a kind of signature product process figure that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Figure 11 is a kind of safety redundant coding compiler processes flow chart that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
Figure 12 is a kind of syntactic representation data structure diagram that is used for the safety redundant coding processing method of vehicle-mounted ATP system of the present invention;
The grammer Binominal Tree of the multiple Rule of judgment a<b&&c==d of the safety redundant coding processing method that Figure 13 is used for vehicle-mounted ATP system for the present invention is a kind of;
The structural representation of the safety redundant coding optimal module of the safety redundant coding processing method that Figure 14 is used for vehicle-mounted ATP system for the present invention is a kind of.
Embodiment
Below in conjunction with accompanying drawing and specific embodiment the present invention is elaborated.
Embodiment
As shown in Figure 1, a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system, this method may further comprise the steps:
Step 101 generates signature, configuration information, unsafe C language codes in advance through input and error detection module processing;
Step 104 generates safe redundant code with the C language codes behind compensation constant, the coding, auxiliary language code after universal compiler and connector (like VC) processing;
As shown in Figure 2; For having shown the method for expressing of numerical value redundancy encoding, wherein for the software systems of 32 word lengths, the data of redundancy encoding have 64 altogether; Data value that symbol is arranged of high 32 bit representations, low check value that symbol is arranged of 32 bit representations.The numerical value of high position data ordinary representation variable, low data is obtained through redundant modulo operation by high position data.Redundant modulo operation also needs the signature of variable and timestamp sign to participate in.The signature of variable has identified the characteristic of variable, and timestamp has identified the characteristic in program running cycle.Represent the high position of the redundancy encoding form of variable with XH, represent the low level of the redundancy encoding form of variable, can be expressed as for the redundancy encoding form of variable with XL:
X(XH,XL)
The calculating of low level is also relevant with prime number A, does not normally have the symbol modulo operation, and the size of prime number A has determined the level of security of whole system.Represent redundant modulo operation with codedMOD, the computational methods of low level can be expressed as:
XL=codedMOD(XH,SigX,DT)unsignedMOD?A
The coding form of constant is: a high position is the numerical value of constant, and low level is the check value of constant, and is as shown in Figure 1.The constant coding is not relevant with the cycle of operation of system, and for whole system, a constant is well-determined.In computational process, the characteristic of constant identifies unique, does not rechange.When constant moves in system with the not influence of the taking into account system cycle of operation.
The coding form of Boolean variable is divided into a high position and low level.A high position is the true value or the falsity of Boolean variable, and low level is the check value of Boolean variable, and is as shown in Figure 1.For each Boolean variable, there is one group of unique true value of confirming corresponding with this Boolean variable with falsity.In one 32 computer system, the true value of Boolean variable by two different 32 figure places is represented respectively that with falsity these two 32 figure places are fixed, and are predetermined, remain unchanged at the whole procedure run duration.The true value of a Boolean variable will be confirmed according to different input modes with falsity.If a Boolean variable reads via hardware device, the value of the true value of this Boolean variable and falsity will be decided by the design of hardware circuit so; If a Boolean variable is created by working procedure self, this Boolean variable true value and falsity will be confirmed by generating algorithm so.According to the design agreement of hardware circuit, last position of the true value of Boolean variable is 1, and last position of falsity is 0, the code distance that the maintenance between true value and the falsity is certain, and have no contact between the two.
Fig. 3 has shown the operation method of redundancy encoding arithmetical operation.When the variable behind the coding carried out arithmetic operator, high-order and low level divided opening operation.High bit arithmetic adopts general arithmetic operator.Low level adopts the redundancy encoding arithmetical operation, and the redundancy encoding arithmetical operation is the expansion of theory of finite fields sealing, combination and inversion operation, and the operator of using in each redundancy encoding all has it to be different from the coding operation method of other operators.The coding calculation step is as follows:
(1) high position of operand is carried out common operator computing;
(2) low level of operand carries out the redundancy encoding computing;
(3) result to high bit arithmetic and low bit arithmetic carries out the constant compensation, carries out the redundancy encoding compensation operation once more;
(4) result is saved as the form of high-order and low level.
Addition redundant operation method is used in add operation, and the addition redundant operation makes that add operation result's signature can be predicted.The high position of variable and low level separately carry out in add operation, show as:
ZH=XH+YH
ZL=XL+YL
Subtraction uses subtraction redundant operation method, and the subtraction redundant operation makes that subtraction result's signature can be predicted.The high position of variable and low level separately carry out in subtraction, show as:
ZH=XH-YH
ZL=XL-YL
Multiplication redundant operation method is used in multiplying; The multiplication redundant operation makes that the signature of multiplication result can be predicted; The signature that multiplication redundant operation method produces adds the computing penalty constant; This penalty constant is decided by the variable signature and the prime number A that participate in multiplying, and it is obtained through the finite field multiplier computing.The high position of variable and low level separately carry out in multiplying.
The redundant division method that division arithmetic uses is according to the difference of divisor character and difference.If divisor is a constant, divisor will be processed and convert to the redundancy encoding form and be embedded in the division redundant operation so.Divisor is that other redundant operation form match division arithmetics of division arithmetic utilization of variable are encoded.Division arithmetic result's signature can be predicted.
Described safety redundant coding algorithm implementation, the operation method that accords with to shift operation comprises: shift right operation and shift left operation.
Shift right operation is used the redundant operation method that moves to right.Shift right operation result's signature can be predicted.The step of shift right operation is following:
(1) according to moving to right the known characteristic of figure place, the figure place that will move to right is carried out redundancy encoding, and is embedded in the shift right operation;
(2) right-shift operation is converted into corresponding redundancy encoding operational form, this redundancy encoding operational form has guaranteed the fail safe of shift right operation;
(3) result to shift right operation carries out the constant compensation;
(4) preservation shift right operation result's a high position and low level.
Shift left operation is used the redundant operation method that moves to left.Shift left operation result's signature can be predicted.The step of shift left operation is following:
(1) according to moving to left the known characteristic of figure place, the figure place that will move to left is carried out redundancy encoding, and is embedded in the shift left operation;
(2) shift left operation is converted into corresponding redundancy encoding operational form, this redundancy encoding operational form has guaranteed the fail safe of shift left operation;
(3) result to shift left operation carries out the constant compensation;
(4) preservation shift left operation result's a high position and low level.
Described safety redundant coding algorithm implementation comprises to the operation method of logical operator:
A. the implementation method of logic and operation;
B. the implementation method of logic OR computing;
C. the implementation method of logic NOT computing.
Logical operation is the computing between the Boolean variable.The logic redundancy computing is divided into high-order logic redundancy computing and the computing of low level logic redundancy, and high-order logic redundancy computing is different with the operation method that the computing of low level logic redundancy is used.The step of high bit arithmetic is following:
(1) obtains the true value and the falsity of each Boolean variable of participating in computing at pretreatment stage, comprise the true value and the falsity of operation result Boolean variable;
(2) use the true value and the falsity of two operands to carry out high-order redundant operation, calculate the operand penalty constant;
(3) use the penalty constant that calculates by (2) and the true value and the falsity of operation result Boolean variable to carry out high-order redundant operation, obtain final penalty constant;
(4) currency (true value or falsity) with operand carries out high-order redundant operation with the penalty constant that is obtained by (3), obtains the high-order portion of final operation result.
Fig. 4 has shown the process of the high-order redundant operation of logical variable.
The high bit arithmetic of logical AND uses the high-order redundant operation of logical AND.The high-order redundant operation of logical AND has guaranteed that operation result is not that true value is exactly a falsity, and operation result comes to the same thing with common logic and operation.
The high bit arithmetic of logic OR uses the high-order redundant operation of logic OR.The high-order redundant operation of logic OR has guaranteed that operation result is not that true value is exactly a falsity, and operation result is identical with common logic OR operation result.
As shown in Figure 5, the high bit arithmetic of logic NOT uses the high-order redundant operation of logic NOT.The high-order redundant operation of logic NOT has guaranteed that operation result is not that true value is exactly a falsity, and operation result is identical with common logic NOT operation result.
The low level calculation step of logical operation is basic identical, as shown in Figure 3 with the high-order calculation step of logical operation.The low bit arithmetic of logical operation uses the redundant operation of logical operation low level, and what participate in computing is the redundancy encoding low portion of each operand true value and falsity.
The low bit arithmetic of logical AND uses the redundant operation of logical AND low level.The redundant operation of logical AND low level has guaranteed that operation result is not the low-value of the true value of outcome variable, is exactly the low-value of the falsity of outcome variable, and the signature of logical AND low level operation result variable can be predicted.
The low bit arithmetic of logic OR uses the redundant operation of logic OR low level.The redundant operation of logic OR low level has guaranteed that operation result is not the low-value of the true value of outcome variable, is exactly the low-value of the falsity of outcome variable, and the signature of logic OR low level operation result variable can be predicted.
The low bit arithmetic of logic NOT uses the redundant operation of logic NOT low level.The redundant operation of logic NOT low level has guaranteed that operation result is not the low-value of the true value of outcome variable, is exactly the low-value of the falsity of outcome variable, and the signature of logic NOT low level operation result variable can be predicted.
Multiple arithmetic logic refers to that a plurality of logic and operations are arranged in logical operation, logic OR computing or logic NOT computing are participated in.Multiple arithmetic logic resolves into the unity logic computing finds the solution, and step is as follows:
(1)M=A&&B||C&&D
(2)TMP1=A&&B;
(3)TMP2=C&&D;
(4)TMP3=TMP1||TMP2。
Described safety redundant coding algorithm implementation comprises to the array operation method:
A. the assignment operation of one-dimension array;
B. one-dimension array quotes computing;
C. Multidimensional numerical computing.
As shown in Figure 6, the step of one-dimension array assignment operation is following:
(1), carries out assign operation by the high position of the data item of index in the one-dimension array;
(2), carry out assign operation by the low level of the data item of index in the one-dimension array;
(3) this data item is carried out one-dimension array assignment redundant operation, the characteristic of this array is preserved;
(4) this data item low level is carried out the correction value compensation.
The step that one-dimension array is quoted computing is following:
(1), composes to variable by the high position of the data item of index in the one-dimension array;
(2), compose to variable by the low level of the data item of index in the one-dimension array;
(3) low level to variable carries out the correction value compensation.
The assignment of Multidimensional numerical is identical with the method for quoting with the same dimension group of the redundant operation of quoting use assignment.
Described safety redundant coding algorithm implementation, the method for using to function comprises:
A. according to the action mode of function, function is classified.Dissimilar functions have different functions;
B. signature is changed the influence that is produced when function declaration and function call.Dissimilar functions has different influences to the variable signature, can influence the signature of global variable, does not perhaps influence.
Function is divided into two types, and the foundation of division is: whether function has return value, and whether function can operation parameter, and whether function can operate global variable.For dissimilar functions, the method for use is also different.The function that can operate global variable can not appear in most of statement, and for the function that return value is arranged, the scope of use is bigger, and the function with parameter need carry out signature identification to function.
Function call is as shown in Figure 7, and step is following:
(1) if function has parameter, use signature functions that parameter is carried out redundant operation, parameter becomes the input variable with specific function characteristic;
(2) will preserve by the function characteristic that (1) produces;
(3) call function gets in the function body, takes out the function characteristic and the input parameter of this function and makes comparisons, and shows that more correctly function call is correct;
(4) parameter is carried out the signature functions correction, thereby can in function body, use;
(5) when function is carried out end, use signature functions that return value is carried out redundant operation, preserve the function characteristic;
(6) function call finishes, if function has return value, obtains return value.Use function flag check function call whether correctly to return.
If during function call, global variable operated in the statement in the function body, and the signature of the global variable of all minuends uses is measurable so.The parameters signatures that function body itself uses is measurable, and function body return value signature is measurable.
Described safety redundant coding algorithm implementation comprises to the method for branched structure:
A. the operation method of numerical value Rule of judgment inferior division structure;
B. the operation method of boolean's Rule of judgment inferior division structure;
The operation method of c. mixing Rule of judgment inferior division structure.
As shown in Figure 8, the calculation step of numerical value Rule of judgment is following:
(1) the Rule of judgment variable there is not the symbol modulo operation; The result of computing can be according to the numerical value of variable self and is different; If current variable is not to make comparisons with null value, use different arithmetical operations to change according to the difference of decision operation symbol so;
(2) carry out Rule of judgment and get into the different branches statement, the Rule of judgment of support has: greater than (>), less than (<), more than or equal to (>=), smaller or equal to (<=), equal (==) and be not equal to (!=), when carrying out condition judgment, the value of the variable Si of design conditions branch, Si will obtain different numerical according to the difference of conditional branching;
(3) if equal (==), be not equal to (!=) computing, during the value of design conditions variable Si, need the condition judgment variable on the occasion of participating in computing simultaneously with negative value;
(4) if get into article one branch condition; Calculating between each variable will be carried out according to various redundant operations; If get into the second branch condition; Each variable will carry out constant compensation to each result of calculation variable after carrying out redundant operation, the value of two values of the judgment variable Si that the constant of compensation is calculated by (2) and the outcome variable signature that in article one branch condition, calculates decides;
(5) after jumping out conditional branching, the value of conditional-variable Si is joined the low level of the variable of participating in the conditional branching computing.
The signature of the computing variable of numerical value Rule of judgment inferior division structure can be predicted no matter which bar branch is program carried out when operation, and the signature after jumping out branch is consistent.
The calculation step of boolean's Rule of judgment inferior division structure is following:
(1) the object difference that compares according to the Rule of judgment variable is taked different comparative approach; If the true value of Rule of judgment variable and this variable is made comparisons; Rule of judgment carries out the true value comparison operation so; If the falsity of Rule of judgment variable and this variable is made comparisons, Rule of judgment carries out the falsity comparison operation so;
(2) carry out Rule of judgment and get into the different branches statement, boolean's Rule of judgment of support has: equal (==) and be not equal to (!=), when carrying out condition judgment, the value of the variable Si of design conditions branch, Si will obtain different numerical according to the difference of conditional branching;
(3) if equal (==), be not equal to (!=) computing, during the value of design conditions variable Si, need the condition judgment variable on the occasion of participating in computing simultaneously with negative value;
(4) if get into article one branch condition; Calculating between each variable will be carried out according to various redundant operations; If get into the second branch condition; Each variable will carry out constant compensation to each result of calculation variable after carrying out redundant operation, the value of two values of the conditional-variable Si that the constant of compensation is calculated by (2) and the outcome variable signature that in article one branch condition, calculates decides;
(5) after jumping out conditional branching, the value of conditional-variable Si is joined the low level of the variable of participating in the conditional branching computing.
The signature of the computing variable of boolean's Rule of judgment inferior division structure can be predicted no matter which bar branch is program carried out when operation, and the signature after jumping out branch is consistent.
Mixing Rule of judgment is that exponential quantity is judged and boolean judges the situation about using of mixing.The processing that mixes Rule of judgment needs at first will mix Rule of judgment and resolves into numerical value judgement or boolean's judgement, handles these Rule of judgment more respectively.Mix the signature of computing variable of the branched structure of Rule of judgment and can be predicted carried out which bar branch when no matter moving, the signature after jumping out branch is consistent.The step of mixing Rule of judgment is following:
M≥b&&N>b
Be decomposed into:
T=False;
If(M≥b)
{if(N>b)T=True;
else{T=False;}
else?T=False;
Described safety redundant coding algorithm implementation comprises to the method for loop structure:
A. the operation method of loop structure under the numerical value Rule of judgment;
B. the operation method of loop structure under boolean's Rule of judgment;
C. the operation method of loop structure under the multiple Rule of judgment.
As shown in Figure 9, numerical value judges that the Do statement calculation step is following:
(1) for the variable of participating in the loop body computing, at the low level adding initialization signature mark of variable, this mark has represented that this variable will get into loop body;
(2) use in branch's Rule of judgment Rule of judgment variable processing method is differentiated whether get into loop body.Operable Rule of judgment has: greater than (>), less than (<), more than or equal to (>=), smaller or equal to (<=), equal (==) and be not equal to (!=);
(3) design conditions variable Si; This conditional-variable resulting value when getting into loop body and withdrawing from loop body is different; The method of calculating Si is identical with the method for using in the if branch condition, and this method does not have the symbol modulo operation for branch's judgment variable, compensates to obtain again;
(4) in loop body, the variable of participating in circulation carries out different redundant operations according to the form of statement in the loop body;
(5) in loop body behind the last item Statement Completion, before loop body finishes, each variable of participating in loop body is done the signature adjustment, the signature of variable is adjusted to the numerical value that gets into before the loop body;
(6) will at every turn the circulate mark value dD that carries out joins the low level of variable, and the clear variable of this marker values table has been carried out once circulation;
(7) when withdrawing from circulation time, whether the cycle labeling value that is contained in the variable that inspection is participated in circulating is identical with the actual number of times of carrying out of circulation, and the result who simultaneously the variable Si of branch is calculated at variable signs in the numerical value.
The signature of the computing variable of loop structure can be predicted under the numerical value Rule of judgment, and no matter whether program gets into circulation when operation, in loop body, has carried out how many times, and the signature after jumping out circulation is consistent.
Boolean judges that the Do statement calculation step is following:
(1) for the Boolean variable of participating in the loop body computing, at the low level adding initialization signature mark of variable, this mark has represented that this variable will get into loop body;
(2) the object difference that compares according to the Rule of judgment variable is taked different comparative approach; If the true value of Rule of judgment variable and this variable is made comparisons; Rule of judgment carries out the true value comparison operation so; If the falsity of Rule of judgment variable and this variable is made comparisons, Rule of judgment carries out the falsity comparison operation so;
(3) use in branch's Rule of judgment Rule of judgment variable processing method is differentiated whether get into loop body.Operable Rule of judgment has: equal (==) and be not equal to (!=);
(4) design conditions variable Si; This conditional-variable resulting value when getting into loop body and withdrawing from loop body is different; The method of calculating Si is identical with the method for using in the if branch condition, and this method does not have the symbol modulo operation for branch's judgment variable, compensates to obtain again;
(5) in loop body, the variable of participating in circulation carries out different redundant operations according to the form of statement in the loop body;
(6) in loop body behind the last item Statement Completion, before loop body finishes, each variable of participating in loop body is done the signature adjustment, the signature of variable is adjusted to the numerical value that gets into before the loop body;
(7) will at every turn the circulate mark value dD that carries out joins the low level of variable, and the clear variable of this marker values table has been carried out once circulation;
(8) when withdrawing from circulation time, whether the cycle labeling value that is contained in the variable that inspection is participated in circulating is identical with the actual number of times of carrying out of circulation, and the result who simultaneously the variable Si of branch is calculated at variable signs in the numerical value.
The signature of the computing variable of loop structure can be predicted under boolean's Rule of judgment, and no matter whether program gets into circulation when operation, in loop body, has carried out how many times, and the signature after jumping out circulation is consistent.
Mixing Rule of judgment is that exponential quantity is judged and boolean judges the situation about using of mixing.The processing that mixes Rule of judgment needs at first will mix Rule of judgment and resolves into numerical value judgement or boolean's judgement, handles these Rule of judgment more respectively.Mix the signature of computing variable of the branched structure of Rule of judgment and can be predicted whether get into loop body when no matter moving, the signature after jumping out circulation is consistent.
Described safety redundant coding algorithm implementation comprises to the method for choosing of prime number A:
A. the selection rule of prime number A;
B. the production method of prime number A.
The selection rule of prime number A comprises:
(1) size of prime number A has determined the safe class that system can reach;
(2) choosing of prime number A determined choosing of signature;
(3) size of prime number A is relevant with machine word length;
(4) value of prime number A can make integer be evenly distributed in the codomain space, and any calculating via prime number A all has certain code distance space;
(5) the coprime property of the numerical value in the prime number A value space that guaranteed to produce via A.
The production method of prime number A comprises:
(1) should obey the regularity of distribution of stochastic finite sequence;
(2) numerical value occurs with binary form in computer, the binary coding form of required consideration numerical value, the code distance between numerical value and 0 and 1 the rule of arranging;
(3) prime number A should occur in pairs;
(4) in scope, seek proper A near machine word length.
Described safety redundant coding algorithm implementation comprises to the generation method of signing:
The generation method of a. signing;
B. the code distance method of inspection between signing.
Shown in figure 10, the generation method of signature comprises:
(1) signature of each variable must be different;
(2) signature of each variable must be evenly distributed in the codomain;
(3) has certain code distance between the signature of different variablees;
(4) adopt linear feedback congruence generator or square feedback generator to produce signature.
Code distance inspection method between the signature comprises:
(1) use signature inspection formula to check the code distance between the signature, as follows:
(2), the signature of code distance maximum possible is selected and arranged according to signature inspection formula;
(3) inspection pick out the code distance between bearing the signature, the code word between bearing the signature should reach desired safety standard.
Shown in figure 11, safety redundant coding compiler processes flow process is following:
A. the precompile device can be resolved the C language source code file, handles the precompile instruction, and manageable precompile instruction comprises header file, conditional compilation;
B. the file that produces of intermediate code compiler processes precompile device.In the intermediate code compiler processes stage, it no longer needs with reference to other external files that comprise header file.
The related processing method of safety redundant coding compiler comprises processing method, the processing method to array and structure, the branch that is directed against multiple Rule of judgment or the processing method of Do statement of central encoder layering Processing Structure.
Method to intermediate code compiler layering Processing Structure comprises:
A. the computer data structure that becomes various grammer binary trees to represent the information processing of C language source code;
B. the grammer binary tree has comprised various C language syntax forms, need they be converted into simple basic redundancy encoding form, and simple basic redundancy encoding form can be converted to redundant code output.
Shown in figure 12, intermediate code compiler layering Processing Structure, C language data to be compiled is resolved to binary tree form, syntax messages form successively, generates redundant code at last.
Processing method to array and structure comprises:
A. when using Multidimensional numerical, used the addressing system that does not rely on the Computer Storage frame mode to locate data item, and carried out accessing operation the particular dimension combination;
B. when utilization structure or nested structure, use the addressing system that does not rely on the Computer Storage frame mode that specific data item in the structure is positioned, and carried out accessing operation;
C. mix under the situation about using in array and structure, the accessing operation of specific data item comprised for two steps, first step search data item position, and second step was carried out accessing operation in this position to specific data item.
The access of array or structure is always relevant with the position of data item in array or index, and irrelevant with other factors, and carries out redundancy encoding according to the position of data item.
Multiple Rule of judgment processing method comprises:
A. in branched structure, use single Rule of judgment to represent multiple Rule of judgment, generally include and operate () or operation (||), multiple Rule of judgment is represented with the grammer binary tree structure;
B. in loop structure, multiple Rule of judgment is expressed as single Rule of judgment, generally includes and operate () or operation (||), multiple Rule of judgment is represented with the grammer binary tree structure.
Shown in figure 13, multiple Rule of judgment can be represented with the grammer binary tree.When handling multiple Rule of judgment, at first handle the subtree condition of each grammer binary tree, handle after all subtrees, handle the father node of grammer binary tree again.
The safety redundant coding optimal module generates the auxiliary language code and comprises following flow process:
(1) uses assembler language,, replace divide operations with subtraction or add operation for various arithmetic operation results' modulo operation.Therefore can no longer need 64 bit variables to preserve result of calculation;
(2) use assembler language, 64 multiply operations are reduced to 32 multiply operations, and save modulo operation;
(3) use assembler language to simplify no symbol modulo operation, no longer need carry out type conversion.
Shown in figure 14, said input and error detection module, output and error detection module workflow are following:
(1) variable of all inputs all must be encoded before processing, after Boolean variable must be encoded and the joining day stabs, could get into process of compilation device processing unit, and timestamp information is provided by process of compilation device unit;
(2) variable of all outputs all is the coding variable, and the coding variable comprises high-order information, low level information and timestamp, and timestamp information is provided by process of compilation device unit;
(3) dynamic controller is responsible for checking whether the signature of all output variables is identical with the signature of prediction, and dynamic controller obtains timestamp information from process of compilation device unit;
(4) in case the signature of output variable is different with the signature of prediction, dynamic controller makes system's failure to the safe side side.
Claims (16)
1. a safety redundant coding processing method that is used for vehicle-mounted ATP system is characterized in that, this method may further comprise the steps:
1) generates signature, configuration information, unsafe C language codes in advance through input and error detection module processing;
2) the preparatory generation signature after will handling, configuration information, unsafe C language codes are handled the back through the precompile device of safety redundant coding compiler and are generated the intermediate code file, and the intermediate code file generates the compensation constant after through the intermediate code compiler processes of safety redundant coding compiler, the C language codes after encoding;
3) the safety redundant coding optimal module generates the auxiliary language code;
The C language codes, auxiliary language code that 4) will compensate behind constant, the coding are handled the safe redundant code of back generation through universal compiler and connector;
5) this safe redundant code output after output and error detection module are handled;
The safety redundant coding optimal module generates the auxiliary language code and comprises following flow process:
(1) uses assembler language,, replace divide operations, therefore can no longer need 64 bit variables to preserve result of calculation with subtraction or add operation for various arithmetic operation results' modulo operation;
(2) use assembler language, 64 multiply operations are reduced to 32 multiply operations, and save modulo operation;
(3) use assembler language to simplify no symbol modulo operation, no longer need carry out type conversion;
Input and error detection module, output and error detection module workflow are following:
(1) variable of all inputs all must be encoded before processing, after Boolean variable must be encoded and the joining day stabs, could get into process of compilation device processing unit, and timestamp information is provided by process of compilation device unit;
(2) variable of all outputs all is the coding variable, and the coding variable comprises high-order information, low level information and timestamp, and timestamp information is provided by process of compilation device unit;
(3) dynamic controller is responsible for checking whether the signature of all output variables is identical with the signature of prediction, and dynamic controller obtains timestamp information from process of compilation device unit;
(4) in case the signature of output variable is different with the signature of prediction, dynamic controller makes system's failure to the safe side side.
2. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 1; It is characterized in that described step 2) in the related algorithmic method of safety redundant coding compiler processes process comprise numeric coding method, arithmetic operator operation method, shift operation symbol operation method, logical operator operation method, array operation method, function method for using, the operation method of branched structure, the operation method of loop structure, the choosing method of prime number A, signature generating method.
3. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2 is characterized in that, described numeric coding method comprises the coding method of numerical variable, the coding method of numeric constant, the coding method of Boolean variable.
4. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2; It is characterized in that described arithmetic operator operation method comprises in add operation method, subtraction method, multiplying method, the division arithmetic in method divided by constant, the division arithmetic method divided by variable.
5. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2 is characterized in that, described shift operation symbol operation method comprises shift right operation method, shift left operation method.
6. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2 is characterized in that described logical operator operation method comprises logic and operation method, logic OR operation method, logic NOT operation method.
7. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2; It is characterized in that, described array operation method comprise one-dimension array assignment operation method, one-dimension array quote operation method, Multidimensional numerical operation method.
8. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2 is characterized in that, described function method for using may further comprise the steps:
(8a) it is classified according to the difference in functionality of function;
(8b) function is called.
9. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2; It is characterized in that the operation method of described branched structure comprises the operation method of numerical value Rule of judgment inferior division structure, the operation method of boolean's Rule of judgment inferior division structure, the operation method of mixing Rule of judgment inferior division structure.
10. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2; It is characterized in that the operation method of described loop structure comprises the operation method of loop structure under the operation method, boolean's Rule of judgment of loop structure under the numerical value Rule of judgment, the operation method of mixing loop structure under the Rule of judgment.
11. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2; It is characterized in that; The choosing method of described prime number A is for to search prime number A with the selection rule of prime number A in the scope near machine word length, wherein the selection rule of prime number A comprises:
(11a) size of prime number A has determined the safe class that system can reach;
(11b) choosing of prime number A determined choosing of signature;
(11c) size of prime number A is relevant with machine word length;
(11d) value of prime number A can make integer be evenly distributed in the codomain space, and any calculating via prime number A all has certain code distance space;
(11e) the coprime property of the numerical value in the prime number A value space that guaranteed to produce via A.
12. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 2; It is characterized in that; Described signature generating method produces signature for adopting linear feedback congruence generator or square feedback generator with the signature create-rule, and the create-rule of wherein signing is:
(12a) signature of each variable must be different;
(12b) signature of each variable must be evenly distributed in the codomain;
(12c) there is code distance between the signature of different variablees, and code distance is checked.
13. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 1; It is characterized in that described step 2) in the related processing method of safety redundant coding compiler comprise the processing method of central encoder layering Processing Structure, to the processing method of array and structure, to the branch of multiple Rule of judgment or the processing method of Do statement.
14. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 13 is characterized in that, the processing method of described central encoder layering Processing Structure may further comprise the steps:
The computer data structure that (16a) becomes the grammer binary tree to represent the information processing of C language source code;
(16b) need the grammer binary tree be converted into simple basic redundancy encoding form, simple basic redundancy encoding form is converted to redundant code output.
15. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 13 is characterized in that, described processing method to array and structure may further comprise the steps:
(17a) when using Multidimensional numerical, use the addressing system that does not rely on the Computer Storage frame mode to locate data item, and carry out accessing operation the particular dimension combination;
(17b) when utilization structure or nested structure, use the addressing system that does not rely on the Computer Storage frame mode that specific data item in the structure is positioned, and carry out accessing operation;
(17c) mix under the situation about using in array and structure, the accessing operation of specific data item comprised for two steps, first step search data item position, and second step was carried out accessing operation in this position to specific data item.
16. a kind of safety redundant coding processing method that is used for vehicle-mounted ATP system according to claim 13 is characterized in that, described branch or the processing method of Do statement to multiple Rule of judgment may further comprise the steps:
(18a) in branched structure, multiple Rule of judgment uses single Rule of judgment to represent, comprises and operation or operation that multiple Rule of judgment is represented with the grammer binary tree structure;
(18b) in loop structure, multiple Rule of judgment is expressed as single Rule of judgment, comprises and operation or operation that multiple Rule of judgment is represented with the grammer binary tree structure.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910250541 CN101764619B (en) | 2009-12-15 | 2009-12-15 | Safety redundant coding processing method for vehicle-mounted ATP system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910250541 CN101764619B (en) | 2009-12-15 | 2009-12-15 | Safety redundant coding processing method for vehicle-mounted ATP system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101764619A CN101764619A (en) | 2010-06-30 |
| CN101764619B true CN101764619B (en) | 2012-12-05 |
Family
ID=42495624
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200910250541 Active CN101764619B (en) | 2009-12-15 | 2009-12-15 | Safety redundant coding processing method for vehicle-mounted ATP system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101764619B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049269B (en) * | 2012-12-25 | 2016-02-24 | 卡斯柯信号有限公司 | A kind of diversity redundancy coding method based on double-strand |
| CN103150227B (en) * | 2013-02-04 | 2015-10-14 | 卡斯柯信号有限公司 | Based on the variable subscription uniqueness security processing of redundancy encoding |
| CN104932886B (en) * | 2015-06-12 | 2018-01-19 | 卡斯柯信号有限公司 | A kind of redundancy coding method of the various dimensions based on parallel signature uniqueness |
| EP3614268B1 (en) * | 2018-08-21 | 2021-07-07 | Siemens Aktiengesellschaft | Method and device for processing of data using coded operations |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101377665A (en) * | 2008-09-25 | 2009-03-04 | 卡斯柯信号有限公司 | Method for converting program to safe coding of vehicle mounted ATP system |
| CN101556627A (en) * | 2009-05-13 | 2009-10-14 | 中国科学院计算技术研究所 | Model abstract method in model detection used for verifying circuit and system thereof |
-
2009
- 2009-12-15 CN CN 200910250541 patent/CN101764619B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101377665A (en) * | 2008-09-25 | 2009-03-04 | 卡斯柯信号有限公司 | Method for converting program to safe coding of vehicle mounted ATP system |
| CN101556627A (en) * | 2009-05-13 | 2009-10-14 | 中国科学院计算技术研究所 | Model abstract method in model detection used for verifying circuit and system thereof |
Non-Patent Citations (1)
| Title |
|---|
| 岳朝鹏.北京八通线地面ATP编码运算.《铁路通信信号工程技术》.2006,第3卷(第4期),第46-47页. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101764619A (en) | 2010-06-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Udell et al. | Convex optimization in Julia | |
| CN101764619B (en) | Safety redundant coding processing method for vehicle-mounted ATP system | |
| CN101376393A (en) | Fault tolerant safety processor in railway signaling system | |
| CN101167050A (en) | Control system for railway signalling network | |
| CN103293948B (en) | For the method for storage and propagate errors information in computer program | |
| Cauderlier et al. | Checking Zenon modulo proofs in Dedukti | |
| Tosserams et al. | A specification language for problem partitioning in decomposition-based design optimization | |
| Gallina et al. | VROOM & cC: a method to build safety cases for ISO 26262-compliant product lines | |
| CN103150227B (en) | Based on the variable subscription uniqueness security processing of redundancy encoding | |
| CN108121285B (en) | Application software collaborative compiling method and device based on continuous function diagram | |
| Oliveira et al. | Model-based safety analysis of software product lines | |
| CN108376070A (en) | A kind of method, apparatus and computer of compiling source code object | |
| Majumdar et al. | Compositional equivalence checking for models and code of control systems | |
| US20110099439A1 (en) | Automatic diverse software generation for use in high integrity systems | |
| CN103049269B (en) | A kind of diversity redundancy coding method based on double-strand | |
| Kashtanov et al. | Specifics of modern security requirements for software of electronic machine control systems | |
| CN113031954A (en) | Code compiling method and device, electronic equipment, storage medium and heterogeneous system | |
| CN107590020B (en) | Credible computing method based on differential coding and statement signature | |
| Fazekas et al. | Skolem function continuation for quantified Boolean formulas | |
| CN101377665B (en) | Method for converting program to safe coding of vehicle mounted ATP system | |
| Huang | A network reliability algorithm for a stochastic flow network with non-conservation flow | |
| Kim et al. | Research on the effects of MAAB style guidelines for weapon system embedded software reliability improvement | |
| CN108227655A (en) | A kind of quick combined modularized electric system on frock clamp | |
| Kharchenko et al. | Diversity-oriented fpga-based npp i&c systems: safety assessment, development, implementation | |
| Hakvoort | Worst-case system identification in H∞: error bounds and optimal models |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |