WO2017107665A1 - Safety computer system for use in train control - Google Patents

Publication number
WO2017107665A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
data
processing module
input
output
Application number
PCT/CN2016/103931
Other languages
French (fr)
Chinese (zh)
Inventor
王奇
代飞
颜光
朱晖
彭扶权
贺建国
喻文冲
易红
单勇腾
罗永升
昝壮
Original Assignee
湖南中车时代通信信号有限公司

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L 27/00 Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 23/00 Testing or monitoring of control systems or parts thereof
    • G05B 23/02 Electric testing or monitoring
    • G05B 23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B 23/0208 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterized by the configuration of the monitoring system
    • G05B 23/0213 Modular or universal configuration of the monitoring system, e.g. monitoring system having modules that may be combined to build monitoring program; monitoring system that can be applied to legacy systems; adaptable monitoring system; using different communication protocols
    • G05B 2219/00 Program-control systems
    • G05B 2219/20 Pc systems
    • G05B 2219/24 Pc safety
    • G05B 2219/24182 Redundancy

Definitions

  • This invention relates to train control systems, and more particularly to a safety computer system for train control.
  • The safety computer is the core of a computer- and communication-based train control system: it performs real-time control and safety protection of train operation, ensuring that the train runs within the permitted envelope according to the designed route and the required speed. The reliability and safety of the safety computer system are therefore particularly important.
  • System reliability is the ability to perform a specified function within a specified time and under specified conditions.
  • Safety is the ability to guarantee a safe system output in the event of a system failure, within a specified time and under specified conditions. In the prior art, safety and reliability often cannot both be achieved.
  • The present invention adopts a specific system architecture that greatly improves both the reliability and the safety of the safety computer system.
  • Only the main processing module produces the system output; the standby processing module does not output. This reduces the amount of system communication data while preserving reliability and safety.
  • The present invention provides a safety computer system for train control.
  • The safety computer system includes a first system and a second system that are mutually redundant, wherein:
  • the first system includes a first system input module, a first system transmission module, a first system processing module and a first system output module;
  • the second system includes a second system input module, a second system transmission module, a second system processing module and a second system output module; one of the first system processing module and the second system processing module is the main processing module and the other is the standby processing module.
  • The first system input module and the second system input module are each configured to acquire an external signal to obtain input data and to perform two-out-of-two (2oo2) voting on that input data. When the vote passes, each input module sends its input data through the corresponding transmission module to both the main processing module and the standby processing module; when the vote fails, the input module stops working.
  • The input data consists of a digital/analog input and a communication input.
  • The main processing module and the standby processing module are each configured to process the input data from the same transmission module and to perform two-out-of-two voting internally. If the main processing module's vote fails, the main processing module stops working and operation switches to the standby processing module, provided the standby module's own vote has passed; the standby processing module then becomes the main processing module.
  • The main processing module is configured to select, as required, the data transmitted by either the first system transmission module or the second system transmission module as main data, and to keep the data transmitted by the other transmission module as standby data, so that processing can continue on the standby data without delay when the main data becomes unavailable. The main processing module outputs the processed data to both the first system transmission module and the second system transmission module.
  • The standby processing module is configured to process the same main data as the main processing module and likewise to keep the data from the other transmission module as standby data for use when the main data is unavailable; the standby processing module does not output its processed data to any transmission module.
  • The first system output module and the second system output module are each configured to verify the validity of the data processed by the main processing module and to perform two-out-of-two voting on it; when the vote fails, the output module stops working.
  • The first system input module includes a first system input unit A and a first system input unit B.
  • The first system input unit A is configured to acquire the external signal to obtain a digital/analog input.
  • The first system input unit B is configured to acquire the same external signal to obtain a digital/analog input.
  • The first system input unit A and the first system input unit B exchange and compare the digital/analog inputs each has collected. If they are the same, the first system input module sends the collected digital/analog input to the first system transmission module; if they differ, the first system input module stops working, and if the second system input module has also stopped working, the safety computer system enters the safe state.
  • The second system input module includes a second system input unit A and a second system input unit B.
  • The second system input unit A is configured to acquire the external signal to obtain a digital/analog input.
  • The second system input unit B is configured to acquire the same external signal to obtain a digital/analog input.
  • The second system input unit A and the second system input unit B exchange and compare the digital/analog inputs each has collected. If they are the same, the second system input module sends the collected digital/analog input to the second system transmission module; if they differ, the second system input module stops working, and if the first system input module has also stopped working, the safety computer system enters the safe state.
  • The first system transmission module is configured to aggregate the digital/analog input and the communication input and transmit them, directly or indirectly, to the main processing module and the standby processing module;
  • the first system transmission module is further configured to split the data processed by the main processing module into a digital/analog output and a communication output and transmit them, directly or indirectly, to the first system output module.
  • The second system transmission module is configured to aggregate the digital/analog input and the communication input and transmit them, directly or indirectly, to the main processing module and the standby processing module;
  • the second system transmission module is further configured to split the data processed by the main processing module into a digital/analog output and a communication output and transmit them, directly or indirectly, to the second system output module.
  • The main processing module includes a main processing unit A and a main processing unit B.
  • The main processing unit A is configured to process the main data and to store the standby data, so that processing can continue on the standby data without delay when the main data is unavailable.
  • The main processing unit B is configured in the same way: it processes the main data and stores the standby data so that the standby data can be used without delay when the main data is unavailable.
  • The main processing unit A and the main processing unit B exchange and compare the data each has processed. If the results are the same, the main processing module sends the processed data to the first system transmission module and the second system transmission module, and the data processed by the main processing module is periodically synchronised to the standby processing module. If the results differ, the main processing module stops working and operation switches to the standby processing module.
  • If the standby processing module has also stopped working, the safety computer system enters the safe state.
  • The standby processing module includes a standby processing unit A and a standby processing unit B.
  • The standby processing unit A is configured to process the main data and to store the standby data, so that processing can continue on the standby data without delay when the main data is unavailable.
  • The standby processing unit B is configured in the same way.
  • The data processed by the standby processing module is not output to any transmission module. The standby processing unit A and the standby processing unit B exchange and compare the data each has processed; if the results are the same, the standby processing module periodically synchronises its processed data with the main processing module; if they differ, the standby processing module stops working.
  • The first system output module includes a first system output unit A and a first system output unit B.
  • The first system output unit A is configured to verify the validity of the digital/analog output from the main processing module.
  • The first system output unit B is configured to verify the validity of the same digital/analog output.
  • The first system output unit A and the first system output unit B exchange and compare the data each has verified. If they are the same, the verified data is output to the first system output execution device; if not, the first system output module stops working, and if the second system output module has also stopped working, the safety computer system enters the safe state.
  • The second system output module includes a second system output unit A and a second system output unit B.
  • The second system output unit A is configured to verify the validity of the digital/analog output from the main processing module.
  • The second system output unit B is configured to verify the validity of the same digital/analog output.
  • The second system output unit A and the second system output unit B exchange and compare the data each has verified. If they are the same, the verified data is output to the second system output execution device; if not, the second system output module stops working, and if the first system output module has also stopped working, the safety computer system enters the safe state.
  • The first system transmission module and the second system transmission module transmit data either through an Ethernet switch or directly over a FlexRay bus.
  • The first system input module, the first system transmission module, the first system processing module, the first system output module, the second system input module, the second system transmission module, the second system processing module and the second system output module are each implemented as a plug-in card.
  • "Unavailability of the main data" means that one or more of the input module and the transmission module of the system supplying the main data has stopped working (or failed).
  • FIG. 1 shows a safety computer system according to an embodiment of the present invention.
  • FIG. 2 shows a block diagram of a specific architecture of a safety computer system according to an embodiment of the present invention.
  • Redundancy: to improve the safety and reliability of a safety computer system, redundancy must be designed into it.
  • Dual-module redundancy, with its high reliability and low hardware cost, is the first choice for many safety computer systems.
  • Dual-machine comparison and dual-system hot standby are the two most commonly used schemes, each with its own advantages and disadvantages. In a dual-machine comparison system, any failure leads directly to shutdown to the safe side; this gives high safety, but the reliability of the system is low.
  • A dual-system hot standby scheme gains reliability at the cost of the system's safety. In these two structures, reliability and safety are in irreconcilable conflict.
  • The safety computer system of the present invention adopts a specially designed two-by-two-out-of-two (2×2oo2) structure, which can be configured as a fail-safe redundant system in both software and hardware, has high safety, and essentially satisfies the reliability requirements.
  • The input module, the processing module and the output module of the safety computer system of the invention are connected via a FlexRay bus or fast Ethernet.
  • Safety-related input plug-ins (such as safety digital input, frequency input, etc.) send their data to the host under the host's scheduling control, protected by the two-out-of-two voting safety policy and the safety communication protocol. The host parses the protocol, performs processing such as logic/arithmetic operations and output voting, and finally sends the output command over the communication bus to the output module, which executes the output.
  • The safety computer system has multiple interfaces providing external communication capability, and equipment outside the system can interact with the host through the communication plug-in. Through hardware configuration, the safety computer system of the present invention can be used for safety-related equipment such as rail transit vehicle ATP, computer interlocking, and train control center/zone controller.
  • FIG. 1 illustrates a safety computer system according to an embodiment of the present invention.
  • The safety computer system of the present invention includes a first system (system I) 101 and a second system (system II) 102.
  • The system structures of the first system 101 and the second system 102 are identical, and the two systems are mutually redundant.
  • Each system includes an input module, a transmission module, a processing module and an output module, all of which can be implemented as plug-ins.
  • The first system 101 includes a first system input module 103, a first system transmission module 113, a first system processing module 104 and a first system output module 105.
  • The second system 102 includes a second system input module 106, a second system transmission module 114, a second system processing module 107 and a second system output module 108.
  • Each module of the first system is redundant with the corresponding module of the second system.
  • Either the first system processing module 104 of the first system 101 or the second system processing module 107 of the second system 102 can serve as the main processing module, with the other serving as the standby processing module.
  • When the main processing module fails, operation can be switched to the standby processing module, which then becomes the main processing module.
  • Which of the two systems' input modules and output modules serves as the main one may be chosen freely according to actual conditions.
  • For example, when the first system processing module 104 functions as the main processing module, it can select the first system input module as its input module and process its input data, using the input data of the second system input module as standby data;
  • alternatively, it can select the second system input module as its input module and process its input data, using the input data of the first system input module as standby data.
  • Input module (103, 106)
  • The input modules 103, 106 of the safety computer system of the present invention periodically acquire external signals, such as relay signals or sensor signals.
  • Safety-related signals are collected through digital or analog input channels and processed by two-out-of-two voting to form safety input data, which is sent to the host (i.e. the processing module) over the communication link, protected by the safety communication protocol, for the host to process.
  • Non-safety-related signals are collected directly by a single CPU.
  • The input modules 103, 106 of the two systems are in hot standby with each other.
  • The host takes the data collected by either system (system I by default) and passes it to the application software, or provides the data collected by a specified system as required by the application software.
  • When the input modules of both systems have failed, are not inserted, or are not activated, the safety computer system enters the safe state.
  • The communication (transmission) modules 113, 114 of the safety computer system of the present invention operate mainly in two directions.
  • In the input direction, data transmission can be done in Ethernet mode or in FlexRay mode.
  • In Ethernet mode, the data collected by the input module is sent to the processing module via the communication module and the Ethernet switch; in FlexRay mode, the input module sends the data directly to the processing module over the FlexRay bus.
  • External devices of the safety computer platform send data to the communication module over their communication interface, and the communication module forwards it to the processing module over Ethernet or the FlexRay bus.
  • In the output direction, the data of the processing module is sent to the output module or to an external device.
  • Data transmission can again be done in Ethernet mode or in FlexRay mode.
  • In Ethernet mode, the data processed by the processing module is sent to the output module through the Ethernet switch and the communication module; in FlexRay mode, the processing module sends the data directly to the output module over the FlexRay bus.
  • To reach an external device, the processing module sends the data over Ethernet or the FlexRay bus to the communication module, which in turn forwards it to the external device.
  • The safety of internal data transmission on the safety computer platform is guaranteed by the platform safety communication protocol and meets the requirements of IEC 62280-1:2002.
  • The system uses serial communication to facilitate system expansion.
  • The processing module (host) 104, 107 acquires the input data or status of the platform's internal modules through the safety communication protocol, and acquires the input data of external devices through a communication protocol defined by the application developer. It passes the processed data or status to the application software through the application software interface, processes the control commands or states returned by the application software, and outputs them through the output module to the platform's internal modules or to an external device.
  • The processing modules of the two systems receive input data from all platform-internal modules and external devices simultaneously and process it. Under normal circumstances only the main processing module outputs data and the standby processing module does not; the processing modules (hosts) of the two systems have inter-system synchronisation and active/standby switching functions. When the main processing module (host) fails, the standby processing module (host) becomes the main processing module and outputs data. If both processing modules fail at the same time, the system enters the safe state.
  • The output modules 105, 108 receive the control commands of the processing module (host), perform safety verification of the data's validity, and drive the outputs.
  • The safety digital output monitors the correctness of the output through a feedback circuit.
  • The output modules of the two systems receive the control commands of the processing module (host) simultaneously and output them simultaneously.
  • The system outputs of the redundant output modules are connected in parallel to increase system availability.
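  • The output-side behaviour described above (validity verification of each command, two-out-of-two agreement between output units A and B, feedback read-back of the driven level, and the two systems' outputs wired in parallel) is modelled in the following added example. It is not code from the patent: the validity check (an advancing sequence number and a 0/1 level), the feedback-line fault and the unit-B fault injection are constructed assumptions used to show how a single fault removes one module while the parallel output keeps the system available, and how a second fault drives the system to the safe (de-energised) state.

```python
"""Added example (not the patent's code): a fail-stop output module with validity
verification, 2oo2 voting between output units, feedback read-back, and parallel
redundant outputs. All command values and faults are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OutputChannel:
    """Stand-in for a safety digital output driver with a feedback line (constructed)."""
    driven: int = 0
    stuck_feedback: Optional[int] = None   # fault injection: feedback line stuck at a level

    def drive(self, value: int) -> None:
        self.driven = value

    def feedback(self) -> int:
        return self.driven if self.stuck_feedback is None else self.stuck_feedback


@dataclass
class OutputModule:
    name: str
    channel: OutputChannel
    stopped: bool = False
    last_seq: int = -1
    unit_b_fault_seq: Optional[int] = None   # fault injection: unit B mis-verifies this command

    def verify(self, cmd: dict) -> bool:
        """Validity check (assumed shape): sequence number must advance, level must be 0/1."""
        return cmd["seq"] > self.last_seq and cmd["value"] in (0, 1)

    def stop(self) -> None:
        """Fail-stop: a stopped module drops its output to the de-energised (safe) level."""
        self.stopped = True
        self.channel.drive(0)

    def execute(self, cmd: dict) -> bool:
        """Units A and B each verify the command, exchange verdicts and compare (2oo2)."""
        if self.stopped:
            return False
        verdict_a = self.verify(cmd)
        verdict_b = self.verify(cmd)
        if self.unit_b_fault_seq == cmd["seq"]:
            verdict_b = not verdict_b          # injected divergence in unit B
        if verdict_a != verdict_b:             # vote failed: stop this module
            self.stop()
            return False
        if not verdict_a:                      # both units reject the command: do not act
            return False
        self.channel.drive(cmd["value"])
        if self.channel.feedback() != cmd["value"]:   # feedback circuit disagrees: stop
            self.stop()
            return False
        self.last_seq = cmd["seq"]
        return True


def system_output(modules: List[OutputModule], cmd: dict) -> Tuple[int, bool]:
    """Parallel-wired redundant outputs: the load is energised if any working module
    drives 1. Returns (level seen by the execution device, system in safe state)."""
    for m in modules:
        m.execute(cmd)
    in_safe_state = all(m.stopped for m in modules)
    level = 0 if in_safe_state else max(m.channel.driven for m in modules)
    return level, in_safe_state


def run_scenario() -> List[Tuple[int, bool]]:
    """Constructed run: module I's feedback line fails at seq 2, module II's unit B
    mis-verifies at seq 4. Expect availability after the first fault, safe state after the second."""
    out_i = OutputModule("I", OutputChannel())
    out_ii = OutputModule("II", OutputChannel(), unit_b_fault_seq=4)
    commands = [{"seq": s, "value": v} for s, v in enumerate([1, 1, 1, 0, 1])]
    trace = []
    for cmd in commands:
        if cmd["seq"] == 2:
            out_i.channel.stuck_feedback = 0
        trace.append(system_output([out_i, out_ii], cmd))
    return trace


if __name__ == "__main__":
    for step, (level, safe) in enumerate(run_scenario()):
        print(f"seq {step}: level={level} safe_state={safe}")
```

  • Note that a stopped module is driven to 0 before the parallel OR is taken, so a fail-stopped module can never hold the load energised on its own; the de-energised level is the safe side in this model.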
  • FIG. 2 shows a block diagram of a specific architecture of a safety computer system according to an embodiment of the present invention.
  • The first system input module 103 includes a first system input unit A and a first system input unit B.
  • The first system input module 103 collects the digital/analog input in two channels, by the first system input unit A and the first system input unit B, and the two units perform two-out-of-two voting on it.
  • The first system input unit A is configured to periodically acquire external signals, such as relay signals or sensor signals. These signals are acquired through digital or analog input channels and serve as the digital/analog input of the first system input module.
  • The digital/analog input includes safety-related signals (e.g., an acquired speed sensor signal, current sensor signal, voltage sensor signal or relay signal).
  • The first system input unit B is configured to perform the same periodic acquisition of the same external signals to obtain a digital/analog input.
  • The first system input module 103 also receives communication inputs.
  • A communication input is an input arriving over a communication interface (for example Ethernet, CAN or RS485); it can be passed directly to the first system transmission module 113.
  • The first system input unit A and the first system input unit B perform two-out-of-two voting on the two collected digital/analog inputs (for example, the safety-related signals) to form safety input data. That is, the two units exchange the data each has collected, and each unit then compares its own data with the exchanged data. If the comparison result is the same (that is, the data collected by input units A and B agree and the vote passes), the collected digital/analog input is transmitted to the first system transmission module 113.
  • If they differ (that is, the data collected by input units A and B disagree and the vote fails), the first system input module 103 is faulty and must stop working. If the main processing module and the standby processing module were using the data of the first system input module as main data, they must switch to the standby data from the second system input module for subsequent processing. If the second system input module 106 of the second system 102 also fails its two-out-of-two vote, the entire safety computer system enters the safe state.
  • The first system input module 103 can include one or more input plug-ins for acquiring the digital/analog input.
  • The second system input module 106 includes a second system input unit A and a second system input unit B.
  • The second system input module 106 collects the digital/analog input in two channels, by the second system input unit A and the second system input unit B, and the two units perform two-out-of-two voting on it.
  • The second system input unit A is configured to periodically acquire external signals, such as relay signals or sensor signals. These signals are acquired through digital or analog input channels and serve as the digital/analog input of the second system input module.
  • The digital/analog input includes safety-related signals (e.g., an acquired speed sensor signal, current sensor signal, voltage sensor signal or relay signal).
  • The second system input unit B is configured to perform the same periodic acquisition of the same external signals to obtain a digital/analog input.
  • The second system input module 106 also receives communication inputs.
  • A communication input is an input arriving over a communication interface (for example Ethernet, CAN or RS485); it can be passed directly to the second system transmission module 114.
  • The second system input unit A and the second system input unit B perform two-out-of-two voting on the two collected digital/analog inputs (for example, the safety-related signals) to form safety input data. That is, the two units exchange the data each has collected.
  • Each unit then compares its own data with the exchanged data. If the comparison result is the same (that is, the data collected by input units A and B agree and the vote passes), the collected digital/analog input is transmitted to the second system transmission module 114.
  • If they differ (that is, the data collected by input units A and B disagree and the vote fails), the second system input module 106 is faulty and must stop working. If the main processing module and the standby processing module were using the data of the second system input module as main data, they must switch to the standby data from the first system input module for subsequent processing. If the first system input module 103 of the first system 101 also fails its two-out-of-two vote, the entire safety computer system enters the safe state.
  • The second system input module 106 can include one or more input plug-ins for acquiring the digital/analog input.
  • The first system input module 103 of the first system 101 and the second system input module 106 of the second system 102 are in redundant hot standby. That is, the two input modules work simultaneously; the data provided by one of them is processed by the main processing module and the standby processing module as main data, and the data provided by the other is held by both processing modules as standby data.
  • When the input module providing the main data fails, the data provided by the other input module is promoted from standby data to main data for processing by the main processing module and the standby processing module. If the first system input module 103 and the second system input module 106 both fail, are not inserted, or are not activated at the same time, the entire safety computer system enters the safe state.
  • The first system transmission module 113 aggregates the digital/analog input and the communication input and transmits them, directly or indirectly, to the main processing module and the standby processing module.
  • The first system transmission module 113 also splits the data processed by the main processing module into a digital/analog output and a communication output and transmits them, directly or indirectly, to the first system output module.
  • The first system transmission module 113 can transmit data in Ethernet mode or in FlexRay mode.
  • In FlexRay mode, the first system transmission module 113 sends the aggregated input data directly to the main processing module and the standby processing module over the FlexRay bus, and transmits the split digital/analog output and communication output directly over the FlexRay bus to the first system output module.
  • In Ethernet mode, the first system transmission module 113 sends the aggregated input data indirectly to the main processing module and the standby processing module through the Ethernet switch, and transmits the split digital/analog output and communication output indirectly to the first system output module through the Ethernet switch.
  • The benefit of the first system transmission module 113 also distributing the aggregated input data to the standby processing module is that, under normal conditions, the main processing module and the standby processing module process the same data (e.g., from the same transmission module). Once the main processing module fails, operation can switch directly to the standby processing module, achieving seamless switchover.
  • The first system transmission module 113 can be a communication card.
  • The second system transmission module 114 aggregates the digital/analog input and the communication input and transmits them, directly or indirectly, to the main processing module and the standby processing module.
  • The second system transmission module 114 also splits the data processed by the main processing module into a digital/analog output and a communication output and transmits them, directly or indirectly, to the second system output module.
  • The second system transmission module 114 can transmit data in Ethernet mode or in FlexRay mode.
  • In FlexRay mode, the second system transmission module 114 sends the aggregated input data directly to the main processing module and the standby processing module over the FlexRay bus, and transmits the split digital/analog output and communication output directly over the FlexRay bus to the second system output module.
  • In Ethernet mode, the second system transmission module 114 sends the aggregated input data indirectly to the main processing module and the standby processing module through the Ethernet switch, and transmits the split digital/analog output and communication output indirectly to the second system output module through the Ethernet switch.
  • The second system transmission module 114 likewise distributes the aggregated input data to the standby processing module, so that under normal conditions the main processing module and the standby processing module process the same data (e.g., from the same transmission module). Once the main processing module fails, operation can switch directly to the standby processing module, achieving seamless switchover.
  • The second system transmission module 114 can be a communication card.
  • The first system processing module 104 acquires the input data transmitted by the two transmission modules 113, 114, selects the input data transmitted by one of them for processing (such as logic control, protocol analysis, etc.), and stores the input data transmitted by the other transmission module as a backup.
  • The first system processing module 104 includes a first system processor A and a first system processor B, each of which performs data processing and two-out-of-two voting.
  • The second system processing module 107 acquires the input data transmitted by the two transmission modules 113, 114, selects the input data transmitted by one of them for processing (such as logic control, protocol analysis, etc.), and stores the input data transmitted by the other transmission module as a backup.
  • The second system processing module 107 includes a second system processor A and a second system processor B, each of which performs data processing and two-out-of-two voting.
  • Either one of the first system processing module 104 and the second system processing module 107 can function as the main processing module, with the other as the standby processing module.
  • The main processing module simultaneously receives the data transmitted by the first system transmission module and the second system transmission module.
  • The main processing module can select, as required, the data transmitted by either the first system transmission module or the second system transmission module as the main data for processing such as logic control and protocol analysis, and keeps the data transmitted by the other transmission module as backup data, so that processing can continue promptly on the backup data when the main data becomes unavailable. The main processing module outputs the processed data simultaneously to the first system transmission module and the second system transmission module, for delivery to the first system output module and the second system output module for subsequent safety verification.
  • The standby processing module simultaneously receives the data transmitted by the first system transmission module and the second system transmission module. After the main processing module has determined which transmission module's data is the main data, the standby processing module processes that same main data; that is, the main processing module and the standby processing module process data from the same system (the same transmission module) at the same time. The standby processing module likewise keeps the data transmitted by the other transmission module as backup data, so that processing can continue promptly when the main data is unavailable, but it does not output its processed data to any transmission module.
  • Unavailability of the main data here means that one or more of the input module and the transmission module of the system corresponding to the main data have stopped working or are faulty (for example, a two-out-of-two vote has failed).
  • The main processing module includes a main processing unit A and a main processing unit B.
  • The main processing unit A processes the main data and stores the backup data, so that the backup data can be used for subsequent processing when the main data is unavailable.
  • The main processing unit B processes the same main data and stores the backup data, so that the backup data can be used for subsequent processing when the main data is unavailable.
  • The main processing unit A and the main processing unit B also each perform two-out-of-two voting: they exchange their processed data and compare it. If the results are the same, the main processing module sends the processed data to the first system transmission module and the second system transmission module, and at the same time the main processing module's processed data is periodically synchronized to the standby processing module. If the results differ, the main processing module stops working and operation switches to the standby processing module. If the standby processing module has also stopped working, the safety computer system enters a safe state.
  • The standby processing module includes a standby processing unit A and a standby processing unit B.
  • The standby processing unit A processes the same main data and stores the backup data, so that processing can continue promptly on the backup data when the main data is unavailable.
  • The standby processing unit B processes the same main data and stores the backup data, so that processing can continue promptly on the backup data when the main data is unavailable.
  • The standby processing unit A and the standby processing unit B each perform two-out-of-two voting: they exchange and compare the data processed by both units. If the results are the same, the standby processing module periodically synchronizes its processed data with the main processing module; if they differ, the standby processing module stops working. Note that the data processed by the standby processing module is never output to any transmission module.
  • Only the main processing module outputs data; the standby processing module does not.
  • The purpose of this design is that, because the reliability of the whole safety computer system is already fully ensured by the design of the input, transmission and processing modules, the processing output of one system can be dropped at the output module stage (for example, the standby processing module no longer has an output), reducing the amount of communication data in the whole safety computer system.
  • The main processing module and the standby processing module synchronize with each other in real time, so that when the main processing module fails (for example, when its two-out-of-two vote fails), the standby processing module can promptly take over as the main processing module for subsequent processing using the latest synchronized data that was just processed. If both processing modules fail at the same time, the safety computer system enters a safe state.
  • The first system output module 105 includes a first system output unit A and a first system output unit B.
  • For digital and analog outputs (e.g. safety-related signal outputs), both the first system output unit A and the first system output unit B perform safety verification of their validity.
  • The first system output unit A and the first system output unit B exchange the safety-verified data with each other and compare it within their respective output units. If the two are the same, the digital and analog output is driven through the output actuator. If they differ (i.e. the two-out-of-two vote fails), the first system output module stops working. If the second system output module 108 of the second system 102 also fails its two-out-of-two vote, the entire safety computer system enters a safe state.
  • The first system also collects its output and feeds it back to a feedback circuit for checking the correctness of the output.
  • The second system output module 108 includes a second system output unit A and a second system output unit B.
  • For digital and analog outputs (e.g. safety-related signal outputs), both the second system output unit A and the second system output unit B perform safety verification of their validity.
  • The second system output unit A and the second system output unit B exchange the safety-verified data with each other and compare it within their respective output units. If the two are the same, the digital and analog output is driven through the output actuator. If they differ (i.e. the two-out-of-two vote fails), the second system output module stops working. If the first system output module 105 has also failed, the entire safety computer system enters a safe state.
  • The second system also collects its output and feeds it back to a feedback circuit for checking the correctness of the output.
  • The safety computer system of the invention is a specially designed two-by-two-out-of-two system. It not only has the advantages of high reliability and high safety but is also loosely coupled: the input and output modules of the two systems collect and output independently, are highly independent of each other, and do not affect each other. For example, if any one or more of the input module, transmission module, processing module and output module of the main system has a problem, the system can still work normally as long as the faulty module is not one that collects from or drives the same object.

Abstract

A safety computer system for use in train control, comprising a first system (101) and a second system (102) that are mutually redundant. One of the two system processing modules (104 and 107) serves as the primary processing module, while the other serves as the backup processing module. The two system input modules (103 and 106) are each configured to capture an external signal, to perform a two-out-of-two vote, and to stop working when the two-out-of-two vote fails. The primary processing module and the backup processing module are each configured to process input data coming from the same system and to perform a two-out-of-two vote; when the two-out-of-two vote of the primary processing module fails, the primary processing module stops working and switches over to the backup processing module, whose two-out-of-two vote has passed, for subsequent processing, and the backup processing module thereby becomes the primary processing module. The two system output modules (105 and 108) are each configured to verify the validity of the data processed by the primary processing module, to perform a two-out-of-two vote, and to stop working when the two-out-of-two vote fails.

Description

A safety computer system for train control
Technical field
The present invention relates to train control systems, and more particularly to a safety computer system for train control.
Background art
With continuous technological progress and the ever higher requirements of rail transit systems for safety, reliability and automation, the signalling system, as a core area of rail transit systems, has become increasingly important and increasingly complex. For both the on-board control equipment and the wayside equipment of rail transit signalling systems, whether urban rail transit or mainline railway, there is one shared core technology for ensuring safe train operation: railway signalling safety computer technology.
A safety computer is a computer- and communication-based train control system that implements real-time control and safety protection of train operation, ensuring that the train runs within permitted limits according to the designed route and the expected speed. The reliability and safety of the safety computer system are therefore particularly important.
System reliability is the ability to perform a specified function within a specified time and under specified conditions. Safety is the ability to guarantee that the system's output remains safe, within a specified time and under specified conditions, even when a system fault occurs. In the prior art, safety and reliability often cannot both be achieved.
Therefore, there is an urgent need for a safety computer system that is highly reliable, highly safe, and able to properly control the volume of communication data.
Summary of the invention
In order to solve the technical problem that the input module, communication module, processing module and output module of a conventional safety computer are not sufficiently reliable and safe, the present invention adopts a specific system architecture that greatly improves the reliability and safety of the safety computer system. At the same time, only the main processing module outputs, while the standby processing module does not, which reduces the volume of system communication data while maintaining reliability and safety.
The present invention provides a safety computer system for train control.
The safety computer system comprises a first system and a second system, the first system and the second system being mutually redundant, wherein:
The first system comprises a first system input module, a first system transmission module, a first system processing module and a first system output module; the second system comprises a second system input module, a second system transmission module, a second system processing module and a second system output module. One of the first system processing module and the second system processing module is the main processing module and the other is the standby processing module.
The first system input module and the second system input module are each configured to collect external signals to obtain input data and to perform a two-out-of-two vote on the input data. When the two-out-of-two vote passes, each input module sends the input data through its corresponding transmission module to the main processing module and the standby processing module; when the two-out-of-two vote fails, the input module stops working.
Here, the input data means the digital and analog input and the communication input.
The main processing module and the standby processing module are each configured to process the input data from the same transmission module and to perform a two-out-of-two vote. When the two-out-of-two vote of the main processing module fails, the main processing module stops working and switches over to the standby processing module, whose two-out-of-two vote has passed, for subsequent processing; the standby processing module then becomes the main processing module.
The main processing module is configured to select, as required, the data transmitted by either the first system transmission module or the second system transmission module as the main data for processing, and to keep the data transmitted by the other transmission module as backup data, so that processing can continue promptly on the backup data when the main data is unavailable. The main processing module outputs the processed data simultaneously to the first system transmission module and the second system transmission module.
The standby processing module is configured to process the same main data as the main processing module and to keep the data transmitted by the other transmission module as backup data, so that processing can continue promptly on the backup data when the main data is unavailable. The standby processing module does not output the processed data to any transmission module.
The first system output module and the second system output module are each configured to verify the validity of the data processed by the main processing module and to perform a two-out-of-two vote, and to stop working when the two-out-of-two vote fails.
In one embodiment, the first system input module comprises a first system input unit A and a first system input unit B.
The first system input unit A is configured to collect the external signals to obtain the collected digital and analog input.
The first system input unit B is configured to collect the same external signals to obtain the collected digital and analog input.
The first system input unit A and the first system input unit B are each further configured to exchange and compare the digital and analog input collected by both units. If the two are the same, the first system input module sends the collected digital and analog input to the first system transmission module; if they differ, the first system input module stops working, and if the second system input module has also stopped working, the safety computer system enters a safe state.
In one embodiment, the second system input module comprises a second system input unit A and a second system input unit B.
The second system input unit A is configured to collect the external signals to obtain the collected digital and analog input.
The second system input unit B is configured to collect the same external signals to obtain the collected digital and analog input.
The second system input unit A and the second system input unit B are each further configured to exchange and compare the digital and analog input collected by both units. If the two are the same, the second system input module sends the collected digital and analog input to the second system transmission module; if they differ, the second system input module stops working, and if the first system input module has also stopped working, the safety computer system enters a safe state.
In one embodiment, the first system transmission module is configured to aggregate the digital and analog input with the communication input and to transmit them directly or indirectly to the main processing module and the standby processing module; the first system transmission module is further configured to split the data processed by the main processing module into digital and analog output and communication output and to transmit them directly or indirectly to the first system output module.
In one embodiment, the second system transmission module is configured to aggregate the digital and analog input with the communication input and to transmit them directly or indirectly to the main processing module and the standby processing module; the second system transmission module is further configured to split the data processed by the main processing module into digital and analog output and communication output and to transmit them directly or indirectly to the second system output module.
In one embodiment, the main processing module comprises a main processing unit A and a main processing unit B.
The main processing unit A is configured to process the main data and to store the backup data, so that processing can continue promptly on the backup data when the main data is unavailable.
The main processing unit B is configured to process the main data and to store the backup data, so that processing can continue promptly on the backup data when the main data is unavailable.
The main processing unit A and the main processing unit B each exchange and compare the data processed by both units. If the two are the same, the main processing module sends the processed data to the first system transmission module and the second system transmission module, and at the same time the data processed by the main processing module is periodically synchronized with the standby processing module; if they differ, the main processing module stops working and switches over to the standby processing module, and if the standby processing module has also stopped working, the safety computer system enters a safe state.
In one embodiment, the standby processing module comprises a standby processing unit A and a standby processing unit B.
The standby processing unit A is configured to process the main data and to store the backup data, so that processing can continue promptly on the backup data when the main data is unavailable.
The standby processing unit B is configured to process the main data and to store the backup data, so that processing can continue promptly on the backup data when the main data is unavailable.
The data processed by the standby processing module is not output to any transmission module. The standby processing unit A and the standby processing unit B exchange and compare the data processed by both units; if the two are the same, the standby processing module periodically synchronizes the processed data with the main processing module; if they differ, the standby processing module stops working.
In one embodiment, the first system output module comprises a first system output unit A and a first system output unit B.
The first system output unit A is configured to verify the validity of the digital and analog output from the main processing module.
The first system output unit B is configured to verify the validity of the same digital and analog output.
The first system output unit A and the first system output unit B exchange and compare the data verified by both units. If the two are the same, the verified data is output to the first system output actuator; if they differ, the first system output module stops working, and if the second system output module has also stopped working, the safety computer system enters a safe state.
In one embodiment, the second system output module comprises a second system output unit A and a second system output unit B.
The second system output unit A is configured to verify the validity of the digital and analog output from the main processing module.
The second system output unit B is configured to verify the validity of the same digital and analog output.
The second system output unit A and the second system output unit B exchange and compare the data verified by both units. If the two are the same, the verified data is output to the second system output actuator; if they differ, the second system output module stops working, and if the first system output module has also stopped working, the safety computer system enters a safe state.
In one embodiment, the first system transmission unit and the second system transmission unit transmit data through an Ethernet switch or directly over a FlexRay bus.
In one embodiment, the first system input module, the first system transmission module, the first system processing module, the first system output module, the second system input module, the second system transmission module, the second system processing module and the second system output module take the form of plug-in cards.
In one embodiment, the main data being unavailable means that one or more of the input module and the transmission module of the system corresponding to the main data have stopped working (or have failed).
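The switching rules described above (input, processing and output modules each voting two-out-of-two, the main processing module falling back to the backup data and then to the standby module, and the safe state entered only when both systems fail) can be exercised with the following simulation. It is an added illustration, not the patent's own code: the module names follow the page, while the brake-decision control logic, the output validity check, the fault-injection fields and the sample signal values are constructed assumptions.

```python
"""Simulation of the two-by-two-out-of-two (2x2oo2) safety computer described above; added
illustration, not the patent's code. Control logic, output check and faults are constructed."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

SAFE_STATE = "SAFE_STATE"

@dataclass
class TwoOutOfTwoModule:
    """Unit A and unit B compute independently; data is emitted only when both agree."""
    name: str
    faulty_unit: Optional[str] = None   # constructed fault injection: "A" or "B"
    stopped: bool = False               # a failed vote stops the module for good

    def compute(self, value: Any, fn: Callable[[Any], Any]) -> Optional[Any]:
        if self.stopped:
            return None
        result_a, result_b = fn(value), fn(value)
        if self.faulty_unit == "A":     # injected fault corrupts one unit's result
            result_a = ("corrupt", result_a)
        elif self.faulty_unit == "B":
            result_b = ("corrupt", result_b)
        if result_a != result_b:        # two-out-of-two vote failed
            self.stopped = True
            return None
        return result_a

@dataclass
class TransmissionModule:
    stopped: bool = False               # communication card: relays data, no vote of its own

def build_system() -> Dict[str, Any]:
    return {"input": TwoOutOfTwoModule("input"),
            "transmission": TransmissionModule(),
            "processing": TwoOutOfTwoModule("processing"),
            "output": TwoOutOfTwoModule("output")}

def control_logic(data: Dict[str, int]) -> Dict[str, bool]:
    """Constructed stand-in for the host's logic control: brake above the speed limit."""
    return {"brake": data["speed"] > data["limit"]}

def verify_output(command: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the output units' validity verification."""
    if set(command) != {"brake"} or not isinstance(command["brake"], bool):
        raise ValueError("malformed command reached the output module")
    return command

class SafetyComputer:
    def __init__(self, main: str = "I", main_source: str = "I"):
        self.systems = {"I": build_system(), "II": build_system()}
        self.main = main                 # which processing module is currently the main one
        self.main_source = main_source   # whose transmission module supplies the main data
        self.state, self.reason = "RUNNING", None
        self.synced = None               # processed data mirrored to the standby each cycle
        self.switches = 0

    def _enter_safe_state(self, reason: str) -> str:
        self.state, self.reason = SAFE_STATE, reason
        return SAFE_STATE

    def cycle(self, external_signal: Dict[str, int]):
        """One scan: collect -> transmit -> process -> output; returns the verified
        output of each working output module, or SAFE_STATE (which is sticky)."""
        if self.state == SAFE_STATE:
            return SAFE_STATE
        # 1. Input modules: units A and B sample the same signal and vote; the result
        #    reaches the processing modules only through a working transmission module.
        inputs = {}
        for name, system in self.systems.items():
            sampled = system["input"].compute(external_signal, dict)
            if sampled is not None and not system["transmission"].stopped:
                inputs[name] = sampled
        if not inputs:
            return self._enter_safe_state("both input paths stopped")
        # 2. Main data from the selected system; the other system's data is the backup.
        source = self.main_source if self.main_source in inputs else next(iter(inputs))
        main_data = inputs[source]
        # 3. Main and standby processing modules process the same main data; each votes.
        results = {name: system["processing"].compute(main_data, control_logic)
                   for name, system in self.systems.items()}
        if results[self.main] is None:
            standby = "II" if self.main == "I" else "I"
            if results[standby] is None:
                return self._enter_safe_state("both processing modules stopped")
            self.main, self.switches = standby, self.switches + 1   # standby becomes main
        processed = results[self.main]
        self.synced = processed          # inter-system synchronization of the latest result
        # 4. Only the main module outputs, to both transmission modules; each output
        #    module verifies the data and votes before driving its actuator.
        outputs = {}
        for name, system in self.systems.items():
            if system["transmission"].stopped:
                continue
            verified = system["output"].compute(processed, verify_output)
            if verified is not None:
                outputs[name] = verified
        if not outputs:
            return self._enter_safe_state("both output modules stopped")
        return outputs
```

Setting `faulty_unit` on any module makes its next two-out-of-two vote fail; a single input, processing or output fault degrades one path, and only a fault on both systems' copies of a module drives the simulation into the safe state.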
Brief description of the drawings
The above summary of the invention and the following detailed description will be better understood when read in conjunction with the accompanying drawings. It should be noted that the drawings serve only as examples of the claimed invention. In the drawings, like reference numerals denote the same or similar elements.
Fig. 1 shows a safety computer system according to an embodiment of the present invention; and
Fig. 2 shows a block diagram of the specific architecture of a safety computer system according to an embodiment of the present invention.
Detailed description
To improve the safety and reliability of a safety computer system, the system must be designed with redundancy. Among redundant systems, dual-modular redundancy is the first choice for many safety computer systems because of its relatively high reliability and low hardware cost. Within dual-modular redundant systems, dual-computer comparison and dual-computer hot standby are the two most commonly used schemes, each with its own advantages and disadvantages. Any fault in a dual-computer comparison system directly causes a shutdown to the safe side, which gives high safety but low system reliability. A dual-computer hot standby system is the opposite: it brings reliability but reduces the safety of the system. Reliability and safety thus become an irreconcilable contradiction in these two structures.
Unlike the prior art, the safety computer system of the present invention adopts a specially designed two-by-two-out-of-two structure that can be configured, in both software and hardware, as a fail-safe redundant system; it has high safety and also essentially satisfies the reliability requirements.
The input modules, processing modules and output modules of the safety computer system of the invention are connected over a FlexRay bus or Fast Ethernet. Safety-related input cards (such as safe digital inputs, frequency inputs, etc.), protected by the two-out-of-two voting safety strategy and a safety communication protocol, send the collected data to the host under the host's scheduling control; the host performs protocol parsing, logic/arithmetic operations, output voting and other processing, and finally sends the output commands over the communication bus to the output module, which executes the output. The safety computer system also has multiple interfaces for external communication, so that equipment outside the system can exchange data with the host through communication cards. Through hardware configuration, the safety computer system of the invention can be used in safety-related equipment such as rail transit on-board ATP, computer-based interlocking, and train control centres/zone controllers.
The detailed features and advantages of the invention are described in detail in the following detailed description, whose content is sufficient to enable any person skilled in the art to understand and implement the technical content of the invention; from the description, claims and drawings disclosed in this specification, a person skilled in the art can readily understand the objects and advantages of the invention.
Fig. 1 shows a safety computer system according to an embodiment of the present invention. The safety computer system of the invention comprises a first system (system I) 101 and a second system (system II) 102. The first system 101 and the second system 102 have the same architecture and are mutually redundant. Each system comprises an input module, a transmission module, a processing module and an output module, and each of these modules may take the form of a plug-in card. The first system 101 comprises a first system input module 103, a first system transmission module 113, a first system processing module 104 and a first system output module 105. The second system comprises a second system input module 106, a second system transmission module 114, a second system processing module 107 and a second system output module 108. Each module of the first system is redundant with the corresponding module of the second system.
One of the first system processing module 104 of the first system 101 and the second system processing module 107 of the second system 102 can serve as the main processing module and the other as the standby processing module. When the main processing module fails, operation can switch to the standby processing module, which then becomes the main processing module.
There need be no main/standby distinction between the input modules and output modules of the two systems; the main processing module can choose freely according to the actual situation. For example, when the first system processing module 104 is the main processing module, it can select the first system input module as its input module and process that input data while keeping the input data of the second system input module as backup data; or it can select the second system input module as its input module and process that input data while keeping the input data of the first system input module as backup data.
Input modules (103, 106)
The input modules 103, 106 of the safety computer system of the present invention periodically acquire external signals (such as relay signals or sensor signals). Safety-related signals are acquired through digital or analog input channels, pass through two-out-of-two (2oo2) voting to form safety input data, and are sent over the communication link to the host (for example, the processing module) under the protection of the safety communication protocol, for the host to process. Non-safety-related signals are acquired directly by a single CPU.
The input modules 103, 106 of the two systems (i.e., the first system and the second system) are hot standbys for each other. The host takes the acquired data of either system (system I by default) and passes it to the application software, or provides the acquired data of a specified system as the application software requires.
When the input modules of both systems fail, are not inserted, or are not activated at the same time, the safety computer system enters the safe state.
Communication modules (113, 114)
The communication modules 113, 114 of the safety computer system of the present invention perform two main tasks.
First, sending input data to the host. Data may be sent in Ethernet mode or FlexRay mode.
In Ethernet mode, the data acquired by the input module is sent to the processing module via the communication module and the Ethernet switch; in FlexRay mode, the input module sends the data directly over the FlexRay bus to the processing module. Devices external to the safety computer platform send data to the communication module over a communication interface, and the communication module forwards it to the processing module over Ethernet or the FlexRay bus.
Second, sending the processing module's data to the output module or to external devices. Data may be sent in Ethernet mode or FlexRay mode.
In Ethernet mode, data processed by the processing module is sent to the output module via the Ethernet switch and the communication module; in FlexRay mode, the processing module sends the data directly over the FlexRay bus to the output module. For devices external to the safety computer platform, the processing module sends the data over Ethernet or the FlexRay bus to the communication module, which forwards it to the external device.
The safety of data transmission inside the safety computer platform is guaranteed by the platform safety communication protocol, which meets the requirements of IEC 62280-1:2002.
In addition, the system uses serial communication, which facilitates system expansion.
Processing modules (104, 107)
The processing modules (also called hosts) 104, 107 obtain the input data or status of the platform's internal modules through the safety communication protocol, obtain the input data of devices external to the platform through a communication protocol determined by the application developer, process the data or status and pass it to the application software through the application software interface, and process the control commands or status received from the application software and output them through the transmission module to the platform's internal modules or to external devices.
The processing modules of both systems receive and process the input data of all platform-internal modules and external devices simultaneously. Under normal conditions only the main processing module outputs data; the standby processing module does not. The processing modules (hosts) of the two systems have inter-system synchronisation and main/standby switchover functions: when the main system's processing module (host) fails, the standby system's processing module (host) becomes the main system's processing module (host) and outputs data. If the processing modules of both systems fail at the same time, the system enters the safe state.
Output modules (105, 108)
The output modules 105, 108 receive control commands from the processing module (host), safety-check the validity of the data, and then output through the output actuator devices. Safety digital outputs are supervised by a feedback circuit to confirm that the executed output is correct. The output modules of both systems receive the control commands from the processing module (host) simultaneously and output simultaneously.
The system outputs use redundant output modules connected in parallel to improve system availability.
When the mutually redundant safety output modules of both systems fail, are not inserted, or are not activated at the same time, the system enters the safe state.
Fig. 2 shows a block diagram of the specific architecture of a safety computer system according to one embodiment of the present invention.
The first-system input module 103 includes a first-system input unit A and a first-system input unit B. The first-system input module 103 acquires the digital and analog inputs on two paths, by input unit A and input unit B respectively, and each unit performs 2oo2 voting.
The first-system input unit A is configured to periodically acquire external signals, such as relay signals or sensor signals. These signals are acquired through digital or analog input channels and serve as the digital/analog inputs of the first-system input module. These inputs include safety-related signals (for example acquired speed sensor signals, current sensor signals, voltage sensor signals and relay signals). The first-system input unit B is configured to periodically acquire the same external signals in the same way, obtaining its own digital/analog inputs. In addition, the first-system input module 103 also receives communication inputs. A communication input is an input arriving over a communication interface (for example Ethernet, CAN or RS485) and can be passed directly to the first-system transmission module 113.
The first-system input units A and B each perform 2oo2 voting on the two acquired digital/analog inputs (for example safety-related signals) to form safety input data. That is, input unit A and input unit B exchange the data each has acquired, and each then compares, in its own unit, its own acquired data with the data received from the other. If the comparison matches (the data acquired by units A and B are identical and the 2oo2 vote passes), the acquired digital/analog input is sent to the first-system transmission module 113. If they differ (the data acquired by units A and B are not identical and the 2oo2 vote fails), the first-system input module 103 is faulty and must stop working. If the main and standby processing modules were processing the data of the first-system input module as their main data, they must now switch to the standby data from the second-system input module for subsequent processing. If the second-system input module 106 of the second system 102 also fails its 2oo2 vote, the entire safety computer system enters the safe state.
In one embodiment, the first-system input module 103 may include one or more input cards for acquiring the digital/analog inputs.
The second-system input module 106 includes a second-system input unit A and a second-system input unit B. The second-system input module 106 acquires the digital and analog inputs on two paths, by input unit A and input unit B respectively, and each unit performs 2oo2 voting.
The second-system input unit A is configured to periodically acquire external signals, such as relay signals or sensor signals. These signals are acquired through digital or analog input channels and serve as the digital/analog inputs of the second-system input module. These inputs include safety-related signals (for example acquired speed sensor signals, current sensor signals, voltage sensor signals and relay signals). The second-system input unit B is configured to periodically acquire the same external signals in the same way, obtaining its own digital/analog inputs. In addition, the second-system input module 106 also receives communication inputs. A communication input is an input arriving over a communication interface (for example Ethernet, CAN or RS485) and can be passed directly to the second-system transmission module 114.
The second-system input units A and B each perform 2oo2 voting on the two acquired digital/analog inputs (for example safety-related signals) to form safety input data. That is, input unit A and input unit B exchange the data each has acquired, and each then compares, in its own unit, its own acquired data with the data received from the other. If the comparison matches (the data acquired by units A and B are identical and the 2oo2 vote passes), the acquired digital/analog input is sent to the second-system transmission module 114. If they differ (the data acquired by units A and B are not identical and the 2oo2 vote fails), the second-system input module 106 is faulty and must stop working. If the main and standby processing modules were processing the data of the second-system input module as their main data, they must now switch to the standby data from the first-system input module for subsequent processing. If the first-system input module 103 of the first system 101 also fails its 2oo2 vote, the entire safety computer system enters the safe state.
In one embodiment, the second-system input module 106 may include one or more input cards for acquiring the digital/analog inputs.
The first-system input module 103 of the first system 101 and the second-system input module 106 of the second system 102 are mutually redundant hot standbys. That is, both input modules work at the same time: the data provided by one is processed by the main and standby processing modules as main data, while the data provided by the other is held by the main and standby processing modules as standby data. When the input module providing the main data fails, the data provided by the other input module changes from standby data to main data and is processed by the main and standby processing modules. If the first-system input module 103 and the second-system input module 106 fail, are not inserted, or are not activated at the same time, the entire safety computer system enters the safe state.
The first-system transmission module 113 aggregates the digital/analog inputs and the communication inputs and transmits them, directly or indirectly, to the main and standby processing modules. It also splits the data processed by the main processing module into digital/analog outputs and communication outputs and transmits them, directly or indirectly, to the first-system output module.
The first-system transmission module 113 may transmit data in Ethernet mode or FlexRay mode. In FlexRay mode, the first-system transmission module 113 sends the aggregated input data directly over the FlexRay bus to the main and standby processing modules, and transmits the split digital/analog outputs and communication outputs directly over the FlexRay bus to the first-system output module. In Ethernet mode, the first-system transmission module 113 sends the aggregated input data indirectly, through the Ethernet switch, to the main and standby processing modules, and transmits the split digital/analog outputs and communication outputs indirectly, through the Ethernet switch, to the first-system output module.
It is worth noting the benefit of the first-system transmission module 113 also distributing the aggregated input data to the standby processing module: because the main and standby processing modules work on the same data under normal conditions (for example data from the same transmission module), operation can switch directly from the main processing module to the standby processing module as soon as the main one fails, giving a seamless switchover.
In one embodiment, the first-system transmission module 113 may be a communication card.
The second-system transmission module 114 aggregates the digital/analog inputs and the communication inputs and transmits them, directly or indirectly, to the main and standby processing modules. It also splits the data processed by the main processing module into digital/analog outputs and communication outputs and transmits them, directly or indirectly, to the second-system output module.
The second-system transmission module 114 may transmit data in Ethernet mode or FlexRay mode. In FlexRay mode, the second-system transmission module 114 sends the aggregated input data directly over the FlexRay bus to the main and standby processing modules, and transmits the split digital/analog outputs and communication outputs directly over the FlexRay bus to the second-system output module. In Ethernet mode, the second-system transmission module 114 sends the aggregated input data indirectly, through the Ethernet switch, to the main and standby processing modules, and transmits the split digital/analog outputs and communication outputs indirectly, through the Ethernet switch, to the second-system output module.
It is worth noting the benefit of the second-system transmission module 114 also distributing the aggregated input data to the standby processing module: because the main and standby processing modules work on the same data under normal conditions (for example data from the same transmission module), operation can switch directly from the main processing module to the standby processing module as soon as the main one fails, giving a seamless switchover.
In one embodiment, the second-system transmission module 114 may be a communication card.
The first-system processing module 104 obtains the input data transmitted by both transmission modules 113, 114, selects the input data from one of them for processing (for example logic control and protocol parsing), and stores the input data from the other as standby. The first-system processing module 104 includes a first-system processor A and a first-system processor B, each of which performs data processing and 2oo2 voting.
The second-system processing module 107 obtains the input data transmitted by both transmission modules 113, 114, selects the input data from one of them for processing (for example logic control and protocol parsing), and stores the input data from the other as standby. The second-system processing module 107 includes a second-system processor A and a second-system processor B, each of which performs data processing and 2oo2 voting.
As described above, one of the first-system processing module 104 and the second-system processing module 107 serves as the main processing module and the other as the standby processing module.
The main processing module receives the data from both the first-system transmission module and the second-system transmission module simultaneously. It may select the data transmitted by either transmission module as the main data for processing (for example logic control and protocol parsing) as required, and keeps the data transmitted by the other transmission module as standby data so that processing can continue promptly on the standby data when the main data becomes unavailable. The main processing module outputs its processed data to both the first-system and the second-system transmission modules simultaneously, for subsequent safety verification by the first-system and second-system output modules.
The standby processing module also receives the data from both the first-system and the second-system transmission modules simultaneously. Once the main processing module has determined which system's transmission module supplies the main data, the standby processing module processes that same main data. That is, at any given time the main and standby processing modules process data from the same system (or the same transmission module). Likewise, the standby processing module keeps the data transmitted by the other transmission module as standby data, so that processing can continue promptly on the standby data when the main data becomes unavailable; the standby processing module does not output its processed data to any transmission module.
"Main data unavailable" here means that one or more of the input module and the transmission module of the system supplying the main data has stopped working or failed (for example, failed its 2oo2 vote).
The main processing module includes a main processing unit A and a main processing unit B.
Main processing unit A processes the main data and stores the standby data, so that subsequent processing can continue promptly on the standby data when the main data becomes unavailable.
Main processing unit B processes the same main data and likewise stores the standby data, so that subsequent processing can continue promptly on the standby data when the main data becomes unavailable.
Main processing units A and B also each perform 2oo2 voting. That is, they exchange their processed data and compare it. If it matches, the main processing module sends the processed data to the first-system and second-system transmission modules, and the main processing module's processed data is periodically synchronised to the standby processing module. If it differs, the main processing module stops working and operation switches to the standby processing module; if the standby processing module has also stopped working, the safety computer system enters the safe state.
The standby processing module includes a standby processing unit A and a standby processing unit B.
Standby processing unit A processes the same main data and stores the standby data, so that processing can continue promptly on the standby data when the main data becomes unavailable.
Standby processing unit B processes the same main data and stores the standby data, so that processing can continue promptly on the standby data when the main data becomes unavailable.
Standby processing units A and B each perform 2oo2 voting. That is, they exchange and compare their processed data; if it matches, the standby processing module periodically synchronises its processed data with the main processing module. If it differs, the standby processing module stops working. Note that the data processed by the standby processing module is not output to any transmission module.
As the above description shows, under normal conditions only the main processing module outputs data and the standby processing module does not. The purpose of this design is that the design of the input, transmission and processing modules already fully guarantees the reliability of the whole safety computer system, so at the output stage the processing output of one system can be omitted (for example, the standby processing module no longer has an output), which reduces the volume of communication data in the whole safety computer system.
In addition, the main and standby processing modules perform inter-system synchronisation in real time, so that when the main processing module fails (for example, when its 2oo2 vote fails), the standby processing module promptly holds the synchronised, freshly safety-processed latest data and takes over as the main processing module for subsequent processing. If the processing modules of both systems fail at the same time, the safety computer system enters the safe state.
The first-system output module 105 includes a first-system output unit A and a first-system output unit B. For digital/analog outputs (for example safety-related signal outputs), both output unit A and output unit B safety-check their validity. Output units A and B exchange the safety-checked data and compare it in their respective units; if it matches, the digital/analog output may be driven through the output actuator devices. If it differs (i.e. the 2oo2 vote fails), the first-system output module stops working. If the second-system output module 108 of the second system 102 also fails its 2oo2 vote, the entire safety computer system enters the safe state.
In one embodiment, the first system samples its outputs and feeds them back into the feedback circuit to judge the correctness of the outputs.
The second-system output module 108 includes a second-system output unit A and a second-system output unit B. For digital/analog outputs (for example safety-related signal outputs), both output unit A and output unit B safety-check their validity. Output units A and B exchange the safety-checked data and compare it in their respective units; if it matches, the digital/analog output may be driven through the actuator devices. If it differs (i.e. the 2oo2 vote fails), the second-system output module stops working. If the first-system output module 105 has also failed at this point, the entire safety computer system enters the safe state.
In one embodiment, the second system samples its outputs and feeds them back into the feedback circuit to judge the correctness of the outputs.
The safety computer system of the present invention is a specially designed two-by-two-out-of-two (2x2oo2) system. It combines high reliability with high safety, and it is also loosely coupled: the input and output modules of the two systems acquire and output independently of each other, with a high degree of mutual independence and no mutual interference. For example, if any one or more of the main system's input, transmission, processing and output modules develops a problem, the system continues to work normally as long as the faults do not affect both modules that acquire or drive the same object.
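The fault handling described above (2oo2 voting inside every input, processing and output module, hot-standby selection of the main input data, main/standby processing switchover, parallel redundant outputs and entry into the safe state) can be exercised cycle by cycle in a small simulation. The following is an added example written for this page, not code from the patent or the applicant; the module names, the fault-injection parameters and the sample application logic (a speed-limit check whose command 1 means "movement permitted") are constructed assumptions.

```python
"""Constructed simulation of the 2x2oo2 fault handling described in the patent.

Added example for this page, not the patent's or the applicant's code.
Lane 1 / lane 2 stand for system I / system II; every module is modelled as
a pair of units (A, B) that compute the same value and cross-compare (2oo2).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

SAFE_STATE = "SAFE_STATE"


@dataclass
class Module2oo2:
    """One input, processing or output module of one lane: units A and B."""
    name: str
    stopped: bool = False  # a failed 2oo2 vote stops the module permanently

    def vote(self, value_a, value_b):
        """Units exchange their values and compare; a mismatch stops the module."""
        if self.stopped:
            return None
        if value_a != value_b:
            self.stopped = True
            return None
        return value_a


def _pair(kind: str) -> Dict[int, Module2oo2]:
    """One module of the given kind per lane (constructed naming)."""
    return {lane: Module2oo2(f"{kind}-{lane}") for lane in (1, 2)}


@dataclass
class SafetyComputer:
    """Two redundant lanes, each built from 2oo2 input, processing and output modules."""
    app_logic: Callable[[int], int]          # stands in for the application software
    max_command: int = 1                     # validity check applied by the output modules
    inputs: Dict[int, Module2oo2] = field(default_factory=lambda: _pair("input"))
    procs: Dict[int, Module2oo2] = field(default_factory=lambda: _pair("proc"))
    outputs: Dict[int, Module2oo2] = field(default_factory=lambda: _pair("output"))
    main_input: int = 1      # lane whose input data is the main data (lane I by default)
    main_proc: int = 1       # lane whose processing module is currently the main one
    safe: bool = False
    events: List[str] = field(default_factory=list)

    def _enter_safe_state(self, reason: str):
        self.safe = True
        self.events.append(f"safe state: {reason}")
        return SAFE_STATE, ()

    def cycle(self, samples, proc_b_error=None, out_b_error=None):
        """One acquisition / processing / output cycle.

        samples: {lane: (sample_A, sample_B)} raw samples of each lane's input units.
        proc_b_error / out_b_error: {lane: delta} added to unit B's result in that
        lane's processing / output module so its 2oo2 comparison fails (constructed
        fault injection, not part of the patent).
        Returns (command, lanes whose output module drove the actuators), or
        (SAFE_STATE, ()) once the system has entered the safe state.
        """
        if self.safe:
            return SAFE_STATE, ()
        proc_b_error = proc_b_error or {}
        out_b_error = out_b_error or {}

        # 1. Input modules: each lane's units A and B cross-compare their samples.
        voted = {lane: self.inputs[lane].vote(*samples[lane]) for lane in (1, 2)}

        # 2. Main-data selection: the two input modules are hot standbys for each
        #    other; when the lane supplying the main data fails, the other lane's
        #    data becomes the main data. Both lanes failed => safe state.
        if voted[self.main_input] is None:
            other = 3 - self.main_input
            if voted[other] is None:
                return self._enter_safe_state("both input modules failed")
            self.events.append(f"main data switched to lane {other}")
            self.main_input = other
        data = voted[self.main_input]

        # 3. Processing: main and standby modules process the same data and each
        #    votes internally; only the main module's result is output. A failed
        #    main module hands over to the standby, which becomes the main module.
        results = {}
        for lane in (1, 2):
            result = self.app_logic(data)
            results[lane] = self.procs[lane].vote(result, result + proc_b_error.get(lane, 0))
        if results[self.main_proc] is None:
            standby = 3 - self.main_proc
            if results[standby] is None:
                return self._enter_safe_state("both processing modules failed")
            self.events.append(f"processing switched to lane {standby}")
            self.main_proc = standby
        command = results[self.main_proc]

        # 4. Output: both output modules check the command's validity, vote, and
        #    drive the actuators in parallel; one surviving module is enough.
        driving = []
        for lane in (1, 2):
            valid = 0 <= command <= self.max_command
            voted_out = self.outputs[lane].vote(command, command + out_b_error.get(lane, 0))
            if valid and voted_out is not None:
                driving.append(lane)
        if all(m.stopped for m in self.outputs.values()):
            return self._enter_safe_state("both output modules failed")
        return command, tuple(driving)
```

Each injected fault degrades one lane permanently, so a run of `cycle` calls shows the order in which redundancy is consumed before the system finally enters the safe state.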
The terms and expressions used here are for description only, and the invention is not limited to them. The use of these terms and expressions is not intended to exclude any equivalents of the features shown and described (or parts thereof), and it should be recognised that various possible modifications also fall within the scope of the claims. Other modifications, variations and substitutions may also exist. Accordingly, the claims should be construed as covering all such equivalents.
Likewise, it should be pointed out that although the present invention has been described with reference to the current specific embodiments, those of ordinary skill in the art will recognise that the above embodiments serve only to illustrate the invention, and that various equivalent changes or substitutions can be made without departing from the spirit of the invention. Therefore, any change or variation of the above embodiments within the true spirit of the invention falls within the scope of the claims of this application.

Claims (13)

  1. A safety computer system for train control, characterised in that the safety computer system comprises a first system and a second system, the first system and the second system being mutually redundant, wherein:
    the first system comprises a first-system input module, a first-system transmission module, a first-system processing module and a first-system output module; the second system comprises a second-system input module, a second-system transmission module, a second-system processing module and a second-system output module; one of the first-system processing module and the second-system processing module is the main processing module and the other is the standby processing module;
    the first-system input module and the second-system input module are each configured to acquire external signals to obtain input data and to perform two-out-of-two voting on the input data; when the two-out-of-two vote passes, each input module sends the input data through its corresponding transmission module to the main processing module and the standby processing module; when the two-out-of-two vote fails, it stops working;
    the main processing module and the standby processing module are each configured to process the input data from the same transmission module and to perform two-out-of-two voting; when the two-out-of-two vote of the main processing module fails, the main processing module stops working and operation switches to the standby processing module whose two-out-of-two vote has passed for subsequent processing, the standby processing module then becoming the main processing module;
    the first-system output module and the second-system output module are each configured to verify the validity of the data processed by the main processing module and to perform two-out-of-two voting, and to stop working when the two-out-of-two vote fails.
  2. The safety computer system according to claim 1, characterized in that the first-system input module comprises a first-system input unit A and a first-system input unit B;
    the first-system input unit A is configured to acquire the external signals and obtain the acquired digital and analog inputs;
    the first-system input unit B is configured to acquire the same external signals and obtain the acquired digital and analog inputs;
    the first-system input unit A and the first-system input unit B are each further configured to exchange and compare the digital and analog inputs acquired by the two units; if they are identical, the first-system input module sends the acquired digital and analog inputs to the first-system transmission module; if they differ, the first-system input module stops working, and if the second-system input module has also stopped working, the safety computer system enters a safe state.
  3. The safety computer system according to claim 1, characterized in that the second-system input module comprises a second-system input unit A and a second-system input unit B;
    the second-system input unit A is configured to acquire the external signals and obtain the acquired digital and analog inputs;
    the second-system input unit B is configured to acquire the same external signals and obtain the acquired digital and analog inputs;
    the second-system input unit A and the second-system input unit B are each further configured to exchange and compare the digital and analog inputs acquired by the two units; if they are identical, the second-system input module sends the acquired digital and analog inputs to the second-system transmission module; if they differ, the second-system input module stops working, and if the first-system input module has also stopped working, the safety computer system enters a safe state.
  4. The safety computer system according to claim 2, characterized in that the first-system transmission module is configured to aggregate the digital and analog inputs with communication inputs and to transmit them directly or indirectly to the main processing module and the standby processing module; the first-system transmission module is further configured to split the data processed by the main processing module into digital and analog outputs and communication outputs and to transmit them directly or indirectly to the first-system output module.
  5. The safety computer system according to claim 3, characterized in that the second-system transmission module is configured to aggregate the digital and analog inputs with communication inputs and to transmit them directly or indirectly to the main processing module and the standby processing module; the second-system transmission module is further configured to split the data processed by the main processing module into digital and analog outputs and communication outputs and to transmit them directly or indirectly to the second-system output module.
  6. The safety computer system according to claim 1, characterized in that:
    the main processing module is configured to select, as required, the data transmitted by either one of the first-system transmission module and the second-system transmission module as the main data for processing, and to keep the data transmitted by the other transmission module as backup data so that, when the main data becomes unavailable, processing can promptly continue with the backup data; the main processing module outputs the processed data simultaneously to the first-system transmission module and the second-system transmission module;
    the standby processing module is configured to process the same main data as the main processing module and to keep the data transmitted by the other transmission module as backup data so that, when the main data becomes unavailable, processing can promptly continue with the backup data; the standby processing module does not output the processed data to any transmission module.
  7. The safety computer system according to claim 6, characterized in that the main processing module comprises a main processing unit A and a main processing unit B;
    the main processing unit A is configured to process the main data and to store the backup data so that, when the main data becomes unavailable, processing can promptly continue with the backup data;
    the main processing unit B is configured to process the main data and to store the backup data so that, when the main data becomes unavailable, processing can promptly continue with the backup data;
    the main processing unit A and the main processing unit B each exchange and compare the data processed by the two units; if they are identical, the main processing module sends the processed data to the first-system transmission module and the second-system transmission module, and the data processed by the main processing module is periodically synchronized with the standby processing module; if they differ, the main processing module stops working and operation is switched to the standby processing module, and if the standby processing module has also stopped working, the safety computer system enters a safe state.
  8. The safety computer system according to claim 6, characterized in that the standby processing module comprises a standby processing unit A and a standby processing unit B;
    the standby processing unit A is configured to process the main data and to store the backup data so that, when the main data becomes unavailable, processing can promptly continue with the backup data;
    the standby processing unit B is configured to process the main data and to store the backup data so that, when the main data becomes unavailable, processing can promptly continue with the backup data;
    the data processed by the standby processing module is not output to any transmission module; the standby processing unit A and the standby processing unit B exchange and compare the data processed by the two units; if they are identical, the standby processing module periodically synchronizes the processed data with the main processing module; if they differ, the standby processing module stops working.
  9. The safety computer system according to claim 6, characterized in that the first-system output module comprises a first-system output unit A and a first-system output unit B;
    the first-system output unit A is configured to verify the validity of the digital and analog outputs coming from the main processing module;
    the first-system output unit B is configured to verify the validity of the same digital and analog outputs;
    the first-system output unit A and the first-system output unit B exchange and compare the data verified by the two units; if they are identical, the verified data is output to the first-system output execution device; if they differ, the first-system output module stops working, and if the second-system output module has also stopped working, the safety computer system enters a safe state.
  10. The safety computer system according to claim 7, characterized in that the second-system output module comprises a second-system output unit A and a second-system output unit B;
    the second-system output unit A is configured to verify the validity of the digital and analog outputs coming from the main processing module;
    the second-system output unit B is configured to verify the validity of the same digital and analog outputs;
    the second-system output unit A and the second-system output unit B exchange and compare the data verified by the two units; if they are identical, the verified data is output to the second-system output execution device; if they differ, the second-system output module stops working, and if the first-system output module has also stopped working, the safety computer system enters a safe state.
  11. The safety computer system according to claim 4 or 5, characterized in that the first-system transmission unit and the second-system transmission unit transmit data through an Ethernet switch or transmit data directly over a FlexRay bus.
  12. The safety computer system according to claim 1, characterized in that the first-system input module, the first-system transmission module, the first-system processing module, the first-system output module, the second-system input module, the second-system transmission module, the second-system processing module and the second-system output module take the form of plug-in cards.
  13. The safety computer system according to claim 8, characterized in that the main data being unavailable means that one or more of the input module and the transmission module of the system to which the main data corresponds have stopped working.
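To make the fail-stop and main/standby switching behaviour of claims 1 to 13 concrete, the following is an added cycle-level simulation written for this page; it is not code from the patent or from the applicant. The module names (in1, proc1, out1 and so on), the sample record layout, the control law, the output validity check and the fault-injection hooks are all assumptions chosen to mirror the claims. Each Module2oo2 stands for one module whose units A and B compute the same result, exchange it and compare it, stopping permanently on a mismatch; the transmission module is reduced to the frame that aggregates the digital/analog input with a communication input, and the output-splitting step of claims 4 and 5 is omitted. A cycle returns the commands that reach each system's output execution device, or SAFE_STATE when both redundant modules of one stage have stopped.

```python
"""Added example: simulation of a double two-out-of-two (2oo2) safety computer.
Not the patent's or applicant's code; all names and data layouts are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SAFE_STATE = "SAFE_STATE"
Sample = Dict[str, float]        # constructed digital/analog input record
Faults = Dict[str, Callable]     # "module.unit" -> function that corrupts that unit's result


@dataclass
class Module2oo2:
    """Units A and B compute the same result; the module exchanges and compares them.
    A mismatch stops the module permanently (fail-stop), as the claims require."""
    name: str
    stopped: bool = False

    def run(self, unit_fn: Callable[[], object], faults: Faults):
        if self.stopped:
            return None
        results = []
        for unit in ("A", "B"):
            r = unit_fn()
            corrupt = faults.get(f"{self.name}.{unit}")   # injected fault in this unit only
            results.append(corrupt(r) if corrupt else r)
        if results[0] != results[1]:                      # 2oo2 vote failed
            self.stopped = True
            return None
        return results[0]


def control_law(sample: Sample) -> Dict[str, int]:
    """Constructed application logic: demand the brake when speed exceeds the limit."""
    return {"brake": int(sample["speed"] > sample["limit"]), "seq": int(sample["seq"])}


def validate_output(cmd: Dict[str, int]) -> Tuple[str, Optional[Dict[str, int]]]:
    """Output-module validity check: only a well-formed command may reach the actuator."""
    ok = cmd.get("brake") in (0, 1) and cmd.get("seq", -1) >= 0
    return ("ok", cmd) if ok else ("reject", None)


class SafetyComputer:
    """Two mutually redundant systems (channels 1 and 2), each with input,
    transmission, processing and output modules; one processing module is main."""

    def __init__(self):
        self.inp = [Module2oo2("in1"), Module2oo2("in2")]
        self.proc = [Module2oo2("proc1"), Module2oo2("proc2")]
        self.out = [Module2oo2("out1"), Module2oo2("out2")]
        self.main = 0          # index of the channel whose processing module is main

    def cycle(self, external: Sample, faults: Optional[Faults] = None):
        faults = faults or {}
        # 1. Input modules sample the external signal and vote; their transmission module
        #    aggregates the digital/analog input with a (constructed) communication input.
        frames = []
        for i, mod in enumerate(self.inp):
            data = mod.run(lambda: dict(external), faults)
            frames.append(None if data is None else {"io": data, "comm": {"channel": i + 1}})
        if all(f is None for f in frames):
            return SAFE_STATE      # both input modules stopped (claims 2 and 3)

        # 2. The main processing module prefers its own channel's frame as main data; the
        #    other frame is backup data used when the main data is unavailable (claims 6, 13).
        main_data = frames[self.main] if frames[self.main] is not None else frames[1 - self.main]
        result = self.proc[self.main].run(lambda: control_law(main_data["io"]), faults)
        if result is None:         # main module failed its vote: switch to standby (claim 7)
            self.main = 1 - self.main
            result = self.proc[self.main].run(lambda: control_law(main_data["io"]), faults)
            if result is None:
                return SAFE_STATE  # standby has stopped as well
        # The standby module processes the same main data but outputs nothing (claim 8).
        self.proc[1 - self.main].run(lambda: control_law(main_data["io"]), faults)

        # 3. Output modules verify validity, vote, and drive the actuator or stop (claims 9, 10).
        outputs = {}
        for i, mod in enumerate(self.out):
            verdict = mod.run(lambda: validate_output(result), faults)
            if verdict is not None and verdict[0] == "ok":
                outputs[i + 1] = verdict[1]
        return outputs if outputs else SAFE_STATE
```

Running a cycle with a single corrupted unit (for example `{"proc1.B": lambda c: {**c, "brake": 0}}`) shows the property the claims rely on: the affected module stops, the other channel carries on and both output execution devices still receive the braking command. A second fault in the redundant module of the same stage, or in both output modules, yields SAFE_STATE, and because `stopped` is never cleared a module that failed once stays out of service in later cycles rather than rejoining with possibly faulty state.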
PCT/CN2016/103931 2015-12-21 2016-10-31 Safety computer system for use in train control WO2017107665A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510961136.3 2015-12-21
CN201510961136.3A CN105388890A (en) 2015-12-21 2015-12-21 Safety computer system for train control

Publications (1)

Publication Number Publication Date
WO2017107665A1 true WO2017107665A1 (en) 2017-06-29

Family

ID=55421264

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/103931 WO2017107665A1 (en) 2015-12-21 2016-10-31 Safety computer system for use in train control

Country Status (2)

Country Link
CN (1) CN105388890A (en)
WO (1) WO2017107665A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107942820A (en) * 2017-12-19 2018-04-20 卡斯柯信号有限公司 The analog quantity redundant output device and method of a kind of high reliability
CN111874049A (en) * 2020-08-06 2020-11-03 北京交大思诺科技股份有限公司 Brake control system for safety computer of train control

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105388890A (en) * 2015-12-21 2016-03-09 株洲南车时代电气股份有限公司 Safety computer system for train control
CN108243023B (en) * 2016-12-23 2021-01-19 比亚迪股份有限公司 Computer platform based on rail transit
CN108008366B (en) * 2017-12-01 2020-08-04 北京润科通用技术有限公司 Radar target echo simulation method and system
CN108241359B (en) * 2017-12-15 2021-06-01 中国航空工业集团公司西安飞行自动控制研究所 Safety fault output method based on safebus bus
CN110095975A (en) * 2018-01-31 2019-08-06 株洲中车时代电气股份有限公司 A kind of redundancy control system
CN110406563A (en) * 2018-04-27 2019-11-05 比亚迪股份有限公司 Computer interlock system and its method for handover control, equipment, storage medium
CN110412862B (en) * 2018-04-27 2022-01-07 比亚迪股份有限公司 Computer interlocking system and switching control method, equipment and storage medium thereof
CN108829015A (en) * 2018-07-27 2018-11-16 卡斯柯信号有限公司 A kind of the universal input output safety platform and method in railway signal field
CN109677468A (en) * 2019-03-04 2019-04-26 中车青岛四方车辆研究所有限公司 Train logic control element and logic control method
CN110351174B (en) * 2019-07-19 2021-11-12 北京交大思诺科技股份有限公司 Module redundancy safety computer platform
CN110554978B (en) * 2019-08-30 2022-02-15 北京交大思诺科技股份有限公司 Safety computer platform realized by universal I/O module
CN110758489A (en) * 2019-11-13 2020-02-07 通号城市轨道交通技术有限公司 Automatic protection system of train
CN112395236A (en) * 2020-11-13 2021-02-23 中车株洲电力机车有限公司 Distributed vehicle-mounted safety computer system
CN114348057B (en) * 2021-12-14 2024-03-19 青岛海信微联信号有限公司 Main and standby decision control equipment and system and rail traffic control area controller

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101700783A (en) * 2009-11-11 2010-05-05 北京全路通信信号研究设计院 Train control center system platform
CN201941780U (en) * 2010-11-29 2011-08-24 北京交大微联科技有限公司 Automatic train protection (ATP) vehicle-mounted double 2-vote-2 system based on TMS570
CN103678031A (en) * 2012-09-10 2014-03-26 西门子信号有限公司 Double 2-vote-2 redundant system and method
CN103713959A (en) * 2013-12-31 2014-04-09 北京和利时系统工程有限公司 Task synchronization method
US20150007000A1 (en) * 2013-07-01 2015-01-01 Lisa Fredrickson Additional Error Correction Apparatus and Method
CN105388890A (en) * 2015-12-21 2016-03-09 株洲南车时代电气股份有限公司 Safety computer system for train control

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5086499A (en) * 1989-05-23 1992-02-04 Aeg Westinghouse Transportation Systems, Inc. Computer network for real time control with automatic fault identification and by-pass
CN201293929Y (en) * 2008-11-13 2009-08-19 南京恩瑞特实业有限公司 Universal safety type input-output controller for subway
US7877627B1 (en) * 2008-12-18 2011-01-25 Supercon, L.L.C. Multiple redundant computer system combining fault diagnostics and majority voting with dissimilar redundancy technology
CN102103532B (en) * 2011-01-26 2013-08-14 中国铁道科学研究院通信信号研究所 Safety redundancy computer system of train control vehicle-mounted equipment
CN105159863A (en) * 2015-09-09 2015-12-16 株洲南车时代电气股份有限公司 Secure computer platform used for rail transit

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107942820A (en) * 2017-12-19 2018-04-20 卡斯柯信号有限公司 The analog quantity redundant output device and method of a kind of high reliability
CN107942820B (en) * 2017-12-19 2024-03-29 卡斯柯信号有限公司 High-reliability analog quantity redundant output device and method
CN111874049A (en) * 2020-08-06 2020-11-03 北京交大思诺科技股份有限公司 Brake control system for safety computer of train control

Also Published As

Publication number Publication date
CN105388890A (en) 2016-03-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16877476

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16877476

Country of ref document: EP

Kind code of ref document: A1