Abstract: Safe operation and scheduling of railway traffic is the foundation of railway transport. Signalling staff ensure the safety of train operation by analysing the interlocking relationships among turnouts, signals and track circuits. This paper describes the structure and principle of a computer based railway station interlocking system with a double 2-out-of-2 architecture, focusing on the computation of its safety and reliability through factors such as fault detection coverage. Taking the station computer based interlocking system as the object of analysis, the paper describes its three parts: the application logic layer, the safety logic layer and the I/O layer. The designed system is then used for a simulation analysis of safety and reliability. The simulation shows that interlocking systems with different redundant structures differ in reliability and safety, and that, in terms of safety, the system based on double 2-out-of-2 has a clear advantage.
Keywords: computer based interlocking system based on double 2-out-of-2; fault coverage; redundant structure; safety.
(ProQuest: ... denotes formulae omitted.)
1. Introduction
The interlocking between signals and turnouts at Chinese railway stations has gone through three phases: mechanical interlocking, then electrical (relay) interlocking, and finally computer control with relay execution. With the development of dedicated industrial control computers, a new redundancy technique, the interlocking system based on double 2-out-of-2, has found the opportunity to spread within computer based interlocking. It brings new design ideas and methods to hardware structure, fail-safe behaviour and network communication (Akita K, Watanabe T, Nakamura H, et al., 1985; Bernardeschi C, Fantechi A, Gnesi S, et al., 1998; Bondavalli A, Nelli M, Simoncini L, et al., 2001), and its scalability lets it serve station yards of different sizes and traffic volumes in China. A computer based interlocking system mainly aims to give locomotive drivers real-time, accurate and safe signals by computing the complex interlocking relationships among turnouts, signals and track circuits (Borälv A., 1998), and it must reflect every monitored state accurately and in real time. The Ministry of Railways therefore demands high standards of timeliness, reliability and safety (Chandra V, Verma M R., 1991). Because the interlocking system directly affects the operating safety of trains and these factors are fundamental when a system is selected (Chen G, Fan D, Wei Z, et al., 2010), it is important to analyse and compare the safety and reliability of interlocking systems with different redundant structures. Research on computer based interlocking has been going on for years in China and abroad; China began to adopt computer based interlocking on trunk railways in 1993.
After 1997 the main interlocking structure was dual-machine hot standby, as in the TYJL-II computer based interlocking system designed by the China Academy of Railway Sciences, the DS6-11 system designed by the General Design Institute, the JD-IA system designed by Beijing Jiaotong University and the Weilian Company, and the VPI interlocking system designed by CASCO (Chen X, He Y, Huang H., 2011; Cimatti A, Giunchiglia F, Mongardi G, et al., 1998). Other systems were built on Programmable Logic Controllers (PLCs). Developed countries such as the United States, Japan, Germany and France began to study fully electronic computer based interlocking in the 1990s, and other countries followed, which made the system structure more open and the systems smaller and smarter. Systems such as EBILOCK 50 by ABB, SSI (Solid State Interlocking) from the UK and SIMIS by Siemens, Germany have already replaced the relays driving signals and point machines with solid-state devices. These devices are mostly installed next to the track (Hansen K M, Ravn A P, Stavridou V., 1998), which reduces trunk signal cabling and therefore cost. The track circuit controller by Ansaldo, Italy, is a good example of a fully electronic device.
2. Analysis of the Railway Station Interlocking System Based on Double 2-out-of-2
2.1. Railway Station Interlocking System Based on Double 2-out-of-2
The railway station interlocking system based on double 2-out-of-2 has relatively high reliability and safety (Mira-Giménez, M. J., 2015), and its overall performance is better than that of interlocking systems with a hot-standby structure or a triple modular redundancy (2-out-of-3) structure (Haxthausen A E, Peleska J., 2000).
Its principle is similar to that of the 2-out-of-3 system, but the double 2-out-of-2 interlocking system has better reliability and safety (Ning B, Tang T, Gao Z, et al., 2006). As shown in Figure 1, the general structure of a 2-out-of-2 computer based interlocking system is divided into three layers: the monitoring layer, the interlocking logic operation layer and the device interface layer.
The design of the interlocking system centres on the interlocking logic operation layer. Besides performing the interlocking logic computation, this layer must above all guarantee the safety of the system; on that basis, reliability and maintainability are considered in order to achieve availability. At present (Pataricza A, Majzik I, Huszerl G, et al., 2003) systems are divided into centralised and distributed structures, and a double 2-out-of-2 interlocking system contains two subsystems: the main interlocking system and the standby interlocking system.
2.2. Operating Principle
The operator sends commands to the monitoring layer, which displays the state of the station yard graphically. There are two interlocking units (main and standby), each containing two CPU units. The functions of the interlocking machine are:
1. The two CPU units perform the interlocking operation independently.
2. The results of the two CPU units are sent over an information channel to a 2-out-of-2 voter, and a valid drive is produced only when the two results are identical. This structure supports the safety of the system's information.
3. The two units (main and standby) exchange information. When the main voter finds that the results differ, the system switches to the standby interlocking unit.
4. When the standby voter finds that the results differ, the system shuts down, a fail-safe state in which no valid drive is produced.
At present most foreign double 2-out-of-2 and 2-out-of-3 systems use the same hardware, and even the same operating system, for every channel, because this makes synchronisation and comparison easy. If different hardware, or even different operating systems, were used, the diversity between the two CPUs would increase greatly; and if the programs with the same purpose were developed by two completely separate teams of programmers (Roanes-Lozano E, Hernando A, Alonso J A, et al., 2011), the probability of a safety problem caused by common-mode failure would fall greatly. Finding a way to run two different algorithms on the double 2-out-of-2 platform is therefore the key to further increasing the safety of the double 2-out-of-2 system.
2.3. Reliability and Safety Analysis of the Double 2-out-of-2 System
In a 2-out-of-2 subsystem, the failure of a single module invalidates that subsystem; the system switches to the standby subsystem and continues to work, while the failed subsystem produces no output. The states can therefore be simplified and related states merged as shown in Figure 2; each state is explained in Table 1.
Table 1 - T System State
Among these states, the transition from state 3 to state 4 is the key to the safety of the double 2-out-of-2 interlocking system: it represents an undetected fault in a module of the standby subsystem and determines whether the system stays in the safe fault-free state. From the state transition diagram of the 2×2-out-of-2 redundant structure in Figure 2 we obtain:
1. The system reliability is
...(1)
2. The system safety is
...(2)
From the reliability and safety of the above model and calculation we can analyse further. The reliability and safety expressions of all the structures give:
3. When t → 0:
...(3)
the system is both reliable and safe.
4. When t → ∞, the safety is
...(4)
This shows that when the system is completely unreliable, its safety is still determined by the fault detection coverage. Although safety S(t) and reliability R(t) are related, if the fault detection coverage C is high enough, high safety is still guaranteed even when the system is unreliable.
The fault detection coverage expresses the fault diagnosis ability of the system, and from the analysis above its value directly influences the system design. For maintainability, the closer the coverage is to 1, the sooner the system can diagnose a fault and handle it properly, make effective use of its redundant parts, reorganise and reconfigure itself, and so improve its reliability. But higher coverage necessarily requires many more hardware detection modules, which increases system complexity, raising development cost and bringing new problems of its own; moreover, current fault detection techniques achieve high coverage for single faults but lower coverage for double or multiple faults. Since the probability of multiple faults is low, the fault that mainly affects system safety is the double fault.
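Equations (1) to (4) are omitted from the page, so the following is an added worked example rather than the paper's model: a small continuous-time Markov chain for a double 2-out-of-2 core, solved numerically with fixed-step RK4 and cross-checked against a hand-derived closed form. The chain, the per-module failure rate λ and the coverage C are assumptions of this example, chosen so that the structure follows Section 2.2: a module fault in the operating pair is caught by the comparator with probability C (switch to standby, later safe shutdown) and goes undetected with probability 1−C (hazardous output). Under these assumptions the model reproduces the qualitative claim above: R(t) → 0 as t → ∞ while S(t) → C², a value fixed by the coverage alone.

```python
"""Reliability R(t) and safety S(t) of a double 2-out-of-2 core.

Added example with a hypothetical 4-state continuous-time Markov chain
(not the paper's equations (1)-(4), which are not reproduced here).

  state 0  main 2oo2 pair operating, standby pair healthy
  state 1  main pair failed and detected; standby pair operating
  state 2  standby pair failed and detected: safe shutdown (absorbing)
  state 3  undetected fault in the operating pair: hazard (absorbing)

Assumed parameters: lam = failure rate of one CPU module (per hour),
C = fault detection coverage of the 2-out-of-2 comparator.
"""
import math
from typing import List, Tuple

Matrix = List[List[float]]


def generator(lam: float, C: float) -> Matrix:
    """Rate matrix Q of the chain; each row sums to zero."""
    out = 2.0 * lam                            # two modules in the operating pair
    detected, undetected = out * C, out * (1.0 - C)
    Q = [[0.0] * 4 for _ in range(4)]
    Q[0][1], Q[0][3] = detected, undetected    # main pair: switch or hazard
    Q[1][2], Q[1][3] = detected, undetected    # standby pair: shutdown or hazard
    for i in range(4):
        Q[i][i] = -sum(Q[i][j] for j in range(4) if j != i)
    return Q


def transient(Q: Matrix, t: float, steps: int = 2000) -> List[float]:
    """State probabilities at time t from p(0) = e_0, via classical RK4
    on the Kolmogorov forward equation dp/dt = p Q."""
    n = len(Q)
    p = [1.0] + [0.0] * (n - 1)
    h = t / steps

    def f(v: List[float]) -> List[float]:
        return [sum(v[i] * Q[i][j] for i in range(n)) for j in range(n)]

    for _ in range(steps):
        k1 = f(p)
        k2 = f([p[i] + 0.5 * h * k1[i] for i in range(n)])
        k3 = f([p[i] + 0.5 * h * k2[i] for i in range(n)])
        k4 = f([p[i] + h * k3[i] for i in range(n)])
        p = [p[i] + h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i])
             for i in range(n)]
    return p


def reliability(t: float, lam: float, C: float) -> float:
    """R(t): probability the system is still delivering outputs (states 0, 1)."""
    p = transient(generator(lam, C), t)
    return p[0] + p[1]


def safety(t: float, lam: float, C: float) -> float:
    """S(t): probability that no hazardous output has occurred (not in state 3)."""
    p = transient(generator(lam, C), t)
    return 1.0 - p[3]


def closed_form(t: float, lam: float, C: float) -> Tuple[float, float]:
    """Hand-solved (R, S) for the same chain, used to check the integrator.
    As t -> inf: R -> 0 and S -> 1 - (1-C) - C(1-C) = C**2."""
    e = math.exp(-2.0 * lam * t)
    R = e * (1.0 + 2.0 * lam * C * t)
    p3 = (1.0 - C) * (1.0 - e) + C * (1.0 - C) * (1.0 - e * (1.0 + 2.0 * lam * t))
    return R, 1.0 - p3


if __name__ == "__main__":
    lam, C = 1e-5, 0.99                        # constructed values for illustration
    for t in (1e3, 1e4, 1e5, 1e7):
        print(f"t={t:9.0f} h  R={reliability(t, lam, C):.6f}  "
              f"S={safety(t, lam, C):.6f}  C^2={C * C:.4f}")
```

The closed form exists only to validate the integrator; the integrator is the part that carries over to richer chains (standby-pair failures while idle, a repair transition, a second coverage figure for double faults as discussed above), where a hand solution stops being practical.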
3. Research on the Railway Station Computer Interlocking Control System
3.1. Design Principle of the Double 2-out-of-2 Computer Interlocking System
The reliability of a railway station computer interlocking control system is the measure of its ability to complete the specified function within a specified time under specified conditions; its safety is the measure of its ability not to produce a dangerous-side output when a failure occurs. The two are closely related: the higher the reliability, the smaller the probability of failure and hence the probability that a failure leads to a hazard, which means higher safety. In general, reliability is described by two indicators, the reliability R(t) and the mean time between failures (MTBF), and safety by the safety S(t). Reliability is the probability that the system performs its functions normally within the specified time under the specified conditions; MTBF is the average time between two successive failures within the specified time under the specified conditions; safety is the probability that no dangerous-side output occurs when a failure occurs within the specified time under the specified conditions. If α denotes the probability that a system failure results in a dangerous-side output, the relation between system reliability and safety can be defined as:
...(5)
The reliability of the system directly influences its safety, so the two must be combined: the safety of the railway station computer interlocking control system is analysed on the basis of its reliability analysis.
3.2. Design and Implementation of the Double 2-out-of-2 Computer Interlocking System
As shown in Figure 3, a 2-out-of-2 system consists of three computing devices. A and B independently perform the same logical operation, which is the safety-related application logic; the detailed logic is specified by the customer. C is in charge of the I/O of the whole system: it periodically checks the computation (or output) results of A and B against each other according to fixed rules and the requirements of the application logic, and decides on that basis whether control signals are output. To external systems the whole system appears as the single device C. Internal communication among A, B and C runs over independent digital channels.
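The four numbered steps of Section 2.2 and the A/B/C arrangement above describe one arbitration procedure; the following Python model, added here and not taken from the paper or from any interlocking product, puts it in executable form. The output format (a hypothetical mapping from signal identifiers to aspects), the restrictive fallback aspect and the switch-over within a single cycle are assumptions of the example.

```python
"""Double 2-out-of-2 arbitration: main and standby pairs, each with CPUs A and B
and a comparator C that drives the field only when A and B agree.
Added example; the Output format and the restrictive fallback are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Hypothetical output format: signal id -> aspect the interlocking wants shown.
Output = Dict[str, str]
RESTRICTIVE = "red"   # assumed fail-safe aspect when no valid drive exists


class Mode(Enum):
    MAIN = "main"          # main unit's voter drives the outputs
    STANDBY = "standby"    # main voter once disagreed; standby drives
    SHUTDOWN = "shutdown"  # both voters disagreed; no drive at all


def vote_2oo2(a: Output, b: Output) -> Optional[Output]:
    """Comparator C: the common result if A and B agree, else None."""
    return a if a == b else None


@dataclass
class DoubleTwoOutOfTwo:
    mode: Mode = Mode.MAIN
    events: List[str] = field(default_factory=list)

    def cycle(self, main_a: Output, main_b: Output,
              standby_a: Output, standby_b: Output) -> Output:
        """One interlocking cycle. Takes the results of the four CPUs and
        returns the outputs actually driven to the field."""
        if self.mode is Mode.MAIN:
            agreed = vote_2oo2(main_a, main_b)
            if agreed is not None:
                return agreed
            self.events.append("main voter mismatch: switch to standby")
            self.mode = Mode.STANDBY          # step 3 of Section 2.2
        if self.mode is Mode.STANDBY:
            agreed = vote_2oo2(standby_a, standby_b)
            if agreed is not None:
                return agreed
            self.events.append("standby voter mismatch: shutdown")
            self.mode = Mode.SHUTDOWN         # step 4 of Section 2.2
        # No subsystem may drive: every signal falls back to the restrictive aspect.
        return {signal: RESTRICTIVE for signal in main_a}


if __name__ == "__main__":
    # Constructed results: one CPU computes a wrong (permissive) aspect for S2.
    good = {"S1": "green", "S2": "red"}
    wrong = {"S1": "green", "S2": "green"}
    core = DoubleTwoOutOfTwo()
    print(core.cycle(good, good, good, good), core.mode)    # main drives
    print(core.cycle(good, wrong, good, good), core.mode)   # switched to standby
    print(core.cycle(good, good, wrong, good), core.mode)   # shutdown, all red
    print(core.events)
```

Note that the switch-over does not depend on whether the disagreement was dangerous: any mismatch, including one caused by a benign fault, retires the main pair, which is the availability cost the structure pays for its safety. A real system must also synchronise inputs and cycle counters between the pairs (the information exchange of step 3) so that the standby pair's result is comparable in the same cycle.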
From the requirements analysis and the system workflow, we propose that a 2-out-of-2 interlocking system built on general-purpose computers consists of three parts: the application logic layer, the safety logic layer and the device I/O layer.
Application logic layer. It consists of the application logic with which users process business data and depends on the specific application. To process business data reliably, the application logic layer obtains the corresponding services from the safety logic layer. The system makes no assumption about the application logic; it only defines the services and interfaces that the safety logic layer provides to the application logic layer. The application logic layer is divided into client-side application logic (A, B) and server-side application logic (C). The client-side application program is written and implemented by the users; here we only provide the interfaces for invoking the safety logic layer, and users obtain the related services by calling the corresponding interface functions. The server-side application logic interface is similar to the client-side one, and the system runs automatically: the server repeatedly waits for and receives client requests, performs the corresponding operation according to the request type and returns the result to the client.
Safety logic layer. As the core of the project, it provides services to the application logic layer above and communicates with the outside through I/O devices below. The safety logic layer contains the safety strategy, an interlocking data comparison strategy, with which it determines whether the current operation of the system is safe; control signals are output on that basis, so that guidance remains safe.
The application logic runs simultaneously on A and B, two identical parts. Because the safety logic layer must provide services to the application logic layer, service points must be placed on both A and B. The safety logic layer mainly handles the communication between client side and server side after the application logic layer has invoked the interfaces, and the processing after the server receives the corresponding client request. The composition of the safety logic layer is shown in Figure 4:
1. Data transmission
The safety logic layer links client sides A and B with server side C, so data must be transmitted among these parts and the reliability of that transmission must be guaranteed. Data transmission services are vertical in the network, while the network protocol is set horizontally at the same network level. In terms of the hierarchy and structure of the network protocol, the system involves the application layer and the transport layer and is divided into an upper part, data transmission at the application layer, and a lower part, data transmission at the transport layer; the lower part provides services to the upper part.
2. System time
One feature of the computer based interlocking system is its real-time nature: client sides A and B are expected to do the same work in the same clock cycle, driven by the clock. In earlier computer based interlocking systems the clock signal was generated by a single relay and, limited by manufacturing level and other factors, its frequency could only meet the design requirements of computer based interlocking, station control centres and other systems with low load and computational burden; it cannot meet the requirements of high-speed railways, which is one reason why the 2-out-of-2 system needs to be developed with task synchronisation.
Device I/O layer. It reads data from the actual I/O devices, passes data from client sides A and B to the I/O devices, or distributes data from the I/O devices to A and B. It mainly reads the local interfaces, packages the data obtained and places them on the input line; when the application logic makes a read request it asks the I/O device to perform the specific read operation, or sends the data read to A or B; output data are sent to the external devices after safety and logic processing.
4. Simulation Computation Examples
The railway station computer based interlocking control system is directly related to the infrastructure on which safe train operation depends, so whichever system with a given redundant structure is chosen must have good reliability and safety, and its indices and parameters must all meet the corresponding provisions of the interim conditions for computer based interlocking control systems issued by the Ministry of Railways. The parameters chosen, according to those standards, for the simulation computation in the reliability and safety analysis of railway station computer based interlocking control systems with different redundant structures are shown in Table 2.
The simulation computation performed according to the above analysis is shown in Table 3. The results of the simulation agree with the results of the above analysis and comparison.
5. Conclusion
In conclusion, railway station computer based interlocking control systems with different redundant structures differ in reliability and safety. In terms of reliability, the system with a dual-machine hot-standby redundant structure has the best reliability index and mean time between failures among the structures considered. In terms of safety, the systems with 2-out-of-3 and double 2-out-of-2 structures have the clear advantage. Systems with different redundant structures therefore emphasise different aspects. The conclusions of this comparative analysis of the reliability and safety of railway station computer based interlocking control systems with different redundant structures provide technical support for system selection, but in choosing a specific model the system's particular reliability and safety requirements must be considered together, and the specific situation must be calculated, analysed and compared according to the different emphases so as to make the most reasonable choice.
References
Akita K, Watanabe T, Nakamura H, et al. (1985). Computerized interlocking system for railway signaling control: SMILE. IEEE Transactions on Industry Applications, (3), 826-834.
Bernardeschi C, Fantechi A, Gnesi S, et al. (1998). A formal verification environment for railway signaling system design. Formal Methods in System Design, 12(2), 139-161.
Bondavalli A, Nelli M, Simoncini L, et al. (2001). Hierarchical modelling of complex control systems: dependability analysis of a railway interlocking. Computer Systems Science and Engineering, 16(4), 249-261.
Borälv A. (1998). Case study: formal verification of a computerized railway interlocking. Formal Aspects of Computing, 10(4), 338-360.
Chandra V, Verma M R. (1991). A fail-safe interlocking system for railways. IEEE Design & Test of Computers, 8(1), 58-66.
Chen G, Fan D, Wei Z, et al. (2010). All electronic computer interlocking system based on double 2-vote-2. Zhongguo Tiedao Kexue, 31(4), 138-144.
Chen X, He Y, Huang H. (2011). An approach to automatic development of interlocking logic based on statechart. Enterprise Information Systems, 5(3), 273-286.
Cimatti A, Giunchiglia F, Mongardi G, et al. (1998). Formal verification of a railway interlocking system using model checking. Formal Aspects of Computing, 10(4), 361-380.
Hansen K M, Ravn A P, Stavridou V. (1998). From safety analysis to software requirements. IEEE Transactions on Software Engineering, 24(7), 573-584.
Haxthausen A E, Peleska J. (2000). Formal development and verification of a distributed railway control system. IEEE Transactions on Software Engineering, 26(8), 687-701.
Mira-Giménez, M. J. (2015). Implementación del Portfolio Europeo de las Lenguas Electrónico: estudio de un caso. RISTI - Revista Ibérica de Sistemas e Tecnologias de Informação, 2015(16), 46-59.
Ning B, Tang T, Gao Z, et al. (2006). Intelligent railway systems in China. IEEE Intelligent Systems, 21(5), 80-83.
Pataricza A, Majzik I, Huszerl G, et al. (2003). UML-based design and formal analysis of a safety-critical railway control software module. Safety, 48, 47-52.
Roanes-Lozano E, Hernando A, Alonso J A, et al. (2011). A logic approach to decision taking in a railway interlocking system using Maple. Mathematics and Computers in Simulation, 82(1), 15-28.
Xianfeng Zeng1,*, Wanping Zhu1, Ti Wang2
1 Guangzhou Institute of Railway Technology, 510430, Guangzhou, Guangdong, China
2 Guangdong Pearl River Delta Intercity Rail Transit Co., Ltd., 510635, Guangzhou, Guangdong, China
Copyright Associação Ibérica de Sistemas e Tecnologias de Informacao Dec 2015