Platform door control device and system based on security computer
A safety computer and control device technology, applied in the fields of computing, door/window accessories, power control mechanisms, etc. It addresses errors in logic operations and control signals, erroneous system judgments, and missing safety measures, and achieves the effect of improving safety.
Pending Publication Date: 2022-05-06
TRAFFIC CONTROL TECH CO LTD
AI-Extracted Technical Summary
Problems solved by technology
However, because the design scheme of its application does not adopt a safety computer architecture, the operating logic of its controller lacks safety measures for processing acquired signals and controlling drive signals.
[0004] The input channel of the platform door controller does not adopt a safety redundancy design. When the information on an acquisition channel is wrong due to external factors, the system cannot easily diagnose the fault or tell whether the received information is correct. This may cause the system to make wrong judgments, so that the subsequent logical operations and control signals are also wrong, which will affect the correctness of the control of the doo...
Method used
In the embodiment of the present invention, each module of the system is self-checked against a comprehensive set of inspection items, which ensures the reliability of the system to the greatest extent and in turn guarantees the safety, usability and reliability of the gate control system.
The platform door control device based on the safety computer provided by the embodiment of the present invention adopts a platform door controller based on the two-by-two safety computer and uses redundant safety IO technology to collect input signals and transmit output signals. When any channel is abnormal, the platform door is controlled according to the preset fault-oriented safety logic. In addition, the communication recording board of the safety computer forms a redundant dual-channel communication relationship with the platform door control DCU device through an external interface module, thereby effectively improving the security, reliability and availability of the platform door control system.
[0048] The ...
Abstract
The invention provides a platform door control device and system based on a safety computer. The platform door control device comprises the safety computer and an external interface module, and the safety computer comprises a communication layer, a main control layer and an execution layer. The communication layer exchanges data with the main control layer through an internal redundant Ethernet, and the main control layer and the execution layer communicate through a redundant CAN bus. A platform door controller based on the double two-out-of-two safety computer is adopted, and redundant safety IO technology is used to collect input signals and transmit output signals; when any channel is abnormal, the platform door is controlled according to the preset fault-oriented safety logic. In addition, a communication recording board of the safety computer and the platform door control DCU device form a redundant dual-channel communication relationship through the external interface module, so that the safety, reliability and usability of the platform door control system are effectively improved.
Application Domain
Power-operated mechanism; Platform integrity maintenance
Technology Topic
Embedded system; External interface
Example Embodiment
[0025] In order to make the purpose, technical scheme and advantages of the present invention clearer, the technical scheme of the present invention will be clearly and completely described below with reference to the attached drawings. Obviously, the described embodiments are part of the embodiments of the present invention, but not all of them. Based on the embodiment of the present invention, all other embodiments obtained by ordinary technicians in the field without creative labor are within the scope of the present invention.
[0026] As shown in Figure 1, the embodiment of the invention provides a platform door control device based on a security computer, which comprises a security computer and an external interface module, wherein the security computer comprises a communication layer, a main control layer and an execution layer. The communication layer exchanges data with the main control layer through the internal redundant Ethernet, and the main control layer and the execution layer communicate through a redundant CAN bus.
[0027] The communication layer includes two identical communication recording boards, which communicate with rail transit signal systems (including the ATC red network and blue network) through redundant networks (via a 408A switch), and with external control networks (such as industrial personal computers and maintenance networks) through redundant access points. Each communication recording board is connected to the external interface module through the redundant RS485 bus, and the external interface module is connected to the platform door DCU device through the redundant CAN bus. It should be noted that the external interface module includes two independent interface modules, interface module A and interface module B. Each of the two interface modules is connected to one communication recording board and, at the same time, to the platform door DCU equipment, so as to realize two-channel independent communication between the communication recording boards and the DCU equipment.
[0028] The main control layer comprises two identical motherboards. After the system initialization self-test succeeds, the motherboards determine the master-standby relationship; once that relationship is established and both the intra-system synchronization and the master-standby synchronization have succeeded, the two motherboards perform data operations and output control instructions through the two-by-two logic. The motherboard also executes the fault-oriented safety logic corresponding to a preset abnormal situation when it judges that the abnormal situation has occurred. The fault-oriented safety logic includes: when the abnormal situation is that the door opening command and the door closing command are received at the same time, no control command is output within a preset time.
[0029] The execution layer comprises a safety IO module and a relay board group, wherein the safety IO module is used for establishing an acquisition channel, acquiring the state information of the relay board group and sending the state information to the motherboard; The safety IO module is also used for establishing a driving channel and outputting the control instruction of the main system motherboard to control the relay board group to act; The relay board group is respectively connected with the platform gate DCU equipment, the local control panel and the comprehensive backup panel.
[0030] It should be noted that, in the embodiment of the present invention, the platform door controller (system) receives the opening, closing and external isolation commands of external equipment (the interlocking or vehicle-mounted system), and sends the opening and closing commands to the platform screen door through the hard-wired interface to open and close the platform screen door. Through the communication interface, the platform screen doors named in the contraposition isolation information are shielded, which realizes the contraposition isolation function of the platform door. The platform door controller also collects the closed-and-locked state of the platform screen door and reports it to the interlocking or vehicle-mounted system. The platform door controller can receive the opening and closing commands of the PSL (local control panel) and IBP (integrated backup panel) to control the platform screen door. At the same time, the platform door controller sends maintenance information to the maintenance terminal and the external maintenance network. The platform door controller communicates with the interlocking system or the vehicle through a safety communication network and safety protocol meeting the requirements of EN50159.
[0031] The platform door control device based on the security computer provided by the embodiment of the invention adopts the platform door controller based on the 2-by-2 security computer, adopts redundant security IO technology to collect input signals and transmit output signals, and controls the platform door according to the preset fault-oriented security logic when any channel is abnormal. In addition, the communication recording board of the security computer forms a redundant dual-channel communication relationship with the platform gate DCU device through the external interface module, thus effectively improving the safety, reliability and usability of the platform gate control system.
[0032] In one embodiment, the fault-oriented safety logic further includes: when the door opening instruction is lost while the platform gate DCU device is executing the door opening instruction, outputting the current actual gate opening instruction so that the platform door stays open after the door opening action is completed; and when the closing instruction is lost while the platform gate DCU equipment is executing the closing instruction, outputting the current actual gate control instruction so that the platform door stays closed after the closing action is completed.
[0033] Further, the fault-oriented safety logic further includes: when the platform gate DCU device receives the door closing instruction in the process of executing the door opening instruction, it outputs the control instruction according to the validity of the door closing instruction after the platform door completes the door opening action.
[0034] Further, the fault-oriented safety logic further includes: when the platform gate DCU device receives the door opening instruction in the process of executing the door closing instruction, it outputs the control instruction according to the validity of the door opening instruction after the platform door completes the door closing action.
[0035] It should be noted that the control technology based on the 2-by-2 security computer of the above embodiment is the foundation of the platform door control system. When some abnormality occurs, the platform door controller can control according to the preset fault-oriented security logic, thus further improving the security, usability and reliability of the door control system and ensuring the safety of passengers.
[0036] In one embodiment, the check items of the system initialization self-test include module ID check, input circuit self-test, output circuit self-test, memory self-test, code segment self-test, register self-test, ALU self-test and firmware version check.
[0037] In the embodiment of the invention, all modules of the system are self-checked by setting comprehensive inspection items, so that the reliability of the system can be ensured to the greatest extent, and further the safety, availability and reliability of the gate control system can be ensured.
[0038] In one embodiment, the intra-system synchronization process of the motherboard includes: when the intra-system dual channels complete the synchronization operation within a first preset waiting time after the system initialization self-test is successful, it is judged that the intra-system synchronization is successful; When the two channels in the system complete the synchronization operation within the second preset waiting time during periodic operation, it is judged that the synchronization in the system is successful.
[0039] In the embodiment of the invention, after the module is initialized and during the periodic operation, the motherboard needs to synchronize the dual-channel processors in the system, and the synchronization operation can be completed within the set time according to the preset waiting time, thus further ensuring the reliability of the secure computer.
[0040] In one embodiment, the main/standby synchronization process of the mainboard includes: after the intra-system synchronization is successful, the standby mainboard and the main mainboard sequentially perform initialization phase synchronization operation and application phase synchronization operation; The initialization phase synchronization operation includes version number synchronization and native state synchronization, and the application phase synchronization operation includes native state synchronization, time synchronization and application data synchronization.
[0041] Further, when the synchronization error between the master and the standby is smaller than the preset inter-system synchronization error, it is judged that the synchronization between the master and the standby is successful.
[0042] In the embodiment of the invention, after the mainboard of the main system and the standby system runs normally, the standby system needs to be synchronized with the main system. In the initialization stage and the application stage, the inter-system synchronization error is configured to ensure that the inter-system synchronization error is controlled within a certain range, thus effectively ensuring the safety and reliability of the security computer.
[0043] In one embodiment, the motherboard also runs periodically according to a preset working cycle after the application is successfully initialized, and if the running time of any working cycle exceeds a preset stage time, the motherboard enters a shutdown state. The work cycle includes an input processing stage, an application function calling stage and an output data processing stage.
[0044] In the embodiment of the invention, during periodic operation, the operation stages of the motherboard include input processing, application function calling, and data output processing, wherein the operation time of each stage needs to be completed within a preset time, and if the operation time of any stage is overtime, it will enter the shutdown state, thus ensuring the safe computer to operate within a controllable range, and further improving the safety and reliability of the safe computer.
[0045] In one embodiment, when the two-out-of-two comparison of the output data on the main system motherboard is inconsistent, the main system motherboard enters the down state and the current standby system motherboard is switched to the main system. When the two-out-of-two comparison of the output data on the standby motherboard is inconsistent and the inconsistency continuously exceeds the preset tolerance period, the standby motherboard enters the down state.
[0046] In the embodiment of the invention, when the main system motherboard performs the two-out-of-two comparison of its output data and the results of the two channels are inconsistent, it directly enters the down state. When the standby system motherboard performs the two-out-of-two comparison of its output data and the results of the two channels are inconsistent, it is allowed to stay up for a preset tolerance period. This effectively ensures the safety and reliability of the system.
[0047] See Figure 2. Based on the above scheme, in order to facilitate a better understanding of the platform door control device based on the security computer provided by the embodiment of the present invention, the following specific examples are given for detailed explanation:
[0048] The platform door control device based on the security computer provided by the embodiment of the invention takes the control technology of the 2-by-2 security computer as its core and the security IO module technology as its foundation. Security-related signal acquisition in the system (including information from the platform door DCU equipment, external control network, local control panel and comprehensive backup panel, etc.) adopts a security redundancy design: two independent, redundant acquisition signals are fed into two independent input channels of the security input module, and the security computer checks the consistency of the two acquired signals. To prevent the acquired information from being wrong due to a short-circuit or open-circuit fault of the acquisition signal, the input module of the security IO module performs a real-time self-check of the acquisition channel on every acquisition.
[0049] According to the embodiment of the invention, the safety-related drive signals in the system adopt a redundant dual-channel CPU instruction comparison method, and after the comparison is consistent, the output results of the dual CPUs control the safety output module and are transmitted to the execution unit, wherein the output of each step has a corresponding output self-check and read-back, and if a fault is detected, the system is directed to the safety side and the external output is cut off.
[0050] The system of the embodiment of the invention is mainly divided into two parts:
[0051] 1. The main control unit adopts 2-by-2 secure computer and secure IO technology. The application layer adopts modular design architecture, is designed and developed according to the assembly line process, and supports various functions of platform gate control system.
[0052] 2. The execution unit uses a relay combination and is connected with the inputs and outputs of the safety IO through hard wiring to complete the external drive and acquisition control of the product.
[0053] The security computer of the platform control system is divided into three layers: communication layer, main control layer and execution layer.
[0054] Communication layer communicates with rail transit signal system through redundant network or with external control network through redundant AP(Access Point).
[0055] The main control layer communicates with the execution layer through the redundant CAN network; The security computer adopts the two-by-two technology, and is composed of redundant power boards, motherboards (two) and communication recording boards. The communication recording board and the motherboard perform data interaction through the internal redundant Ethernet; The two motherboards can communicate with each other through Powerlink bus and pulse signals.
[0056] The execution layer includes the IO drive acquisition module (safety IO module) and the relay board group. The motherboard communicates with the IO drive acquisition module through the redundant CAN bus; the IO drive acquisition module drives the relays and relay groups, and exchanges information with the DCU, PSL, reliability system, IBP, etc. over hard wiring through the node outputs of the relays and relay groups.
[0057] The communication recording board establishes a communication interface with the signal system through the Ethernet extranet, and performs data interaction on the platform door control command and the platform door state; At the same time, the communication recording board (through the industrial computer) uploads all kinds of maintenance information of platform doors to the platform door monitoring system.
[0058] The redundant RS485 bus output by the communication recording board is converted into CAN protocol through the external interface module (provided by DCU manufacturer), and then connected with DCU devices of gate controllers of the upstream and downstream platform doors, sending alignment isolation commands and receiving DCU status information of gate controllers, etc.
[0059] In the embodiment of the present invention, the working principle of the 2-by-2 security computer is as follows: when the system is powered on and the self-check succeeds, the two systems perform the main/standby judgment and switching. After the main/standby relationship is determined, both the main and standby systems call the application software, provide the input data to the application for logical operation, and compare the data output by the application 2 out of 2; all other modules are output by the active and standby systems. The specific functions are as follows:
[0060] 1. initialization and self-test (main control /IO module)
[0061] The gate controller first performs a self-test (self-test first, then initialization). The test items include: module ID, input circuit self-test, output circuit self-test, memory self-test, code segment self-test, register self-test, ALU self-test and firmware version check. If the self-test fails, the platform door controller goes down. After the self-check, the system cycle, communication protocol initialization, peripheral type initialization and other operations are carried out. Each processing unit of the platform control system also needs to periodically self-check its own memory, registers, etc. If the self-check fails, the corresponding module goes down and is switched to the standby module.
[0062] 2. Intra-system synchronization (main control /IO module)
[0063] After the single channel initialization is successful, the module waits for synchronization with the processor of the channel, and the waiting time should be less than the "maximum waiting time" (configurable, for example, it can support at least one system working cycle and at most three system working cycles).
[0064] When the module cycle runs, the two channels need to be synchronized, and the waiting time is less than the "maximum waiting time" (configurable, for example, the minimum system cycle can be supported and the maximum system cycle can be supported).
[0065] If the synchronization of internal modules is unsuccessful, the modules will be shut down and switched to the spare modules;
[0066] 3. Master-standby synchronization (master control)
[0067] After the main and standby systems of the main control module run normally, the standby system needs to be synchronized with the main system. The contents of synchronization can be divided into initialization stage and application stage, in which the contents to be synchronized in the initialization stage include version number, local state and other information, and the contents to be synchronized in the application stage include local state, time and application data.
[0068] Synchronization error should be less than "inter-system synchronization error" (it can be configured according to specific needs).
[0069] If the synchronization between the main and standby systems is unsuccessful, the standby system is down after the preset tolerance time, and a fault prompt is given;
[0070] 4. Confirmation of successful application initialization
[0071] The gate controller calls the initialization function of the application to judge whether the application initialization is successful. The application initialization is considered correct only when it succeeds on both channels of the 2-out-of-2 pair. If the application initialization is unsuccessful, the platform door controller goes down.
[0072] 5. Configuration data comparison (main control module)
[0073] OC needs to compare the configuration data versions issued by the interlocking host. Only when they are consistent can the platform door controller motherboard send control instructions to the execution module. If they are inconsistent, the main control module cannot establish communication with the execution module.
[0074] 6. Work cycle control
[0075] After the application is successfully initialized, it runs periodically. Each cycle consists of input processing, calling the application functions, and output data processing.
[0076] During periodic operation, the platform door control system allocates a fixed time (configurable work cycle) for each of the above stages. For example, input processing accounts for 30% of the work cycle time, calling application functions accounts for 30% of the work cycle time, and output data processing accounts for 40% of the work cycle time.
[0077] 7. Work cycle supervision
[0078] After the platform control system enters the periodic operation, check whether the working cycle of each stage is within the specified range; At the same time, after the platform door control system enters the periodic operation, check whether the logical sequence of program execution is normal.
[0079] The gate controller calls the input processing, application cycle processing and output processing functions. It is necessary to check whether the functions of each stage are completed within the specified time and whether the logical sequence of program execution is correct.
[0080] Cycle supervision requires mutual supervision between the two channels of the 2-out-of-2 pair. If any channel times out, the module goes down. The allowable range of the work cycle for supervision can be set, and the time is less than 1ms.
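The work cycle control and supervision of items 6 and 7 can be sketched as follows. This is an added example, not code from the patent: the record layout, function names and the 100 ms cycle in the sample data are assumptions, and only the 30%/30%/40% split and the "any channel fault takes the module down" rule come from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The three stages of one work cycle, in the order the text gives them. */
typedef enum { STAGE_INPUT = 0, STAGE_APP = 1, STAGE_OUTPUT = 2, STAGE_COUNT = 3 } stage_t;

typedef enum { SUP_OK = 0, SUP_TIMEOUT, SUP_SEQUENCE, SUP_INCOMPLETE } sup_result_t;

/* What one channel logged for one stage (hypothetical record layout). */
typedef struct {
    stage_t  stage;      /* which stage actually ran */
    uint32_t elapsed_us; /* how long it took */
} stage_record_t;

/* Example split from the text: 30% input, 30% application, 40% output. */
static const uint32_t BUDGET_PERCENT[STAGE_COUNT] = { 30u, 30u, 40u };

/* Time budget of one stage for a configurable work cycle length. */
uint32_t stage_budget_us(uint32_t cycle_us, stage_t s)
{
    return (uint32_t)(((uint64_t)cycle_us * BUDGET_PERCENT[s]) / 100u);
}

/* Supervise one channel's cycle. Order is checked before timing, so a
 * skipped, repeated or out-of-range stage is reported as a sequence fault. */
sup_result_t supervise_channel(const stage_record_t *rec, size_t n, uint32_t cycle_us)
{
    if (rec == NULL || n > STAGE_COUNT) {
        return SUP_SEQUENCE;
    }
    for (size_t i = 0; i < n; i++) {
        if ((size_t)rec[i].stage != i) {
            return SUP_SEQUENCE;
        }
        if (rec[i].elapsed_us > stage_budget_us(cycle_us, rec[i].stage)) {
            return SUP_TIMEOUT;
        }
    }
    return (n == STAGE_COUNT) ? SUP_OK : SUP_INCOMPLETE;
}

/* Mutual supervision of the 2-out-of-2 pair: the module keeps running only
 * if both channels pass; a fault in either channel takes it down. */
bool module_stays_up(const stage_record_t *ch_a, size_t na,
                     const stage_record_t *ch_b, size_t nb, uint32_t cycle_us)
{
    return supervise_channel(ch_a, na, cycle_us) == SUP_OK &&
           supervise_channel(ch_b, nb, cycle_us) == SUP_OK;
}

/* Constructed sample data: a 100 ms cycle gives budgets of 30/30/40 ms. */
static const stage_record_t SAMPLE_GOOD[] = {
    { STAGE_INPUT, 25000u }, { STAGE_APP, 30000u }, { STAGE_OUTPUT, 39000u } };
static const stage_record_t SAMPLE_SLOW[] = {
    { STAGE_INPUT, 25000u }, { STAGE_APP, 30001u }, { STAGE_OUTPUT, 1000u } };
static const stage_record_t SAMPLE_SWAPPED[] = {
    { STAGE_INPUT, 1000u }, { STAGE_OUTPUT, 1000u }, { STAGE_APP, 1000u } };

int main(void)
{
    const uint32_t cycle_us = 100000u;
    printf("good/good    stays up: %d\n",
           module_stays_up(SAMPLE_GOOD, 3, SAMPLE_GOOD, 3, cycle_us));
    printf("good/slow    stays up: %d\n",
           module_stays_up(SAMPLE_GOOD, 3, SAMPLE_SLOW, 3, cycle_us));
    printf("good/swapped stays up: %d\n",
           module_stays_up(SAMPLE_GOOD, 3, SAMPLE_SWAPPED, 3, cycle_us));
    return 0;
}
```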
[0081] 8. Input data processing (distribution)
[0082] The input data includes redundant data of dual-system red-blue network, which is filtered by intranet protocol;
[0083] 9. Call the application processing function
[0084] The processing function of the application is called to judge whether the application processing is successful. If the processing is unsuccessful, the fault processing flow is entered; if the call is unsuccessful, the result is downtime.
[0085] 10. Two-channel comparison of main system output data
[0086] The main system module of the platform controller compares the external output data by 2 out of 2, and outputs it to the outside after the comparison is consistent; If the comparison is inconsistent, the module is down;
[0087] 11. standby output data processing (master control)
[0088] The standby system compares the output data provided by the protocol processing 2 out of 2 and, after the comparison is consistent, obtains the output data of the main system. The standby system needs to compare against the output data of the main system and tolerates two cycles; if the data is inconsistent in the third cycle, the module goes down. The device only accepts data from the execution module, and does not send data to the execution module.
[0089] With the above two-by-two-out-of-two security computer control technology as its foundation, the platform door controller can satisfy the fault-oriented security handling mechanism.
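Items 10 and 11 give the main and standby motherboards different reactions to a failed 2-out-of-2 comparison. The following added example (not code from the patent) models that difference together with the switchover described in paragraph [0045]. The frame size, type names and sample frames are assumptions, and it assumes "the device" in item 11 is the standby motherboard, which therefore never releases output.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_LEN 4u                   /* hypothetical output frame size */
#define STANDBY_TOLERATED_CYCLES 2u  /* text: tolerate two cycles, down on the third */

typedef enum { ROLE_MAIN, ROLE_STANDBY } role_t;
typedef enum { BOARD_RUNNING, BOARD_DOWN } board_state_t;

typedef struct {
    role_t        role;
    board_state_t state;
    uint32_t      mismatch_streak;   /* consecutive inconsistent cycles */
} board_t;

/* One output cycle for one motherboard. ch_a and ch_b are the output frames
 * computed by its two channels. Returns true only when the frame may be
 * released to the execution layer. */
bool board_output_cycle(board_t *bd, const uint8_t *ch_a, const uint8_t *ch_b)
{
    if (bd->state == BOARD_DOWN) {
        return false;
    }
    if (memcmp(ch_a, ch_b, OUT_LEN) == 0) {
        bd->mismatch_streak = 0u;
        return bd->role == ROLE_MAIN;  /* the standby never drives the outputs */
    }
    if (bd->role == ROLE_MAIN) {
        bd->state = BOARD_DOWN;        /* main: no tolerance, down at once */
        return false;
    }
    bd->mismatch_streak++;
    if (bd->mismatch_streak > STANDBY_TOLERATED_CYCLES) {
        bd->state = BOARD_DOWN;        /* standby: down on the third in a row */
    }
    return false;
}

/* Promote a running standby when the main has gone down.
 * Returns true if a switchover took place. */
bool switch_over(board_t *main_bd, board_t *standby_bd)
{
    if (main_bd->role == ROLE_MAIN && main_bd->state == BOARD_DOWN &&
        standby_bd->role == ROLE_STANDBY && standby_bd->state == BOARD_RUNNING) {
        standby_bd->role = ROLE_MAIN;
        standby_bd->mismatch_streak = 0u;
        return true;
    }
    return false;
}

/* Constructed frames: FRAME_BAD differs from FRAME_OK in its last byte. */
static const uint8_t FRAME_OK[OUT_LEN]  = { 0x01, 0x00, 0x5A, 0xA5 };
static const uint8_t FRAME_BAD[OUT_LEN] = { 0x01, 0x00, 0x5A, 0xA4 };

/* Feed n consecutive inconsistent cycles to a fresh board of the given role
 * and report the state it ends up in. */
board_state_t state_after_mismatches(role_t role, uint32_t n)
{
    board_t bd = { role, BOARD_RUNNING, 0u };
    for (uint32_t i = 0; i < n; i++) {
        (void)board_output_cycle(&bd, FRAME_OK, FRAME_BAD);
    }
    return bd.state;
}

int main(void)
{
    printf("main after 1 mismatch down:      %d\n",
           state_after_mismatches(ROLE_MAIN, 1u) == BOARD_DOWN);
    printf("standby after 2 mismatches down: %d\n",
           state_after_mismatches(ROLE_STANDBY, 2u) == BOARD_DOWN);
    printf("standby after 3 mismatches down: %d\n",
           state_after_mismatches(ROLE_STANDBY, 3u) == BOARD_DOWN);
    return 0;
}
```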
[0090] It should be noted that when some abnormalities occur, the platform door controller should follow the principle of fault-oriented safety, specifically including:
[0091] 1. The door opening and door closing commands are received at the same time.
[0092] A. Function input: the platform door controller does not receive the opening/closing command, or receives the opening/closing command at the same time.
[0093] B. Basic flow of functions:
[0094] If the gate control system of the platform does not receive the door opening/closing command, or receives both the door opening and closing commands, the state of the platform door shall remain unchanged.
[0095] C. Function output: the platform door controller does not output the opening/closing command to DCU (within the preset time period).
[0096] 2. The door opening command is lost in the process of opening the door.
[0097] A. Function input: after the platform door controller receives the door opening command, the door opening command becomes invalid.
[0098] B. Basic flow of functions:
[0099] In the process of DCU door opening, if the door opening command received by the platform door controller is lost, the platform door controller will output it according to the actual gate control command, and the platform door will remain open after the door opening action is completed.
[0100] C. Function output: the platform door controller outputs according to the received gate control command.
[0101] 3. The door closing command is received during the door opening process.
[0102] A. Function input: after the platform door controller receives the door opening command, it immediately receives the door closing command.
[0103] B. Basic flow of functions:
[0104] While the DCU is executing the door opening command, the platform door controller receives the door closing command while the door opening command it has output is still valid, and the platform door controller outputs according to the actual gate control command. The platform door should complete the door opening action and then judge whether the door closing command is effective (if it is effective, the door is closed; if it is invalid, the door remains open).
[0105] C. Function output: the platform door controller outputs according to the received gate control command.
[0106] 4. The closing order is lost during the closing process.
[0107] A. Function input: after the platform door controller receives the door opening command, the door opening command becomes invalid.
[0108] B. Basic flow of functions:
[0109] In the closing process of DCU, if the closing command received by the platform door controller is lost, the platform door controller will output it according to the actual gate control command, and the platform door will remain closed after closing.
[0110] C. Function output: the platform door controller outputs according to the received gate control command.
[0111] 5. The door opening command was received during the closing process.
[0112] A. Function input: the platform door controller receives the door opening command immediately after receiving the door closing command.
[0113] B. Basic flow of functions:
[0114] While the DCU is executing the closing command, the platform door controller receives the opening command while the closing command is still valid, and the platform door controller outputs according to the actual gate control command. The platform door should complete the closing action and then judge whether the opening command is valid.
[0115] C. Function output: the platform door controller outputs according to the received gate control command.
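The five fault-oriented cases above reduce to two rules: the controller outputs nothing when it sees both commands or neither, and a door travel in progress always completes before the current command is evaluated. The following added example (not code from the patent) implements that reading as a small state machine. The type names, the `travel_done` flag and the sample traces are assumptions, and the preset time window of case 1 is not modeled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { CMD_NONE, CMD_OPEN, CMD_CLOSE } cmd_t;
typedef enum { DOOR_CLOSED, DOOR_OPENING, DOOR_OPEN, DOOR_CLOSING } door_t;

/* One time step of controller inputs (hypothetical trace format). */
typedef struct {
    bool open_in;      /* door opening command currently valid */
    bool close_in;     /* door closing command currently valid */
    bool travel_done;  /* the door travel in progress finished in this step */
} step_t;

/* Controller side, case 1: with both commands or neither, nothing is output
 * to the DCU; otherwise the single valid command is passed through. */
cmd_t controller_output(bool open_in, bool close_in)
{
    if (open_in == close_in) {
        return CMD_NONE;
    }
    return open_in ? CMD_OPEN : CMD_CLOSE;
}

/* Door side, cases 2 to 5: a travel in progress is never reversed or
 * abandoned. Only once it is complete is the current command evaluated. */
door_t door_step(door_t door, cmd_t cmd, bool travel_done)
{
    switch (door) {
    case DOOR_OPENING:
        if (!travel_done) {
            return DOOR_OPENING;
        }
        return (cmd == CMD_CLOSE) ? DOOR_CLOSING : DOOR_OPEN;
    case DOOR_CLOSING:
        if (!travel_done) {
            return DOOR_CLOSING;
        }
        return (cmd == CMD_OPEN) ? DOOR_OPENING : DOOR_CLOSED;
    case DOOR_OPEN:
        return (cmd == CMD_CLOSE) ? DOOR_CLOSING : DOOR_OPEN;
    case DOOR_CLOSED:
        return (cmd == CMD_OPEN) ? DOOR_OPENING : DOOR_CLOSED;
    }
    return door;
}

/* Run a trace of input steps and return the final door state. */
door_t run_trace(door_t start, const step_t *steps, size_t n)
{
    door_t door = start;
    for (size_t i = 0; i < n; i++) {
        cmd_t cmd = controller_output(steps[i].open_in, steps[i].close_in);
        door = door_step(door, cmd, steps[i].travel_done);
    }
    return door;
}

/* Constructed traces. Fields: open_in, close_in, travel_done. */
static const step_t TRACE_BOTH[] = {            /* case 1 */
    { true, true, false }, { true, true, false } };
static const step_t TRACE_OPEN_LOST[] = {       /* case 2 */
    { true, false, false }, { false, false, false }, { false, false, true } };
static const step_t TRACE_CLOSE_IN_OPEN[] = {   /* case 3, close still valid */
    { true, false, false }, { false, true, false },
    { false, true, true }, { false, true, true } };
static const step_t TRACE_CLOSE_WITHDRAWN[] = { /* case 3, close no longer valid */
    { true, false, false }, { false, true, false }, { false, false, true } };
static const step_t TRACE_CLOSE_LOST[] = {      /* case 4 */
    { false, true, false }, { false, false, false }, { false, false, true } };
static const step_t TRACE_OPEN_IN_CLOSE[] = {   /* case 5, open still valid */
    { false, true, false }, { true, false, false },
    { true, false, true }, { true, false, true } };

int main(void)
{
    printf("case 2 ends open:   %d\n",
           run_trace(DOOR_CLOSED, TRACE_OPEN_LOST, 3) == DOOR_OPEN);
    printf("case 3 ends closed: %d\n",
           run_trace(DOOR_CLOSED, TRACE_CLOSE_IN_OPEN, 4) == DOOR_CLOSED);
    printf("case 5 ends open:   %d\n",
           run_trace(DOOR_OPEN, TRACE_OPEN_IN_CLOSE, 4) == DOOR_OPEN);
    return 0;
}
```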
[0116] On the other hand, the invention also provides a platform door control system based on the security computer, which comprises an external control network, a rail transit signal system, a platform gate DCU device, a local control panel, a comprehensive backup panel and any platform door control device based on the security computer.
[0117] Finally, it should be explained that the above embodiments are only used to illustrate the technical scheme of the present invention, but not to limit it; Although the invention has been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that it is still possible to modify the technical solutions described in the foregoing embodiments, or to equivalently replace some technical features thereof; These modifications or substitutions do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of various embodiments of the present invention.