A method for verifying the correctness of one-key sequential control in railway power distribution based on non-homogeneous two-factor authentication
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NANJING HENGXING AUTOMATION EQUIP
- Filing Date
- 2025-09-25
- Publication Date
- 2026-06-30
Description
Technical Field
[0001] This invention relates to the field of power distribution automation control technology, and more specifically, to a method for confirming the correctness of one-click sequential control of railway power distribution based on non-homogeneous two-factor authentication.
Background Technology
[0002] One-click sequential control of railway power distribution has been widely applied in stations to automatically complete switching, connection, protection setting association, and verification according to the operation ticket sequence. Existing systems mostly rely on static five-prevention interlocking rules and ticket-based simulation for process verification; when execution fails at a certain step, alarms or pauses are usually the main responses, and subsequent handling relies on manual judgment and authorization. The existing solutions have a relatively fragmented coupled modeling of ticket logic, station interlocking, power flow, and protection impact, lacking a deterministic decision chain that unifies interlocking diagrams, cause-effect graphs, invariants, and digital twin calculations; it also lacks a one-time token mechanism that strongly binds the authorization scope to the field context and impact domain, as well as a replayable audit chain and replay verification process.
[0003] The existing technology has the following shortcomings:
[0004] In the process of one-click sequential execution, when a certain step fails, how can we confirm the correctness of three types of abnormal handling—retry, skip, and manual takeover—based on two non-homologous factors: structural legality verification and digital twin bounded calculus, without manual probing? Based on this, how can we deduce the minimum available permission set, issue a one-time authorization order bound to the context packet and the hash of the affected domain, synthesize temporary interlocks and backoff linkages to implement controlled execution, and write the entire process into a replayable audit chain to achieve unified input and unified process verification?
[0005] To address the above problems, this invention proposes a solution.
Summary of the Invention
[0006] In order to overcome the above-mentioned defects of the prior art, embodiments of the present invention provide a method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication, so as to solve the problems mentioned in the background art.
[0007] To achieve the above objectives, the present invention provides the following technical solution:
[0008] The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication includes the following steps:
[0009] The sequence of one-click sequential control operation tickets and the associated remote signaling, telemetry, protection self-test and visual recognition data are obtained. The data are then time-stamped and coded according to a monotonic clock, standardized and outliers are pruned to obtain a unified input set and model baseline identifier for subsequent processing.
[0010] Generate a context package associated with a failure at a certain step. The context package contains a snapshot of the unified input set, the model baseline identifier, the time source quality identifier, and failure metadata. The data in the context package are then hashed in an immutable manner.
[0011] The correctness of candidate actions for handling anomalies is determined by executing non-homologous two-factor methods: the influence domain of the context package is calculated on the combined graph of the interlocking graph and the causal graph, and the structural legality is checked according to the set of invariants; bounded calculus and earliest violation search are performed on the digital twin model;
[0012] Output a one-time immediate authorization order and a set of constraint guardrail rules bound to the affected domain. The authorization order is generated based on the minimum available permission set derived from the permission capability lattice and is bound to the hash value of the context packet and the affected domain. At the same time, an audit log chain is recorded for playback verification.
[0013] In a preferred embodiment, the generation of the unified input set includes: standardizing and symbol-preserving outlier pruning of remote signaling, telemetry, protection self-testing, and visual recognition data; aggregating by alignment window and writing clock source quality identifiers; calculating the unified input set fingerprint using a hash function and merging it with the model baseline identifier for storage.
[0014] In a preferred embodiment, the edge types of the interlocking graph include dependency, prohibition, and blocking, and the causal graph records multi-hop rules for actions to topology and protection; the calculation of the influence domain is carried out along the aforementioned edges in the merged graph of the interlocking graph and the causal graph, and the maximum depth and access deduplication strategy are limited.
[0015] In a preferred embodiment, the set of invariants consists of items such as power supply segment parallel prohibition, no power and grounding release before closing, bus and branch operation limit coverage, and no voids in the protection zone; each item is implemented by a decision function and accepts the field snapshot of the context packet as input for Boolean decision.
[0016] In a preferred embodiment, the digital twin model composes a state vector from the topological state, the protection state, and the estimator. The state transition function is updated according to causal rules and the limit check is called at each step. The earliest violation search is advanced in time steps and returns the evidence chain and path identifier when the invariant is false for the first time.
[0017] In a preferred embodiment, the permission capability lattice organizes permission elements in a partial order relationship and supports least upper bound and greatest lower bound operations; the minimum available permission set is obtained by mapping the target sensitivity level and the hit tags, the permission scope is limited to the devices or regions covered by the influence domain, and out-of-domain authorization is prohibited.
[0018] In a preferred embodiment, the one-time instant authorization order includes a minimum set of available permissions, a scope identifier, an effective time, an issuer signature, and revocation condition fields; the authorization order is simultaneously bound to the context packet hash and the affected domain hash, and automatically becomes invalid when any field of the context packet is changed.
[0019] In a preferred embodiment, the constraint fence rule set includes temporary interlocks, backoff hooks, and constraint signatures; the temporary interlocks solidify key sequence relationships into rule items, the backoff hooks set a maximum completion time for the target object, and the constraint signatures record the rule number, the object, and the time threshold.
[0020] In a preferred embodiment, the audit log chain is hashed by concatenating the previous chain head with the current record to obtain a new chain head; the current record includes at least the model baseline identifier, the context packet hash, the structure verification conclusion, the calculation result, the authorization order identifier, and the guardrail rule set number.
[0021] In a preferred embodiment, for railway traction power supply scenarios, the set of invariants and causal rules further include traction transformer and segment parallel switching, segment return path constraints, traction rectification and protection zone redrawing rules, and are registered in the digital twin model with dedicated parameter tables and equipment mapping.
[0022] The technical effects and advantages of this invention are as follows: The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication:
[0023] This invention establishes a single decision chain by linking the structural verification of interlocking, causality, and invariants with the earliest violation search driven by digital twins in a two-factor concatenation, outputting a deterministic conclusion on anomaly handling; it derives the minimum available permission set based on the permission capability lattice and simultaneously issues a one-time authorization order bound to context and impact domain dual hashes, achieving consistent binding of permissions and scenarios; it synthesizes temporary interlocks and rollback linkages based on the calculated impact list, generates verifiable constraint signatures, and enforces verification during execution; it records a log chain with baseline identifiers and context packets as inputs, and achieves replayability and consistency checks of the handling process through replay verification, thereby forming a closed-loop connection of judgment, authorization, execution, and auditing.
Attached Figure Description
[0024] Figure 1 is a flowchart of the method for confirming the correctness of one-click sequential control of railway power distribution based on non-homogeneous two-factor authentication according to the present invention;
[0025] Figure 2 is a data interaction architecture diagram of the present invention;
[0026] Figure 3 is a timing diagram of the method of the present invention.
Detailed Implementation
[0027] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments.
[0028] This invention establishes a single decision chain by linking the structural verification of interlocking, causality, and invariants with the earliest violation search driven by digital twins in a two-factor concatenation, outputting a deterministic conclusion on anomaly handling; it derives the minimum available permission set based on the permission capability lattice and simultaneously issues a one-time authorization order bound to context and impact domain dual hashes, achieving consistent binding of permissions and scenarios; it synthesizes temporary interlocks and rollback linkages based on the calculated impact list, generates verifiable constraint signatures, and enforces verification during execution; it records a log chain with baseline identifiers and context packets as inputs, and achieves replayability and consistency checks of the handling process through replay verification, thereby forming a closed-loop connection of judgment, authorization, execution, and auditing.
[0029] Referring to Figures 1 to 3, the present invention provides an overall flow for handling unauthorized (privilege-escalated) operations and verifying their correctness, the method comprising the following steps:
[0030] Step S101: Obtain one-click sequential control tasks and on-site data.
[0031] This step is used to receive the operation ticket task for one-click sequential control and the real-time measurement at the power distribution site, forming a unified input set, which is denoted as the original dataset.
[0032] In an optional embodiment, the system receives operation ticket sequences from the scheduling platform, as well as data streams collected within the station, including remote signaling, telemetry, protection self-test, live display, and visual recognition conclusions. To ensure data consistency and traceability, the system uses a monotonic clock to timestamp all sampled data, forming a time-consistent raw dataset. This time-consistency mechanism is crucial for subsequent event correlation and status determination.
[0033] In an optional embodiment, the system employs standardized preprocessing to reduce the impact of noise. Any measurement is denoted as v_i; let its historical mean be μ_i and its historical standard deviation σ_i. The standardized value is x_i = (v_i − μ_i) / σ_i. This conversion helps data of different dimensions to be equally weighted in subsequent judgments and threshold comparisons, avoiding the situation where some data have too high or too low weight in the judgment due to differences in dimensions.
[0034] In an optional embodiment, robust pruning of outliers is performed. Let τ be the outlier threshold; if |x_i| > τ, the value is truncated to τ while keeping its sign unchanged (i.e., x_i is replaced by ±τ). This strategy can effectively suppress the impact of abnormal spikes on computational stability and improve data quality and model robustness.
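The standardization, sign-preserving pruning and input-set fingerprint of steps [0031] to [0034] (and the fingerprint merge with the baseline identifier of [0013]), as an added example that is not part of the patent or the assignee's code. The point names, statistics, threshold and baseline identifier are constructed; the canonical JSON ordering and SHA-256 are my choices, since the page names only "a hash function".

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    tag: str        # measurement point name (constructed, e.g. "BUS1.U")
    ts_mono: int    # monotonic-clock timestamp in milliseconds
    value: float


def standardize(value, mean, std):
    """x_i = (v_i - mu_i) / sigma_i; a constant point (sigma_i = 0) maps to 0."""
    return 0.0 if std == 0 else (value - mean) / std


def clip_preserving_sign(x, tau):
    """Outlier pruning: truncate |x_i| to tau while keeping the sign."""
    return max(-tau, min(tau, x))


def build_unified_input_set(samples, stats, tau):
    """Standardize and prune every sample; rows are ordered canonically so the fingerprint is stable."""
    rows = []
    for s in sorted(samples, key=lambda s: (s.tag, s.ts_mono)):
        mean, std = stats[s.tag]
        x = clip_preserving_sign(standardize(s.value, mean, std), tau)
        rows.append({"tag": s.tag, "ts": s.ts_mono, "x": round(x, 6)})
    return rows


def fingerprint(rows, baseline_id, clock_quality="monotonic_ok"):
    """Hash the canonical input set (with the clock-source quality tag) and merge it with the baseline id."""
    payload = {"rows": rows, "clock_quality": clock_quality}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return f"{baseline_id}:{hashlib.sha256(canonical).hexdigest()}"


# Constructed sample input: historical (mean, std) per point and three raw samples
STATS = {"BUS1.U": (27.5, 0.5), "QF1.pos": (1.0, 0.0)}
SAMPLES = [Sample("QF1.pos", 1000, 1.0), Sample("BUS1.U", 1000, 30.5), Sample("BUS1.U", 2000, 27.4)]


def demo(tau=3.0, baseline_id="baseline-v1"):
    rows = build_unified_input_set(SAMPLES, STATS, tau)
    return rows, fingerprint(rows, baseline_id)


if __name__ == "__main__":
    rows, fp = demo()
    print(rows)
    print(fp)
```

The 30.5 kV spike standardizes to 6σ and is clipped to +3 rather than dropped, so the fingerprint still records that an outlier occurred in that direction; any change to a sample, the clock-quality tag or the baseline identifier yields a different fingerprint.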
[0035] Step S102: Construct a unified model and solidify the baseline.
[0036] This step establishes a computable semantic foundation and solidifies the model version and hash, providing a consistent environment for subsequent verification, calculation, and authorization.
[0037] In an optional embodiment, an operation ticket sequence model is constructed. The operation ticket is denoted as sequence T and consists of several steps, with the i-th step denoted as s_i. Each step comprises four sets: target device set, precondition set, prohibition condition set, and expected completion state set. Each set is represented by an executable predicate. For example, the preconditions for closing circuit breaker QF1 include "verify target bay is de-energized" and "verify grounding has been released," while the expected completion states include "circuit breaker closed position indication is true" and "bus voltage restored to true." This model-based description allows the system to automatically understand and execute the operation ticket logic.
[0038] In an optional embodiment, an interlocking graph G is constructed. The nodes of the interlocking graph are primary equipment, secondary equipment, live displays, protection devices, and electrical areas. Directed edges are divided into three categories: dependent, prohibited, and blocking. Each edge is labeled with a conditional predicate. After construction, loop detection is performed on the subgraph containing only prohibited edges, using a method of eliminating nodes with an in-degree of zero layer by layer. If any edges remain unresolved, a configuration conflict is determined, and operation is stopped. The interlocking graph is the core component ensuring operational safety; loop detection can detect potential deadlocks or unreasonable configurations.
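The loop detection of [0038], layer-by-layer elimination of zero in-degree nodes on the prohibited-edge subgraph, as an added example that is not the patent's or the assignee's code. The device names and edges are constructed; the only assumption beyond the page is that an edge counts as "unresolved" when its source node was never eliminated.

```python
from collections import defaultdict, deque

# Constructed interlocking-graph edges: (source, destination, edge kind, condition predicate)
EDGES = [
    ("QF1", "QS1", "dependency", "QS1 must be closed before QF1 closes"),
    ("QF1", "QE1", "prohibition", "QF1 close prohibited while QE1 is grounded"),
    ("QE1", "BUS1_live", "prohibition", "grounding QE1 prohibited while BUS1 is live"),
    ("BUS1_live", "QF1", "blocking", "live display blocks QF1 until QF1 position is confirmed"),
]


def prohibition_subgraph(edges):
    """Keep only prohibited edges, as the loop check is defined on that subgraph."""
    return [(s, d) for s, d, kind, _ in edges if kind == "prohibition"]


def prohibition_cycle_check(edges):
    """Kahn-style elimination: repeatedly remove nodes with in-degree zero.

    Returns (ok, unresolved_edges). Any edge whose source survives elimination
    lies on or behind a cycle, which the page treats as a configuration conflict.
    """
    sub = prohibition_subgraph(edges)
    out, indeg, nodes = defaultdict(list), defaultdict(int), set()
    for s, d in sub:
        out[s].append(d)
        indeg[d] += 1
        nodes.update((s, d))
    queue = deque(n for n in nodes if indeg[n] == 0)
    removed = set()
    while queue:                        # one layer of zero in-degree nodes at a time
        n = queue.popleft()
        removed.add(n)
        for d in out[n]:
            indeg[d] -= 1
            if indeg[d] == 0:
                queue.append(d)
    unresolved = [(s, d) for s, d in sub if s not in removed]
    return (len(unresolved) == 0, unresolved)


if __name__ == "__main__":
    print(prohibition_cycle_check(EDGES))
    conflicting = EDGES + [("BUS1_live", "QF1", "prohibition", "constructed edge closing a loop")]
    print(prohibition_cycle_check(conflicting))
```

Only prohibition edges participate: the blocking edge BUS1_live → QF1 in the sample does not create a loop, but the same edge typed as a prohibition does, and the check then reports all three prohibition edges as unresolved so the operator can see the whole loop.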
[0039] In an optional embodiment, a causal graph C is constructed. The causal graph records the chain of influence of actions on topology, power flow, and protected areas in the form of rules. An example rule is: "The action disconnects tie switch K, causing bus B to segment, which in turn triggers the rezoning of the protected area, subsequently changing the range of relay R." Rules are stored as multi-hop mappings from action to influence, serving as the basis for subsequent calculations. The causal graph provides the logic for the dynamic changes in system state and is the foundation of digital twin computation.
[0040] In an optional embodiment, an invariant set I is defined. Invariant set I represents inviolable safety red lines, with examples including "two power sources are prohibited from parallel operation," "power must be de-energized and grounding removed before closing the circuit breaker," "bus voltage is within the permissible upper and lower limits," and "protection coverage has no gaps." Each invariant is implemented as an executable decision function, taking the current state as input and outputting either true or false. Invariants are the bottom line for the safe operation of the system, and no operation can violate them.
[0041] In an optional embodiment, a permission capability lattice L is defined. Examples of permission elements include "read-only status," "general execution," "critical interlock bypass," and "manual takeover." A partial order is established using refined inclusion relationships, and least upper bound and greatest lower bound operations are supported to automatically derive the minimum set of permissions required for a given privilege escalation. The permission capability lattice provides a formal basis for refined permission management.
[0042] In an optional embodiment, a digital twin model is constructed. The digital twin model denotes the system state vector as x, which consists of topological state, protection state, and measurement estimates. A state transition function F is defined, whereby, upon inputting an action, the new state is equal to F applied to the old state and the action. This function is driven by causal rules and performs a limit check at each step. If a limit is exceeded, the corresponding protection action is synchronously recorded and the state is entered. The digital twin model is the core of bounded calculus, capable of simulating the system's behavior under different operations.
[0043] In an optional embodiment, the operation ticket, interlocking diagram, cause-effect graph, invariant set, permission capability lattice, and digital twin model are each calculated for version and hash, and combined into a baseline identifier B, which serves as the environmental fingerprint for all subsequent judgments and audits. Baseline solidification ensures that all subsequent judgments are based on a defined and tamper-proof model version, guaranteeing the consistency and traceability of decisions.
[0044] Step S103: Failure triggering and context packet generation.
[0045] When step k in the operation ticket fails, the system initiates an exception handling procedure. This step generates a context packet to ensure information consistency during the handling process.
[0046] In an optional embodiment, a field snapshot is generated. The system collects remote signaling, telemetry, live display, protection self-test, and visual recognition results related to this step. A unified timescale is established and clock source quality is recorded. An alignment window length of thirty seconds is set to ensure that the state pairs before and after the failure fall within this window. The field snapshot provides real-world environmental information at the time of the failure.
[0047] In an optional implementation, a model baseline is bound. All artifacts and hashes of baseline B are written into the context packet. This ensures that subsequent verifications and calculations are based on the same model version as when the failure occurred.
[0048] In an optional embodiment, failure metadata is populated. This failure metadata includes the exception type, such as timeout, interlock failure, state inconsistency, and communication anomaly, as well as a list of associated devices, the number of retries attempted, and channel quality metrics. This metadata helps the system understand the nature and extent of the failure.
[0049] Let the context packet be P_k, comprising the field snapshot Σ_k, the baseline B, and the failure metadata. The context packet is the complete information carrier for anomaly handling decisions.
[0050] Step S104: Structural legality verification.
[0051] Before discussing risk calculation and authorization, this step first determines whether the structure allows unauthorized processing, which is the first line of defense.
[0052] In an optional embodiment, hard prohibition matching is performed. If a prohibited edge matches the target action at step k, and its condition is true within the snapshot, the structural prohibition conclusion is directly output, and the edge identifier is returned as evidence. Hard prohibition matching can quickly identify operations that violate basic safety rules.
[0053] In an optional embodiment, the influence domain is calculated. Using the target device at step k as the root, a forward reachability search is performed on the merged graph of the interlocking graph and the causal graph. The search is expanded only along four types of edges: dependency, prohibition, blocking, and causal influence, with a maximum depth limited to three layers. The set of reachable nodes is denoted as the influence domain A_k. Calculating the influence domain helps to limit the scope of subsequent analysis and improve efficiency.
[0054] In an optional embodiment, an invariant pre-check is performed. Invariant determination is performed on each object covered by the affected domain. If any entry is necessarily false (i.e., skipping or taking over would violate it anyway), an invariant prohibition conclusion is output, and the entry identifier and evidence node are returned. Invariant pre-checking is crucial to ensuring that operations do not cross safety red lines.
[0055] If the prohibition is not met and the invariants are satisfied, then the structure is valid, and the domain of influence A_k is output. This indicates that the solution is permissible from the perspective of static structure and basic security rules.
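The structural legality check of step S104 ([0052] to [0055]): hard prohibition matching, the depth-limited forward reachability that yields A_k, and the invariant pre-check. This is an added example, not the patent's or the assignee's code; the merged graph, snapshot keys and the two invariants are constructed, and the invariants are evaluated once on the snapshot rather than per covered object, which is a simplification of [0054].

```python
from collections import deque

# Constructed merged graph (interlocking + causal): node -> [(neighbour, edge kind, condition key)]
MERGED = {
    "QF1": [("BUS1", "dependency", None), ("QE1", "prohibition", "QE1.grounded"), ("ZONE_A", "causal", None)],
    "BUS1": [("FEEDER1", "causal", None), ("FEEDER2", "causal", None)],
    "FEEDER1": [("LOAD1", "causal", None)],
    "LOAD1": [("SUBLOAD1", "causal", None)],      # four hops from QF1: outside the depth-3 domain
    "ZONE_A": [("RELAY_R1", "causal", None)],
    "QE1": [],
}
ALLOWED_EDGES = {"dependency", "prohibition", "blocking", "causal"}

# Constructed invariants: each is a decision function over the field snapshot
INVARIANTS = {
    "no_parallel_sources": lambda snap: not (snap.get("BUS1.src_A") and snap.get("BUS1.src_B")),
    "ground_released_before_close": lambda snap: not snap.get("QE1.grounded"),
}


def hard_prohibition(graph, target, snapshot):
    """Return the edge identifier of a prohibition edge whose condition holds in the snapshot."""
    for dst, kind, cond in graph.get(target, []):
        if kind == "prohibition" and cond and snapshot.get(cond):
            return f"{target}->{dst}:{cond}"
    return None


def influence_domain(graph, root, max_depth=3):
    """Breadth-first forward reachability along the allowed edge kinds, deduplicated, depth-limited."""
    seen, frontier = {root}, deque([(root, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_depth:
            continue
        for dst, kind, _ in graph.get(node, []):
            if kind in ALLOWED_EDGES and dst not in seen:
                seen.add(dst)
                frontier.append((dst, depth + 1))
    return seen


def structural_check(graph, target, snapshot, invariants=INVARIANTS):
    """First line of defence: (conclusion, evidence, A_k)."""
    edge = hard_prohibition(graph, target, snapshot)
    if edge:
        return ("structural_prohibition", edge, None)
    domain = influence_domain(graph, target)
    for name, holds in invariants.items():
        if not holds(snapshot):
            return ("invariant_prohibition", name, domain)
    return ("structurally_valid", None, domain)


if __name__ == "__main__":
    print(structural_check(MERGED, "QF1", {"QE1.grounded": True}))
    print(structural_check(MERGED, "QF1", {"BUS1.src_A": True, "BUS1.src_B": True}))
    print(structural_check(MERGED, "QF1", {}))
```

The hard prohibition is matched before the domain is computed, so a grounded earthing switch is rejected with the edge as evidence and no reachability work is done; when the structure is valid, A_k (eight nodes here, excluding the four-hop SUBLOAD1) is handed on to the twin calculus and bounds the later authorization scope.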
[0056] Step S105: Digital twin bounded calculus.
[0057] Under the premise of structural legality, a limited-depth deterministic calculation is performed on the three candidate actions of skipping, retrying, and manual takeover in order to find the earliest violation point and form an impact list. This is the second line of defense.
[0058] In an optional embodiment, initial state mapping is performed. The field snapshot is mapped to the twin's initial state, denoted as x0. This is the starting point for digital twin calculus.
[0059] In an optional embodiment, a scenario tree is generated. Starting with a candidate unauthorized action, the tree expands sequentially along the operation tickets to depth d, with the recommended depth coverage extending to the end of the ticket. Branches that do not satisfy interlocking or topology feasibility are immediately pruned. Each state transition invokes causal rules to update the topology and protections, and performs runtime limit checks. If protection is triggered, the post-protection state is appended to the branch. The generation of the scenario tree simulates the evolution of the system state under different handling schemes.
[0060] In an optional embodiment, an earliest violation search is performed. Invariants are checked step-by-step along each path. If an invariant is false for the first time at time step t, the path, time step, and entry identifier are recorded, and the candidate action is rejected. The system uses the earliest violation as the final criterion. The earliest violation search can identify potential security risks and terminate unsafe schemes in a timely manner.
[0061] In an optional implementation, if no violations are triggered on any path, a simulation pass conclusion is output, and an impact list is compiled. The impact list includes protection items that were temporarily deactivated or triggered, available margins in operating parameters, and devices or areas that need to be isolated. For example, let the permissible lower limit of the bus voltage be V_min and the minimum voltage on a certain path be V_min,actual; then the voltage margin equals V_min,actual − V_min. Let the permissible upper limit of the branch current be I_max and the maximum current on a certain path be I_max,actual; then the current margin equals I_max − I_max,actual. The impact list provides a quantitative assessment of the safety margin.
[0062] In an optional implementation, the three candidate actions are evaluated using the same framework. For example, the feasibility of skipping step k: if the set of invariants I is satisfied on all paths, then the conclusion is feasible and marked as a twin pass. If any candidate action is rejected, the earliest chain of evidence that violates it is returned.
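The bounded calculus of step S105 ([0057] to [0062]): a state transition function driven by a causal rule, step-by-step invariant checks, the earliest violation search, and the voltage margin V_min,actual − V_min from [0061], evaluated for all three candidate actions. This is an added example, not the patent's or the assignee's code; the snapshot, the three-step ticket, the voltage limits and the single causal rule are constructed, and the scenario "tree" degenerates to one path per candidate because the toy model triggers no protection branches.

```python
V_MIN, V_MAX = 25.0, 29.0   # constructed permissible bus voltage limits (kV)
V_NOMINAL = 27.5


def transition(state, action):
    """F(x, a): apply the switching action, then the (constructed) causal rule for the bus."""
    s = dict(state)
    verb, device = action.split()
    s[device] = "closed" if verb == "close" else "open"
    fed = s["QF1"] == "closed" or s["QF2"] == "closed"   # bus is energized by either source breaker
    s["V"] = V_NOMINAL if fed else 0.0
    return s


# Constructed invariant set I, each a decision function over the twin state
INVARIANTS = {
    "no_parallel_sources": lambda s: not (s["QF1"] == "closed" and s["QF2"] == "closed"),
    "bus_voltage_in_limits": lambda s: s["V"] == 0.0 or V_MIN <= s["V"] <= V_MAX,
}


def candidate_actions(ticket, k, candidate):
    """Retry and manual takeover re-execute step k (assumed to succeed in the twin); skip omits it."""
    prefix = [] if candidate == "skip" else [ticket[k]]
    return prefix + ticket[k + 1:]


def earliest_violation_search(x0, ticket, k, candidate):
    """Advance the twin along the ticket to its end; stop at the first false invariant."""
    state, path = x0, [x0]
    for t, action in enumerate(candidate_actions(ticket, k, candidate), start=1):
        state = transition(state, action)
        path.append(state)
        for name, holds in INVARIANTS.items():
            if not holds(state):
                return {"verdict": "rejected", "t": t, "invariant": name, "action": action, "path": path}
    energized = [s["V"] for s in path if s["V"] > 0.0]
    margin = min(energized) - V_MIN if energized else None     # V_min,actual - V_min
    return {"verdict": "twin_pass", "voltage_margin": margin, "path": path}


# Constructed field snapshot x0 and operation ticket; step 0 ("open QF2") is the step that failed
X0 = {"QF1": "open", "QF2": "closed", "K": "open", "V": V_NOMINAL}
TICKET = ["open QF2", "close QF1", "close K"]


def evaluate_candidates(k=0):
    return {c: earliest_violation_search(X0, TICKET, k, c) for c in ("retry", "skip", "takeover")}


if __name__ == "__main__":
    for name, result in evaluate_candidates().items():
        print(name, {key: v for key, v in result.items() if key != "path"})
```

Skipping the failed "open QF2" step is rejected at t = 1 because closing QF1 would put both sources in parallel; retry and takeover run to the end of the ticket and report a 2.5 kV voltage margin. The earliest violation, not a risk score, is the criterion, and the evidence returned is the path prefix up to the offending step.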
[0063] Step S106: Derivation of the minimum available permission set and immediate authorization.
[0064] By formalizing the boundaries of unauthorized access to the minimum scope of permissions and binding them to the context, fine-grained permission management can be achieved.
[0065] In an optional embodiment, the minimum set of available permissions is derived. Permission elements are selected based on the sensitivity level at step k and the key tags they hit in the interlocking graph. For example, hitting a key interlock requires the "key interlock bypass" permission. The scope of the permission is limited to the devices and areas covered by the influence domain A_k. Let the minimum set of permissions be MP_C. This on-demand permission set avoids the over-granting of permissions.
[0066] In an optional embodiment, a capability coverage determination is performed. The operator's existing set of permissions is denoted as cap_op. If cap_op ⊇ MP_C, the permissions are satisfied; otherwise, proceed with the immediate authorization process.
[0067] In an optional embodiment, a one-time, instant token is issued. This token is issued by a higher-level approval entity with superior capabilities. The token fields include the minimum set of permissions, scope, validity period, and a binding to the context packet hash and the affected domain hash. If the context changes, the token automatically expires. This binding prevents token misappropriation or cross-scenario reuse, ensuring the exclusivity and timeliness of permissions.
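Step S106 ([0064] to [0067]) end to end: a permission capability lattice with least upper bound and greatest lower bound, derivation of MP_C, the coverage test cap_op ⊇ MP_C, and a one-time token bound to the context packet hash and the affected domain hash. This is an added example, not the patent's or the assignee's code. The lattice elements and their atoms, the tag names, and the use of an HMAC-SHA256 issuer signature plus a consumed-id set for one-time use are constructed; the page specifies only the fields and the binding, not the signature scheme.

```python
import hashlib
import hmac
import json
import secrets

# Constructed permission capability lattice: each element is the set of atomic capabilities it
# refines; the partial order is subset inclusion, with "full_override" as the top element.
ATOMS = {
    "read_only": frozenset({"read"}),
    "general_execution": frozenset({"read", "execute"}),
    "critical_interlock_bypass": frozenset({"read", "execute", "bypass_interlock"}),
    "manual_takeover": frozenset({"read", "execute", "takeover"}),
    "full_override": frozenset({"read", "execute", "bypass_interlock", "takeover"}),
}


def join(*elems):
    """Least upper bound: the smallest element whose atoms cover every input."""
    need = frozenset().union(*(ATOMS[e] for e in elems))
    return min((e for e, a in ATOMS.items() if need <= a), key=lambda e: len(ATOMS[e]))


def meet(*elems):
    """Greatest lower bound: the largest element contained in every input."""
    common = frozenset.intersection(*(ATOMS[e] for e in elems))
    return max((e for e, a in ATOMS.items() if a <= common), key=lambda e: len(ATOMS[e]))


def minimum_permission_set(sensitivity, hit_tags):
    """MP_C from the step's sensitivity level and the key tags hit in the interlocking graph."""
    mp = {"general_execution" if sensitivity >= 2 else "read_only"}
    if "critical_interlock" in hit_tags:
        mp.add("critical_interlock_bypass")
    if "takeover_required" in hit_tags:
        mp.add("manual_takeover")
    return mp


def covers(cap_op, mp_c):
    """cap_op ⊇ MP_C in lattice terms: every required element lies below some held element."""
    return all(any(ATOMS[r] <= ATOMS[h] for h in cap_op) for r in mp_c)


def canon_hash(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def _sign(issuer_key, fields):
    return hmac.new(issuer_key, canon_hash(fields).encode(), hashlib.sha256).hexdigest()


def issue_token(issuer_key, mp_c, domain, context, now, ttl_s):
    """One-time instant token: MP_C, scope, validity, and the two binding hashes, signed by the issuer."""
    fields = {
        "id": secrets.token_hex(8), "perms": sorted(mp_c), "scope": sorted(domain),
        "valid_from": now, "valid_until": now + ttl_s,
        "ctx_hash": canon_hash(context), "domain_hash": canon_hash(sorted(domain)),
    }
    return {**fields, "sig": _sign(issuer_key, fields)}


def verify_token(issuer_key, token, domain, context, now, used_ids):
    """Recompute both binding hashes from the live context and domain; any drift invalidates the token."""
    fields = {k: v for k, v in token.items() if k != "sig"}
    if not hmac.compare_digest(_sign(issuer_key, fields), token["sig"]):
        return "bad_signature"
    if token["id"] in used_ids:
        return "replayed"
    if not token["valid_from"] <= now <= token["valid_until"]:
        return "expired"
    if token["ctx_hash"] != canon_hash(context):
        return "context_changed"
    if token["domain_hash"] != canon_hash(sorted(domain)):
        return "domain_changed"
    used_ids.add(token["id"])
    return "valid"
```

Because the token carries hashes rather than the context itself, a verifier that recomputes them from the live context packet and A_k rejects the token as soon as any snapshot field or the scope changes, which is the "automatically becomes invalid" behaviour of [0018]; the consumed-id set gives the one-time property, and the signature check runs first so that an altered permission list is never evaluated.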
[0068] Step S107: Guardrail generation and controlled execution.
[0069] When the structure is valid, the simulation passes, and the permissions are all true, the system synthesizes a guardrail policy and executes it in a controlled manner to ensure the safety of the operation process.
[0070] In an optional embodiment, a temporary interlock is generated. The critical priority is solidified into rules based on the impact list. For example, "Parallel closing is prohibited until the connection is broken." The temporary interlock takes effect with this execution order and automatically expires after execution. The temporary interlock provides dynamic, scenario-based security.
[0071] In an optional embodiment, a rollback hook is provided. A maximum completion time, denoted t_max, is set for the critical objective. If the desired state is not achieved within t_max, the system automatically returns to the safe initial state. For example, if the desired state for circuit breaker closing is that the circuit breaker is in the closed position and the bus voltage is restored to true, and this is not achieved within two seconds, a tripping command is immediately issued and a rollback event is marked. The rollback hook provides an automatic recovery mechanism in case of operational failure.
[0072] In an optional embodiment, a constraint signature is synthesized. All guardrail rule numbers, their affected objects, and time thresholds are combined to form a signature, which is then issued along with a one-time execution order. Real-time verification occurs during execution; any violation of the guardrail immediately blocks the process and triggers a rollback. The constraint signature ensures the enforceability and immutability of the guardrail rules during execution.
[0073] Step S108: Audit solidification and playback verification.
[0074] This step forms an undeniable chain of evidence and supports independent playback verification, providing a basis for post-event analysis and system improvement.
[0075] In an optional embodiment, audit logs are atomically written. The logs include context packet hashes, baseline hashes, structure verification results, twin calculus results, permission determinations and token identifiers, guardrail signatures, pre- and post-execution state pairs and timestamps, and deviation and rollback events. The audit logs provide detailed information about the entire operation process.
[0076] In an optional embodiment, a log chain is formed. Let the hash of the previous chain head be H_prev and the content of the current record be L_cur; then the new chain head H_cur equals the hash operation applied to H_prev concatenated with L_cur. This chained structure allows tampering to be detected at any stage, ensuring the integrity and non-repudiation of audit records.
[0077] In an optional implementation, a replay verification is performed. Using the context package and baseline from the audit log as input, the structural check, twin calculus, permission deduction, and guardrail synthesis are re-executed. The conclusions should be consistent with those at the time. If inconsistent, it is marked as a replay anomaly, and a prompt is made indicating that the model and implementation need revision. The replay verification mechanism provides an independent means of verifying the correctness of the system's decision logic and implementation.
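The audit chain of [0076] (H_cur = Hash(H_prev ∥ L_cur)), its tamper check, and the replay verification of [0077], as an added example that is not the patent's or the assignee's code. The genesis head, the record fields and the stand-in decision function are constructed; the stand-in only has to be deterministic in the logged context and baseline, which is what makes replay possible.

```python
import hashlib
import json

GENESIS_HEAD = "0" * 64   # constructed head for the empty chain


def canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, record):
    """H_cur = SHA-256(H_prev || L_cur); the entry keeps prev, record and head, returns the new head."""
    prev = chain[-1]["head"] if chain else GENESIS_HEAD
    head = hashlib.sha256(prev.encode() + canon(record)).hexdigest()
    chain.append({"prev": prev, "record": record, "head": head})
    return head


def verify_chain(chain):
    """Recompute every head from the genesis; returns (ok, index_of_first_bad_entry)."""
    prev = GENESIS_HEAD
    for i, entry in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + canon(entry["record"])).hexdigest()
        if entry["prev"] != prev or entry["head"] != expected:
            return (False, i)
        prev = entry["head"]
    return (True, None)


def structural_decision(context, baseline):
    """Constructed stand-in for the structural check: a pure function of the logged inputs."""
    return "invariant_prohibition" if context["QE1.grounded"] else "structurally_valid"


def replay_verify(entry, decide=structural_decision):
    """Re-run the decision on the logged context and baseline and compare with the logged conclusion."""
    rec = entry["record"]
    fresh = decide(rec["context"], rec["baseline"])
    return "consistent" if fresh == rec["structure_conclusion"] else "replay_anomaly"


def build_sample_chain():
    """Two constructed audit records: one prohibited step, one valid step with an issued token."""
    chain = []
    append_record(chain, {"baseline": "B-v1", "context": {"step": 2, "QE1.grounded": True},
                          "structure_conclusion": "invariant_prohibition", "token_id": None})
    append_record(chain, {"baseline": "B-v1", "context": {"step": 3, "QE1.grounded": False},
                          "structure_conclusion": "structurally_valid", "token_id": "tok-0001"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain), [replay_verify(e) for e in chain])
    chain[0]["record"]["structure_conclusion"] = "structurally_valid"   # simulated tampering
    print(verify_chain(chain), replay_verify(chain[0]))
```

The two checks catch different failures: a rewritten record breaks the hash chain at its own index, while an unchanged record whose conclusion the current implementation no longer reproduces is a replay anomaly, the signal that the model or implementation has drifted since the decision was taken.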
[0078] It should be noted that the system provided in the above embodiments can be deployed in hardware according to the above module division when implementing its functions, or several modules can be integrated into the same processing unit through software logic. Similarly, the module division is only for the purpose of clearly describing this solution, and the specific names and division methods of each functional module do not constitute a limitation on this application. The method embodiments and device embodiments of this application belong to the same concept, and their specific implementation process has been described in detail in the method section, and will not be repeated here.
[0079] This application also provides a computer-readable storage medium storing instructions that, when executed by a processor, cause the processor to perform the steps of the distribution network physical feasible domain sensing intervalization method described in any of the preceding claims. The computer-readable storage medium may include, but is not limited to, media capable of storing program code such as USB flash drives, read-only memory, random access memory, portable hard drives, magnetic disks, and optical discs. These instructions can be pre-programmed into the storage medium and, when installed on a device with processing capabilities, can be invoked and executed to implement the functions of the method described in this application.
[0080] It should be noted that, for the sake of brevity, the foregoing method embodiments are described as a series of actions, but this does not mean that the application limits the order of the steps. Based on the ideas of this application, some steps can be executed in different orders or in parallel without affecting the functional implementation. Secondly, those skilled in the art should also understand that the specific embodiments described in the specification are preferred embodiments of the technical solutions of this application, and not limitations on the scope of protection of this application. All equivalent improvements or substitutions made within the spirit and principles of this application should be covered within the scope of protection of this application.
[0081] In conclusion, the above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A method for confirming the correctness of one-key sequential control of railway power transformation and distribution based on non-homogeneous two-factor authentication, characterized in that it includes the following steps: the sequence of the one-click sequential control operation ticket and the associated remote signaling, telemetry, protection self-test and visual recognition data are obtained; the data are time-stamped and coded according to a monotonic clock, standardized, and pruned of outliers to obtain a unified input set and a model baseline identifier for subsequent processing; a context package associated with a failure at a certain step is generated, the context package containing a snapshot of the unified input set, the model baseline identifier, the time source quality identifier and failure metadata, and the data in the context package are hashed in an immutable manner; the correctness of candidate actions for handling the anomaly is determined, and execution is decided, by two non-homogeneous factors: the influence domain of the context package is calculated on the merged graph of the interlocking graph and the causal graph, and structural legality is verified against the set of invariants; bounded calculus and an earliest violation search are performed on the digital twin model; a one-time instant authorization order and a set of constraint guardrail rules bound to the influence domain are output, the authorization order being generated from the minimum available permission set derived from the permission capability lattice and bound to the hash values of the context packet and the influence domain; and at the same time an audit log chain is recorded for replay verification.
2. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 1, characterized in that the generation of the unified input set includes: standardizing the remote signaling, telemetry, protection self-test and visual recognition data and pruning outliers in a sign-preserving manner; aggregating according to alignment windows and writing the clock source quality identifier; and calculating the fingerprint of the unified input set with a hash function and storing it merged with the model baseline identifier.
3. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 1, characterized in that the edge types of the interlocking graph include dependency, prohibition and blocking; the causal graph records multi-hop rules from actions to topology and protection; and the calculation of the influence domain proceeds along the aforementioned edges in the merged graph of the interlocking graph and the causal graph, bounded by a maximum depth and a visited-node deduplication strategy.
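As an added illustration that is not part of the patent text, the bounded influence-domain calculation of claim 3 in Python: a breadth-first walk over the merged interlocking/causal graph that follows only the named edge types, stops at a maximum depth, and deduplicates visited nodes. The graph, its node names and the edge-type labels are constructed sample values; the patent does not fix a concrete encoding.

```python
import hashlib
from collections import deque

# Constructed merged graph: node -> list of (neighbour, edge_type).
# The interlocking graph contributes "depend", "forbid" and "block" edges
# (claim 3); the causal graph contributes "cause" edges that encode the
# multi-hop action -> topology -> protection rules. All names are samples.
MERGED_GRAPH = {
    "act:open_DS101": [("topo:seg_A_isolated", "cause"), ("act:close_ES101", "depend")],
    "act:close_ES101": [("topo:seg_A_grounded", "cause"), ("act:close_CB11", "forbid")],
    "topo:seg_A_isolated": [("prot:zone2_cover", "cause")],
    "topo:seg_A_grounded": [("act:close_CB11", "block")],
    "prot:zone2_cover": [("prot:zone3_cover", "cause")],
    "prot:zone3_cover": [("prot:zone4_cover", "cause")],
    "act:close_CB11": [],
}

# Only these edge types are followed when propagating influence.
TRAVERSED_EDGE_TYPES = frozenset({"depend", "forbid", "block", "cause"})


def influence_domain(graph, seeds, max_depth):
    """Bounded BFS from the seed nodes of a context packet.

    Returns {node: depth_first_reached}. A node is enqueued at most once
    (access deduplication) and expansion stops once depth reaches max_depth.
    """
    visited = {}
    queue = deque()
    for seed in seeds:
        if seed not in visited:
            visited[seed] = 0
            queue.append((seed, 0))
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue                      # depth bound: do not expand further
        for neighbour, edge_type in graph.get(node, []):
            if edge_type not in TRAVERSED_EDGE_TYPES or neighbour in visited:
                continue                  # unsupported edge or already visited
            visited[neighbour] = depth + 1
            queue.append((neighbour, depth + 1))
    return visited


def domain_hash(domain):
    """Order-independent hash of an influence domain, usable for binding an
    authorization order to the domain (claim 7)."""
    canonical = "\n".join(sorted(domain))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    dom = influence_domain(MERGED_GRAPH, ["act:open_DS101"], max_depth=2)
    for node, depth in sorted(dom.items(), key=lambda kv: kv[1]):
        print(depth, node)
    print("domain hash:", domain_hash(dom))
```

With a depth bound of 2 the walk stops before the deeper protection-zone hops, so the domain (and therefore its hash) is a deterministic function of the seed set and the bound, which is what makes the bound part of the security claim: a larger bound yields a strictly larger scope.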
4. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 3, characterized in that...; the invariant set consists of the following entries: prohibition of parallel power supply segments, no power before closing and grounding release, coverage of bus and branch operating limits, and no gaps in the protection zones; each entry is implemented by a decision function that accepts the field snapshot of the context packet as input and returns a Boolean decision.
5. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 1, characterized in that the digital twin model assembles the topological state, the protection state and the estimator outputs into a state vector; the state transition function is updated according to the causal rules and the limit check is called at each step; and the earliest violation search advances in time steps and returns the evidence chain and a path identifier when an invariant first evaluates to false.
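As an added illustration that is not part of the patent text, the invariant decision functions of claim 4 and the step-bounded earliest violation search of claim 5 together in Python. The state vector, causal rules and the four invariants are constructed simplifications (two segments, two transformers, two protection zones); the patent describes the structure of these components but not a concrete data model.

```python
import copy
import hashlib

# Constructed state vector: topology (feeding transformers per segment, earthing
# switches), protection (zone -> covered segments) and estimator values (amps).
def initial_state():
    return {
        "feeds": {"seg_A": {"T1"}, "seg_B": {"T2"}},
        "earth_closed": {"seg_A": False, "seg_B": False},
        "prot_cover": {"zone1": {"seg_A"}, "zone2": {"seg_B"}},
        "load_A": {"seg_A": 800.0, "seg_B": 600.0},
        "limit_A": {"seg_A": 1000.0, "seg_B": 1000.0},
    }

# Causal rules: one state-update function per action type (claim 5).
def rule_close_tie(s, seg, src):   s["feeds"][seg].add(src)
def rule_open_feed(s, seg, src):   s["feeds"][seg].discard(src)
def rule_close_earth(s, seg):      s["earth_closed"][seg] = True
def rule_shift_load(s, seg, amps): s["load_A"][seg] += amps
def rule_drop_zone(s, zone):       s["prot_cover"].pop(zone, None)

CAUSAL_RULES = {
    "close_tie": rule_close_tie, "open_feed": rule_open_feed,
    "close_earth": rule_close_earth, "shift_load": rule_shift_load,
    "drop_zone": rule_drop_zone,
}

# Invariant decision functions (claim 4): snapshot in, Boolean out.
def inv_no_parallel_segments(s):
    return all(len(src) <= 1 for src in s["feeds"].values())

def inv_dead_before_grounding(s):
    return all(not closed or not s["feeds"][seg]
               for seg, closed in s["earth_closed"].items())

def inv_limits_covered(s):
    return all(s["load_A"][seg] <= s["limit_A"][seg] for seg in s["load_A"])

def inv_no_protection_gap(s):
    covered = set().union(*s["prot_cover"].values())
    return all(seg in covered for seg, src in s["feeds"].items() if src)

INVARIANTS = {
    "no_parallel_segments": inv_no_parallel_segments,
    "dead_before_grounding": inv_dead_before_grounding,
    "limits_covered": inv_limits_covered,
    "no_protection_gap": inv_no_protection_gap,
}


def earliest_violation(state, ticket, max_steps):
    """Bounded calculus: apply at most max_steps ticket actions to a copy of the
    state, calling every invariant after each step. Returns None if no
    invariant fails within the bound, else the first failure with its evidence
    chain (the actions applied so far) and a path identifier."""
    s = copy.deepcopy(state)
    evidence = []
    for step, action in enumerate(ticket[:max_steps], start=1):
        name, *args = action
        CAUSAL_RULES[name](s, *args)          # state transition
        evidence.append((step, action))
        for inv_name, check in INVARIANTS.items():
            if not check(s):
                path_id = hashlib.sha256(repr(evidence).encode()).hexdigest()[:16]
                return {"step": step, "invariant": inv_name,
                        "evidence": evidence, "path_id": path_id}
    return None


if __name__ == "__main__":
    bad_ticket = [("open_feed", "seg_A", "T1"), ("close_tie", "seg_A", "T2"),
                  ("close_earth", "seg_A")]
    print(earliest_violation(initial_state(), bad_ticket, max_steps=10))
```

The bound is the difference between a proof and a probe: `max_steps` limits how far the twin is advanced, so a ticket whose violation lies beyond the bound is reported as "no violation found within the bound", not as safe. A caller that treats `None` as unconditional safety has silently widened its trust.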
6. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 1, characterized in that the permission capability lattice organizes permission elements in a partial order and supports least-upper-bound and greatest-lower-bound operations; the minimum available permission set is obtained by mapping the target sensitivity level and the hit tags; and the permission scope is limited to the devices or regions covered by the influence domain, out-of-domain authorization being prohibited.
7. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 1, characterized in that the one-time instant authorization order includes the minimum available permission set, a scope identifier, a validity period, an issuer signature and revocation condition fields; the authorization order is further bound to the context packet hash and the influence domain hash, and automatically becomes invalid when any field of the context packet changes.
8. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 4, characterized in that the constraint guardrail rule set includes temporary interlocks, backoff hooks and constraint signatures; the temporary interlocks solidify key priority relationships into rule items, the backoff hooks set a maximum completion time for the target object, and the constraint signatures record the rule number, the object and the time threshold.
9. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 1, characterized in that the audit log chain is extended by concatenating the previous chain head with the current record and hashing the result to obtain the new chain head; the current record includes at least the model baseline identifier, the context packet hash, the structural verification conclusion, the calculation result, the authorization order identifier and the guardrail rule set number.
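As an added illustration that is not part of the patent text, the context packet hashing of claim 1, the permission lattice of claim 6, the one-time authorization order of claim 7 and the audit log chain of claim 9 in one Python module. The lattice is modelled as subsets of permission elements (join is union, meet is intersection), the issuer signature as an HMAC under a placeholder key, and the permission mapping as a constructed table; the patent specifies the structure of these fields, not the concrete algorithms.

```python
import hashlib
import hmac
import json
import secrets

# Placeholder only: a real issuer keeps its signing key in an HSM or signing service.
ISSUER_KEY = b"placeholder-issuer-key"


def canonical_hash(obj):
    """SHA-256 over a canonical JSON encoding; sets are sorted so the hash does
    not depend on insertion order (used for context packet and domain hashes)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      default=lambda o: sorted(o) if isinstance(o, (set, frozenset)) else str(o))
    return hashlib.sha256(data.encode()).hexdigest()


# Claim 6: permission elements under subset order. Constructed sample mapping
# from (sensitivity level, hit tag) to the permission elements it requires.
PERMISSION_MAP = {
    ("L2", "retry"): frozenset({"re-exec-step"}),
    ("L2", "skip"): frozenset({"re-exec-step", "skip-step"}),
    ("L3", "takeover"): frozenset({"manual-takeover", "ack-alarm"}),
}

def lub(*elems):            # least upper bound = union
    return frozenset().union(*elems)

def glb(a, b):              # greatest lower bound = intersection
    return frozenset(a) & frozenset(b)

def min_permission_set(level, tags):
    """Smallest lattice element covering every hit tag at the given level."""
    return lub(*(PERMISSION_MAP.get((level, t), frozenset()) for t in tags))


# Claim 7: one-time instant authorization order.
def issue_order(ctx_packet, domain, level, tags, validity_s):
    body = {
        "order_id": secrets.token_hex(8),            # one-time identifier
        "permissions": sorted(min_permission_set(level, tags)),
        "scope": sorted(domain),                     # never wider than the influence domain
        "validity_s": validity_s,
        "revoke_if": "context_packet_changed",
        "ctx_hash": canonical_hash(ctx_packet),
        "domain_hash": canonical_hash(sorted(domain)),
    }
    body["issuer_sig"] = hmac.new(ISSUER_KEY, canonical_hash(body).encode(), "sha256").hexdigest()
    return body


def verify_order(order, ctx_packet, domain, target, consumed):
    """Re-derive every binding before execution. `consumed` holds used order ids."""
    unsigned = {k: v for k, v in order.items() if k != "issuer_sig"}
    expected = hmac.new(ISSUER_KEY, canonical_hash(unsigned).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, order["issuer_sig"]):
        return False, "bad issuer signature"
    if order["ctx_hash"] != canonical_hash(ctx_packet):
        return False, "context packet changed"       # automatic invalidation (claim 7)
    if order["domain_hash"] != canonical_hash(sorted(domain)):
        return False, "influence domain changed"
    if target not in order["scope"]:
        return False, "out-of-domain target"         # prohibited by claim 6
    if order["order_id"] in consumed:
        return False, "order already used"
    consumed.add(order["order_id"])
    return True, "ok"


# Claim 9: audit log chain, head_n = H(head_{n-1} || H(record_n)).
class AuditChain:
    GENESIS = "0" * 64

    def __init__(self):
        self.head = self.GENESIS
        self.records = []

    def append(self, record):
        self.head = hashlib.sha256((self.head + canonical_hash(record)).encode()).hexdigest()
        self.records.append(record)
        return self.head

    def replay_verify(self):
        """Recompute from genesis; an edited, dropped or reordered record changes the head."""
        head = self.GENESIS
        for record in self.records:
            head = hashlib.sha256((head + canonical_hash(record)).encode()).hexdigest()
        return head == self.head
```

Two design points follow from the claims. The order is signed after the context and domain hashes are inside it, so a verifier cannot be handed a valid signature over a different scope; and the scope check is a membership test against the influence domain, so even a correctly signed order cannot be used on a device outside the domain it was computed for. Replay verification of the chain needs only the records and the published head, which is what makes the log independently checkable.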
10. The method for confirming the correctness of one-key sequential control of railway power distribution based on non-homogeneous two-factor authentication according to claim 4, characterized in that, for railway traction power supply scenarios, the set of invariants and the causal rules further include traction transformer and segment parallel switching rules, segment return path constraints, and traction rectification and protection zone redrawing rules, which are registered in the digital twin model with dedicated parameter tables and equipment mappings.