Train Protection with SIL 4 Computer
A future-oriented application for train protection, such as computer-controlled interlocking blocks and other wayside equipment, integrates a safe computer for SIL 4 operation with complete redundancy at board level. One COTS single-board computer provides the safety of a triple-redundant 2oo3 system, yet is programmed like a single-CPU/memory system. Two identical SBCs are then connected into a cluster, forming a safe I/O concept. All processors run the same program in lockstep, performing the same tasks simultaneously, while a voter compares the outputs of all processors. The platform is certifiable with safe operating systems such as VxWorks CERT, PikeOS or Integrity.
The solution is based on the 6U VMEbus card A602 with three PowerPC 750 processors. Working memory is triple redundant; ECC-secured Flash is dual redundant, as are the local power supplies. All critical functions are implemented as IP cores in an FPGA that itself has a triple-redundant structure. Additional diagnosis mechanisms (BITE, e.g. extensive self-tests) help to detect latent errors before they lead to a system error, increasing both safety and availability. For the same purpose, the design is oriented towards strictly deterministic operation, avoiding interrupts and DMA.
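The two safety mechanisms described above, the 2oo3 voter and the detection of latent single-lane faults, are easiest to understand in code. The following C program is an added example written for this page; it is not firmware from the A602/D602 or from its vendor, and every name in it (vote_2oo3, run_cycle, lane_compute, the fault masks) is a constructed placeholder. It models three lockstep lanes computing the same simplified wayside decision, votes their outputs, counts how often each lane is outvoted, and drives the restrictive output whenever no majority exists.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of one 2oo3 vote. All identifiers in this file are constructed
 * for the example and are not taken from the A602/D602 documentation. */
typedef enum {
    VOTE_AGREE,       /* all three lanes agree */
    VOTE_MASKED,      /* one lane outvoted: majority output used, lane flagged */
    VOTE_NO_MAJORITY  /* no two lanes agree: fail-safe output must be commanded */
} vote_status_t;

typedef struct {
    vote_status_t status;
    uint32_t      output;       /* voted output, valid unless VOTE_NO_MAJORITY */
    int           faulty_lane;  /* index of the outvoted lane, -1 if none */
} vote_result_t;

/* 2-out-of-3 majority voter over the outputs of three lockstep lanes. */
vote_result_t vote_2oo3(uint32_t a, uint32_t b, uint32_t c)
{
    vote_result_t r = { VOTE_NO_MAJORITY, 0u, -1 };
    if (a == b && b == c) { r.status = VOTE_AGREE;  r.output = a; }
    else if (a == b)      { r.status = VOTE_MASKED; r.output = a; r.faulty_lane = 2; }
    else if (a == c)      { r.status = VOTE_MASKED; r.output = a; r.faulty_lane = 1; }
    else if (b == c)      { r.status = VOTE_MASKED; r.output = b; r.faulty_lane = 0; }
    return r;
}

/* Simplified wayside logic run identically by every lane: a signal may be
 * cleared (1) only if the protected section is free and the points are
 * locked for the route; otherwise it stays at danger (0). Constructed. */
static uint32_t lane_compute(uint32_t track_free, uint32_t points_locked)
{
    return (track_free && points_locked) ? 1u : 0u;
}

#define SAFE_OUTPUT 0u   /* restrictive aspect: the fail-safe state */

/* Per-lane count of cycles in which the lane was outvoted. A lane that is
 * outvoted repeatedly carries a latent fault; BITE-style diagnostics must
 * surface it instead of letting the voter mask it silently forever. */
static unsigned      lane_miscompares[3];
static vote_result_t last_vote = { VOTE_AGREE, 0u, -1 };

/* One lockstep cycle: the same inputs go to all three lanes, each lane's
 * output is XORed with its fault mask (0 = healthy lane) to simulate a
 * hardware fault, and the results are voted. Returns the value driven to
 * the safe output. */
uint32_t run_cycle(uint32_t track_free, uint32_t points_locked,
                   uint32_t mask0, uint32_t mask1, uint32_t mask2)
{
    uint32_t expected = lane_compute(track_free, points_locked);
    last_vote = vote_2oo3(expected ^ mask0, expected ^ mask1, expected ^ mask2);
    if (last_vote.faulty_lane >= 0)
        lane_miscompares[last_vote.faulty_lane]++;

    /* Without a majority the voter cannot tell which lane is right, so the
     * only safe decision is the restrictive output. */
    return (last_vote.status == VOTE_NO_MAJORITY) ? SAFE_OUTPUT : last_vote.output;
}

vote_status_t last_vote_status(void)       { return last_vote.status; }
int           last_outvoted_lane(void)     { return last_vote.faulty_lane; }
unsigned      lane_miscompare_count(int i) { return lane_miscompares[i]; }

int main(void)
{
    printf("healthy lanes:  output=%u status=%d\n",
           run_cycle(1u, 1u, 0u, 0u, 0u), last_vote_status());
    printf("lane 1 faulty:  output=%u outvoted lane=%d\n",
           run_cycle(1u, 1u, 0u, 1u, 0u), last_outvoted_lane());
    printf("no majority:    output=%u status=%d\n",
           run_cycle(1u, 1u, 0u, 2u, 4u), last_vote_status());
    printf("lane 1 miscompares so far: %u\n", lane_miscompare_count(1));
    return 0;
}
```

The design choice worth noting is that a masked miscompare is never treated as "no event": the outvoted lane is counted every cycle, because a 2oo3 system that has silently degraded to two healthy lanes has lost its fault tolerance, and the next fault can only be answered with the restrictive output.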
The same architecture on 6U CompactPCI is realized in the safe computer D602.
Standard Components Used in this Example
The A602 is a 6U, 64-bit VME COTS computer, certifiable up to SIL 4 and DAL-A, with triple redundancy for functional safety on a single board to achieve fail-operational, fault-tolerant behavior.
The D602 is a 6U CompactPCI COTS computer, certifiable up to SIL 4 and DAL-A, with triple redundancy for functional safety on a single board to achieve fail-operational, fault-tolerant behavior.