CN117002562A - Vehicle-mounted platform based on embedded software redundancy
- Publication number
- CN117002562A
- Authority
- CN
- China
- Prior art keywords
- cpu
- main
- redundancy
- standby
- control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L15/00—Indicators provided on the vehicle or train for signalling purposes
- B61L15/0063—Multiple on-board control systems, e.g. "2 out of 3"-systems
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Hardware Redundancy (AREA)
Abstract
The application provides a vehicle-mounted platform based on embedded software redundancy and relates to the technical field of vehicle-mounted equipment. The platform comprises a railway-specific annunciator body and a control board with two CPUs that share one set of peripheral circuits. The two CPUs check each other using an application-layer software redundancy switching method, one acting as master and the other as slave, which keeps information synchronized, provides fault detection, and allows undisturbed switching when a fault occurs. The application adds embedded software redundancy to dual-CPU control and applies it to the vehicle-mounted platform, thereby enhancing fault tolerance and anti-interference capability, improving fault recovery capability, optimizing delay and throughput, and greatly enhancing the reliability and stability of the vehicle-mounted platform.
Description
Technical Field
The application relates to the technical field of vehicle-mounted equipment, in particular to a vehicle-mounted platform based on embedded software redundancy.
Background
The vehicle-mounted platform is important equipment for guaranteeing driving safety. It provides a communication link among the train dispatcher, the station attendant and the train driver at any time, so that the train runs under the dispatcher's control and special conditions can be handled promptly. It plays a very important role in improving transportation efficiency and guaranteeing driving safety.
However, most existing vehicle-mounted platform equipment adopts a single-core processor scheme. When a local fault occurs, the system has difficulty completing its specified functions and fault handling takes longer. Performance is easily limited when the platform has to process several tasks and is poor when a quick response is needed, which affects overall working efficiency and response speed and greatly reduces the reliability and stability of the equipment.
Disclosure of Invention
The application aims to provide a vehicle-mounted platform based on embedded software redundancy, which can enhance the fault tolerance and anti-interference capability of the vehicle-mounted platform during working, improve the fault recovery capability of the vehicle-mounted platform and greatly improve the working efficiency.
To achieve the above purpose, the present application provides the following technical solution: a vehicle-mounted platform based on embedded software redundancy, comprising a railway-specific annunciator body and a control board with two CPUs that share one set of peripheral circuits. The two CPUs, one master and one slave, check each other using an application-layer software redundancy switching method, so that undisturbed switching can be achieved when a fault occurs.
In the first aspect, the hardware platform for the embedded software redundancy adopts a modular design with an embedded intelligent chip as its core. Redundancy is implemented between the two main chips, which share the peripheral circuits. The processor module and the input/output module on the control board use a dual-CPU redundancy architecture, and all modules are connected through a motherboard, which provides the interconnection of the internal systems and the power supply.
In the second aspect, in the application-layer software redundancy scheme, the two machines are online at the same time and monitor each other, and master control rights are arbitrated and transferred between the programs. A dual-CPU identity recognition mechanism of "first start-up as master" is adopted, and the master and standby roles are switched between the two CPUs. The hot standby CPU is ready at all times; once the main control CPU fails, it immediately acquires the master control rights and becomes the main control CPU, achieving undisturbed switching. The scheme mainly uses a CPU arbitration and transfer method based on master control rights and a synchronous control method for the dual CPU modules, and the software redundancy subsystem is developed with a structured programming method.
Compared with the prior art, the application has the technical effects and advantages that:
1. In the application, software redundancy is added to the vehicle-mounted platform, which improves the reliability and stability of the system. The software redundancy is implemented by backing up two identical CPU modules: when the main control CPU fails or produces an error, the system switches automatically to the hot standby CPU, which prevents the system from crashing or stopping and keeps the vehicle-mounted station operating normally. Redundancy coding increases the redundancy of the data, which improves its resistance to interference and reduces the probability of data transmission errors. Fault tolerance is also improved: even if one CPU module fails or produces an error, the vehicle-mounted platform can continue to work, which is very important for application scenarios with high reliability requirements (such as automatic driving and safety monitoring).
2. According to the application, the vehicle-mounted platform with software redundancy achieves rapid fault recovery and seamless switching: when the main control CPU breaks down, the system switches rapidly to the hot standby CPU, and the user can continue to use the vehicle-mounted platform almost without noticing. The parallel transmission mode can be used for transmitting data through one communication path, which greatly improves data transmission efficiency. Maintainability is also improved: through software redundancy the vehicle-mounted station supports hot backup and hot switching of modules, which reduces downtime for system maintenance and upgrades. The vehicle-mounted platform has higher flexibility and expandability and, through software redundancy, switches automatically to the standby module when a fault occurs, so that system breakdown or stoppage is avoided and user experience and satisfaction are improved.
Drawings
FIG. 1 is a block diagram of a "hot-standby" redundancy scheme;
FIG. 2 is a hardware configuration diagram of a dual CPU redundancy control software scheme;
FIG. 3 is a schematic diagram of a master-slave CPU communication;
FIG. 4 is a schematic diagram of a master/slave CPU synchronization process;
FIG. 5 is a flow chart of a dual CPU control arbitration and transfer process;
FIG. 6 is a flow chart of a dual CPU synchronization control procedure;
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, embodiments of the application.
As shown in fig. 1, the present application provides a technical solution: a vehicle-mounted platform based on embedded software redundancy, comprising a railway-specific annunciator body and one control board that contains two CPUs sharing one set of peripheral circuits.
The hardware configuration, shown in fig. 2, adopts a modular design. To avoid a large increase in cost, the peripheral circuits are shared and only one additional parallel core processing unit is added. The two CPUs, one main and one standby, check each other using an application-layer software redundancy switching method.
The control board is divided into a motherboard, a processor module, a communication module (CNBR), an input/output module (I/O), a power supply module (PSDA), a redundancy management module and so on, and also comprises a fault detection sub-module, a data processing sub-module and a redundancy switching sub-module. The fault detection sub-module performs fault detection on the CPU modules, including self-detection by each CPU module and mutual detection between the CPU modules. The data processing sub-module derives the CPU output control logic from the information collected by the system input acquisition sub-module and the fault detection result of the fault monitoring sub-module. The redundancy switching sub-module controls the local load and the remote load according to the output control logic given by the system processing sub-module.
During system operation, the two CPU control units on the processor module operate synchronously. The two control units are identical mirror images: one is the main control CPU unit and the other is the hot standby CPU unit, and whichever starts first is the main control CPU unit. Redundant interaction channels between the main and standby CPU control units are used for data voting, system synchronization, mutual monitoring and the like.
Each of the two CPU control units of the processor module has self-diagnosis capability: it can detect its own running state during operation and generate a reset signal in time when a fault occurs. The two CPU control units can also diagnose each other's running state. When one CPU control unit fails, the fault is discovered in time, the system channel is switched at the first opportunity and a fault alarm is raised, ensuring safe and stable operation of the system.
The processor module and the I/O module use a CAN bus for data communication. An interface between the CAN protocol controller and the physical bus is added to provide differential transmit capability to the bus and differential receive capability to the CAN controller.
A watchdog timer is added, which improves the reliability and safety of the system and prevents system deadlock. An independent CAN controller is adopted, which provides higher processing capacity and faster data transmission, reduces the burden on the main controller, and reduces the complexity and development cost of the system. The independent CAN controller can also provide more hardware resources and interfaces, which makes it easier to expand the system and add functions.
The dual-CPU identity recognition mechanism of "first start-up as master" is adopted, so that the main control CPU and the hot standby CPU are completely equal: the CPU that starts first is the main control CPU and the CPU that starts later is the hot standby CPU. The mechanism is implemented by a port monitoring method. On start-up, the local machine tries to connect to the other party. If the connection succeeds, the other party has already started, and the local machine is marked as the hot standby CPU; if the connection fails, the local machine is marked as the main control CPU, and a socket is bound to the main/standby communication port to listen. Thus, whenever the hot standby CPU starts, the main control CPU receives its connection request and establishes a connection with it.
Heartbeat signals are used between the main CPU and the standby CPU to monitor each other's working state and serve as an auxiliary means of diagnosing equipment faults. Once the heartbeat signal between the main control CPU and the hot standby CPU fails, one of the devices has failed, and the cause of the equipment failure can be preliminarily determined.
Fig. 3 shows the flow of dual-CPU communication. To further improve the availability of the dual-CPU active/standby switching system, each of the two channels records a timestamp when a heartbeat from the other party is received. When the heartbeat fails, the network that last received a heartbeat is selected according to the heartbeat timestamps, and the remote detection point corresponding to that network is checked. If the remote detection point can be reached, the other party is down and offline, and the local CPU is normal and can run as the main control CPU; otherwise the local CPU is marked as down and should work as the hot standby CPU.
Fig. 4 shows how master-slave CPU synchronization is achieved. Synchronization of the master and slave CPUs comprises not only clock synchronization but also synchronization of the master CPU's state and data. When both the main CPU and the standby CPU work normally, they receive information from the network at the same time, but only the main CPU has the authority to send information to external equipment; the standby CPU only receives external information and stays silent with respect to sending. For task initialization on the main and standby CPUs to begin synchronously, the main and standby CPUs must be powered on simultaneously. As soon as the task start instruction reaches the main control CPU, it notifies the hot standby CPU to start the task, so that the hot standby CPU enters the working mode at the same time.
Fault detection and switching between the main and standby CPUs rely on the following three measures. (1) A watchdog timer is provided in both the main and the standby machine. After the system is powered on, the processor clears the watchdog counter at fixed intervals during normal operation. If the main CPU or the standby CPU fails, the watchdog counter exceeds a certain threshold and the watchdog generates a reset signal to reset the processor, so that a failure of the main or standby CPU can be detected. (2) After the main and standby CPUs are powered on, the system runs a self-check, including memory detection, I/O device detection and the like, so that it can be determined at power-on whether the system hardware works normally. (3) While the system is running, the main CPU and the standby CPU monitor each other's working state through the state of the heartbeat line and the state of the dual networks. Because each CPU is definitively identified as main or standby by identity recognition at power-on, if the main CPU detects a fault in the standby CPU during operation, no switch takes place and the main CPU keeps working; if the standby CPU detects a failure of the main CPU, the switch is performed and the standby CPU takes over from the main CPU and continues the work.
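The heartbeat-timestamp check of fig. 3 combined with measure (3) above, as an added C illustration that is not part of the patent text. All type and function names, the 300 ms timeout and the sample timestamps are assumptions made for the example.

```c
/* Added illustration, not from the patent: all names and values are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_NETS      2     /* the text describes dual networks */
#define HB_TIMEOUT_MS 300u  /* assumed heartbeat timeout */

enum role   { ROLE_MASTER, ROLE_STANDBY };
enum action { KEEP_ROLE, TAKE_OVER, STAY_MASTER_ALARM, DEMOTE_SELF };

struct net {
    uint32_t last_hb_ms;      /* local time stamp of the last peer heartbeat */
    bool     probe_reachable; /* can this net's remote detection point be reached? */
};

struct node {
    enum role  role;          /* fixed at power-on by identity recognition */
    struct net net[NUM_NETS];
};

/* Unsigned subtraction stays correct when the 32-bit tick counter wraps. */
static uint32_t age_ms(uint32_t now, uint32_t stamp) { return now - stamp; }

/* Decide what the local CPU should do at time now_ms. */
enum action arbitrate(const struct node *n, uint32_t now_ms)
{
    /* Pick the network on which a heartbeat was received most recently. */
    int newest = 0;
    for (int i = 1; i < NUM_NETS; i++)
        if (age_ms(now_ms, n->net[i].last_hb_ms) <
            age_ms(now_ms, n->net[newest].last_hb_ms))
            newest = i;

    /* A fresh heartbeat on any network means the peer is alive. */
    if (age_ms(now_ms, n->net[newest].last_hb_ms) <= HB_TIMEOUT_MS)
        return KEEP_ROLE;

    /* Heartbeat lost: if that network's detection point is unreachable,
     * the fault is local, so this CPU must not hold the master role. */
    if (!n->net[newest].probe_reachable)
        return DEMOTE_SELF;

    /* Peer is down. A master keeps working (no switch, alarm only);
     * a standby takes over the master control rights. */
    return n->role == ROLE_MASTER ? STAY_MASTER_ALARM : TAKE_OVER;
}

/* Role after carrying out the decision. */
enum role apply_action(enum role current, enum action a)
{
    if (a == TAKE_OVER)   return ROLE_MASTER;
    if (a == DEMOTE_SELF) return ROLE_STANDBY;
    return current;
}

int main(void)
{
    /* Constructed sample: standby CPU, last heartbeats at 1000 ms and 1200 ms. */
    struct node standby = { ROLE_STANDBY, { {1000u, true}, {1200u, true} } };
    static const char *names[] = { "KEEP_ROLE", "TAKE_OVER",
                                   "STAY_MASTER_ALARM", "DEMOTE_SELF" };

    printf("t=1400 ms: %s\n", names[arbitrate(&standby, 1400u)]);
    printf("t=2000 ms: %s\n", names[arbitrate(&standby, 2000u)]);

    standby.net[1].probe_reachable = false;  /* local link fault on net 1 */
    printf("t=2000 ms, probe fails: %s\n", names[arbitrate(&standby, 2000u)]);
    return 0;
}
```

The probe result is passed in as a field so that the decision stays a pure function; on a real board it would be filled in by whatever reachability check the platform uses for its remote detection points.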
The working principle of the application
The system adopts a design scheme of double CPU redundancy fault tolerance, the processor module and the input/output module are designed by adopting a double CPU redundancy architecture, and all the modules are connected through a motherboard to complete interconnection and intercommunication of internal systems and power supply. The embedded control board operating system software platform adopts an Android system, and the annunciator operating system software platform adopts an Android SDK.
Two CPU modules of the same model are placed on the same control board, and redundancy control is performed using backplane communication. In the software redundancy mode only one CPU module needs to be added, and state monitoring and transfer of master control rights between the two CPU modules are implemented through programming.
In the interactive communication system, an upper computer transmits data signals to a host computer, two CPUs synchronously receive related data, but only one CPU is responsible for mainly outputting signals to a lower computer, and the other CPU is in a monitoring preparation state and ready to take over work at any time. When the CPU responsible for main output fails, the other CPU takes over work to become main output, and the CPU originally responsible for main output automatically becomes standby output after the fault is repaired and stands by at any time. The method can reduce the switching frequency of the host and improve the real-time performance of the communication system.
As shown in FIG. 5, two CPUs run on line simultaneously, one is in the master control mode and the other is in the hot standby mode, and the arbitration and transfer of master control rights are completed. The CPU with the master control has I/O control, and the hot standby CPU output is forbidden, only data is collected and communication connection is maintained. The two CPU modules mutually monitor the running state and communication condition of each other, and if the main control CPU module is found to be faulty, the hot standby CPU module obtains the main control right.
As shown in fig. 6, the hot standby CPU is ready at any time, and once the master CPU fails, the master control right is immediately acquired to become the master control CPU, so that the synchronous control of the dual-CPU module is completed. The main control CPU must transmit its own state information to the hot standby CPU in real time, and the hot standby CPU must track the change of the main control CPU, keep synchronous with the main control CPU, and realize undisturbed switching when the two CPU modules transfer the main control rights.
The dual-CPU main-standby switching mode realizes real-time software redundancy, can be switched seamlessly when the main CPU fails, and ensures the continuity and reliability of the system. Meanwhile, the configuration of the double CPUs can improve the computing capacity and reliability of the system, and further enhance the effect of software redundancy.
In a word, the software redundancy is applied to the communication of the vehicle-mounted platform, so that the reliability, stability and anti-interference capability of the communication can be improved, the safe transmission of data and the normal operation of a system are ensured, and better service experience is provided for users.
The non-disclosed parts of the application are all prior art, and the specific structure, materials and working principle thereof are not described in detail. Although embodiments of the present application have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the application, the scope of which is defined in the appended claims and their equivalents.
Claims (6)
1. A vehicle-mounted platform based on embedded software redundancy, comprising a railway-specific annunciator body and a control board containing two CPUs that share one set of peripheral circuits, characterized in that:
(1) The mode of switching between the main CPU and the standby CPU is adopted, the control board comprises two identical CPUs, the identical tasks are executed, the consistency of data is maintained through real-time data synchronization and a decision algorithm, and when one CPU fails or is wrong, the other CPU can take over the functions in time, so that seamless switching is realized;
(2) The hardware part of the software redundancy control board adopts a modularized design, and the peripheral circuits are shared under the principle of not increasing a large amount of cost, and only one set of parallel core processing units are added, so that the embedded intelligent chip is used as a core, and the redundancy between the two main chips is realized.
2. The modular design of claim 1, wherein:
the processor module and the input/output module on the control panel are designed by adopting a double CPU redundancy architecture, and all the modules are connected through a motherboard to complete interconnection and power supply of internal systems.
3. The processor module dual CPU redundancy architecture design of claim 2, wherein:
the dual CPU control unit of the processor module has self-diagnosis capability, can detect the running state of the dual CPU control unit during running, and can timely generate a reset signal when faults occur.
4. A redundancy design as claimed in claim 3, characterized in that:
the two machines are online at the same time and monitor each other, master control rights are arbitrated and transferred between the programs, and, using the mode of switching between the main CPU and the standby CPU, the hot standby CPU is ready at all times; once the main control CPU fails, it immediately acquires the master control rights and becomes the main control CPU, so that undisturbed switching is achieved;
the method comprises the following steps: two CPUs run on line simultaneously, one is in a main control mode, the other is in a hot standby mode, the CPU with the main control right has I/O control right, the hot standby CPU is forbidden to output, and only data are collected and communication connection is kept. When the CPU responsible for main output fails, the other CPU takes over work to become main output, and the CPU originally responsible for main output automatically becomes standby output after the fault is repaired and stands by at any time.
5. The dual CPU active-standby switching mode of claim 4 wherein:
after the main and standby CPUs are determined, a socket is bound to the main/standby communication port to listen, so as to monitor the working state of the other party.
6. A method of monitoring the operational status of a counterpart as in claim 5, wherein:
heartbeat signals are used between the main CPU and the standby CPU to monitor each other's working state and serve as an auxiliary means of diagnosing equipment faults. Once the heartbeat signal between the main control CPU and the hot standby CPU fails, one of the devices has failed, and the cause of the equipment failure can be preliminarily determined.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310976451.8A CN117002562A (en) | 2023-08-04 | 2023-08-04 | Vehicle-mounted platform based on embedded software redundancy |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117002562A true CN117002562A (en) | 2023-11-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||