Method for in-service monitoring of the safety data communication process of a train control system
Technical field
The method for in-service monitoring of the safety data communication process of a train control system proposed by the present invention belongs to a new class of communication security monitoring technology guided by functional safety theory.
Background technology
Train automatic control and protection is a safety-critical system that ensures safe train operation. It is typically composed of transducers such as the transponder (balise) receiving unit and the vehicle speed measurement unit, the on-board safety controller, the actuators that carry out vehicle braking actions, the secure data communication system, and the radio block center (RBC) that generates the driving instructions.
Transmitting secure data accurately and on time is the basic function of the data communication system. Errors in the transmission course such as bit errors, repetition, loss, insertion, reordering and delay all affect the functional safety of the train control system. A train control system whose safety integrity is required to reach SIL4 must have a dangerous failure rate of less than 10^-8/h, and the share of that figure allocated to the residual error rate of the communication system (also called the SIL contribution rate) is, by regulation, generally no more than 1%. The residual error (failure) rate of secure communication should therefore be less than 10^-10/h. Even if it is assumed that only 1% of undetected erroneous messages lead to a dangerous train failure, the residual error rate of the safe communication system must still be less than 10^-8/h.
Train control communication comprises the in-vehicle network for communication between on-board units, the GSM-R wireless network between train and ground, and the ground computer network for communication among the RBC, interlocking and dispatching systems, all of which belong to the class of transmission systems that cannot simply be trusted; the bit error rates of their transmission media are typically of the order of 10^-5, 10^-3 and 10^-6 respectively. The transmitted code must be checked by CRC, and on top of a passing CRC check the data must additionally be verified by the security module, before the error rate of the safety application data can reach the required level of 10^-8/h.
The functional safety of the communication process depends not only on the reliability of the communication equipment, but also on whether the interference injected into the system by the environment or other factors has exceeded the level anticipated at design time. If failures appear in the hardware or software of the communication system, or external interference exceeds the value predicted at design time, the functional safety of the communication system is jeopardised. During train operation, abnormal interference such as electromagnetic noise may be encountered and system errors such as failures of the communication system hardware and software may occur, causing problems with the secure data and threatening train operation safety.
Summary of the invention
The purpose of the present invention is to provide a method for in-service monitoring of the safety data communication process of a train control system, so as to discover in time the abnormal interference and system failures that occur in the data communication process and guarantee the communication security of the train control data.
The method for in-service monitoring of the data communication process of a train control system is characterized in that it comprises the following steps:
1) In part of the network nodes of the vehicle-mounted wired segment, the train-ground wireless network segment and the ground industrial Ethernet segment, communication security in-service monitoring software is loaded respectively, or dedicated autonomous devices that have network interfaces matching the respective segment and are loaded with the communication security in-service monitoring software are used;
2) The vehicle controller or the radio block center sends, into the vehicle-mounted wired segment, the train-ground wireless segment and the ground industrial Ethernet segment respectively, test frames carrying an agreed mark and agreed content at an agreed fixed time interval;
3) The monitoring software opens a sliding monitor window of fixed length. From the bit error rate of the transmission medium under normal conditions, the length of the data frame and the transmission frequency, the length of the sliding monitor window is calculated separately for the vehicle-mounted wired segment, the train-ground wireless segment and the ground industrial Ethernet segment:
Given the bit error rate P_bit of the transmission medium, the data link layer frame length L and the average transmission frequency f_DL of data link layer frames, the length L_Win of the sliding monitor window is calculated as follows.
Frame error ratio of the transmission medium: P_frame = 1 - (1 - P_bit)^L.
Length of the sliding monitor window: L_Win = 1 / (P_frame * f_DL), i.e. at most one CRC-check erroneous frame is allowed to occur within one sliding monitor window;
4) After the monitoring software receives a frame, it judges whether the frame is a test frame:
a) If it is a test frame, the monitoring software checks whether the agreed mark and agreed content in the frame, and the time interval at which it received the test frame, match what was agreed in advance. If they match, it continues to accept the next frame. If they do not match, it checks whether the count of consecutive erroneous test frames has reached three; if so, it sends the secure communication function (SCF) failure alarm; if not, it sends the SCF failure early warning, adds one to the count of consecutive erroneous test frames, and continues to accept the next frame;
b) If it is not a test frame, the monitoring software checks whether the time elapsed since it last received a test frame exceeds the preset limit. If the limit is exceeded, it sends the SCF failure alarm; if not, it carries out the cyclic redundancy check (CRC);
5) If the CRC is correct, the monitoring software continues to accept the next frame;
6) If the CRC finds a communication error, the monitoring software judges whether the number of erroneous frames found in the current sliding monitor window exceeds one; if so, it sends the warning that the degree to which secure communication is disturbed exceeds the predetermined level; if not, it continues to accept the next frame.
The present invention has the following advantages and notable effects:
By opening a sliding monitor window and counting the number of erroneous frames that the CRC check finds within the window, the present invention monitors whether the level of abnormal interference to which the communication system is subjected lies within the predetermined range. By sending and checking specific test frames, the present invention monitors the ability of the train control secure data communication system to transmit data frames correctly and effectively.
The method of the present invention can monitor at the same time the abnormal interference and the system errors to which the train control safe communication system is subject: the degree to which the communication system is disturbed is determined by monitoring the communication errors that the CRC check finds within a sliding monitor window of fixed length, and system errors are monitored by determining the ability of the communication system to transmit data frames correctly and effectively. The method is simple and easy to implement.
Description of drawings
Fig. 1 is the flow chart of monitoring software.
Embodiment
To demonstrate the method of the present invention clearly, an example in which the method is applied to monitoring the CTCS-3 safe communication system is given below.
When this method is applied to monitoring the CTCS-3 secure data communication system, the existing train control safe communication system is taken as the basis, and the communication security in-service monitoring software is loaded in part of the network nodes of the vehicle-mounted wired segment (such as MVB), the train-ground wireless segment and the ground industrial Ethernet respectively, to realize the function of the communication security in-service monitoring device described above. Alternatively, dedicated autonomous devices that have the corresponding network communication interfaces and are loaded with the communication security in-service monitoring software can be used to realize the function of the communication security in-service monitoring device.
The vehicle controller or the RBC (radio block center) sends, into the vehicle-mounted wired segment, the train-ground wireless segment and the ground industrial Ethernet segment respectively, test frames with a specific mark (such as a specific number) and specific content at an agreed fixed time interval.
Fig. 1 is the flow chart of the monitoring software.
The safety integrity level of the CTCS-3 train control system must reach SIL4, and the contribution of the dangerous failure rate of the communication process to the dangerous failure rate of the system may not exceed 1~2%. That is, the residual error (failure) rate P_residual of secure communication should be less than 10^-10/h. Even if it is assumed that only 1% of undetected erroneous messages lead to a dangerous train failure, the residual error rate of the safe communication system must still be less than 10^-8/h. In the application of this method, the residual error rate P_residual of the safe communication system is taken to be equal to the frame error ratio P_frame of the data link layer multiplied by P_undetected, where P_undetected is the undetected-error probability of verification methods such as the CRC check (cyclic redundancy check) and the safety layer MAC check.
The monitoring software opens a sliding monitor window of fixed length. From the bit error rate of the transmission medium and the data frame length of the data link layer, the length of the sliding monitor window is calculated separately for the vehicle-mounted wired (such as MVB) segment, the train-ground wireless segment and the ground industrial Ethernet segment.
Given the bit error rate P_bit of the transmission medium, the data link layer frame length L and the average transmission frequency f_DL of data link layer frames, the length L_Win of the sliding monitor window is calculated as follows.
Predetermined frame error ratio of the transmission medium: P_frame = 1 - (1 - P_bit)^L.
Length of the sliding monitor window: L_Win = 1 / (P_frame * f_DL), i.e. at most one CRC-check erroneous frame is allowed to occur within one sliding monitor window.
After the monitoring software receives a frame, it determines whether the frame is a test frame:
a) If it is a test frame, the monitoring software checks whether the agreed mark and agreed content in the frame, and the time interval at which it received the test frame, match what was agreed in advance. If they match, it continues to accept the next frame. If they do not match, it checks whether the count of consecutive erroneous test frames has reached three; if so, it sends the secure communication function (SCF) failure alarm; if not, it sends the SCF failure early warning, adds one to the count of consecutive erroneous test frames, and continues to accept the next frame;
b) If it is not a test frame, the monitoring software checks whether the time elapsed since it last received a test frame exceeds the preset limit. If the limit is exceeded, it sends the SCF failure alarm; if not, it carries out the cyclic redundancy check (CRC). If the CRC is correct, it continues to accept the next frame; if the CRC finds an error, it judges whether the number of CRC-erroneous frames in the current sliding monitor window exceeds one; if so, it sends the warning that the degree to which secure communication is disturbed exceeds the normal level; if not, it continues to accept the next frame.
By monitoring in service the transmission of the test frames and the number of erroneous frames that the CRC check finds within the sliding window, the monitor judges whether a system error has occurred in the secure communication process and whether abnormal interference has been encountered, and sends the corresponding alarm for each situation.
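As an added example (not part of the patent), the following Python model implements the monitor described in steps 3 to 6 and in the embodiment above: the window-length formula, the test-frame checks with the consecutive-error count, the test-interval limit, and the sliding-window count of CRC-erroneous frames. The frame layout (4-byte CRC32 trailer), the test mark "TEST" and test content, the tolerance and limit values, and the demo traffic are all constructed assumptions.

```python
import zlib
from collections import deque

def window_length(p_bit, frame_len_bits, f_dl):
    """L_Win in seconds: P_frame = 1 - (1 - P_bit)^L, L_Win = 1 / (P_frame * f_DL)."""
    p_frame = 1.0 - (1.0 - p_bit) ** frame_len_bits
    return 1.0 / (p_frame * f_dl)

class Monitor:
    MARK, BODY = b"TEST", b"\x5a\xa5"   # agreed test-frame mark and content (constructed)
    def __init__(self, l_win, period, limit, tol=0.2):
        self.l_win, self.period, self.limit, self.tol = l_win, period, limit, tol
        self.bad = deque()       # arrival times of CRC-bad frames inside the window
        self.last_test = None    # arrival time of the last test frame (good or bad)
        self.test_errors = 0     # count of consecutive erroneous test frames
    def receive(self, t, frame):
        """Handle one frame (payload + 4-byte CRC32 trailer) arriving at time t."""
        payload, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
        if payload.startswith(self.MARK):                    # step 4a: test frame
            on_time = self.last_test is None or abs(t - self.last_test - self.period) <= self.tol
            self.last_test = t
            if payload[len(self.MARK):] == self.BODY and on_time:
                self.test_errors = 0                         # assumption: a good test frame resets the count
                return None
            if self.test_errors >= 3:                        # check precedes the increment, as in the text
                return "SCF_FAILURE"
            self.test_errors += 1
            return "SCF_WARNING"
        if self.last_test is not None and t - self.last_test > self.limit:   # step 4b
            return "SCF_FAILURE"                             # test frames have stopped arriving
        if zlib.crc32(payload) == crc:                       # step 5
            return None
        while self.bad and t - self.bad[0] > self.l_win:     # step 6: slide the window forward
            self.bad.popleft()
        self.bad.append(t)
        return "INTERFERENCE" if len(self.bad) > 1 else None

def frame(payload):
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def demo():
    """Constructed GSM-R-like traffic: P_bit=1e-3, L=256 bits, f_DL=2 frames/s, test period 1 s."""
    mon = Monitor(window_length(1e-3, 256, 2), period=1.0, limit=1.5)
    test, data = frame(Monitor.MARK + Monitor.BODY), frame(b"speed=80")
    bad = data[:-1] + bytes([data[-1] ^ 0xFF])           # data frame with a corrupted CRC trailer
    wrong = frame(Monitor.MARK + b"\x00\x00")            # test frame with wrong agreed content
    events = [(0.0, test), (0.3, data), (0.6, bad), (1.0, test), (1.2, bad),
              (2.0, wrong), (3.0, wrong), (4.0, wrong), (5.0, wrong), (7.0, data)]
    return [(t, a) for t, f in events for a in [mon.receive(t, f)] if a]
```

With these parameters the window is about 2.2 s, so the second corrupted frame at 1.2 s raises the interference warning, the fourth consecutive bad test frame raises the SCF failure alarm, and the data frame arriving 2 s after the last test frame raises it again.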