
Design and Implementation of a Safety Computer System for Maglev Trains

2026-04-06 05:57:46
Abstract: This paper studies the onboard safety computer of a maglev train, taking the Automatic Protection System (ATP) as the application background. Starting from the safety requirements of the maglev train's onboard ATP system, it studies the dual-machine comparison mode. Using a microcontroller as the experimental platform, a safety computer system that meets the "fail-safe" principle is designed and implemented, and experimental verification is carried out for the various failure phenomena that may occur.

Keywords: maglev train, Automatic Protection System, dual-machine comparison, safety, "fail-safe"

With the development of science and technology, maglev trains, as a new type of transportation, have gradually entered our lives. How to ensure the reliability and safety of maglev trains has become a real problem facing researchers. The maglev train automatic protection system (MATP) is a crucial link in ensuring reliable train operation and must have high reliability. To avoid the serious consequences that an ATP system failure could cause, the ATP is generally designed with a redundant structure. This paper designs a safety computer system based on the "fail-safe" principle, taking the maglev train ATP system as the application background.

Among redundant systems, dual-mode redundancy is the preferred choice because of its high reliability and low hardware cost, and within dual-mode redundancy the dual-machine comparison structure is a commonly used solution. After startup, this scheme synchronously collects external data and compares the calculation results of the two processors: if the results are the same, the corresponding control signal is output; otherwise, the external system is redirected to the safe side. The system is therefore built on the "fail-safe" principle and has high safety, but it lacks fault tolerance. For a public transportation tool such as a maglev train, safety is undoubtedly paramount, so this structure basically meets the requirements. To improve system reliability, the dual-machine comparison structure can also be configured as a "fail-safe" redundant system through software design.

1. Overall Structure Design

The system mainly consists of an input circuit board, two main CPU boards, an arbitration CPU board, and an output circuit board. The system block diagram is shown in Figure 1.

[align=center]Figure 1 System Structure Diagram[/align]

External states are converted by the relevant circuits into data that the CPUs can process. The input circuit latches this data so that both processing CPUs read identical values at the same time. Each processing CPU processes the acquired signal according to its ATP algorithm, calculates the result, stores it temporarily in a buffer, and then transmits it to the arbitration CPU. The arbitration CPU compares the two results. If they are the same, it outputs the result and sends a success message to both processing CPUs. Otherwise, it sends a retransmission command requesting the processing CPUs to resend their results. If the results still differ after two retransmissions, the system shuts down and raises an alarm, redirecting the external system directly to the safe side. To catch output bus failures that the comparison alone cannot diagnose, the system also establishes a readback mechanism: the output signal is read back and compared, further verifying the system's integrity. The output circuit transmits the relevant control data and latches the previously sent control signal for readback comparison.

2. Main CPU Board Design

This unit is the core of the entire ATP system. It is primarily responsible for synchronously reading the externally acquired status information, synchronously calculating the ATP-related data, outputting the result data for comparison by the arbitration CPU, and outputting the control data. The circuit block diagram of the main CPU board unit is shown in Figure 2.
[align=center]Figure 2 Main CPU Board Hardware Block Diagram[/align]

This board consists of two CPUs that simultaneously read external data, process it in parallel, and after calculation encode and send the result to the arbitration CPU for judgement. Throughout system operation this board carries the result transmission and the related communication to the arbitration machine, so the reliability of that transmission must be guaranteed. Data transmission mainly uses dual-port RAM, and the two processing CPUs communicate with each other via serial ports to complete the synchronization tasks. To ensure communication reliability, the processing unit uses a CAN bus as communication redundancy: if communication between the dual-port RAM and the host computer fails, activating the backup CAN link greatly improves system reliability.

When the two processing CPUs receive a read-external-signal command from the arbitration CPU, they must latch the external signal and then read it, so that both CPUs read the same data. After reading the external signal, the two processing CPUs send the read data to each other and compare it. If the data differ, they latch and read again, then compare again. If the comparison still fails after N attempts (N is determined experimentally; in this system, N = 5), the external system is redirected to the safe side. Without such a limit, the repeated read operations would keep the system in a waiting state indefinitely, producing an infinite loop that prevents normal operation.

3. Arbitration CPU Board Hardware Design

The arbitration CPU board is mainly responsible for determining the status of the two processors on the processor board, exchanging data with the processing units, and, after a successful comparison, controlling the output of processing CPU A through the output circuit or directly outputting the result itself.

The two main CPU boards encode the data processed by the ATP algorithm according to fixed rules and transmit it to the arbitration CPU board through the dual-port RAM (or the spare CAN bus). After receiving the information from both processing CPU boards within a precise time window, the arbitration CPU board first compares the information. If the comparison results match, it lets the processing CPU A board output safely; if they do not match, it treats the system as faulty: the system shuts down, the output of the processing CPU A board is disconnected, the system is redirected to the safe side, and an alarm is issued to notify personnel for repair. The hardware circuit of the arbitration CPU board is shown in Figure 3.

[align=center]Figure 3 Arbitration Board Structure Diagram[/align]

Communication between the arbitration CPU and the processing CPUs is mainly achieved through dual-port RAM. When a processing CPU completes its data processing, it writes the result to the dual-port RAM, and the arbitration CPU retrieves the data directly from the dual-port RAM as needed. CAN serves as the backup communication channel; if the dual-port RAM fails, the CAN fieldbus is immediately activated to complete the communication task. To achieve synchronous processing by the two processing CPUs, the arbitration CPU, after receiving a complete set of comparison data, sends an interrupt signal to both processing CPUs carrying the read-external-data command, and then compares their calculation results. In the overall processing flow, the data processing time of the processing CPUs is much longer than the comparison and output time of the arbitration CPU, which allows the processing CPUs and the arbitration CPU to work in a pipelined manner and improves the system's data processing efficiency.
After the arbitration CPU has successfully compared the data, it still needs to notify both processing CPUs so that the outdated results held in their buffers can be deleted before the next calculation result is transmitted.

4. Input and Output Board Design

The input board provides digital and analog inputs. It can latch external signals to ensure that the two processing CPU boards read them synchronously, and it can also provide a self-test signal to the processing CPUs during system startup, helping the system perform fault monitoring and fault location and thus improving reliability. The output board connects the ports of processing CPU A and the arbitration CPU, ensuring that control signals can be transmitted smoothly to the controller. A readback circuit is designed between this board and the arbitration board: after each control signal is sent out, the arbitration CPU reads it back to confirm that the control signal is correct. This also monitors the output bus between the processing CPU and the output circuit; if that bus fails, the arbitration CPU can activate its own bus output to the output board, further improving system reliability.

5. System Safety Design

To ensure high system safety, if the comparison of results between the two machines fails or a fault is detected in either machine, the system stops operating, redirects to the safe side, and alerts maintenance personnel. Fault confirmation is achieved through timed timeout technology and communication data encoding verification technology. After processing the data, a processing CPU encodes and sends the result. After sending, it waits for a fixed period for the specific status signals and the read-external-data command from the arbitration CPU. If the status signal is incorrect or a timeout occurs, the arbitration CPU is considered faulty, its operating status record is changed to faulty, the system stops operating, and it redirects to the safe side.
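The fail-safe decision chain described in sections 1 to 4 (synchronous input cross-check with N = 5, arbitration with at most two retransmissions, and output readback), as an added C model that is not the paper's code. The fault counters, the SPEED_LIMIT threshold and the atp_compute() rule are constructed assumptions, and the timeout and status-encoding checks of section 5 are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example (not the paper's code): one ATP cycle of the dual-machine comparison
 * scheme. The fault counters are constructed inputs; atp_compute() stands in for the
 * unspecified ATP algorithm. Timeouts and status encoding are not modelled here. */
#define MAX_INPUT_RETRIES 5   /* N = 5 latch-and-compare attempts (section 2) */
#define MAX_RETRANSMITS   2   /* arbiter issues at most two resend commands (section 1) */
#define SPEED_LIMIT       5   /* hypothetical threshold used by atp_compute() */
#define FAILSAFE         -1   /* run_cycle() result: output cut, system sent to safe side */
typedef struct {
    int  input_mismatches;   /* leading attempts on which the two latched inputs differ */
    int  result_mismatches;  /* leading transmissions on which the two results differ */
    bool output_bus_fault;   /* output board latches something other than what was sent */
} faults_t;

/* Hypothetical ATP rule: energise the brake relay (1) when the input exceeds the limit. */
static uint16_t atp_compute(uint16_t in) { return in > SPEED_LIMIT ? 1 : 0; }
/* Both processing CPUs latch the input board and exchange readings over the serial
 * link; after N disagreements the caller must go to the safe side. */
static bool sync_read_input(uint16_t sample, const faults_t *f, uint16_t *value) {
    for (int attempt = 1; attempt <= MAX_INPUT_RETRIES; attempt++) {
        uint16_t a = sample;                                               /* CPU A reads */
        uint16_t b = attempt <= f->input_mismatches ? sample ^ 1 : sample; /* CPU B reads */
        if (a == b) { *value = a; return true; }
        /* readings differ: latch and read the input again */
    }
    return false;
}
/* Arbitration CPU: compare the two encoded results, command a retransmission on
 * mismatch, and report failure if they still differ after two resends. */
static bool arbitrate(uint16_t result, const faults_t *f, uint16_t *out) {
    for (int tx = 1; tx <= 1 + MAX_RETRANSMITS; tx++) {
        uint16_t a = result;                                               /* CPU A's result */
        uint16_t b = tx <= f->result_mismatches ? result ^ 1 : result;      /* CPU B's result */
        if (a == b) { *out = a; return true; }
        /* mismatch: send a retransmission command to both processing CPUs */
    }
    return false;
}

/* One full cycle: synchronous read, compute, arbitrate, output, read back.
 * Returns the relay state (0 or 1) or FAILSAFE. */
int run_cycle(uint16_t sample, faults_t f) {
    uint16_t in, out;
    if (!sync_read_input(sample, &f, &in)) return FAILSAFE;
    if (!arbitrate(atp_compute(in), &f, &out)) return FAILSAFE;
    uint16_t latched = f.output_bus_fault ? out ^ 1 : out; /* what the output board holds */
    if (latched != out) return FAILSAFE;                   /* readback disagrees: cut output */
    return out;
}
```

With four input disagreements and two result disagreements the cycle still succeeds on the last permitted attempt; a fifth input disagreement, a third result disagreement, or a readback mismatch each drive the cycle to FAILSAFE.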
Due to the deterministic nature of the maglev train ATP algorithm, the time for each cycle can be predetermined. Thus, after receiving the first data item, and again after receiving both, the arbitration CPU waits a fixed period for the next data and verifies each result; if a timeout or verification error occurs, the corresponding processing CPU is considered faulty. After receiving data from a processing CPU, the arbitration CPU immediately replies with an acknowledgment code, allowing the processing CPU to confirm the arbitration CPU's status and preventing it from wrongly assuming that the arbitration CPU has failed. Through the above arrangements, a mutual fault monitoring mechanism is established within the system. The three CPUs encode and output the status of the objects they monitor, and these three signals are finally integrated into the overall system status signal. A change in any internal state causes a change in the overall system status, which in turn is used to guide the system to the safe side.

6. Simulation Experiment Verification

After the design of this safety computer device was completed, simulation tests were conducted in the laboratory. A square wave signal with a period of 1 second is fed to the input board, and the processing CPU board reads the data from the input board every 10 milliseconds. The two CPUs compare the data and change the state of the output relay in real time; if the comparison results are inconsistent, the output is cut off and an alarm is triggered. The system was tested under the following simulated fault conditions:

1. Removing one CPU simulates a CPU malfunction or processing error. The system immediately disconnects the output relay, shuts down, and no longer responds to any external signal, guiding the external system to the safe side.
2. Removing or restarting the microcontroller on the arbitration board likewise immediately disconnects the relay, invalidates the output, shuts down, and no longer responds to any external signal, guiding the system to the safe side.
3. Disconnecting the CAN communication controller, as in the two cases above, also redirects the system to the safe side.
4. Powering off the output board causes an incorrect readback, so the system also immediately shuts down and redirects to the safe side.

It is worth noting that the system cannot recover automatically under the above fault conditions, which shows that it lacks online maintainability. Nevertheless, the test results meet the design requirements and basically satisfy the safety requirements of the maglev train ATP system.

7. Conclusion

The innovations of this system are mainly as follows. First, output control and output data are handled by different parts, which further reduces the probability of erroneous output and facilitates the implementation of the fault-oriented safety (fail-safe) function. Second, the circuit introduces input self-testing and output readback, further increasing system reliability. Third, the "fail-safe" mechanism of the dual-machine comparison system allows the system to avoid danger. Analysis of this safety computer structure using Markov theory [5] shows that its safety level is significantly higher than that of a typical dual-machine redundancy scheme. Applied to the maglev train ATP system, this system can fully meet the system design requirements.

References:
1. Hu Mou. Computer Fault-Tolerant Technology. Beijing: China Railway Publishing House, 1995.
2. Li Yibin, Liu Ming, Wang Xiaoming. Arbitrator Design of Dual-Machine Fault-Tolerant System. Microcomputer Information, 1997, Vol. 13, No. 4: 71-73.
3. Wang Zhenxi. Reliability, Redundancy and Fault-Tolerant Technology. Aviation Industry Press, 1991.
4. Zhao Zhixi. Microcomputer Interlocking System Technology. Beijing: China Railway Publishing House, 1995.
5. Yan Jianping, Wang Xishi. Reliability and Safety Analysis of Two Types of Dual-Machine Hot Standby Structures. Journal of Railway Engineering, 2000, Vol. 22, No. 3: 124-127.