IEEE 2839:2021 pdf free download – IEEE Recommended Practicefor Vital Computer for RailSafety-Related Application

02-12-2022

According to the definition in IEC 62425, the safety integrity levels for rail safety-related systems range, from lower to higher, from safety integrity level 1 (SIL1) to SIL4. The safety requirements against systematic failure are the same for SIL1 and SIL2, and likewise the same for SIL3 and SIL4. Therefore, as a simplification, this recommended practice stipulates that the basic modules of VCs should satisfy at least SIL2 or SIL4.
NOTE—The safety integrity of a safety-related system is expressed in the form of a SIL, which represents the integrity against systematic failure, and a tolerable hazard rate (THR), which represents the integrity against random failure. In this recommended practice, SIL is used to describe the safety integrity of a system; this means that both the requirements for systematic failure and the relevant requirements for random failure should be considered.
The safety integrity level of the basic modules, or of a combination of them, used for a SIL4 application should be SIL4, and for a SIL2 application it should be at least SIL2. VCs should be capable of supporting applications which carry out SIL4, SIL2, and SIL0 functions simultaneously. A VC system may contain SIL4, SIL2, and non-safety-related modules, and independence between modules with different SILs should be assured.
NOTE—Non-safety-related modules may not be supplied by the VC.
For closed communication between internal modules, the safety requirements of IEC 62280 should be met. For closed or open communication between VCs and external equipment, the safety requirements of IEC 62280 should also be met; generally this is achieved by the application system rather than by the VC. It is also possible for the VC to realize it, but then the safety-related communication protocol for the external equipment would be constrained by the VC.
A VC should provide at least four operating modes: power-on, full operation, partial operation, and shutdown, and the VC should switch between modes on the basis of its operating status. Figure 1 shows the modes and the transitions among them.
– Power-on: A VC should perform an overall self-test of all modules in "power-on" mode and transition to "full operation" mode after completing the test correctly; "partial operation" mode should be entered when minor faults are detected; "shutdown" mode should be entered when serious faults are detected.
– Full operation: Operation mode for normal conditions. In full operation mode, "partial operation" mode should be entered when minor faults are detected and "shutdown" mode should be entered when serious faults are detected.
– Partial operation: Operation mode in case minor faults are detected but the function of the system is not affected; "shutdown" mode should be entered when serious faults are detected, and "full operation" mode may be re-entered by maintenance actions.
– Shutdown: When serious faults are detected, the VC system enters the fail-safe state: all safety-related outputs should be kept in a safe state, such as open or low-voltage status, and all external communication should be terminated.
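The four modes and the transitions listed above form a small state machine, and the point a practitioner cares about is that every serious fault, from any mode, ends in shutdown with outputs de-energised and external communication closed, and that nothing at run time can leave shutdown. The following Python is an added example, not text or code from IEEE 2839 or from any VC product; it assumes a two-class fault model (minor/serious), a de-energised-is-safe output model, a maintenance-restore hook, and a latched shutdown that only a power cycle can leave, none of which the page specifies in detail.

```python
"""Operating-mode state machine for a vital computer (VC).

Added example code, not from IEEE 2839 or any VC vendor.  Assumed for the
example: faults are classified as NONE/MINOR/SERIOUS, a boolean output of
True means 'energised' (the non-safe side), and shutdown is latched.
"""

from enum import Enum


class Mode(Enum):
    POWER_ON = "power-on"
    FULL = "full operation"
    PARTIAL = "partial operation"
    SHUTDOWN = "shutdown"


class Fault(Enum):
    NONE = 0
    MINOR = 1      # function not affected: degrade to partial operation
    SERIOUS = 2    # must fail safe: shutdown


class IllegalTransition(Exception):
    """Raised for a mode change the state machine does not allow."""


class VitalComputer:
    """Tracks the operating mode and enforces the fail-safe invariant."""

    def __init__(self, outputs):
        # outputs: {name: energised}; all True here is the constructed
        # 'normal running' state before any fault is reported.
        self.mode = Mode.POWER_ON
        self.outputs = dict(outputs)
        self.comm_open = True

    def self_test(self, results):
        """Power-on self-test: `results` holds one Fault per module."""
        if self.mode is not Mode.POWER_ON:
            raise IllegalTransition("self-test only runs in power-on mode")
        worst = max(results, key=lambda f: f.value, default=Fault.NONE)
        self._apply(worst)
        return self.mode

    def report_fault(self, fault):
        """Run-time fault report from any module; returns the new mode."""
        if self.mode is Mode.POWER_ON:
            raise IllegalTransition("complete the self-test first")
        if self.mode is Mode.SHUTDOWN:
            return self.mode  # latched: only a power cycle leaves shutdown
        self._apply(fault)
        return self.mode

    def maintenance_restore(self):
        """Maintenance action: partial operation -> full operation only."""
        if self.mode is not Mode.PARTIAL:
            raise IllegalTransition(f"cannot restore from {self.mode.value}")
        self.mode = Mode.FULL
        return self.mode

    def is_safe(self):
        """Fail-safe invariant: in shutdown nothing is energised or talking."""
        if self.mode is not Mode.SHUTDOWN:
            return True
        return not any(self.outputs.values()) and not self.comm_open

    def _apply(self, worst):
        if worst is Fault.SERIOUS:
            self._shutdown()
        elif worst is Fault.MINOR:
            self.mode = Mode.PARTIAL
        elif self.mode is Mode.POWER_ON:
            self.mode = Mode.FULL
        # Fault.NONE while already FULL or PARTIAL: no change.  A PARTIAL
        # system never clears itself; only maintenance_restore() does.

    def _shutdown(self):
        self.mode = Mode.SHUTDOWN
        self.outputs = {name: False for name in self.outputs}  # de-energise
        self.comm_open = False  # terminate all external communication


def demo():
    """Walk a constructed fault sequence through the machine and return the
    mode trace plus the final object.  Inputs are made up for the example."""
    vc = VitalComputer({"signal_A": True, "point_B": True})
    trace = [vc.self_test([Fault.NONE, Fault.MINOR]).value]   # partial
    trace.append(vc.maintenance_restore().value)              # full
    trace.append(vc.report_fault(Fault.NONE).value)           # still full
    trace.append(vc.report_fault(Fault.SERIOUS).value)        # shutdown
    trace.append(vc.report_fault(Fault.NONE).value)           # stays shutdown
    return trace, vc


if __name__ == "__main__":
    modes, machine = demo()
    print(" -> ".join(modes), "| safe:", machine.is_safe())
```

The two invariants worth copying into a real design are visible in `_shutdown()` and `report_fault()`: the safe state is forced unconditionally (the outputs are overwritten, not merely flagged), and shutdown is absorbing, so no later "no fault" report can re-energise anything.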
A VC should be capable of connecting with external modules which are not VC modules but are compatible with VCs in their mechanical and electrical interfaces. In this case, a VC may not provide its internal communication protocol to the application system, but it is possible for the VC to communicate with the external modules through an external communication interface.
For the purpose of improving the reliability of an application system, with the precondition that safety is assured, a VC should be capable of organizing systems in hot-standby or parallel form while assuring the same safety level as a single system.
To a certain extent, the reliability and safety of VCs depend on the design of the application system, the environment, and the operating and maintenance conditions. VCs should provide these dependent conditions (i.e., requirements) to application systems in the form of formal documents, so as to inform application system developers how to satisfy them. Requirements which the application system is unable to satisfy should be passed on by the application system to the final users of the VC (i.e., the users of the application system).
In the aspect of mechanical requirements, IEC 60297-3-101 should be complied with. Because VCs are provided in the form of modules (i.e., plug-in units), it is impossible to regulate the mechanical size of the rack or cabinet in which the VCs are installed. Taking into consideration the compatibility and interchangeability of a VC in its mechanical structure as a plug-in unit, the sizes 3U and 6U are highly recommended and 4U is recommended.
