IEEE Std 2839:2021 pdf free download – IEEE Recommended Practice for Vital Computer for Rail Safety-Related Application

02-12-2022 comment

According to the definition of IEC 62425, the safety integrity level for rail safety-related systems from lower to higher are safety integrity level (SIL) 1 to SIL4. Safety requirements to systemic failure for SIL1 are the same as for SIL2, and requirements for SIL3 are also the same as for SIL4. Therefore, in terms of simplification, this recommended practice stipulates that basic modules of VCs should satisfy SIL2 or SIL4 at least.
NOTE—The safety integrity of a safety-related system is expressed in the form of SIL, which represents the integrity of systematic failure, and tolerable hazard rate (THR), which represents the integrity of random failure. In this recommended practice, SIL is used to describe the safety integrity of a system; it means that both requirements for systematic failure and relevant requirements for random failure should be considered.
Safety integrity level of the basic modules or combination of them used for SIL4 application should be SIL4, and for SIL2 application it should be SIL2 at least. VCs should be capable of supporting applications which carry out SIL4, SIL2, and SIL0 functions simultaneously. In a VC system it is possible to contain SIL4, SIL2, and non-safety-related modules, and independence between modules with different SILs should be assured.
NOTE—Non-safety-related modules may not be supplied by the VC.
For closed communication of internal modules, safety requirements from IEC 62280 should be met. For closed or open communication between VCs and external equipment, safety requirements from IEC 62280 should be met; generally this is achieved by the application system instead of a VC. It is also possible for the VC to realize this, but the safety-related communication protocol for external equipment would be constrained by a VC.
A VC should provide at least four operating modes: power-on, full operation, partial operation, and shutdown, and the VC should transform the modes on the basis of operating status. Figure 1 shows the modes and the transfer among them.
A VC should be capable of connecting with external modules which are not VC modules but compatible with VCs in mechanical and electric interfaces. In this case, a VC may not provide internal communication protocol to an application system, but it is possible for a VC to communicate with external modules through an external communication interface.
For the purpose of improving reliability of an application system with the precondition of safety assured, a VC should be capable of organizing systems in the form of hot-standby or parallel and assuring the same safety level as single system.
To a certain extent, reliability and safety of VCs depend on the design of the application system, the environment, and the operating and maintaining conditions. VCs should provide dependent conditions (i.e., requirements) to application systems in the form of formal documents, so as to inform application system developers how to satisfy these requirements. For the requirements which are unable to be satisfied, application systems should transfer them to final users of the VC (i.e., users of the application system).
In the aspect of mechanical requirements, IEC 60297-3-101 should be complied with. Due to the fact that VCs are provided in the form of modules (i.e., plug-in units), it is impossible to regulate the mechanical size of a rack or cabinet in which VCs exist. Taking into consideration the compatibility and interchangeability of a VC in its mechanical structure for plug-in unit, the sizes of 3U and 6U are highly recommended and 4U is recommended.
NOTE—Symbol “U” means the increment of 44.45 mm in the vertical direction as defined in IEC 60297-3-101.
6. Function requirements
The functions of a VC should consist of fundamental functions (input, process, output, and communication) and application functions (system configuration, application developing support, diagnostics, and records). Figure 2 shows the fundamental function boundary of a vital computer. Generally, these functions are sufficient for general rail application systems except particular requirements which could be recognized by the application system itself and interfaced with by the VC.
