Abstract

A railway vital or critical application system substitutes commercial off-the-shelf (COTS) hardware and/or software for railway-domain specific product components, yet is validated to conform with railway vital system failure-free standards. The vital system uses a pair of COTS personal computers and operating systems with asymmetric communications capability. Each computer and operating system may differ for additional redundancy. Both computers receive and verify vital systems input message data and security code integrity and separately generate output data responsive to the input message. The first computer has sole capability to send vital system output messages including the output data and an output security code, but only the second computer has the capability of generating the output security code. A failure of either computer's hardware, software or processing capability results in failure to transmit a vital system output message or in an output message that cannot be verified by other vital systems.
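The asymmetric split described above can be modelled in a few lines. This is an added example, not code from the patent. It assumes HMAC-SHA256 as the security code, constructed keys, and hypothetical names (`computer_a`, `computer_b`, `compute_output`, `receiver_accepts`).

```python
import hashlib
import hmac

# Constructed keys (assumptions): both computers can check inbound codes,
# but only computer B holds the key that produces outbound codes.
INPUT_KEY = b"constructed-input-key"
OUTPUT_KEY = b"constructed-output-key"

def code(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key, data, tag):
    return hmac.compare_digest(code(key, data), tag)

def compute_output(data):
    # Hypothetical application logic, run independently on each computer.
    return b"ACK:" + data

def faulty(data):
    # Simulated processing fault on one computer.
    return b"ACK:" + data[::-1]

def computer_b(data, tag, logic=compute_output):
    """Verify the input, compute B's own output, return only its security code."""
    if not verify(INPUT_KEY, data, tag):
        return None
    return code(OUTPUT_KEY, logic(data))

def computer_a(data, tag, out_code, logic=compute_output):
    """Verify the input, compute A's own output, send it with B's code.
    A never touches OUTPUT_KEY, so it cannot produce a valid code itself."""
    if not verify(INPUT_KEY, data, tag) or out_code is None:
        return None  # nothing is transmitted
    return logic(data), out_code

def run(data, tag, logic_a=compute_output, logic_b=compute_output):
    return computer_a(data, tag, computer_b(data, tag, logic_b), logic_a)

def receiver_accepts(message):
    """A downstream vital system checking the output message."""
    return message is not None and verify(OUTPUT_KEY, message[0], message[1])
```

The output message verifies only when both computers independently arrive at the same output data; a divergence on either side yields a code that does not match what the first computer sends.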