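Functional Safety Hardware Architecture

2024-04-12

Functional Safety Hardware Architecture (5 articles)

Article 1: Functional Safety Hardware Architecture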

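Firewall and UTM products on the market today fall into roughly three categories by architecture.

The first category is based on the x86 platform. These platforms typically use one or more main CPUs to process traffic, and the NIC chips exchange data with the CPU over the PCI bus.

A traditional 32-bit PCI bus runs at 33 MHz, so its theoretical transfer rate is 132 MB/s, that is, 1056 Mbit/s. On PCI transfer rate alone this would satisfy a gigabit firewall, but in an x86 system the PCI bus is shared: if two NICs transfer data at the same time, each gets only 66 MB/s (528 Mbit/s), and if four network ports transfer data at the same time, each NIC gets only 16 MB/s (128 Mbit/s).

Judged by bus speed, an x86 platform with a 32-bit PCI bus is perfectly adequate as a 100 Mbit/s firewall. However, on x86 firewalls data moves from the NIC to the CPU by means of interrupts. When a large number of packets has to be processed (for example 64-byte packets, referred to below as small packets), the interrupt mechanism keeps throughput low, at around 30%, and CPU utilisation becomes very high. This problem is common to all x86-based firewalls.

Therefore an x86 platform with a 32-bit PCI bus cannot serve as a gigabit firewall, because the 32-bit PCI bus cannot deliver the transfer rate a gigabit firewall requires. Intel's answer to this was to upgrade the 32-bit PCI bus to PCI-E (PCI Express). The speed of a PCI-E 4x bus can reach MB/s, that is, 16 Gbit/s, and PCI-E devices are independent of one another and do not share bus bandwidth, so each PCI-E network port has 2000 MB/s, that is, 16 Gbit/s, available. In terms of system bandwidth, an x86 platform based on PCI-E 4x therefore has no problem serving as a gigabit firewall. But a PCI-E based firewall still uses interrupts to move data from the NIC to the CPU, so the pass rate for small (64-byte) packets remains 30-40%.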

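The second category is firewall and UTM products based on an ASIC architecture.

From the analysis above, the biggest weakness of x86 firewalls is the low small-packet throughput, only 30%-40%. The main causes are the x86 interrupt mechanism and the fact that all data on an x86 firewall must pass through the main CPU. ASIC-based firewalls change the architecture so that data received by the NIC is not processed by the main CPU; instead it is handled directly by dedicated chips integrated into the system, which perform the traditional firewall functions such as routing, NAT and firewall rule matching. Because the data bypasses the main CPU and no interrupts are used, ASIC is naturally the best choice for a firewall with simple functionality.

The problem that follows is that an ASIC firewall works at chip level: every firewall action is carried out by the chips. These chips have a fairly narrow function, and the development cycle for upgrades and maintenance is long. For a multi-function UTM gateway in particular, complex functions such as antivirus, spam filtering and network monitoring cannot be implemented at chip level. So ASIC is entirely suitable for a firewall with simple functionality, where even 64-byte small packets can reach line rate, but it is not an ideal choice for UTM, because functions such as gateway antivirus, spam filtering and network monitoring cannot be pushed down to chip level.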

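The third category is firewalls based on an NP architecture.

The NP architecture works on a similar principle to ASIC but is far easier to upgrade and maintain. In an NP architecture every network port has its own network processor (NPE) that handles the data arriving on that port. The programs running on each network processor are written in microcode, which makes the software fairly difficult to implement; the development cycle is shorter than for ASIC but longer than for x86. As a UTM platform, NP has the same limitation: the network processor on each port is not powerful enough, so complex functions such as gateway antivirus, spam filtering and access monitoring cannot be performed there either.

Some may ask why ASIC and NP designs cannot run gateway antivirus, spam filtering, access monitoring and similar functions on the main CPU, so that they can be used as UTM solutions. It is a good question, and many NP- and ASIC-based UTM products today do exactly that. The problem is that the main CPU in ASIC and NP firewalls is very weak. For example, in Intel's IXP2400-based high-end gigabit NP solution the main CPU is only 1.0G, and its processing power does not even match a Celeron 1.0G; compare it with the processing power of an x86 platform at a comparable clock frequency.

So a UTM gateway built on an ASIC or NP architecture can only serve as a low-end solution, such as a desktop UTM, and cannot be used as a mid-range or high-end UTM.

Keywords: firewall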

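Article 2: Functional Safety Hardware Architecture

Load sensor

The Dingzhou (鼎洲) intelligent dump truck system records the truck's load. When the maximum load is exceeded, the platform displays an alarm and plays a voice announcement.

Tarpaulin sensor

Highly sealed; detects whether the cargo box is sealed. The vehicle can start only when the seal is intact, which prevents spilling and leaking along the route.

Lift sensor

Lift-status monitoring device that reports in real time whether the vehicle body is raised. It can be configured so that lifting is allowed only on arrival at the construction site or disposal site and not while driving, which prevents construction waste from being dumped at arbitrary locations.

Fingerprint reader

Driver identification, enforcing one driver per vehicle. ACC is started by fingerprint recognition, and anyone who is not the driver of this vehicle cannot start it.

Camera

Captures video, rendering the continuous instantaneous state of the real environment as a sequence of two-dimensional still images played in order on a display. An intelligent dump truck needs at least 3 cameras to monitor all directions inside and outside the vehicle. They allow driver fatigue and driver blind spots to be detected promptly so that a reminder can be given, and they can recognise empty/loaded status and sealed status.

External screen

Information such as traffic violations and invalid permits is pushed automatically to the vehicle's external screen, so front-line enforcement officers can easily pick out abnormal vehicles and stop them for inspection.

Internal screen

The driver can see the transport permits that are valid, and can see ground conditions including the state of blind-spot areas.

ECU controller

Controlled by a computer board. When the dump truck violates traffic rules, the vehicle can be remotely speed-limited, lift-limited, or have its fuel and power cut (except China III (国3) vehicles).

Dump truck on-board intelligent terminal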

Article 3: Functional Safety Hardware Architecture

A medical device is generally used on patients, and its use may be associated with potential injuries. Because the use of a medical device can carry the risk of a severe outcome, it can result in patient injuries. It is important for medical devices to achieve the required safety by reducing potential risks. Risk management for medical equipment should be carried out in accordance with the ISO 14971 standard. This standard presents the process and framework applied to the risk management of medical devices[1]. The process includes identifying hazards associated with medical devices, estimating and evaluating risks, controlling the risks, and monitoring the effectiveness of the applied controls.

As part of the risk management activities, the safety of medical devices has to be evaluated according to the IEC 60601 standard. This standard deals with the requirements that ensure the basic safety and essential performance of medical electrical equipment and systems. The IEC 60601 standard is divided into the IEC 60601-1 and the IEC 60601-2/ISO 80601-2 series. The IEC 60601-1 standard includes the general requirements that should be applied to medical devices[2]. It covers the basic safety requirements of medical electrical equipment, and serves to ensure that no single electrical, mechanical, or functional failure poses an unacceptable risk to patients and operators. The IEC 60601-2/ISO 80601-2 series covers the basic safety and essential performance requirements in accordance with the features of each medical device.

Although risk management and safety assessment have been carried out to improve medical device safety, an increased number of medical device failures have occurred due to the increase in their operating hours. The probability of failure rises owing to the degradation of hardware components as a result of cumulative loading after continuous use[3]. These failures expose the patient to intolerable risks. Methods that address the reliability and safety of medical devices over time should be applied in the design and development phases. As one alternative approach, functional safety has recently been required to improve the safety of medical devices.

Functional safety is required for equipment under control (EUC), where the control systems depend on electrical/electronic/programmable electronic (E/E/PE) safety-related systems[4]. These control systems can be defined as being a part of the overall safety system. Kim et al.[5] emphasized that the key concept of functional safety consists of safety functions and safety integrity. A safety function is a specific function implemented to mitigate or eliminate the risks to acceptable levels. Safety integrity is the probability that the required safety function is successfully performed by E/E/PE safety-related systems. When a selected safety function is operated with the required safety integrity, functional safety of the designated system is implemented according to the required level.

Prior research studies on functional safety have been mainly conducted using software available in the medical device field. The IEC 62304 standard includes the software development process to achieve functional safety of medical devices[6]. Studies on the quality of the medical device software that was developed according to the IEC 62304 standard have already been conducted[7,8]. Investigators have sought to develop schemes for the traceability of medical software to ensure safety and quality[9,10]. When medical software is developed, the application of the IEC 61508 standard is inappropriate in the medical device sector[11]. The MDev SPICE-Adept process is thus utilized to evaluate the software safety of medical devices[12].

Several studies have been conducted to implement functional safety to medical devices at the system level. Risk analysis is conducted to enhance the safety for the wearable walking assistant robots[13]. The effect of risk reduction is compared between traditional and functional safety methods. Even though healthcare systems are in place, safety verification has not been carried out sufficiently in the development and integration phases. In order to solve the problem, functional safety must be applied in the fields of medical information and devices[14].

Although several studies related to functional safety of medical devices have been performed, previous research studies have been associated with limitations. These research studies have mainly focused on the software development process of the medical devices. Conceptual studies have been partially conducted for functional safety. The needs for functional safety in the medical field have only been emphasized in the published research studies. The specific scheme for the approach of functional safety is not provided in previous studies. Application targets and scopes of functional safety do not reflect the characteristics of the medical device sector. The subject of functional safety is the E/E/PE system involved in safety functions. Nevertheless, previous studies are associated with errors in that systems other than the E/E/PE systems are considered as the boundary of functional safety. The safety integrity level (SIL) has been determined not for the safety functions but for the E/E/PE systems. To solve this problem, studies related to the approach of functional safety have to be executed for medical devices.

The purpose of this study is to present a method to determine the safety functions and SIL of functional safety based on the characteristics of the safety aspects for the medical device sector. The scope and subjects are defined in order to implement the functional safety of medical devices. Functional safety analysis is performed based on the relationship of safety functions, and on the essential performance specified in the standards related to medical device safety. The SIL of the essential performance is determined according to the potential risk levels, based on the classification rules of medical devices. As a case study, the approach is applied to the pulse oximeter.

1 ESSENTIAL PERFORMANCE OF MEDICAL DEVICES AND APPLICATION SCOPES OF FUNCTIONAL SAFETY

Risk management in accordance with the ISO 14971 standard is the highest level of activity performed to achieve the safety of medical devices. The assessment of the basic safety and essential performance is one part of the risk management activities for medical devices. The requirements for satisfying the basic safety of medical devices are specified in the general standard IEC 60601-1, and the standard series IEC 60601-2/ISO 80601-2. The IEC 60601-1 deals with the general requirements that should be applied to medical devices. The IEC 60601-2/ISO 80601-2 series presents the requirements of basic safety and essential performance reflecting the characteristics of each medical device. Figure 1 shows the hierarchical structure of standards related to the safety of medical devices.

Basic safety means freedom from an unacceptable risk directly caused by physical hazards, when the medical equipment is used under normal and single-fault conditions[1]. Essential performance is the collective capability of a clinical function related to safety. It is not included in the range of basic safety. Essential performance is easily understood by considering whether its absence or degradation would result in an unacceptable risk[15]. The essential performance of each medical device used in the market has been selected based on the hazard analysis and risk assessment by medical device experts. The essential performance of several medical devices that are extensively used and have a high potential risk is specified in the particular standard series IEC 60601-2/ISO 80601-2. Essential performance has relevance to functional safety. Therefore, an additional theoretical study should be conducted to investigate the two concepts.

Essential performance is analogous to functional safety[16]. Nevertheless, essential performance should be distinguished from functional safety[17]. Essential performance is thought to correlate significantly with functional safety from the risk point of view. The application targets of these two concepts are the same as the safety-related areas that can be caused by the intolerable risk. Therefore, essential performance must be considered in the determination of the application scope of functional safety for medical devices. As shown in Figure 2, essential performance of medical devices is defined as the safety function of functional safety. In accordance with the functional safety concept, the safety function is the important feature that must be executed to reduce or prevent the risk, based on the hazard analysis and risk assessment. If the safety function of functional safety is inappropriately executed, the intolerable risk results in harm and injuries to the patients. The essential performance of the medical device is also one of the safety-related factors. If essential performance is not properly executed, harm can be incurred when a hazardous situation occurs. Therefore, the essential performance can be regarded as equally important to the safety function, and is one of the most significant elements of functional safety.

Essential performance of medical devices is grouped into two categories: functions with E/E/PE systems, and functions without E/E/PE systems. The safety functions are categorized into two types: One is only executed to enhance safety, and the other is conducted to achieve better performance and safety simultaneously. Figure 3 shows the relevance between safety functions and essential performance. Among the variety of essential performance of medical devices, the essential performance using the E/E/PE system is only included in the safety function of functional safety. In contrast, the essential performance in cases where the E/E/PE system is not used is excluded from the application boundary of functional safety. For example, essential performance such as the energy output function of electrical surgical instruments, is included in the boundary of functional safety. However, essential performance, such as maintaining the sterilized electrode that does not use the E/E/PE system, has no relevance to the safety function of functional safety.

If the essential performance is not specified in the particular standards, it should be determined based on the ISO 14971 standard. The essential performance of a medical device is defined by the risk management activities. The essential performance should be checked depending on whether the E/E/PE systems are used or not. When the E/E/PE system is used for the implementation of the essential performance, it can be considered that it constitutes the safety functions of functional safety. If the E/E/PE system is not used, the essential performance is not included in the application boundary (Figure 4).

2 SAFETY INTEGRITY LEVEL OF ESSENTIAL PERFORMANCE

Safety integrity is the probability that an E/E/PE safety-related system properly performs the safety functions under specified conditions and within a stated period of time. SIL is the measure for evaluating the degree of reliability with which the safety-related function operates, as it is implemented in the EUC[18]. As shown in Table 1, SIL is the discrete level corresponding to the range of safety integrity values in the IEC 61508 standard, which is the typical standard of functional safety. Specifically, SIL4 is the highest level of safety integrity, and SIL1 is the lowest level[4]. The higher the required SIL, the lower the probability that the specified safety functions of the safety-related system will fail to operate.

PFDavg: Average probability of a dangerous failure on demand of the safety function; PFH: Average frequency of a dangerous failure of the safety function.

The mode of operations has to be determined for establishing the target SIL. The mode of operations is the way of operating safety functions, according to the demand rate. It is divided into three types: low-demand mode, high-demand mode, and continuous mode[19]. If the demand rate of safety functions is no greater than one per year, the specified safety functions are considered to be in a low-demand mode. The parameter for the target SIL is selected as the average probability of a dangerous failure on demand of the safety function (PFDavg), in the low-demand mode. If the demand rate of safety functions is greater than one per year, the specified safety functions are regarded to exist in the high-demand mode or in the continuous mode. The parameter for the target SIL is selected as the average frequency of a dangerous failure of the safety function (PFH), in the high-demand mode or in the continuous mode. When the demand rate is unknown, PFH is used as the parameter to determine the target SIL.

Information on application areas of functional safety should be fully taken into account to conduct the risk assessment and determine the target SIL of the selected safety functions of functional safety. Although the same safety function is implemented, the SIL has different targets, depending on the application sector[20]. SIL determination should be performed by taking into account the characteristics of the medical devices sector. Medical devices are classified in accordance with the potential risk levels. As shown in Table 2, the recommended target SIL is decided according to the detailed classification scheme.

SIL: Safety integrity level; N/A: Not available.

The medical devices are classified into three classes in the United States: class I, class II, and class III[21]. In Europe, the medical devices are classified into four classes: class I, class IIa, class IIb, and class III[22]. In South Korea, the regulation enacted by the Korean Ministry of Food and Drug Safety classifies medical devices into four classes, as in Europe: class 1, class 2, class 3, and class 4[23]. In every country, the classification regulations of medical devices are similar in that the higher the risk of a medical device, the higher the number assigned to its class. The item list of medical devices belonging to each class is similar among the United States, European Union, and South Korea.

Based on the classification performed in South Korea, tongue depressors and manual exam tables are typical class 1 medical devices. Class 1 medical devices have a low risk and a simple structure. Almost all class 1 medical devices do not carry out functions of measurement, diagnosis, or energy radiation. They do not commonly use the E/E/PE systems to operate safety functions. Therefore, class 1 medical devices are excluded from the boundary of functional safety.

The medical devices that are primarily used for diagnostic purposes are included in the class 2 boundary. Diagnostic X-ray equipment and diagnostic ultrasound are included in class 2 medical devices. Failures of class 2 medical devices can expose the patient directly or indirectly to harm. For example, excessive doses of radiation or ultrasound result in harm and direct damage to the tissue. The diagnostic functions cannot be executed owing to the decrease of image quality. A misdiagnosis can result due to the poor image quality of the diagnostic medical devices. The patient is exposed to a potentially hazardous situation. In this case, risk reduction activities are required. SIL1 should be established for safety functions in order to reduce potential risk and to enhance safety of class 2 medical devices.

Class 3 mainly consists of medical devices used to treat the patient or the disease. Electro–surgical systems and surgical laser are contained in class 3. Medical devices for treatment require higher electrical or mechanical energy than diagnostic medical devices of class 2. They transfer the energy to patients through the applied parts that directly contact the body. Therefore, the severity of the risk applied to the person is higher than class 2 medical devices. SIL2 should be established for safety functions to reduce the potential risk and to enhance the safety of class 3 medical devices.

Class 4 medical devices are inserted and implanted into the body to work semi-permanently, and are associated with the heart and blood vessels. Among a variety of class 4 medical devices, cardiopulmonary bypass devices, pacemakers and intra-aortic balloon pumps are operated by the E/E/PE systems. These medical devices have a high risk in regard to infections and biological portability. The risks associated with functional safety issues also lead to fatal harm and may threaten the life of the patients. Therefore, the safety functions of medical devices that belong to class 4 should be targeted as SIL3.

The SIL determination based on the classification of medical devices is not complete. The minimum guidelines are presented to define the target SIL of essential performance that is included in the functional safety boundary. The effect of malfunctions or failures of essential performance should be confirmed. SIL1 is allocated to the safety functions whose failures result in minor injuries. When the failures of the safety functions give rise to serious injuries in a few people or to curable injuries in many people, the safety function's target is considered to be SIL2. SIL3 is targeted to the safety function for which the malfunction causes serious injuries to many people or death to a few people due to failures. The death of many people is rarely caused by the failures of the medical devices[24]. Therefore, SIL1, SIL2, or SIL3 are usually enough to establish the target of safety functions of medical devices.

Functional safety of the medical device is implemented for hardware systems by using determined safety functions and SILs. Information for the target hardware system is collected. The requirements for implementing safety functions and SILs are specified at the system level. The requirements are divided into two groups: hardware safety integrity requirements and systematic safety integrity requirements. These requirements are allocated to the subsystem level.

3 CASE STUDY

This research conducted a case study to define the safety functions of functional safety and to establish the target SIL of the safety functions. The pulse oximeter was selected as the target medical device for the case study. A pulse oximeter is the medical device used to measure blood oxygen saturation, that is, the percentage of the amount of hemoglobin bound to oxygen with respect to the total amount of hemoglobin[25]. Oxygen is an essential element for metabolism in human beings. If the blood oxygen concentration decreases, people can experience an increase in their heart rate, headaches, and nausea, in mild cases. When the symptoms are severe, convulsions, morbus ceruleus, and unconsciousness can occur. Finally, cardiac arrest or brain death may occur due to a severe decrease of blood oxygen concentration. Therefore, the pulse oximeter has to operate properly in order to prevent additional damage in patients.

In accordance with the specified process of this research, the related standards of the pulse oximeter have to be checked to define the safety functions of functional safety. The essential performance is confirmed to select the safety functions of functional safety for the pulse oximeter. The essential performance of the pulse oximeter is specified by the particular standard ISO 80601-2-61[26]. The groups of essential performance include the accuracy of measurement, detection of error/alarms, and prevention of incorrect output. Since all essential performances of the pulse oximeter use the E/E/PE system, it is considered as a device with safety functions of functional safety. The accuracy of SpO2 and heart rate is included in the safety functions related to the measurement accuracy. The measured data have to be quickly updated to display the current measurement, and must be renewed within time intervals of 30 s or less. This function is related to the prevention of incorrect outputs. Error detection enables the users to know that the optical sensor is disconnected from the extension cable, or that the power supply has switched from external power to internal power. In regard to the alarm functions, the IEC 60601-1-8 standard, commonly applied to medical devices, specifies the priority of alarms considering the risk level[27]. Every essential performance of the pulse oximeter is included in the scope of functional safety. The relationship between safety functions of functional safety and essential performance of the pulse oximeter is shown in Figure 5.

The essential performance related to the accuracy of measurement and prevention of incorrect outputs constitutes fundamental functions that are continuously performed. Therefore, the mode of operations is selected to be in continuous mode. In regard to the essential performance related to the detection of error, alarms are only activated to ensure the safety of the pulse oximeter. These functions have a relatively lower demand rate compared to the primary functions. All of the essential performance operates more than at least once per year. The operating mode is determined to be in a high-demand mode or in a continuous mode of operations for the essential performance. PFH is selected as the quantitative parameter for the target SIL.

The pulse oximeter is a class 2 medical device based on item classification regulations. SIL1 should basically be assigned to the essential performance of the pulse oximeter in accordance with SIL determination rules, as shown in Table 2. Additional risk assessment is performed by considering the characteristics of the essential performance. The functions that measure the pulse rate and blood oxygen levels are closely related to human life support. If these functions do not operate properly, this may lead to serious patient injuries. The probability of patient deaths due to the malfunction of the pulse oximeter is very low. Even if the alarms of the pulse oximeter do not operate normally, hospital staff visually confirm the symptoms and take action on patients in order to avoid incidents that may lead to death.

The assigned SILs are modified by the results of risk management. The function for the power-failure alarm condition is considered to be SIL1. Even though the specified essential performance is out of order, the hazardous situation does not occur immediately in this case. This essential performance has a low probability of causing harm to patients. Therefore, the target of the power-failure alarm condition is established to be SIL1. In contrast, SIL2 is assigned to other functions, such as the SpO2 accuracy, pulse rate accuracy, protection against hazardous output, detection of probe and probe cable extender fault, and alarm condition priority.

When these five types of essential performance fail, this can directly result in serious injuries for the patients, such as convulsions and morbus ceruleus. Therefore, the target for this essential performance is selected to be SIL 2, as shown in Table 3.
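The determination procedure of sections 1 to 3 can be expressed as code. The following Python is an added example, not part of the original paper: it applies the scope rule (E/E/PE only), the demand-rate rule for PFDavg versus PFH, the class baseline and the consequence-based SIL to the pulse oximeter. Assumptions: the numeric bands are the IEC 61508 values restated because Table 1 is not reproduced here, the demand rates and severity labels are constructed inputs, and taking the higher of class baseline and consequence-based SIL is an interpretation that reproduces the case study.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# IEC 61508 target failure measures per SIL, as (lower bound inclusive, upper bound
# exclusive). Table 1 is not reproduced on this page, so the standard's bands are
# restated here. PFH values are per hour.
BANDS = {
    "PFDavg": {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)},
    "PFH": {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)},
}

# Recommended SIL by South Korean device class (section 2); class 1 is out of scope.
CLASS_BASELINE = {1: None, 2: 1, 3: 2, 4: 3}

# SIL by consequence of failure (section 2). The key names are hypothetical labels.
MINOR = "minor_injuries"
SERIOUS = "serious_few_or_curable_many"
SEVERE = "serious_many_or_death_few"
SEVERITY_SIL = {MINOR: 1, SERIOUS: 2, SEVERE: 3}


@dataclass(frozen=True)
class EssentialPerformance:
    name: str
    uses_eepe: bool                    # implemented with an E/E/PE system?
    demands_per_year: Optional[float]  # None means the demand rate is unknown
    severity: str                      # key into SEVERITY_SIL


@dataclass(frozen=True)
class Target:
    in_scope: bool
    sil: Optional[int] = None
    metric: Optional[str] = None
    band: Optional[Tuple[float, float]] = None


def failure_metric(demands_per_year: Optional[float]) -> str:
    """Low-demand mode (at most one demand per year) uses PFDavg; otherwise PFH."""
    if demands_per_year is not None and demands_per_year <= 1:
        return "PFDavg"
    return "PFH"  # high-demand, continuous, or unknown demand rate


def determine_target(device_class: int, item: EssentialPerformance) -> Target:
    baseline = CLASS_BASELINE[device_class]
    if baseline is None or not item.uses_eepe:
        return Target(in_scope=False)  # outside the functional safety boundary
    # Assumption: risk assessment may raise, but not lower, the class baseline.
    sil = max(baseline, SEVERITY_SIL[item.severity])
    metric = failure_metric(item.demands_per_year)
    return Target(True, sil, metric, BANDS[metric][sil])


def achieved_sil(metric: str, value: float) -> int:
    """Highest SIL whose band upper bound the calculated value stays under (0 = none)."""
    for sil in (4, 3, 2, 1):
        if value < BANDS[metric][sil][1]:
            return sil
    return 0


def meets_target(target: Target, value: float) -> bool:
    return target.in_scope and achieved_sil(target.metric, value) >= target.sil


# Pulse oximeter case study (class 2). Demand rates and severity labels are
# constructed inputs chosen to match the reasoning in section 3.
CONTINUOUS = float("inf")
PULSE_OXIMETER = [
    EssentialPerformance("SpO2 accuracy", True, CONTINUOUS, SERIOUS),
    EssentialPerformance("Pulse rate accuracy", True, CONTINUOUS, SERIOUS),
    EssentialPerformance("Protection against hazardous output", True, CONTINUOUS, SERIOUS),
    EssentialPerformance("Detection of probe and probe cable extender fault", True, 12, SERIOUS),
    EssentialPerformance("Alarm condition priority", True, 12, SERIOUS),
    EssentialPerformance("Power-failure alarm condition", True, 12, MINOR),
]


def pulse_oximeter_targets() -> dict:
    return {item.name: determine_target(2, item) for item in PULSE_OXIMETER}


if __name__ == "__main__":
    for name, t in pulse_oximeter_targets().items():
        print(f"{name}: SIL{t.sil}, {t.metric} in [{t.band[0]:g}, {t.band[1]:g})")
```

The numeric band covers only the hardware safety integrity side; the systematic safety integrity requirements mentioned in section 2 are not captured by a PFH value.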

4 CONCLUSION

This study has presented the approach method of functional safety for medical devices. The analysis comparing the concept of safety function and the essential performance has been performed to approach functional safety. Essential performance of the medical device is similar to the safety function of functional safety. Therefore, the lists of essential performance should be considered to define safety functions of functional safety. Essential performance based on E/E/PE systems is selected to define the safety function of functional safety. Information on the essential performance that is presented in particular standards permits designers and developers to efficiently define safety functions of functional safety. When essential performance of medical devices is used for selection of the safety function, the cost and time can be reduced, and the validity and adequacy can be ensured.

SIL: Safety integrity level.

SIL is determined in accordance with the characteristics of the medical devices sector. Medical devices are classified according to the potential risk level. Information on classification regulation and risk management of medical devices is used to determine the target SIL of essential performance. SIL1, SIL2, or SIL3 are universally applicable for the target of safety functions of medical devices. SIL3 is allocated to a high-risk essential performance of medical devices and SIL1 is targeted to a low-risk essential performance.

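Article 4: Functional Safety Hardware Architecture

Abstract: The digital campus has become a focus of informatisation in China's universities and even primary and secondary schools. To truly achieve digitised teaching and research, information-based management and a campus without boundaries, and to deliver a high-quality, efficient digital experience for teachers and students, this paper starts from the conceptual model of the digital campus and discusses the software and hardware architecture of Digital Campus 2.0 and the design and construction of its application systems.

Keywords: digital campus; software and hardware architecture; system design

CLC number: TP302.1  Document code: A  Article ID: 1673-8454(2009)05-0021-04

The application of information technology to school teaching and management has become the inevitable path for education today. As the level of modern educational technology in China keeps rising, advanced teaching media and technical tools have been widely integrated into schools' day-to-day teaching and management. The digital campus has become a focus of informatisation in China's universities and even primary and secondary schools, and its construction is now gradually moving into the Digital Campus 2.0 era.

I. Digital Campus 2.0

The digital campus concept was first proposed by the Massachusetts Institute of Technology in the 1970s. On 31 January 1998, former US Vice President Al Gore gave a speech at the California Science Center entitled "The Digital Earth: Understanding our planet in the 21st Century", in which he first put forward the concept of the "Digital Earth". The concept of "Digital Campus 2.0" then gradually took shape. In China, the earliest to define the digital campus concept were Peking University, Tsinghua University, and IT companies such as Hongen (洪恩).

Peking University defines the digital campus as follows: use computer, network and communication technology to fully digitise the information resources related to the university's teaching, research and campus services; integrate these information resources through scientific, standardised management so as to provide unified user management, unified resource management and unified access control; and build the university into a virtual university that serves both the campus and society and transcends time and space.

Professor Shen Peihua of Tsinghua University defines the digital campus as follows: based on the network and using advanced information tools, digitise everything from the environment (including equipment and classrooms) and resources (such as books, lecture notes and courseware) to activities (including teaching, management, services and office work); build a digital space on top of the traditional campus that extends the time and space dimensions of the physical campus, raises its efficiency and expands its functions; and ultimately achieve full informatisation of the educational process, so as to improve teaching quality and the level of research and management.[1]

The new-generation Digital Campus 2.0 adds three characteristics to the original definition: first, information resources and services are organised around the user; second, information systems are built with the goal of developing, sharing and using information resources; third, the focus is on building a digital space that connects seamlessly with the physical campus.[2] It follows that Digital Campus 2.0 should serve teachers, students and society, and use modern information technology and specialised digital equipment to optimise the allocation of the school's information resources, forming a digital learning environment and a digital teaching and management model that develop in step with the information society and meet the needs of teaching, research and management. The concept of Digital Campus 2.0 is a campus intelligent system that encompasses ideas, technology, equipment, people and applications. Its construction goals are: digitised teaching and research, information-based management and a campus without boundaries, delivering a high-quality, efficient digital experience for teachers and students.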

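II. System Architecture of the Digital Campus

1. Conceptual model of the digital campus

The digital campus is a virtual teaching environment built on a high-speed multimedia computer network; it is an extension and expansion of the physical campus. Its system architecture can be pictured as a layered structure of concentric circles. The conceptual model, shown in Figure 1, has five layers:

The first layer is the network infrastructure layer, the hardware platform of Digital Campus 2.0. It provides reliable high-speed digital links for all application services and can store and transmit data, voice, images and other information.

The second layer is the basic services layer, the base service platform for Digital Campus 2.0 application software. It provides network services for specific applications, such as network identity authentication, Web, mail, FTP and streaming media services, implemented by dedicated servers and system software.

The third layer is the application layer, which contains the school's internal business application systems and is the concrete realisation of Digital Campus 2.0 functionality. It consists of subsystems such as the online teaching platform, digital library, academic affairs information management, office automation, intelligent broadcasting and security monitoring.

The fourth layer is the extension layer, which extends information service functions on top of the application-layer systems. It represents the higher-level uses of the digital campus, such as data mining, teaching quality evaluation and decision support.

The outermost layer is the personalised portal, the single entrance to the digital campus. All types of users enter through the portal and receive personalised information and services matching their identity.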

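2. Components of the digital campus system

In terms of how the low-voltage (weak-current) systems of a digital campus are actually built, the work can generally be divided into the following functional subsystems:

(1) Structured cabling system: unified cabling that complies with international standards, carries voice, data, image and control signals, and is flexible, expandable, easy to maintain, structured and modular;

(2) Computer network system: network information services (WWW, Email, FTP, streaming media), running application software such as the online teaching platform, academic affairs and logistics MIS (management information systems), OA (office automation) and the digital library;

(3) Campus one-card system: unified identity authentication and settlement of cash purchases;

(4) Multimedia teaching system: multimedia classroom teaching and two-way teaching;

(5) Campus intelligent broadcasting system: zoned broadcasting for teaching and living areas, background music, foreign-language listening practice;

(6) Security monitoring system: campus security protection;

(7) Voice telephone system: on-campus voice communication and home-school contact (家校通);

(8) Large-screen display system: publication of public information.

The subsystems are independent of each other yet interrelated, and together they deliver the various business applications of the digital campus.

3. The digital campus from 1.0 to 2.0

Compared with 1.0, the hardware build-out of Digital Campus 2.0 has not changed fundamentally; the change is mainly at the application level. The audience, purpose and methods of digital campus services are more clearly defined and more in line with Web 2.0 thinking. The design and construction of Digital Campus 2.0 therefore centres on the interconnection of, and data sharing among, its application systems.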

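III. System Design of Digital Campus 2.0

1. Integrity of system functions

Building a digital campus involves a large amount of computer hardware and a variety of application software. The application systems formed from this equipment and software (such as the one-card system or the academic affairs management information system) are mostly self-contained and operate independently. Under the overall framework of Digital Campus 2.0, however, the result should not be a simple stacking and combination of compartmentalised systems, but a highly integrated whole in which the systems are interrelated and cooperate. To achieve this, the implementation of system functions must be considered as a whole: on the basis of interconnected hardware systems, and with the aim of meeting the business needs of teachers' and students' daily work and study, data sharing and functional integration among the systems must be achieved. This is done mainly through standardised data interfaces between subsystems and through middleware. The complete system structure is shown in Figure 2.

2. Uniformity of system data

For the functions of the Digital Campus 2.0 intelligent system to work together as an organic whole, the data must first be uniform. Only when data structures, data formats and interface standards have been standardised can the systems conveniently exchange and share data when needed. At present, the usual practice is for each subsystem to be designed and built by a different supplier, with an integrator coordinating the final result. As one would expect, each subsystem viewed in isolation basically meets its functional requirements, and subsystem suppliers can keep updating and upgrading their own systems to suit the school, but they will not, and cannot, take data exchange and data sharing with other systems into account. At most they provide some data import and export, and the systems essentially each go their own way. With educational thinking constantly being renewed, this situation urgently needs to change. From the point of view of school applications, while building a complete, high-performance campus network hardware platform, a unified data platform should also be established and used across all of the school's applications: teaching, academic affairs, management, office work, logistics and services. The specific design idea is as follows: use the one-card system's existing card database, which has relatively high security, to build an identity authentication database for everyone on campus (including teachers, students, academic affairs staff, administrators and logistics staff); use the Lightweight Directory Access Protocol (LDAP) to implement unified identity authentication for the digital campus; and make simple modifications to, or carry out secondary development on, the user management modules of the other application systems so that they attach to the campus one-card database.[3] The use of the one-card is thereby extended from the usual purchases, attendance and door access to academic affairs, office work, student records, teaching, examinations and every other area of daily school life, truly achieving "one card in hand, access across the whole campus". At the same time, the academic affairs database, teaching resources database, office information database and network management database are consolidated into a unified school data centre, where each system's data is managed centrally and linked as needed, ensuring data sharing and synchronisation between application systems. This design is technically somewhat difficult and considerably more complex to implement than the original approach of designing each system independently, but it will bring a qualitative leap to the modernisation of school education and plays a decisive role in raising teaching quality and management standards and further improving the education system.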

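3. Ease of use

A complete Digital Campus 2.0 intelligent system gives teachers and students a digital environment for work and study that covers all of the school's day-to-day affairs. Providing convenient, easy-to-use ways of operating it is therefore an issue that must be taken seriously. Specifically:

(1) Build an identity authentication and electronic wallet system centred on the one-card, ensuring one card per person on campus, automatic transfer and synchronisation of data between application systems, and a single authentication shared by all systems.

(2) Interconnect the school's internal network, external network and dedicated networks to take full advantage of the network, so that teachers and students can conveniently work and study over the network whether on or off campus.

(3) Develop application systems in B/S (browser/server) mode wherever possible, so that nothing needs to be installed on the client and a standard web browser is all that is needed for access.

(4) Allow application user interfaces to be personalised, so that users can customise screen content, layout and theme according to their needs and preferences.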

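4. System security

As society enters the information and network age, the campus inevitably becomes part of the wider information society, and the computers used for teaching, management and study become part of local area networks and the Internet. Along with the many conveniences the network brings come troublesome viruses, hacker attacks and unhealthy content. Building a complete network security protection system that keeps the school's application systems running safely and stably, and that ensures information related to teaching management and financial information directly affecting teachers and students is protected from unauthorised external access and hacker attacks, is the top priority of the whole system design. Security measures must be fully considered in hardware selection, software planning, and the interconnection and data transmission of every application. While maintaining application functionality and network speed, a series of measures is used to build successive lines of defence and ensure the operational and data security of the application systems of the school's key departments: installing firewalls, configuring proxy and routing rules, real-time monitoring of network packets, packet filtering, sensible division into virtual subnets by application function, tiered user permission management, SSL authentication and real-time data backup. The specific ideas and measures are:

(1) The campus is isolated from the Internet by a firewall, ensuring that the physical addresses of core on-campus servers cannot be reached from outside.

(2) Teachers and students access the Internet from inside the campus network through a proxy or router, where packets are monitored in real time, undesirable content is filtered, and billing is performed.

(3) Dedicated systems such as academic affairs management and office systems are placed on a separate subnet. Routing rules configured in the switch software allow limited access to this subnet's information from other subnets, ensuring that the school's day-to-day teaching work proceeds normally.

(4) The one-card system, which handles cash settlement, is networked separately. To share one-card data with other systems, a disk array is used for real-time dual-machine mirrored backup of the data, and strict read/write permissions are set. The network structure is shown in Figure 3.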
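The four measures above can be written as probe flows and checked against a firewall rule list, so that rule drift is caught before deployment. The following Python code is an added example, not part of the original article. The zone names, subnets, ports and both rule lists are constructed for illustration, and letting the administrative subnet read shared one-card data from the mirror is an assumption about how measure (4) is deployed.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan; zone names and subnets are assumptions for illustration.
ZONES = {
    "users":  ip_network("10.10.0.0/16"),  # teachers and students
    "proxy":  ip_network("10.20.0.0/28"),  # monitoring, filtering, billing
    "core":   ip_network("10.30.0.0/24"),  # core campus servers
    "admin":  ip_network("10.40.0.0/24"),  # academic affairs and office systems
    "card":   ip_network("10.50.0.0/24"),  # one-card settlement network
    "mirror": ip_network("10.60.0.0/28"),  # mirrored copy of one-card data
}


def zone_of(ip):
    """Map an address to its campus zone; anything unknown is the Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, rule_port, action in rules:
        if rule_src in (s, "any") and rule_dst in (d, "any") and rule_port in (port, None):
            return action
    return "deny"


# Probe flows derived from measures (1) to (4): label, source, destination, port, expected.
PROBES = [
    ("(1) Internet to core server",        "203.0.113.7", "10.30.0.10",   443,  "deny"),
    ("(2) user direct to Internet",        "10.10.1.5",   "198.51.100.9", 80,   "deny"),
    ("(2) user to proxy",                  "10.10.1.5",   "10.20.0.2",    3128, "allow"),
    ("(2) proxy to Internet",              "10.20.0.2",   "198.51.100.9", 80,   "allow"),
    ("(3) user to admin web front end",    "10.10.1.5",   "10.40.0.8",    443,  "allow"),
    ("(3) user to admin database",         "10.10.1.5",   "10.40.0.8",    3306, "deny"),
    ("(4) user to one-card network",       "10.10.1.5",   "10.50.0.4",    1433, "deny"),
    ("(4) admin to one-card network",      "10.40.0.8",   "10.50.0.4",    1433, "deny"),
    ("(4) one-card replication to mirror", "10.50.0.4",   "10.60.0.2",    873,  "allow"),
    ("(4) admin reads shared data",        "10.40.0.8",   "10.60.0.2",    5432, "allow"),
]

# Rule format: (source zone, destination zone, port or None for any, action).
WEAK = [
    ("any",   "core",     443,  "allow"),  # exposes a core server to the Internet
    ("users", "any",      None, "allow"),  # users bypass the proxy and reach every zone
    ("proxy", "internet", None, "allow"),
    ("card",  "mirror",   None, "allow"),
]

HARDENED = [
    ("users", "proxy",    3128, "allow"),  # all user web traffic goes through the proxy
    ("proxy", "internet", None, "allow"),
    ("users", "admin",    443,  "allow"),  # limited access to the admin subnet
    ("card",  "mirror",   None, "allow"),  # one-way replication out of the card network
    ("admin", "mirror",   5432, "allow"),  # shared data is read from the mirror only
]


def audit(rules):
    """Return one finding per probe whose outcome differs from the policy."""
    findings = []
    for label, src, dst, port, expected in PROBES:
        actual = decide(rules, src, dst, port)
        if actual != expected:
            findings.append(f"{label}: expected {expected}, got {actual}")
    return findings


if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(rules) or "policy satisfied")
```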

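5. Ease of maintenance

Digital Campus 2.0 is a large project with complex structure and functions, fairly high technical content, and many kinds of software and hardware combined. Its design and construction must be carried out by professional technical staff, but once it is built and in operation it will be managed and maintained mainly by the school's own teachers. In the overall system design, everything from the basic technology choices, cabling design and equipment selection to software configuration should therefore be judged by ease of management and maintenance, aiming for the following:

(1) Equipment should be selected for standardisation, general applicability, simplicity and ease of replacement.

(2) The system structure should be designed with a high degree of flexibility so that the school can extend and adjust it later.

(3) Network cabling and conduit should be designed and installed not only for current needs but also with future expansion in mind, leaving some spare capacity.

(4) The system should be highly stable, fault tolerant and adaptable.

(5) Operation logs should be generated automatically and important data backed up regularly.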

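IV. Building Digital Campus 2.0

Building Digital Campus 2.0 is not only a task for IT companies; it is above all a need and a responsibility arising from the school's own development. The school's teachers, students and staff are the main builders and users of Digital Campus 2.0, and developing and improving its information resources requires their broad participation. In this sense, building Digital Campus 2.0 can be summed up figuratively as six projects: "building the road", "setting up checkpoints", "buying vehicles", "stocking goods", "training drivers" and "setting the rules".

The "road" is the campus network system, the basic infrastructure of the campus. It covers structured cabling, servers and terminals, internal and external connection equipment (such as switches and routers), and the selection and construction of the system software platform.

The "checkpoints" are the campus network's security protection and identity mechanisms, mainly covering network security, virus protection, application permissions and personal identity verification, which keep the whole digital campus system working securely, stably and in an orderly way.

The "vehicles" are the application systems running on the campus network, mainly the academic affairs MIS, office automation, networked multimedia teaching, the teacher-student communication platform, information services, resource libraries, logistics support and campus security.

The "goods" are the basic data in the application systems, such as student information, teacher information, course information, management information, multimedia courseware, e-books, and audio and video material.

The "drivers" are the users of the campus information system, who fall into four groups: school leaders, professional technical staff, teachers and students, and other users.

The "rules" are the school's management, training, evaluation and incentive mechanisms under the new digital education model.

The "road", "checkpoints" and "vehicles" have been discussed in some detail above. The "goods" have to be added to and improved continually by the users, the "drivers", over the long-term operation of Digital Campus 2.0. This further shows that changing the drivers' mindset and developing their IT skills is just as critical to building Digital Campus 2.0. How to motivate teachers and students, increase their participation, keep the Digital Campus 2.0 system running securely and efficiently, and truly realise its advantages in modern teaching will depend on the relevant policies and regulations and on evaluation and incentive mechanisms.

References:

[1] Shen Peihua. Digital Campus [J]. 信息系统工程 (Information Systems Engineering), 2002(8).

[2] Wang Zuoli. The Digital Campus 2.0 Era Arrives [J]. 中国教育网络 (China Education Network), 2008(4).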

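Article 5: Hardware Architecture of the Dispatch Master Station System

The master station computer system for distribution management automation is a subsystem of the distribution automation system. It carries out information processing and is the core of the whole distribution automation system. The dispatch computer system consists mainly of computer hardware, networks, various kinds of software and communication equipment. The core of the distribution automation master station system is the computer system.

1 Configuration of the dispatch computer system

Distribution automation master station systems today generally use a distributed computer network. A distributed system spreads the system's functions across several computers, which are connected by a local area network and exchange data over it at high speed. The human-machine interface processors are attached to the LAN as workstations. The configurations commonly used for dispatch automation systems today are the typical single-machine single-network configuration and the typical dual-machine dual-network configuration.

In a single-machine single-network system, when one device fails the dispatch master station is forced to stop, so reliability is not high. This configuration is typically used where reliability requirements are modest or where the managed system is small. For important distribution networks in general, the dispatch master station monitors and controls the power system and the distribution network demands very high reliability, so the distribution dispatch master station is required to run 7×24 hours. Once started, the system must run stably for long periods, and when a fault or abnormal condition occurs in the power system the master station must report the abnormal information to the dispatcher or system maintenance staff in the shortest possible time.

A distributed system uses standard interfaces and media and distributes the whole system by function across the nodes of the network. This improves overall system performance, lowers the performance required of any single machine, improves system security and reliability, and makes the system more expandable.

Dispatch master station equipment falls into 3 categories: computer equipment, network equipment and communication equipment. Other items include the dispatch display screen, UPS power supply and dispatch telephone exchange.

The workstations in the computer network are divided into three types: front-end workstations, servers, Web servers and workstations. Workstations include dispatcher workstations, maintenance workstations, forwarding workstations and so on, and are the human-machine interface equipment.

Network equipment mainly means the dispatch switch.

Communication equipment includes transmission equipment and access equipment.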

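2 Functions of each type of equipment

2.1 Human-machine interface equipment

Once a distribution dispatch automation system is adopted for distribution network management, dispatchers are expected to use it to gain a comprehensive, in-depth and timely picture of how the distribution network is running, make correct decisions and issue control commands, so as to keep the distribution system operating safely and economically.

To carry out these tasks, the dispatch automation system must support human-machine dialogue. The human-machine interface equipment in the dispatch automation master station system exists for this purpose: it is the input and output equipment through which operators and the computers of the distribution dispatch automation system exchange information.

This equipment is either general-purpose or dedicated. General-purpose human-machine interface equipment means the consoles, printers and so on used by those who manage and maintain the distribution dispatch computer system and by software developers.

Dedicated human-machine interface equipment is the equipment provided specifically for distribution dispatchers to monitor and control the operation of the distribution system: the dispatcher workstations, as well as the non-interactive dispatch mimic board, the computer-driven recording devices and other equipment.

2.2 Servers

The server is the core equipment of the dispatch system. It receives information from the front-end processor, processes and stores it, performs analysis and calculation on the basis of the power network model, and sends information to the dispatcher workstations. It also receives commands from the dispatcher workstations and forwards them to the front-end processor. While the system is running, large volumes of data with strict real-time requirements have to be stored and processed. A database system provides organised, dynamic storage of large amounts of network data with convenient multi-user access, and these tasks depend on a fast, complete database management system. Two database systems therefore run on the server: a real-time database and a historical database.

The real-time database must be network-capable so that it can manage data distributed across the whole network and keep that data consistent. Real-time database management systems are generally developed in-house by each vendor. They are fast enough for real-time needs, but their interfaces are poorly standardised and do not fully conform to the international standards for common database interfaces, so such systems are relatively closed.

The dispatch system's configuration information (basic information about the distribution network and basic management information) and information such as historical records are stored in the historical database. A commercial database is chosen for the historical database.

The databases of a dispatch automation system are thus divided into a real-time database and a historical database. The real-time database is used mainly to store real-time data; because of its strict real-time requirements, a dedicated database is generally used. The historical database is used mainly to store historical data, and a commercial database is generally used. The real-time database management system and the commercial database management system are integrated so that users are unaware in use that two database management systems exist; the arrangement is completely transparent.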

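2.3 Web server

The Web server publishes the various kinds of dispatch information. Its Web service program communicates with the server to obtain the system's data. The information it publishes is consistent with what the dispatcher workstations receive.

2.4 Front-end processor

The data acquisition and processing subsystem of the dispatch automation master station system is usually called the front-end processor (Front-end Processor) system. It is the gateway through which telecontrol information from the distribution sub-stations and substations is exchanged with the master station.

The main function of the front-end processor is to receive information from the distribution sub-stations in the field and from substation automation. Because the distribution sub-stations and substation automation systems in the system may be products of different manufacturers and models, the front-end processor may have to use different protocols for the telecontrol information sent by different manufacturers' equipment.

2.5 Dispatch large screen and dispatch mimic board

Advanced distribution automation management centres are equipped with a large dispatch screen. Large screens are either projection-based or display-based. An advanced large screen can show the complete information from any one workstation, or from several, on the screen. In the simplest case the large screen takes its signal from a single dispatcher workstation.

A traditional dispatch mimic board is mounted on the wall facing the dispatch console and gives a centralised, high-level view of how the whole power system is running. The mimic board is generally built from model elements that form a single-line diagram of the system. The open or closed position of circuit breakers and disconnectors is shown by the colour of their lamps, and when a fault trip occurs the symbol of the corresponding breaker flashes. Current or power indicators or digital displays are also set into each line. In this way the current structure, operating parameters and power flow distribution of the whole power system can be seen at a glance. Used together with colour display screens, the mimic board is a great convenience to dispatchers.

2.6 GPS clock equipment

The GPS device is connected to the front-end processor. It obtains clock information from the satellites and synchronises time with the front-end processor; the front-end processor in turn synchronises time with the other computers of the master station and with the distribution sub-stations connected to it.

2.7 Security isolation equipment

The equipment through which the system connects for external communication. It uses a special communication method.

2.8 Switches

Used to exchange information between the computers.

2.9 Communication access equipment

Includes routers, modems, optical communication access equipment and so on. Its main job is communication with the plant and station end.

3 Conclusion

A distribution network automation system is a wide-ranging integrated automation system for operating and managing the distribution network, covering the substations in the distribution network, the feeder network, and functions such as customer management, monitoring and operational optimisation. Its hardware is therefore relatively complex and touches many fields. Keeping the hardware architecture running in an orderly way is vital to the safe and reliable operation of the power grid.

Abstract: With reference to the dispatch master station system, this paper analyses its core position in the distribution automation master station, discusses the typical configurations of the dispatch computer system, and describes in detail the main functions and requirements of each type of equipment.

Keywords: power system; distribution automation master station; hardware composition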
