A Resilient SIL 2 Driver Machine Interface for Train Control Systems

In railway train-borne equipment, the Driver Machine Interface (DMI) acts like a bridge between the train driver and the onboard automatic train control system (European Vital Computer, EVC). While the DMI is required to operate in a critical context, current DMIs have no safety requirements. This implies that the EVC may automatically stop the train whenever the DMI is suspected to misbehave, leading to delay of the train, inconvenience for passengers and consequent possible profit loss. For these reasons a DMI with higher safety requirements is worth to be taken into account, even if it implies higher costs. The SAFEDMI European project aims at developing (i) a DMI at Safety Integrity Level 2 (SIL 2) using off-the-shelf components and a simple hardware architecture to reduce costs, and (ii) a SIL 2 wireless communication support for maintenance. This paper describes the architecture of a DMI which satisfies these objectives. The main hardware and software characteristics will be shown, including the proposed error detection techniques and the related fault handling (characterized by a new operational mode that allows DMI to restart silently, thus reducing unexpected train stops).