Why does the Baseline 3.6.0 ETCS standard require a SIL2 DMI (train display)?

17 April 2023

The DMI tells the driver how to behave: the speed to be respected and the distance to be covered to the target point.

The train receives a “motion domain”, which it can exceed if its speed is below the “release speed” for the target point. To let the train approach as close as possible to this target point, the guaranteed braking curves are no longer applied below the release speed, and emergency braking is only triggered if the limit is exceeded by more than the location inaccuracy, which is not limited. The safety of these movements therefore rests on the driver acting on the information displayed by the DMI, which is one reason (among others) why it has to be SIL2.

The question of safety also arises when the train is in “On Sight” (OS) mode. When the driver is allowed to run on sight, he must acknowledge that he is “aware” that he is responsible for adapting his speed on sight to avoid collision with a train ahead. This acknowledgement is made through the DMI. The SIL2 safety level of the DMI guarantees that this acknowledgement really was given, and therefore that the protection is provided by the driver (acknowledged running on sight) and not by the ERTMS system.

Sometimes the driver may also have to cross a closed signal (“override”). He is only allowed to do this with the explicit authorization of the trackside signalman. He then performs an operation on the DMI, which is sufficient to neutralize the target point associated with the closed signal without intervention by the trackside computers. The safety requirement is then to ensure that the DMI does not switch to this mode unintentionally, as there would then be no more control, without anyone knowing.

Finally, the DMI allows the safe input of safety-relevant train characteristics, such as length, type, speed limit, or the safe validation of default settings. A distortion of these parameters introduced by the DMI would be sufficient to produce erroneous braking curves, leading to accident risks.

CLEARSY is an expert in justifying by reasoning that the safety levels are relevant, and proves this reasoning through mathematical proof techniques and the use of the ATELIER B tool. It also sells a DMI certified SIL2 by CERTIFER.