What do the remote control and monitoring system for fire safety systems developed for RATP, an ETCS driver-machine interface (DMI) and the automatic train supervision system (ATS+) deployed by Siemens for SNCF Reseau have in common? All three are critical SIL2 level systems whose display functions are secured by CLEARSY.
Human-machine interfaces define the means and tools implemented so that a human can control a system and communicate with it. When they are critical, these systems are equipped with secure interfaces, i.e. they deliver secure information. Securing an interface means securing (making reliable) the information delivered (alarm feedback and passing of safety commands, train speed, train position, signal status, etc.) and their display. Two approaches are possible depending on whether the equipment used is safe or not.
Erwan Mottin, Activity Director at CLEARSY: When working with non-secure equipment that is commercially available, and this is the case for the fire supervisor we developed for the RATP, the security solution consists of ensuring the detection of errors related to the interface. And this involves, in part, securing the display software. A hardware-independent security system. Customer benefits: greatly reduced acquisition and maintenance costs. One of the means of error detection used for the HMI of the fire supervision system (SIL2 EN61508) as well as for the DMI (SIL2 EN50128) developed in partnership with Centralp, is the dual display. Example: a needle counter and digits display the train speed in the ETCS system HMI. In this configuration, says Erwan Mottin, it is up to the train driver to check that the two pieces of equipment communicate the same data. But when there are several dozen pieces of information to be secured on a system, the user must be able to do without. This is why we have implemented innovative techniques for computer comparison and automatic control of the consistency of the display.
Securing the HMI of the ATS+ (Automatic Train Supervision) solution from Siemens required further measures. We were working in a system context – i.e. an HMI context – that was developed prior to the safety control, so something else had to be found, explains Erwan Mottin. Something else, such as a software library of safety plug-ins that could be reused in similar projects. Independent of the historical display software, it doesn’t affect it. In this case, the information (train position, signal status) and its display are secured in parallel with the display: a CLEARSY innovation that makes it possible to secure this interface at a SIL2 level.