Safe Driver Machine Interface (DMI) for ERTMS automatic train control

SAFEDMI’s objective is to design and develop an ERTMS-compliant safe (at least SIL2) driver machine interface with safe wireless communication interfaces for configuration, software and firmware downloading and diagnostic purposes to respond to the increasing safety level needs in the automatic train control systems of high-speed rail lines.

Tags: Rail


The railway’s automatic train control (ATC) systems are based on both trackside and onboard systems. The increasing level of train traffic and the spread of high-speed rail lines are now demanding an increasing safety level in the ATC systems. In order to ensure compatibility and interoperability between the ATC systems produced in Europe, the European Rail Traffic Management System (ERTMS) programme has been set up to provide unique functional and non-functional standard requirements.

The ERTMS architecture for the onboard ATC encompasses a driver machine interface (DMI) component whose functions and ergonomic requirements are defined so as to satisfy all the CENELEC (European Committee for Electrotechnical Standardisation) related requirements.

However, such requirements do not yet include safety, despite the fact that the DMI is required to operate (as a slave) in quite critical contexts. In fact, many railway operators are starting to require from their providers DMIs that satisfy the demanding requirement of being a safe man-machine interface (MMI), reaching at least SIL2 (safety integrity level 2) according to the CENELEC specifications.

The safety requirement has come about through the increased complexity of ATC onboard systems, generated by ever more demanding requirements on railway line capacities and exacerbated by the need to avoid possible loss of driver attention caused by the amount of information displayed.


The objective of the SAFEDMI project is to design and develop a DMI system that distinguishes itself from other train-borne DMIs currently available on the market by being able to satisfy at least SIL2 (safety integrity level 2) according to the CENELEC specifications (with all the related implications), and to integrate safe wireless communication interfaces for configuration, software and firmware downloading and diagnostic purposes.

The proposed detailed objectives are:

  1. to design and develop a safe DMI integrated with the current onboard ERTMS systems and developed according to the ERTMS interface specifications
  2. to study and develop all the hardware and software solutions to properly address the safety and fault tolerance issues generated by the SIL2 requirements
  3. to integrate safe wireless communication interfaces in the DMI for configuration, software and firmware downloading and diagnostic purposes
  4. to design and develop a hardware and software tool infrastructure to support automatic test execution, simulating a driver’s actions.

The safety issues to be tackled by the SAFEDMI project relate to visualisation, driver input data acquisition, data communication between onboard system components, data processing and the wireless communication interface.

Description of work

The work is organised into five technical work packages (WP). Two additional work packages will deal with dissemination and exploitation (WP6) and project management (WP0).

WP1 will investigate the railway scenarios that will serve as a source of requirements for the project, identifying the technical challenges, threats and resilience requirements that will be addressed by the design, evaluation and testing solutions to be developed in the project. It will also assess the risks that must be considered in order to be SIL2 compliant according to CENELEC.

WP2 focuses on the design of hardware and software architectural constructs and fault tolerance mechanisms.

WP3 is aimed at developing safe and non-safe protocols for wireless communication.

WP4 will develop a comprehensive quantitative evaluation methodology encompassing analytical modelling, simulation and experimental techniques, aimed at assessing the dependability and resilience of applications, and a testing framework targeted at the removal of design and malicious faults. The framework will be used to evaluate the technical solutions developed in WP2 and WP3 and analyse their efficiency.

WP5 will build an experimental prototype integrating building blocks from the other work packages, together with a suitable application, to illustrate the feasibility of the technical solutions developed in SAFEDMI and analyse their efficiency using controlled experiments.


SAFEDMI will deliver the following results:

  1. the requirements and constraints that must be considered in order to be compliant with SIL2
  2. the SAFEDMI architecture, a preliminary hardware and software specification, the selected wireless communication technology, the communication architecture and a preliminary quantitative evaluation methodology
  3. the SIL2-compliant final prototype to be evaluated and validated.

SAFEDMI will directly contribute to the CENELEC Technical Body CLC/SC 9XA ‘Communication, signalling and processing systems’ and in particular to the standardisation activities dealing with ‘Railway applications – Communication, signalling and processing systems – European Rail Traffic Management System – Driver-Machine Interface’.

SAFEDMI will also contribute to CENELEC TC9X-WG12 ‘Electrical and electronic applications for railways’, in the Working Group 12 (WG12) dealing with ‘Communication means between safety equipment and Man Machine Interface (MMI)’.