Safe Driver Machine Interface (DMI) for ERTMS automatic train control (SAFEDMI)

István Majzik

Duration of the project:

September 1, 2006 - August 31, 2008


  • Ansaldo Segnalamento Ferroviario S.P.A. (ASF), Italy
  • Consiglio Nazionale delle Ricerche - Istituto di Scienza e Tecnologie dell'Informazione (ISTI), Italy
  • Budapest University of Technology and Economics (BME), Hungary
  • AZD Praha s.r.o. (AZD), Czech Republic
  • Aalborg University, Center for TeleInFrastruktur (AAU), Denmark

Project aim:

The objective of SAFEDMI is to design and develop an ERTMS-compliant safe (at least SIL2) DMI with safe wireless communication interfaces for configuration, SW and firmware downloading, and diagnostic purposes, in response to the increasing safety level needs of the ATC systems of high-speed rail lines.


Railway automatic train control (ATC) systems are based on both trackside and on-board systems. The increasing level of train traffic and the spread of high-speed rail lines now demand an increasing safety level in ATC systems. To ensure compatibility and interoperability between the ATC systems produced in Europe, the European Rail Traffic Management System (ERTMS) programme has been set up to provide a unique set of standard functional and non-functional requirements.

The ERTMS architecture for the on-board ATC encompasses a Driver Machine Interface (DMI) component whose functions and ergonomic requirements are defined so as to satisfy all the related CENELEC requirements.

However, these requirements do not yet include safety, even though the DMI is required to operate (as a slave) in a quite critical context. In fact, many railway operators have started requiring from their providers DMIs that satisfy the strong requirement of being a safe MMI reaching at least SIL2 (Safety Integrity Level 2) according to CENELEC specifications.

The safety requirement stems from the increased complexity of on-board ATC systems, which is driven by ever more demanding requirements on railway line capacity and exacerbated by the need to avoid possible loss of driver attention caused by the amount of information displayed.


The objective of the SAFEDMI project is to design and develop a DMI system that distinguishes itself from other trainborne DMIs currently available on the market by satisfying at least SIL2 (Safety Integrity Level 2) according to CENELEC specifications (with all the related implications), and to integrate into this safe DMI safe wireless communication interfaces for configuration, SW and firmware downloading, and diagnostic purposes.

The detailed proposed objectives are:

  • to design and develop a safe DMI integrated with the current on-board ERTMS systems developed according to the ERTMS Interface specifications;
  • to study and develop all the HW and SW solutions to properly address the safety and fault tolerance issues generated by the SIL 2 requirements;
  • to integrate into the safe DMI safe wireless communication interfaces for configuration, SW and firmware downloading, and diagnostic purposes;
  • to design and develop an HW and SW tool infrastructure to support automatic test execution, simulating the driver's actions.

The safety issues to be tackled by the SAFEDMI project relate to visualization, driver input data acquisition, data communication between on-board system components, data processing, and the wireless communication interface.

Expected results:

  • SAFEDMI will deliver the following results: (1) the requirements and constraints that must be considered for SIL2 compliance; (2) the SAFEDMI architecture, a preliminary HW and SW specification, the selected wireless communication technology, the communication architecture and a preliminary quantitative evaluation methodology; (3) the SIL2-compliant final prototype to be evaluated and validated.
  • SAFEDMI will directly contribute to the CENELEC Technical Body CLC/SC 9XA "Communication, signalling and processing systems" and in particular to the standardisation activities dealing with "Railway applications - Communication, signalling and processing systems - European Rail Traffic Management System - Driver-Machine Interface".
  • SAFEDMI will also contribute to CENELEC TC9X-WG12 "Electrical and electronic applications for railways", in the Working Group 12 (WG12) dealing with "Communication means between safety equipment and Man Machine Interface (MMI)".