A train passenger trusts the driver who, in turn, trusts the train control technology and those in authority who have approved it. They place their trust in test regulations and the development and production team. The developers trust that their product has identified, correctly analysed and evaluated all possibilities for error and their harmful effects on the system, and that these have been rendered harmless with appropriate countermeasures.
The use of every machine, every piece of equipment and every vehicle is based on the belief that all necessary measures have been taken to exclude safety-critical errors, or at least to minimise these so that no serious damage can occur and there is no threat to life and limb.
The visualisation of safety-critical systems such as Automatic Train Protection (ATP) and Automatic Train Stop (ATS) in train cabs and control centres is typically done on complex driver-machine interfaces. The flexibility of software to adapt to different customer, country and project-specific requirements results in an increasing number of variants for railway application.
Blind faith in technology is insufficient for safety-relevant applications. The chain of trust which finishes with the end-user begins in the early concept phase of a product. The design of display devices for a driver’s desk is based on a complex development process with defined verification and validation processes. Additional measures like FTA (Fault Tree Analysis) and FMECA (Failure Mode, Effects and Criticality Analysis) accompany safety-critical parameters.
Reliance on the display
The cause of an error may be the display of false information which the train driver cannot validate in real time, such as faulty technical data transfer, an error in the display or its associated software, the operating system or the microprocessor itself. With existing control instruments, the driver cannot fully appreciate these.
The possibility for error in safety-relevant applications demonstrates the significance of such failures – at best the system is damaged or breaks down; at worst people’s lives are put in danger. No matter how unlikely an incident is, it has to be addressed unless redundant systems completely rule it out, particularly as the chance of the error being discovered by the driver is very low as long as he sees just one display.
Appropriate countermeasures for display error recognition are therefore indispensable for every safety-relevant, manually-operated display and control system. These can range from expensive, complex designs with redundant hardware and software systems to the simple integration of electronic monitoring circuits in display devices. Most system designs for control panels and workstations concentrate on the validation of the electronic process control computer according to SIL requirements (Safety Integrity Level) and the SSAS>0 software development process.
For train drivers, the most important information is whether the ATP system is working correctly, as shown on a display. This is the icon “FS” (Full Supervision) in an ETCS/ERTMS system, or its equivalent in other ATP systems. If it is on, the driver can rely on the ATP/ATS, with braking distances and signalling information being continuously evaluated. In critical situations, the ATP system can take full control and stop the vehicle. If the “FS” icon is off, then the driver has to take partial or even full control. Apart from this icon, most of the displayed icons and widgets are not safety-critical, because corrupt displayed data will not result in hazardous events.
As the driver’s display is his most important interface to the vehicle computer and the train protection system, hazardous situations can clearly result if the icon information it is showing is wrong.
Almost limitless applicability
Before the advent of the new IconTrust® technology, any request for changes by the network or train operator could be met with reluctance from a product developer, or at least result in a long and expensive process of revision, including assessments. A hardware change, such as for reasons of obsolescence, requires a repetition of the validation process, including an assessor to update the safety case.
But an alternative is the simple integration of the safe circuit IconTrust® into the display device. This continuously monitors dedicated areas on the TFT panel and can distinguish between safety-relevant and non-safety-relevant information.
In a first project with an ETCS application, IconTrust® can simultaneously and independently monitor over 100 areas on the display, which may overlap. When anomalies occur, an alert is triggered. For each individual area in every image refresh cycle, the displayed image is analysed and compared with the value of the respective input signal. The patent-pending system ensures the information is demonstrably up-to-date and correct without the actual application displaying the information being subject to a verification procedure. Because of this independence, IconTrust® enjoys almost limitless applicability.
The safety case of SIL approval with IconTrust® technology is independent of the operating system, software development tools or hardware configuration. It is even possible to reuse existing software modules and upgrade them to ‘SIL equipment’. The result is an economic advantage in retrofit projects with new SIL requirements.
The typical 15-30 year lifetime of a project is much longer than any availability of electronic components. Due to obsolescence, the processor/chipsets have to be changed several times. The effect on projects with SIL requirements is significantly reduced by the IconTrust® technology because devices such as processors and chipsets do not have to be defined in the safety case.
IconTrust® can be used with a panel PC, TFT monitor or projector. In signalling centres, large TFT screens are used to display track, train and signal information. An ongoing discussion about the safety relevance of this information may result in future requirements for SIL levels > 0. To achieve this, IconTrust® can also be integrated as an add-on or designed into existing devices. It can be an important step change towards SIL > 0 approved control centres.
If required, it is possible to allow different screen representations for one and the same value of the same input signal (equivalent representations). In addition, an error counter can be configured to delay the triggering of an alert within permitted display tolerances. As a rule, IconTrust® can be easily retrofitted into displays and applications so that functional safety requirements up to SIL4 are achievable and verifiable.
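The monitoring principle described above (per-area, per-refresh-cycle comparison of the displayed pixels against the expected rendering for the current input signal, with equivalent representations and a delaying error counter) as an added illustration in Python; this is a constructed model, not IconTrust® code, and the 4x4 framebuffer, the “FS” icon renderings and the `tolerance` parameter are assumptions made for the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Pixels = Tuple[Tuple[int, ...], ...]          # row-major greyscale framebuffer (constructed)

@dataclass
class MonitoredArea:
    name: str                                 # also the name of the input signal it tracks
    x: int
    y: int
    w: int
    h: int
    expected: Dict[str, List[Pixels]]         # signal value -> all equivalent renderings
    tolerance: int = 0                        # mismatching cycles allowed before an alert
    misses: int = 0                           # error counter, reset on every good cycle

def crop(frame: Pixels, a: MonitoredArea) -> Pixels:
    """Extract the monitored rectangle from the frame that actually reached the panel."""
    return tuple(row[a.x:a.x + a.w] for row in frame[a.y:a.y + a.h])

def check_area(frame: Pixels, a: MonitoredArea, signal_value: str) -> Optional[str]:
    """One refresh cycle for one area: the pixels must match one of the equivalent
    renderings of the current input value; the counter delays the alert by `tolerance`."""
    if crop(frame, a) in a.expected.get(signal_value, []):
        a.misses = 0
        return None
    a.misses += 1
    if a.misses > a.tolerance:
        return f"ALERT {a.name}: shown image does not represent '{signal_value}' ({a.misses} cycles)"
    return None

def monitor_cycle(frame: Pixels, areas: List[MonitoredArea], signals: Dict[str, str]) -> List[str]:
    """Check every configured area independently (overlapping areas are fine) and collect alerts."""
    return [msg for a in areas if (msg := check_area(frame, a, signals[a.name]))]

# Constructed sample: a 4x4 panel with the FS icon occupying the top-left 2x2 pixels.
ON_A = ((255, 255), (255, 255))               # bright icon
ON_B = ((255, 200), (200, 255))               # dimmed variant, accepted as equivalent
OFF = ((0, 0), (0, 0))
FS = MonitoredArea("FS", 0, 0, 2, 2, {"on": [ON_A, ON_B], "off": [OFF]}, tolerance=1)

def frame_with_fs(icon: Pixels) -> Pixels:
    """Build a blank 4x4 frame with the given 2x2 icon drawn at the FS position."""
    rows = [[0] * 4 for _ in range(4)]
    for r in range(2):
        rows[r][0:2] = icon[r]
    return tuple(tuple(r) for r in rows)

def run_scenario() -> List[List[str]]:
    """ATP reports 'on' for three cycles but the stale panel keeps showing the 'off' icon."""
    FS.misses = 0
    stale = frame_with_fs(OFF)
    return [monitor_cycle(stale, [FS], {"FS": "on"}) for _ in range(3)]
```

With `tolerance=1` the first mismatching cycle is tolerated and the alert is raised from the second cycle on, while a frame showing the dimmed `ON_B` variant is accepted as a valid “on”.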
The realisation of SIL display equipment is a technical and economic challenge; IconTrust® provides a flexible way of meeting project goals and customer needs.