SIST-TP CLC/TR 50542-1:2014

SLOVENSKI STANDARD
SIST-TP CLC/TR 50542-1:2014
01-december-2014
1DGRPHãþD
SIST-TP CLC/TR 50542:2010
Železniške naprave - Krmilnik vlakovnega prikazovalnika v strojevodjevem
prostoru - 1. del: Splošna arhitektura
Railway applications - Driver's cab train display controller (TDC) - Part 1: General
architecture
Ta slovenski standard je istoveten z: CLC/TR 50542-1:2014
ICS:
35.240.60 Uporabniške rešitve IT v IT applications in transport
transportu in trgovini and trade
45.020 Železniška tehnika na Railway engineering in
splošno general
SIST-TP CLC/TR 50542-1:2014 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TP CLC/TR 50542-1:2014

---------------------- Page: 2 ----------------------

SIST-TP CLC/TR 50542-1:2014


TECHNICAL REPORT CLC/TR 50542-1

RAPPORT TECHNIQUE

TECHNISCHER BERICHT
October 2014
ICS 35.240.60; 45.020 Supersedes CLC/TR 50542:2010
English Version
Railway applications - Driver's cab train display controller (TDC)
- Part 1: General architecture



This Technical Report was approved by CENELEC on 2014-06-30.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.



European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
 Ref. No. CLC/TR 50542-1:2014 E

---------------------- Page: 3 ----------------------

SIST-TP CLC/TR 50542-1:2014
CLC/TR 50542-1:2014 - 2 -
Contents Page
Foreword . - 3 -
Introduction . - 4 -
1 Scope . - 6 -
2 Normative references . - 7 -
3 Terms and definitions . - 7 -
4 Symbols and abbreviations . - 8 -
5 Functions . - 9 -
5.1 Definitions . - 9 -
5.1.1 General . - 9 -
5.1.2 From TDC to connected systems . - 9 -
5.1.3 From connected systems to TDC . - 10 -
5.1.4 Delays . - 10 -
5.2 Function analysis. - 12 -
5.2.1 Function failure modes and failure effects . - 12 -
5.2.2 Failure modes and effects . - 13 -
6 Safety targets . - 16 -
7 Certification . - 18 -
8 TDC general description . - 18 -
8.1 General . - 18 -
8.2 Information destination . - 18 -
8.3 Second source . - 19 -
8.4 TDC maintenance and LCC . - 19 -
8.5 Safety and reliability targets . - 20 -
8.6 TDC DMI redundancy management . - 20 -
8.7 TDC recommended architecture . - 20 -
8.7.1 Constraints . - 20 -
8.7.2 TDC architecture examples . - 21 -
Annex A (informative) Actions . - 24 -
A.1 Introduction . - 24 -
A.2 From TDC to connected systems . - 25 -
Bibliography . - 26 -

---------------------- Page: 4 ----------------------

SIST-TP CLC/TR 50542-1:2014
- 3 - CLC/TR 50542-1:2014
Foreword
This document (CLC/TR 50542-1:2014) has been prepared by CLC/TC 9X "Electrical and electronic
applications for railways".
This document supersedes CLC/TR 50542:2010.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a mandate given to CENELEC by the European Commission and
the European Free Trade Association.

---------------------- Page: 5 ----------------------

SIST-TP CLC/TR 50542-1:2014
CLC/TR 50542-1:2014 - 4 -
Introduction
The purpose of this Technical Report is to propose harmonisation for communication between the DMIs and
the train systems on the driver’s desk.
The need for this harmonisation has grown out of several trends.
One trend is that the rolling stock is being computerised more and more, enabling sophisticated functions
within the rolling stock and various subsystems of the train.
1
Furthermore, the driver’s desk of such rolling stock is built around one or several computer screens . These
allow the driver to interact with the computerised rolling stock functions. The user interfaces are typically user
friendly, featuring e.g. graphics and colours.
In case of degraded situation (screen failure) and with several screens available on the desk, it should be
possible to relocate important information to a screen that is still working. This improves operational
availability.
Another trend is the harmonisation of onboard signalling safety equipment.
For ERTMS/ETCS onboard, the driver-machine interface is also based on computerised screen(s).
The ERTMS/ETCS defines the concept of Specific Transmission Module STM, allowing the integration of
national control-command systems into the ERTMS/ETCS onboard system via a standardised interface.
Since desk space is a limited resource, the STM concept allows national onboard control-command systems
to use the driver machine interface resources of ERTMS/ETCS. For this purpose the ERTMS/ETCS driver
machine interface allows the driver to interact with any of the installed STMs connected by STMs specification
or/and ERTMS/ETCS onboard.
A third trend is that a European market is opened for control-command and TCMS equipments as well as
rolling stock.
Traditionally, control-command systems were generally linked to a country, and rolling stock was equipped
with one or more national control-command systems. This has effectively limited the rolling stock to operate
within a limited number of countries.
The ERTMS/ETCS, in combination with STMs enables cross-border traffic, freeing rolling stock from this
barrier.
The combination of the above trends leads to the conclusion that during train operation, TCMS need to have
access to the screens on the desk. Furthermore, it is desirable to maintain the advantages of multi-screen
installations, allowing the ability to switch to another screen in case of screen failure for information to be still
displayed. Thus a certain level of integration and harmonised communication is demanded.
Another motivation for this Technical Report is related to Life Cycle Cost. The recommendations written here
simplify the replacement of screens and desk equipment through the lifetime of the vehicle, independent of the
supplier.

1
In this Introduction the term “screen” is used in a popular sense, implying e.g. touch screen or other means of input from driver.

---------------------- Page: 6 ----------------------

SIST-TP CLC/TR 50542-1:2014
- 5 - CLC/TR 50542-1:2014

This document is the first one of a series of three documents:
CLC/TR 50542-1 Railway applications — Driver's cab Train Display Controller (TDC) — General architecture
pr TR50542-2 Railway applications — Driver's cab Train Display Controller (TDC) — Display systems FIS
pr TR50542-3 Railway applications — Driver's cab Train Display Controller (TDC) — Other systems FIS

---------------------- Page: 7 ----------------------

SIST-TP CLC/TR 50542-1:2014
CLC/TR 50542-1:2014 - 6 -
1 Scope
In accordance with the ERTMS/ETCS specifications, Subset 121, UIC 612 leaflet, ERA ERTMS-015560 3.3.0
document, EN 50126 and EN 61375 series requirements, this Technical Report describes the Train Display
System (TDS) in the driver’s cab, and the link between the TDS/TDC and some of its interfaces (Blue box and
blue links only):
Figure 1 — Terms and definitions
The scope of the Train Display System (TDS) thus includes:
a) Functions, except functions defined in the ETCS Subset 121. These functions describe exchanges between
TDC and the connected display systems;
b) Performance allocation (RAMS included as per EN 50126): for each function defined in item a), defining the
performances needed and the degraded modes recovering;
c) Needs for certification: description of special requirements to avoid ETCS recertification after other display
system modification;
d) Train Display Controller (TDC):
• Redundancy management;
• Architecture;

e) For each system connected (except those defined in ETCS Subset 121): the Functional Interface
Specification (FIS).
This Technical Report excludes the following items:
• Communication protocols (e.g. EN 61375 series);
• Ergonomic aspects;
• Interface with ETCS (Subset 121);
• Train functions;
• GSMR EIRENE functions;

---------------------- Page: 8 ----------------------

SIST-TP CLC/TR 50542-1:2014
- 7 - CLC/TR 50542-1:2014
• Use of the displays as terminals for maintenance purpose.

2 Normative references
Not applicable.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
Driver Machine Interface
display used to give information to the driver. It contains the hardware and software means to support inform
the driver
Note 1 to entry: Information is carried through this interface in the form of visual (light), acoustic and tactile (driver’s
pressing of buttons).
3.2
button event
pressing or releasing a button
3.3
button
operating element for interaction with the cab display (hard key, soft key, sensitive area)
3.4
cab display
hardware device or system that shows text and/or graphic information to the user
3.5
hard key
physical key with permanent marking and not part of the screen area

Note 1 to entry: This permanent marking may be alpha and/or numeric and/or a symbol.
3.6
indicator
element designed to draw attention to a cab system status which requires a response
3.7
sensitive area
enabled area on a touchscreen on which a physical action is possible in order to give input to the cab display
3.8
soft key
context-dependent key consisting of a combination of a hard key and an associated screen label (text or
symbol)

Note 1 to entry: This key is for multifunctional use.

---------------------- Page: 9 ----------------------

SIST-TP CLC/TR 50542-1:2014
CLC/TR 50542-1:2014 - 8 -

3.9
label
symbol or text indication on or close to an indicator or a button
3.10
Train Display Controller (TDC)
equipment used to manage information between displays on the driver's desk and the train
Note 1 to entry: TDC is called DCU (Display Control Unit) in UIC 612 leaflet series. See bibliography.
3.11
Train Display System (TDS)
TDS consists of the TDC and the related interfaces. Dotted line in Figure 1 — Terms and definitions,
represents the limit between driver and the TDS

4 Symbols and abbreviations
CCD Control Command Display
DMI  Driver Machine Interface
ERTMS European Rail Traffic Management System
ETCS European Train Control System
ETD Electronic Timetable Display
EVC European Vital Computer
FMEA Failure Mode and Effects Analysis
FIS  Functional Interface Specification
FSV  Function/Task Supervision
HW  Hardware
LCC Life Cycle Cost
MTBF Mean Time Between Failures
RAM(S) Reliability, Availability, Maintainability, (Safety)
SIL  Safety Integrity Level
STM Specific Transmission Module
SW  Software
TCMS Train Control and Monitoring System
TDC Train Display Controller
TDD Technical and Diagnostic Display

---------------------- Page: 10 ----------------------

SIST-TP CLC/TR 50542-1:2014
- 9 - CLC/TR 50542-1:2014
TDS Train Display System
THR Tolerable Hazard Rate
TRD Train Radio Display

5 Functions
5.1 Definitions
5.1.1 General
The functions described in this document are managed by the TDC and its connected systems. The following
subclauses give the list of those functions.
The functions below should be implemented in the interface between the TDC and the connected systems.
The interface may contain other functions not described in this document.

5.1.2 From TDC to connected systems
Button request: TDC request to connected system to give driver access to the related button.
Button deletion request: TDC request to connected system to remove driver access to the related button.
Indicator request: TDC request to connected system to display the related indicator.
Indicator deletion request: TDC request to connected system to remove the related indicator.
Text message request: TDC request to connected system to display a text message. The request can
consist of a reference to a text, or it can include the text itself.
Text message deletion: TDC request to connected system to remove a text message.
Sound on request: TDC request to connected system to start playing acoustic information to the driver.
Sound off request: TDC request to connected system to stop playing acoustic information to the driver.
Data entry request: TDC request to connected system to ask the driver to enter one or several data. The
request can contain one or more data values (e.g. default or current values) that can be modified by the driver,
and a text identifying the data for the driver.
Data confirmation request: TDC request to connected system to ask the driver to confirm one or several
data. The request can contain one or more unconfirmed data values (e.g. recently given by the driver).
Dataview request: TDC request to connected system to display data to the driver.
Dataview deletion request: TDC request to connected system to remove data from the display.
Continuous dataview request: TDC request to connected system to display continuously changing data (e.g.
speed, target distance).
Continuous dataview deletion request: TDC request to connected system to remove continuously changing
data (e.g. speed, target distance) from the display.

---------------------- Page: 11 ----------------------

SIST-TP CLC/TR 50542-1:2014
CLC/TR 50542-1:2014 - 10 -
Picture request: TDC request to connected system to display the related picture. The picture can consist of a
reference to a pre-loaded picture in the connected system, or a description of the picture itself, or a file.
Picture deletion request: TDC request to connected system to remove the related picture.
Picture upload request: TDC request to connected system to upload a picture in a display memory.
Status Reqest: TDC request status to connected system.

5.1.3 From connected systems to TDC
Button event report: connected system reports button event to TDC.
Ack: connected system reports (driver) acknowledgement to TDC. Ack can be performed by means of
acknowledgement of a text message, or by means of pressing a button, depending on the context.
General data input: connected system (train) provides data to TDC.
Data entry reply: connected system reports (driver) data entry to TDC.
Data confirmation reply: connected system reports (driver) confirmation or rejection of displayed data to
TDC.
Status answer: connected system reports its status to TDC.
5.1.4 Delays
For each function, a maximum delay is recommended (Tables 1 and 2). The following delays are defined for
the TDS (the time includes all the delays between displays and TDC external boundary, including displays and
TDC inner delays).

---------------------- Page: 12 ----------------------

SIST-TP CLC/TR 50542-1:2014
- 11 - CLC/TR 50542-1:2014
Table 1 - Delays from TDC boundary to display
from TDC to display Delay (ms)
500
button request
indicator request 250
text message request 500
text message deletion 1000
sound on request 250
sound off request 500
data entry request 500
data confirmation request 500
dataview request 1000
continuous dataview request 250
picture request 500
picture deletion request 500
status request 250

Table 2 - Delays from connected system to TDC boundary
from connected system to TDC Delay (ms)
button event report 250
ack 250
general data input (from starting of data) 1000
data entry reply 1000
data confirmation reply 1000
status answer 250

NOTE For special data, the delays given in the previous tables can be exceeded.

---------------------- Page: 13 ----------------------

SIST-TP CLC/TR 50542-1:2014
CLC/TR 50542-1:2014 - 12 -
5.2 Function analysis
5.2.1 Function failure modes and failure effects
5.2.1.1 General
The TDC is considered as category 2 system, according to EN 50159, due to the interaction with train
systems.
TDC should guarantee separation of safety data and non safety data as explained in EN 50159:2010, 7.2.2.
The failures defined for the TDC functions are defined in EN 50159:2010, 7.4.2, Table 1:
 REP: repetition
 DEL: deletion
 INS: insertion
 RES: re-sequencing
 COR: corruption
 DYD: delayed
The details of the relevant failure effects are given in the documents Railway applications — Driver's cab Train
Display Controller (TDC) — Part 2: Display systems FIS and Railway applications — Driver's cab Train
Display Controller (TDC) — Part 3: Other train systems FIS. Those documents list the consequences of each
of those effects on the interfaces.
5.2.1.2 General protection techniques
The reference for general protection techniques is EN 50159:2010, 7.4.
Applying Table B.1 of EN 50159:2010 to the TDC system leads to define it as a category 2 system. As a
consequence, Table B.2 of EN 50159:2010 induces not to consider the "MASQUERADE" as a threat (failure
mode).
...