In safety-critical environments where electronic visual displays are used, such as the operator's cab of a public transport vehicle, measures are taken to prevent such displays from misleading the operator by displaying a corrupted value when a failure occurs. In the particular case of a railway vehicle, safety-critical information to be displayed to the operator includes vehicle speed, brake pressure, engine temperature, closure status of doors and coupling status of the train set.
Consider an input signal encoding the value of a physical quantity (measured by a sensor provided in the vehicle, computed from measured values or read from a data register or the like) to be presented in human-readable format on a visual display. The display is controlled during operation by a display drive signal indicating the value of each pixel of the display image. As is known to those skilled in the art, the display image perceived by the viewer is a stream of images (frames) displayed sequentially at the update frequency of the visual display. Thus, as used herein, a display drive signal encodes the values of all pixels in a frame by enumerating them in some predefined order, and then starts over with the pixels of the next frame. In a composite display drive signal, values of more than one pixel may be enumerated at a time. In a digitally controlled visual display, the pixel values are chosen from a predefined discrete pixel value range with a finite number of elements. An element in the pixel value range may for instance correspond to a particular pixel colour to be produced by the visual display.
In a failure scenario, an error (e.g., a runtime error, a programming error or other systematic error) occurs in the process of generating the display drive signal on the basis of the input signal. This process may involve several steps, such as converting the information encoded by the input signal to a different number format, rounding off to a desired number of digits, converting to a suitable unit of the physical quantity, typesetting the number as a bitmap text image, colouring the text image (possibly in a manner dependent on the value, to warn the operator of out-of-range values), aligning the text image and adding constant graphical elements such as frames, logotypes, notations of quantities and units etc.
Visual displays of this type and corresponding safety measures have been described in the prior art. For instance, the applicant's own application published as EP 2254039 A1 discloses a visual display module according to the preamble of the independent claims in this application. EP 2273369 A1 and EP 2353089 A1 describe visual display modules having verification functionalities adapted to discover errors occurring in the processing steps by which the display drive signal is generated.
US 2007/0046680 A1 describes an aircraft instrument flight display, wherein a video graphics processor intermittently produces a display drive signal for rendering a predefined test page. An integrity checking function extracts a checksum from the display drive signal values for the test page, which are stored in a memory, and compares this with an expected checksum value for the test page.
US 2004/0249522 A1 describes a system for transmitting information onboard an aircraft. In a first implementation disclosed in this document, a checksum is transmitted from an avionics device acting as data source to an interface means for displaying the information. The interface means compares the received checksum with a checksum computed on the basis of the information as received. In an alternative implementation, the checksum computed in the interface means is transmitted back to the avionics device, in which the comparison takes place. In both implementations, either checksum is transmitted over the same data link as the information to be displayed.
U.S. Pat. No. 6,839,055 B1 discloses a system for providing an error indication of video data, in which a diagnostic routine generates a set of test video data and compares the generated error indication with a standard error indication to determine an error condition. If an error condition is determined to exist, a message to this effect is displayed on a display.
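The following Python sketch is an added illustration, not part of this application or of the cited documents, and models the two checksum-based verification patterns described above: a test page rendered through the display generation steps (number formatting, colouring, typesetting, alignment) whose checksum is compared with a value stored at commissioning, as in US 2007/0046680 A1, and a checksum carried over the same link as the value to be displayed, as in US 2004/0249522 A1. The 3x5 font, the frame geometry, the three-element pixel value range, the use of CRC-32 as the checksum and the simulated conversion fault are all constructed assumptions.

```python
import zlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed 3x5 font for typesetting the value; '1' marks a lit pixel.
GLYPHS: Dict[str, List[str]] = {
    "0": ["111", "101", "101", "101", "111"],
    "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"],
    "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"],
    "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"],
    "9": ["111", "101", "111", "001", "111"],
    ".": ["000", "000", "000", "000", "010"],
    "-": ["000", "000", "111", "000", "000"],
}

# Assumed discrete pixel value range of the display: background, normal text, warning text.
BACKGROUND, NORMAL, WARNING = 0, 1, 2
FRAME_WIDTH, FRAME_HEIGHT = 24, 7  # assumed frame geometry in pixels

Renderer = Callable[[float, float], List[List[int]]]


def typeset(text: str, colour: int) -> List[List[int]]:
    """Typeset text as a bitmap text image with one blank column after each glyph."""
    rows: List[List[int]] = [[] for _ in range(5)]
    for ch in text:
        glyph = GLYPHS[ch]
        for r in range(5):
            rows[r].extend(colour if bit == "1" else BACKGROUND for bit in glyph[r])
            rows[r].append(BACKGROUND)
    return rows


def render_frame(value: float, warn_above: float) -> List[List[int]]:
    """Generate one frame from the input value: round to one decimal, colour the
    text by range, and align it inside a one-pixel margin of a fixed-size frame."""
    text = f"{value:.1f}"
    colour = WARNING if value > warn_above else NORMAL
    image = typeset(text, colour)
    frame = [[BACKGROUND] * FRAME_WIDTH for _ in range(FRAME_HEIGHT)]
    for r, row in enumerate(image):
        for c, px in enumerate(row[: FRAME_WIDTH - 2]):
            frame[r + 1][c + 1] = px
    return frame


def faulty_render(value: float, warn_above: float) -> List[List[int]]:
    """Simulated systematic error in the number-format conversion step:
    the fractional part is dropped before typesetting (constructed fault)."""
    return render_frame(float(int(value)), warn_above)


def drive_signal(frame: List[List[int]]) -> bytes:
    """Enumerate every pixel of the frame in row-major order, one byte per pixel."""
    return bytes(px for row in frame for px in row)


def checksum(data: bytes) -> int:
    """CRC-32 used as the checksum (an assumption; any suitable function would do)."""
    return zlib.crc32(data) & 0xFFFFFFFF


# --- Test-page integrity check (pattern of US 2007/0046680 A1) ---

TEST_PAGE_VALUE = 88.8  # constructed test page: lights every segment of the font


def checksum_of_test_page(renderer: Renderer = render_frame) -> int:
    """Run the test page through the display generation steps and checksum the result."""
    return checksum(drive_signal(renderer(TEST_PAGE_VALUE, 100.0)))


def verify_test_page(expected: int, renderer: Renderer = render_frame) -> bool:
    """Re-render the test page and compare against the checksum stored at commissioning."""
    return checksum_of_test_page(renderer) == expected


# --- Checksum carried over the data link (pattern of US 2004/0249522 A1) ---

def encode_for_link(value: float) -> Tuple[bytes, int]:
    """Data source side: serialise the value and append its checksum."""
    payload = f"{value:.3f}".encode("ascii")
    return payload, checksum(payload)


def decode_from_link(payload: bytes, received_crc: int) -> Optional[float]:
    """Display side: recompute the checksum and reject the value on mismatch."""
    if checksum(payload) != received_crc:
        return None
    return float(payload)


if __name__ == "__main__":
    golden = checksum_of_test_page()  # stored in memory at commissioning
    print("test page ok:", verify_test_page(golden))
    print("test page ok with faulty renderer:", verify_test_page(golden, faulty_render))
    payload, crc = encode_for_link(12.5)
    print("link value:", decode_from_link(payload, crc))
    print("link corrupted:", decode_from_link(payload[:-1] + b"9", crc))
```

Two points the sketch makes concrete: the test-page check exercises every generation step but only for the fixed test value, so a fault affecting other values can pass it, and the link check verifies only that the value arrived as sent, not that the display pipeline rendered it correctly. The two therefore cover different parts of the chain.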
These known devices may be improved from the point of view of computational efficiency, such as by modifications or improvements allowing them to reach an equivalent verification or, as the case may be, a failure indication at less computational expense.
Furthermore, US 2011/157222 A1 relates to a system comprising a first, more secure domain, a second, less secure domain, and a monitor which is adapted to display data originating from the domains. A domain is defined as an embedded aircraft electronics system. In accordance with the different security levels of the domains, the system is adapted to display corresponding data either in an active or an inactive zone of the display, wherein user input is received only through the active zones. The system may adapt the number and extent of the active zones to command windows and similar input means as they are displayed on the monitor. The more secure domain controls the displayable colours for each zone and may select a colour configuration for inactive zones that is visually distinct from that of active zones. The operation may be controlled by a display management computer including a fusion module, wherein an integrity control arranged between the fusion module and the domains may be used in order to strengthen the security, e.g., by preventing the fusion module from receiving data whose origin is not authorized and passing these on to the monitor.