Guidance on Safety Requirements for Cab Signalling Systems


Synopsis
This document provides guidance on meeting the requirements of Railway Group Standard GE/RT8026.

Signatures removed from electronic version

This Guidance Note has been produced by Anne Blakeney, Standards Project Manager
Authorised by Brian Alston, Controller, Railway Group Standards

This document is the property of Railtrack PLC. It shall not be reproduced in whole or in part without the written permission of the Controller, Railway Group Standards, Railtrack PLC.

Published by:
Safety & Standards Directorate
Railtrack PLC
Evergreen House
160 Euston Road
London NW1 2DX

Copyright 2000 Railtrack PLC


Contents

Part A
- Issue Record 2
- Technical Content 2
- Application 2
- Health and Safety Responsibilities 2
- Supply 2

Part B
1 Purpose 3
2 Scope 3
3 Definitions 3
4 System Overview 4
5 General Safety Requirements
  5.1 Life Cycle System Safety 11
6 Modes of Operation
  6.1 Permitted Modes 15
7 Authorising and Protecting Train Movements
  7.1 Providing Movement Authorities
  7.2 Compatibility of Trains with Infrastructure
  7.3 Route Holding for an Authorised Movement
  7.4 Protection against Unsafe Events and Conditions 24
8 Controlling the Risks of Overrun and Excessive Speed
  8.1 Controlling and Mitigating Unauthorised Movements
  8.2 Controlling and Mitigating Excessive Speed 30
9 Driver's Interface (MMI)
  9.1 Provision of Movement Authority Information
  9.3 General Requirements for Information Displayed to Drivers
10 Non-Driver Interfaces
  10.1 Signaller's Interface (MMI)
  10.2 Protection for Trackworkers and Engineering Work
  10.3 Level Crossings
  10.4 Control of Unwanted System/Non-System Interactions
11 System Management
  11.1 System Maintenance
  11.2 System Operation
  11.3 Work Affecting System Operation 55
Appendix A Other Signalling Standards Relevant to RTMCS Requirements 58
References 60

Part A

Issue Record
This document will be updated when necessary by distribution of a complete replacement.

Issue: One
Date: December 2000
Comments: Original Document

Technical Content
Approved by:
Francis How, Principal Signal & Telecomms Engineer, Railtrack S&SD
Richard Evans, Principal, Operations, Railtrack S&SD
Keith Rose, Principal Vehicles Engineer, Railtrack S&SD
Enquiries to be directed to the Industry Safety Liaison Dept. Tel:

Application
Guidance Notes are non-mandatory documents providing helpful information relating to the control of hazards and often set out a suggested approach which may be appropriate for Railway Group members to follow.

Health and Safety Responsibilities
In issuing this document, Railtrack PLC makes no warranties, express or implied, that compliance with all or any document published by the Safety & Standards Directorate is sufficient on its own to ensure safe systems of work or operation. Each user is reminded of its own responsibilities to ensure health and safety at work and its individual duties under health and safety legislation.

Supply
Controlled and uncontrolled copies of this document may be obtained from the Industry Safety Liaison Dept, Safety and Standards Directorate, Railtrack PLC, Evergreen House, 160 Euston Road, London, NW1 2DX.

Part B

1 Purpose
The purpose of this document is to provide guidance on, and explanation of, the safety requirements for rail traffic management and control systems which make use of cab signalling. These safety requirements are defined in GE/RT8026 (hereafter referred to as the Standard).

2 Scope
The scope of this document is the same as that of the Standard.

3 Definitions

Cab Signalling
A system of signalling whereby a set of visual display devices, fitted in the driving cab of the train, conveys instructions and information regarding the driver's authority to proceed.

Degraded Modes
Any mode of operation which is used to keep trains moving under System failure conditions, when normal operational modes are not available.

Dynamic Data
Data which changes without direct human action during the day to day operation of the System. It includes data such as train speed, train position etc.

Dual Signalled Lines
Parts of the railway where lineside signals are provided for controlling the movement of conventional trains and the System controls the movement of cab-signalled trains in the same geographical area.

End of Movement Authority
End of Movement Authority (EoA) is the location to which the train is permitted to proceed and where the target speed of the train is zero.

European Rail Traffic Management System/European Train Control System
European Rail Traffic Management System/European Train Control System (ERTMS/ETCS) is the functional requirements specification and the UNISIG System Requirements Specification, reference Subset-026.

Exposed Groups
Groups of persons whose safety may be affected by the System. This includes passengers, railway workers, neighbours, users of level crossings, etc.

Fixed Infrastructure Element (of the System)
Those elements of the train control system which are located at the trackside and which perform high integrity safety functions. These elements are controlled by, and provide information back to, the interlocking and movement authority subsystems.

Fixed Operational Data
Data which configures the generic System design for a specific application. It does not change during the day to day operation of the System. It includes data such as gradients, speed limits (track and train), infrastructure layout data, default braking data etc.

Movement Authority
Movement Authority (MA) is an instruction given to a train or driver (usually by the System) which allows a train movement to be carried out, under the conditions of that MA (eg speed, direction, etc).

Man Machine Interface
Man Machine Interface (MMI) is the interface device which indicates information to the operator (user) and which is used by the operator for the purpose of operating the associated system(s).

Overlap
A protected length of track ahead of an EoA provided to mitigate the consequences of a train exceeding its EoA.

System
This refers to the rail traffic management and control system, which comprises both the train control system and the associated control centre systems.

Train Borne Element (of the System)
Those elements of the train control system which are located on the train and which perform high integrity safety functions. These elements are controlled by, and provide information back to, the interlocking and movement authority subsystems. These elements include associated sub-systems such as odometry where safety is dependent upon such sub-systems.

Variable Operational Data
Data which can be directly changed by operators and drivers during the day to day operation of the System. It includes data such as temporary speed restrictions, temporary prohibitions on the setting of routes, train length, train braking capability, etc.

Note: All technical terms and abbreviations contained in this document, other than those listed above, are defined in GK/RT.

4 Introduction

4.1 Overview
GE/RT8026 mandates the core safety requirements for train control systems which utilise cab signalling. The train control system requirements are based upon ERTMS/ETCS levels 2 and 3 functional requirements, but make few assumptions about the system architecture or technology. These systems are currently in the development stage and this document may be subject to refinement as the systems are developed.

This section of this document provides a descriptive overview of the System. Guidance on compliance with the mandatory requirements of GE/RT8026 is set out in sections 5 to 11.

4.2 Structure of this Document
The structure of this document is based upon six key areas associated with rail traffic management and control systems, namely:
a) Modes of Operation;
b) Movement Authorities;
c) Train Speed Control;
d) Driver's Man Machine Interface (MMI);
e) Non-Driver Interfaces; and
f) System Management.

For each of these key areas, a number of principal safety requirements have been developed, together with a number of more detailed requirements. A diagram of the Safety Requirements Structure and Hierarchy is provided on page 8.

The safety requirements are specified in a manner which is intended to facilitate compliance with the EC Directive on Interoperability, 96/48/EC, and all associated derivative specifications.

4.3 Main Functions of the System
The main functions of the System are to:
a) facilitate the efficient use of the track for the purposes of moving trains;
b) facilitate achievement of the timetable and recovery from train service perturbations;
c) ensure safety in the significant accident scenarios (see section 4.4).

4.4 Accident Scenarios Controlled by the System
The significant accident scenarios controlled by the System are:
a) collisions between trains (rear end, head on, same direction converging);
b) buffer stop collisions;
c) derailments and overturning of trains;
d) accidents at level crossings; and
e) accidents involving personnel working on the railway.

4.5 Hazards Mitigated by the System
The System has the potential to reduce the level of risk in some key areas compared with conventional signalling systems, notably:
a) passing the EoA (via Automatic Train Protection [ATP]);
b) overspeeding (via ATP);
c) exposure of trackside workers to hazards (less lineside equipment and better warning/access control); and
d) vandalism (less lineside equipment).

The System also provides the potential for mitigating the effects of other hazards which are not directly within the scope of the System's purpose. This arises largely because of the potential for revoking a MA and stopping a train more promptly than is possible with conventional lineside signalling. For these purposes, the System will be provided with inputs from other detection mechanisms (which are outside the scope of the System), to which it then responds accordingly.

4.6 Hazards Potentially Introduced by the System
The System has the potential for introducing new hazards or increased levels of risk compared with conventional signalling systems, including:
a) difficulties of proving train complete where train detection systems are not track-based;
b) potential errors in, or lack of knowledge about, train position information, particularly following catastrophic System failure where track circuits are not used;
c) the need for extensive input and modification of safety-critical data as part of the routine operation and use of the System;
d) greater difficulties in managing train movements in the event of a catastrophic System failure;
e) lack of broken rail detection where track circuits are not used;
f) controlling the movements of trains leaving possessions;
g) loss of trackside telephones; and
h) cultural changes and other human factors associated with changing from a lineside signalling system.

This document contains safety requirements that address these hazards.

4.7 System Description
A diagram of the outline System architecture is provided on page 9. This diagram, and the description given in the sections below, are not definitive or mandatory. The mandatory safety requirements, set out in Sections 5 to 11 of this document, make few assumptions about the System architecture. However, the diagram serves to illustrate the general scope/boundaries of the System and the broad partitioning of the safety functions between the main sub-systems.

The System comprises:

Interfaces for the Signaller and Others who Operate the System
These will typically include:
a) visual display units showing the movements of trains and status of the infrastructure, in pictorial and/or tabular form;
b) push-button control panels, keyboards and other devices for controlling the infrastructure and the train movements, controlling access for engineering work, etc; and
c) other interfaces such as Closed Circuit Television (CCTV) monitors for controlled level crossings and hot axle box detection reporting systems.

The signallers and other operators are considered to be a key element in the safe operation of the System, and therefore the likelihood of human error, the development of procedures, ergonomic issues and competency requirements are addressed by the requirements.

Train Routing and Regulation Sub-Systems
It is envisaged that normal train running will be handled automatically by the System, with relatively little need for the signaller to intervene. Typically, subsystems will be provided for:
a) the automatic setting of routes in accordance with timetable data and decision-making criteria; and
b) regulating the flow of trains (eg for energy-efficiency purposes or optimisation of throughput).

In addition to facilities for automatic train routing and routing initiated by the signaller, facilities may also be provided for trains to initiate route requests automatically (eg before they reach their EoA, or when waiting to depart from a station).

Where trains are following closely in moving block operation, the EoA for each train can be advanced incrementally, with reference to the rear of the train in front (allowing a suitable margin for safety). The giving of a MA, whether by the signaller or automatically, is based on the assumption that any train ahead is stationary, whether or not it is moving in practice.

Interlocking and Movement Authority Sub-Systems
These sub-systems perform the core safety functions of the fixed infrastructure. They comprise:
a) interlockings, which set, lock, prove and hold routes for the passage of trains in response to commands from the signaller and train routing and regulation sub-systems;
b) sub-systems which generate and receive/process data messages transmitted to/from the trackside equipment, the control centre, other interlockings and the trains.

These sub-systems have access to data about the fixed infrastructure and the trains which is necessary in order for correct MA and speed-related information to be given to the trains.

Trackside Equipment
The trackside equipment comprises items such as:
a) point operating mechanisms;
b) balises/loops (for train position determination and/or passing supplementary information to trains);
c) level crossings;
d) in dual-signalled areas, other conventional equipment such as signals, train detection equipment, Automatic Warning System (AWS), Train Protection and Warning System (TPWS); and
e) track-based train detection systems.

These items are controlled by, and/or provide information back to, the interlocking and MA sub-systems.

Train-Borne Sub-Systems
The train-borne equipment comprises:
a) the driver's MMI;
b) sub-systems which receive/process and generate data messages transmitted from/to the fixed infrastructure;
c) ATP sub-system; and
d) train position and train integrity equipment.

As with the interlocking and MA sub-systems, the train-borne sub-systems need to possess, or have access to, data about both the train and the fixed infrastructure. It should be noted that the safety requirements do not make assumptions about where in the System this data is held, nor which part of the System uses the data for calculating MAs, speed information, etc.

Train drivers are a key element in the safe operation of the System, and therefore the likelihood of human error, the development of procedures, ergonomic issues and competency requirements are addressed by the requirements.

Other Equipment
The requirements also make provision for the System to accept inputs from ancillary systems such as hot axle box detectors, dragging equipment detectors, etc. These are not regarded as part of the System itself, however.

In addition, the communication links between the various parts of the fixed infrastructure and trains are not necessarily part of the System. In many cases these will be open systems and transparent to the data, where the integrity of the System is independent of the communication links.

Other related train-borne systems, such as the train braking systems, train health monitoring systems, etc are key to the safe operation of the train, but are not regarded as part of the System.

Safety Requirements Structure and Hierarchy
(Diagram. The numerical references shown refer to the clause identities of the Requirements within this document.)

5 GENERAL SAFETY REQUIREMENTS
  5.1 Lifecycle System Safety
6 MODES OF OPERATION
  6.1 Permitted Modes
7 AUTHORISING AND PROTECTING TRAIN MOVEMENTS
  7.1 Providing Movement Authorities
  7.2 Compatibility of Trains with Infrastructure
  7.3 Route Holding for an Authorised Movement
  7.4 Protection against Unsafe Events and Conditions
8 CONTROL OF OVERRUN AND EXCESSIVE SPEED
  8.1 Controlling and Mitigating Unauthorised Movements
  8.2 Controlling and Mitigating Excessive Speed
9 DRIVER'S INTERFACE (MMI)
  9.1 Provision of Movement Authority Information
  9.2 Train Movements on Dual Signalled Lines and at Transitions
  9.3 General Requirements for Information Displayed to Drivers
10 NON-DRIVER INTERFACES
  10.1 Signaller's Interface (MMI)
  10.2 Protection for Trackworkers and Engineering Work
  10.3 Level Crossings
  10.4 Control of Unwanted System/Non-System Interactions
11 SYSTEM MANAGEMENT
  11.1 System Maintenance
  11.2 System Operation
  11.3 Work affecting System Operation

Outline System Architecture
(Diagram. Blocks shown: Train Routing and Regulation Sub-Systems; Signaller's Controls/Display Sub-Systems; Engineering and Operations Controls Sub-Systems; Interlocking and MA Sub-System; Trackside Equipment; Track/Train Transmitters and Receivers; Trainborne Sub-Systems. The control centre blocks are joined to the Interlocking and MA Sub-System by Fixed Communication Links; the Interlocking and MA Sub-System reaches the Trainborne Sub-Systems via Track/Train Communication Links.)

5 General Safety Requirements

5.1 Life Cycle System Safety
The overall level of safety associated with the use of the System shall be established and subsequently sustained throughout its operational life at a level which meets the requirements of legislation and the reasonable expectations of exposed groups.

Explanation: The "level of safety associated with the use of the System" should be understood to mean not just the safety provided by the System itself, but also the contribution from the procedures which are applied in the use of the System, and should take account of the manner in which the System is used (traffic speeds, traffic densities, regulation and timetabling issues). The term "exposed groups" includes consideration of the safety of all passengers, railway workers, neighbours, users of level crossings etc. The subject of "reasonable expectations" of exposed groups is developed further in a later section.

Guidance: European Standard prEN 50126 provides a process for establishing and sustaining safety (and non-safety) requirements throughout the life cycle of railway systems.

Related sections:

System Life Cycle Management
Railway Group members shall agree their respective responsibilities and implement suitable arrangements for System design and for controlling the System configuration and safety performance throughout the System life cycle.

Explanation: Suitable arrangements should include resources, organisational structures, defined responsibilities, processes and procedures.

Guidance: This requirement addresses the need for a "System Authority" or equivalent, supported by other organisations with defined roles, to provide for the safe management of the System throughout its life cycle, from concept to decommissioning. Key elements of the System Authority role are to ensure that the following activities are discharged:
- Specifying the System requirements;
- System and sub-system acceptance;
- System maintenance;
- Safety performance monitoring and corrective action;
- Configuration management;
- Change control.

European Standard prEN 50126 addresses some of the life cycle management issues relevant to this requirement.

Definition of Scope and Functionality of the System
The scope, functionality, proposed use and expected life of the System shall be defined sufficiently for the purposes of developing the detailed safety requirements of the System.

Guidance: The identification of the scope and functionality includes consideration of:
- the System architecture, including the hardware and software which comprises the System;
- the principal functions that the System is required to perform. This includes specific safety functions (eg the provision of ATP) and functional requirements (eg the types of train movements which the System must be able to support);
- the geographical scope of the System;
- the operational parameters which the System is required to meet or support (eg train speeds, train lengths, train braking capabilities; traffic types; traffic densities; timetabling and regulation requirements). In some cases (eg train braking capabilities) tolerances or ranges may be placed on these parameters, within which the System must continue to operate safely;
- other systems and entities with which the System is required to interface, operate or be compatible (ie other systems and equipment which form part of the fixed infrastructure, and trains);
- the human interfaces;
- the physical environment within which the System is required to operate;
- hardware and software tools which are required in order to support the safe design, testing, operation, maintenance and modification of the System.

In respect of the operational parameters, it should not be assumed that these are "givens" for which the System design has to provide appropriate solutions. In some cases it may be necessary to modify elements such as the track layout, traffic patterns, etc in order that a System with an acceptably low level of risk can be designed.

European Standard prEN 50126 provides further guidance on the development of the scope and functionality requirements, under the life cycle phases of "Concept" and "System Definition and Application Conditions".

Related sections: 5.1.3; 10.4.

Development of Detailed Safety Requirements
Detailed System requirements, which are relevant to safety, shall be established for the purposes of System design, testing and acceptance.

Explanation: The term "System requirements" should be understood in this context to include all those requirements which are relevant to the safety performance of the System. This includes:
- functional requirements relating to the purposes for which the System is provided;
- specific safety requirements (both functional and non-functional);
- Reliability, Availability, Maintainability and Safety (RAMS) targets;
- Safety Integrity Levels (SILs).

Guidance: The requirements should be traceable to, and demonstrably compliant with, the core safety requirements specified in GE/RT8026. It will also be necessary to identify requirements in other RGSs which are applicable or relevant to the development of the detailed Safety Requirements (see Appendix A).

Requirements should be partitioned between the various sub-systems that comprise the System. This may also include the need to partition "safety responsibility" between the System and the people who use/operate the System.

The requirements should address the wider concept of "fitness for purpose". This term includes reliability, availability and maintainability, and also embraces the concept of the System being suitable for use. The design and construction should be such that the System is user-friendly and ergonomically appropriate. By so doing, its full and proper use will be promoted. Conversely, a system which is not user-friendly or ergonomically appropriate may result in it being used improperly, which could in turn affect safety.

European Standard prEN 50126 provides further guidance on the development of the System requirements, under the life cycle phases of "Risk Analysis", "System Requirements" and "Apportionment of System Requirements".

The System shall comply with relevant UK and EC legislation and HMRI Safety Principles.

EC legislation includes:
- EC Directive on Interoperability, 96/48/EC, and all derivative specifications thereof;
- CENELEC Standards (including those with prEN and ENV status), notably 50121, 50126, 50128, and others. Some of these Standards relate to processes for System development, design and life-cycle management, and are not confined simply to the System requirements;
- ETCS Functional Requirements Specification, reference A 200/FRS, dated 27/08/96.

Related sections: 5.1.2.

Development of Operational Procedures
The associated rules/procedures for the safe operation of the railway shall be developed in conjunction with the System requirements.

Guidance: Human factors analysis should be undertaken to facilitate the development of operational rules and procedures.

Related sections: 6.1.3.

Safety Targets
The totality of risk associated with the operation of the System, and where appropriate the particular level of risk associated with sub-systems and elements of the System, shall be:
a) tolerable; and
b) As Low As Reasonably Practicable (ALARP); and
c) no worse than at present.

Guidance: There should be clarity as to what hazards are controlled by the System, and whether the control of each hazard is achieved entirely by the System, or is dependent upon other control measures outside the System. So far as is possible, the contribution made by the System in controlling each hazard should be quantified.

The "totality of risk" should take into account not only the hazards relating to the System itself (malfunction etc) but also the risks associated with the use of the System. Included within this latter category are: track layout; train speeds; traffic densities; movements onto occupied lines; rules and procedures for operation and maintenance etc.

The requirement for risk to be "no worse than at present" should be interpreted as meaning that the overall level of risk should be no worse (and ideally substantially lower) than the level which existed with the conventional signalling that the System replaces, even though speeds might be increased and the traffic density greater. This requires a whole railway approach to risk apportionment and management.

Further guidance on the assessment and management of risk is provided in the Engineering Management System, Issue 3 (Yellow Book 3).

Special attention should be given to the identification and mitigation of hazards arising from the change from a conventional signalling system to one based on in-cab signalling. Two key areas for consideration are those of "lost benefits" and "human factors":
- Lost benefits include factors such as: the loss of track circuiting (rail breaks are consequentially less readily detected and track circuit operating clips are ineffective); the loss of lineside "landmarks" (signals, etc) for on-track personnel to use for locating their position; loss of trackside telephones.
- Human factors issues include: the major cultural changes associated with changing from a lineside signalling system (affecting operators, maintainers, emergency services, etc); assumptions inherent in ways of working which are no longer valid for an in-cab System; the capability of people to manage the railway under normal, degraded and total failure conditions.

The System should be designed so that no credible failure mode exists which could lead to a hazard resulting in an unacceptable level of risk. Situations where hazards arise may include, but are not necessarily confined to:
- exceeding an EoA by an extent which jeopardises safety (see section 8.1);
- travelling at unsafe speed (see section 8.2);
- issuing/displaying a MA for a movement which it is not safe to make (see section 7.1 and section 7.3);
- issuing a MA to the wrong train (see section 9.1);
- jeopardising an authorised train movement (see section 7.3);
- inability to revoke a MA in an emergency (see section 7.4);
- inadequate protection of pedestrians and vehicular traffic at level crossings (see section 10.3);
- inadequate protection of trains and trackworkers when engineering work is taking place (see section 10.2);
- loss of control resulting in heavy dependency upon Degraded Modes of operation (see section 6.1);
- loss of route inhibition facilities (see section 10.1).

The term "failure modes" includes modes whereby hidden failures, in combination with other subsequent failures, could lead to a hazardous situation. Formal hazard identification and risk assessment will be necessary in order to determine those hazards that present an unacceptable level of risk and therefore require controlling. The measures applied are likely to address both causes and consequences of the hazards, rather than focussing solely on either prevention or mitigation.

Consideration should be given to the choice of data transmission protocols, to ensure that the overall System safety performance cannot be jeopardised by faults or errors within the various data transmission sub-systems.

Related sections: 5.1; 6.1; 6.1.1; 7.1; 7.3; 7.4; 8.1; 8.2; 9.1; 10.1; 10.2.

Compliance with Standards for Conventional Signalling
Where the System is provided in conjunction with conventional lineside signalling systems, the requirements for the lineside signalling system are set out in Railway Group Standard GK/RM0501.

Explanation: The reference to GK/RM0501 should be understood to refer to all Standards that apply to lineside signalling. These Standards are listed in the introductory sections to GK/RM0501.

Guidance: Typical scenarios include transitions between lineside signalling and the System, and dual-signalled areas. Lineside signals on dual signalled lines may be, but do not have to be, equipped with ATP. They do, however, have to be equipped with a train protection system in accordance with the requirements of the Railway Safety Regulations.

System Life Cycle Design
The System shall be designed so as to ensure that it can be constructed, installed and tested, and subsequently operated, maintained, modified and decommissioned safely.

18 Page 16 of 16 for Cab Signalling Systems Guidance: This requirement addresses the need for designers to design for continuing safety throughout the System life cycle. This involves consideration of safety issues affecting trains, the public and personnel who use or work on the System. Amongst the issues to be addressed through this requirement are: 6 Modes of Operation - obsolescence of hardware and software; - appropriate architecture and design of hardware and software in order to minimise the level of risk associated with modifications; - provision of diagnostic aids to support maintenance. 6.1 Permitted Modes The permitted modes of operation associated with the use of the System shall be defined for both normal and credible failure conditions. Explanation: The term "modes of operation" refers to the different ways in which drivers and signallers use and interact with the System. For a driver, these may include the modes listed below. Modes also need to be defined for the signaller, and possibly for other users. Operational modes for drivers (this list is provided for example purposes only, and is not necessarily exhaustive): - off; - undergoing self-test/initialisation; - on but inactive; - active and providing full driver supervision for running movements; - active and providing driver supervision for shunting movements; - failed (no driver supervision but cab signalling operational); - failed (partial driver supervision but cab signalling operational); Guidance: For System design purposes, it may also be appropriate to define System modes. However, these will not necessarily correspond to operational modes, and in some cases may not have any real "meaning" for a user of the System. Related sections: Safety levels for individual modes For each normal and degraded mode of operation, the overall level of safety achieved and the apportionment of safety responsibility between the System and the users shall be clearly defined. 
Guidance: The overall level of safety shall take into account both the safety provided through operational procedures, and that provided by the System. It is important, for each mode, that the degree of responsibility for safety placed upon the users (drivers and signallers) is clearly understood.

Related sections:

Transitions Between Modes

The permitted transitions between the various modes of operation (both normal and degraded) shall be defined.

Guidance: It is important for safety that there are defined conditions to be met before a change can be made from one mode of operation to another. These conditions will determine in part the procedural requirements (see section 6.1.3), and may also determine aspects of the System design. It will not normally be possible to make a transition from any one mode to all other modes. Only some transitions will be permitted.
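As an added illustration of the two requirements above (Permitted Modes and Transitions Between Modes), the Python below expresses the driver modes from the example list as an explicit transition table, with the conditions that must hold before each transition and the apportionment of safety responsibility recorded per mode. This is not code from the guidance document or from any signalling supplier: the mode names follow the document's list, but the transition table, the condition names (`train_at_stand`, `link_to_infrastructure_up`, `supervision_fault_detected`, etc.) and the responsibility text are constructed assumptions for illustration only.

```python
from __future__ import annotations
from enum import Enum


class DriverMode(Enum):
    """Driver operational modes, following the example list in the guidance."""
    OFF = "off"
    SELF_TEST = "undergoing self-test/initialisation"
    INACTIVE = "on but inactive"
    FULL = "active, full driver supervision for running movements"
    SHUNT = "active, driver supervision for shunting movements"
    FAILED_PARTIAL = "failed (partial driver supervision, cab signalling operational)"
    FAILED_NONE = "failed (no driver supervision, cab signalling operational)"


# Who principally ensures safety in each mode (assumed apportionment, for illustration).
RESPONSIBILITY = {
    DriverMode.OFF: "n/a (train not in service under the System)",
    DriverMode.SELF_TEST: "n/a (no movement permitted)",
    DriverMode.INACTIVE: "n/a (no movement permitted)",
    DriverMode.FULL: "System",
    DriverMode.SHUNT: "shared: System enforces the low-speed ceiling, driver observes",
    DriverMode.FAILED_PARTIAL: "shared: driver, with partial System supervision",
    DriverMode.FAILED_NONE: "driver and signaller, under degraded-mode procedures",
}

# Permitted transitions and the (assumed) conditions that must ALL hold first.
# Any pair absent from this table is not permitted at all, so OFF -> FULL or
# FAILED_NONE -> FULL cannot happen by any route other than the listed ones.
PERMITTED = {
    (DriverMode.OFF, DriverMode.SELF_TEST): ("power_applied",),
    (DriverMode.SELF_TEST, DriverMode.INACTIVE): ("self_test_passed",),
    (DriverMode.SELF_TEST, DriverMode.OFF): (),
    (DriverMode.INACTIVE, DriverMode.OFF): ("train_at_stand",),
    (DriverMode.INACTIVE, DriverMode.FULL): ("train_data_configured", "link_to_infrastructure_up"),
    (DriverMode.INACTIVE, DriverMode.SHUNT): ("train_data_configured", "shunting_selected"),
    (DriverMode.FULL, DriverMode.SHUNT): ("train_at_stand", "shunting_selected"),
    (DriverMode.SHUNT, DriverMode.FULL): ("train_at_stand", "link_to_infrastructure_up"),
    (DriverMode.FULL, DriverMode.FAILED_PARTIAL): ("supervision_fault_detected",),
    (DriverMode.FULL, DriverMode.FAILED_NONE): ("supervision_fault_detected",),
    (DriverMode.FAILED_PARTIAL, DriverMode.FAILED_NONE): ("supervision_fault_detected",),
    # Recovery from a failed mode re-enters through self-test with the train at a
    # stand; there is deliberately no direct path back into full supervision.
    (DriverMode.FAILED_PARTIAL, DriverMode.SELF_TEST): ("train_at_stand",),
    (DriverMode.FAILED_NONE, DriverMode.SELF_TEST): ("train_at_stand",),
}


def permitted_targets(current: DriverMode) -> set[DriverMode]:
    """Modes reachable from `current` in one transition, ignoring conditions."""
    return {dst for (src, dst) in PERMITTED if src is current}


def request_transition(current: DriverMode, target: DriverMode,
                       conditions: dict[str, bool]) -> tuple[bool, str]:
    """Decide a requested mode change and return (allowed, reason).

    An unlisted pair is refused outright.  A listed pair is refused if any of
    its conditions is missing from `conditions` or False, so an unknown state
    fails towards refusal rather than towards a mode change.
    """
    required = PERMITTED.get((current, target))
    if required is None:
        return False, f"transition {current.name} -> {target.name} not permitted"
    unmet = [c for c in required if not conditions.get(c, False)]
    if unmet:
        return False, f"conditions not met: {', '.join(unmet)}"
    return True, f"entering {target.name}; safety responsibility: {RESPONSIBILITY[target]}"


if __name__ == "__main__":
    print(request_transition(DriverMode.INACTIVE, DriverMode.FULL,
                             {"train_data_configured": True, "link_to_infrastructure_up": True}))
    print(request_transition(DriverMode.FAILED_NONE, DriverMode.FULL, {"train_at_stand": True}))
    print(sorted(m.name for m in permitted_targets(DriverMode.FAILED_NONE)))
```

The table form makes the "only some transitions will be permitted" property reviewable in one place: a safety assessor can read off every permitted pair and its entry conditions, and anything not written down is refused.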

Related sections: 6.1.3;

Procedures and Rules for Modes

Rules and procedures shall be defined and implemented, and relevant supporting information provided for:

a) each normal and degraded mode of operation;
b) the means of transition from one mode to another; and
c) recovery from credible failure conditions.

Explanation: "Procedures and supporting information" includes: Rule Book, signallers' and drivers' instructions etc, which tell users how they are to perform, and what their responsibilities are.

Guidance: This requirement also points to the need for ancillary information (particularly for ensuring safety when operating in degraded modes), such as: lineside position markers, point end identifiers on the track for use by route setting Agents, route setting tables and track layout diagrams for signallers.

Particular attention will need to be paid to the integrity of variable operational data (eg prohibitions) and dynamic data (eg train positions) during the process of restoration from credible failure conditions.

RGS GO/RT3437 specifies the requirements for taking trains out of service in the event of a failure of a train-borne sub-system.

Related sections: 5.1.4; 6.1.2; 6.1.6; ; ;

System Availability for Normal Modes

The reliability and availability of the System shall be such as to avoid, so far as is reasonably practicable, the need to use degraded modes of operation instead of normal modes.

Guidance: High reliability/availability at the operational level may be achieved by high inherent sub-system reliability, coupled with additional measures such as redundancy, other suitable standby arrangements and graceful degradation mechanisms.

Related sections:

Hierarchy of Degraded Modes

The degraded modes of operation shall be arranged in a hierarchy, so that modes in which safety is ensured principally by the System are used in preference to those that depend principally upon human action.
Guidance: The hierarchy of modes, and the conditions for entry to them, should be such as to prevent, so far as is achievable, the System failing to an unpredictable or unsafe state. So far as is reasonably practicable, the degradation of the System from normal modes through its degraded modes should be designed so as to be "graceful".

So far as reasonably practicable, the System should continue to provide the following functionality in degraded modes of operation:

- conflicting/opposing movements should not be authorised;
- level crossings should be proved to be safe for the passage of trains and the stopping of road traffic;
- points should be proved to be in the correct position and prevented from moving;
- restricted MAs (eg for movements at low speed) should be issued to trains by the System, in preference to the use of verbal instructions;
- movements should continue to be made under the protection of ATP (even if the ATP is operating in a partial supervision mode);
- the route ahead should be clear of trains.

Degraded modes of operation may include the use of release facilities to permit the signaller to override controls within the System. However, such facilities should be used in conjunction with suitable protection measures which prevent errors in their use.

Related sections:

Design for Recovery from Degraded Modes

The design of the System shall facilitate safe recovery from credible failure conditions and degraded modes.

Guidance: So far as is reasonably practicable, the design of the System should provide information to help users with recovery from failure conditions, and also incorporate checks so as to avoid errors when undertaking the recovery process, where such errors could lead to a loss of safety.

Related sections: 6.1.3; 10.1;

7 Authorising and Protecting Train Movements

7.1 Providing Movement Authorities

The MA shall not be given to a train unless the status/condition of the infrastructure and the positions/movements of other trains are such that the intended train movement can be made safely.

Guidance: This requirement is to be complied with both for movements made entirely within the control area of the System, and for movements which cross boundaries between the System and other train control systems.

It is permissible for a MA to be given for a restricted (eg low speed) movement under certain normal and degraded modes of operation. In these circumstances, some of the supporting sections for this section may be waived.

Related sections: 5.1.5; ;

Position of Points

The MA shall not be given to the train unless all points and other items of moveable infrastructure over which the train is to pass, and those which provide protection against unauthorised conflicting train movements, are proved to be in their required position.
Guidance: "Points and other items of movable infrastructure" includes points operated from ground frames, if provided, although the use of ground frames within an area controlled by the System is not generally considered necessary or desirable.

Related sections: 7.1.5;

Conflicting Train Positions

The MA shall not be given to the train if any other trains, or portions of trains, are occupying the track over which the train is to pass, or are positioned foul of the track over which the train is to pass.

Guidance: This requirement may be waived, or applied only to a limited extent, for certain modes of operation (eg degraded modes, joining movements, movements into sidings, movements into possessions where engineering trains are working, etc). In such cases, a restricted MA may be given.

This requirement provides protection against both legitimately positioned trains on the track ahead and trains that have overrun their EoA.

Conflicting Routes

The MA shall not be given to the train if a conflicting MA has been issued which permits another train to occupy the track over which the train is to pass, or which permits another train to occupy a track where it would be positioned foul of the track over which the train is to pass.

Guidance: None.

Level Crossings

The MA shall not be given to the train unless all manned and automatic level crossings over which the train is to pass are safe for the passage of the train.

Explanation: Manned and automatic level crossings include signaller-operated (ie controlled) crossings, automatic half barrier crossings, automatic open crossings and miniature stop light crossings.

Guidance: Controlled level crossings must be set and locked for the passage of the train. So far as is reasonably practicable, automatic level crossings should be proved to be capable of working (ie there should be no known faults which would prevent safe operation when the train approaches).

Related sections: 7.3.2; 7.3.3; ;

Proving and Locking of Overlaps

Where an overlap is provided, then before the MA is given to the train, the overlap shall:

a) be proved to be free of trains (both on and foul of the overlap); and
b) have no MAs issued which make use of the overlap; and
c) have all points that are within or that protect the overlap proved to be in the required position.

Guidance: The requirements for the provision of an overlap are to be found in sections and . The reference to points includes points operated from ground frames (see also section 7.1.1). It is implicit within the second bullet point of this requirement that shared overlaps are not permitted.
Related sections: 7.1.1; 7.3.1; 8.1.7;

Position of End of Movement Authority

If it is likely that the train will be brought to a stand at the EoA, then the EoA shall not usually be positioned where an inappropriate level of risk could arise.

Explanation: Examples of a position where "an inappropriate level of risk could arise" include in a tunnel or on a viaduct, or with the train standing partially alongside a platform, or where a road user's visibility of the railway at a user-worked or open crossing would be obstructed by the stationary train. The word "usually" is an acknowledgement of the fact that compliance may not always be practicable. In some cases a greater level of risk may arise if the train is not stopped at one of these locations.

Related sections:
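The supporting requirements above, from Position of Points through Position of End of Movement Authority, together form a single issue-or-refuse decision that the fixed infrastructure makes before any MA is given. The Python below is an added worked example of that decision, not code from the guidance document or from any signalling supplier: it evaluates each of those checks against a small constructed layout and reports every reason for refusal rather than stopping at the first. The data model, the identifiers (T1, P1, LC1, AHB2, 1F22, 2A10) and the layout are assumptions; the "shall not usually" EoA-position requirement is reported as a warning rather than a refusal, matching the guidance that stopping elsewhere may sometimes carry more risk.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Points:
    detected: str | None   # "normal", "reverse", or None when detection is lost
    locked: bool

@dataclass(frozen=True)
class Section:
    occupied: bool         # a train, or portion of a train, stands on the section
    foul: bool             # something stands foul of the section

@dataclass(frozen=True)
class Crossing:
    controlled: bool       # signaller-operated; False means automatic
    set_and_locked: bool   # used for controlled crossings
    known_fault: bool      # used for automatic crossings

@dataclass
class Infrastructure:
    points: dict[str, Points]
    sections: dict[str, Section]
    crossings: dict[str, Crossing]
    issued_mas: dict[str, frozenset[str]]   # train -> sections (incl. overlap) its MA uses
    risky_stop_locations: frozenset[str]    # tunnels, viaducts, part-platform positions

@dataclass
class MovementRequest:
    train: str
    sections: list[str]               # track over which the train is to pass
    points_required: dict[str, str]   # points passed over or protecting the route -> position
    crossings: list[str]
    overlap_sections: list[str]       # empty where no overlap is provided
    overlap_points: dict[str, str]    # points within or protecting the overlap -> position
    eoa: str                          # section containing the EoA
    likely_to_stop_at_eoa: bool


def _points_proved(wanted: dict[str, str], infra: Infrastructure, label: str) -> list[str]:
    """Points must be detected in the required position and locked; unknown points fail."""
    return [f"{label}: points {pid} not proved {pos} and locked"
            for pid, pos in wanted.items()
            if (p := infra.points.get(pid)) is None or p.detected != pos or not p.locked]


def check_movement_authority(req: MovementRequest, infra: Infrastructure) -> tuple[list[str], list[str]]:
    """Return (refusals, warnings); the MA may be given only if refusals is empty."""
    refusals: list[str] = []
    route = list(req.sections) + list(req.overlap_sections)
    # Position of Points, and overlap condition (c)
    refusals += _points_proved(req.points_required, infra, "route")
    refusals += _points_proved(req.overlap_points, infra, "overlap")
    # Conflicting Train Positions, and overlap condition (a): free of trains, on or foul
    for sid in route:
        s = infra.sections.get(sid)
        if s is None:
            refusals.append(f"section {sid} unknown to the System")
        elif s.occupied or s.foul:
            refusals.append(f"section {sid} occupied or fouled")
    # Conflicting Routes, and overlap condition (b): no other MA uses the route or overlap
    for other, granted in infra.issued_mas.items():
        if other != req.train and granted.intersection(route):
            refusals.append(f"conflicting MA already issued to {other}")
    # Level Crossings: controlled ones set and locked, automatic ones without known faults
    for cid in req.crossings:
        c = infra.crossings.get(cid)
        if c is None:
            refusals.append(f"crossing {cid} unknown to the System")
        elif c.controlled and not c.set_and_locked:
            refusals.append(f"controlled crossing {cid} not set and locked")
        elif not c.controlled and c.known_fault:
            refusals.append(f"automatic crossing {cid} has a known fault")
    # Position of End of Movement Authority ("shall not usually"): reported, not blocking
    warnings: list[str] = []
    if req.likely_to_stop_at_eoa and req.eoa in infra.risky_stop_locations:
        warnings.append(f"EoA {req.eoa} is a high-risk stopping location")
    return refusals, warnings


# Constructed sample layout (assumed identifiers): sections T1..T6, points P1 and P2,
# a controlled crossing LC1, an automatic crossing AHB2 with a known fault, a tunnel at T3.
SAMPLE = Infrastructure(
    points={"P1": Points("normal", True), "P2": Points(None, False)},
    sections={"T1": Section(False, False), "T2": Section(False, False), "T3": Section(False, False),
              "T4": Section(True, False), "T5": Section(False, True), "T6": Section(False, False)},
    crossings={"LC1": Crossing(True, True, False), "AHB2": Crossing(False, False, True)},
    issued_mas={"2A10": frozenset({"T5", "T6"})},
    risky_stop_locations=frozenset({"T3"}),
)

def clear_request() -> MovementRequest:
    """1F22 over T1-T2 with overlap T3: every check passes, so the MA may be given."""
    return MovementRequest("1F22", ["T1", "T2"], {"P1": "normal"}, ["LC1"], ["T3"], {}, "T2", False)

def blocked_request() -> MovementRequest:
    """1F22 over T1-T4 with overlap T5: undetected points, occupied and fouled track,
    a conflicting MA held by 2A10 and a faulty automatic crossing each refuse the MA."""
    return MovementRequest("1F22", ["T1", "T4"], {"P2": "reverse"}, ["AHB2"], ["T5"], {}, "T4", True)
```

Returning the complete list of refusals, rather than a single boolean, is what makes the decision auditable: a signaller or maintainer can see which of the supporting requirements was not met, and an unknown section, crossing or set of points is treated as unproved rather than as absent.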

Engineering Work

The MA shall not be given to the train if engineering work has been authorised to take place which could jeopardise the safety of the train movement.

Explanation: "Engineering work" includes work on the System itself.

Guidance: The imposition of a temporary/emergency speed restriction does not of itself constitute engineering work, for the purposes of this section. A restricted MA may be given for the purposes of gaining access to a possession (see section ).

Related sections: ;

Prohibitions on Route Setting

The MA shall not be given to the train if a prohibition relevant to the intended movement has been entered into the System.

Explanation: A prohibition has the effect of preventing trains from moving over a portion of track. A prohibition could also be applied for other circumstances, eg to permit trains to run over a set of points in one position only, or to permit trains to run over a portion of track in one direction only.

Related sections: ;

Operational Data

The MA shall not be given to the train if changes are at the same time being made to the operational data within any part of the fixed infrastructure element of the System which could thereby jeopardise the safety of the train movement.

Guidance: This includes the imposition or removal of speed restrictions, possessions, prohibitions etc. However, it does not include engineering work which affects fixed operational data (this is covered by section ).

Related sections: 7.3.5;

Unsafe Events or Conditions

The MA shall not be given to the train if an unsafe event or condition has occurred which may jeopardise the safety of the train movement and for which protection is provided through the train control system.

Explanation: Examples of unsafe conditions may include broken rails, unauthorised conflicting train movements, prohibition on trains passing in tunnels or on bridges, a detectable fault within the System itself, etc.
For further examples, see section 7.4.

Related sections:

Provision of Data to Train

The MA shall not be given to the train unless all the data that originates from the fixed infrastructure element of the System can be made available to the train when required for the train movement to be made safely.

Explanation: The 'data' includes data required by the driver interface and data required for the ATP sub-system.

Guidance: This does not necessarily mean that data must be made available for the whole of the train movement up to the EoA at the time that the MA is given to the train. It is permissible for data to be issued which comprises a non-zero target speed and distance to go (to the point at which the target speed applies), with the EoA beyond the target speed point. The train then either receives further data before reaching the target speed point to enable it to complete the movement or, if no such data is received, the train is brought to a stand with a service brake application at or before the EoA. Where this approach to the provision of data is adopted, the target speed must be such that the train can be brought to a stand in the distance between the target speed point and the EoA.

Related sections:

7.2 Compatibility of Trains with Infrastructure

Control measures shall be applied to prevent a train from being given a MA if the train is not compatible with the infrastructure over which it is to move.

Explanation: This requirement addresses the need for:

- physical compatibility;
- electrical compatibility;
- compatibility and operational availability of the train-borne elements of the System with the fixed infrastructure elements of the System.

System Requirements for Trains Entering an Area Controlled by the System

A train shall be permitted to enter or commence service within an area controlled by the System only if:

a) the train is fitted with sub-systems which are compatible with the fixed infrastructure element of the System, are operational, and are configured for the train; and
b) the fixed infrastructure element of the System is in possession of data associated with the train which is required for safety of the train movement.

Explanation: The train-borne sub-systems referred to in this document also include associated sub-systems such as odometry and train integrity, where the overall safe operation of the System is dependent upon such sub-systems. A train is regarded as commencing service when it is powered up, or if any operation is performed which necessitates changing the variable operational data associated with the train (eg attaching/detaching vehicles, change of driving ends).

Guidance: The term "operational" includes the need for the train-borne systems to be working and communicating correctly with the fixed infrastructure.
The term "configured" includes the need for the train to be in possession of train-borne operational data such as train length, braking capability, etc.

The "data associated with the train" which the fixed infrastructure element of the System requires for safety purposes may include:

- train position;
- train length (where train detection makes use of train-borne sub-systems, rather than track-based detection);
- train speed, direction of travel, braking capability, etc (where the train is entering an area).

Although lineside signals and/or signs will usually be the means by which a driver is given permission to enter an area under control of the System, it may be necessary to supplement these by the use of over-run protection measures such as Train Protection Warning System (TPWS) to prevent unsuitable trains from entering the area.

Exceptionally, arrangements may be provided for trains to enter/commence service in an area controlled by the System when full compliance with this supporting requirement is not possible. Typically these would be degraded mode conditions, or in response to an emergency (eg a rescue train).

There will need to be a defined procedure for the preparation of a train to commence service in order to ensure compliance with this requirement.

Related sections: 7.2.3;

Physical and Electrical Compatibility of Trains

A train shall be permitted to enter or commence service within an area controlled by the System only if the physical and electrical characteristics of the train are compatible with the fixed infrastructure.

Guidance: In general, compatibility requires consideration of three types of factors:

- fixed factors, such as the structure gauge/train envelope compatibility;
- variable (but predictable) factors such as train length;
- variable (and unpredictable) factors such as failures of equipment/systems on the train.

Physical compatibility includes consideration of safety-related issues such as kinematic envelope (including those related to tilting trains); stepping distances; train length; train nose overhang; operation of train detection equipment, etc. Electrical compatibility includes issues such as electric traction requirements; electrical interference with signalling and other systems; operation of train detection equipment, etc.

It may also be necessary to prevent a train from entering an area if the train has credible fault conditions which could make the train incompatible with the infrastructure (eg failure of a tilt mechanism or of part of the traction power control system). It may be necessary to have special arrangements to permit out-of-gauge loads (eg special freight trains, tilting trains that have suffered potentially unsafe tilt failure) to be moved.
Related sections: ;

Intentional Splitting of Trains

Where a train is intentionally divided within an area controlled by the System, all portions shall be maintained at a stand and treated as a single train (so far as their identity within the System is concerned) until each is:

a) either recognised by the System as an operational and complete train in its own right; or
b) protected from collision by other means.

Explanation: An example of the intentional dividing of trains includes splitting for the purposes of creating two or more trains. Protection from collision may be by track-based train detection systems, or by other means which form part of the functionality of the System.

Guidance: In order for a train to be "operational and complete" it must meet the requirements of section . There will need to be a defined procedure for the division of trains in order to ensure compliance with this requirement.

Related sections:
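Two of the checks above lend themselves to a worked example: the entry conditions under System Requirements for Trains Entering an Area Controlled by the System (train-borne sub-systems compatible, operational and configured, and the fixed infrastructure holding position, speed, direction and braking capability, with train length required only where detection relies on train-borne sub-systems), and the target-speed/distance-to-go form of data under Provision of Data to Train, where the target speed must allow the train to be brought to a stand between the target speed point and the EoA. The Python below is an added example, not code from the guidance document or from any supplier; a constant service-brake deceleration on level track, the field names and the sample values are assumptions, and a real System would also allow for gradient, brake build-up time and odometry error.

```python
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TrainReport:
    """Variable operational data the fixed infrastructure holds for one train (assumed fields)."""
    train_id: str
    onboard_compatible: bool          # train-borne sub-systems compatible with the fixed infrastructure
    onboard_operational: bool         # working and communicating with the fixed infrastructure
    configured: bool                  # train-borne data (length, braking capability) entered
    position_m: float | None          # along-track position; None where not reported
    length_m: float | None
    speed_mps: float | None
    direction: str | None             # "up" or "down"
    service_brake_mps2: float | None  # guaranteed service-brake deceleration


def entry_permitted(t: TrainReport, onboard_detection: bool) -> list[str]:
    """Reasons the train may NOT enter or commence service; an empty list means permitted.

    `onboard_detection` is True where train detection relies on train-borne
    sub-systems, in which case train length is required data.
    """
    reasons = []
    if not t.onboard_compatible:
        reasons.append("train-borne sub-systems not compatible with fixed infrastructure")
    if not t.onboard_operational:
        reasons.append("train-borne sub-systems not operational")
    if not t.configured:
        reasons.append("train-borne operational data not configured")
    required = {"position_m": t.position_m, "speed_mps": t.speed_mps,
                "direction": t.direction, "service_brake_mps2": t.service_brake_mps2}
    if onboard_detection:
        required["length_m"] = t.length_m
    reasons += [f"fixed infrastructure lacks {k}" for k, v in required.items() if v is None]
    return reasons


def stopping_distance_m(speed_mps: float, decel_mps2: float) -> float:
    """Distance to a stand from `speed_mps` under constant deceleration (v^2 / 2a)."""
    return speed_mps ** 2 / (2.0 * decel_mps2)


def max_target_speed_mps(distance_target_to_eoa_m: float, decel_mps2: float) -> float:
    """Highest target speed from which the train can still stop at or before the EoA."""
    return math.sqrt(2.0 * decel_mps2 * max(distance_target_to_eoa_m, 0.0))


def validate_ma_data(target_speed_mps: float, distance_to_target_m: float,
                     distance_to_eoa_m: float, decel_mps2: float) -> tuple[bool, str]:
    """Check a target-speed/distance-to-go data set against the EoA position.

    The EoA must lie beyond the target-speed point, and a service brake
    application begun at the target speed must bring the train to a stand at
    or before the EoA if no further data is received.
    """
    if target_speed_mps < 0 or distance_to_target_m < 0:
        return False, "negative target speed or distance to go"
    if distance_to_eoa_m < distance_to_target_m:
        return False, "EoA lies before the target-speed point"
    available = distance_to_eoa_m - distance_to_target_m
    needed = stopping_distance_m(target_speed_mps, decel_mps2)
    if needed > available:
        return False, (f"target speed too high: needs {needed:.0f} m to stop, "
                       f"only {available:.0f} m between target point and EoA")
    return True, f"data acceptable: {needed:.0f} m needed of {available:.0f} m available"


# Constructed sample: a 160 m train at 30 m/s with 0.6 m/s^2 service braking.
SAMPLE_TRAIN = TrainReport("1F22", True, True, True, 1250.0, 160.0, 30.0, "up", 0.6)

if __name__ == "__main__":
    print(entry_permitted(SAMPLE_TRAIN, onboard_detection=True))
    print(f"max target speed 600 m before EoA: {max_target_speed_mps(600.0, 0.6):.1f} m/s")
    print(validate_ma_data(25.0, 1000.0, 1600.0, 0.6))
    print(validate_ma_data(30.0, 1000.0, 1600.0, 0.6))
```

With the sample figures, 600 m between the target speed point and the EoA supports a target speed of about 26.8 m/s at 0.6 m/s²; a target of 30 m/s would need 750 m and is refused, which is the check the guidance calls for when data is issued in this form.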