GKRT0207 Design Requirements

This document is the property of Railtrack PLC. It shall not be reproduced in whole or in part without the written permission of the Controller, Railway Group Standards, Railtrack PLC.

Published by: Safety & Standards Directorate, Railtrack PLC, Railtrack House DP01, Euston Square, London NW1 2EE

© Copyright 2000 Railtrack PLC

Railway Group Standard GK/RT0207
Issue One
Date August 2000

Signalling Design Production

Synopsis

This document sets out the mandatory requirements for the production of designs for the provision of new signalling systems and the alteration of existing systems.

Signatures removed from electronic version

Submitted by Elizabeth Fleming, Standards Project Manager

Authorised by Brian Alston, Controller, Railway Group Standards

Uncontrolled When Printed


Contents

Part A

Issue Record
Responsibilities
Compliance
Health and Safety Responsibilities
Supply

Part B

1 Purpose
2 Scope
3 Definitions
4 Design Management
5 Design Development
6 Design Verification
7 Design Approval
8 Modifications to Designs
9 Control of Design Documents and Software/Data
10 Assessment and Demonstration of Safety
11 Use of Design Support Tools
12 Special Cases of Design Production

References


Part A

Issue Record

This document will be updated when necessary by distribution of a complete replacement.

Revisions in the reissued document will be marked by a vertical black line in the right hand margin adjacent to the revision.

Issue: One
Date: August 2000
Comments: Original Document.

Replaces withdrawn documents GK/RT0004, GK/RT0110, GK/RT0115, GK/RT0116, GK/RT0201, GK/RT0202 and GK/RT0205.

GK/GN0600, GK/RC0701 and GK/RH0710 are also hereby withdrawn.

Responsibilities

Railway Group Standards are mandatory on all members of the Railway Group * and apply to all relevant activities that fall into the scope of each individual’s Railway Safety Case. If any of those activities are performed by a contractor, the contractor’s obligation in respect of Railway Group Standards is determined by the terms of the contract between the respective parties. Where a contractor is a duty holder of a Railway Safety Case then Railway Group Standards apply directly to the activities described in the Safety Case.

* The Railway Group comprises Railtrack and the duty holders of the Railway Safety Cases accepted by Railtrack.

Compliance

The provisions in this document are to be complied with in respect of all signalling design work from 7 October 2000.

Health and Safety Responsibilities

In issuing this document, Railtrack PLC makes no warranties, express or implied, that compliance with all or any documents published by the Safety & Standards Directorate is sufficient on its own to ensure safe systems of work or operation. Each user is reminded of its own responsibilities to ensure health and safety at work and its individual duties under health and safety legislation.

Supply

Controlled and uncontrolled copies of this document may be obtained from the Industry Safety Liaison Dept, Safety and Standards Directorate, Railtrack PLC, Railtrack House, DP01, Euston Square, London, NW1 2EE.


Part B

1 Purpose

The purpose of this document is to set out the mandatory requirements for the processes whereby designs for signalling systems are produced, to ensure that such designs are safe and fit for purpose.

2 Scope

The overall scope of Railway Group Standards is as specified in Appendix A of GA/RT6001.

This document contains requirements which are applicable to the duty holder of the following category of railway safety case:

• Infrastructure Controller

Specifically the contents of this document apply to signalling design processes for:

• the site-specific design of new signalling systems which are to form part of Railtrack Controlled Infrastructure;

• alterations to, and the abolition (also known as “recovery”) of, existing signalling systems which are part of Railtrack Controlled Infrastructure.

The scope is restricted to infrastructure for systems that utilise lineside signals or fixed block cab signalling.

The scope does not include:

• the functional, operational and safety performance requirements for signalling systems and equipment (these are addressed in other Railway Group Standards);

• processes for the capture of user requirements prior to the commencement of signalling system design;

• design of moving block signalling systems;

• minor alterations where the design, functionality and configuration of the signalling system is essentially unaltered and for which engineering details are not necessary (eg. re-allocation of a cable core or relay contact; repositioning of an item within an apparatus case);

• design of products that are used as part of a signalling system (see GI/RT7002);

• design of train-borne signalling systems and equipment;

• operational telecommunications links and networks that are used to provide data communications between parts of the signalling system;

• design considerations relevant to the occupational safety of persons who install, test, maintain or operate the systems and equipment (except in respect of staff protection and warning systems, which are within the scope of this document – see definition of signalling systems and equipment);

• legislative requirements relevant to design work, such as the Construction (Design and Management) Regulations 1994 and the Railways and Other Transport Systems (Approval of Works, Plant and Equipment) Regulations 1994.


3 Definitions

Application Requirements
Rules, conditions and constraints relevant to the safety of a product in its proposed application.

Approval in Principle
Approval by a competent person or body that the concept design of the signalling system will meet the Infrastructure Controller’s requirements, and that appropriate standards and design criteria are proposed for the engineering details.

Concept Design
A suite of documents that constitute the proposals for how the safety and operational requirements for the signalling part of a project are to be met. They provide the basis for the production of the engineering details. See clause 5.1.3 for a list of concept design documents.

Design Production Organisation
An organisation that undertakes the preparation of signalling designs.

Engineering Details
A suite of documents that provide the detailed information necessary for the construction/installation of the signalling system. It may also include application-specific software/data for the signalling system, where it is produced as a part of the design process. See clause 5.5.4 for a list of engineering detail documents.

Infrastructure Records
The definitive records of the signalling system which reflect the actual configuration of the installed equipment, wiring and software. Such records are created and retained in accordance with GI/RT7001, and may be physical drawings or electronically stored data.

Product
Any of the following within the scope of this document: system, sub-system, equipment, component, materials.

Scheme Plan
A plan of the railway layout that depicts the proposed provision of (or alterations to) signalling.

Signalling Systems and Equipment
Systems and equipment used for:

• authorising and safeguarding the movement of trains; and

• providing protection and warnings for trackside personnel, where such systems and equipment form part of the whole signalling system.

The definition includes software and data, as well as equipment and wiring.

Technical Approval
Approval by a competent person or body that:

• the engineering details of the signalling system meet the Infrastructure Controller’s requirements; and

• appropriate standards and design criteria have been used; and

• competent persons have used reasonable care in preparing the design; and

• the safety of railway operations and safe interworking have not been compromised.


4 Design Management

4.1 Management Systems and Procedures

4.1.1 The Infrastructure Controller shall:

• have management, organisational and procedural arrangements in place to control the production of signalling designs; and

• ensure that design production organisations have management, organisational and procedural arrangements in place that are appropriate for the particular design activities and type(s) of signalling design work they are required to undertake.

4.1.2 The Infrastructure Controller shall ensure that the specific management, organisational and procedural arrangements to be applied to the signalling design phase of each project are documented (eg. in the form of a safety plan, procedures, method statements or specifications) insofar as is necessary for the purposes of producing safe designs. The documented arrangements shall include (but are not necessarily limited to):

a) the responsibilities, levels of authority and reporting lines of individuals and organisations involved in the design process (see section 4.3); and

b) the selection and use of competent personnel (see section 4.2); and

c) the procedures to be applied in the production of the designs (including any special arrangements – see section 12); and

d) the arrangements for verification and approval of the designs (see sections 6 and 7); and

e) the associated activities to be undertaken (eg. safety analysis, site assessments, correlation); and

f) the control of documents and software/data (see section 9); and

g) the use of design support tools (see section 11); and

h) any requirements for the audit of the processes.

The Infrastructure Controller shall review those documents produced by the design production organisations in order to be satisfied that the proposed arrangements provide an acceptably safe means of producing the designs.

4.2 Competency

4.2.1 The Infrastructure Controller shall ensure that its own organisation and the design production organisations engaged on a project have personnel assigned to the work who collectively possess, or have the capability to acquire:

• the necessary knowledge in respect of the design processes and procedures (including the use of design support tools, where used); and

• the necessary knowledge for the particular signalling system being designed (including knowledge of the associated signalling principles, and of the equipment which comprises the system).

4.2.2 The Infrastructure Controller shall ensure that its own organisation, and the design production organisations engaged on a project, have processes in place for deploying their personnel in a manner which achieves compatibility between the design tasks they are required to undertake and the competencies that the individuals possess.

4.3 Control of Organisational Interfaces

4.3.1 Where more than one design production organisation is involved in design production, the Infrastructure Controller shall ensure that their interactions are controlled so as to avoid any overlap, inconsistency or omission in the designs that could subsequently jeopardise the safe operation of the signalling system. Circumstances where this applies include (but are not limited to):

• the use of sub-contractors to produce parts of the design;

• the use of multiple contractors to produce parts of the design, but not working in a contractor/sub-contractor relationship;

• separate projects with potentially conflicting or overlapping design work;

• the use of other organisations to produce non-signalling designs (eg. permanent way layouts) where there is a dependency between such designs and the signalling designs.

4.3.2 The Infrastructure Controller shall ensure that interactions between the design production organisation(s) and the signalling installation and testing organisations are controlled so that:

• all of the design (including any modifications) is correctly installed and fully tested before being commissioned; and

• the infrastructure records, when updated, accurately reflect the commissioned system.

4.3.3 The Infrastructure Controller shall ensure that requirements for interactions with other organisations are identified, and those interactions controlled, insofar as it is relevant to the production of safe designs. Other organisations include, but are not limited to:

• procurement and manufacturing groups;

• train operators;

• other infrastructure controllers;

• Her Majesty’s Railway Inspectorate;

• highway authorities.

5 Design Development

5.1 Options Identification, Feasibility Analysis and Concept Design

The commencement of the design process depends upon the provision of a set of requirements (or specification) that defines what the infrastructure is required to do, both operationally and from a safety perspective. The identification, or capture, of such requirements, is not the subject of this document. Railway Group Standard GK/RT0206 sets out the mandatory requirements relating to the specification of reliability, availability, maintainability and safety (RAMS) for signalling systems.

5.1.1 Options shall be identified and evaluated for the design of new/altered systems at the commencement of a project, in order to establish signalling arrangements which are both practicable and achieve a level of safety, reliability and availability that meets specified requirements (see GK/RT0206).

Where practicable signalling arrangements that achieve adequate levels of safety cannot be provided, then the following elements shall be re-evaluated, and modified if necessary, so that an acceptably safe solution is found:

• the remit for, and scope of, the signalling work;

• the proposed/actual track layout (eg. junction configurations);

• other infrastructure (eg. platforms, structures);

• the proposed operational use (eg. timetabling, permissive working).

Layout risk assessment forms a key part of the optioneering phase of a project. Requirements for this activity are set out in Railway Group Standard GK/RT0078 (see references).


5.1.2 The selected option for the signalling arrangements shall be documented in the form of a concept design. The concept design documentation shall, as a minimum, contain sufficient information for the purposes of:

• Approval in Principle (see section 7.1); and

• statutory approval by HMRI; and

• signal sighting (see GK/RT0037); and

• producing the engineering details (see section 5.5).

5.1.3 The documentation listed below shall be considered for inclusion as part of the concept design:

a) Information regarding the overall design objectives and proposals.

b) Scheme Plans and, where appropriate, other related layout plans such as signalling facilities diagrams for each stage of the project (not mandatory where there is no alteration to the existing signalling plan).

c) Information regarding new signalling systems and equipment to be provided, including the product acceptance status of such equipment.

d) Information regarding existing signalling systems and equipment affected by the project, including any to be decommissioned.

e) Identification of, and information regarding, the design of interfaces with:

• existing signalling systems; and

• other infrastructure; and

• trains; and

• signallers and maintainers.

f) A list of the Railway Group Standards (including issue numbers) with which the Scheme Plan conforms, together with details of non-compliances.

g) A list of other Railway Group Standards (including issue numbers) with which the engineering details are proposed to conform, together with outline details of non-compliances (where known at this phase of the design process).

h) Proposed staging of the work, where not all the work is being commissioned together.

i) Proposed strategy for testing and commissioning the signalling, insofar as it is relevant to the design and the staging of the work.

j) An initial demonstration that the safety requirements for the system can be met by the proposed design.

k) Any safety analysis that is necessary at the concept design phase (eg. for overrun control and mitigation) – see section 10.

l) An explanation of the rationale for the design decisions and choices.

m) Any assumptions, calculations etc, that have been made.

5.1.4 The processes used in the production of the concept design documents shall be adequate to ensure that the proposed signalling arrangements are:

• compliant with the requirements of relevant Railway Group Standards and any other relevant safety requirements and targets (see GK/RT0206); and


• practicable and fit for purpose, in both engineering and operational terms.

5.1.5 The Infrastructure Controller shall consult with train operators during the feasibility and design conception phase, to ensure that their views are considered, particularly in respect of:

• the provision, position and aspects/indications of signals; and

• signalling arrangements for the despatch of trains from platforms; and

• transitions between different types of signalling; and

• train protection systems.

5.2 Site Assessments, Surveys and Signal Sighting

5.2.1 Where the installation work will involve making alterations or additions to, or could affect the safe operation of, the existing signalling systems and equipment, then a site assessment shall be undertaken. The purpose of such assessments is to identify hazards associated with the existing equipment which may present a risk during the installation phase of the project or during the operational life of the system.

5.2.2 The findings of the site assessments shall be recorded. Where necessary, the concept design documentation, method statements and technical specifications shall be amended to take account of the findings of the site assessments.

5.2.3 Insofar as is reasonably practicable, the hazards identified by the site assessment shall be eliminated or mitigated by an appropriate choice of design.

5.2.4 Where a hazard is identified that presents a serious and imminent risk to the safety of the operational railway, the Infrastructure Controller shall ensure that appropriate action is taken to address the problem (without waiting for the project to address the problem through the design work).

5.2.5 Other site surveys shall be undertaken where necessary to determine positions of existing/new equipment, locations of buried services, critical dimensions and clearances, etc, in order to facilitate the production of the engineering details.

The requirements for signal sighting are set out in GK/RT0037.

5.3 Correlation

5.3.1 Where the installation work will involve making alterations or additions to existing signalling systems, the details shown on the existing infrastructure records of those parts of the system affected by the work shall, except in the circumstances described below, be checked (correlated) for accuracy and completeness (or produced, where they do not already exist) against the actual wiring and equipment on site.

Correlation need not be carried out if:

a) the existing infrastructure records are known to be accurate and complete; or

b) the condition of the equipment or wiring is such that the correlation work would itself present a serious risk to the safety of the operational railway; or

c) the risks arising if correlation is not carried out are low, and the costs of correlation are assessed as being grossly disproportionate to any further benefit in risk reduction; or


d) the equipment and wiring is to be entirely abolished (recovered), without any stagework alterations affecting it prior to abolition.

5.3.2 Where discrepancies are found as a result of the correlation work, they shall be checked, investigated and documented to the extent necessary for design purposes.

5.3.3 Updated versions of the infrastructure records shall be generated, for use as the basis for the production of the engineering details.

The amended versions of the infrastructure records shall be checked to verify that they have been made in accordance with the findings of the correlation process.

5.3.4 Where discrepancies are found which could jeopardise the safe maintenance of the infrastructure, copies of the updated records and/or the findings of the correlation shall be made available to the maintainer.

5.3.5 Where discrepancies are found which indicate the potential for a failure that could jeopardise the safety of the operational railway, the Infrastructure Controller shall ensure that appropriate action is taken to rectify the problem (without waiting for the project to address the problem through the design work).

5.3.6 Where it is proposed not to carry out correlation for any of the reasons stated in 5.3.1, the proposal shall be subject to the approval of the Infrastructure Controller. In the case of 5.3.1(b), and so far as is reasonably practicable in the case of 5.3.1(c), alternative measures shall be applied to control the risk of a discrepancy giving rise to an unsafe situation during, or after, installation. The alternative measures shall be documented in the safety plan or method statements for the design, installation or testing phases of the work, as appropriate.

In practice, in the circumstances described in clause 5.3.1(b), it is likely that the proposed design will have to be changed so that it does not involve alterations to wiring and equipment that is in poor condition (see also clauses 5.2.1 and 5.2.3).

5.4 Technical Specifications

5.4.1 Where necessary, specifications shall be produced which provide additional technical information required to translate the concept design into engineering details.

5.5 Production of Engineering Details

5.5.1 Except where permitted by section 12 of this document, production of engineering details shall not commence until:

a) Approval in Principle of the concept design has been given (see section 7.1); and

b) infrastructure records (as mandated by GI/RT7001) affected by the design have been updated to show any previous work on the same infrastructure, including earlier stages of the same project (see section 9.3); and

c) site assessments have been completed, where such assessments are required (see section 5.2); and

d) correlation work has been completed (see section 5.3); and


e) signal sighting activities have been completed (see GK/RT0037).

In respect of activities (b) to (e), these need be completed only to the extent that they are relevant to the portion of the project for which engineering details are being produced.

5.5.2 The processes used in the production of the engineering details shall be adequate to ensure that the proposed signalling arrangements:

a) meet the requirements of the concept design documents, including the referenced Standards; and

b) take account of findings from site assessments and surveys; and

c) incorporate the recommendations and requirements of signal sightings; and

d) conform to any safety requirements derived through safety analysis (see section 10); and

e) make use of products for which product acceptance has been (or is in the process of being) secured, and in conformance with the relevant associated application requirements (see GI/RT7002); and

f) are physically and electrically compatible with other infrastructure (track, structures, electrification, telecomms etc.), with trains and with the environment; and

g) are capable of being constructed/installed and maintained without exposing the operational railway to unacceptable levels of risk; and

h) are compatible with the proposed testing strategy and phasing of the work; and

i) are capable of delivering the safety requirements and targets throughout the operational life of the system.

5.5.3 Engineering details shall be unambiguous in intent and of adequate clarity and presentational quality for the purposes of:

• construction and installation;

• testing and commissioning;

• producing final infrastructure records.

5.5.4 The documentation and software/data listed below shall be considered for inclusion as part of the engineering details:

a) control tables (or an equivalent) which define the required interlocking and interdependencies between parts of the signalling system (points, tracks, signals etc);

b) details of new systems, equipment and wiring to be provided (including, where important for safety, the type/model/version number; modification state; configuration/coding information);

c) details of existing systems, equipment and wiring to be modified, removed or taken out of use but not removed;

d) details of interfaces between existing and new systems/equipment, and of interfaces with signallers and maintainers;


e) application-specific software and data that forms part of the signalling system;

f) details of test rigs and other temporary arrangements;

g) details of buildings, apparatus cases, fixtures, fittings, etc. relevant to the housing and environmental/physical protection of equipment;

h) details of earthing arrangements;

i) physical dimensions, equipment positions, alignments etc. where important for safety;

j) electrical ratings and values (eg. maximum voltages, currents etc.) where important for safety;

k) any other installation details relevant to safety (eg. installation specifications and Codes of Practice to be applied; types of materials to be used; setting up procedures; manufacturers’ instructions; equipment specifications; standard drawings). It is permissible for such documents to be referenced by the engineering details, rather than included as part of the design itself.

The design documentation and software/data shall also depict/include any other work (eg. other stages of the same project) that is not yet installed/commissioned, but which will be by the time that the engineering details currently under consideration are to be installed.

5.5.5 Details shall be recorded of:

• the rationale for the design (except where it is self-evident); and

• any assumptions made; and

• any calculations made

in order that testers, maintainers and designers (who may subsequently need to alter the system during its service life) can understand the thinking and logic behind the engineering details.

5.5.6 It is permissible for engineering details to omit information about some features of the installation (eg. the exact position of an item of equipment within an apparatus case, or the precise voltage setting for a power supply). However, such instances shall be limited to those cases where all of the following criteria are met:

• it is not practicable to provide comprehensive information;

• it is reasonable to expect competent installation personnel to be able to make decisions on site regarding the details which have been omitted;

• no major risk would arise if the installation personnel made a decision which was incorrect or, if they did, such an error would be revealed (eg. during subsequent testing) before an unsafe situation could arise.

Wherever applicable, the engineering details shall state any limits relevant to the omitted information (eg. a voltage shall be selected to be within specified maximum and minimum values).

Where important for safety, the Infrastructure Controller shall ensure that precise positions, voltages and other parameters determined on site are subsequently recorded on the infrastructure records (see GI/RT7001).


5.6 Provision of Ancillary Information

5.6.1 In association with the production of the engineering details, documentation and information shall be provided, as required, for the following purposes:

• to inform operating staff, drivers (and others, where necessary) about the introduction of the new/altered signalling (see GO/RT3209); and

• so that operating staff (and others, where necessary) have supporting instructions and information for the operational use of the new/altered signalling (eg. signal box instructions – see GO/OT0018; route lists – see GK/RT0026; Sectional Appendices – see GO/RT3206).

5.6.2 Information and instructions shall be provided to the maintainers of the signalling system prior to the commissioning, to facilitate maintenance. This is additional to the requirements of clause 9.3.2.

5.7 Design Presentational Standards

5.7.1 The Infrastructure Controller shall define and document standard presentational formats, symbols and nomenclature for engineering details which, subject to the provisions of clause 5.7.2, shall be applied to all signalling designs, in order to minimise the risk of misinterpretation by installers, testers, maintainers and, where relevant, operators. Presentational standards shall be provided for, as a minimum:

a) control tables; and

b) symbols and associated nomenclature (for use on signalling plans, wiring diagrams etc); and

c) differentiating between equipment/wiring to be:

• installed and commissioned;

• installed but not yet to be commissioned;

• installed and now to be commissioned;

• removed;

• taken out of use but not removed.

5.7.2 It is permissible for the Infrastructure Controller to authorise the use of non-standard presentations in the following circumstances:

• where safety could be jeopardised during construction, testing or maintenance because of confusion between standard and non-standard presentations on records of existing infrastructure where non-standard presentations have previously been used; or

• where novel or uncommon equipment is to be used, for which presentational standards have yet to be defined.

5.7.3 The meaning of symbols, nomenclature and abbreviations used shall be specified in a legend associated with any document where:

• non-standard symbols, nomenclature or abbreviations are used; or

• users of the documents may not be familiar with the symbols shown (eg. on operating notices for drivers).

5.8 Changes to Standards during Project Life

5.8.1 Procedures shall be in place for the review of Railway Group Standards which are issued after design work commences, but whose compliance dates are earlier than the commissioning date(s), to assess their relevance to the signalling design phase of each project. All such reviews shall be documented.

Section 8 of this document specifies the requirements for managing modifications to the design resulting from changes to Railway Group Standards.

Where such a review demonstrates that a change in the design to achieve compliance is either impracticable or would introduce increased risk, the situation shall be regularised (GA/RT6001, 6004 and 6006 refers).

6 Design Verification

6.1 Principle

6.1.1 The concept design and engineering details shall be subject to independent verification to ensure, so far as possible, that any design deficiencies are eliminated.

6.2 Verification Process

6.2.1 The verification shall take the form of a systematic check of the design documentation and software/data listed in clauses 5.1.3, 5.4.1, 5.5.4, 5.5.5 and 5.6.1. The degree of independence of the persons undertaking the verification from those who prepared the designs shall be commensurate with the safety-criticality of the systems being designed. No reliance shall be placed on subsequent testing activities to reveal any design deficiencies.

6.2.2 Persons who perform the verification shall:

• assess the extent to which the design meets the relevant requirements of sections 5.1 (for concept design), 5.5 and 5.6 (for engineering details), and 5.7 (applicable to both concept design and engineering details); and

• identify, so far as is practicable, all errors, omissions and unwanted functionality in the design; and

• check that the design has been produced in accordance with the documented arrangements for the work (see clause 4.1.2).

6.2.3 Design deficiencies shall be notified to the producer of the design in order for corrections to be made. The persons undertaking the verification shall ensure that the producers of the design understand the nature of any deficiencies, but shall not make any corrections themselves. Corrections shall be subject to re-verification, to ensure that:

• each deficiency has been fully addressed and all affected designs and software/data corrected; and

• no unsafe side effects have been introduced as a result of the correction.

7 Design Approval

7.1 Approval in Principle

7.1.1 The concept design documentation (as listed in clause 5.1.3) shall be subject to Approval in Principle (see GC/RT5101). In order to give approval, the Infrastructure Controller shall undertake a review of the concept design so as to be satisfied that:

• the proposals are acceptably safe, practicable and fit for purpose; and

• the design has been produced in accordance with the management requirements mandated by section 4 of this document.

The rigour with which the review is conducted (eg. whether calculations are re-checked, and whether all elements of a scheme plan are individually scrutinised) shall take into account factors such as:

• the complexity and degree of novelty of the design;

• the extent to which other engineering disciplines are involved;

• the competency of the design personnel undertaking the design and verification activities.

7.1.2 Approval in Principle shall not be given until:

• the concept design documentation has been verified in accordance with section 6; and

• where applicable to the concept design, non-compliances or derogations against Railway Group Standards have been authorised; and

• the review described in clause 7.1.1 has been successfully completed.

7.1.3 Approval in Principle shall be given by persons in the Infrastructure Controller’s organisation who are competent to do so. The giving of Approval in Principle shall not be delegated to any other organisation, although it is permissible for the review activities to be delegated, provided that the integrity of the approval process is not thereby compromised.

7.2 Technical Approval of Engineering Details for Construction Purposes

7.2.1 The engineering details (as listed in clause 5.5.4) shall be subject to Technical Approval. Technical Approval shall take the form of an assessment of the engineering details, taking into account the objectives and factors for consideration set out in GC/RT5101, and additionally ascertaining that the design has been produced in accordance with the management requirements set out in section 4 of this document.

The rigour with which the assessment is conducted (eg. whether all engineering detail documents are assessed, or just a sample of them) shall take into account factors such as:

• the complexity and degree of novelty of the design;

• the extent to which other engineering disciplines are involved;

• the competency of the design personnel undertaking the design and verification activities.

7.2.2 Technical Approval shall not be given until:

a) the engineering details have been verified in accordance with section 6; and

b) relevant associated engineering details produced by other design production organisations (including those for other engineering disciplines) have been produced and verified by the appropriate engineers in those disciplines, and confirmed as being compatible with the signalling designs; and

c) where applicable to the engineering details, non-compliances or derogations against Railway Group Standards have been authorised; and

d) any safety analysis necessary for the design and for products which form part of the design (see section 10) has been developed sufficiently that installation work can proceed without risk to the operational railway; and

e) the assessment described in clause 7.2.1 has been successfully completed.

7.2.3 The Infrastructure Controller shall ensure that Technical Approval is given by a competent engineer in the Infrastructure Controller’s organisation, or by another competent engineer to whom authority has been delegated by the Infrastructure Controller (provided that the integrity of the approval process is not thereby compromised).

8 Modifications to Designs

8.1 General Requirements

8.1.1 Where a change to the concept design or engineering details becomes necessary after the design has been verified as correct but before the signalling is commissioned, consideration shall be given to:

• whether, in the case of a design error, it is an isolated example or indicative of a systematic error; and

• the implications for other parts of the design; and

• the implications for the installation and testing work.

8.1.2 The amended design shall indicate clearly details of any changes required to equipment and wiring that has already been installed in accordance with the previously issued version(s) of the design. This applies whether or not the installed wiring and equipment that requires modification has been commissioned.

8.1.3 Where necessary, consequential alterations to designs produced by other design production organisations (including those for other engineering disciplines) shall also be made.

8.2 Re-verification and Re-approval

8.2.1 Where the design documents and software/data have already been verified, the modifications and any other design documents and software/data affected by the modifications shall be subject to re-verification in accordance with section 6.

8.2.2 Where the design documents and software/data have already been approved, the modifications shall be subject to re-approval in accordance with section 7 if the nature or scale of the change invalidates the basis of the original approval.

8.3 Records of Design Modification Proposals and Requests

8.3.1 Summary records of all design modifications shall be maintained throughout the project, so as to enable identification of:

• the origins or originator of the modification proposal or request; and

• the date of the proposal or request; and

• whether or not the proposal/request is accepted or rejected; and

• the documents and software/data affected (including the version); and

• the status of the design modification work (produced, verified, issued etc); and

• the reason for each modification.

The records shall include all modifications arising from changed requirements and from problems/errors encountered during installation and testing. Design deficiencies identified during verification do not need to be included in these summary records.

9 Control of Design Documents and Software/Data

9.1 Identification of Design Documents and Data

9.1.1 A system of version control shall be applied to all design documents and software/data so as to enable unambiguous identification of:

• all the items (documents, software, data etc) affected by the work, both for reference purposes during the project, and for the purposes of records management during the operational life of the signalling system (see GI/RT7001); and

• the project (and stage of a project, where relevant) to which each item relates; and

• the status of each item (produced, verified, issued, superseded, etc); and

• the producer and verifier of each item (including the organisation for which they work); and

• the date of production and verification of each item.

9.1.2 Where design documents and software/data are modified during the design work (see section 8), it shall be possible to identify by reference to each document or item of software/data:

• which modifications (as detailed in the summary records of modifications – see clause 8.3.1) have been applied to the document or software/data; and

• the status of the design modification (produced, verified, issued, etc); and

• the producer and verifier of each modification (including the organisation for which they work); and

• the date of production and verification of each modification.

9.2 Control of Issue of Design Documents and Software/Data

9.2.1 Except where permitted by clause 12.2, engineering details (as listed in clause 5.5.4) shall not be released for construction and installation purposes until Technical Approval has been given.

9.2.2 Design documents and software/data (and any modifications to them) shall be issued for installation and testing purposes in a controlled manner, so as to:

• ensure that recipients are in possession of the most up to date set of designs; and

• ensure that it is clear to whom the documents are issued and the purposes for which they have been issued; and

• facilitate traceability of issued documents, software and data.

9.2.3 Arrangements shall be in place to enable installation and testing personnel to verify that the engineering details in accordance with which they have completed their work are the most up-to-date versions of the designs produced by the design production organisation (eg. by the use of closure lists).

9.2.4 Copies of design documents and software/data issued by the design production organisation shall be faithful reproductions of the master versions.

The arrangements for the transport/transmittal of design documents and software/data between the design production organisation and any other organisation shall be sufficiently secure so as not to result in loss or corruption of the design information/data.

9.3 Control, Updating and Issue of Records

9.3.1 A set of records (including drawings, CAD files, software and data) that accurately depict the existence and configuration of the current operational signalling systems shall be maintained securely throughout the design, installation and testing phases of a project. It is permissible for these records (the “security set”) to be either the master versions of the infrastructure records (see GI/RT7001) or copies of them.

Where commissioning takes place in stages, an updated security set of records shall be generated promptly after the completion of each stage, and shall replace the previous set.

9.3.2 Records of the new/altered signalling system (“as commissioned”) shall be made available to maintainers as soon as the signalling is commissioned. Where the commissioning takes place in stages, records shall be made available immediately after each stage.

Where the records issued to maintainers are of a temporary nature, final records shall be issued as soon as practicable.

9.3.3 When each commissioning of the new/altered signalling has been completed, a new/updated set of infrastructure records shall be generated as quickly as practicable (except where permitted by section 12.3), in order to meet the requirements of GI/RT7001. Superseded records shall be disposed of in accordance with the requirements of the same Railway Group Standard.

9.3.4 The records of the signalling system that are to be retained in accordance with GI/RT7001 shall include not only the infrastructure records, but also any supporting documentation generated during the design process which may be relevant for the subsequent safe use, maintenance, modification and eventual decommissioning of the systems and equipment. In determining the records to be retained, consideration shall be given to all the documentation and software/data listed in clauses 5.1.3, 5.4.1, 5.5.4, 5.5.5 and 10.1.4 of this document.

10 Assessment and Demonstration of Safety

10.1 General Requirements for Safety Analysis

10.1.1 An analysis of safety (usually involving risk assessment) shall be carried out in association with signalling design work in the following circumstances:

• where products and/or their application require assessment and acceptance (see GI/RT7002);

• where other Railway Group Standards relevant to the design mandate a risk assessment (eg. GK/RT0206, GK/RT0078, GK/RT0044);

• where non-compliances or derogations to Railway Group Standards are being sought (see GA/RT6001, GA/RT6004, GA/RT6006).

10.1.2 The rigour of the analysis shall be commensurate with the risk. In determining the required degree of rigour, the following shall be taken into account:

• the complexity of the design and its interactions with the rest of the railway, and the consequential predictability of its safety performance in its proposed application; and

• the extent to which the design is novel; and

• the safety contribution that the part of the design under consideration is required to make in achieving the overall safety requirements and targets for the signalling system.

10.1.3 Where major change or innovation is involved, and in other circumstances at the Infrastructure Controller’s discretion, the safety analysis shall be performed in accordance with the general requirements of European Standards EN50126, EN50129 (where relevant) and UK rail industry best practice (eg. the Engineering Safety Management “Yellow Book”).

10.1.4 All risk assessments and other forms of safety analysis shall be documented.

10.2 Review and Endorsement of Safety Analysis

10.2.1 The Infrastructure Controller shall review and endorse the safety analysis in the following circumstances:

• where safety analysis is mandated by a Railway Group Standard (eg. GK/RT0206, GK/RT0078, GK/RT0044, but excluding GI/RT7002 which specifies its own requirements for the review of product risk assessments);

• where non-compliances or derogations to Railway Group Standards are being sought (see GA/RT6001, GA/RT6004, GA/RT6006);

• where a formal Safety Case has been prepared.

11 Use of Design Support Tools

11.1 Software-based Design Tools

11.1.1 Software-based design support tools (eg. CAD systems, data preparation workstations, EPROM blowers, spreadsheets for design calculations, risk assessment models) used for the production and verification of design documentation and software/data shall be of an integrity appropriate to their application (see EN50128). In determining the integrity required, account shall be taken of:

• the safety criticality of the elements of the signalling system for which the design documentation or software/data is being produced; and

• the contribution made by other processes and procedures associated with the design activity which may help to ensure that the final design is correct (but no reliance shall be placed on the testing activity in this context).

11.1.2 Software-based design support tools and the procedures associated with their use shall be assessed in order to demonstrate that they meet the required integrity requirements. In determining the required degree of rigour of the assessment, the following shall be taken into account:

• the safety criticality of the elements of the signalling system for which the design support tool is being used to generate designs; and

• the complexity of the design support tool and the consequential predictability of its performance; and

• the extent to which the design support tool and its proposed application is novel.

11.1.3 Software-based design tools shall be used only for the applications for which they have been assessed as suitable.

11.1.4 Version control shall be applied to all software, data, templates etc, that form part of a software-based design support tool, so as to:

• ensure that only permitted versions and combinations of hardware, software, data, templates etc, are used in the production of designs; and

• facilitate compatibility between existing records which are stored electronically (eg as CAD files or software/data) and the design support tools used to make alterations to those records.

11.2 Other Design Support Tools

11.2.1 Other design support tools shall be selected, used and maintained as appropriate to the safety criticality of their application. Such tools include, but are not limited to:

• measuring devices;

• printers, plotters and copiers;

• calculators.

12 Special Cases of Design Production

12.1 Projects Commissioned in Stages

12.1.1 Where a project is to be commissioned in separate stages, each stage shall be treated as a separate alteration of the infrastructure, for the purposes of producing the designs. A separate set of engineering details shall be produced for each stage, irrespective of the time-scale between stages.

12.2 Permitted Variations to the Order of Design Activities

12.2.1 It is permissible for the Infrastructure Controller to authorise variations to the mandated order in which design activities are undertaken. Examples of such variations may include (but are not limited to):

• production of engineering details before Approval in Principle has been given for the concept design;

• correlation while design production is in progress;

• issuing of engineering details for off-site construction purposes before Technical Approval has been given.

12.2.2 Such authorisation shall be given only if the risks of producing an unsafe set of engineering details have been assessed, and appropriate measures put in place to control those risks.

No reliance shall be placed on testing activities to reveal any design deficiencies arising from a variation to the mandated order of design activities.

Examples of measures to control the risks may include (but are not limited to):

• a tracking system to ensure that any changes required to the design and/or records arising as a consequence of the variation are incorporated into the engineering details;

• designated “hold points” in the design process beyond which work must not progress until any deficiencies arising from the variation have been identified and eliminated;

• an appropriate organisational structure to ensure unified design management, where the reason for the variation is to allow design for one project (or stage of a project) to proceed before another overlapping project (or stage) has been commissioned.

12.2.3 Before design documentation and software/data is issued for installation and testing purposes, all activities up to and including verification that could have a bearing on the accuracy of the designs shall be satisfactorily completed, and any deficiencies and inconsistencies arising from the variations to the mandated order shall be identified and eliminated.

12.3 Temporary Work

12.3.1 Where the design is for work of a temporary nature, it is permissible for the Infrastructure Controller to authorise that the infrastructure records are not updated (see clause 9.3.3). Examples of temporary work include (but are not limited to):

• work for temporary speed restrictions;

• release of controls (to facilitate train movements during a signalling failure - see Section E of the Rule Book, GO/RT3000);

• emergency work (eg. plain lining of points after a derailment);

• short duration stages of work (typically lasting less than three months) that are progressing towards the overall finished project.

12.3.2 Such authorisation shall be given only if:

• copies of the design for the temporary work are kept securely until the wiring and equipment is restored to its original configuration; and

• the maintainer is provided with appropriate information about the temporary work; and

• controls are in place to ensure that designers undertaking any other work that could be affected by (or affect) the temporary work are aware of the existence of the temporary work and take it into account when producing their engineering details.

12.4 Recovery of Redundant Wiring and Equipment

12.4.1 Engineering details shall usually indicate that all redundant wiring and equipment is to be removed, and the infrastructure records shall similarly reflect the removal of that wiring and equipment. However, where it is known at the design phase of a project that some wiring and equipment cannot be removed (eg. because it is unsafe to do so, or because it is not possible to do so until a later stage in the project), it shall be shown on the engineering details as required to be taken out of use but not physically removed.

The infrastructure records shall similarly show the existence of redundant wiring and equipment that has not been removed.

References

Railway Group Standards

GA/RT6001 Railway Group Standards Change Procedures

GA/RT6004 Temporary Non-Compliance with Railway Group Standards

GA/RT6006 Derogations from Railway Group Standards

GC/RT5101 Technical Approval Requirements for Changes to the Infrastructure

GI/RT7001 Management of Safety Related Records of Elements of the Infrastructure

GI/RT7002 Acceptance of Systems, Equipment and Materials for Use on Railtrack Controlled Infrastructure

GK/RT0026 Signallers' Route Lists

GK/RT0037 Signal Sighting

GK/RT0044 Controls for Signalling a Train onto an Occupied Line

GK/RT0078 Overrun Protection and Mitigation (to be superseded by GI/RT7006 and GK/RT0064)

GK/RT0206 Signalling and Operational Telecommunications Design: Safety Requirements

GO/OT0018 Provision of Operations Instructions for Signal Boxes and Other Locations

GO/RT3000 The Rule Book

GO/RT3206 Format and Content of the Sectional Appendix

GO/RT3209 Format and Content of the Weekly Operating Notice

The Catalogue of Railway Group Standards and the Railway Group Standards CD-ROM give the current issue number and status of documents published by the Safety & Standards Directorate.

Other References

Construction (Design and Management) Regulations 1994

Engineering Safety Management (“Yellow Book”) ISBN 0 9537595 1 2

European Standard EN50126: Railway Applications: The specification and demonstration of dependability - RAMS

European Standard EN50128: Railway Applications: Software for Railway Control and Protection Systems

European Standard EN50129: Railway Applications: Safety-related Electronic Systems for Signalling

Railways and Other Transport Systems (Approval of Works, Plant and Equipment) Regulations 1994
