GK/GN0612. Guidance on Signalling Lockout Systems to Protect Railway Undertaking Personnel. Railway Group Guidance for GK/RT0212.


GK/GN0612
Issue One: August 2007
Railway Group Guidance for GK/RT0212

Published by Rail Safety and Standards Board, Evergreen House, 160 Euston Road, London NW1 2DX
Copyright 2007 Rail Safety and Standards Board Limited

Issue Record

Issue    Date           Comments
One      August 2007    Original document

Superseded documents

This Railway Group Guidance Note does not supersede any other Railway Group documents.

Supply

Controlled and uncontrolled copies of this Railway Group Guidance Note may be obtained from the Corporate Communications Department, Rail Safety and Standards Board, Evergreen House, 160 Euston Road, London NW1 2DX, telephone 020 7904 7518 or e-mail enquiries@rssb.co.uk. Railway Group Standards and associated documents can also be viewed at www.rgsonline.co.uk.

Page 2 of 25 RAIL SAFETY AND STANDARDS BOARD

Contents

Part 1 Introduction
1.1 Purpose and structure of this document
1.2 Copyright
1.3 Approval and authorisation of this document

Part 2 Guidance on signalling lockout systems to protect railway undertaking personnel
2.1 Hazards that need to be managed when railway undertaking personnel work on or near the line
2.2 Guidance on signalling lockout system requirements

Appendices
Appendix A Interface specification for signalling lockout systems
A.1 Boundary hazard 1: Complete or partial loss of legibility of the lockout system identification
A.2 Boundary hazard 2: Safety related failure of the signalling system could result in a signaller setting a route (resulting in the issue of a movement authority to a train) into an area for which a release has already been given by a signalling lockout system
A.3 Boundary hazard 3: Safety related failure of the signalling lockout system could result in a key being released when protection is not established
A.4 Boundary hazard 4: Failure to adhere to a proper sequence of operation in terms of releasing the protection may lead to an adverse situation
A.5 Boundary hazard 5: An indicator on the keylock device may give a false perception that protection is available to the user under certain failure conditions
A.6 Boundary hazard 6: Failure to adhere to a proper sequence of operation in terms of returning the protection may lead to an adverse situation
A.7 Boundary hazard 7: Where the number of keys available to the user exceeds the minimum number of keys required to cancel the protection, there is a possibility that protection may be given up before work is complete
Appendix B Typical signalling lockout system

Definitions
References

Figures
Figure 1 Diagram of a typical signalling lockout system

Part 1 Introduction

1.1 Purpose and structure of this document

This document has been published by Rail Safety and Standards Board to give guidance on how to control the hazards that arise when signalling lockout systems are used to protect railway undertaking personnel who work on or near the line, in particular:

a) Guidance on the technical requirements in Railway Group Standard GK/RT0212 Signalling Lockout Systems to Protect Railway Undertaking Personnel
b) Guidance on the related technical and operational requirements contained in other Railway Group Standards: GE/RT8000, GE/RT8048, GI/RT7006, GK/RT0011, GK/RT0025, GK/RT0060 and GK/RT0206
c) Recommending the technical and operational features that should be included within infrastructure manager safety management systems
d) Recommending the operational features that should be included within railway undertaking safety management systems.

The specific requirements in the standards listed above are not reproduced in full because it would be detrimental to the clarity of this Guidance Note. Specific responsibilities and compliance requirements are laid down in the Railway Group Standards.

1.2 Copyright

Copyright in the Railway Group documents is owned by Rail Safety and Standards Board Limited. All rights are hereby reserved. No Railway Group document (in whole or in part) may be reproduced, stored in a retrieval system, or transmitted, in any form or means, without the prior written permission of Rail Safety and Standards Board Limited, or as expressly permitted by law.

RSSB Members are granted copyright licence in accordance with the Constitution Agreement relating to Rail Safety and Standards Board Limited.

In circumstances where Rail Safety and Standards Board Limited has granted a particular person or organisation permission to copy extracts from Railway Group documents, Rail Safety and Standards Board Limited accepts no responsibility for, and excludes all liability in connection with, the use of such extracts, or any claims arising therefrom. This disclaimer applies to all forms of media in which extracts from Railway Group Standards may be reproduced.

1.3 Approval and authorisation of this document

The content of this document was approved by: CCS Standards Committee on 15 February 2007

This document was authorised by RSSB on 7 March 2007

Part 2 Guidance on signalling lockout systems to protect railway undertaking personnel

2.1 Hazards that need to be managed when railway undertaking personnel work on or near the line

2.1.1 Provision of signalling lockout systems

2.1.1.1 A range of methods, including signalling lockout systems, are used by the infrastructure manager to protect personnel who carry out duties on or near the line, in order to comply with GE/RT8000 (the Rule Book).

2.1.1.2 Where signalling lockout systems are used to protect its own personnel, the infrastructure manager is solely responsible for establishing the technical and operational requirements that provide for safe working within its safety management system.

2.1.1.3 In some circumstances, railway undertakings require their personnel to go on or near the line to carry out routine work, typically: servicing of stationary rolling stock within station areas or sidings. In such cases, a railway undertaking may, as part of its safety management system, decide to make arrangements with the infrastructure manager to provide facilities for staff protection in the form of a signalling lockout system. The decision to carry out such work on or near the line should be justified by the railway undertaking to demonstrate that risk has been reduced to ALARP.

2.1.1.4 Where facilities are provided by the infrastructure manager, the railway undertaking relies upon the safety integrity of the signalling lockout system to establish a safe system of work for its own personnel and specifies its use within its own safety management system.

2.1.1.5 The technical and operational interfaces between the infrastructure manager and railway undertaking are within the scope of Railway Group Standards. It is also necessary to align the safety management systems of the infrastructure manager and railway undertaking at the duty-holder interface to ensure that all of the hazards are sufficiently controlled. The interfaces associated with a typical lockout system are shown in Appendix B.

2.1.1.6 The primary function of signalling lockout systems, used by railway undertakings, is to prevent the issue of signalled movement authorities for all train movements into, out of, or within a pre-defined protection area. The protection provided by signalling lockout systems is dependent upon the safe control of train movements within the limits of signalled movement authorities and the safe actions of drivers, signallers and users.

2.1.1.7 The particular signalling lockout system requirements set out in GK/RT0212 provide for the transfer of an authority to use protection between the infrastructure manager and railway undertaking in the form of a physical key. All of the safety requirements contained in this Guidance Note should be put in place to ensure that a key can only be transferred from one duty-holder to the other (in either direction) when it is safe to do so.

2.1.1.8 Because signalling lockout systems cannot provide protection from un-signalled train movements (for example, during degraded railway operations and engineering possessions), or unauthorised train movements (for example, a SPAD), additional arrangements should also be put in place to address these scenarios.

2.1.2 The system level hazard

2.1.2.1 The system level hazard when railway undertaking personnel work on or near the line is: lines are open to traffic while the railway undertaking personnel are on or near the line.

2.1.2.2 The system level hazard is present when the sub-system safety requirements have been violated (pre-conditions, post-conditions and invariants) during all railway operational conditions, whenever railway undertaking personnel work on or near the line. The operational conditions that should be considered include:

a) Normal railway operations provided for by the signalling system
b) Abnormal railway operations, for example, wrong direction signalled moves
c) Degraded railway operations, for example, hand-signalled train movements
d) Emergency conditions, for example, unauthorised or uncontrolled movements.

2.1.2.3 The particular arrangements put in place for signalling lockout systems should be designed and operated to control the system level hazard during normal railway operations and those abnormal railway operations that are provided for in the signalling system.

2.1.2.4 Additional methods of staff protection should also be established to control the system level hazard during degraded railway operations and emergency conditions. This may include operational rules that prohibit the use of signalling lockout systems when un-signalled movement authorities are taking place, and emergency warning arrangements.

2.1.2.5 Movement authorities that are totally under the control of a railway undertaking, such as movements under the direction of shunters, should be addressed as part of the railway undertaking safety management system.

2.1.3 Particular hazards associated with signalling lockout systems

2.1.3.1 A number of hazards arise at the duty-holder boundary between the infrastructure manager and the railway undertakings as a consequence of implementing and operating signalling lockout systems. These hazards can be described as boundary hazards.

2.1.3.2 Failure to control all of the boundary hazards would mean that the system level hazard would not be controlled.

2.1.3.3 Analysis of signalling lockout systems used by railway undertakings has identified a set of requirements that, if implemented, mitigate the risk arising at the duty-holder interface. The complete set of requirements is presented as a system interface specification (see Appendix A), which addresses:

a) Technical requirements and operational rules applicable to the infrastructure manager (pre-conditions and post-conditions)
b) Operational rules applicable to the railway undertaking (pre-conditions and post-conditions)
c) Technical requirements and operational rules at the duty-holder interface (invariant requirements that are applicable to both the infrastructure manager and railway undertakings).

2.1.3.4 The technical requirements and operational rules at the duty-holder interface (see clause 2.1.3.3c) above) are provided for by complying with the Railway Group Standards, but these are insufficient on their own to control the system level hazard. Each of the boundary hazards can only be mitigated when the infrastructure manager and railway undertakings establish safety management systems that are compatible with each other and also provide for compliance with Railway Group Standards. This Guidance Note provides guidance on what should be included in the safety management systems to ensure compatibility.

2.1.3.5 The technical and operational requirements applicable to infrastructure manager safety management systems, including guidance on compliance with Railway Group Standards, are set out in section 2.2.

2.1.3.6 The operational requirements applicable to railway undertaking safety management systems are set out in section 2.2.

2.2 Guidance on signalling lockout system requirements

2.2.1 Provision of signage, labelling and operating instructions

2.2.1.1 The first boundary hazard associated with signalling lockout systems is: Complete or partial loss of legibility of the lockout system identification.

2.2.1.2 GE/RT8000 (the Rule Book) requires the person responsible for setting up a safe system of work to ensure it is adequate. Inadequate or degraded signalling lockout system signage and labelling could result in a user misinterpreting the scope of protection provided by a system, which could lead the user to set up inadequate protection arrangements.

Guidance for infrastructure managers and railway undertakings

2.2.1.3 Each signalling lockout system should be designed and configured by the infrastructure manager to meet the operational requirements of the railway undertaking. The scope of protection provided by each signalling lockout system should be agreed between the infrastructure manager and the railway undertaking and be included in a system design specification. The following items should be considered:

a) The geographical limits that need to be protected
b) The types of activity that take place under the protection
c) The number of people and separate work groups that use the system
d) The times of day that the system is used
e) The access arrangements to and from the protection area
f) The methods of communication between the user and the signaller
g) The movement authorities that are prohibited when the protection is established
h) The lines adjacent to the protection area and the movements that can still take place when the protection is established.

Guidance for infrastructure managers

2.2.1.4 The infrastructure manager should produce and implement a set of system operating instructions to provide for the safe operation of each signalling lockout system. The operating instructions should be compatible with the requirements in GE/RT8000 (the Rule Book) and set out the co-ordinated sequence of operations that need to be carried out by the signaller and the user.

2.2.1.5 The instructions should set out:

a) The sequence of operations required when:
   i) Protection is established
   ii) Protection is used
   iii) Protection is given up
b) The identity and permitted scope of use of the signalling lockout system.

2.2.1.6 The particular content in the instructions should include the guidance contained in sub-sections 2.2.1 to 2.2.6.

2.2.1.7 The instructions should be agreed with, and made available to, the railway undertaking before the signalling lockout system is taken into operational use. The arrangements for publishing local instructions are set out in GE/RT8004.

2.2.1.8 The infrastructure manager should ensure that:

a) Every signalling lockout system is provided with fit for purpose signage that is compliant with GK/RT0212 sub-section 2.1.1
b) Operational signalling lockout systems are maintained as part of an asset management system to ensure that signage is legible to the user whenever the system needs to be operated
c) Arrangements are put in place to ensure that permission to use signalling lockout systems is withheld when signs are missing or illegible, until corrective action has been completed
d) Signallers are competent to operate signalling lockout systems.

Guidance for railway undertakings

2.2.1.9 Railway undertakings should ensure that:

a) Personnel who use signalling lockout systems understand, and have access to, signalling lockout system operating instructions
b) Signalling lockout systems are only used to provide protection for the scope of work for which they have been specified in accordance with the system operating instructions
c) Personnel who use signalling lockout systems are competent and understand that the protection afforded by the particular lockout system is compatible with the work that needs to be protected
d) Personnel report any difficulty in reading the signage or interpreting the scope of protection provided by the signalling lockout system, in accordance with the requirements for reporting failures set out in GE/RT8000 (the Rule Book)
e) Personnel do not use defective lockout systems.

2.2.2 Signalling control and display system

2.2.2.1 The second boundary hazard associated with signalling lockout systems is: Safety related failure of the signalling system could result in a signaller setting a route (resulting in the issue of a movement authority to a train) into an area for which a release has already been given by a signalling lockout system.

2.2.2.2 There is a possibility that, under certain signalling failure conditions, an incorrect movement authority could be issued to a train that would result in a violation of the protection provided by a signalling lockout system.

Guidance for infrastructure managers

2.2.2.3 Signalling lockout system operating instructions should include a requirement that the user informs the signaller as soon as the first lockout key is withdrawn from the key release device.

2.2.2.4 The infrastructure manager should ensure that:

a) Signallers are aware that a signalled route should not be requested into a protected area when a signalling lockout release has been issued
b) Signallers are competent and vigilant in order to be able to detect signalling failures that could result in loss of protection
c) Signallers are capable of taking the appropriate necessary action in the event of loss of protection due to a signalling failure or signal passed at danger
d) Operating instructions should require the signaller to check that signalling lockout system protection is not being used before issuing an authority to a driver to pass a protecting signal at danger.

Guidance for railway undertakings

2.2.2.5 The railway undertaking should ensure that:

a) Drivers are competent and vigilant, in order to be able to detect signalling irregularities
b) Personnel using the protection provided by a signalling lockout system establish a safe system of work that addresses all railway operating conditions.

2.2.3 Voice communication requirements

2.2.3.1 The third boundary hazard associated with signalling lockout systems is: Safety related failure of the signalling lockout system could result in a key being released when protection is not established.

2.2.3.2 There is a possibility that, under certain signalling failure conditions, a key could be unlocked and removed by a user when the protection is not available.

Guidance for infrastructure managers

2.2.3.3 The infrastructure manager should ensure that all signalling lockout systems provided for use by a railway undertaking include a facility to enable the signaller and user to communicate with each other for the purposes of requesting, confirming and cancelling the protection arrangements.

2.2.3.4 The communication arrangements provided with each signalling lockout system should be agreed with the railway undertaking, and may typically comprise a dedicated lineside operational telephone adjacent to the key release instrument connected to the telephone concentrator in the signal box.

2.2.3.5 The technical requirements for the communication system are set out in GE/RT8048 Positioning and Labelling of Lineside Telephones, and GK/RT0206 Signalling and Operational Telecommunications Systems: Safety Requirements.

2.2.3.6 The requirements for operational voice messages communicated by the signaller are set out in GE/RT8000 (the Rule Book).

2.2.3.7 Lockout system operating instructions should include a procedure for the sequence of communication and operations including:

a) A user requesting a release from the signaller to establish protection
b) The signaller confirming with the user that the protection is available
c) The user confirming with the signaller that the protection has been taken, as soon as the first key has been withdrawn
d) The user confirming with signaller that the protection is no longer required
e) The signaller confirming with the user that the release has been cancelled.

2.2.3.8 The infrastructure manager should ensure that:

a) Signallers communicate verbal messages with the user in accordance with the protocol set out in GE/RT8000 (the Rule Book)
b) Signallers understand how to communicate with the user of the protection in emergency conditions
c) Voice communication systems provided as part of signalling lockout systems are maintained within an asset management system to ensure that they are fit for purpose whenever the system needs to be used.

Guidance for railway undertakings

2.2.3.9 The requirements for operational voice messages communicated by the user are set out in GE/RT8000 (the Rule Book).

2.2.3.10 The railway undertaking should ensure that:

a) Users communicate verbal messages with the signaller in accordance with the protocol set out in GE/RT8000 (the Rule Book) when requesting, confirming and giving up protection
b) Users confirm with the signaller that a release has been given before attempting to withdraw a key, irrespective of any indication provided within the key release device
c) Users inform the signaller as soon as the first lockout key is withdrawn from the key release device
d) Users confirm with the signaller when protection is no longer required.

2.2.4 Signalling lockout system release available controls

2.2.4.1 The fourth and fifth boundary hazards associated with signalling lockout systems are:

a) Failure to adhere to a proper sequence of operation in terms of releasing the protection may lead to an adverse situation, and
b) An indicator on the keylock device may give a false perception that protection is available to the user under certain failure conditions.

2.2.4.2 The integrity of the protection provided by the signalling lockout system is dependent on:

a) The configuration of the interlocking arrangements that control the signalling lockout system release function, the protecting signals and overrun protection functions
b) The safe control of train movements by the driver, within the limits authorised by the signalling system
c) The correct withdrawal and retention of the key by the user, when it is safe to do so, as a means of preventing the issue of signalled movement authorities to trains whenever the protection is being used.

Guidance for infrastructure managers

2.2.4.3 The infrastructure manager should design and implement a signalling interlocking system that ensures that a control to unlock a key can only be issued to a key release device when there is no possibility of authorised train movements into, out of, or within the protection area, and that protecting signals can only transmit proceed movement authorities when the protection has not been taken.

2.2.4.4 The interlocking system should fulfil the requirements contained in GK/RT0206 Signalling and Operational Telecommunications Systems: Safety Requirements, and GK/RT0060 Interlocking Principles. The particular requirements associated with signalling lockout systems are set out in GK/RT0212 sub-section 2.1.2.

2.2.4.5 GK/RT0212 clause 2.1.2.1a) requires that a release is only issued after the signaller responsible for operating the lockout release control has decided that it is safe to grant the protection and requested the particular release by operating the relevant control device on the signalling control system.

2.2.4.6 In order to be able to decide whether a release can be safely operated, the signaller should be provided with:

a) Information about the position of trains relative to the protection area
b) Information about the status of signal routes and movement authorities that conflict with the protection area
c) A facility to normalise all of the signal routes and prevent the issue of movement authorities that conflict with the protection area
d) A device to control the lockout release
e) Information about the status of the lockout release.

2.2.4.7 This can be achieved by providing a signalling control and indication system that is compliant with GK/RT0025 Signalling Control Centres.

2.2.4.8 GK/RT0212 clause 2.1.2.1b) requires that the interlocking provided for all signal routes into, within and out of the defined protection area is normal and free of approach locking before a lockout available control can be issued by the interlocking.

2.2.4.9 The signalling system should be configured so that the interlocking provided for all relevant signal routes is proved to be normal and locked before the interlocking for the signalling lockout release can be unlocked and reversed.

2.2.4.10 Approach locking should be provided on all signal routes that extend into, within or out of the defined protection area.

2.2.4.11 GK/RT0212 clause 2.1.2.1c) requires that a lockout available control shall only be issued by the interlocking when the train detection system has detected that:

a) There are no trains between the protecting signals and the boundaries of the defined protection area, and
b) Any train that has been admitted into the defined protection area is detected to be stationary in a position agreed with the railway undertaking.

2.2.4.12 A train detection system, compliant with GK/RT0011 Train Detection, should be provided between all protecting signals and the end of each signal route that conflicts with the protection area.

2.2.4.13 On bi-directional lines, additional controls may be provided to allow a lockout available control to be issued when trains between the protecting signals and defined protection area are proved to be going away from the protection area.

2.2.4.14 GK/RT0212 clause 2.1.2.1d) requires that the signal overrun mitigation arrangements associated with the signalling lockout system are effective, for example, points that provide trapping protection are locked and detected in the required position.

2.2.4.15 Appropriate SPAD mitigation measures should be determined and applied to each protecting signal by providing signalling controls that are derived from compliance with GI/RT7006 Prevention and Mitigation of Overruns Risk Assessment.

2.2.4.16 The overrun protection facilities selected should be proportionate to the risk of an unauthorised train movement entering a protection area that is being used. In circumstances where the track and signalling arrangements permit, it may be sufficient to control and lock facing points between the protecting signal and the protection area to provide trapping protection against unauthorised train movements. Where this is not practicable, other methods of overrun protection should be considered, including provision of TPWS.

2.2.4.17 GK/RT0212 clause 2.1.2.2 requires that the interlocking for all signal routes into, within and out of the protection area shall be normal and locked from the time that a lockout available control is transmitted to the key release device, until the interlocking for the lockout release control is normal.

2.2.4.18 The interlocking system should be configured to ensure that:

a) All signal routes associated with protecting signals are locked normal at all times that the interlocking provided with the signalling lockout release is in the reverse position
b) The interlocking associated with infrastructure that is used to provide overrun protection, for example, points are locked at all times that the interlocking provided with the signalling lockout release is in the reverse position
c) The interlocking for functions that provide protection is only released after the interlocking provided with the release control has been proved to be locked normal.

2.2.4.19 GK/RT0212 clause 2.1.3.1a) requires the infrastructure manager to provide a key release device that ensures that keys are captive within the device at all times that the defined protection area is not available to the railway undertaking.

2.2.4.20 Keys should be securely held within the key release device at all times, unless a release available control has been transmitted by the interlocking. Typically this can be achieved through incorporating an electro-mechanical key locking mechanism within the key release device.

2.2.4.21 The key locking mechanism should only be unlocked and free to operate when a release available control is transmitted from the interlocking to the key release device. This should enable a user to unlock and withdraw one or more keys.

2.2.4.22 It is good practice to incorporate an economiser device within the key release mechanism that requires the user to positively unlock a key before it can be withdrawn.

2.2.4.23 An illuminated indication may be provided within the key release device, but this should only be intended to advise the user when permission to use the protection is available on request from the signaller. Such an indication should typically be extinguished when a release is not available and illuminate only when the key is unlocked. The illumination of the indication should indicate the status of the locking mechanism, and failure of the indication should not influence the integrity of the protection.

2.2.4.24 The infrastructure manager should ensure that interlocking and signalling lockout systems are maintained as part of an asset management system to ensure that they are fit for purpose whenever the systems need to be used.

Guidance for railway undertakings

2.2.4.25 Railway undertakings should ensure that:
a) Users only attempt to withdraw the first key after verbally confirming with the signaller that it is safe to use the protection and when a release is issued by the interlocking
b) Users retain the withdrawn keys on their person at all times when the protection is required
c) A signalling lockout system is only used to support a safe system of work when it is compatible with the activity that needs to be protected
d) Competent drivers are employed to control the movement of all trains within the limits of the movement authorities issued by the infrastructure manager.

2.2.5 Signalling lockout system release cancellation controls

2.2.5.1 The sixth boundary hazard associated with signalling lockout systems is: Failure to adhere to a proper sequence of operation in terms of returning the key may lead to an adverse situation.

2.2.5.2 Because the integrity of the protection is dependent on the railway undertaking personnel withdrawing and retaining possession of a key, it is necessary to ensure that protection can only be withdrawn by the signaller when:
a) The user has replaced all withdrawn keys in the key release instrument
b) The signalling lockout system detects that the designated number of correctly configured keys are replaced into the key release device
c) The user confirms with the signaller that it is safe to cancel the release.

Guidance for infrastructure managers

2.2.5.3 GK/RT0212 clause 2.1.2.3 requires that the interlocking for the release shall only be normalised when:
a) The lockout cancellation control has received information that the required number of keys are locked in the key release device, and
b) The signaller has operated a system-specific control device on the signalling control system to cancel the release.

2.2.5.4 The interlocking should be configured to ensure that the signalling lockout release can only be normalised when:
a) The required number of keys are detected to be locked within the key release device
b) The locking mechanism within the key release device is proved to be locked
c) The lockout available control is no longer being transmitted by the interlocking
d) The signaller operates the control to cancel the release.

2.2.5.5 An illuminated indication may be provided on the signalling control panel, but this should only be used to advise the signaller when the release is ready to be cancelled. The illumination of the indication should indicate the status of the release, and failure of the indication should not influence the integrity of the protection.

2.2.5.6 The infrastructure manager should ensure that:
a) Signallers only attempt to cancel the protection when the user has confirmed that the protection provided by the signalling lockout system is no longer required, irrespective of any indication provided on the signalling control panel
b) Signallers are competent to operate the signalling lockout system
c) Signalling lockout systems are only adjusted and reset by competent and authorised personnel under controlled conditions, for example during planned maintenance or in order to return the asset to operational use following a failure, when it is confirmed by the signaller that it is safe to do so.

Guidance for railway undertakings

2.2.5.7 Railway undertakings should ensure that:
a) Users only replace keys into the keylock mechanism when all personnel and equipment are known to be clear of the defined protection area and are in the designated position of safety
b) Users only use the correct, authorised keys to operate the lockout system
c) Users communicate with the signaller to confirm that the protection provided by the signalling lockout system is no longer required
d) Users are competent to operate the signalling lockout system.
2.2.6 Compatibility between key release devices and keys

2.2.6.1 The seventh boundary hazard associated with signalling lockout systems is: Where the number of keys available to the user exceeds the minimum number of keys required to cancel the protection, there is a possibility that protection could be given up before the work is complete.

Guidance for infrastructure managers

2.2.6.2 GK/RT0212 sub-section 2.1.3 requires the infrastructure manager to provide a key release device that will only transmit a lockout cancellation control to the interlocking sub-system when the designated, correctly configured, keys are replaced into the key release device.

2.2.6.3 Key release instruments should be configured to:
a) Prevent incompatible keys from being used to cancel the release
b) Detect that the required number of keys have been correctly and fully inserted and locked into the keyway before the release cancellation is transmitted to the interlocking
c) Be constructed in a manner that prevents unauthorised adjustment.

2.2.6.4 GK/RT0212 sub-section 2.1.4 requires the infrastructure manager to ensure that:
a) The total number of keys within the operational signalling lockout system shall not exceed the minimum number of keys required to cancel the release, and
b) The keys for each signalling lockout system shall be uniquely configured to their associated key release device.

2.2.6.5 The number of keys provided with each key release device should be determined by the infrastructure manager as part of the system design specification to meet the operational needs of the railway undertaking. Typically, the total number of keys within a signalling lockout system should match the maximum number of users of the protection at any one time. This ensures that each user (person responsible for protecting a work group) can retain a key as a guarantee of protection until the protection is no longer required.

2.2.6.6 If it is necessary, for system availability and reliability purposes, to provide spare keys, these should be securely stored by the infrastructure manager and only entered into the operational system when the signaller is satisfied that it is safe to do so. If a mislaid key is subsequently located or a damaged key is repaired, the number of keys within the operational system should be restored to the minimum number required to cancel a release.

2.2.6.7 The infrastructure controller should implement a procedure for managing spare keys as part of the operating instructions provided with each signalling lockout system.

2.2.6.8 Keys should be clearly identified to help users match the key with the respective key release device. This may include colour coding or clear labelling to describe the protection area that they authorise protection for.

2.2.6.9 The keylock mechanism should be of robust construction and designed to prevent unauthorised operation. The key locking mechanism and the associated electrical controls should be secured, separated and shielded from the user to prevent unauthorised operation, with controlled access being provided to support maintenance requirements.

Guidance for railway undertakings

2.2.6.10 Railway undertakings should ensure, as part of a safety management system, that:
a) Personnel remain within the limits of the defined protection area for which the lockout system has been specified
b) The person responsible for each worksite checks that all personnel and equipment are clear of the protection area and in a position of safety before replacing the key in the key release device
c) All personnel remain in a position of safety and do not re-enter the protection area after the protection has been given up
d) Personnel who use the protection only have access to keys that are within the operational system
e) Personnel only operate the keylock device in accordance with the operating procedures
f) Mislaid or damaged keys are reported to the signaller in accordance with GE/RT8000 (the Rule Book).
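The release and cancellation conditions in clauses 2.2.4.8 to 2.2.6.4 can be read as a small state model. The following Python sketch is an added example, not part of this guidance note or of GK/RT0212; all class, field and key names are hypothetical, and it assumes that every configured key is required to cancel the release.

```python
from dataclasses import dataclass


@dataclass
class Site:
    """Inputs read by the interlocking (hypothetical field names)."""
    routes_normal: bool = True                 # 2.2.4.8: all relevant routes normal
    approach_locking_free: bool = True         # 2.2.4.8: no route approach locked
    approach_clear: bool = True                # 2.2.4.11 a): no train on the approach
    admitted_trains_stationary: bool = True    # 2.2.4.11 b)
    overrun_protection_effective: bool = True  # 2.2.4.14: e.g. trap points detected


class LockoutSystem:
    """Simplified model: every configured key is required to cancel (2.2.6.4 a)."""

    def __init__(self, key_ids, site):
        self.site = site
        self.configured_keys = frozenset(key_ids)  # keys unique to this device
        self.keys_locked_in = set(key_ids)         # detected inserted and locked
        self.release_reverse = False               # lockout release interlocking
        self.lockout_available = False             # control sent to the key device
        self.routes_locked_normal = False

    def release_blockers(self):
        """Names of unmet pre-conditions for issuing a lockout available control."""
        return [name for name, ok in vars(self.site).items() if not ok]

    def signaller_release(self):
        """Signaller operates the release; returns blockers (empty list = issued)."""
        blockers = self.release_blockers()
        if not blockers:
            self.routes_locked_normal = True  # routes locked before reversing (2.2.4.9)
            self.release_reverse = True
            self.lockout_available = True     # key locking mechanism may now unlock
        return blockers

    def can_set_route(self):
        """Routes into, within or out of the area are held while released."""
        return not self.routes_locked_normal

    def withdraw_key(self, key_id):
        if not self.lockout_available or key_id not in self.keys_locked_in:
            return False                      # keys stay captive (2.2.4.20)
        self.keys_locked_in.remove(key_id)
        return True

    def replace_key(self, key_id):
        if key_id not in self.configured_keys:
            return False                      # incompatible key rejected (2.2.6.3 a)
        self.keys_locked_in.add(key_id)
        return True

    def signaller_cancel(self):
        """Normalise the release only with all keys locked in (2.2.5.4)."""
        if not self.release_reverse or self.keys_locked_in != self.configured_keys:
            return False
        self.lockout_available = False        # stop transmitting; mechanism relocks
        self.release_reverse = False          # release interlocking normalised
        self.routes_locked_normal = False     # route locking freed last (2.2.4.18 c)
        return True


def demo():
    """Constructed scenario: two users, keys K1 and K2; returns observed outcomes."""
    sys_ = LockoutSystem(["K1", "K2"], Site(approach_clear=False))
    out = {"early_withdraw": sys_.withdraw_key("K1"),
           "blocked_by": sys_.signaller_release()}
    sys_.site.approach_clear = True           # approaching train has now cleared
    out["release"] = sys_.signaller_release() == []
    out["withdraw"] = sys_.withdraw_key("K1") and sys_.withdraw_key("K2")
    out["route_while_released"] = sys_.can_set_route()
    sys_.replace_key("K1")
    out["cancel_one_key_out"] = sys_.signaller_cancel()
    out["foreign_key"] = sys_.replace_key("X9")  # X9 is not configured to this device
    sys_.replace_key("K2")
    out["cancel_all_keys_in"] = sys_.signaller_cancel()
    out["route_after_cancel"] = sys_.can_set_route()
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The model treats cancellation as a single step; it does not represent the verbal confirmation between user and signaller, which the guidance requires in addition to the interlocking conditions.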

Appendix A Interface specification for signalling lockout systems

Generic safety management issues, for example competence management, are not listed.

A.1 Boundary hazard 1: Complete or partial loss of legibility of the lockout system identification

A.1.1 Infrastructure manager sub-system requirements (pre-conditions)

A.1.1.1 The infrastructure manager safety management system shall ensure fit for purpose identification signs and labels on keylock mechanisms.

A.1.1.2 The infrastructure manager safety management system shall ensure that sufficient technical and operational information about lockout systems is available to users.

A.1.1.3 The infrastructure manager safety management system shall include an asset maintenance regime that includes a check that equipment identification signs and labels are fit for purpose at the time that the lockout facility is used.

A.1.1.4 The infrastructure manager safety management system shall include a failure management process that ensures that defective lockout systems cannot be used (including the ability to detect where missing labels could result in the wrong protection being taken).

A.1.2 Railway undertaking sub-system requirements (pre-conditions)

A.1.2.1 The railway undertaking safety management system shall ensure that personnel who use lockout systems understand their scope of work activity and the requirements of the task to be performed before using a lockout system.

A.1.2.2 The railway undertaking safety management system shall ensure that personnel who use lockout systems report any difficulty in reading or using the label.

A.1.2.3 The railway undertaking safety management system shall ensure that personnel who use lockout systems can recognise defects and report failures to the infrastructure manager.

A.1.3 Safety requirements at the duty-holder interface (invariant)

A.1.3.1 The infrastructure manager shall provide keylock devices that are clearly labelled with the keylock identification. The identification sign shall include:
a) A unique keylock identity descriptor, and
b) A diagram that describes the scope of protection and identifies the limits of protection provided by that keylock.

A.1.3.2 The identification label parameters shall provide for legibility to all intended users at all times. Illumination shall be provided where necessary.

A.1.3.3 The identification shall be legible from the position that the keylock device is operated.

A.1.3.4 The railway undertaking personnel requiring the protection shall ensure that the scope of protection afforded by the lockout system matches the scope of work that is to be carried out.

A.1.4 Infrastructure manager sub-system requirements (post-conditions)

A.1.4.1 None.

A.1.5 Railway undertaking sub-system requirements (post-conditions)

A.1.5.1 The railway undertaking safety management system shall ensure that personnel requesting protection know that the protection provided by the lockout system is appropriate for the task to be performed.

A.1.5.2 The railway undertaking safety management system shall ensure that personnel do not use defective lockout systems.

A.2 Boundary hazard 2: Safety related failure of the signalling system could result in a signaller setting a route (resulting in the issue of a movement authority to a train) into an area for which a release has already been given by a signalling lockout system

A.2.1 Infrastructure manager sub-system requirements (pre-conditions)

A.2.1.1 The infrastructure manager safety management system shall ensure that the design of the signalling control system provides for the signaller to apply reminder appliances to signal control functions.

A.2.1.2 The infrastructure manager safety management system shall ensure that the signaller is provided with a mechanism to detect a wrong side failure, is competent to understand the implications of a wrong side failure and is capable of taking the appropriate action.

A.2.2 Railway undertaking sub-system requirements (pre-conditions)

A.2.2.1 None.

A.2.3 Safety requirements at the duty-holder interface (invariant)

A.2.3.1 The infrastructure manager shall provide a signalling control facility that is used by a signaller to place a reminder device on a signal control device as soon as the railway undertaking personnel informs the signaller that a release has been taken.

A.2.3.2 The railway undertaking personnel inform the signaller as soon as the release is taken (the first key is withdrawn from the keylock device).

A.2.4 Infrastructure manager sub-system requirements (post-conditions)

A.2.4.1 The infrastructure manager safety management system shall ensure the signaller is aware at all times that a route shall not be requested into a protection area when the release has been taken.

A.2.4.2 The infrastructure manager safety management system shall require the signaller to place a reminder device, at the time the lockout release is given, on the control functions that would be operated, in order to set signalled routes into the protection area. The reminder device shall remain in place until the lockout release is cancelled.

A.2.5 Railway undertaking sub-system requirements (post-conditions)

A.2.5.1 The railway undertaking safety management system shall ensure that personnel implement a safe system of work for the duration that the protection is required.

A.3 Boundary hazard 3: Safety related failure of the signalling lockout system could result in a key being released when protection is not established

A.3.1 Infrastructure manager sub-system requirements (pre-conditions)

A.3.1.1 The infrastructure manager safety management system shall ensure that a communication facility is available for use between the signaller and the person who uses the lockout system.

A.3.1.2 The infrastructure manager safety management system shall ensure that the communication system is fit for purpose and in normal working order.

A.3.1.3 The infrastructure manager safety management system shall ensure that the signaller is competent to understand how to issue an emergency message to the railway undertaking personnel.

A.3.2 Railway undertaking sub-system requirements (pre-conditions)

A.3.2.1 The railway undertaking safety management system shall ensure that personnel who use lockout systems are competent to use the communication system and understand the communication protocol to be used.

A.3.3 Safety requirements at the duty-holder interface (invariant)

A.3.3.1 Railway undertaking personnel shall request a release before attempting to remove a key.

A.3.3.2 Infrastructure manager and railway undertaking personnel shall communicate verbal messages using the protocol set out in GE/RT8000 (the Rule Book).

A.3.4 Infrastructure manager sub-system requirements (post-conditions)

A.3.4.1 The infrastructure manager safety management system shall ensure the signaller communicates the decision on whether to operate the lockout release to the person requesting protection.

A.3.5 Railway undertaking sub-system requirements (post-conditions)

A.3.5.1 The railway undertaking safety management system shall ensure that the person who has requested a release understands that a release has been given before attempting to remove a key from the key release instrument.

A.4 Boundary hazard 4: Failure to adhere to a proper sequence of operation in terms of releasing the protection may lead to an adverse situation

A.4.1 Infrastructure manager sub-system requirements (pre-conditions)

A.4.1.1 The infrastructure manager safety management system shall provide a signalling control system that includes a lockout release control function for the use of the signaller.

A.4.1.2 The infrastructure manager safety management system shall ensure that all movement authorities into and out of the protected area are under the control of the signaller who controls the release.

A.4.1.3 The infrastructure manager safety management system shall ensure that adequate overrun protection facilities are provided on all signals to mitigate SPAD risk.

A.4.1.4 The infrastructure manager safety management system shall ensure that a method of train protection is provided between all protecting signals and the protected area.

A.4.1.5 The infrastructure manager safety management system shall ensure that a keylock device is provided at a location that provides for safe access, egress and operation by the user from a position of safety.

A.4.1.6 The infrastructure manager safety management system shall ensure that all signalling equipment is fit for purpose and in normal working order.

A.4.2 Railway undertaking sub-system requirements (pre-conditions)

A.4.2.1 The railway undertaking safety management system shall ensure that train drivers are competent and control trains within the limits of movement authority.

A.4.2.2 The railway undertaking safety management system shall ensure that personnel requiring to work on or near the line are competent to use the lockout system.

A.4.3 Safety requirements at the duty-holder interface (invariant)

A.4.3.1 Protecting signals display stop aspects when the release has been operated.

A.4.3.2 A lockout release function can only be issued to the lockout instrument when the signaller operates the release control function and:
a) All signal routes into, within and out of the protection area are normal and free of approach locking
b) Overrun protection is effective for the protecting signals
c) There are no trains between the protecting signals and the protection area unless they are going away from the defined protection area.

A.4.3.3 Railway undertaking personnel only take the release when it is safe to do so.

A.4.3.4 Train drivers stop trains at protecting signals.

A.4.4 Infrastructure manager sub-system requirements (post-conditions)

A.4.4.1 The infrastructure manager safety management system shall ensure that the signalling system prevents the issue of movement authorities into, within or out of the protected area when the release has been given.

A.4.5 Railway undertaking sub-system requirements (post-conditions)

A.4.5.1 The railway undertaking safety management system shall ensure that personnel retain the key at all times that access to the protected area is required.

A.4.5.2 The railway undertaking safety management system shall ensure that personnel carry out their work within the constraints specified for the lockout system.

A.5 Boundary hazard 5: An indicator on the keylock device may give a false perception that protection is available to the user under certain failure conditions

A.5.1 Infrastructure manager sub-system requirements (pre-conditions)

A.5.1.1 The infrastructure manager safety management system includes a design process that ensures that the design of the keylock device provides for integrity of the lock mechanism as the primary safety control, so that a key cannot be withdrawn until the release has been given, irrespective of the perception of release status provided by the indicator.

A.5.2 Railway undertaking sub-system requirements (pre-conditions)

A.5.2.1 The railway undertaking safety management system shall ensure that personnel are competent to use the system and competent in the rules.

A.5.3 Safety requirements at the duty-holder interface (invariant)

A.5.3.1 The keylock device shall only release a key when the appropriate release control has been transmitted by the interlocking.

A.5.3.2 Railway undertaking personnel shall remove and retain a key from the appropriate keylock device, in order to confirm that the protection has been issued.

A.5.4 Infrastructure manager sub-system requirements (post-conditions)

A.5.4.1 None.

A.5.5 Railway undertaking sub-system requirements (post-conditions)

A.5.5.1 The railway undertaking personnel carry out work on or near the line within the constraints specified for the lockout system (physical boundaries and activities).

A.6 Boundary hazard 6: Failure to adhere to a proper sequence of operation in terms of returning the protection may lead to an adverse situation

A.6.1 Infrastructure manager sub-system requirements (pre-conditions)

A.6.1.1 None.

A.6.2 Railway undertaking sub-system requirements (pre-conditions)

A.6.2.1 The railway undertaking safety management system shall ensure that the personnel responsible for the worksite check that all personnel and equipment are clear of the protection area and in a position of safety.

A.6.3 Safety requirements at the duty-holder interface (invariant)

A.6.3.1 The lockout release can only be cancelled when all of the keys are correctly replaced in the keylock device.

A.6.3.2 Railway undertaking personnel replace all of the keys in the keylock device and advise the signaller that the release can be cancelled.

A.6.4 Infrastructure manager sub-system requirements (post-conditions)

A.6.4.1 The infrastructure manager safety management system shall ensure that the signaller is competent to safely cancel the release.

A.6.5 Railway undertaking sub-system requirements (post-conditions)

A.6.5.1 The railway undertaking safety management system shall ensure that personnel remain in a position of safety and do not re-enter the protection area after the release has been cancelled.

A.7 Boundary hazard 7: Where the number of keys available to the user exceeds the minimum number of keys required to cancel the protection, there is a possibility that protection may be given up before work is complete

A.7.1 Infrastructure manager sub-system requirements (pre-conditions)

A.7.1.1 The infrastructure manager safety management system includes a design process that provides for correct and secure configuration of the keylock device with the specified number of keys.

A.7.2 Railway undertaking sub-system requirements (pre-conditions)

A.7.2.1 The railway undertaking safety management system shall ensure that personnel only have access to the correct authorised keys.

A.7.3 Safety requirements at the duty-holder interface (invariant)

A.7.3.1 The keylock device shall be configured to ensure that a release can only be cancelled when the designated number of correctly configured keys are fully replaced.

A.7.3.2 The configuration of the keylock device can only be adjusted or reset by authorised persons.

A.7.3.3 The total number of keys within the operational system shall not exceed the number of keys required to operate the keylock device.

A.7.3.4 The keys for each instrument shall be uniquely configured to that instrument.

A.7.3.5 Railway undertaking personnel shall only replace the correct authorised keys in the keylock device.

A.7.3.6 Spare keys shall only be released by the infrastructure manager when assurance has been given that the line is clear.