etcs system requirements specification 4 - rssb€¦ · 1.8 27/05/15 restructured to align content...

Reference: NEPT/ERTMS/REQ/0005

Issue/ver: 4.0

Date: 31st March 2017

NETWORK RAIL of 48

Electronic Version

CCMS Reference: 11246028

Version History

Issue Date Comments

1.0 12/11/10 First Draft for Review

1.1 17/11/10 For Information Only in support of the HNIF ITT

1.2 05/06/13 Update to support Tender Process

1.3 09/06/14 Update from Reference Design for Internal Review

1.4 30/03/15 Update from Technical Author and Reference Design inputs

1.5 13/04/15 Updated for informal internal review

1.6 13/04/15 Updated from review comments

1.7 05/05/15 Review document with track changes enabled

1.8 27/05/15 Restructured to align content with European SRS

2.0 27/05/15 Unsigned Preliminary Draft Issue

3.0 31/03/15 First Issue

3.1 29/04/16 Update following Reference Design requirement harmonisation

3.2 18/08/16 Update for SRSG

3.3 28/08/16 Update from SRSG

3.4 22/09/16 Update for SRSG

3.5 30/09/16 Release for ESB / OSG review

3.6 17/02/17 Update from ESB / OSG review for commenter review

3.7 17/03/17 Updated from further comment review. DOORS update version.

3.8 20/03/17 Further comments

4.0 31/03/17 Formal issue

Disclaimer

Network Rail has used its best endeavours to ensure that the content, layout and text of this document are accurate, complete and suitable for its stated purpose. It makes no warranties, expressed or implied, that compliance with the contents of this document shall be sufficient to ensure safe systems of work or operation. Network Rail will not be liable to pay compensation in respect of the content or subsequent use of this document for any purpose other than its stated purpose or for any purpose other than that for which it was prepared except where it can be shown to have acted in bad faith or there has been wilful default.


Issue/ver: 4.0


NETWORK RAIL of 48

Contents

1 INTRODUCTION .............................................................................................................. 5

1.1 Purpose of this Document ............................................................................................................................ 5

1.2 Scope ................................................................................................................................................................... 5

1.3 Context ................................................................................................................................................................ 6

1.4 Abbreviations .................................................................................................................................................... 6

1.4.1 Specific Terminology ......................................................................................................................... 6

1.5 Requirements: Formal, Applicability and Identification ..................................................................... 6

1.5.1 Requirement Functionality .............................................................................................................. 6

1.5.2 Basic Requirement Form ................................................................................................................. 7

1.5.3 Safety Requirement ........................................................................................................................... 7

1.5.4 Unique ETCS System Requirement-Identifier (ESR-Identifier) ......................................... 7

1.5.5 Normative / Application-Specific / Preferred status ............................................................... 7

1.5.6 Topics ..................................................................................................................................................... 8

1.6 Requirements Assurance ............................................................................................................................. 8

1.7 Requirements Change .................................................................................................................................. 8

1.8 Areas for Development ................................................................................................................................. 8

2 SYSTEM REQUIREMENTS ............................................................................................ 9

2.1 Scheme Design Requirements .................................................................................................................. 9

2.2 Movement Authority, Modes & Levels .................................................................................................. 11

2.2.1 Appropriate Supervision Level ................................................................................................... 12

2.2.2 Movement Authorities .................................................................................................................... 12

2.2.3 Full Supervision Movement Authorities ................................................................................... 13

2.2.4 Start of Mission ................................................................................................................................. 13

2.2.5 Degraded Starts ............................................................................................................................... 14

2.2.6 Routing Information ........................................................................................................................ 14

2.2.7 Speed Restrictions .......................................................................................................................... 14

2.2.8 Possessions ...................................................................................................................................... 15

2.2.9 Shunting .............................................................................................................................................. 15

2.2.10 Occupied Sections .......................................................................................................................... 16

2.2.11 Level Crossings................................................................................................................................ 17


Issue/ver: 4.0


NETWORK RAIL of 48

2.3 Degraded and Emergency ........................................................................................................................ 17

2.4 Signs and Indicators .................................................................................................................................... 18

2.5 Other Systems ............................................................................................................................................... 19

2.5.1 Class B Systems.............................................................................................................................. 19

2.5.2 Traction Switching ........................................................................................................................... 20

2.5.3 Onboard .............................................................................................................................................. 21

2.5.4 Data ...................................................................................................................................................... 21

2.6 Safety ................................................................................................................................................................ 22

2.7 Security ............................................................................................................................................................ 22

2.8 People Issues ................................................................................................................................................ 24

2.8.1 Workload/People/Training ............................................................................................................ 24

2.8.2 Driver Interface ................................................................................................................................. 25

2.9 Whole Life Management ............................................................................................................................ 26

2.9.1 Life Cycle Management ................................................................................................................ 26

2.9.2 Reliability, Availability, Maintainability (RAM) ....................................................................... 29

2.9.3 Maintenance ...................................................................................................................................... 29

2.9.4 Diagnostics ........................................................................................................................................ 30

2.10 Implementation Requirements ................................................................................................................ 32

2.10.1 Transitions .......................................................................................................................................... 32

2.10.2 Implementation and Migration .................................................................................................... 36

2.10.3 Future Enhancements ................................................................................................................... 37

2.10.4 Design Rules ..................................................................................................................................... 38

2.11 Requirements for GB Rail Processes ................................................................................................... 39

2.12 Requirements for the Control Layer ...................................................................................................... 41

APPENDIX A: ABBREVIATIONS ........................................................................................... 44

APPENDIX B: LIST OF REFERENCES ................................................................................. 46

APPENDIX C: TOPICS LOOKUP TABLE ............................................................................. 47

APPENDIX D: AREAS FOR DEVELOPMENT (OPEN POINTS)......................................... 48


Issue/ver: 4.0


NETWORK RAIL of 48

1 INTRODUCTION 1.1 Purpose of this Document

This document provides a specification that is intended to promote effective implementation of the ETCS. It is applicable to ETCS installations and provides requirements that are optimised for operation on the GB rail network.

As stated in the industry-agreed and issued National ETCS Requirements Management Strategy [RD1] and Plan [RD2], the document provides the requirements which have been developed as part of a suite of ETCS requirements covering all elements required to optimise performance and operation of an ETCS railway. The document can be used as a standalone specification for the System aspect of the ETCS; further details of the requirements that drive the development of this specification are included within the Sub-system Requirements (Trackside, Onboard (Retrofit & New Trains), Telecoms and Operations [RD3], [RD4], [RD5], [RD6] & [RD7]).

This Specification for the ETCS has been written to complement the Command, Control and Signalling Technical Specification for Interoperability (CCS TSI) and European Union Agency for Railways (known as ‘The Agency’) specifications for Baseline 3 ETCS1 [RD8] & [RD9]. Every effort has been made to avoid conflict with the CCS TSI and Baseline 3 specification but, in case of conflict, the CCS TSI (including the UK specific cases) and Baseline 3 specification take precedence.

The document is set out in the form of standard requirements with the ETCS System Requirement (ESR) identifier, followed by rationale and guidance notes, where appropriate.

1.2 Scope

This document consists of requirements which describe the functionality and application of the ETCS optimised for application on the GB rail network at all required levels of operation.

These requirements are not expected to prevent the ETCS operating in conjunction with an Automatic Train Operation (ATO) system. Requirements will be added at a later date once the European specification for adding ATO to an ETCS has been finalised. Projects are encouraged to seek advice from the ERTMS Systems Body (ESB) if there is a wish to facilitate early introduction of ATO.

These requirements are not expected to prevent the ETCS operating in conjunction with a Traffic Management (TM) system. No specific TM requirements have been identified for inclusion to date.

Specific requirements and domain knowledge for a particular application are not included within this document and will need to be defined by the Contracting Entity or their appointed Agent.

Nothing in this document obviates any legal requirement with which any of the parties must comply. Furthermore, it does not preclude operation of a TSI-compliant vehicle on the GB rail network, or a vehicle compliant to this specification operating on TSI-compliant infrastructure outside the GB rail network.

1 Note: This suite of requirements has been written to meet Baseline 3 Release 2, although the ETCS DOORS requirements database has the capability of producing a suite of requirements to meet Baseline 3 Maintenance Release 1. Should a suite of Baseline 3 Maintenance Release 1 requirements be needed, or if any background information be required for any specific requirement then an e-mail with specifics should be sent to: [email protected]


Issue/ver: 4.0


NETWORK RAIL of 48

1.3 Context

This document has been developed from a number of sources.

Input from the ETCS programme, ETCS suppliers, and the wider rail industry has been used to develop the requirements. A series of workshops and industry consultations have identified new requirements for addition. Guidance has been added to justify changes.

Requirements amended and deleted through this development process have been captured within the requirements database, along with justification for their amendment or removal.

1.4 Abbreviations

Abbreviations are explained in full where used in Requirements. A fuller explanation of Terms and Abbreviations can be found in Appendix A: and the ETCS Glossary [RD10].

1.4.1 Specific Terminology Specific terms are used within the requirements contained within this document:

1. ETCS solution This requirements specification has avoided identifying solutions as there is an opportunity for providing the ETCS functionality anywhere. Therefore, instead, the supplier will be identifying their own solution to the required functionality apportionment, and so the term ETCS solution has been used.

2. rail vehicle and / or train Installation of the ETCS functionality will be expected in all rail vehicles and trains.

3 Onboard This refers to the ETCS Onboard functionality.

4 on-board / on board This refers to any functionality on board the rail vehicle or train apart from the ETCS Onboard solution e.g. ‘the on-board TPWS’ or ‘the Class B systems on board the train’.

5 ETCS Programme team These ETCS System Requirements need to be applied across many projects (routes, and rail vehicle or train), but there are some requirements that transcend this level and need to be undertaken and satisfied at a central level such that there will be commonality of use across all projects. The term ‘ETCS Programme Team’ is used for the organisation that will undertake this work.

1.5 Requirements: Formal, Applicability and Identification

1.5.1 Requirement Functionality

Requirements may be functional or non-functional:

Functional Requirements - Technical details that define what a system needs to accomplish, i.e. how suppliers’ equipment will be applied, what it needs to do, and what processes, procedures and rules need to be in place to achieve it.

Non-Functional Requirements - Constraints on the design or implementation, such as performance, security, competence, training, and reliability requirements.

Functional requirements have been derived through the Reference Design generation process [RD11], whereas non-functional requirements have mostly been derived from the Cambrian Requirements suite and supplemented by workshop input [RD12].


Issue/ver: 4.0


NETWORK RAIL of 48

1.5.2 Basic Requirement Form

All requirements are in the following form:

Status: Normative/Application-Specific/Preferred (See Section 1.5.5 below).

Rationale: Shows applicability of the requirement.

Guidance: Supplementary information to support Requirement interpretation and satisfaction.

Topics: Reference Design Topics (if applicable) (See Section 1.5.6 below).

1.5.3 Safety Requirement

Where a requirement has been associated with a Safety Measure, this is identified.

1.5.4 Unique ETCS System Requirement-Identifier (ESR-Identifier) Each requirement has been identified uniquely. The requirement numbers have been generated automatically within the DOORS database, which means that the requirement numbering may be neither sequential nor gap-free.

1.5.5 Normative / Application-Specific / Preferred status

Each requirement within this document is identified as one of: normative, preferred, or application-specific. These are defined as follows:

Normative

o Necessary to achieve compatibility or optimisation of the system in relation to the GB rail network, or

o A system feature that is deemed to be cost-effective and universally beneficial.

Satisfaction of normative requirements in compliance with this document is expected to be a requirement of individual delivery contracts.

Application-Specific

o A requirement which may not be relevant or applicable to every implementation of the ETCS. It is expected that, where a requirement is applicable, it will be applied.

Satisfaction of application-specific requirements in compliance with this document is expected to be a requirement of individual delivery contracts, as appropriate to the implementation being considered.

Preferred

o A requirement of lower importance which, whilst not essential, the industry would prefer were satisfied. It is expected that, where a requirement is applicable, it will be applied.

Satisfaction of preferred requirements in compliance with this document is not expected to be a requirement of individual delivery contracts unless explicitly

Safety

Requirement text. Unique ESR-Identifier


Issue/ver: 4.0


NETWORK RAIL of 48

specified within the relevant contract.

1.5.6 Topics

Where applicable, the Reference Design Topic has been identified, as detailed in the Topics Lookup Table in Appendix C:. The Topic has been broken down, where applicable, into Options and Variants, e.g. Topic N1-2 refers to Topic N, Option 1, Variant 2.

Where the Reference Design Topic has not yet achieved Release Version status, the requirements are marked (Provisional).

1.6 Requirements Assurance

Requirements assurance has been explained in the ETCS Requirements Assurance Statement [RD13].

1.7 Requirements Change

The ETCS Requirements Change Control Process [RD14] will be used to raise Change Requests (CRs) to amend existing requirements or add new requirements.

1.8 Areas for Development

Noting that this document represents the best understanding of the needs of the GB rail network at the time of publishing, it is recognised that there are a number of areas where the document may be deficient. New deficiencies may be identified as understanding of the ETCS develops, as well as areas being closed out through further work being undertaken. The current known areas of deficiency are listed in Appendix D:.


Issue/ver: 4.0


NETWORK RAIL of 48

2 SYSTEM REQUIREMENTS 2.1 Scheme Design Requirements

This section contains specific requirements relating to the scheme design for individual routes.

Lineside signals shall be provided or retained where essential. ESR-3

Status: Normative

Rationale: There may be occasions when lineside signals are required to support operations.

Guidance: Where it is not possible to provide a Movement Authority on the Driver Machine Interface (DMI) for regular moves (e.g. shunting), then a lineside signal should be considered.

Topics: N1-2, O1

The ETCS application design shall not generate unwanted system braking interventions. ESR-11

Status: Normative

Rationale: The odometer is corrected each time the Last Relevant Balise Group (LRBG) changes. It is possible that the change in location data could result in the application of brakes if the train is closer to the End of Authority (EOA) than the old reading had suggested.

Guidance: The timing of messages (such as alterations in speed profile or track condition) from the Trackside could result in sudden changes in momentum if not considered as part of the overall system design. Other sources of unwanted brake interventions, such as on-train faults, should also be considered.

Topics: A1-1, A1-2, J3, J4, J5, Y1

Measures shall be taken to mitigate the risk arising from trains stopping in undesirable locations.

ESR-276

Status: Normative

Rationale: To reduce the secondary risks to people or performance that may arise if a train stops in certain locations.

Guidance: Undesirable locations will be determined on an application-specific basis. The risks that might arise in the event that a train stops in, or attempts to restart from certain locations, should be considered and mitigated. Examples of potentially undesirable stopping locations include tunnels, viaducts and neutral sections.

Topics: J4

A train with an ETCS Movement Authority shall be supervised on the approach to buffer stops such that the potential collision speed is within that defined for the buffer stop.

ESR-281

Status: Normative

Rationale: At many locations, the buffer stops will already have been installed with an expectation of approach speed which is based on a designed approach speed. The ETCS can improve safety mitigation on the approach to buffer stops by supervising the train to this speed.

Guidance: It is expected that the approach speed will be consistent with the current rules for the Train Protection and Warning System (TPWS).


Issue/ver: 4.0


NETWORK RAIL of 48

Topics: E1

Where conventional Proceed on Sight Authority (PoSA) functionality exists, ETCS with signals implementation shall provide equivalent functionality.

ESR-372

Status: Normative

Rationale: So that the existing flexibility under conventional signalling is not lost.

Topics: G2, S5-3

Each ETCS application shall minimise the amount of bespoke design for projects and maximise the opportunity for automated design.

ESR-636

Status: Normative

Rationale: To reduce whole life costs.

Topics: None

It shall be possible for trains to approach within 2m of a buffer stop. ESR-646

Status: Normative

Rationale: To maximise the available standage capacity in terminal platforms and sidings.

Guidance: At many locations, the length of terminal platforms and sidings are only just sufficient for operational needs. It is therefore important for trains to be able to get close to the buffer stops when operating under the ETCS to provide adequate capacity for present and future operational needs.

Topics: E1

The ETCS shall provide the functionality and Quality of Service levels necessary to support the safety performance targets for the route.

ESR-383

Status: Normative

Rationale: ETCS Level 2 will provide the functionality to improve safety levels.

Guidance: The safety performance targets for the route will be specified on an application basis.

Topics: None

The ETCS shall provide the functionality and quality of train service levels necessary to support the operational performance targets for the route.

ESR-327

Status: Normative

Rationale: ETCS Level 2 will provide the functionality to improve performance levels.

Guidance: The operational train service performance targets should include reliability, punctuality, journey time and capacity, and these will be specified on an application basis.

Topics: None

Lineside equipment required to provide or support ETCS functionality shall be kept to a minimum.

ESR-558

Status: Normative

Rationale: Part of the business case for the introduction of the ETCS is improved safety and


Issue/ver: 4.0


NETWORK RAIL of 48

reduced maintenance costs as a result of the reduction in lineside equipment when compared to conventional signalling.

Guidance: Some lineside equipment, such as balises, is unavoidable but track access and cost risks can be managed by keeping the numbers as low as possible whilst providing the requisite functionality and system safety levels.

Topics: None

The location of announcements to, and acknowledgements by, the driver shall be determined for each site.

ESR-99

Status: Application-Specific

Rationale: A number of factors need to be taken into account when establishing the location of the announcement, border and acknowledgement.

Guidance: Factors to be considered include: driver workload; advising the driver that they are routed into a depot / non-ETCS facility; enabling the driver to stop and challenge a misrouting; and the requirement for the driver to check that the track is clear and that the points are set into a non-ETCS facility.

Topics: G1-2, G2, H1, H2, N1-1, N2-1, O2-1, O2-2, O3, V1, V2

National Values shall be determined and assigned to GB National Areas (i.e. NID_C) via a formal process.

ESR-573

Status: Normative

Rationale: To meet the safety and performance requirements of the application.

Guidance: The process is currently contained within GE/RT8408 [RD15] but will be replaced by a Rail Industry Standard (RIS) in due course. This requirement remains extant until that RIS is issued.

Topics: KK

The ETCS shall be configured to provide bi-directional capability on all lines. ESR-657

Status: Normative

Rationale: To ensure that the infrastructure gains the maximum benefits from ETCS deployment, that degraded mode working is not worsened, and that historic constraints are avoided.

Guidance: As a minimum, a bidirectional route would exist between locations where trains could enter / leave the normally unidirectional line. Where a business case exists, then extra sections/capacity could be introduced.

Topics: None

2.2 Movement Authority, Modes & Levels

This section contains specific requirements relating to the GB operational basis for mode and level selection.

The ETCS shall be able to send a request to shorten a Movement Authority if it will not lead to an immediate brake application.

ESR-817

Status: Normative

Rationale: To avoid re-planning activities resulting in the application of braking.

Guidance: This functionality is to be used by the signaller for route cancellation in situations other than emergencies.


Issue/ver: 4.0


NETWORK RAIL of 48

Topics: J5

2.2.1 Appropriate Supervision Level

This section contains specific requirements relating to the level of supervision on the train.

The ETCS solution shall be configured, operated and maintained to enable the highest level of supervision practicable for the type of operation being undertaken.

ESR-611

Status: Normative

Rationale: The ETCS is designed to monitor a vehicle's movement and avoid overspeeding and overrunning the Movement Authority. However, some modes of operation do not provide this level of supervision. Therefore, the safety and operational requirements need to be considered.

Guidance: Sometimes it is desirable for movement not to be fully supervised, such as when shunting in a possession, or to keep trains moving in degraded operations. Modes of operation that are not fully supervised should only be applied where essential.

Topics: A2-1, A2-2, B, G1-1, G1-2, G2, G4-1, H1, I

On Sight (OS) shall be available at all ETCS Level 2 locations. ESR-670

Status: Normative

Rationale: 1) To ensure that the protection and supervision provided by OS can be utilised across the ETCS Level 2 application.

2) To meet operational needs and give flexibility.

Topics: A1-1, A1-2, G2, U2

Entry into SR shall only be achieved using the 'Override' function. ESR-381

Status: Normative

Rationale: Following safety analysis and experience on Cambrian, it is considered that the driver should make a conscious act to take sole responsibility for the management of the train movements in Staff Responsible (SR).

Guidance: A consistent rule is required to ensure that authorisation is necessary for any use of Staff Responsible (SR), which includes the driver receiving authority from a responsible person (normally the signaller) and operating the override control to enter SR. The driver instructions also need to cover situations where further operations of the override control may be required to pass stop markers.

Topics: G3-1, U6

2.2.2 Movement Authorities

The correct Movement Authority shall be issued to the correct train. ESR-76

Status: Normative

Rationale: A critical function of the ETCS as train safety depends on it.

Guidance: This will be achieved through a combination of technical and operational rules.

Topics: A1-1, A1-2, A2-1, A2-2, G1-1, G1-2, G2


Issue/ver: 4.0


NETWORK RAIL of 48

Movement Authority (MA) updates shall be issued by the Trackside sufficiently early to ensure that the driver does not have to respond to an indication point for braking unnecessarily.

ESR-78

Status: Normative

Rationale: MA updates should happen as seamlessly as possible and without the driver being aware of the process.

Guidance: MA updates should occur sufficiently early to avoid the driver having to consider the possibility of braking.

Topics: A1-1

The operational and technical requirements for each mode shall be specified. ESR-655

Status: Normative

Rationale: The operational and technical requirements for each mode are not fully specified in the Control, Command and Signalling (CCS) [RD8] and Operation and Traffic Management (OPE) [RD16] TSIs.

Guidance: This will require integration of the ETCS Radio Block Centre (RBC) and interlocking controls.

Topics: U1, U2, U3, U4, U5, U6, U7

2.2.3 Full Supervision Movement Authorities

Full Supervision shall not require the driver to confirm that the route is safe. ESR-374

Status: Normative

Rationale: To clarify the division of responsibilities between the signalling system and the driver for establishing that the route is clear when operating in Full Supervision (FS).

Guidance: The driver should not be expected to check anything that the signalling system can prove to be safe.

Topics: G1-1, U1, JJ6

The ETCS shall send a Full Supervision Movement Authority to a train authorised to move in Staff Responsible as soon as the necessary conditions have been met.

ESR-90

Status: Normative

Rationale: The train should always be operating in the highest level of supervision available.

Guidance: Trains will be in SR due to a system failure, such as a communications fault or indeterminate train position; once this issue is resolved, then ETCS Full Supervision (FS) must be re-established.

Topics: A2-1, A2-2

2.2.4 Start of Mission

The Track Ahead Free (TAF) facility shall be implemented where operationally required. ESR-27

Status: Normative

Rationale: At all times, the ETCS should be under the highest level of supervision available.

Guidance: Track Ahead Free enables the driver to confirm to the RBC that the line ahead is free (as far as a marked location), enabling the train to be granted a Full Supervision (FS) Movement Authority.


Issue/ver: 4.0


NETWORK RAIL of 48

Topics: A2-2, G1-2

The driver shall be able to undertake Start of Mission (SoM) at all locations. ESR-813

Status: Normative

Rationale: To meet operational needs, and for flexibility.

Topics: None

2.2.5 Degraded Starts

A safe starting procedure for the train shall be provided if the ETCS cannot provide a Movement Authority (MA).

ESR-21

Status: Normative

Rationale: Provision of an MA for a Full Supervision (FS) or On Sight (OS) movement is the preferred option for moving a train, but it must be possible to move a train where the preferred options are not available and the system will cater for this.

Guidance: Options may have different combinations of technical and procedural safeguards.

Topics: A4, G3-1, G3-3, G3-4

2.2.6 Routing Information

The ETCS solution shall provide facilities to mitigate misrouting. ESR-625

Status: Normative

Rationale: The provision of supplementary information to the driver via the ETCS will assist them in identifying possible routing errors and offer the opportunity to stop the train before an undesirable situation occurs.

Guidance: Trains are sometimes routed in error onto lines with which they are not compatible. With the ETCS, some existing methods of mitigating these errors will be lost. Where site-specific conditions dictate, then the facilities will be identified and implemented.

Topics: V1, V2

2.2.7 Speed Restrictions

A facility shall be provided for temporarily applying speed limits through the ETCS at any given time.

ESR-162

Status: Normative

Rationale: Issues identified during the course of maintenance or due to climatic conditions that involve decreasing speed limits associated with sections of track and classes of train need to be addressed swiftly.

Guidance: It must be possible to apply and change Temporary Speed Restrictions (TSRs) and Emergency Speed Restrictions (ESRs) at any time during the life of the system.

Topics: F1, F2

The ETCS shall enable Infrastructure Managers to implement alterations to Permanent Speed Restrictions throughout the life of the system.

ESR-481

Status: Normative


Issue/ver: 4.0


NETWORK RAIL of 48

Rationale: Speed restrictions may change as a result of changes to the infrastructure or rolling stock and the ETCS needs to be flexible enough to implement those changes.

Guidance: Speed restrictions may increase due to improved capability of the infrastructure or rolling stock, or may decrease in response to maintenance issues (e.g. track deficiencies).

Topics: Y3

Driveability shall be considered when designing speed profiles. ESR-672

Status: Normative

Rationale: Frequent changes in speed can add to driver workload. Successive reductions in speed are particularly challenging for freight trains due to the delays in the braking system.

Guidance: The design of the speed profile should consider the impact of the changes in speed on driveability or driver workload, e.g. regular changes in speed will cause an increase in the demands on the driver to monitor the system and react to the changes, and these may impact on other tasks the driver has, causing competing demands and an increased likelihood of error.

Topics: A4

There shall be a technical system and processes to manage Temporary Speed Restrictions. ESR-815

Status: Normative

Rationale: To ensure that temporary and emergency speed restrictions are planned, implemented and managed accurately, safely and with due regard to performance.

Topics: F1, F2

2.2.8 Possessions

The levels and modes of ETCS-fitted trains that enter a possession and move within it shall be the same on fitted and unfitted infrastructure.

ESR-157

Status: Normative

Rationale: To maintain consistency and avoid confusion when operating in possessions, drivers should have only one level to select and one process to apply whether operating on conventional, overlay or ETCS-only lineside.

Topics: B

2.2.9 Shunting

The limits of shunting movements into an ETCS-fitted area from an unfitted area shall be marked and supervised.

ESR-53

Status: Normative

Rationale: A train in Shunting (SH) has a supervised speed but is not issued a Movement Authority. An alternative method is therefore required to constrain the area in which movements may be undertaken.

Guidance: For designed shunt routes (such as into sidings or stabling locations, or for reversing a train onto a line returning in the direction from which it has come), the ETCS provides a ‘Danger for Shunting information’ packet that can be


Issue/ver: 4.0


NETWORK RAIL of 48

permanently included in a balise message.

Topics: N1-2

Shunting (SH) shall only be authorised when appropriate interlocking controls and operational restrictions are in place.

ESR-380

Status: Normative

Rationale: Movements in SH are largely unconstrained by the ETCS and require additional protection.

Guidance: This includes both ETCS-controlled areas and areas outside ETCS control. Authorisation may be achieved by technical or procedural means.

Topics: B, G4-1, G4-2, G4-3, U5

2.2.10 Occupied Sections

The ETCS shall permit vehicle movements into occupied sections. ESR-30

Status: Normative

Rationale: This allows for recovery of trains, movements into platforms to join trains as required by the timetable, and moves into stabling sections that can berth multiple vehicles.

Guidance: In principle, moves into occupied sections should be in On Sight (OS) as the highest level of supervision available and should be possible anywhere on the railway (as failed trains could occur anywhere).

Topics: G2, H1, I

The ETCS shall facilitate attaching and detaching as required for operational purposes. ESR-111


Rationale: Vehicles are required to be attached or detached in various operating scenarios, and these moves will be undertaken in the highest level of supervision available, where possible.

Guidance: Movements in Standby (SB) negate the need for data entry.

Topics: I

The ETCS shall not authorise more than one train to move within the same train detection section at the same time unless required under specific arrangements.

ESR-240

Status: Normative

Rationale: To maintain the safest conditions for the operation being undertaken.

Guidance: Two moving trains in the same section should be exceptional. Normal permissive working will involve one moving train entering a section occupied by a stationary train. Permissive freight lines are an example of where it could be permissible for two moving trains to occupy the same section.

Topics: B, G2, H2

Passenger trains entering an occupied section shall have a target stopping location that is stationary.

ESR-378

Status: Normative

Rationale: To avoid collisions due to misjudgements in the handling of the train entering an


Issue/ver: 4.0


NETWORK RAIL of 48

occupied section.

Guidance: Incidents have occurred where drivers have failed to realise until too late that a moving train has stopped - unlike road vehicles, trains do not have brake lights.

Topics: H1, I, U2

The ETCS shall permit more than one train to depart in opposite directions from a single section simultaneously.

ESR-571

Status: Normative

Rationale: This permits trains that have been detached in platforms to depart in opposite directions to meet timetable needs. It also provides flexibility where a recovered train that was unable to continue because of a failure in the unit at one end could, once pulled or pushed out, continue under its own power to the depot facility if driven from the unit at the other end.

Topics: I

2.2.11 Level Crossings

The ETCS solution shall provide effective integration with level crossing controls. ESR-606


Rationale: There will be locations on the GB Railway where conventional signalling interfaces with level crossings must be supplemented or replaced with ETCS functionality.

Topics: JJ1, JJ2, JJ5, JJ6

When in On Sight (OS), the driver shall only be responsible for checking that the route is clear of obstructions and checking the status of locally-monitored level crossings.

ESR-659

Status: Normative

Rationale: The driver shall only be responsible for checking that the route is clear of obstructions and checking the status of locally-monitored level crossings with respect to the OS Movement Authority.

Topics: A1-2, G2, U2, JJ5, JJ8

2.3 Degraded and Emergency

This section contains requirements specific to degraded and emergency working.

The ETCS shall support the driver in stopping the train in the correct location for an emergency evacuation of a train within a tunnel.

ESR-153


Rationale: To be able to respond to emergency situations within a tunnel.

Guidance: Whilst the functionality has to be provided, this requirement can only be met in full where tunnels have been configured to support evacuation.

Topics: J2

The ETCS shall support the safe movement of trains in abnormal, degraded and emergency operations.

ESR-245

Status: Normative


Issue/ver: 4.0


NETWORK RAIL of 48

Rationale: The risk of human error in abnormal, degraded and emergency conditions must be reduced by the ETCS.

Guidance: Human involvement in safety operation systems increases risk, which the ETCS should be used to mitigate so far as is reasonably practicable. Examples of mitigation methods are implementing speed supervision if this is still functional or demanding brake intervention where Movement Authorities are exceeded.

Topics: G2, G3-1, G3-4, G5, U2, U6

The ETCS shall be able to support abnormal, degraded and emergency operations on approach to, across and beyond the RBC-RBC handover border.

ESR-303

Status: Normative

Rationale: To maintain the operation of trains when operating in degraded situations.

Topics: R1

The driver and signaller shall be provided with information that supports the accurate and unambiguous identification of the train and of the location at which the train is stopped.

ESR-368

Status: Normative

Rationale: This requirement supports the safety-critical conversation between the driver and the signaller. If a Movement Authority cannot be issued because of degraded conditions, and the line ahead is clear, the signaller needs to be able to provide an authorisation to move under written instructions.

Guidance: In situations where routes cannot be proved, the expectation is that trains will normally be stopped at an EOA. Where the ETCS stop markers or location markers are provided lineside to mark EOAs, these are required to have unique identity plates to support identification of the train position. Drivers of trains stopped at unmarked EOAs may have access to geographic position information, kilometre posts or mileposts, etc. Signallers should have access to the same information in a manner that supports the accurate and unambiguous determination of the train's position.

Topics: A4, E2, JJ3

2.4 Signs and Indicators

This section contains requirements specific to signs and indicators.

Where a train dispatch risk assessment identifies the need for platform dispatch staff, tools shall be provided to advise staff that the train dispatch process may commence.

ESR-547

Status: Normative

Rationale: Under conventional signalling, if there is no line of sight between the train dispatcher and the signal aspect, OFF indicators are provided. Under ETCS signalling, there will be no signal aspect to inform train dispatchers that the train has a Movement Authority.

Guidance: The provision of Train Ready To Start (TRTS), Close Doors (CD) and Right Away (RA) facilities is unchanged by the use of ETCS. The choice of the method of train dispatch is the responsibility of the Railway Undertaking and Station Infrastructure Manager. The risk assessment will be conducted in accordance with RIS-3703-TOM Issue 2 [RD16].

Topics: D1


Issue/ver: 4.0


NETWORK RAIL of 48

Where a train dispatch risk assessment identifies the need for platform staff to inform the driver that safety checks are complete, tools operated by platform staff shall be provided.

ESR-548

Status: Normative

Rationale: Under conventional signalling, if there is no line of sight between the train dispatcher and the train driver, Right Away indicators are provided and, in many cases, these are interlocked with the signal aspect.

Guidance: The RA indicators indicate that the dispatch process is complete and the train may proceed. The risk assessment will be conducted in accordance with RIS-3703-TOM Issue 2 [RD16].

Topics: D3

Lineside signage shall be provided or retained where essential. ESR-4

Status: Normative

Rationale: There may be occasions when lineside signage is required to support operations.

Topics: F2, AA1, AA2, AA3, AA4, AA5

2.5 Other Systems

2.5.1 Class B Systems

This section contains requirements specific to Class B systems.

Non-ETCS train protection systems shall not impact on the train or driver when they are operating under ETCS supervision.

ESR-280

Status: Normative

Rationale: Non-ETCS train protection systems should only be active when driving in Level NTC.

Guidance: The ETCS does not supervise the train in Level NTC (the Onboard simply stands ready to transition to a level under which it will supervise the train when commanded by the Trackside). In Level NTC SH, the Class B system may be suppressed.

Topics: B, N1-1, N2-1, N2-2, T2

The system shall support Level NTC, NID_NTC=21, displayed as 'TPWS' on the ETCS Driver Machine interface (DMI), where required for competence and training purposes.

ESR-562


Rationale: The extra Level NTC allows the driver to select whether transitions to ETCS levels will take place on entering overlay areas.

Guidance: See NSR-57 and NSR-101.

Topics: T1

ETCS modes and levels shall be compatible with other active on-board train protection systems.

ESR-563


Rationale: The ETCS can operate in Level NTC with other Class B systems undertaking train protection functionality. It is also possible for the ETCS to be made unavailable when another Automatic Train Protection (ATP) system is active.


Issue/ver: 4.0


NETWORK RAIL of 48

Guidance: This requirement has been created with Great Western ATP in mind but may be relevant to other Class B systems. When ATP is selected, any on-board Automatic Warning System (AWS)/TPWS must also be enabled.

Topics: T2

2.5.2 Traction Switching

This section contains requirements specific to traction switching.

The ETCS shall be capable of supporting traction changeover while the train is at a stand or moving at the required speed.

ESR-140


Rationale: There are locations where it is necessary to switch over at a stand because it is not feasible to do this on the move.

Guidance: The ETCS does not control the traction changeover but has the ability to export commands to the on-board traction system based on trackside commands.

Traction changeover covers all possible power sources.

Topics: M1

The ETCS shall permit automated electrical control on trains with one or more electrical traction supply system(s).

ESR-614


Rationale: The ETCS must be integrated with the traction supply system on the train to raise and lower pantographs, open and close circuit breakers, and switch to and from shoe collection as required on the route.

Topics: None

The implementation of the ETCS shall continue to support the automatic opening and closing of vehicle supply in-feed circuit breakers as a train passes through a neutral section, regardless of the ETCS operating level or mode.

ESR-143


Rationale: To maintain the current level of automation through neutral sections available on the GB railway.

Guidance: The ETCS 'powerless section with main power switch to be opened' track condition functionality is only available in modes: Full Supervision (FS); Limited Supervision (LS); On Sight (OS); (Non Leading (NL); Post Trip (PT) and Trip (TR). In other operating modes, the automatic control of vehicle supply in-feed circuit breakers must still be supported.

Topics: M1

The ETCS shall be designed so that the symbols for raising / lowering pantographs can be displayed at the correct trackside location.

ESR-669

Status: Normative

Rationale: A stalled vehicle in a dead section with its pantographs lowered could cause long delays to service. The display of traction information at the correct geographical location is essential to avoid damage to train or infrastructure.

Topics: None


Issue/ver: 4.0


NETWORK RAIL of 48

2.5.3 Onboard

This section contains requirements specific to Onboard capability.

The ETCS shall release radio channels promptly when they are no longer required. ESR-18

Status: Normative

Rationale: The Global System for Mobile Communications – Railway (GSM-R) has a limited number of channels available. The concern is that trains coming out of service that keep channels open may prevent trains entering service from setting up a session with the Radio Block Centre (RBC).

Topics: C, I, O2-1, O2-2

Where ETCS controls other on-board systems, the timing of controlled events shall be optimised by design.

ESR-318

Status: Normative

Rationale: Timing of events could affect performance.

Guidance: As an example, timely management of traction controls results in the best performance.

Topics: None

2.5.4 Data

This section contains requirements specific to data.

The values of configurable data shall be determined to provide optimum service performance whilst providing mitigation of hazards as far as is reasonably practicable.

ESR-6

Status: Normative

Rationale: Subject to safety and capacity constraints, parameters must be configured for maximum system performance.

Guidance: These optimum values could be determined through experience, or possibly through bench-marking against other railways. Analysis is required to ensure that required capacity and system capability are optimised whilst hazards are mitigated as far as is reasonably practicable.

Topics: None

Information and interface requirements shall be defined to clarify the data that the ETCS must exchange with external systems.

ESR-198

Status: Normative

Rationale: To exchange data for planning and passenger information, etc.

Guidance: Train performance information is extremely useful for businesses and passengers (particularly in times of perturbations and degraded working). This information should be made available in accordance with a defined set of requirements.

Topics: JJ1, JJ2, JJ3, JJ4

Suitably rigorous validation methods shall be applied to data upon which the safe operation of the ETCS is dependent.

ESR-274

Status: Normative


Issue/ver: 4.0


NETWORK RAIL of 48

Rationale: The data required by the ETCS sub-systems is, at a minimum, safety-related and frequently safety-critical.

Guidance: Methods of validation (static and dynamic) are to be determined as part of detailed operational safety and human factors analysis. Data within the scope of this principle includes:

(a) Train data (for Onboard data entry and system configuration);

(b) Infrastructure data (Temporary Speed Restriction (TSR) & Emergency Speed Restriction (ESR) data, RBC configuration data, and balise telegrams);

(c) Security data (Cryptographic keys); and

(d) Onboard and Trackside event recorder information.

Topics: F1, F2, Y1, Y2, Y3, Z1-1, Z1-2

The system shall minimise the risk of incorrect train data entry. ESR-561

Status: Normative

Rationale: The data affects the brake model and hence the safety of the ETCS supervision system. Errors in preparation or entry of data can lead to safety hazards.

Topics: Z1-1, Z1-2

2.6 Safety

This section contains requirements specific to safety.

Existing safety measures shall be retained if any risks mitigated by them are not adequately mitigated by the ETCS.

ESR-275

Status: Normative

Rationale: The ETCS should not degrade safety over that provided by other systems.

Topics: None

Measures shall be taken to mitigate the risk of trains failing to stop when or where required to do so.

ESR-286

Status: Normative

Rationale: To prevent, or mitigate the risk of, a train collision or derailment.

Guidance: This will be achieved through layout design, odometry correction when needed, and operational rules.

Topics: U5, U6

2.7 Security

This section contains requirements specific to security.

The ETCS solution shall be sufficiently robust to withstand intentional or unintentional threats that may result in damage or corruption.

ESR-629

Status: Normative

Rationale: Physical and cybersecurity measures are required to ensure that intentional damage or corruption can be avoided. Additionally, the design needs to be such that unintended damage or corruption can be avoided by mitigating human errors and considering risks to installations.


Issue/ver: 4.0


NETWORK RAIL of 48

Guidance: Damage includes physical damage to system components and interfaces, and corruption includes any software-based threats, such as incorrect data or network flooding with messages.

The NR Security Assurance Framework [RD18] uses a standardised risk management methodology to assess GB operational rail system risk through a rail safety and systems engineering approach.

Topics: II

The risk of malicious or accidental intervention leading to an unsafe state shall be reduced to an acceptable level.

ESR-236

Status: Normative

Rationale: The ETCS is a safety-related system with safety-critical elements and its performance levels, with respect to safety and service delivery, must be maintained throughout its life.

Guidance: System security applies to system data and operational information, as well as equipment, and includes the definition and implementation of a national key management strategy. Targets should be developed as part of any threat analysis undertaken to derive detailed security requirements. Details of security requirements will need to be captured in a security policy.

The NR Security Assurance Framework [RD18] uses a standardised risk management methodology to assess GB operational rail system risk through a rail safety and systems engineering approach.

Topics: None

Physical system interfaces shall be protected to avoid unauthorised access to equipment functionality and stored data.

ESR-293

Status: Normative

Rationale: For system safety and to protect system availability.

Guidance: Access to systems must be controlled to avoid unauthorised access (either unintentional or deliberate).

Topics: R1, II

The ETCS maintenance system shall be secured with sufficient physical, procedural and technical controls to minimise security risks.

ESR-389

Status: Normative

Rationale: As the ETCS is software-based and uses open systems interconnection protocols it could be a target for attack.

Guidance: The NR Security Assurance Framework [RD18] uses a standardised risk management methodology to assess GB operational rail system risk through a rail safety and systems engineering approach.

Topics: None

The ETCS shall be designed, built and implemented using Secure Software Development Lifecycle (SSDL) methodologies to mitigate security risks appropriately.

ESR-388

Status: Normative

Rationale: As the ETCS is software-based and uses open systems interconnection protocols, it could be a target for attacks.


Issue/ver: 4.0


NETWORK RAIL of 48

Guidance: SSDL processes include Microsoft SDL, Atsec and SafeCODE.

Topics: None

End-to-end ETCS security testing shall be conducted by an independent assessor that is a National Cyber Security Centre (NCSC) approved or certified service provider.

ESR-387

Status: Normative

Rationale: Using an independent assessor should provide a realistic view of the security resilience of the ETCS.

Guidance: For increased assurance, more than one assessment could be undertaken from different, independent NCSC-approved or certified service providers but there will be an associated cost implication with that.

Topics: None

Protection shall be afforded against vandalism and accidental damage. ESR-291

Status: Normative

Rationale: Physical security is required to prevent damage.

Guidance: The railway is frequently targeted by vandals and thieves.

Consideration should also be given to the following: protection against accidental spillage of fluids (e.g. coffee and tea), or the design of buttons and other operating devices to avoid them being wedged in position by using paper or some other material.

Topics: II

2.8 People Issues

2.8.1 Workload/People/Training

This section contains requirements specific to people.

Processes shall be in place to assess staff competence and maintain it at the level required for staff to carry out their roles and responsibilities in operating and maintaining the ETCS.

ESR-301

Status: Normative

Rationale: A process of continuous monitoring of staff competence is necessary to enable the system to be operated and maintained safely.

Guidance: The correct level of staff competency will keep the system in its design performance levels throughout its service life.

Topics: None

Processes shall be in place to assess staff workload and maintain it at the level required for staff to carry out their roles and responsibilities in operating and maintaining the ETCS.

ESR-968

Status: Normative

Rationale: A process of continuous monitoring of staff workload is necessary to enable the system to be operated and maintained safely.

Guidance: The correct level of staff workload will keep the system in its design performance levels throughout its service life.

Topics: None


Issue/ver: 4.0


NETWORK RAIL of 48

The ETCS shall neither lead nor predispose the operational user to make an error. ESR-220

Status: Normative

Rationale: The first recourse to mitigate potential for human error is in the design. This requirement generalises mitigation of the referenced hazards into a design principle.

Guidance: The complete operation of the ETCS will need to be considered from sourcing information, through data entry to operator actions.

This requirement will be updated with a cross-reference to the relevant entry in the national ETCS hazard log in a future version of this document.

Topics: None

Necessary and sufficient training support facilities shall be provided to carry out staff training. ESR-179

Status: Normative

Rationale: Evidence of successful training will be required before staff can work on the equipment.

Guidance: Successful training will require course modules to be developed and accompanied by notes that can be used as a reference in future by delegates.

Topics: None

2.8.2 Driver Interface

This section contains requirements specific to the driver's interface.

The information displayed to the driver shall support safe and efficient driving. ESR-14

Status: Normative

Rationale: It must be possible for the driver to maintain consistent control over the train movement without unwanted brake intervention as a result of the data provided to the train.

Guidance: This includes speed and gradient profile data transmitted to the train, the Onboard characteristics, and the brake model.

Topics: A1-1, A1-2, V1, V2, Y1

The ETCS shall limit the demands on the attention of the driver during critical driving phases where the driver is required to be particularly alert to events outside the cab.

ESR-228

Status: Normative

Rationale: Derived requirement from Cambrian hazard cause analysis (HL-3915, HL-3928 and HL-3930) concerned with driver error relating to level crossings. This requirement generalises this into a design principle.

Guidance: This requirement will be updated with a cross-reference to the relevant entry in the national ETCS hazard log in a future version of this document. This requirement captures the principle of avoiding competing visual tasks at critical phases of the driving task as a requirement.

Topics: H1, H2, I, O2-1, O2-2, V1, V2

The train shall display on the Driver Machine interface (DMI) the units of speed appropriate to the location and train operation.

ESR-107


Issue/ver: 4.0


NETWORK RAIL of 48

Status: Normative

Rationale: GB mainline speed restrictions in existing conventionally-signalled areas are in miles per hour. The ETCS operates on kilometres per hour and the GB mainline is gradually converting to km/h for locational information trackside, and in design, maintenance and installation documentation.

Guidance: ERA_ERTMS_015560 – ERTMS/ETCS Driver Machine Interface [RD20] section 8.2.1.1.4 states that: '[t]he speed dial shall be circular and shall indicate speeds from 0 km/h to the maximum value of the pre-configured Onboard range.' The requirements for the switching between speed units and the form of the mph speed display are defined in GE/RT8402 [RD21].

Topics: F2, Z2

The crossing of National Area borders shall be operationally transparent to the driver. ESR-650

Status: Normative

Rationale: To enable smooth transition from one National Area to another.

Topics: None

2.9 Whole Life Management

2.9.1 Life Cycle Management

This section contains requirements specific to life cycle management.

The ETCS shall be able to update its Baseline 3 software in line with Baseline 3 Releases in a reasonable timescale following the instruction for their implementation.

ESR-165

Status: Normative

Rationale: The ETCS is a software-based system defined by a core European specification; the GB Programme is deploying the baseline of this specification known as Baseline 3 Release 2. During the life of the system, system updates or further Baseline 3 Releases will be required to fix errors, implement compatible functionality, and act upon feedback from that and other projects. This means that the system version deployed on an installation will need to change during the lifetime of the system to allow incorporation of the updates, and should be formalised contractually between owner / operator and supplier.

Guidance: A 'reasonable timescale' will be agreed between operator and supplier after assessment of the content of the release and consideration of its impact on individual fleet operation. Compliance with this requirement would be judged on when first authorisation took place, when maintenance releases were issued, whether they had been deployed and, if not, checking that plans were in place to deploy, accompanied by the appropriate contracts and processes.

ETCS components shall enable software revisions to be loaded with the minimum of disruption to the operation of the railway.

ESR-166

Status: Normative

Rationale: Upgrade of software must be possible without having to make parts of the system unavailable.

Guidance: It should be possible to load software during traffic hours for it to become active as part of a commissioning process (that may be undertaken outside of traffic hours) without having any impact on the operational system.

Topics: None


Issue/ver: 4.0


NETWORK RAIL of 48

It shall be possible for software-based systems to be reverted to previous configuration states.

ESR-167

Status: Normative

Rationale: To support testing and commissioning activities of software upgrades or maintenance patches.

Guidance: If any problems are encountered during the process of testing and commissioning, it must be possible to have a working railway the following traffic day ('over and back' testing and commissioning).

Topics: None

Installation and decommissioning documentation for the ETCS components shall be provided and maintained under configuration control for the whole life of the system.

ESR-386

Status: Normative

Rationale: It may be necessary to install or decommission components at any time during the life of the ETCS.

Topics: None

The ETCS solution shall consider the whole life needs of the railway, including future needs for replacement and upgrade of assets.

ESR-626

Status: Normative

Rationale: Upgrades already under consideration are: ETCS Level 3 and Automatic Train Operation. The solution should not place unnecessary constraints on the ability to accommodate future needs.

Guidance: The European Union Agency for Railways (‘The Agency’) is coordinating efforts to understand the specific requirements to enable upgrades to ETCS Level 3 and Automatic Train Operation. Each element of the life cycle should be considered in the context of the total life cycle.

Topics: None

Existing constraints in the conventionally-signalled railway shall only be retained for the ETCS solution where it has been demonstrated that there is a safety, functional and commercial imperative for doing so.

ESR-628

Status: Normative

Rationale: Existing methods and technology have often been developed to mitigate the limitations of older systems. Retaining old methods, and the technology that underpins them, can result in reduced benefit to the GB Railway.

Topics: None

Each ETCS application shall minimise on-site verification and testing by the use of off-site facilities.

ESR-634

Status: Normative

Rationale: To reduce the level of performance risk through the introduction of new technology.

Guidance: It is the intention that as much system validation as possible be undertaken in a factory and laboratory environment, and as early as possible in the programme, to minimise the impact on the operational railway.


Issue/ver: 4.0


NETWORK RAIL of 48

Topics: None

The ETCS shall be designed to ensure that corrective maintenance of components can be undertaken with minimum disruption to the operation of the railway.

ESR-188

Status: Normative

Rationale: It should be possible to respond to faults and rectify failures without any major impact on the service.

Guidance: Wherever possible, maintainers should be able to replace faulty components without system functionality being lost, so that the faulty equipment can be analysed off-line and the cause of the failure determined.

Topics: None

Infrastructure Managers and Railway Undertakings shall together review and identify any changes required to procedures and documentation when ETCS equipment is introduced.

ESR-330

Status: Normative

Rationale: The cooperative review will result in optimisation of ETCS operations.

Guidance: The ETCS application may introduce functionality uniquely to a specific route or section of route, and the processes and procedures must therefore be reviewed accordingly. This covers initial introduction and subsequent updates.

Topics: None

Efficient systems and processes with a suitable level of rigour shall be established by the IM and RU for the management of the ETCS solution in normal, abnormal, emergency and degraded modes of operation.

ESR-180

Status: Normative

Rationale: The ETCS is a safety-related system with safety-critical elements and its performance levels, with respect to safety and service delivery, must be maintained throughout its life.

Guidance: Systems within the scope of ETCS implementation deliverables may include: fault diagnosis; recovery and assistance; Configuration Management; Design Management; and System Safety Management. Other systems outside the scope of the ETCS, but needing to include ETCS functionality, may include: fault allocation; Data Recording, Analysis and Corrective Action System (DRACAS).

Topics: None

The ETCS Programme team, IMs and RUs shall establish efficient systems and processes, with a suitable level of rigour, for the collation and management of all data required by and from the ETCS sub-systems.

ESR-182

Status: Normative

Rationale: The data required by the ETCS sub-systems is at least safety-related and frequently safety-critical. It is therefore important that it is complete and correct.

Guidance: Determination of the 'suitable level of rigour' and what constitutes 'efficient' is part of delivering this requirement.

Topics: II


Issue/ver: 4.0


NETWORK RAIL of 48

2.9.2 Reliability, Availability, Maintainability (RAM)

This section contains requirements specific to Reliability, Availability and Maintainability.

The ETCS solution shall meet the Reliability, Availability and Maintainability (RAM) targets specified in the ERTMS Reliability Specification NR/AM/SA/SPE/00147 version A07 [RD19].

ESR-218

Status: Normative

Rationale: Both safety and service performance are dependent upon equipment operating within its design parameters.

Guidance: The RAM requirements will be achieved under the general railway environmental conditions as stated in EN50125 [RD23]. The RAM requirements will be achieved for all local operating conditions, e.g. traffic levels, and train loadings and speed, throughout the operational life of the system.

Topics: None

ETCS implementation shall not adversely affect the Reliability, Availability and Maintainability (RAM) performance of existing systems.

ESR-332

Status: Normative

Rationale: Both safety and service performance are dependent upon equipment operating within its design parameters.

Guidance: Equipment failures, maintenance activities and power supply failures in the ETCS should not affect existing systems. The two systems must not share equipment such that work on the one affects the other. This also means that the functioning of the ETCS in all operating conditions must have no effects whatsoever on the RAM performance of the existing systems.

Topics: None

2.9.3 Maintenance

This section contains requirements specific to maintenance.

The ETCS solution shall minimise the need for personnel to access the lineside environment. ESR-635


Rationale: To reduce the likelihood of exposure to lineside hazards.

Topics: None

The IM and RU shall agree any additional depot facilities and procedures required to check that the trainborne ETCS is fit to enter service.

ESR-556


Rationale: The ETCS supplier and rolling stock maintainer need an early understanding of the constraints introduced by their respective designs and facilities on checking that trains are fit to enter service.

Guidance: As depots would normally have a number of trains to bring into service each morning (some from remote locations such as sidings), these checks need to be as quick and simple as possible. The ETCS Implementation Team need to provide coordination between the supplier and the maintainer to ensure that optimum use is made of any automated self-test functionality, and that any ETCS-specific external test facilities required by the depot are identified and procured / installed prior to the introduction of ETCS-fitted rolling stock into


Issue/ver: 4.0


NETWORK RAIL of 48

service.

Topics: P2, HH

ETCS equipment maintenance shall be optimised to provide a cost-effective and efficient regime that meets the operational capability requirements for the route.

ESR-184

Status: Normative

Rationale: It is necessary to balance the capital cost of the system against the whole life cost implications to maintain it.

Guidance: Effective Reliability, Availability and Maintainability (RAM) analysis will identify the optimum balance between high reliability equipment, provision of redundant pairs to improve on availability, and the level of planned maintenance required to keep the system at its peak. The location of the maintenance teams and their method of travelling to site are considerations with regard to reactive maintenance.

Topics: None

Suitable facilities for the maintenance of the ETCS equipment shall be provided. ESR-185

Status: Normative

Rationale: The facilities required to maintain ETCS equipment are likely to differ from the existing facilities that are required to maintain conventional signalling.

Guidance: The maintenance facilities that will be required will be dependent upon the types of components in the system and could include anything from lifting equipment to Electrostatic Discharge (ESD) workbenches.

Topics: None

Ease of maintenance of ETCS components shall be a consideration of the design. ESR-324

Status: Normative

Rationale: Ease of maintenance and installation contributes to whole life cost reduction.

Guidance: The design should enable ease of installation and facilitate maintenance activities for rapid fault resolution. This reinforces the 2015 CDM Regulations [RD24] as these do not apply to the whole of the railway system.

Topics: None

Trains used to perform infrastructure monitoring and measurement shall be able to monitor ETCS lineside equipment.

ESR-814

Status: Normative

Rationale: To ensure that a measurement train is equipped and able to monitor and measure the ETCS and related lineside equipment.

Topics: None

2.9.4 Diagnostics

This section contains requirements specific to diagnostic facilities.

The ETCS shall provide fault indications in a manner that allows for prompt remedial action to be undertaken in order to restore safe and efficient operation.

ESR-191

Status: Normative


Issue/ver: 4.0


NETWORK RAIL of 48

Rationale: It is necessary to maintain the functioning of the system in order to maintain the performance of the service.

Guidance: Fault indications should be: specific, to make it possible to identify the cause quickly; appropriately prioritised, based on the nature and potential impact of the fault; worded succinctly, whilst clearly indicating the nature and location of the fault; directed at the most suitable person to address the fault; and delivered promptly.

Topics: II

Alerts shall be provided for non-critical ETCS faults. ESR-192

Status: Normative

Rationale: The need to attend to such faults may not be urgent, but they still need to be notified to the maintainer to permit them to plan for their rectification before any issue escalates.

Guidance: Non-critical faults are those with the potential to have minor impact on performance or safety, or which would result in significant impact in combination with another fault. If there are redundant elements of the system, consideration needs to be given to how these will be tested to ensure that latent faults do not go unnoticed.

Topics: II

The ETCS shall record system event data suitable for use in monitoring system performance and investigating incidents effectively.

ESR-229

Status: Normative

Rationale: Speedy investigation and resolution of incidents is critical to keep the service running.

Guidance: It must be possible to understand how the whole system has behaved (including those who operate it) in order to determine what the underlying cause/s of the incident or performance failure is/are. Therefore, data must be collected and synchronised from the Onboard, the Trackside and the GSM-R sub-systems. Information relating to the human element would be managed through review of written records and interviews, as well as actions at the human machine interfaces recorded by sub-systems.

Topics: None

As far as is reasonably practicable, the ETCS shall display sufficient information to the user to enable them to detect a failure of the system and carry out the appropriate action.

ESR-253

Status: Normative

Rationale: To allow the operator to detect and respond to failures that may not be detected internally by the system.

Guidance: An example of this is in conventional control systems, where track circuit failures are often identifiable by sections of track appearing occupied in sections where no train is identified.

Topics: None

During start-up, the ETCS shall run all available self-tests, reporting failures to the relevant user.

ESR-555

Status: Normative


Issue/ver: 4.0


NETWORK RAIL of 48

Rationale: Self-testing at start-up provides an early indication of ETCS availability.

Guidance: Self-testing should include any interfaces and sub-system components, the failure of which could have a detrimental impact on safety and performance. This requirement applies equally to trainborne and trackside ETCS equipment.

Topics: K1, K2, HH

2.10 Implementation Requirements

2.10.1 Transitions

The ETCS design shall provide effective integration with neighbouring signalling and train protection systems.

ESR-36

Status: Normative

Rationale: To facilitate a smooth transition between Level 2 and Level NTC (and vice versa) as trains cross the boundary between the areas.

Guidance: Trains operating on Class B-fitted routes will need to be equipped with Class B train protection systems in addition to the ETCS. When the ETCS is active, the Class B system must be suppressed, and when not operating in ETCS Levels 0-3, the Class B system must be available. NB The GB proposal for ETCS operation is to use Level 2 for normal operation and Level 0 in possessions.

The TSI [RD8] defines a method of integrating a Class B system into the ETCS using a Specific Transmission Module (STM); however, management of the Class B system can be achieved by other means. The ETCS will manage the suppression, or otherwise, of the Class B system as the train undertakes transitions to and from Level NTC.

Topics: N1, N2, N3, O1, O2-1, O2-2, O3

The speed of trains approaching a running transition into or out of an ETCS cab-signalled area shall be managed so that they do not exceed the maximum permissible speed beyond the transition border given the prevailing track and train constraints.

ESR-40

Status: Normative

Rationale: To minimise the risk of overspeed or unexpected brake interventions after the transition.

Guidance: Account should be taken of the driving policies for lineside signalling areas, the aspect displayed at the lineside, potential speeds, and the Onboard-calculated brake curve of the trains authorised to use the route. Careful design is required to ensure that these factors do not create a conflict that leads to unexpected brake interventions; this can be a particular issue for freight trains.

Topics: N2-1, N2-2, O2-1, O2-2

All fitted trains intending to enter a Level 2 ETCS cab-signalled only area via a running transition shall possess a valid Movement Authority for the Level 2 area before reaching the entrance to the area.

ESR-61

Status: Normative

Rationale: The transition between signalling systems should not impact on the ability to run the train at its full line speed. The train therefore needs to be prepared to transition before entering the Level 2 ETCS cab-signalled only area.

Topics: N2-1


Issue/ver: 4.0


NETWORK RAIL of 48

The process for transitioning between levels shall be integrated with other priority driving tasks.

ESR-64

Status: Normative

Rationale: To avoid driver distractions, which could lead to errors.

Guidance: For example, there is a risk that the driver's attention may be divided between observation of lineside signals and response to the Level Transition Announcement on the Driver Machine Interface (DMI) if the timing is not properly considered.

Topics: N2-1, N2-2, O2-1, O2-2

The driver shall be able to select manually all ETCS operating levels that may be required during a journey.

ESR-359

Status: Normative

Rationale: To allow for manually-initiated level transitions that may be required for normal or degraded operations.

Guidance: Manual selection of operating level may be required in certain degraded situations on overlay implementations or in situations where running transition arrangements are not provided.

Topics: G3-4, N3, O1

Users shall be provided with information that enables them to understand the ETCS levels in which trains will be operating during complete journeys.

ESR-360

Status: Normative

Rationale: To enable users to confirm that the train is starting in the correct level at SoM, and that the level being offered on the Driver Machine interface (DMI) at a transition matches the level in which they are expected to operate. It also enables drivers to undertake manual selection of operating level when required.

Guidance: Manual selection of operating level may be required during degraded operations, or at sites where the trackside has not been configured to initiate the transition.

Topics: N3, O1

The capability shall be provided for Level 1 to be used as an intermediate step in the process of transitioning to Level 2.

ESR-658


Rationale: To facilitate trains entering ETCS operation at locations where infrastructure constraints mean that the actions necessary for a running transition into Level 2 may not be completed reliably without impacting on performance.

Guidance: This use of Level 1 as an intermediate stage is referred to as 'L1 launch'. Examples of where 'L1 Launch' might be utilised include at the exits from depots or sidings onto a Level 2 fitted line (Level 2 only or overlay) where there is insufficient distance on the approach to the signal authorising entry to the Level 2 fitted line for a train reliably to establish a communications session with the RBC.

Topics: N1-1


Issue/ver: 4.0


NETWORK RAIL of 48

At outlets onto the ETCS-fitted mainline at which Level 1 launch is provided, and where Shunt (when supervised by lineside signals) onto the main line is available, movements into or through the ETCS area shall be made in Level NTC SH.

ESR-50


Rationale: If shunt routes are available at the same outlet as routes that join the mainline, then Shunt moves need to be in Level NTC SH so that the train does not automatically transition to a higher ETCS level and mode.

Guidance: The ETCS area is that area where non-shunting movements are carried out in ETCS Levels 1 or 2.

Topics: N1-2

Where a Level 1 launch capability is provided, trains shall only transition to Level 1 at the entrance to an overlay area if they commence the movement in Level NTC National System (SN) with NID_NTC not equal to 21.

ESR-46


Rationale: To ensure that train data and an authorised driver are present on the train before it enters ETCS supervision.

Guidance: Where the driver selects NID_NTC = 21, the transition should not occur. If the train is in Shunting (SH), there is no train data, so the system does not allow transitions to be actioned immediately. The use of Level 1 launch allows the train to enter the ETCS area with a Movement Authority prior to a connection being established with the RBC.

Topics: N1-1, N1-2, T1

The ETCS shall facilitate recovery from a failed level transition. ESR-62

Status: Normative

Rationale: This is a degraded mode that needs to be addressed in the design (preferably with a technical solution, but a fallback operational solution is also required).

Topics: N1-1, N2-1, N2-2, O2-1, O2-2

The likelihood of the transition between fitted and unfitted lines leading to an unsafe condition shall be reduced to an acceptable level.

ESR-277

Status: Normative

Rationale: Clear and consistent procedures are required to reduce the risk of unsafe conditions that could arise during transitions.

Guidance: The potential for confusion will be minimised if both fitted and non-fitted operation is undertaken in a consistent manner.

Topics: O1, O2-1, O2-2, O3

Trains that are unable to make the Level 2 transition on arrival at the entrance to a Level 2 ETCS cab-signalled only area shall be presented with a stop aspect.

ESR-55

Status: Normative

Rationale: To prevent a proceed aspect from being displayed at the entrance to an ETCS-fitted area from an unfitted area if the train cannot be controlled by the ETCS.

Guidance: Trains unable to make the transition include unfitted trains and fitted trains which cannot establish communications with the RBC.


Issue/ver: 4.0


NETWORK RAIL of 48

Topics: N2-1

Trains that are unable to make a Level 2 transition shall not be affected by the Level 2 transition procedure at the entrance to an overlay area.

ESR-66

Status: Normative

Rationale: In overlay, trains can still operate in the ETCS area; therefore, the only reason to bring them to a halt should be because it is not safe to permit them to proceed and not because the design of the ETCS prevents it.

Guidance: Trains unable to make the transition include unfitted trains, trains driven by a driver who is not authorised to drive under ETCS Level 2 supervision, and fitted trains which cannot establish communications with the RBC.

Topics: N2-2

The ETCS shall inhibit transition to Level 1 or Level 2 at the entrance to an overlay area if the driver has selected Level NTC (NID_NTC=21).

ESR-101

Status: Normative

Rationale: To manage phased authorisation of drivers to drive under ETCS supervision.

Guidance: This assumes that the driver has been given sufficient training to permit them to drive in Level NTC on a railway on which both the ETCS signalling system and the system over which it is overlaid are commissioned and operational.

Driver training requires several days per driver and, once trained, drivers need to gain experience for the training to become assimilated. As a result, it is likely that there will be a period of time when some drivers are authorised and others are not.

Topics: N1-1, N2-2, T1

Unfitted railway vehicle access to ETCS-signalled infrastructure shall be controlled so as to minimise the risk of entry, unless authorised by the signaller.

ESR-287

Status: Normative

Rationale: The ETCS will not be aware of the presence of ETCS-unfitted vehicles.

Guidance: Railway vehicles include engineering plant as well as passenger and freight trains. Methods of preventing access may be procedural as well as technical. It is possible for vehicles to join and leave the railway at Road Rail Access Points (RRAPs).

Topics: None

The ETCS shall be capable of managing running transitions at speeds up to the maximum permissible speed for the track in the vicinity of the transition border.

ESR-643

Status: Normative

Rationale: To minimise the impact of the transition on capacity, journey time and user experience.

Guidance: It should not be necessary for trains routinely to travel at speeds below the maximum permissible speed in order to achieve a successful transition.

Topics: N2-1, N2-2, O2-1, O2-2


Issue/ver: 4.0


NETWORK RAIL of 48

2.10.2 Implementation and Migration

This section contains requirements specific to implementation and migration.

The System Version for the GB implementation shall be 2.1. ESR-816

Status: Normative

Rationale: It has been identified that packet switched data communications and online key management are required for the GB application and these are only available with a system version of 2.1 as defined in Subset-026.

Guidance: The provision of packet switched data support in the trackside will be an application-specific decision based on the traffic requirements within an RBC control area.

NB The Version is specified by Subset-026 Chapter 6 Section 6.4 Envelope of legally operated system versions. Refer to the GSM-R Baseline 1 (EIRENE 8/16) for Packet Switching functionality.

Topics: None

The ETCS solution shall provide improved application of speed restrictions on the GB railway when compared with application of speed restrictions under conventional signalling.

ESR-161

Status: Normative

Rationale: The applicable speed profile is often limited by the spacing of signals and the number of different speeds which may be displayed to the driver. The ETCS must remove the constraints of signalling and allow trains to operate at the maximum speed compatible with the infrastructure (track and structures) without being restricted to the current speed categories.

Guidance: The ETCS Onboard equipment can determine, from values based on the train characteristics it stores and route characteristics sent from the Trackside, the most appropriate speed restriction to be adhered to at any given time. This means that some trains may be permitted to run faster under ETCS signalling than under conventional signalling.

Topics: F1, F2

The ETCS Track Condition functionality shall be tailored to optimise service performance across the GB railway.

ESR-199


Rationale: Some Track Condition functions are not applicable in the GB domain; others may be used to improve overall performance on a route.

Guidance: There are several packets that may be sent by the Trackside under the ETCS protocol. Analysis of these will indicate how they can be used to optimise performance for a given route.

Topics: J2, LL

The ETCS shall enable trains to enter areas with different National Values (NV) without safety or performance impact.

ESR-305

Status: Normative

Rationale: Where more than one NID_C is applied on the GB railway, the impact of changes in National Values needs to be considered.

Topics: R3, KK


Issue/ver: 4.0


NETWORK RAIL of 48

The system shall provide the correct National Values on the approach to a new National Area (i.e. NID_C).

ESR-572

Status: Normative

Rationale: To enable the system parameters required for the mission.

Guidance: Redundancy should be provided through the use of RBC and balise groups.

Topics: KK

Operational and technical constraints shall be considered during migration planning for the implementation of the ETCS solution.

ESR-627

Status: Normative

Rationale: Operational constraints cover the need to maintain an acceptable level of service whilst taking operational staff away from the front line to train them in changes to accommodate the new system.

Guidance: Operational staff include signallers, drivers, station staff and maintainers. As regards drivers, the current railway is operating with sufficient trained drivers to provide the timetabled service. The introduction of a new system requires either that those drivers are all upgraded or that new drivers are employed and trained. In either event, this implies the need for a larger pool of drivers to cover the existing service, whilst allowing some to come off the roster for training purposes.

Topics: None

2.10.3 Future Enhancements

This section contains requirements specific to future enhancements.

Where the facility for movements in RV is provided, the driver shall not be required to confirm that the route is safe.

ESR-379

Status: Normative

Rationale: Reversing (RV) mode permits the train to be driven from the rear cab contrary to its original direction in order to escape from an emergency situation. Thus the driver will neither have the time nor the visibility to determine that the points are set and there are no obstacles on the line.

Guidance: This is not normally expected to be required for GB application. Any proposal to utilise RV for specific applications will require a full review of hazards and operational rules as this has not been undertaken during the development of the Reference Design process.

Topics: U4

As far as is reasonably practicable, the implementation of the ETCS shall support the capability for a simple, cost-effective, safe and timely migration path to ETCS Level 3.

ESR-392

Status: Normative

Rationale: The initial ETCS level is expected to be upgraded in the future to Level 3 as this provides the most benefits.

Guidance: Initial implementation must take into consideration the migration to Level 3 so that this may be done at as low a cost as is practicable.

Topics: None


Issue/ver: 4.0


NETWORK RAIL of 48

The provision of a migration path to ETCS Level 3 shall not adversely impact the performance of the GB railway prior to the implementation of Level 3.

ESR-487


Rationale: The initial ETCS level is expected to be upgraded in the future to Level 3 as this provides the most benefits.

Topics: None

2.10.4 Design Rules

The National Values published as the standard values for GB shall be applied unless a specific risk assessment has been undertaken.

ESR-809

Status: Normative

Rationale: The Reference Design and underpinning safety analysis and arguments are based on the published National Value (NV). Any changes from those values will require a full safety impact analysis.

Guidance: The risk assessment should include a review of the impact at National Value boundaries. Industry published standards on the management of National Values should be followed.

Topics: KK

A degraded route shall be available at all entries into the ETCS indicated to the driver by use of a Proceed on Sight Authority (PoSA) aspect.

ESR-810

Status: Normative

Rationale: The provision of a PoSA reduces the occurrence of Class B system and ETCS overrides and the frequency of the requirement to obtain signaller authorisation for a move over the transition border.

Guidance: The setting of a degraded route will nominally result in a Movement Authority being issued that includes an On Sight (OS) profile.

Topics: N2-1, N2-2

System integration shall consider other sub-system boundaries when establishing the location of RBC-RBC boundaries.

ESR-811

Status: Normative

Rationale: To ensure that the RBC-RBC handover is not adversely affected by transitions in other sub-systems, leading to a loss of connectivity or performance.

Guidance: Other sub-system boundaries to consider include those with GSM-R cells, Interlockings, and signaller's control areas.

Topics: R1

The system shall enable trains to operate in Full Supervision through an area where GSM-R coverage is unavailable due to the failure of a single cell.

ESR-812

Status: Normative

Rationale: The extent of the area where GSM-R coverage is unavailable may exceed the length of Movement Authority normally issued to a train and the loss of data radio coverage could lead to an Onboard reaction.

Guidance: On many parts of a route, away from major conurbations, cells are likely to


Issue/ver: 4.0


NETWORK RAIL of 48

provide coverage over more than 6km. It is assumed that the telecoms network design will be such that a single failure in the network will not lead to multiple, consecutive cells being out of action.

Topics: U1, U2

2.11 Requirements for GB Rail Processes

Effective migration planning shall be undertaken from the outset on any proposed ETCS application.

ESR-549


Rationale: If plans for migration are not effective and revisited regularly to reaffirm suitability, there is a significant risk of rework, and cost and time overrun. Interim stages, if required, will need to be safe and operable.

Guidance: Migration planning and interface identification should include the requisite changes to operations and maintenance during the transition to each technical migration phase. It will be necessary to understand the interfaces affected by the proposed changes, the risks those interfaces present, and the methods of mitigation (including, where necessary, the introduction of short-term interim interfaces).

Topics: None

The ETCS implementation shall enable a migration path to Automatic Train Operation (ATO). ESR-541

Status: Normative

Rationale: The introduction of Automatic Train Operation is included within GB future business strategy.

Topics: None

The ETCS solution shall facilitate the density of traffic required to meet business needs. ESR-640

Status: Normative

Rationale: To meet the application-specific operational requirements for the project.

Guidance Each route will determine the requirements for density of traffic. The overall system design, which includes the ETCS, will need to facilitate this requirement.

Topics: None

The ETCS Programme team shall develop a process for projects to select the right ETCS features to deliver the performance they need.

ESR-470

Status: Normative

Rationale: The requirements can sometimes be met by a variety of potential solutions.

Guidance: Selecting solutions on a site-by-site basis will enable optimisation of design and performance.

Topics: None

Tools shall be provided to aid personnel placing of speed restriction boards in order to achieve consistency with ETCS speed restrictions details.

ESR-648

Status: Normative

Rationale: To provide consistent information for both Level 2 and Level NTC operated trains.


Issue/ver: 4.0


NETWORK RAIL of 48

Guidance: The location of the speed boards and the position of an ETCS speed restriction may not be aligned due to trackside conditions.

Topics: F2

The ETCS Programme team shall develop a process for projects to select the appropriate requirements for system and sub-system availability for their ETCS solution.

ESR-471

Status: Normative

Rationale: Expenditure on availability needs to be considered against the impact of loss of service on the route.

Topics: None

The ETCS Programme team shall develop a process for projects to select the appropriate requirements for system and sub-system reliability.

ESR-479

Status: Normative

Rationale: Expenditure on reliability needs to be considered against the impact of loss of service on the route.

Topics: None

ETCS duty holders shall provide appropriate processes and procedures to manage and maintain ETCS configuration and configuration data.

ESR-484

Status: Normative

Rationale: To identify the status of all items in operation or intended for operation, and whether they have been validated/accepted (for example, for maintenance purposes).

Guidance: Configuration data to be defined will include hardware, software, configuration, and documentation. The level of detail required is that needed to ensure that repairs, modifications or upgrades to ETCS assemblies or their interfacing systems are traceable and change-controlled.

The ETCS Configuration Management Strategy [RD24] provides additional guidance.

Topics: None

The working environment during abnormal or degraded working shall allow incidents / problems to be dealt with effectively while not creating undue additional or excessive workload.

ESR-222

Status: Normative

Rationale: Excessive workload can result in human performance issues such as slower task performance and errors such as slips, lapses or mistakes.

Guidance: Factors to be considered in the design of the workplace are the audio and visual stimulation from alerts and alarms (and any discomfort that they may create). The frequency and priority of notifications to the operator should also be considered. Arguably, low priority matters should not be brought to the attention of the operator during degraded working but may be beneficial in maintaining situational awareness and focus during normal operations.

Topics: None


Issue/ver: 4.0


NETWORK RAIL of 48

All tasks shall be designed to maintain workload in normal conditions so that users are not subject to periods of overload or underload.

ESR-221

Status: Normative

Rationale: The first recourse to mitigate potential for human error is in the design.

Guidance: Underload can lead to human performance issues such as loss of situation awareness and reduced alertness as a direct result of boredom. Excessive workload can result in human performance issues such as slower task performance and slips (unintentionally taking the wrong action) and lapses (forgetting the intended action). Both overload and underload can result in poor decision-making.

Topics: None

Train modelling and simulation shall be used to validate the application of a national ETCS solution across the network.

ESR-633

Status: Normative

Rationale: To reduce the level of performance risk through the introduction of new technology.

Guidance: Additional guidance is provided within the ETCS Train Modelling Strategy [RD25].

Topics: None

Interaction between sub-systems within the ETCS and between the ETCS and other systems, equipment, processes and people shall not give rise to unacceptable safety risks.

ESR-336

Status: Normative

Rationale: To ensure that the complete system of systems is safe.

Guidance: ‘Interaction’ includes environmental compatibility and electromagnetic compatibility. It includes both interactions where there is an intentional interface with other systems, and equipment and interaction where there is no intentional interface. 'Other systems and equipment' includes other railway infrastructure systems and non-railway systems.

Topics: None

2.12 Requirements for the Control Layer

The signaller shall be provided with the functionality to request Movement Authorities to be shortened, which will be actioned if it will not lead to an immediate brake application.

ESR-654

Status: Normative

Rationale: To avoid re-planning activities resulting in a braking application.

Guidance: This functionality is to be used by the signaller for cancelling a route in situations other than emergencies.

Topics: J5

A facility shall be provided to allow the signaller to release a locked route. ESR-651

Status: Normative

Rationale: The release of route locking following a failure allows alternative degraded routes to be set, avoiding the use of SR.

Guidance: GE/RT8071 [RD26] contains guidance on the conditions for route release.


Issue/ver: 4.0


NETWORK RAIL of 48

Topics: None

The ETCS solution shall provide all authorised operators with the necessary controls and information to carry out their roles and responsibilities in achieving safe and efficient operation.

ESR-617

Status: Normative

Rationale: So that users can perform their required activities safely and efficiently. The ETCS provides functionality for additional information to be presented to users, and the use and presentation of this information should be supportive of the tasks that require it.

Guidance: Users and their interactions with the system or other users will have to be assessed to determine what information is required to perform a task, and how this information should be presented to ensure that activities are carried out in a safe and efficient manner.

Examples include:

(a) maintainers being provided with adequate system failure indications and alarms to support timely diagnosis;

(b) signallers being provided with clear indications of when a Movement Authority (MA) has been transmitted to and/or received by train; and

(c) drivers being presented with the information required to control the train safely within the constraints of the MA.

Topics: U5, V1, V2, JJ3, JJ4, JJ7

Measures shall be taken to mitigate the risk of a train moving into a section of line for which the train is not compatible.

ESR-385

Status: Normative

Rationale: To reduce the risk of damage to the train or infrastructure where they are not compatible.

Guidance: Compatibility includes loading gauge, axle load and traction supply.

Topics: V1, V2

A means shall be provided to prevent train movements over obstructed level crossings. ESR-475


Rationale: To enable the signaller to prevent automatic route setting over the crossing whilst retaining the controls necessary to allow a train to cross in On Sight (OS).

Guidance: This has implications for the RBC and how it is integrated with the interlocking logic.

Topics: JJ7

The ETCS design shall include the capability of issuing ‘Emergency Stop’ to multiple trains simultaneously.

ESR-244

Status: Normative

Rationale: A facility must be available for the signaller to stop multiple trains in an emergency.

Guidance: This may enable the signaller to prevent collisions or derailment in situations where there are obstacles on the line or other potential sources of derailment. In an overlay area, the group replacement of signals by the signaller will send an


Issue/ver: 4.0


NETWORK RAIL of 48

ETCS stop command to trains entering, or within, the pre-defined area. This will also provide consistency for drivers and a contingency arrangement in an overlay area where Global System for Mobile Communications - Railway (GSM-R) communication may be momentarily unavailable.

Topics: J3


Issue/ver: 4.0


NETWORK RAIL of 48

APPENDIX A: ABBREVIATIONS

The following abbreviations are used within this document, and can also be found in the ETCS Glossary [RD8].

Abbreviation Definition

ATO Automatic Train Operation

ATP Automatic Train Protection

AWS Automatic Warning System

CCS Control, Command and Signalling

CDM Construction (Design and Management)

CR Change Request

DMI Driver Machine Interface

DRACAS Data Recording, Analysis and Corrective Action System

EOA End of Authority

ERTMS European Rail Traffic Management System

ESB ERTMS Systems Body

ESD Electrostatic Discharge

ESR Emergency Speed Restriction

ESR-Identifier (Unique) ETCS System Requirement-Identifier

ETCS European Train Control System

FS Full Supervision

GSM-R Global System for Mobile Communications - Railway

L-NTC Level NTC

LRBG Last Relevant Balise Group

LS Limited Supervision

MA Movement Authority

NCSC National Cyber Security Centre

NL Non Leading

NV National Values

OPE Operation and Traffic Management

OS On Sight

PoSA Proceed on Sight Authority

PT Post Trip

RAMS Reliability, Availability, Maintainability and Safety

RBC Radio Block Centre

RIS Rail Industry Standard

RRAP Road Rail Access Point


Issue/ver: 4.0


NETWORK RAIL of 48

Abbreviation Definition

RV Reversing

SB Standby

SH Shunting

SN System National

SoM Start of Mission

SR Staff Responsible

SSDL Secure Software Development Life Cycle

STM Specific Transmission Module

TAF Track Ahead Free

TM Traffic Management

TPWS Train Protection and Warning System

TR Trip

TRTS Train Ready to Start

TSI Technical Specification for Interoperability

TSR Temporary Speed Restriction

.


Issue/ver: 4.0


NETWORK RAIL of 48

APPENDIX B: LIST OF REFERENCES

Note: Unless otherwise stated, reference should be made to the most recent authorised version of the document.

[RD1] National ETCS Requirements Management Strategy, NEPT/ERTMS/REQ/0003

[RD2] ETCS Requirements Management Plan, NEPT/ERTMS/REQ/0001

[RD3] ETCS – Baseline 3 – GB Trackside Subsystem Requirements Specification, NEPT/ERTMS/REQ/0006

[RD4] ETCS – Baseline 3 – GB Onboard Retrofit Subsystem Requirements, NEPT/ERTMS/REQ/0007

[RD5] ETCS – Baseline 3 – GB Onboard New Trains Subsystem Requirements, NEPT/ERTMS/REQ/0038

[RD6] ETCS – Baseline 3 – GB Telecoms Subsystem Requirements, NEPT/ERTMS/REQ/0008

[RD7] ETCS – Baseline 3 – GB Operations Subsystem Requirements, NEPT/ERTMS/REQ/0009

[RD8] Commission Regulation (EU) 2016/919 of 27 May 2016 on the technical specification for interoperability relating to the ‘control-command and signalling’ subsystems of the rail system in the European Union

[RD9] Baseline 3 Release 2 (CCS TSI Annex A set of specifications #3)

[RD10] ETCS Programme Glossary of Terms, NEPT/ERTMS/ADM/0002

[RD11] ERTMS Reference Design, NEPT/ERTMS/SYS/0032

[RD12] National ETCS Requirements Consolidation Process, CCMS: 64883540

[RD13] ETCS Requirements Assurance Statement, CCMS No: 65842637

[RD14] ETCS Requirements Change Management Process, NEPT/ERTMS/REQ/0013

[RD15] GE/RT8408 ERTMS/ETCS National Values

[RD16] Commission Regulation (EU) 2015/995/EU of 8 June 2015 concerning the technical specification for interoperability relating to the ‘operation and traffic management’ subsystem of the rail system in the European Union.

[RD17] RIS-3703-TOM Issue 2 - Rail Industry Standard for Passenger Train Dispatch and Platform Safety Measures

[RD18] NR Security Assurance Framework, NRT/SY/2015/036

[RD19] ERTMS Reliability Specification, NR/AM/SA/SPE/00147 version A.07

[RD20] ERA ERTMS 015560 – ERTMS/ETCS Driver Machine Interface

[RD21] ETCS Configuration Management Strategy, NEPTR/ERTMS/SYS/0018

[RD22] GE/RT8402, ERTMS/ETCS DMI National Requirements

[RD23] EN50125:2014 - Environmental conditions for equipment. Rolling stock and on-board equipment

[RD24] Construction (Design and Management) Regulations 2015

[RD25] ETCS Train Modelling Strategy, NEPT/ERTMS/TRN/0003

[RD26] GE/RT8071, Proceed-on-Sight Authorities

The TSI and Class 1 Specifications are obtainable from the European Union Agency for Railways.


Issue/ver: 4.0


NETWORK RAIL of 48

APPENDIX C: TOPICS LOOKUP TABLE

Topic ID Topic Title Version

A Continuing Movement 3.0

B Operation in a Possession 6.0

C End of Mission 2.0

D Train Dispatch 2.0

E Stopping at an End of Authority (EOA) 3.0

F Applying Speed Restrictions 3.0

G Starting 3.1

H Permissive Moves 3.0

I Attaching and Detaching 3.0

J Stopping Trains 3.0

K Changing Driver ID and TRN mid-journey 3.0

L ETCS Route Release 3.0

M Neutral Sections, Traction Changeover and Pantograph Management 5.0

N Entering ETCS 3.0

O Exiting ETCS (Leaving Level 2 and 3) 3.0

R Boundaries 4.0

S5 Degraded or Abnormal Working, Route Not Proved 5.0

T Inhibition of Transition 5.0

U System Controls for Issue of Movement Authorities 4.0

V Provision of Routing Information 5.0

Y Miscellaneous 4.0

Z Non Trackside 2.0

AA Consistent Provision of Lineside Signage 4.0

CC Utilisation of Packet 44 in ETCS Areas 3.0

EE Key Management 2.7

HH Train Maintenance and Testing 4.0

II Balise Configuration Rules 4.0

JJ Level Crossing Operation and Protection 5.0

KK Transmission of National Values 3.0

LL Use of Track Condition Functions 5.0


Issue/ver: 4.0


NETWORK RAIL of 48

APPENDIX D: AREAS FOR DEVELOPMENT (OPEN POINTS)

No. Issue Description Identified in

version

Closed in version

1 Reference Design

The Specification Requirements need to be updated to incorporate the latest requirements from the Release Versions of the Reference Design Topics Z and EE, which are identified as (Provisional).

3.4

2 Automatic Train Operation

When Automatic Train Operation has been developed and European standards published, further requirements may need to be included.

3.4

3 ETCS Level 3 When ETCS Level 3 has been developed and European standards and GB application rules published, further requirements may need to be included.

3.4

4 SH in Level NTC (L-NTC)

Requirements need to take into account the ETCS switching AWS/TPWS to cold standby.

3.5

5 Remaining comments from Industry Review

Remaining comments from the Industry review need to be closed out.

4.0

6 Operational Test Scenario input

There will be consequential amendments required arising from the output from the OTS work.

4.0

etcs system requirements specification 4 - rssb€¦ · 1.8 27/05/15 restructured to align content...

Documents