
Uncontrolled when printed Replaces withdrawn documents GKRT0212 Iss 1 and GKGN0612 Iss 1 with effect from 01/09/2018

Railway Industry Standard RIS-0212-CCS Issue One

Date 01 September 2018

Signalling Lockout Systems to Protect Railway Undertaking Personnel

Synopsis This document sets out requirements and guidance for signalling lockout systems provided for railway undertaking personnel to use.

Copyright in the Railway Group documents is owned by Rail Safety and Standards Board Limited. All rights are hereby reserved. No Railway Group document (in whole or in part) may be reproduced, stored in a retrieval system, or transmitted, in any form or means, without the prior written permission of Rail Safety and Standards Board Limited, or as expressly permitted by law.

RSSB members are granted copyright licence in accordance with the Constitution Agreement relating to Rail Safety and Standards Board Limited.

In circumstances where Rail Safety and Standards Board Limited has granted a particular person or organisation permission to copy extracts from Railway Group documents, Rail Safety and Standards Board Limited accepts no responsibility for, nor any liability in connection with, the use of such extracts, or any claims arising therefrom. This disclaimer applies to all forms of media in which extracts from Railway Group documents may be reproduced.

Published by:

RSSB

© Copyright 2018 Rail Safety and Standards Board Limited


Issue record

Issue: One
Date: 01 September 2018
Comments: Replaces Railway Group Standard GKRT0212 issue one, and its associated Guidance Note GKGN0612 issue one, as it could not be retained as a National Technical Rule and is therefore reclassified as a Rail Industry Standard.

Superseded or replaced documents

The following Railway Group documents are superseded or replaced, either in whole or in part as indicated:

Superseded document: GKRT0212 Signalling Lockout Systems to Protect Railway Undertaking Personnel, issue one
Sections superseded: All
Date when sections are superseded: 01 December 2018

Superseded document: GKGN0612 Guidance on Signalling Lockout Systems to Protect Railway Undertaking Personnel, issue one
Sections superseded: All
Date when sections are superseded: 01 December 2018

Supply

The authoritative version of this document is available at www.rssb.co.uk/railway-group-standards. Enquiries on this document can be submitted through the RSSB Customer Self-Service Portal https://customer-portal.rssb.co.uk/.


Contents

Section Description

Part 1 Introduction
1.1 Purpose
1.2 Application of this document
1.3 Health and Safety responsibilities
1.4 Approval and authorisation of this document

Annex A Content of GKRT0212, Issue One

Annex B Content of GKGN0612, Issue One

Definitions

References


Part 1 Introduction

1.1 Purpose

1.1.1 The Railways and Other Guided Transport Systems (Safety Regulations) 2006 (ROGS) places obligations on railway operators and managers to cooperate in controlling risk. RIS-0212-CCS can assist Duty-Holders in discharging this obligation.

1.1.2 Regulation (EU) 402/2013 on a Common Safety Method for Risk Evaluation and Assessment (CSM RA) requires Proposers to identify the hazards arising from planned changes and apply three risk acceptance principles to confirm that the risk arising from the hazards is controlled to an acceptable level.

1.1.3 The requirements in RIS-0212-CCS describe a signalling lockout system technology configuration that is applied and used at some locations on the GB mainline railway where railway undertaking (RU) personnel need to work on or about the line.

1.1.4 The requirements in RIS-0212-CCS are also relevant in applying the risk acceptance principle: comparison with a similar reference system before a signalling lockout system using different technology is put into use.

1.1.5 RIS-0212-CCS, which replaces GKRT0212 and GKGN0612, reproduces the text of GKRT0212 in its entirety in Annex A and GKGN0612 in Annex B.

1.2 Application of this document

1.2.1 Compliance requirements and dates have not been specified because these are the subject of internal procedures or contract conditions.

1.2.2 If you plan to do something that does not comply with a requirement in this RIS, you can ask a Standards Committee to comment on your proposed alternative. If you want a Standards Committee to do this, please submit your deviation application form to RSSB. You can find further advice in the ‘Guidance to applicants and members of Standards Committee on using alternative requirements’, available from the RSSB website www.rssb.co.uk.

1.3 Health and safety responsibilities

1.3.1 Users of documents published by RSSB are reminded of the need to consider their own responsibilities to ensure health and safety at work and their own duties under health and safety legislation. RSSB does not warrant that compliance with all or any documents published by RSSB is sufficient in itself to ensure safe systems of work or operation, or to satisfy such responsibilities or duties.

1.4 Approval and authorisation of this document

1.4.1 The content of this document was approved by the Control Command and Signalling Standards Committee on 07 June 2018.

1.4.2 This document was authorised by RSSB on 24 July 2018.


Annex A Content of GKRT0212, issue one, Signalling Lockout Systems to Protect Railway Undertaking Personnel

Railway Group Standard GK/RT0212 Issue One

Date August 2007

Signalling Lockout Systems to Protect Railway Undertaking Personnel

Synopsis This document mandates the technical parameters that apply to signalling lockout systems provided for railway undertaking personnel to use.

Copyright in the Railway Group Standards is owned by Rail Safety and Standards Board Limited. All rights are hereby reserved. No Railway Group Standard (in whole or in part) may be reproduced, stored in a retrieval system, or transmitted, in any form or means, without the prior written permission of Rail Safety and Standards Board Limited, or as expressly permitted by law.

RSSB Members are granted copyright licence in accordance with the Constitution Agreement relating to Rail Safety and Standards Board Limited.

In circumstances where Rail Safety and Standards Board Limited has granted a particular person or organisation permission to copy extracts from Railway Group Standards, Rail Safety and Standards Board Limited accepts no responsibility for, and excludes all liability in connection with, the use of such extracts, or any claims arising therefrom. This disclaimer applies to all forms of media in which extracts from Railway Group Standards may be reproduced.

Content approved by: CCS Standards Committee on 15 February 2007

Authorised by RSSB on 7 March 2007

Published by: Rail Safety and Standards Board, Evergreen House, 160 Euston Road, London NW1 2DX

© Copyright 2007 Rail Safety and Standards Board Limited


Issue record

Issue: One
Date: August 2007
Comments: Original document

Superseded documents

This Railway Group Standard does not supersede any other Railway Group documents.

Supply

Controlled and uncontrolled copies of this Railway Group Standard may be obtained from the Corporate Communications Department, Rail Safety and Standards Board, Evergreen House, 160 Euston Road, London NW1 2DX, telephone 020 7904 7518 or e-mail [email protected]. Railway Group Standards and associated documents can also be viewed at www.rgsonline.co.uk.


Contents

Section Description

Part 1 Purpose and Introduction
1.1 Purpose
1.2 Introduction

Part 2 Requirements for signalling lockout systems
2.1 Signalling lockout system parameters

Part 3 Application of this document
3.1 Application – infrastructure managers
3.2 Application – railway undertakings
3.3 Health and safety responsibilities

Definitions

References

Figures
Figure 1 Train detection system


Part 1 Purpose and Introduction

1.1 Purpose

1.1.1 This document mandates requirements for signalling lockout systems that are provided by the infrastructure manager for the particular use of railway undertaking personnel, typically persons requiring protection when work is taking place on stationary rail vehicles.

1.2 Introduction

1.2.1 Background

1.2.1.1 The Rule Book (GE/RT8000) sets out requirements for a safe system of work applicable to railway undertaking personnel who need to work on stationary rail vehicles, while on or near the line. Signalling lockout systems are in some cases provided by the infrastructure manager for use by the railway undertaking as part of a safe system of work.

1.2.1.2 The measures contained within this standard, when read in conjunction with the system operating requirements for signallers and workers that are set out in the Rule Book, mitigate the risk that arises at the interface between infrastructure managers and railway undertakings for signalling lockout systems.

1.2.1.3 The scope of protection provided by each signalling lockout system and the safe method of operation is subject to an agreement between the railway undertaking and the infrastructure manager before it is taken into operational use. The agreement includes the limits of protection, the scope of work and the personnel that need to be protected.

1.2.2 Principles

1.2.2.1 The design intention of a signalling lockout system is to prevent the issue of signalled movement authorities within, into or out of a defined protection area, as set out in the mandatory requirements of this standard (see Part 2).

1.2.2.2 The infrastructure manager makes the defined protection available to the railway undertaking when the signaller operates a control to release a key from a key release device. The lockout system is interlocked with the signalling system so that a release can only be given when it is safe to do so.

1.2.2.3 The railway undertaking takes the available protection by extracting one or more keys from the key release device, when it is safe to do so, as set out in the system operating instructions.

1.2.2.4 When a key is removed from the key release device, the protection afforded by the system is established and maintained by the signalling .

1.2.2.5 The protection cannot be withdrawn by the infrastructure manager until the railway undertaking confirms that the protection is no longer being used. This is done when all of the keys are replaced into the key release device.

1.2.2.6 When all of the keys are correctly replaced in the key release device, the signaller can operate a control to cancel the release. This locks the keys into the key release device, by which means the infrastructure manager withdraws the protection available to the railway undertaking.


1.2.3 Related requirements in other documents

1.2.3.1 The following Railway Group Standards contain requirements that are relevant to the scope of this document:

GE/RT8000 The Rule Book
GI/RT7006 Prevention and Mitigation of Overruns – Risk Assessment
GI/RT7033 Lineside Operational Safety Signs
GK/RT0025 Signalling Control Centres
GK/RT0206 Signalling and Operational Telecommunications Systems: Safety Requirements

1.2.4 Supporting documents

1.2.4.1 The following Railway Group documents support this Railway Group Standard:

GK/GN0612 Guidance on Signalling Lockout Systems to Protect Railway Undertaking Personnel


Part 2 Requirements for signalling lockout systems

2.1 Signalling lockout system parameters

2.1.1 Signalling lockout system identification

2.1.1.1 The infrastructure manager shall provide a lineside operational safety sign at the point of use of each signalling lockout system. The sign shall clearly identify the lockout system to the authorised user.

2.1.1.2 The sign shall include:

a) A lockout system identity that is unique to the signalling control area, which includes the wording: ‘Lockout system for system identity’, and

b) An engraved diagram that depicts the limits of protection provided by the lockout system when the defined protection is taken (the movements, lines and locations).

2.1.1.3 The sign shall be legible to the authorised user when the lockout system key release device is used to establish or give up the defined protection.

2.1.2 Signalling lockout system controls

2.1.2.1 The interlocking shall only transmit a ‘lockout available’ control to the key release device when all of the following conditions are true:

a) The signaller has requested the particular release by operating the relevant control device on the signalling control system

b) The interlocking provided for all signal routes into, within and out of the defined protection area is normal and free of approach locking

c) The train detection system has detected that (see Figure 1):

i) There are no trains between the protecting signals and the boundaries of the defined protection area, and

ii) Any train that has been admitted into the defined protection area is detected to be stationary in a position agreed with the railway undertaking

d) The signal overrun mitigation arrangements associated with the signalling lockout system are effective, for example, points that provide trapping protection are locked and detected in the required position.

Figure 1 Train detection system (diagram not reproduced; labels shown: Defined Protection Area, AA.T, AB.T, BA.T, BB.T, CA.T)


2.1.2.2 The interlocking for all signal routes into, within and out of the protection area shall be normal and locked from the time that a ‘lockout available’ control is transmitted to the key release device, until the interlocking for the lockout release control is normal.

2.1.2.3 The interlocking for the release shall only be normalised when:

a) The ‘lockout cancellation’ control has received information that the required number of keys are locked in the key release device, and

b) The signaller has operated a system-specific control device provided on the signalling control system to cancel the release.

2.1.3 Signalling lockout system key release device configuration

2.1.3.1 The infrastructure manager shall provide a single key release device at the point of use of each signalling lockout system. Each key release device shall be configured so that:

a) Keys are captive within the device at all times that the defined protection area is not available to the railway undertaking

b) The railway undertaking personnel can only withdraw keys from the key release device when the ‘lockout available’ control is transmitted by the controlling interlocking

c) Only correctly configured keys can be replaced into the device.

2.1.3.2 The construction of the key release device shall prevent unauthorised adjustment of the device configuration and key release mechanism.

2.1.4 Signalling lockout system key configuration

2.1.4.1 The infrastructure manager shall provide each signalling lockout system with a defined number of keys. The total number of keys within the operational signalling lockout system shall not exceed the minimum number of keys required to cancel the release.

2.1.4.2 The keys for each signalling lockout system shall be uniquely configured to their associated key release device.

2.1.4.3 The infrastructure manager shall securely retain all spare keys and keep a register of keys in use.
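The interlocking conditions in 2.1.2 and the key rules in 2.1.3 and 2.1.4 can be read as a small state machine. The following Python model is an added illustration, not part of GK/RT0212 or any RSSB document; the class, field and key names (K1, K2, X9) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReleaseConditions:
    """Inputs to the 'lockout available' decision in 2.1.2.1 (field names are illustrative)."""
    signaller_requested: bool           # a) signaller operated the release control
    routes_normal: bool                 # b) routes normal and free of approach locking
    approaches_clear: bool              # c-i) no trains between protecting signals and boundary
    admitted_trains_stationary: bool    # c-ii) admitted trains stationary in agreed position
    overrun_mitigation_effective: bool  # d) e.g. trapping points locked and detected

    def all_true(self) -> bool:
        return all(vars(self).values())


class LockoutSystem:
    """Logic-only model of one key release device and its release interlocking."""

    def __init__(self, key_ids):
        # 2.1.4.1 / 2.1.4.2: a defined set of keys, unique to this device; every
        # one of them must be back in the device before the release can be cancelled.
        self.configured_keys = frozenset(key_ids)
        self.keys_in_device = set(key_ids)  # all keys start captive (2.1.3.1 a)
        self.release_given = False          # True while 'lockout available' is transmitted

    def give_release(self, cond: ReleaseConditions) -> bool:
        # 2.1.2.1: transmit 'lockout available' only when every condition holds.
        # Once given, the release stays until cancel_release() succeeds.
        if cond.all_true():
            self.release_given = True
        return self.release_given

    def route_can_be_set(self) -> bool:
        # 2.1.2.2: routes into, within and out of the area stay normal and locked
        # from transmission of the control until the release is normalised.
        return not self.release_given

    def withdraw_key(self, key_id) -> bool:
        # 2.1.3.1 a, b: keys are captive unless 'lockout available' is transmitted.
        if self.release_given and key_id in self.keys_in_device:
            self.keys_in_device.remove(key_id)
            return True
        return False

    def replace_key(self, key_id) -> bool:
        # 2.1.3.1 c: only correctly configured keys can be replaced into the device.
        if key_id in self.configured_keys and key_id not in self.keys_in_device:
            self.keys_in_device.add(key_id)
            return True
        return False

    def cancel_release(self, signaller_cancel: bool) -> bool:
        # 2.1.2.3: normalise only when the required number of keys are locked in
        # the device AND the signaller operates the cancel control.
        all_keys_locked = self.keys_in_device == self.configured_keys
        if self.release_given and signaller_cancel and all_keys_locked:
            self.release_given = False
            return True
        return False


def demo():
    """Walk one take-and-give-up cycle; key ids and inputs are constructed sample data."""
    system = LockoutSystem(["K1", "K2"])
    clear = ReleaseConditions(True, True, True, True, True)
    occupied = ReleaseConditions(True, True, False, True, True)  # train on the approach
    return [
        ("release with train on approach", system.give_release(occupied)),
        ("withdraw K1 before release", system.withdraw_key("K1")),
        ("release with all conditions true", system.give_release(clear)),
        ("withdraw K1", system.withdraw_key("K1")),
        ("set route while release is given", system.route_can_be_set()),
        ("cancel with K1 still out", system.cancel_release(True)),
        ("replace wrongly configured key X9", system.replace_key("X9")),
        ("replace K1", system.replace_key("K1")),
        ("cancel with all keys locked", system.cancel_release(True)),
        ("set route after cancellation", system.route_can_be_set()),
    ]


if __name__ == "__main__":
    for step, result in demo():
        print(f"{step}: {result}")
```

The model shows why 2.1.4.1 ties the number of keys to the number required for cancellation: a key that is still out is the only thing that stops `cancel_release` from succeeding.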

2.1.5 Signalling control system

2.1.5.1 The signalling control system used to operate the signalling lockout system and the protecting signals shall include an indication of the status of the lockout system.

2.1.6 Safety integrity level

2.1.6.1 The safety integrity level for the technical part of the signalling lockout system shall be commensurate with that of the interlocking at that location.


Part 3 Application of this document

3.1 Application – infrastructure managers

3.1.1 Scope

3.1.1.1 The requirements of this document apply to all new and existing equipment used for the protection of railway undertaking personnel who require access to stationary rail vehicles.

3.1.1.2 The requirements of this document apply to all work that affects signalling lockout systems to protect persons working on trains on Network Rail controlled infrastructure, whether new or alteration.

3.1.1.3 Where it is known, or becomes known, that existing signalling lockout systems to protect persons working on trains do not comply with the requirements of this document, action to bring them into compliance is required by 31 December 2008.

3.1.2 Exclusions from scope

3.1.2.1 There are no exclusions from the scope specified in sub-section 3.1.1 for infrastructure managers.

3.1.3 General compliance date for infrastructure managers

3.1.3.1 This Railway Group Standard comes into force and is to be complied with from 6 October 2007, except as specified in sub-section 3.1.4. Where the dates specified in sub-section 3.1.4 are later than the above date, this is to allow infrastructure managers sufficient time to achieve compliance with the specified exceptions.

3.1.3.2 After the compliance dates or the date by which compliance is achieved, if earlier, infrastructure managers are to maintain compliance with the requirements set out in this Railway Group Standard. Where it is considered not reasonably practicable to comply with the requirements, authorisation not to comply should be sought in accordance with the Railway Group Standards Code.

3.1.4 Exceptions to general compliance date

3.1.4.1 There are no exceptions to the general compliance date specified in sub-section 3.1.3 for infrastructure managers.

3.1.4.2 Existing signalling lockout systems to protect persons working on trains shall be checked for compliance with the requirements of this document. Action shall be taken to bring all key release protection systems into compliance by 31 December 2008.

3.2 Application – railway undertakings

3.2.1 There are no requirements applicable to railway undertakings.

3.3 Health and safety responsibilities

3.3.1 Users of documents published by RSSB are reminded of the need to consider their own responsibilities to ensure health and safety at work and their own duties under health and safety legislation. RSSB does not warrant that compliance with all or any documents published by RSSB is sufficient in itself to ensure safe systems of work or operation or to satisfy such responsibilities or duties.


Definitions

Defined protection area
The defined area within which users are to be provided with protection by the signalling lockout system.

Key
A form of guaranteed permission provided by the infrastructure manager to the railway undertaking to use the defined protection, issued by the signaller to the user via the signalling lockout system in the form of a removable, portable key (token or similar physical authority).

Key release device
A device that includes a mechanism to lock and unlock a defined number of keys available to the user, which is controlled via an interface with the controlling interlocking.

‘Lockout available’ control
The function of the interlocking, which transmits a control to the key release device to unlock a key.

Protection system
Any system that allows a user to prevent or restrict the signalling of rail traffic in some way to provide for the protection of persons on or near the line.

Signaller
For the purposes of this document, the signaller is understood to be a person in charge of train movements.

Signalling lockout system
A type of protection system that is interlocked with the signalling system to ensure that movement authorities cannot be issued into the defined protection area when the protection is being used.

User
The railway undertaking personnel requiring the protection afforded by the protection system.


References

The Catalogue of Railway Group Standards and the Railway Group Standards CD-ROM give the current issue number and status of documents published by RSSB. This information is also available from www.rgsonline.co.uk.

Documents referenced in the text

RGSC 01 The Railway Group Standards Code

Railway Group Standards

GE/RT8000 The Rule Book
GI/RT7006 Prevention and Mitigation of Overruns – Risk Assessment
GI/RT7033 Lineside Operational Safety Signs
GK/RT0025 Signalling Control Centres
GK/RT0206 Signalling and Operational Telecommunications Systems: Safety Requirements

RSSB documents

GK/GN0612 Guidance on Signalling Lockout Systems to Protect Railway Undertaking Personnel


Annex B Content of GKGN0612 Guidance on Signalling Lockout Systems to Protect Railway Undertaking Personnel, Issue One

Railway Group Guidance Note GK/GN0612, Issue One, August 2007

Published by: Rail Safety and Standards Board, Evergreen House, 160 Euston Road, London NW1 2DX

© Copyright 2007 Rail Safety and Standards Board Limited

Guidance on Signalling Lockout Systems to Protect Railway Undertaking Personnel

Issue Record

Issue: One
Date: August 2007
Comments: Original document

Superseded documents

This Railway Group Guidance Note does not supersede any other Railway Group documents.

Supply

Controlled and uncontrolled copies of this Railway Group Guidance Note may be obtained from the Corporate Communications Department, Rail Safety and Standards Board, Evergreen House, 160 Euston Road, London NW1 2DX, telephone 020 7904 7518 or e-mail [email protected]. Railway Group Standards and associated documents can also be viewed at www.rgsonline.co.uk.


Contents

Section Description

Part 1 Introduction
1.1 Purpose and structure of this document
1.2 Copyright
1.3 Approval and authorisation of this document

Part 2 Guidance on signalling lockout systems to protect railway undertaking personnel
2.1 Hazards that need to be managed when railway undertaking personnel work on or near the line
2.2 Guidance on signalling lockout system requirements

Appendices
Appendix A Interface specification for signalling lockout systems
A.1 Boundary hazard 1: Complete or partial loss of ‘legibility’ of the lockout system identification
A.2 Boundary hazard 2: Safety related failure of the signalling system could result in a signaller setting a route (resulting in the issue of a movement authority to a train) into an area for which a release has already been given by a signalling lockout system
A.3 Boundary hazard 3: Safety related failure of the signalling lockout system could result in a key being released when protection is not established
A.4 Boundary hazard 4: Failure to adhere to a proper sequence of operation in terms of releasing the protection may lead to an adverse situation
A.5 Boundary hazard 5: An indicator on the keylock device may give a false perception that protection is available to the user under certain failure conditions
A.6 Boundary hazard 6: Failure to adhere to a proper sequence of operation in terms of returning the protection may lead to an adverse situation
A.7 Boundary hazard 7: Where the number of keys available to the user exceeds the minimum number of keys required to cancel the protection, there is a possibility that protection may be given up before work is complete
Appendix B Typical signalling lockout system

Definitions

References

Figures
Figure 1 Diagram of a typical signalling lockout system


Part 1 Introduction

1.1 Purpose and structure of this document

This document has been published by Rail Safety and Standards Board to give guidance on how to control the hazards that arise when signalling lockout systems are used to protect railway undertaking personnel who work on or near the line, in particular:

a) Guidance on the technical requirements in Railway Group Standard GK/RT0212 Signalling Lockout Systems to Protect Railway Undertaking Personnel

b) Guidance on the related technical and operational requirements contained in other Railway Group Standards: GE/RT8000, GE/RT8048, GI/RT7006, GK/RT0011, GK/RT0025, GK/RT0060 and GK/RT0206

c) Recommending the technical and operational features that should be included within infrastructure manager safety management systems

d) Recommending the operational features that should be included within railway undertaking safety management systems.

The specific requirements in the standards listed above are not reproduced in full because it would be detrimental to the clarity of this Guidance Note.

Specific responsibilities and compliance requirements are laid down in the Railway Group Standards.

1.2 Copyright

Copyright in the Railway Group documents is owned by Rail Safety and Standards Board Limited. All rights are hereby reserved. No Railway Group document (in whole or in part) may be reproduced, stored in a retrieval system, or transmitted, in any form or means, without the prior written permission of Rail Safety and Standards Board Limited, or as expressly permitted by law.

RSSB Members are granted copyright licence in accordance with the Constitution Agreement relating to Rail Safety and Standards Board Limited.

In circumstances where Rail Safety and Standards Board Limited has granted a particular person or organisation permission to copy extracts from Railway Group documents, Rail Safety and Standards Board Limited accepts no responsibility for, and excludes all liability in connection with, the use of such extracts, or any claims arising therefrom. This disclaimer applies to all forms of media in which extracts from Railway Group Standards may be reproduced.

1.3 Approval and authorisation of this document

The content of this document was approved by:

CCS Standards Committee on 15 February 2007

This document was authorised by RSSB on 7 March 2007


Part 2 Guidance on signalling lockout systems to protect railway undertaking personnel

2.1 Hazards that need to be managed when railway undertaking personnel work on or near the line

2.1.1 Provision of signalling lockout systems

2.1.1.1 A range of methods, including signalling lockout systems, are used by the infrastructure manager to protect personnel who carry out duties on or near the line, in order to comply with GE/RT8000 (the Rule Book).

2.1.1.2 Where signalling lockout systems are used to protect its own personnel, the infrastructure manager is solely responsible for establishing the technical and operational requirements that provide for safe working within its safety management system.

2.1.1.3 In some circumstances, railway undertakings require their personnel to go on or near the line to carry out routine work, typically: servicing of stationary rolling stock within station areas or sidings. In such cases, a railway undertaking may, as part of its safety management system, decide to make arrangements with the infrastructure manager to provide facilities for staff protection in the form of a signalling lockout system. The decision to carry out such work on or near the line should be justified by the railway undertaking to demonstrate that risk has been reduced to ALARP.

2.1.1.4 Where facilities are provided by the infrastructure manager, the railway undertaking relies upon the safety integrity of the signalling lockout system to establish a safe system of work for its own personnel and specifies its use within its own safety management system.

2.1.1.5 The technical and operational interfaces between the infrastructure manager and railway undertaking are within the scope of Railway Group Standards. It is also necessary to align the safety management systems of the infrastructure manager and railway undertaking at the duty-holder interface to ensure that all of the hazards are sufficiently controlled. The interfaces associated with a typical lockout system are shown in Appendix B.

2.1.1.6 The primary function of signalling lockout systems, used by railway undertakings, is to prevent the issue of signalled movement authorities for all train movements into, out of, or within a pre-defined protection area. The protection provided by signalling lockout systems is dependent upon the safe control of train movements within the limits of signalled movement authorities and the safe actions of drivers, signallers and users.

2.1.1.7 The particular signalling lockout system requirements set out in GK/RT0212 provide for the transfer of an authority to use protection between the infrastructure manager and railway undertaking in the form of a physical key. All of the safety requirements contained in this Guidance Note should be put in place to ensure that a key can only be transferred from one duty-holder to the other (in either direction) when it is safe to do so.

2.1.1.8 Because signalling lockout systems cannot provide protection from un-signalled train movements (for example, during degraded railway operations and engineering possessions), or unauthorised train movements (for example, a SPAD), additional arrangements should also be put in place to address these scenarios.

2.1.2 The system level hazard

2.1.2.1 The system level hazard when railway undertaking personnel work on or near the line is: ‘lines are open to traffic while the railway undertaking personnel are on or near the line’.

2.1.2.2 The system level hazard is present when the sub-system safety requirements have been violated (pre-conditions, post-conditions and invariants) during all railway operational conditions, whenever railway undertaking personnel work on or near the line. The operational conditions that should be considered include:

a) Normal railway operations provided for by the signalling system

b) Abnormal railway operations, for example, wrong direction signalled moves

c) Degraded railway operations, for example, hand-signalled train movements

d) Emergency conditions, for example, unauthorised or uncontrolled movements.

2.1.2.3 The particular arrangements put in place for signalling lockout systems should be designed and operated to control the system level hazard during normal railway operations and those abnormal railway operations that are provided for in the signalling system.

2.1.2.4 Additional methods of staff protection should also be established to control the system level hazard during degraded railway operations and emergency conditions. This may include operational rules that prohibit the use of signalling lockout systems when un-signalled movement authorities are taking place, and emergency warning arrangements.

2.1.2.5 Movement authorities that are totally under the control of a railway undertaking, such as movements under the direction of shunters, should be addressed as part of the railway undertaking safety management system.

2.1.3 Particular hazards associated with signalling lockout systems

2.1.3.1 A number of hazards arise at the duty-holder boundary between the infrastructure manager and the railway undertakings as a consequence of implementing and operating signalling lockout systems. These hazards can be described as boundary hazards.

2.1.3.2 Failure to control all of the boundary hazards would mean that the system level hazard would not be controlled.

2.1.3.3 Analysis of signalling lockout systems used by railway undertakings has identified a set of requirements that, if implemented, mitigate the risk arising at the duty-holder interface. The complete set of requirements is presented as a system interface specification (see Appendix A), which addresses:

a) Technical requirements and operational rules applicable to the infrastructure manager (pre-conditions and post-conditions)

b) Operational rules applicable to the railway undertaking (pre-conditions and post-conditions)

c) Technical requirements and operational rules at the duty-holder interface (invariant requirements that are applicable to both the infrastructure manager and railway undertakings).

2.1.3.4 The technical requirements and operational rules at the duty-holder interface (see clause 2.1.3.3c) above) are provided for by complying with the Railway Group Standards, but these are insufficient on their own to control the system level hazard. Each of the boundary hazards can only be mitigated when the infrastructure manager and railway undertakings establish safety management systems that are compatible with each other and also provide for compliance with Railway Group Standards. This Guidance Note provides guidance on what should be included in the safety management systems to ensure compatibility.

2.1.3.5 The technical and operational requirements applicable to infrastructure manager safety management systems, including guidance on compliance with Railway Group Standards, are set out in section 2.2.

2.1.3.6 The operational requirements applicable to railway undertaking safety management systems are set out in section 2.2.

2.2 Guidance on signalling lockout system requirements

2.2.1 Provision of signage, labelling and operating instructions

2.2.1.1 The first boundary hazard associated with signalling lockout systems is: ‘Complete or partial loss of “legibility” of the lockout system identification’.

2.2.1.2 GE/RT8000 (the Rule Book) requires the person responsible for setting up a safe system of work to ensure it is adequate. Inadequate or degraded signalling lockout system signage and labelling could result in a user misinterpreting the scope of protection provided by a system, which could lead the user to set up inadequate protection arrangements.

Guidance for infrastructure managers and railway undertakings

2.2.1.3 Each signalling lockout system should be designed and configured by the infrastructure manager to meet the operational requirements of the railway undertaking. The scope of protection provided by each signalling lockout system should be agreed between the infrastructure manager and the railway undertaking and be included in a system design specification. The following items should be considered:

a) The geographical limits that need to be protected

b) The types of activity that take place under the protection

c) The number of people and separate work groups that use the system

d) The times of day that the system is used

e) The access arrangements to and from the protection area

f) The methods of communication between the user and the signaller

g) The movement authorities that are prohibited when the protection is established

h) The lines adjacent to the protection area and the movements that can still take place when the protection is established.

Guidance for infrastructure managers

2.2.1.4 The infrastructure manager should produce and implement a set of system operating instructions to provide for the safe operation of each signalling lockout system. The operating instructions should be compatible with the requirements in GE/RT8000 (the Rule Book) and set out the co-ordinated sequence of operations that need to be carried out by the signaller and the user.

2.2.1.5 The instructions should set out:

a) The sequence of operations required when:

i) Protection is established

ii) Protection is used

iii) Protection is given up

b) The identity and permitted scope of use of the signalling lockout system.

2.2.1.6 The particular content in the instructions should include the guidance contained in sub-sections 2.2.1 to 2.2.6.

2.2.1.7 The instructions should be agreed with, and made available to, the railway undertaking before the signalling lockout system is taken into operational use. The arrangements for publishing local instructions are set out in GE/RT8004.

2.2.1.8 The infrastructure manager should ensure that:

a) Every signalling lockout system is provided with ‘fit for purpose’ signage that is compliant with GK/RT0212 sub-section 2.1.1

b) Operational signalling lockout systems are maintained as part of an asset management system to ensure that signage is legible to the user whenever the system needs to be operated

c) Arrangements are put in place to ensure that permission to use signalling lockout systems is withheld when signs are missing or illegible, until corrective action has been completed

d) Signallers are competent to operate signalling lockout systems.

Guidance for railway undertakings

2.2.1.9 Railway undertakings should ensure that:

a) Personnel who use signalling lockout systems understand, and have access to, signalling lockout system operating instructions

b) Signalling lockout systems are only used to provide protection for the scope of work for which they have been specified in accordance with the system operating instructions

c) Personnel who use signalling lockout systems are competent and understand that the protection afforded by the particular lockout system is compatible with the work that needs to be protected

d) Personnel report any difficulty in reading the signage or interpreting the scope of protection provided by the signalling lockout system, in accordance with the requirements for reporting failures set out in GE/RT8000 (the Rule Book)

e) Personnel do not use defective lockout systems.

2.2.2 Signalling control and display system

2.2.2.1 The second boundary hazard associated with signalling lockout systems is: ‘Safety related failure of the signalling system could result in a signaller setting a route (resulting in the issue of a movement authority to a train) into an area for which a release has already been given by a signalling lockout system’.

2.2.2.2 There is a possibility that, under certain signalling failure conditions, an incorrect movement authority could be issued to a train that would result in a violation of the protection provided by a signalling lockout system.

Guidance for infrastructure managers

2.2.2.3 Signalling lockout system operating instructions should include a requirement that the user informs the signaller as soon as the first lockout key is withdrawn from the key release device.

2.2.2.4 The infrastructure manager should ensure that:

a) Signallers are aware that a signalled route should not be requested into a protected area when a signalling lockout release has been issued

b) Signallers are competent and vigilant in order to be able to detect signalling failures that could result in loss of protection

c) Signallers are capable of taking the appropriate necessary action in the event of loss of protection due to a signalling failure or

d) Operating instructions should require the signaller to check that signalling lockout system protection is not being used before issuing an authority to a driver to pass a protecting signal at danger.

Guidance for railway undertakings

2.2.2.5 The railway undertaking should ensure that:

a) Drivers are competent and vigilant, in order to be able to detect signalling irregularities

b) Personnel using the protection provided by a signalling lockout system establish a safe system of work that addresses all railway operating conditions.

2.2.3 Voice communication requirements

2.2.3.1 The third boundary hazard associated with signalling lockout systems is: ‘Safety related failure of the signalling lockout system could result in a key being released when protection is not established’.

2.2.3.2 There is a possibility that, under certain signalling failure conditions, a key could be unlocked and removed by a user when the protection is not available.

Guidance for infrastructure managers

2.2.3.3 The infrastructure manager should ensure that all signalling lockout systems provided for use by a railway undertaking include a facility to enable the signaller and user to communicate with each other for the purposes of requesting, confirming and cancelling the protection arrangements.

2.2.3.4 The communication arrangements provided with each signalling lockout system should be agreed with the railway undertaking, and may typically comprise a dedicated lineside operational telephone adjacent to the key release instrument connected to the telephone concentrator in the signal box.

2.2.3.5 The technical requirements for the communication system are set out in GE/RT8048 Positioning and Labelling of Lineside Telephones, and GK/RT0206 Signalling and Operational Telecommunications Systems: Safety Requirements.

2.2.3.6 The requirements for operational voice messages communicated by the signaller are set out in GE/RT8000 (the Rule Book).

2.2.3.7 Lockout system operating instructions should include a procedure for the sequence of communication and operations including:

a) A user requesting a release from the signaller to establish protection

b) The signaller confirming with the user that the protection is available

c) The user confirming with the signaller that the protection has been taken, as soon as the first key has been withdrawn

d) The user confirming with the signaller that the protection is no longer required

e) The signaller confirming with the user that the release has been cancelled.

2.2.3.8 The infrastructure manager should ensure that:

a) Signallers communicate verbal messages with the user in accordance with the protocol set out in GE/RT8000 (the Rule Book)

b) Signallers understand how to communicate with the user of the protection in emergency conditions

c) Voice communication systems provided as part of signalling lockout systems are maintained within an asset management system to ensure that they are fit for purpose whenever the system needs to be used.

Guidance for railway undertakings

2.2.3.9 The requirements for operational voice messages communicated by the user are set out in GE/RT8000 (the Rule Book).

2.2.3.10 The railway undertaking should ensure that:

a) Users communicate verbal messages with the signaller in accordance with the protocol set out in GE/RT8000 (the Rule Book) when requesting, confirming and giving up protection

b) Users confirm with the signaller that a release has been given before attempting to withdraw a key, irrespective of any indication provided within the key release device

c) Users inform the signaller as soon as the first lockout key is withdrawn from the key release device

d) Users confirm with the signaller when protection is no longer required.

2.2.4 Signalling lockout system ‘release available’ controls

2.2.4.1 The fourth and fifth boundary hazards associated with signalling lockout systems are:

a) ‘Failure to adhere to a proper sequence of operation in terms of releasing the protection may lead to an adverse situation’, and

b) ‘An indicator on the keylock device may give a false perception that protection is available to the user under certain failure conditions’.

2.2.4.2 The integrity of the protection provided by the signalling lockout system is dependent on:

a) The configuration of the interlocking arrangements that control the signalling lockout system release function, the protecting signals and overrun protection functions

b) The safe control of train movements by the driver, within the limits authorised by the signalling system

c) The correct withdrawal and retention of the key by the user, when it is safe to do so, as a means of preventing the issue of signalled movement authorities to trains whenever the protection is being used.

Guidance for infrastructure managers

2.2.4.3 The infrastructure manager should design and implement a signalling interlocking system that ensures that a control to unlock a key can only be issued to a key release device when there is no possibility of authorised train movements into, out of, or within the protection area, and that protecting signals can only transmit proceed movement authorities when the protection has not been taken.

2.2.4.4 The interlocking system should fulfil the requirements contained in GK/RT0206 Signalling and Operational Telecommunications Systems: Safety Requirements, and GK/RT0060 Interlocking Principles. The particular requirements associated with signalling lockout systems are set out in GK/RT0212 sub-section 2.1.2.

2.2.4.5 GK/RT0212 clause 2.1.2.1a) requires that a release is only issued after the signaller responsible for operating the lockout release control has decided that it is safe to grant the protection and ‘requested the particular release by operating the relevant control device on the signalling control system’.

2.2.4.6 In order to be able to decide whether a release can be safely operated, the signaller should be provided with:

a) Information about the position of trains relative to the protection area

b) Information about the status of signal routes and movement authorities that conflict with the protection area

c) A facility to normalise all of the signal routes and prevent the issue of movement authorities that conflict with the protection area

d) A device to control the lockout release

e) Information about the status of the lockout release.

2.2.4.7 This can be achieved by providing a signalling control and indication system that is compliant with GK/RT0025 Signalling Control Centres.

2.2.4.8 GK/RT0212 clause 2.1.2.1b) requires that ‘the interlocking provided for all signal routes into, within and out of the defined protection area is normal and free of approach locking’ before a ‘lockout available’ control can be issued by the interlocking.

2.2.4.9 The signalling system should be configured so that the interlocking provided for all relevant signal routes is proved to be normal and locked before the interlocking for the signalling lockout release can be unlocked and reversed.

2.2.4.10 Approach locking should be provided on all signal routes that extend into, within or out of the defined protection area.

2.2.4.11 GK/RT0212 clause 2.1.2.1c) requires that a ‘lockout available’ control shall only be issued by the interlocking when ‘the train detection system has detected that:

a) There are no trains between the protecting signals and the boundaries of the defined protection area, and

b) Any train that has been admitted into the defined protection area is detected to be stationary in a position agreed with the railway undertaking’.

2.2.4.12 A train detection system, compliant with GK/RT0011 Train Detection, should be provided between all protecting signals and the end of each signal route that conflicts with the protection area.

2.2.4.13 On bi-directional lines, additional controls may be provided to allow a ‘lockout available’ control to be issued when trains between the protecting signals and defined protection area are proved to be going away from the protection area.

2.2.4.14 GK/RT0212 clause 2.1.2.1d) requires that ‘the signal overrun mitigation arrangements associated with the signalling lockout system are effective, for example, points that provide trapping protection are locked and detected in the required position’.

2.2.4.15 Appropriate SPAD mitigation measures should be determined and applied to each protecting signal by providing signalling controls that are derived from compliance with GI/RT7006 Prevention and Mitigation of Overruns – Risk Assessment.

2.2.4.16 The overrun protection facilities selected should be proportionate to the risk of an unauthorised train movement entering a protection area that is being used. In circumstances where the track and signalling arrangements permit, it may be sufficient to control and lock facing points between the protecting signal and the protection area to provide trapping protection against unauthorised train movements. Where this is not practicable, other methods of overrun protection should be considered, including provision of TPWS.

2.2.4.17 GK/RT0212 clause 2.1.2.2 requires that ‘the interlocking for all signal routes into, within and out of the protection area shall be normal and locked from the time that a “lockout available” control is transmitted to the key release device, until the interlocking for the lockout release control is normal’.

2.2.4.18 The interlocking system should be configured to ensure that:

a) All signal routes associated with protecting signals are locked normal at all times that the interlocking provided with the signalling lockout release is in the reverse position

b) The interlocking associated with infrastructure that is used to provide overrun protection (for example, points) is locked at all times that the interlocking provided with the signalling lockout release is in the reverse position

c) The interlocking for functions that provide protection is only released after the interlocking provided with the release control has been proved to be locked normal.

2.2.4.19 GK/RT0212 clause 2.1.3.1a) requires the infrastructure manager to provide a key release device that ensures that ‘keys are captive within the device at all times that the defined protection area is not available to the railway undertaking’.

2.2.4.20 Keys should be securely held within the key release device at all times, unless a ‘release available’ control has been transmitted by the interlocking. Typically this can be achieved through incorporating an electro-mechanical key locking mechanism within the key release device.

2.2.4.21 The key locking mechanism should only be unlocked and free to operate when a ‘release available’ control is transmitted from the interlocking to the key release device. This should enable a user to unlock and withdraw one or more keys.

2.2.4.22 It is good practice to incorporate an economiser device within the key release mechanism that requires the user to positively unlock a key before it can be withdrawn.

2.2.4.23 An illuminated indication may be provided within the key release device, but this should only be intended to advise the user when permission to use the protection is available on request from the signaller. Such an indication should typically be extinguished when a release is not available and illuminate only when the key is unlocked. The illumination of the indication should indicate the status of the locking mechanism, and failure of the indication should not influence the integrity of the protection.

2.2.4.24 The infrastructure manager should ensure that interlocking and signalling lockout systems are maintained as part of an asset management system to ensure that they are fit for purpose whenever the systems need to be used.

Guidance for railway undertakings

2.2.4.25 Railway undertakings should ensure that:

a) Users only attempt to withdraw the first key after verbally confirming with the signaller that it is safe to use the protection and when a release is issued by the interlocking

b) Users retain the withdrawn keys on their person at all times when the protection is required

c) A signalling lockout system is only used to support a safe system of work when it is compatible with the activity that needs to be protected

d) Competent drivers are employed to control the movement of all trains within the limits of the movement authorities issued by the infrastructure manager.

2.2.5 Signalling lockout system ‘release cancellation’ controls

2.2.5.1 The sixth boundary hazard associated with signalling lockout systems is: ‘Failure to adhere to a proper sequence of operation in terms of returning the key may lead to an adverse situation’.

2.2.5.2 Because the integrity of the protection is dependent on the railway undertaking personnel withdrawing and retaining possession of a key, it is necessary to ensure that protection can only be withdrawn by the signaller when:

a) The user has replaced all withdrawn keys in the key release instrument

b) The signalling lockout system detects that the designated number of correctly configured keys are replaced into the key release device

c) The user confirms with the signaller that it is safe to cancel the release.

Guidance for infrastructure managers

2.2.5.3 GK/RT0212 clause 2.1.2.3 requires that ‘the interlocking for the release shall only be normalised when:

a) The “lockout cancellation” control has received information that the required number of keys are locked in the key release device, and

b) The signaller has operated a system-specific control device on the signalling control system to cancel the release.’

2.2.5.4 The interlocking should be configured to ensure that the signalling lockout release can only be normalised when:

a) The required number of keys are detected to be locked within the key release device

b) The locking mechanism within the key release device is proved to be locked

c) The ‘lockout available’ control is no longer being transmitted by the interlocking

d) The signaller operates the control to cancel the release.

2.2.5.5 An illuminated indication may be provided on the signalling control panel, but this should only be used to advise the signaller when the release is ready to be cancelled. The illumination of the indication should indicate the status of the release, and failure of the indication should not influence the integrity of the protection.

2.2.5.6 The infrastructure manager should ensure that:

a) Signallers only attempt to cancel the protection when the user has confirmed that the protection provided by the signalling lockout system is no longer required, irrespective of any indication provided on the signalling control panel

b) Signallers are competent to operate the signalling lockout system

c) Signalling lockout systems are only adjusted and reset by competent and authorised personnel under controlled conditions, for example during planned maintenance or in order to return the asset to operational use following a failure, when it is confirmed by the signaller that it is safe to do so.

Guidance for railway undertakings

2.2.5.7 Railway undertakings should ensure that:

a) Users only replace keys into the keylock mechanism when all personnel and equipment are known to be clear of the defined protection area and are in the designated position of safety

b) Users only use the correct, authorised keys to operate the lockout system

c) Users communicate with the signaller to confirm that the protection provided by the signalling lockout system is no longer required

d) Users are competent to operate the signalling lockout system.

2.2.6 Compatibility between key release devices and keys

2.2.6.1 The seventh boundary hazard associated with signalling lockout systems is: ‘Where the number of keys available to the user exceeds the minimum number of keys required to cancel the protection, there is a possibility that protection could be given up before the work is complete’.

Guidance for infrastructure managers

2.2.6.2 GK/RT0212 sub-section 2.1.3 requires the infrastructure manager to provide a key release device that will only transmit a ‘lockout cancellation’ control to the interlocking sub-system when the designated, correctly configured, keys are replaced into the key release device.

2.2.6.3 Key release instruments should be configured to:

a) Prevent incompatible keys from being used to cancel the release

b) Detect that the required number of keys have been correctly and fully inserted and locked into the keyway before the ‘release cancellation’ is transmitted to the interlocking

c) Be constructed in a manner that prevents unauthorised adjustment.

2.2.6.4 GK/RT0212 sub-section 2.1.4 requires the infrastructure manager to ensure that:

a) ‘The total number of keys within the operational signalling lockout system shall not exceed the minimum number of keys required to cancel the release’, and

b) ‘The keys for each signalling lockout system shall be uniquely configured to their associated key release device.’

2.2.6.5 The number of keys provided with each key release device should be determined by the infrastructure manager as part of the system design specification to meet the operational needs of the railway undertaking. Typically, the total number of keys within a signalling lockout system should match the maximum number of users of the protection at any one time. This ensures that each user (person responsible for protecting a work group) can retain a key as a guarantee of protection until the protection is no longer required.
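The release conditions quoted in sub-section 2.2.4, the cancellation conditions in clause 2.2.5.4 and the key-count rule in clause 2.2.6.4 can be exercised together as a small state model. The Python below is an added illustration and is not part of GK/GN0612 or GK/RT0212; the class, field and function names are assumptions, and each interlocking condition is reduced to a boolean.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutInterlocking:
    """Illustrative model only; names are assumptions, not taken from the standard."""
    required_keys: int                         # keys the device must detect to cancel
    total_keys: int                            # keys in the operational system
    routes_normal: bool = True                 # conflicting signal routes are normal
    approach_locking_free: bool = True
    approach_clear: bool = True                # no train between signals and area
    trains_in_area_stationary: bool = True
    overrun_protection_effective: bool = True
    release_reversed: bool = False             # 'lockout available' being transmitted
    keys_in_device: int = field(init=False, default=0)

    def __post_init__(self):
        self.keys_in_device = self.total_keys  # all keys start captive in the device

    def keys_held(self) -> int:
        """Keys currently retained by users as their guarantee of protection."""
        return self.total_keys - self.keys_in_device

    def request_release(self, signaller_requests: bool) -> bool:
        """Release preconditions as quoted from GK/RT0212 clause 2.1.2.1 a) to d)."""
        ok = (signaller_requests and self.routes_normal
              and self.approach_locking_free and self.approach_clear
              and self.trains_in_area_stationary
              and self.overrun_protection_effective)
        if ok:
            self.release_reversed = True
        return ok

    def set_route(self) -> bool:
        """Routes stay locked normal while the release is reversed (2.2.4.18 a)."""
        if self.release_reversed:
            return False
        self.routes_normal = False
        return True

    def withdraw_key(self) -> bool:
        """Keys are captive unless a release has been transmitted (2.2.4.20)."""
        if not self.release_reversed or self.keys_in_device == 0:
            return False
        self.keys_in_device -= 1
        return True

    def replace_key(self) -> bool:
        if self.keys_in_device >= self.total_keys:
            return False
        self.keys_in_device += 1
        return True

    def cancel_release(self, signaller_cancels: bool) -> bool:
        """Cancellation conditions of 2.2.5.4, collapsed into one step: the device
        must detect the required number of keys and the signaller must act."""
        if not (self.release_reversed and signaller_cancels
                and self.keys_in_device >= self.required_keys):
            return False
        self.release_reversed = False          # release normalised, keys captive again
        return True


def two_user_scenario(total_keys: int, required_keys: int) -> dict:
    """Constructed scenario: two work groups each take a key, only one gives it back."""
    il = LockoutInterlocking(required_keys=required_keys, total_keys=total_keys)
    result = {"released": il.request_release(signaller_requests=True)}
    il.withdraw_key()                          # user A
    il.withdraw_key()                          # user B
    result["route_while_protected"] = il.set_route()
    il.replace_key()                           # user A has finished, user B has not
    result["cancelled_with_key_out"] = il.cancel_release(signaller_cancels=True)
    result["keys_still_held"] = il.keys_held()
    result["route_after_cancel_attempt"] = il.set_route()
    return result


if __name__ == "__main__":
    print("total == required:", two_user_scenario(total_keys=2, required_keys=2))
    print("total >  required:", two_user_scenario(total_keys=3, required_keys=2))
```

With one more key in the system than the device needs to see, the model lets the release be cancelled and a route set while one user still holds a key, which is the seventh boundary hazard.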

2.2.6.6 If it is necessary, for system availability and reliability purposes, to provide spare keys, these should be securely stored by the infrastructure manager and only entered into the operational system when the signaller is satisfied that it is safe to do so. If a mislaid key is subsequently located or a damaged key is repaired, the number of keys within the operational system should be restored to the minimum number required to cancel a release.

2.2.6.7 The infrastructure controller should implement a procedure for managing spare keys as part of the operating instructions provided with each signalling lockout system.

2.2.6.8 Keys should be clearly identified to help users match the key with the respective key release device. This may include colour coding or clear labelling to describe the protection area that they authorise protection for.

2.2.6.9 The keylock mechanism should be of robust construction and designed to prevent unauthorised operation. The key locking mechanism and the associated electrical controls should be secured, separated and shielded from the user to prevent unauthorised operation, with controlled access being provided to support maintenance requirements.

Guidance for railway undertakings

2.2.6.10 Railway undertakings should ensure, as part of a safety management system, that:

a) Personnel remain within the limits of the defined protection area for which the lockout system has been specified

b) The person responsible for each worksite checks that all personnel and equipment are clear of the protection area and in a position of safety before replacing the key in the key release device

c) All personnel remain in a position of safety and do not re-enter the protection area after the protection has been given up

d) Personnel who use the protection only have access to keys that are within the operational system

e) Personnel only operate the keylock device in accordance with the operating procedures

f) Mislaid or damaged keys are reported to the signaller in accordance with GE/RT8000 (the Rule Book).

Appendix A Interface specification for signalling lockout systems

Generic safety management issues, for example competence management, are not listed.

A.1 Boundary hazard 1: Complete or partial loss of ‘legibility’ of the lockout system identification

A.1.1 Infrastructure manager sub-system requirements (pre-conditions)

A.1.1.1 The infrastructure manager safety management system shall ensure ‘fit for purpose’ identification signs and labels on keylock mechanisms.

A.1.1.2 The infrastructure manager safety management system shall ensure that sufficient technical and operational information about lockout systems is available to users.

A.1.1.3 The infrastructure manager safety management system shall include an asset maintenance regime that includes a check that equipment identification signs and labels are fit for purpose at the time that the lockout facility is used.

A.1.1.4 The infrastructure manager safety management system shall include a failure management process that ensures that defective lockout systems cannot be used (including the ability to detect where missing labels could result in the wrong protection being taken).

A.1.2 Railway undertaking sub-system requirements (pre-conditions)

A.1.2.1 The railway undertaking safety management system shall ensure that personnel who use lockout systems understand their scope of work activity and the requirements of the task to be performed before using a lockout system.

A.1.2.2 The railway undertaking safety management system shall ensure that personnel who use lockout systems report any difficulty in reading or using the label.

A.1.2.3 The railway undertaking safety management system shall ensure that personnel who use lockout systems can recognise defects and report failures to the infrastructure manager.

A.1.3 Safety requirements at the duty-holder interface (invariant)

A.1.3.1 The infrastructure manager shall provide keylock devices that are clearly labelled with the keylock identification. The identification sign shall include:

a) A unique keylock identity descriptor, and

b) A diagram that describes the scope of protection and identifies the limits of protection provided by that keylock.

A.1.3.2 The identification label parameters shall provide for legibility to all intended users at all times. Illumination shall be provided where necessary.

A.1.3.3 The identification shall be legible from the position that the keylock device is operated.

A.1.3.4 The railway undertaking personnel requiring the protection shall ensure that the scope of protection afforded by the lockout system matches the scope of work that is to be carried out.

A.1.4 Infrastructure manager sub-system requirements (post-conditions)

A.1.4.1 None.

A.1.5 Railway undertaking sub-system requirements (post-conditions)

A.1.5.1 The railway undertaking safety management system shall ensure that personnel requesting protection know that the protection provided by the lockout system is appropriate for the task to be performed.

A.1.5.2 The railway undertaking safety management system shall ensure that personnel do not use defective lockout systems.

A.2 Boundary hazard 2: Safety related failure of the signalling system could result in a signaller setting a route (resulting in the issue of a movement authority to a train) into an area for which a release has already been given by a signalling lockout system

A.2.1 Infrastructure manager sub-system requirements (pre-conditions)

A.2.1.1 The infrastructure manager safety management system shall ensure that the design of the signalling control system provides for the signaller to apply reminder appliances to signal control functions.

A.2.1.2 The infrastructure manager safety management system shall ensure that the signaller is provided with a mechanism to detect a wrong side failure, is competent to understand the implications of a wrong side failure and is capable of taking the appropriate action.

A.2.2 Railway undertaking sub-system requirements (pre-conditions)

A.2.2.1 None.

A.2.3 Safety requirements at the duty-holder interface (invariant)

A.2.3.1 The infrastructure manager shall provide a signalling control facility that is used by a signaller to place a reminder device on a signal control device as soon as the railway undertaking personnel informs the signaller that a release has been taken.

A.2.3.2 The railway undertaking personnel inform the signaller as soon as the release is taken (when the first key is withdrawn from the keylock device).

A.2.4 Infrastructure manager sub-system requirements (post-conditions)

A.2.4.1 The infrastructure manager safety management system shall ensure the signaller is aware at all times that a route shall not be requested into a protection area when the release has been taken.

A.2.4.2 The infrastructure manager safety management system shall require the signaller to place a reminder device, at the time the lockout release is given, on the control functions that would be operated, in order to set signalled routes into the protection area. The reminder device shall remain in place until the lockout release is cancelled.

A.2.5 Railway undertaking sub-system requirements (post-conditions)

A.2.5.1 The railway undertaking safety management system shall ensure that personnel implement a safe system of work for the duration that the protection is required.

A.3 Boundary hazard 3: Safety related failure of the signalling lockout system could result in a key being released when protection is not established

A.3.1 Infrastructure manager sub-system requirements (pre-conditions)

A.3.1.1 The infrastructure manager safety management system shall ensure that a communication facility is available for use between the signaller and the person who uses the lockout system.

A.3.1.2 The infrastructure manager safety management system shall ensure that the communication system is fit for purpose and in normal working order.

A.3.1.3 The infrastructure manager safety management system shall ensure that the signaller is competent to understand how to issue an emergency message to the railway undertaking personnel.

A.3.2 Railway undertaking sub-system requirements (pre-conditions)

A.3.2.1 The railway undertaking safety management system shall ensure that personnel who use lockout systems are competent to use the communication system and understand the communication protocol to be used.

A.3.3 Safety requirements at the duty-holder interface (invariant)

A.3.3.1 Railway undertaking personnel shall request a release before attempting to remove a key.

A.3.3.2 Infrastructure manager and railway undertaking personnel shall communicate verbal messages using the protocol set out in GE/RT8000 (the Rule Book).

A.3.4 Infrastructure manager sub-system requirements (post-conditions)

A.3.4.1 The infrastructure manager safety management system shall ensure the signaller communicates the decision on whether to operate the lockout release to the person requesting protection.

A.3.5 Railway undertaking sub-system requirements (post-conditions)

A.3.5.1 The railway undertaking safety management system shall ensure that the person who has requested a release understands that a release has been given before attempting to remove a key from the key release instrument.

A.4 Boundary hazard 4: Failure to adhere to a proper sequence of operation in terms of releasing the protection may lead to an adverse situation

A.4.1 Infrastructure manager sub-system requirements (pre-conditions)

A.4.1.1 The infrastructure manager safety management system shall provide a signalling control system that includes a lockout release control function for the use of the signaller.

A.4.1.2 The infrastructure manager safety management system shall ensure that all movement authorities into and out of the protected area are under the control of the signaller who controls the release.

A.4.1.3 The infrastructure manager safety management system shall ensure that adequate overrun protection facilities are provided on all signals to mitigate SPAD risk.

A.4.1.4 The infrastructure manager safety management system shall ensure that a method of train protection is provided between all protecting signals and the protected area.

A.4.1.5 The infrastructure manager safety management system shall ensure that a keylock device is provided at a location that provides for safe access, egress and operation by the user from a position of safety.

A.4.1.6 The infrastructure manager safety management system shall ensure that all signalling equipment is fit for purpose and in normal working order.

A.4.2 Railway undertaking sub-system requirements (pre-conditions)

A.4.2.1 The railway undertaking safety management system shall ensure that train drivers are competent and control trains within the limits of movement authority.

A.4.2.2 The railway undertaking safety management system shall ensure that personnel requiring to work on or near the line are competent to use the lockout system.

A.4.3 Safety requirements at the duty-holder interface (invariant)

A.4.3.1 Protecting signals display stop aspects when the release has been operated.

A.4.3.2 A lockout release function can only be issued to the lockout instrument when the signaller operates the release control function and:

a) All signal routes into, within and out of the protection area are normal and free of approach locking

b) Overrun protection is effective for the protecting signals

c) There are no trains between the protecting signals and the protection area unless they are going away from the defined protection area.

A.4.3.3 Railway undertaking personnel only take the release when it is safe to do so.

A.4.3.4 Train drivers stop trains at protecting signals.

A.4.4 Infrastructure manager sub-system requirements (post-conditions)

A.4.4.1 The infrastructure manager safety management system shall ensure that the signalling system prevents the issue of movement authorities into, within or out of the protected area when the release has been given.

A.4.5 Railway undertaking sub-system requirements (post-conditions)

A.4.5.1 The railway undertaking safety management system shall ensure that personnel retain the key at all times that access to the protected area is required.

A.4.5.2 The railway undertaking safety management system shall ensure that personnel carry out their work within the constraints specified for the lockout system.

A.5 Boundary hazard 5: An indicator on the keylock device may give a false perception that protection is available to the user under certain failure conditions

A.5.1 Infrastructure manager sub-system requirements (pre-conditions)

A.5.1.1 The infrastructure manager safety management system includes a design process that ensures that the design of the keylock device provides for integrity of the lock mechanism as the primary safety control, so that a key cannot be withdrawn until the release has been given, irrespective of the perception of release status provided by the indicator.

A.5.2 Railway undertaking sub-system requirements (pre-conditions)

A.5.2.1 The railway undertaking safety management system shall ensure that personnel are competent to use the system and competent in the rules.

A.5.3 Safety requirements at the duty-holder interface (invariant)

A.5.3.1 The keylock device shall only release a key when the appropriate release control has been transmitted by the interlocking.

A.5.3.2 Railway undertaking personnel shall remove and retain a key from the appropriate keylock device, in order to confirm that the protection has been issued.

A.5.4 Infrastructure manager sub-system requirements (post-conditions)

A.5.4.1 None.

A.5.5 Railway undertaking sub-system requirements (post-conditions)

A.5.5.1 The railway undertaking personnel carry out work on or near the line within the constraints specified for the lockout system (physical boundaries and activities).

A.6 Boundary hazard 6: Failure to adhere to a proper sequence of operation in terms of returning the protection may lead to an adverse situation

A.6.1 Infrastructure manager sub-system requirements (pre-conditions)

A.6.1.1 None.

A.6.2 Railway undertaking sub-system requirements (pre-conditions)

A.6.2.1 The railway undertaking safety management system shall ensure that the personnel responsible for the worksite check that all personnel and equipment are clear of the protection area and in a position of safety.

A.6.3 Safety requirements at the duty-holder interface (invariant)

A.6.3.1 The lockout release can only be cancelled when all of the keys are correctly replaced in the keylock device.

A.6.3.2 Railway undertaking personnel replace all of the keys in the keylock device and advise the signaller that the release can be cancelled.

A.6.4 Infrastructure manager sub-system requirements (post-conditions)

A.6.4.1 The infrastructure manager safety management system shall ensure that the signaller is competent to safely cancel the release.

A.6.5 Railway undertaking sub-system requirements (post-conditions)

A.6.5.1 The railway undertaking safety management system shall ensure that personnel remain in a position of safety and do not re-enter the protection area after the release has been cancelled.

A.7 Boundary hazard 7: Where the number of keys available to the user exceeds the minimum number of keys required to cancel the protection, there is a possibility that protection may be given up before work is complete

A.7.1 Infrastructure manager sub-system requirements (pre-conditions)

A.7.1.1 The infrastructure manager safety management system includes a design process that provides for correct and secure configuration of the keylock device with the specified number of keys.

A.7.2 Railway undertaking sub-system requirements (pre-conditions)

A.7.2.1 The railway undertaking safety management system shall ensure that personnel only have access to the correct authorised keys.

A.7.3 Safety requirements at the duty-holder interface (invariant)

A.7.3.1 The keylock device shall be configured to ensure that a release can only be cancelled when the designated number of correctly configured keys are fully replaced.

A.7.3.2 The configuration of the keylock device can only be adjusted or reset by authorised persons.

A.7.3.3 The total number of keys within the operational system shall not exceed the number of keys required to operate the keylock device.

A.7.3.4 The keys for each instrument shall be uniquely configured to that instrument.

A.7.3.5 Railway undertaking personnel shall replace only the correct authorised keys in the keylock device.

A.7.3.6 Spare keys shall only be released by the infrastructure manager when assurance has been given that the line is clear.

A.7.3.7 Where spare keys are provided to replace lost keys, the spare keys shall be secured so that they are only used when specially authorised to replace missing or damaged keys. Spare keys shall be returned to secure storage when a missing key is found or a damaged key is repaired.

A.7.4 Infrastructure manager sub-system requirements (post-conditions)

A.7.4.1 The infrastructure manager safety management system provides a signalling system that detects that all removed keys have been replaced and determines that a release can be cancelled.

A.7.5 Railway undertaking sub-system requirements (post-conditions)

A.7.5.1 The railway undertaking safety management system shall ensure that personnel remain in a position of safety and do not re-enter the protection area after the release has been cancelled.
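The following Python model is an added illustration, not part of this standard or of any interlocking specification. It encodes the key release device invariants from 2.2.6.3 a), A.4.3.2, A.5.3.1, A.6.3.1 and A.7.3.1, and shows how boundary hazard 7 arises when a spare key is in the operational system. All class, function and identifier names are hypothetical, and keys are modelled as constructed (device identity, serial number) pairs.

```python
from dataclasses import dataclass, field


class LockoutError(Exception):
    """An operation was refused because it would breach an interface invariant."""


@dataclass
class KeyReleaseDevice:
    device_id: str        # unique keylock identity (hypothetical format)
    keys_required: int    # keys that must be locked in before a release can be cancelled
    locked_keys: set = field(default_factory=set)  # (device_id, serial) pairs in the keyway
    release_given: bool = False

    def insert(self, key):
        # 2.2.6.3 a) / A.7.3.4: only keys configured for this device are accepted.
        if key[0] != self.device_id:
            raise LockoutError("incompatible key")
        self.locked_keys.add(key)

    def give_release(self, routes_normal, overrun_protected, approach_clear):
        # A.4.3.2 a) to c): every interlocking condition must hold.
        if not (routes_normal and overrun_protected and approach_clear):
            raise LockoutError("release conditions not met")
        self.release_given = True

    def withdraw(self, key):
        # A.5.3.1: a key is released only after the release control is transmitted.
        if not self.release_given:
            raise LockoutError("no release given")
        if key not in self.locked_keys:
            raise LockoutError("key not in device")
        self.locked_keys.remove(key)

    def cancel_release(self):
        # A.6.3.1 / A.7.3.1: the designated number of keys must be locked in.
        if len(self.locked_keys) < self.keys_required:
            raise LockoutError("keys outstanding")
        self.release_given = False


def excess_keys(device, operational_keys):
    """A.7.3.3 audit: number of operational keys beyond those needed to cancel."""
    return max(0, len(operational_keys) - device.keys_required)


def cancellable_while_key_held(spare_in_operation):
    """Return True if the release can be cancelled while one user still holds a key."""
    dev = KeyReleaseDevice("LOS-EXAMPLE-1", keys_required=2)   # constructed identity
    keys = [("LOS-EXAMPLE-1", 1), ("LOS-EXAMPLE-1", 2)]
    for k in keys:
        dev.insert(k)
    dev.give_release(True, True, True)
    for k in keys:
        dev.withdraw(k)              # two users each retain a key
    dev.insert(keys[0])              # first user gives up protection
    if spare_in_operation:
        dev.insert(("LOS-EXAMPLE-1", 3))   # spare key wrongly left in operation
    try:
        dev.cancel_release()         # second user still holds keys[1]
        return True
    except LockoutError:
        return False
```

With exactly the required number of keys in operation, each retained key blocks cancellation; one surplus key removes that guarantee, which is why spare keys are held in secure storage.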

Appendix B Typical signalling lockout system

Figure 1 describes a typical signalling lockout system, including the interfaces between infrastructure managers (IM) and railway undertakings (RU).

[Figure 1 not reproduced. Elements shown on the RU side: person working on train, train, driver. Elements shown on the IM side: signaller, signalling control and display system, interlocking, key release device, key, lockout identification sign, signal. Also shown: the defined protection area, the operational communications interface, the user interfaces and the movement authority interface.]

Figure 1: Diagram of a typical signalling lockout system

Definitions

Defined protection area
The defined area within which users are to be provided with protection by the signalling lockout system.

Key
A form of guaranteed permission provided by the infrastructure manager to the railway undertaking to use the defined protection, issued by the signaller to the user via the signalling lockout system in the form of a removable, portable key (token or similar physical authority).

Key release device
A device that includes a mechanism to lock and unlock a defined number of keys available to the user, which is controlled via an interface with the controlling interlocking.

‘Lockout available’ control
The function of the interlocking, which transmits a control to the key release device to unlock a key.

Protection system
Any system that allows a user to prevent or restrict the signalling of rail traffic in some way to provide for the protection of persons on or near the line.

Signaller
For the purposes of this document, the signaller is understood to be a person in charge of train movements.

Signalling lockout system
A type of protection system that is interlocked with the signalling system to ensure that movement authorities cannot be issued into the defined protection area when the protection is being used.

User
The railway undertaking personnel requiring the protection afforded by the protection system.

References

The Catalogue of Railway Group Standards and the Railway Group Standards CD-ROM give the current issue number and status of documents published by RSSB. This information is also available from www.rgsonline.co.uk.

Documents referenced in the text

RGSC 01 The Railway Group Standards Code

Railway Group Standards

GE/RT8000 Rule Book
GE/RT8048 Positioning and Labelling of Lineside Telephones
GI/RT7006 Prevention and Mitigation of Overruns – Risk Assessment
GK/RT0011 Train Detection
GK/RT0025 Signalling Control Centres
GK/RT0060 Interlocking Principles
GK/RT0206 Signalling and Operational Telecommunications Systems: Safety Requirements
GK/RT0212 Signalling Lockout Systems to Protect Railway Undertaking Personnel


Definitions

Relevant definitions are given in Annex A, and are not reproduced here.


References

The Catalogue of Railway Group Standards gives the current issue number and status of documents published by RSSB. This information is also available from www.rssb.co.uk/railway-group-standards.

RGSC 01 Railway Group Standards Code
RGSC 02 Standards Manual

Documents referenced in the text

Railway Group Standards

GKRT0212 Signalling Lockout Systems to Protect Railway Undertaking Personnel (ceases to be in force on 01 December 2018)

RSSB documents

GKGN0612 Guidance on Signalling Lockout Systems to Protect Railway Undertaking Personnel (ceases to be in force on 01 December 2018)

Other relevant documents

Other references

CSM RA Common Safety Method for Risk Evaluation and Assessment (Commission Regulation (EU) No 402/2013)