Fundamental Requirements for Operations and Signalling (version 4)

The following fundamental requirements support the overall purpose of a signalling

system. They are an amplified set of the requirements set out in the Institution of
Railway Signal Engineers’ Signalling Philosophy Review [1]. Train control systems
include people, processes and supporting technology.

1. Core operational requirements for a train control system on the national

UK railway

1.1 The signalling system should facilitate efficient and effective use of the
infrastructure (track and stations) by trains.
[The system should meet the needs of operators in terms of- permitted train movements (normal
running; joining/splitting; platform sharing, shunting etc) ; permitted routing of trains;
capacity utilisation; and flexibility of operations].

1.2 The intrusiveness of the signalling system into the efficient and effective
running of the railway in performing its safety function should be minimised.
[The need for safety in the design of the signallin g system can conflict with the need to facilitate
efficient and effective operations. In seeking safety, designers of the system should consider the
impact that their proposed design might have on the operability of the railway].

1.3 Signalling facilities should be provided to enable trains to move when elements
of the signalling system have failed, so as to avoid over -reliance on human
intervention.
[This includes the provision of graceful degradation “degraded modes” of operation . The
arrangements should also facilitate timely recovery to normal operations after rectification of
the defect].

1.4 The reliability, availability and maintainability of the signalling system should
be sufficient for it to fulfil the operational requirements for which it is provided.

2. Fundamental safety objectives for train control systems on the national UK

railway

2.1 The level of safety performance of the system should meet specified targets.
[Targets should be commensurate with, or better than, levels of safety performance of systems
already in service, and meet the reasonable expectations of users].

2.2 Before a train is given authority to move onto the section of line:
a) the line should be proved to be secure (to prevent derailment and potential
conflict with other authorised movements), and
b) the line should be proved to be clear of other traffic (to prevent collision) ,
except in special circumstances where a train is permitted to enter an
occupied section of line, and
c) where the train is stationary at a station, all platform duties (doors closed
etc) should be completed.
[The term “secure” actually refers to a limited set of safety requirements, primarily relating to
the positions and locking of points, and the routing of other trains. The signalling system does
 not, for instance, prove that the line is clear of all physical obstructions, or that the track gauge
is correct].
[The special circumstances for movements onto occupied lines include platform sharing,
coupling of trains, permissive working of freight lines, and shunting. ].

2.3 After authority to move onto the section of the line has been given, the security
of the line should subsequently be maintained until :
a) the train has passed clear, or
b) the authority has been rescinded and it is proved that the train has come to
a stand, or has sufficient space to come to a stand, short of the start of the
section of line.

2.4 The train driver (or automatic train operation system) should be given
unambiguous, consistent and timely information that enables him (or the system)
to control his train safely.
[This covers the requirement to give the driver clear proceed/stop information; the provision of
warning information regarding the approach to a stop signal where necessary (ie caution
signals or equivalent); the provision of speed information, which may be by th e signalling
system itself, or by the use of signs, route information etc.]

2.5 Sufficient space should be provided between following trains, to allow each
train to brake to a stand safely. This space should be calculated on the
assumption that the train ahead is stationary.
[ie motorway-style driving is not allowed]

2.6 Controls should be in place to prevent and/or mitigate the consequences of:
a) drivers passing the limit of the movement authority given to them; and
b) drivers exceeding the maximum permitted speed for the train.
[This requirement covers overlaps, train protection systems, flank protection, etc. It also
includes other measures, eg. train driving procedures, driver competence etc.]

2.7 Facilities should be provided to stop a train in an emergency.

[This requirement could be met by the use of radio communication, rather than by use of the
signalling system itself; the speed and reliability with which a message can be given to a train to
stop needs to be commensurate with the risks associated with the emergency ]

2.8 Protection should be provided for the public and trains at level crossings.
[Not all level crossings are necessarily protected by the signalling system itself; in simple cases
an independent means of protection may be provided].

3. Supporting safety require ments for train control systems on the national UK
railway

3.1 The signaller should be provided with unambiguous, consistent and timely
information, and suitable control facilities, to enable safe authorisation of train
movements.
[This includes the informatio n required under failure and degraded mode conditions, so far as
possible. The term signaller also includes other personnel who may have responsibility for
authorising train movements]
3.2 The means should be provided for communication between signallers and others.
[This includes not only driver-signaller communication, but also communication, for example,
between signallers in neighbouring control centres, and between signallers and emergency
services].
[The nature of the communications systems should be appropriate for the purposes to which
they are to be put, taking into account both normal operations and failure/degraded mode
situations]

3.3 The system should have facilities for protecting engineering work and personnel
working on the track.
[This should include facilities for: preventing trains from entering sections of line where work
is taking place or where safety has been reduced as a result of engineering work ; restricting the
speed of trains; warning trackside workers of the approach of trains. All types of engineering
work are included, not just work affecting the train control system itself , and the purpose of the
protection is three-fold – to protect operational trains; to protect worksites; to protect workers ].

3.4 In the event of a failure of the signalling system, the system should remain in, or
revert to, a state which preserves the safety of trains.
[Modern signalling systems classically revert to a safe state, such as signals reverting to danger,
although this may not always be necessary, and indeed m echanical signalling systems did not do
this].

3.5 The signalling system should not be subject to, nor the cause of, unsafe
interactions with other systems and equipment.
[This includes environmental compatibility and electromagnetic compatibility. It includes both
interactions where there is an intentional interface with other systems and equipment, and
interaction where there is no interface. The “other systems and equipment” refers to other
railway infrastructure, trains and non-railway systems and equipmen t]

3.6 The system should be designed so as to facilitate maintenance and modification

of the system, so as to ensure its continuing safe operation.
[It should be possible for the maintenance activities to be performed without undue risk to either
the operational railway or the personnel carrying out the work.]

3.7 The system and the associated operating rules should be compatible with each
other.
[The system and the associated operating rules together constitute the wider train control
system. Their compatibility and completeness is essential to the safe operation of the railway
under normal, degraded and emergency conditions..]

1. Institution of Railway Signal Engineers : Signalling Philosophy Review, London, April 2001.

NOTE: Requirements do not at present in clude any controls to prevent a train being
wrongly routed onto a line with which they are not compatible.