ERTMS/ETCS Baseline 3 Onboard Subsystem Requirements: New ... Iss 1.pdf · ERTMS/ETCS Baseline 3 onboard subsystem to new rail vehicles that will operate on the GB mainline railway

Rail Industry StandardRIS-0798-CCSIssue: OneDate: September 2018

ERTMS/ETCS Baseline 3Onboard SubsystemRequirements: NewTrains

Synopsis

This document sets out the industryagreed requirements and guidance forthe GB application of the ERTMS/ETCSBaseline 3 onboard subsystem to newbuild rolling stock that will operate onthe GB mainline railway.

Copyright in the Railway Group documents is owned by RailSafety and Standards Board Limited. All rights are herebyreserved. No Railway Group document (in whole or in part)may be reproduced, stored in a retrieval system, ortransmitted, in any form or means, without the prior writtenpermission of Rail Safety and Standards Board Limited, or asexpressly permitted by law.

RSSB members are granted copyright licence in accordancewith the Constitution Agreement relating to Rail Safety andStandards Board Limited.

In circumstances where Rail Safety and Standards BoardLimited has granted a particular person or organisationpermission to copy extracts from Railway Group documents,Rail Safety and Standards Board Limited accepts noresponsibility for, nor any liability in connection with, the useof such extracts, or any claims arising therefrom. Thisdisclaimer applies to all forms of media in which extractsfrom Railway Group documents may be reproduced.

Published by RSSB

© Copyright 2018Rail Safety and Standards Board Limited

Uncontrolled when printed Document effective from 01/09/2018

Issue Record

Issue Date Comments

One 01/09/2018 Original document, derived from Digital Railwaysource document NEPT/ERTMS/REQ/0038 version2.2.

This document will be updated when necessary by distribution of a completereplacement.

Supply

The authoritative version of this document is available at www.rssb.co.uk/railway-group-standards. Enquiries on this document can be submitted through the RSSBCustomer Self-Service Portal https://customer-portal.rssb.co.uk/


ERTMS/ETCS Baseline 3 OnboardSubsystem Requirements: New Trains

Page 2 of 112 RSSB


http://www.rssb.co.uk/railway-group-standards


https://customer-portal.rssb.co.uk/

Contents

Section Description Page

Part 1 Purpose and Introduction 61.1 Purpose 61.2 Application of this Document 81.3 Health and Safety Responsibilities 81.4 Structure of this Document 81.5 Approval and Authorization 8

Part 2 ETCS Onboard Subsystem Requirements 92.1 Subsystem level requirements 92.2 Configuration management 11

Part 3 ETCS Onboard Subsystem Functionality 143.1 Braking 143.2 Traction power cut-off 163.3 ETCS onboard isolation 203.4 ETCS reset 223.5 Tandem working 253.6 Dead hauling 263.7 Multiple working 273.8 Operations in possessions 273.9 On-track machine operation 283.10 Power supply 293.11 Cab detection 313.12 Self-test 333.13 ETCS DMI 353.14 Data entry and interaction 443.15 Set Speed function 503.16 Speed display 513.17 Odometry and tachometry system 523.18 Eurobalise reader 533.19 Cold Movement Detection 543.20 Data radio 563.21 Key management 573.22 Ancillary systems 593.23 Driver training 61



RSSB Page 3 of 112


Part 4 National systems 624.1 General 624.2 AWS/TPWS 624.3 Standalone AWS/TPWS 674.4 TVM/KVB/Crocodile 684.5 CBTC 684.6 TASS 69

Part 5 Rail Vehicle Interface Requirements 735.1 Fault tolerance 735.2 Future provisions 735.3 Additional (driver training) display 755.4 ATO 76

Part 6 Installation Design 796.1 General requirements 796.2 Contamination 796.3 Vandalism and accidental damage 80

Part 7 Maintenance 817.1 General 817.2 Diagnostic tools 837.3 Failure reporting and data recording 857.4 Diagnostic information 867.5 System security 90

Part 8 Process and Procedure 948.1 System support 94

Appendices 96Appendix A Appendix A: Hazards Relevant to the ETCS Onboard Subsystem 96Appendix B Appendix B: Issues Still Under Development 101

Definitions 105

References 110



Page 4 of 112 RSSB


List of Tables

Table 1: ETCS onboard system hazards 96

Table 2: ETCS onboard subsystem: Issues under development 101



RSSB Page 5 of 112


Part 1 Purpose and Introduction

1.1 Purpose

Purpose

1.1.1 This document sets out the industry agreed requirements for the fitment of theERTMS/ETCS Baseline 3 onboard subsystem to new rail vehicles that will operate onthe GB mainline railway.

1.1.2 This document is part of a wider suite of requirements that are intended to optimisethe performance and operation of an ERTMS/ETCS railway. It is complementary tothe European Union Agency for Railways (ERA) specifications for ETCS Baseline 3Release 2, which are set out in the Control, Command and Signalling TechnicalSpecification for Interoperability (CCS TSI).

1.1.3 This document can be adopted by rolling stock owners (ROSCOs), suppliers andrailway undertakings (RUs) under their respective safety/quality management systemor when specifying products and services.

Background

1.1.4 The requirements set out in this document were developed by Digital Railway inaccordance with an industry-agreed National ETCS Requirements ManagementStrategy and Plan. The technical content is consistent with the requirementspublished in Digital Railway document NEPT/ERTMS/REQ/0038 ETCS Baseline 3 - GBOnboard New Trains Systems Requirements Specification version 2.2, July 2017 andENTOSS change request #6.

1.1.5 Some of the requirements, rationale and guidance in this RIS are identical to thecontent in RIS-0797-CCS, which was derived from NEPT/ERTMS/REQ/0007 ETCSBaseline 3 - GB Onboard Retrofit Systems Requirements Specification. In these cases,the content is referenced to NEPT/ERTMS/REQ/0007.

1.1.6 Any changes to the requirements contained within this RIS may require engagementwith Digital Railway to assess the impact of the proposed change on the rest of theETCS.

Scope

1.1.7 The requirements in this document describe the ETCS-related functionality andapplication of the ETCS onboard subsystem optimised for application on the GBmainline railway at all required levels of operation.

1.1.8 Requirements relating to Traffic Management (TM) systems, Automatic TrainOperation (ATO), the Connected Driver Advisory System (C-DAS), CombinedPositioning Alternative Signalling System (COMPASS), and ETCS Level 3 are not fullyincluded at this time.

1.1.9 Rail vehicle type specific requirements and domain knowledge for particular rollingstock fleets are not included. Those requirements are expected to be defined by theContracting Entity or their appointed Agent.



Page 6 of 112 RSSB


How these requirements are intended to be used

1.1.10 The requirements can be used in the specification of new rail vehicles thatincorporate an ERTMS/ETCS onboard subsystem.

1.1.11 Each requirement is assigned to one of the following categories, which is intended tohelp users identify which requirements to specify in contracts:

a) Normative: Conformity with the normative requirements supports technicalcompatibility of the ETCS onboard subsystem with the ETCS trackside subsystemand optimisation in relation to the GB mainline railway, or supports a subsystemfeature that is deemed to be cost effective and in the long-term interests of therailway industry. Satisfaction of normative requirements is expected to be arequirement of individual delivery contracts.

b) Application specific: Conformity with application specific requirements might notbe relevant or applicable to every implementation of an ETCS onboard subsystemto every rail vehicle. Conformity is expected where an application-specificrequirement is applicable. Conformity with application-specific requirements isexpected to be a condition of individual delivery contracts, if it is appropriate tothe implementation being considered.

c) Preferred: A requirement of lower importance which, whilst not essential, theindustry would prefer were satisfied. Conformity with preferred requirements isexpected to be a requirement of individual delivery contracts if they areconsidered within individual delivery scope.

Why conformity is necessary

1.1.12 Every requirement has a supporting rationale, which describes why conformity isnecessary. The rationales cover the following:

a) Technical compatibility; necessary to support technical compatibility with the GBmainline railway network or the route(s) on which the rail vehicle(s) will beoperated. Further requirements for route technical compatibility assessment areset out in RIS-8270-RST.

b) Integration with train operations, the rail vehicle or another CCS system; so thatthe rail vehicle is capable of being operated as part of a train on the GB mainlinerailway, including the interfaces with the train driving task.

c) Performance; necessary to support the overall performance of the railway systemin the operational context.

d) Safe integration; necessary to control one or more of the hazards listed inAppendix A.

e) Economic; necessary to realise cost efficiencies.f) Reliability; necessary to meet reliability targets.g) Availability; necessary to meet availability targets.h) Asset management; necessary to support rail vehicle asset management

processes, including maintenance, repair and faulting tasks.i) Efficiency; necessary to reduce waste and support future rail vehicle or CCS

subsystem enhancementsj) Train driver learning; necessary to support migration to an ERTMS/ETCS railway.



RSSB Page 7 of 112


Open points

1.1.13 Some of the requirements published in Digital Railway document NEPT/ERTMS/REQ/0038 ETCS Baseline 3 - GB Onboard New Train Systems Requirements Specificationversion 2.2, July 2017 are shown to be 'provisional'. These requirements describeproposed solutions that are not yet confirmed as industry agreed requirements.

1.1.14 This document incorporates provisional requirements as 'open points'. Informationabout each provisional requirement is included as guidance so that a Proposer mayuse the provisional requirement in deciding what action is needed to close the openpoint.

1.1.15 Appendix B provides further information about the open points and other knownopen issues relevant to the ETCS onboard subsystem requirements.

1.2 Application of this Document

1.2.1 Compliance requirements and dates have not been specified because these are thesubject of internal procedures or contract conditions.

1.2.2 If you plan to do something that does not comply with a requirement in this RIS, youcan ask a Standards Committee to comment on your proposed alternative. If youwant a Standards Committee to do this, please submit your deviation applicationform to RSSB. You can find further advice in the ‘Guidance to applicants andmembers of Standards Committee on using alternative requirements’, available fromRSSB’s website www.rssb.co.uk.

1.3 Health and Safety Responsibilities

1.3.1 Users of documents published by RSSB are reminded of the need to consider theirown responsibilities to ensure health and safety at work and their own duties underhealth and safety legislation. RSSB does not warrant that compliance with all or anydocuments published by RSSB is sufficient in itself to ensure safe systems of work oroperation or to satisfy such responsibilities or duties.

1.4 Structure of this Document

1.4.1 This document sets out a series of requirements that are sequentially numbered. Thisdocument also sets out the rationale for the requirement, explaining why therequirement is needed and its purpose and, where relevant, guidance to support therequirement. The rationale and the guidance are prefixed by the letter ‘G’.

1.4.2 Some subjects do not have specific requirements but the subject is addressed throughguidance only and, where this is the case, it is distinguished under a heading of‘Guidance’ and is prefixed by the letter ‘G’.

1.5 Approval and Authorization

1.5.1 The content of this document was approved by Control Command and SignallingStandards Committeeon 05 July 2018.

1.5.2 This document was authorised by RSSB on 30 July 2018.



Page 8 of 112 RSSB


http://www.rssb.co.uk

Part 2 ETCS Onboard Subsystem Requirements

2.1 Subsystem level requirements

2.1.1 ETCS onboard subsystem: Technical compatibility with ETCS trackside subsystems

2.1.1.1 The ETCS onboard subsystem shall be fully compliant with the mandatoryspecifications for ETCS Baseline 3 Release 2, listed in (EU) 2016/919 CCS TSI AnnexA, Table A 2.3. (Normative)

Rationale

G 2.1.1.2 Network technical compatibility: The ETCS comprises the trackside subsystem andonboard subsystems, which have to be compatible in order for the system to operatecorrectly.

G 2.1.1.3 Integration with train operations: An ETCS onboard subsystem that is incompatiblewith the ETCS trackside subsystem might not be capable of being integrated into theGB mainline railway.

Guidance

G 2.1.1.4 It is planned to fit the GB mainline railway with the ETCS trackside subsystem againstBaseline 3 Release 2 of the ETCS specifications.

G 2.1.1.5 Previous releases of the Baseline 3 specifications might not be forward compatiblewith Baseline 3 Release 2. If the infrastructure on the route where the rail vehicle willbe operated does not support compatibility with a current legal version of the ETCSonboard subsystem, the contract may specify an alternative version of the ETCSonboard subsystem.

G 2.1.1.6 This requirement is derived from NEPT/ERTMS/REQ/0007 version 3.2 EOSS-1.

2.1.2 ETCS onboard subsystem: Reliability and availability targets

2.1.2.1 The ETCS onboard subsystem shall, as a minimum, meet the Mean Time BetweenService Affecting Failure (MTBSAF) targets for the onboard subsystem, specified inthe ERTMS Reliability Specification NR/AM/SA/SPE/00147. (Normative)

Rationale

G 2.1.2.2 Reliability & Availability: The MTBSAF achieved by the ETCS onboard subsysteminfluences the overall reliability and availability of the ETCS.

G 2.1.2.3 Integration with train operations: An unreliable ETCS onboard subsystem is apotential hazard, which would need to be managed as part of the process of safeintegration of an ETCS fitted rail vehicle into the GB mainline railway.

Guidance

G 2.1.2.4 NR/AM/SA/SPE/00147 defines the reliability, availability and maintainability targetsfor the ETCS, which are then apportioned to the respective elements of the onboardand trackside sub-systems.



RSSB Page 9 of 112


G 2.1.2.5 Meeting the MTBSAF targets specified in NR/AM/SA/SPE/00147 means that the ETCSonboard subsystem will be at least as reliable as the existing Class B systems used onthe GB mainline railway. Any increase in failures associated with an ETCS onboardsubsystem might result in overall performance losses in conventionally signalled orETCS overlay areas.

G 2.1.2.6 Hours operating in Isolation (IS) will not be counted as contributing to the MTBSAFrequirements.


2.1.3 ETCS onboard subsystem: Maximum time from No Power (NP) to Standby (SB)

2.1.3.1 The ETCS onboard subsystem shall take no more than 60 s to go from No Power (NP)to being ready to accept data entry in Standby (SB) (Status S0). (Normative)

Rationale

G 2.1.3.2 Availability: The time taken to initialise the ETCS onboard subsystem has operationalimplications, for example, it influences how long it takes to make a train ready tostart a new journey when it reverses at a terminal station.

G 2.1.3.3 Performance: Significantly increasing the time taken to make trains ready to startcould impact on the ability to deliver the train timetable.

Guidance

G 2.1.3.4 The 60 s limit includes all of the time needed to undertake any self-test functionswhen the ETCS onboard subsystem is operating correctly.

G 2.1.3.5 This time value is applicable to both ETCS Start of Mission (SoM), when the railvehicle is being powered-up, and after an ETCS reset when the ETCS onboardsubsystem has been de-powered and re-powered manually (as a result of systemfailure or otherwise).

G 2.1.3.6 Status S0 is defined within Subset-026 Chapter 5.


2.1.4 ETCS onboard subsystem: Maximum time to Standby (SB)

2.1.4.1 Upon cab closure, the ETCS onboard subsystem shall take no more than 5 s to enterSB from any other available mode, when all other necessary conditions for thetransition are met. (Normative)

Rationale

G 2.1.4.2 Performance: Significantly increasing the time taken to enter SB would bedetrimental to system performance.



Page 10 of 112 RSSB


Guidance

G 2.1.4.3 Closing the cab when in an operational mode (Full Supervision (FS), Staff Responsible(SR), On Sight (OS) etc.) will cause the ETCS onboard subsystem to transition back toSB.

G 2.1.4.4 Passive Shunt (PS) can be enabled after desk closure.


2.1.5 ETCS onboard subsystem: Level 3 capability

2.1.5.1 The ETCS onboard subsystem shall be capable of operating in ETCS Level 3.(Normative)

Rationale

G 2.1.5.2 Economic: Including ETCS Level 3 capability when the ETCS onboard subsystem isfitted to a rail vehicle will provide efficiencies and simplify the migration path to ETCSLevel 3 operations.

G 2.1.5.3 The Digital Railway includes ETCS Level 3 within its future migration states.

Guidance

G 2.1.5.4 ETCS Level 3 will require on-board train integrity proving systems. It is expected thatthese systems will be Safety Integrity Level (SIL) 4 compliant. Whilst developing aTrain Integrity Monitoring System (TIMS) for mixed formation trains might bedifficult, it is expected that locomotives fitted with an ETCS Onboard system that areused for mixed formation trains will facilitate simple connection of TIMS at a laterdate.

G 2.1.5.5 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-10.

2.2 Configuration management

2.2.1 ETCS onboard subsystem: LRU labelling

2.2.1.1 The part number, serial number and modification version of all line-replaceable units(LRUs) shall be labelled. (Normative)

2.2.1.2 The label shall be positioned so that the information can be read with the LRUinstalled in its normal operating position. (Normative)

Rationale

G 2.2.1.3 Asset management: Maintenance and faulting staff read the label to understand themodification version of the LRU installed in the rail vehicle.

Guidance

G 2.2.1.4 The modification version of an LRU will relate to its software, firmware, hardware andparameter versions, as appropriate. Recording this modification version on LRUs



RSSB Page 11 of 112


should assist in distinguishing between LRUs during replacement activities or duringstorage.


2.2.2 ETCS onboard subsystem: LRU identification

2.2.2.1 The part number, serial number and modification version of all software driven linereplaceable units (LRUs) shall be available to be viewed electronically. (Preferred)

Rationale

G 2.2.2.2 Asset management: The ability to display the configuration of the LRUs allows forrapid verification of the modification state; this is particularly useful during amodification programme.

Guidance

G 2.2.2.3 Such functionality could be provided using either:

a) the ETCS onboard systemb) an integrated solution using the onboard train management system.

G 2.2.2.4 'Software driven' LRUs include all equipment that can feasibly report its status to thetrain, but excludes 'hardware-only' LRUs without such intelligence.


2.2.3 ETCS onboard subsystem: Configurable data

2.2.3.1 The ETCS onboard subsystem shall be implemented so that a railway undertaking(RU) authorised person can modify the configurable data that describes theperformance and dimensions of the rail vehicle or train. (Normative)

Rationale

G 2.2.3.2 Asset management: The RU is responsible for maintaining the relevant configurableparameters within the rail vehicle or train data and presets, so that they remainconsistent with the technical and operational parameters of the rail vehicle or train.The ETCS onboard subsystem includes functionality to allow this to be done.

Guidance

G 2.2.3.3 Rail vehicles or trains can be modified, and their operations can be amended, over thecourse of their life.

G 2.2.3.4 An RU authorised person (for example, a maintainer) needs a facility to amendrelevant parameters within the train data and presets. It is not expected that thetrain driver will be able to do this through train data entry.

G 2.2.3.5 Permanent modifications that might require a change to parameters within the traindata and presets include, for example:

a) Re-gearing a locomotive, which can change its maximum design speed.



Page 12 of 112 RSSB


b) Adding extra equipment, which might affect axle loadings.

G 2.2.3.6 Some train operations might require a temporary modification of parameters withinthe train data, for example, adjusting the front end position of the train to accountfor a snow plough, or an officer’s saloon being propelled.


2.2.4 ETCS onboard subsystem: Train data modification

2.2.4.1 It shall be possible to configure the range of values over which an authorised personcan modify the ETCS train data. (Normative).

Rationale

G 2.2.4.2 Safe integration: This is to prevent hazards caused by an authorised person mis-entering data (extra digit, incorrect decimal point position etc).

G 2.2.4.3 This requirement is used to control Hazard OB-H008.

Guidance

G 2.2.4.4 This requirement relates to the modification of data within the European VitalComputer (EVC). It does not apply to data amended by the train driver using theETCS DMI.

G 2.2.4.5 Whilst flexibility to amend train data is needed, freedom to enter values which areoutside of realistic or safe bounds is prevented, to avoid problems caused by mis-entered data.




RSSB Page 13 of 112


Part 3 ETCS Onboard Subsystem Functionality

3.1 Braking

3.1.1 ETCS onboard subsystem: Service brake application

3.1.1.1 The ETCS onboard subsystem shall be able to apply the service brake. (Normative)

Rationale

G 3.1.1.2 Integration with train operations: A brake application can be invoked as part oftrackside braking reactions (for example, M_NVCONTACT). Non-provision of theservice brake interface would result in an emergency brake application, which is anexcessive response that the train driver cannot avoid. The service brake interfaceavoids such scenarios.

Guidance

G 3.1.1.3 The conditions under which the ETCS can command a service brake application canbe configured using National Values. Default Values are specified in the CCS TSI.

G 3.1.1.4 The GB implementation of ETCS will inhibit the service brake application for targetspeed monitoring, but allow it for ceiling speed monitoring. In doing so, the First Lineof Intervention (FLOI) in target speed monitoring will be enforced by the emergencybrake and will occur later than if the service brake is enabled. This mitigates thepotential performance loss associated with the service brake intervention curve beingmore restrictive than the emergency brake.

G 3.1.1.5 The ETCS onboard subsystem can be interfaced with the rail vehicle service brake, sothat the ETCS can command its application when required. This interface is optionalwithin the System Requirement Specification (SRS) (Subset-26); however, it isbeneficial to train operations on the GB mainline railway and will be implemented.


3.1.2 ETCS onboard subsystem: Service brake application rate

3.1.2.1 A service brake application initiated by the ETCS onboard subsystem shall be appliedat a rate, and with a response time equivalent to that achieved by a train driver-initiated full service brake application. (Normative)

Rationale

G 3.1.2.2 Integration with train operations: The braking response time and application rateinfluences the total train stopping distance (and time).

G 3.1.2.3 Applying the service brake too abruptly can cause injury, buffer locking, and damageto on-train equipment or freight payloads.

Guidance

G 3.1.2.4 The ETCS brake model and parameters are defined within the Technical Specificationfor Interoperability (TSI) requirements. However, the method of interfacing the ETCS



Page 14 of 112 RSSB


to the rail vehicle or train is specific to the type or class. The rate chosen will take intoaccount the effects of any enhanced service braking system.


3.1.3 ETCS onboard subsystem: Emergency brake application rate

3.1.3.1 An emergency brake application initiated by the ETCS onboard subsystem shall beapplied at a rate, and with a response time, equivalent to that achieved by a traindriver initiated emergency brake application. (Normative)

Rationale

G 3.1.3.2 Integration with train operations: Applying the emergency brake too abruptly mayresult in passenger and staff injury, buffer locking and damage to on-train equipmentor freight payloads.

G 3.1.3.3 Safe integration: The braking response time and application rate influences the totaltrain stopping distance (and time).

G 3.1.3.4 This requirement is used to control Hazards OB-H016a and OB-H016b.

Guidance

G 3.1.3.5 The rate achieved through this interface provides equivalence that which a traindriver can achieve from an emergency brake application. The method of interfacingthe ETCS to the rail vehicle or train is specific to the type or class.

G 3.1.3.6 The rate chosen will take into account the effects of any enhanced emergencybraking where that system provides a guaranteed application under emergency brakeapplications.


3.1.4 ETCS onboard subsystem: Derivation of service and emergency braking rates

3.1.4.1 The service and emergency braking rates used within the ETCS brake model shall bemodified automatically from detection of the operational status of any special brakesystems used. (Preferred)

Rationale

G 3.1.4.2 Integration with train operations: To enable the most accurate braking rate input tothe ETCS brake model.

Guidance

G 3.1.4.3 Special brakes include any regenerative, eddy current or magnetic shoe brakes thatwill operate on the rail vehicle.




RSSB Page 15 of 112


3.1.5 ETCS onboard subsystem: ETCS Kdry value

3.1.5.1 The train brake system shall have an ETCS Kdry (99%) value in excess of 0.95 at allspeeds. (Preferred)

Rationale

G 3.1.5.2 Performance: A higher value of Kdry results in better performance under the ETCS.

Guidance

G 3.1.5.3 The tolerance and reliability of the brake system is captured within the ETCSparameter Kdry, which has a direct impact on the assumed deceleration of the train.


3.1.6 ETCS onboard subsystem: ETCS Kwet value

3.1.6.1 The train brake system shall have an ETCS Kwet value in excess of 0.85 at all speeds.(Preferred)

Rationale

G 3.1.6.2 Performance: A higher Kwet value results in better performance under the ETCS.

Guidance

G 3.1.6.3 The braking performance of the train under representative wet rail conditions (asprescribed by EN15595) has a direct impact on the assumed deceleration of the train.


3.2 Traction power cut-off

3.2.1 ETCS traction power cut-off command

3.2.1.1 The traction power cut-off command and interface referenced in Subset-026 Section3.13.2.2.8 shall be implemented. (Normative)

Rationale

G 3.2.1.2 Performance: Implementing the traction power cut-off command and interface isintended to mitigate the performance impact that would arise from delays in cuttingoff traction after an ETCS intervention.

Guidance

G 3.2.1.3 The ETCS onboard subsystem may be directly interfaced with the traction system orvia the on-board Train Management System, provided this has an appropriate safetyand security integrity level, and that minimal delay is introduced.




Page 16 of 112 RSSB


3.2.2 ETCS traction power cut-off when operating in multiple

3.2.2.1 The traction power cut-off command shall cut power to all traction units operating inmultiple within the train. (Normative)

Rationale

G 3.2.2.2 Integration with train operations: So that, if the braking curves are calculated on thebasis of a traction power cut-off being implemented, they are correct for the trainwhen traction units are operating in multiple.

Guidance

G 3.2.2.3 In the same way as for a train driver-initiated removal of traction power, the cut-offcommand removes traction power from all rail vehicles operating in multiple underthe control of a single train driver within the train. This is expected to be achievedthrough existing rail vehicle functionality.


3.2.3 ETCS traction power cut-off rate

3.2.3.1 Rail vehicle traction shall be cut in response to the traction cut-off command from theETCS onboard subsystem at a rate equivalent to a train driver-initiated command.(Normative)

Rationale

G 3.2.3.2 Integration with train operations: Cutting the traction power from full effort to zeroquickly will assist train performance; however doing so abruptly, when the train passesthe ETCS warning limit, might result in personal injury, power unit overspeed trips,buffer locking, or damage to on-train equipment or freight payloads.

Guidance

G 3.2.3.3 The equivalent rate of traction cut-off achieved by train drivers can depend upon thetraction type and human reaction delays. The time taken to initiate a traction cut-offwill ignore any train driver reaction delays.

G 3.2.3.4 It is envisaged that conformity with this requirement will be achieved through designof the ETCS interface to the rail vehicle braking systems, not via bespoke on-boardcommands.


3.2.4 Using ETCS to limit traction current demand

3.2.4.1 The rail vehicle traction system shall be configured to respond to track condition datafrom the ETCS Onboard subsystem to limit the traction current demand. (Applicationspecific)



RSSB Page 17 of 112


Rationale

G 3.2.4.2 Integration with rail vehicle traction systems: The rail vehicle can be operated on lineswhere the ETCS trackside system is used to provide track condition data to a train tolimit the traction current demand from the ENE system.

Guidance

G 3.2.4.3 This function prevents traction systems drawing excessive current from theinfrastructure traction power supply system; it simplifies the implementation of newstock on routes where the traction supply requires upgrade without then inhibitingrolling stock performance on other route sections.

G 3.2.4.4 Packet 40 (change of allowed current consumption) or Packet 44 (external data) willbe used to provide track condition data to vehicle systems to limit the traction currentthat can be consumed.

G 3.2.4.5 3.22.1 sets out further requirements for conveying track-condition information andexternal data using ETCS data packets.


3.2.5 'Change of traction system’ announcement

3.2.5.1 For manual traction changeover systems, the ‘change of traction system’announcement shall be displayed on the ETCS Driver Machine Interface at a time sothat the train driver can complete the task of switching over to the correct tractionsystem before the train reaches the traction changeover boundary. (Applicationspecific)

Rationale

G 3.2.5.2 Integration with train operations: The train driver needs enough time to complete thetraction changeover task before the train reaches the changeover boundary.

Guidance

G 3.2.5.3 The announcement provides the train driver with the information needed tounderstand the traction changeover task that needs to be performed. The timing ofthe announcement takes account of the train driving task at that location, including:

a) the time needed for the train driver to complete any traction changeoverfunctions in the operational context

b) the traction power equipment switchover requirements.

G 3.2.5.4 This requirement implies a site specific assessment because the time needed by thetrain driver is influenced by the operational context.

G 3.2.5.5 It is expected that the ‘change of traction system’ announcement will be displayed atleast 5 seconds before the switchover location is reached.




Page 18 of 112 RSSB


3.2.6 Using ETCS to inhibit traction power regeneration

3.2.6.1 The rail vehicle traction system shall be configured to respond to track condition datafrom the ETCS Onboard subsystem to inhibit traction power regeneration.(Application specific)

Rationale

G 3.2.6.2 Integration with rail vehicle traction systems: The rail vehicle can be operated on lineswhere the ETCS trackside system is used to provide track condition data to a train toinhibit traction power regeneration on routes where the traction supply is notdesigned for regeneration without then inhibiting the regeneration function on otherroute sections. This provides greater opportunity to derive business benefits from theregenerative function of the train.

Guidance

G 3.2.6.3 Packet 68 (track conditions) or Packet 44 (external data) can provide track conditiondata to vehicle systems to prevent the traction system from regenerating electricityunder braking and feeding that back into the Overhead Line Equipment (OLE) / 3rdrail.

G 3.2.6.4 3.22.1 sets out further requirements for conveying track-condition information andexternal data using ETCS data packets.


3.2.7 ETCS DMI: displayed symbols

3.2.7.1 The ETCS Driver Machine Interface (DMI) shall only display symbols that are relevantto the traction type and braking systems available for use on, or currently in use by,the train (Normative).

Rationale

G 3.2.7.2 Integration with train operations: Presenting information on the ETCS DMI that is un-necessary or irrelevant to the train driving task would increase train driver workload.

Guidance

G 3.2.7.3 The ETCS onboard subsystem has the capability of displaying all specified symbols.

G 3.2.7.4 ERA_ERTMS_015560 contains symbols that are displayed to the train driver whentrack conditions change, for example: lowering of pantograph, change of tractionsystem, inhibition of regenerative brake. Displaying these symbols is needed onlywhen they are applicable to the operational context at that location and time.

G 3.2.7.5 Some trains are capable of operating with multiple traction sources, for example, 750V DC and 25 kV AC, or 25 kV AC and diesel.




RSSB Page 19 of 112


3.3 ETCS onboard isolation

3.3.1 ETCS isolation control

3.3.1.1 An ETCS isolation control shall be provided for the train driver to place the ETCSonboard subsystem into IS. (Normative)

Rationale

G 3.3.1.2 Integration with train operations: The ETCS onboard subsystem will sometimes needto be physically isolated from other rail vehicle equipment and systems (for example,the braking system).

Guidance

G 3.3.1.3 The isolation control may be a switch, button, Train Management System function, oranother facility of the appropriate safety and security integrity level.

G 3.3.1.4 The requirements for the ETCS isolation switch are set out in Subset-026 section 4.4.3and Railway Group Standard GMRT2185 section B5.

G 3.3.1.5 Some trains use a ‘Safety Systems Isolated’ indicator, provided in the cab, to complywith the requirements set out in GMRT2185 for visibility of isolation status. Isolationof the ETCS onboard subsystem should be indicated to the train driver, but not in sucha way as to make the train unfit for service.

G 3.3.1.6 Locating the isolation control so that it is out of reach of the train driver in the normaldriving position can be used to prevent ETCS onboard subsystem isolation whilst thetrain is moving.

G 3.3.1.7 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-23

3.3.2 ETCS isolation control provision

3.3.2.1 The ETCS isolation control shall be provided within each driving cab. (Applicationspecific)

Rationale

G 3.3.2.2 Integration with train operations: The train driver uses the isolation control to isolatethe ETCS onboard subsystem without leaving the driving cab.

Guidance

G 3.3.2.3 Though provision is made to allow the isolation of the ETCS onboard subsystem fromany cab, it should only be functional in the active cab. The isolation control will belocated beyond the reach of the driver when in the normal driving position.


3.3.3 ETCS isolation control function

3.3.3.1 The ETCS isolation control shall only act upon one ETCS onboard subsystem.(Normative)



Page 20 of 112 RSSB


Rationale

G 3.3.3.2 Performance: This is to retain the ability for ETCS operation from a non-isolated cabon trains that have more than one ETCS onboard subsystem. This allows normaloperation for certain recovery moves following failure (that is, if one ETCS onboardsubsystem fails and a second is available in a different cab, then any recovery movesperformed from that cab can still be done under ETCS control).

Guidance

G 3.3.3.3 Where a rail vehicle is fitted with more than one European Vital Computer (EVC) (e.g.long trains where the economics dictate that to be the most effective option), thenoperation of the isolation control should only act upon a single ETCS onboardsubsystem. This retains the ability for ETCS operation from the remaining non-isolated cab.


3.3.4 ETCS de-isolation control key

3.3.4.1 A controlled method of de-isolating the ETCS onboard subsystem shall be used.(Normative)

Rationale

G 3.3.4.2 Integration with train operations: After the ETCS onboard subsystem has beenisolated from the other rail vehicle equipment and systems, the key is a part of thecontrolled method to ensure that ETCS de-isolation is only performed by anauthorised person.

G 3.3.4.3 Safe integration: This requirement is used to control Hazard OB-H002.

Guidance

G 3.3.4.4 In this context, a controlled key is one whose distribution can be restricted to onlythose who require it (for example, the maintainer, but not the train driver). A 'T' keyor a train driver’s key does not meet the criteria of a controlled key.

G 3.3.4.5 The RU will decide who is authorised to de-isolate the ETCS, and is subsequentlyissued with the controlled key or code.


3.3.5 ETCS de-isolation process

3.3.5.1 De-isolation of the ETCS onboard subsystem shall not require complex procedures.(Normative)

Rationale

G 3.3.5.2 Integration with train operations: Complexity is a cause of human error. A de-isolation process that is familiar and easy to follow is more likely to result in thedesired outcome.



RSSB Page 21 of 112


Guidance

G 3.3.5.3 De-isolation of the ETCS onboard subsystem could use a mechanical key, anelectronic key, or a reset code.

G 3.3.5.4 De-isolation procedures that require configuration (for example, using a laptopcomputer), or take excessive time to perform, are undesirable . The mechanism to de-isolate the ETCS should be no more complex than that used to de-isolate any Class Bsystems.


3.3.6 Train operation in IS

3.3.6.1 It shall be technically possible to operate the train indefinitely in revenue-earningservice, in ETCS overlay and unfitted areas, with the ETCS onboard subsystem in IS.(Application specific)

Rationale

G 3.3.6.2 Integration with train operations: In some cases it is necessary to operate a train withthe ETCS onboard subsystem isolated.

Guidance

G 3.3.6.3 To facilitate or support continued service operation in IS, on infrastructure equippedwith lineside signals and alternative train protection systems, Class B train protectionsystems need to remain available when the ETCS is isolated.

G 3.3.6.4 Considerations include:

a) How conformity with this requirement can be achieved when the Class B trainprotection system is integrated into the ETCS DMI.

b) The positioning and size of the speedometer so that the train driver can use it forcontinuous operation.

G 3.3.6.5 This requirement does not infer that indefinite operation in IS is either commerciallyacceptable or the intended approach for operation on non-ETCS fitted infrastructure.


3.4 ETCS reset

3.4.1 ETCS reset control

3.4.1.1 The ETCS onboard subsystem shall include a reset control that allows the train driverto remove and reinstate power to the ETCS in order to force the system to transitionto NP and then SB. (Normative)

Rationale

G 3.4.1.2 Performance: The reset function is intended to provide an efficient means of resettingthe ETCS onboard subsystem in the event of a failure, without the need to shut downand restart other systems on the rail vehicle.



Page 22 of 112 RSSB


Guidance

G 3.4.1.3 It is envisaged that the reset control will remove the power for a short duration. Thereset control will not remain in the 'off' position. A self-restoring switch could be usedto provide this function.


3.4.2 ETCS reset method

3.4.2.1 Special tools or equipment shall not be necessary to reset the ETCS onboardsubsystem. (Normative)

Rationale

G 3.4.2.2 Integration with train operations: Resetting the ETCS onboard subsystem using asingle control, that does not affect anything else, avoids unnecessary performanceimplications.

Guidance

G 3.4.2.3 This requirement applies to all ETCS onboard subsystem reset controls.


3.4.3 ETCS reset control

3.4.3.1 Resetting the ETCS onboard subsystem shall not necessitate operation of any otherrail vehicle systems. (Normative)

Rationale

G 3.4.3.2 Integration with train operations: Resetting the ETCS onboard subsystem using asingle control that does not affect anything else avoids unnecessary performanceimplications.

Guidance

G 3.4.3.3 This requirement can be met by providing a dedicated ETCS onboard subsystem resetcontrol, which could be a function that removes power from the ETCS onboardsubsystem only (for example, a switch, button, Train Management System option).

G 3.4.3.4 Use of other functions or operations that simultaneously remove power from theETCS and other rail vehicle systems (e.g. open the battery switch, power masterswitch) are not preferred because they could extend the time taken to restore thevehicle to a condition where it is ready to be moved or cause inconvenience topassengers.


3.4.4 ETCS reset control protection

3.4.4.1 The ETCS reset control shall be protected against accidental operation. (Normative)



RSSB Page 23 of 112


Rationale

G 3.4.4.2 Integration with train operations: Resetting the ETCS onboard subsystem when thetrain is being driven would constitute a breach of the Railway Safety Regulations1999 if it resulted in a train being operated without a functional train protectionsystem. It could also result in the train driver not being presented with informationnecessary for the train driving task, increasing the likelihood of error or hazardoussituations.

G 3.4.4.3 Safe integration. Accidental reset of the ETCS onboard subsystem during theoperation of a train would affect performance and increase risk.


Guidance

G 3.4.4.5 Example design solutions to prevent accidental use include:

a) In the case of a physical switch, providing a safety cover.b) In the case of a virtual control, incorporating a prompt for the train driver to

confirm that a reset in needed.


3.4.5 ETCS reset control provision

3.4.5.1 The ETCS reset control shall be provided in each cab and shall only be functional inthe active cab. (Normative)

Rationale

G 3.4.5.2 Integration with train operations: The train driver needs to be able to reset the ETCSwithout leaving the active cab.

Guidance


3.4.6 ETCS reset control position

3.4.6.1 It shall not be possible for the train driver to reset the ETCS onboard subsystem whilstthe rail vehicle or train is in motion (Normative).

Rationale

G 3.4.6.2 Integration with train operations. Resetting the ETCS onboard subsystem when atrain is being driven could increase risk.

Guidance

G 3.4.6.3 Inhibiting the ETCS reset function when the train is moving can also prevent improperuse.




Page 24 of 112 RSSB


3.4.7 ETCS reset action

3.4.7.1 Each ETCS Onboard subsystem shall be reset independently (Normative)

Rationale

G 3.4.7.2 Integration with train operations: The ETCS reset function is used to reset an ETCSonboard subsystem that has failed. In this case, there is no need to reset more thanone subsystem at a time.

Guidance

G 3.4.7.3 In most cases, the need to reset the ETCS onboard subsystem should be limited to asingle ETCS onboard subsystem. Where a train is fitted with more than one EVC (forexample, long trains where the economics dictate that to be the most effectiveoption), operation of the ETCS reset control should act upon only one of the ETCSonboard subsystems.

G 3.4.7.4 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-37A.

3.4.8 ETCS reset data recording

3.4.8.1 Operation of the ETCS reset control shall be recorded on the rail vehicle data recorder.(Normative)

Rationale

G 3.4.8.2 Integration with train operations: The use of the ETCS reset control is recorded tosatisfy RIS-2472-RST.

Guidance

G 3.4.8.3 RIS-2472-RST sets out the requirements for the data to be recorded. In this context,‘data recorder’ may be the juridical recorder unit (JRU), existing on-train monitoringand recording (OTMR) equipment, or combined JRU/OTMR equipment.


3.5 Tandem working

3.5.1 ETCS interface: 'allow non-leading mode'

3.5.1.1 The ‘allow non-leading mode’ vehicle interface shall be implemented. (Applicationspecific)

Rationale

G 3.5.1.2 Integration with train operations: The ‘allow non-leading mode’ rail vehicle interfaceenables the Non-Leading (NL) function, which will be used for tandem working,banking and rescue operations.



RSSB Page 25 of 112


Guidance

G 3.5.1.3 Implementing the ‘allow non-leading mode’ rail vehicle interface on locomotivesworking in variable consist trains is highly recommended. Providing this interface onother types of rail vehicle might also be an advantage.


3.5.2 ETCS interface: 'passive shunting permitted'

3.5.2.1 The ETCS ‘Passive Shunting Permitted’ interface shall be implemented. (Applicationspecific)

Rationale

G 3.5.2.2 Integration with train operations: The ‘passive shunting permitted’ interface enablesthe PS function, which will be used for 'top and tail' working where the trailinglocomotive is unmanned yet left running.

Guidance

G 3.5.2.3 Implementing the ‘passive shunting permitted’ rail vehicle interface on locomotivesworking in variable consist trains is highly recommended. Providing this interface onother types of rail vehicle might also be an advantage.


3.6 Dead hauling

3.6.1 ETCS interfaces : dead hauling rail vehicles

3.6.1.1 It shall be possible to move the rail vehicle in No Power (NP). (Normative).

Rationale

G 3.6.1.2 Integration with train operations: Dead hauling of rail vehicles is sometimes used tomove a failed train, or to transit the rail vehicle over certain routes.

Guidance

G 3.6.1.3 This requirement can be met if the brakes can be released and the rail vehicle can bemoved without requiring power to the ETCS onboard subsystem, or isolation of theETCS onboard subsystem.

G 3.6.1.4 GERT8000 Rule Book Module TW1 sets out the operating requirements for trains thatincorporate dead locomotives or units. Isolating the brakes so that they do notfunction is not an acceptable solution.

G 3.6.1.5 Subset 026 clause 4.4.4.3.3 states: ‘If it is required to move a loco in No Power (NP) asa wagon, ETCS brake command must be overridden by external means’.




Page 26 of 112 RSSB


3.7 Multiple working

3.7.1 ETCS interfaces: multiple working

3.7.1.1 The ETCS onboard subsystem shall not prevent multiple working between electricallycoupled rail vehicles or units. (Normative)

Rationale

G 3.7.1.2 Integration with train operations: Train operations on the mainline railwaysometimes rely on working in multiple.

Guidance

G 3.7.1.3 Where the rail vehicle is capable of coupling electrically to another, the trailing unit(s)operates in Sleeping (SL) in order to move the train. The transition to SL is dependentupon the ‘Sleeping requested’ signal being received.


3.7.2 Operation of trains when the ETCS is not operating in a trailing unit

3.7.2.1 An isolated or failed ETCS Onboard subsystem in a trailing coupled unit shall notadversely impact the operation of the train. (Normative)

Rationale

G 3.7.2.2 Integration with train operations: It would be detrimental to service operation for afailed ETCS onboard subsystem in a trailing coupled unit to prevent the operation ofthe train where the train is being supervised by the ETCS onboard subsystem in theleading rail vehicle.

Guidance

G 3.7.2.3 When the ETCS onboard subsystem in the leading unit is supervising the operation ofthe train, the fact that the trailing unit incorporates an isolated or failed ETCSonboard subsystem does not impact on the capability of the train to be safelyoperated. It should be possible for a unit with a failed ETCS onboard subsystem toprovide traction power to the train if demanded by the leading unit, and not tointerfere with the control from the leading unit.


3.8 Operations in possessions

3.8.1 ERTMS/ETCS Level 0

3.8.1.1 The ETCS onboard subsystem default list for supported levels shall be configured sothat Level 0 is enabled. (Normative)



RSSB Page 27 of 112


Rationale

G 3.8.1.2 Integration with train operations: This is necessary so that Level 0 can be selected bythe train driver when the trackside supported level is not available onboard. Thedefault list is configured onboard.

Guidance

G 3.8.1.3 The default list configured onboard is used when trackside supported levels are notavailable; the relevant requirement is set out in the ETCS Driver Machine InterfaceSpecification clause 11.3.2.8.


3.9 On-track machine operation

3.9.1 ETCS functionality on OTMs

3.9.1.1 When an on-track machine (OTM) is changed into working mode, it shall cause theETCS Onboard subsystem to enter Sleeping (SL). (Normative)

Rationale

G 3.9.1.2 Efficiency: SL enables the OTM to be moved when in working mode, without the needto isolate the ETCS onboard subsystem.

Guidance

G 3.9.1.3 The ETCS onboard subsystem is not required to control movements when anengineering train is in working mode.

G 3.9.1.4 Transition to SL will automatically be initiated when the ETCS onboard subsystemdetects that a driving desk in a coupled engineering train has been opened.

G 3.9.1.5 If the ETCS sub-system is put into Standby (SB), the OTM would be prevented frommoving by the ETCS onboard subsystem.

G 3.9.1.6 'Working mode' in this context refers to OTM functionality; it is not an ETCS mode.When some OTMs are in working mode, within a possession, both driving cabs areclosed and the OTM operator uses a separate workstation (for example, an unslungcab or platform), from which the OTM may be moved.


3.9.2 ETCS functionality on OTMs

3.9.2.1 It shall not be necessary to isolate the ETCS onboard subsystem when an OTM isperforming its intended track maintenance functions. (Application specific)

Rationale

G 3.9.2.2 Integration with train operations: Some OTMs are authorised to work outside of apossession. In this case, the expectation is that the OTM will operate with the ETCS inShunting (SH) Mode.



Page 28 of 112 RSSB


G 3.9.2.3 Efficiency: Isolating the ETCS onboard subsystem when an OTM is performing itsintended track maintenance functions within a possession, the requirement for anauthorised person to be available to de-isolate the ETCS onboard subsystem and theadditional time needed to restart the system might result in delays to the OTM beingable to clear the line for traffic.


Guidance

G 3.9.2.5 Conformity with this requirement is strongly recommended. OTMs that work onlywithin a possession might be operated with an active ETCS onboard subsystem (forexample, Non Leading (NL), Passive Shunting (PS)).

G 3.9.2.6 Also, OTMs may undertake reverse movements and operate automatically in workingmode.


3.10 Power supply

3.10.1 ETCS onboard subsystem: temporary power supply interruptions

3.10.1.1 The ETCS onboard subsystem shall be tolerant of being de-energised before it hasfully initialised. (Normative)

Rationale

G 3.10.1.2 Availability: The capability of the ETCS onboard subsystem to withstand temporarypower supply interruptions during start-up/shut-down sequences has a direct impacton the availability of the ETCS onboard subsystem. The availability of the ETCSonboard subsystem influences the availability of the ETCS as a whole.

Guidance

G 3.10.1.3 It is feasible that electronic train systems will be energised temporarily during start-up/shutdown sequences or power supply disturbances, meaning that they do not gothrough their full power-up sequence.

G 3.10.1.4 Conformity with this requirement can be achieved by designing the ETCS onboardsubsystem so that:

a) it will not be energised temporarily during start-up / shutdown sequences or powersupply disturbances, or

b) it can tolerate such scenarios without being damaged or entering System Failure(SF).


3.10.2 ETCS onboard subsystem: automatic energisation

3.10.2.1 The ETCS onboard subsystem shall energise automatically only when the primarysource of power is available. (Normative)



RSSB Page 29 of 112


Rationale

G 3.10.2.2 Reliability and Availability: Preventing the ETCS onboard subsystem from startingautomatically when only battery power is available reduces the likelihood of the railvehicle batteries becoming discharged.

G 3.10.2.3 Starting the ETCS automatically removes the need for a separate ‘ETCS start’ button.

Guidance

G 3.10.2.4 The specific trigger for this automatic energisation will be rail vehicle class-specific. Inthe context of this requirement, the primary source of power is a 25 kV AC / 750 V DCenergy (ENE) subsystem supply, or when engines are running.


3.10.3 ETCS onboard subsystem - manual energisation

3.10.3.1 It shall be possible to energise the ETCS onboard subsystem manually without theprimary source of power being applied. (Normative)

Rationale

G 3.10.3.2 Asset management: This function provides the ability to energise parts of the ETCSonboard subsystem manually for some maintenance activities, as well as givingfurther scope for train rescue in the event of engine / electric failure.

Guidance

G 3.10.3.3 In the context of this requirement, the primary source of power is a 25 kV AC / 750 VDC energy (ENE) subsystem supply, or when engines are running. Conformity with thisrequirement implies that a back-up power supply is available (for example, a battery).


3.10.4 ETCS onboard subsystem: resiliance to loss of primary power supply

3.10.4.1 The ETCS onboard subsystem shall remain active for at least 10 minutes after loss ofprimary power. (Normative)

Rationale

G 3.10.4.2 Integration with train operations: 10 minutes provides time for:

a) the train driver to decide the train stopping positionb) the train to reach that location after the primary power is lost.

G 3.10.4.3 Performance: 10 minutes is intended to mitigate the performance risk from themajority of unplanned interruptions in electrical power supply or rail vehicle engineoperation.

Guidance

G 3.10.4.4 Common causes of temporary power supply interruptions include:



Page 30 of 112 RSSB


a) Conductor rail system gapsb) Overhead Line Equipment (OLE) nuetral sectionsc) ENE system tripsd) Temporary shutdown of engines

G 3.10.4.5 Failures of the primary source of power that last significantly longer than 10 minutesare expected to be infrequent and result in sutuations where the additional delay ofrestarting the ETCS onboard subsystem is less significant.


3.10.5 ETCS onboard subsystem: maintaining essential services

3.10.5.1 In the event of a loss of primary power, the ETCS onboard subsystem shall be loadshed before the rail vehicle's unsupported back-up power voltage becomes criticallylow. (Normative)

Rationale

G 3.10.5.2 Reliability and Availability: Maintaining only essential services reduces the likelihoodof the rail vehicle batteries becoming discharged by the ETCS after loss of primarypower.

Guidance

G 3.10.5.3 In the context of this requirement, critically low unsupported back-up power voltagemeans an inability to power other higher priority rail vehicle systems for the requiredduration, for example, emergency lighting, voice radio, or the ability to re-start thevehicle engine. ‘Critically low’ is a rail vehicle-specific definition.


3.11 Cab detection

3.11.1 Remote closing of a cab

3.11.1.1 The ETCS onboard subsystem shall be configured so that an open desk can be closedfrom another cab within the same rail vehicle or train, subject to certain conditionsbeing met. (Application specific)

Rationale

G 3.11.1.2 Integration with train operations: Remotely closing the desk means that a train driverdoes not need to access multiple driving cabs in order to close an open desk whenopening the cab that will be used to drive the train.

Guidance

G 3.11.1.3 Examples of applicable conditions include:

a) by enabling the cab active signal within another cab of the trainb) by operating the driving controls within another cab of the train.



RSSB Page 31 of 112


G 3.11.1.4 Likewise, certain circumstances may prevent the active cab being remotely cancelled.For example:

a) The rail vehicle is movingb) A direction is still selected in the original cab

G 3.11.1.5 Such a method of remotely closing the desk means that the ‘cab open’ functionmight be better served by a push button or Train Management System option, ratherthan a physical switch or key that cannot be remotely reset.


3.11.2 Automatic cab closure

3.11.2.1 The ETCS onboard subsystem shall be configured so that an open desk willautomatically close after a configurable time delay, subject to certain conditionsbeing met. (Application specific)

Rationale

G 3.11.2.2 Integration with train operations: The train driver might need to leave the cab for anunspecified time period to deal with an unplanned event. This facility allows a trainoperator to control the hazard of an open cab desk without the train driver beingpresent.

Guidance

G 3.11.2.3 Whilst desk closure is beneficial for security, there are operational benefits to leavingit open in certain circumstances.

G 3.11.2.4 Applicable conditions include those that are consistent with the train driver havingexited the cab, for example:

a) the rail vehicle is stationaryb) no direction is selectedc) there has been no human interaction with the Driver Machine Interface (DMI) or

controls for a predetermined time period.

G 3.11.2.5 The time delay will be determined by the train operator. For example, 30 minutesmight be needed to account for the train driver leaving the cab to attend to anincident.


3.11.3 Cab security

3.11.3.1 The ETCS Onboard subsystem shall be configured so that it is possible to secure a railvehicle or train from unauthorised operation whilst retaining the cab active signal.(Normative)



Page 32 of 112 RSSB


Rationale

G 3.11.3.2 Integration with train operations: The train driver might need to leave the cab duringa journey. Retaining the cab active signal avoids the need to reopen the cab and re-establish the movement authority before the train can continue.

Guidance

G 3.11.3.3 The train driver may be required to attend to issues on the rail vehicle or train, whichshould preferably be done without losing the Movement Authority.


3.11.4 Indicating an isolated cab

3.11.4.1 Where there is only one ETCS onboard subsystem provided on a rail vehicle or unit, anindication shall be provided in the active cab so that the train driver can see that theETCS onboard subsystem has been isolated from the other cab. (Application specific)

Rationale

G 3.11.4.2 Safe integration: The train driver uses the indication to confirm the status of the ETCSonboard subsystem.


Guidance

G 3.11.4.4 The indication could be displayed on the ETCS Driver Machine Interface.


3.12 Self-test

3.12.1 ETCS onboard subsystem status indications

3.12.1.1 The ETCS onboard subsystem shall automatically indicate to the train driver whether,upon start-up, the ETCS is functioning safely and correctly. (Normative)

Rationale

G 3.12.1.2 Integration with train operations: The train driver needs to confirm that the ETCS isfunctioning safely and correctly before it is used to control the rail vehicle or trainmovement.

G 3.12.1.3 Safe integration: An ETCS onboard subsystem that is not functioning safely andcorrectly could compromise the safety or performance of train operations.


Guidance

G 3.12.1.5 The indication can be displayed using the ETCS Driver Machine Interface during theStart of Mission (SoM) procedure.



RSSB Page 33 of 112



3.12.2 Indicating multiple ETCS onboard subsystems

3.12.2.1 Where two ETCS Onboard subsystems exist on a rail vehicle or unit, an indication asto the status of both ETCS Onboard subsystems shall be indicated in both cabs.(Application specific)

Rationale

G 3.12.2.2 Safe integration: . This requirement is used to control Hazard OB-H003.

Guidance

G 3.12.2.3 This applies to a single vehicle or unit where two ETCS onboard subsystems arepresent.

G 3.12.2.4 The indication can be displayed using the ETCS Driver Machine Interface in each cab.

G 3.12.2.5 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS 415.

3.12.3 ETCS onboard subsystem self-test routine

3.12.3.1 The ETCS onboard subsystem shall be capable of performing any power-upinitialisation or self-test routine without the presence of specific ETCS tracksideinfrastructure. (Normative)

Rationale

G 3.12.3.2 Integration with train operations: In some cases it will be necessary to initialise theETCS onboard subsystem, or run the self-test routine, when the rail vehicle is locatedaway from infrastructure fitted with the ETCS.

Guidance


3.12.4 ETCS onboard subsystem self-test routine - remote vehicle starting

3.12.4.1 The ETCS onboard subsystem shall be capable of performing any power-upinitialisation or self-test routine without the presence of an operator during the courseof the test. (Normative)

Rationale

G 3.12.4.2 Integration with train operations: In some cases, the ETCS onboard subsystem, orself-test routine, will use remote vehicle starting, allowing the unit to be prepared forStart of Mission (SoM) before the train driver is present in the cab.

Guidance




Page 34 of 112 RSSB


3.12.5 ETCS onboard subsystem: self-test result indications

3.12.5.1 The results of any ETCS onboard subsystem initialisation or self-test shall bedisplayed in a succinct, intuitive form. (Normative)

Rationale

G 3.12.5.2 Integration with train operations: The appearance of the presented informationimpacts on the ability of the train driver to interpret the results of the tests. A displaythat is difficult to interpret might adversely affect safety or performance.

Guidance

G 3.12.5.3 Displaying information using concise plain English text will support train drivers'understanding of the test results. Displaying information using non-English languagesor as a series of fault codes which need to be translated or interpreted would notmeet the requirement.


3.13 ETCS DMI

3.13.1 ETCS default level list: Level NTC (NID_NTC=20 and 21)

3.13.1.1 Level NTC (NID_NTC=20 and 21) shall be included in the default list configured in theETCS onboard subsystem. (Normative)

Rationale

G 3.13.1.2 Integration with train operations: This is necessary so that Level NTC (NID_NTC=20and 21) can be selected by the train driver when the trackside supported level is notavailable on-board. The default list is configured onboard.

Guidance

G 3.13.1.3 Level NTC, NID_NTC=20 and 21, is described in 4.2.


3.13.2 ETCS DMI indications: Level NTC, NID_NTC=20

3.13.2.1 Level NTC, NID_NTC=20, shall be displayed as 'L2/NTC' on the ETCS DMI.(Normative)

Rationale

G 3.13.2.2 Integration with train operations: Displaying distinctive, consistent, informativeindications supports train driver knowledge retention and learning.

Guidance

G 3.13.2.3 Level NTC, NID_NTC=20 is described in 4.2.

G 3.13.2.4 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-62A



RSSB Page 35 of 112



3.13.3.1 Level NTC, NID_NTC=14 shall be displayed as 'TVM' on the ETCS DMI. (Applicationspecific)

Rationale

G 3.13.3.2 Integration with train operations: Displaying distinctive, consistent, informativeindications support train driver knowledge retention and learning.

Guidance

G 3.13.3.3 Level NTC, NID_NTC=14 is described in 4.4.

G 3.13.3.4 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS 62B.

3.13.4 ETCS DMI indications: Level NTC (CBTC)

3.13.4.1 Level NTC (CBTC) shall be displayed as 'CBTC' on the ETCS DMI. (Applicationspecific)

Rationale


Guidance

G 3.13.4.3 Level NTC (Communication-based Train Control (CBTC)) is described in 4.5.

G 3.13.4.4 A NID_NTC value for CBTC has not yet been defined in ERA_ERTMS_040001.

G 3.13.4.5 his requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-62C.


3.13.5.1 Level NTC, NID_NTC=21, shall be displayed as 'TPWS' on the ETCS DMI. (Normative)

Rationale


Guidance

G 3.13.5.3 Level NTC, NID_NTC=21 is described in 3.23 and 4.2. This requirement applies onlywhen Level NTC NID_NTC=21 is implemented.

G 3.13.5.4 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-62D.

3.13.6 The location and arrangement of ETCS DMI displays and controls

3.13.6.1 The ETCS DMI shall comply with the principles set out in BS EN 894-1:1997 Chapter4. (Preferred)



Page 36 of 112 RSSB


Rationale

G 3.13.6.2 Integration with train operations: The location and arrangement of DMI displays andcontrols, influences the likelihood of human error during train operations.

Guidance

G 3.13.6.3 BS EN 894-1:1997 Chapter 4 sets out ergonomic requirements for the location andarrangement of displays and control actuators in order to avoid hazards associatedwith their use with poor design.

G 3.13.6.4 The requirements are complementary to the ERTMS/ETCS specifications published bythe ERA, including ERA_ERTMS_015560. Conformity with the ERA specificationstakes precedence.

G 3.13.6.5 The ETCS DMI is the primary train driver control and speedometer as set out inGMRT2161.

G 3.13.6.6 Consultation on the proposed design with end-users is essential in reaching aconclusion that the ETCS DMI can be integrated with train operations.


3.13.7 ETCS DMI: physical input devices

3.13.7.1 The ETCS DMI shall comply BS-EN ISO 9241-400:2007 section 4.2. (Preferred).

Rationale

G 3.13.7.2 Integration with train operations: The design of ETCS DMI displays and controls,influences the likelihood of human error during train operations.

Guidance

G 3.13.7.3 ISO 9241-400:2007 section 4.2 sets out design requirements for physical inputdevices. The requirements are complementary to the ERTMS/ETCS specificationspublished by the ERA, including ERA_ERTMS_015560.

G 3.13.7.4 Conformity with the ERA specifications takes precedence.


3.13.8 ETCS DMI: useability of visual display

3.13.8.1 The ETCS DMI shall conform to the requirements set out in BS-EN ISO 9241-11:1998Table B2, for the usability objectives. (Preferred).

Rationale

G 3.13.8.2 Integration with train operations: The useability of ETCS DMI displays and controls,influences the likelihood of human error during train operations.



RSSB Page 37 of 112


Guidance

G 3.13.8.3 BS-EN ISO 9241-11:1998 sets out guidance on useability of visual display terminals.The guidance is complementary to the ERTMS/ETCS specifications published by theERA, including ERA_ERTMS_015560. Conformity with the ERA specifications takesprecedence.

G 3.13.8.4 The usability objectives are:

a) Meets needs of trained users.b) Minimisation of support requirements.c) Learnability.d) Error tolerance.e) Legibility.


3.13.9 ETCS DMI: legibility

3.13.9.1 The ETCS DMI installation shall meet the requirements for legibility in the cabenvironment set out in BS-EN 894-2:1997. (Preferred)

Rationale

G 3.13.9.2 Integration with train operations: The legibility of ETCS DMI displays and controls,influences the likelihood of human error during train operations.

Guidance

G 3.13.9.3 BS-EN 894-2:1997 refers to the real life clarity of the artefacts on the displaycompared with the display background once factors such as lighting, backlighting,reflections and vibration are taken into account. It recommends a contrast ratio of6:1 between letters, symbols, numbers etc and their immediate backgrounds, with aminimum contrast ratio of 3:1.

G 3.13.9.4 The requirements are complementary to the ERTMS/ETCS specifications published bythe ERA, including ERA_ERTMS_015560. Conformity with the ERA specificationstakes precedence.


3.13.10 Position of ETCS DMI displays and controls

3.13.10.1 The ETCS DMI position in the cab for ‘detection’ and ‘monitoring’ tasks by the traindriver shall be at least ‘acceptable’, as set out in BS-EN ISO 9241-11:1998 section 4.1.(Preferred)

Rationale

G3.13.10.2

Integration with train operations: The position of ETCS DMI displays and controlsrelative to the train driver, influences the likelihood of human error during trainoperations.



Page 38 of 112 RSSB


Guidance

G3.13.10.3

The requirements are complementary to the ERTMS/ETCS specifications published bythe ERA, including ERA_ERTMS_015560. Conformity with the ERA specificationstakes precedence.

G3.13.10.4

This requirement is derived from NEPT/ERTMS/REQ/0007 version 3.2 EOSS-67.

3.13.11 ETCS DMI: response time

3.13.11.1 The ETCS DMI shall respond to any manual input within 100 ms. (Normative)

Rationale

G3.13.11.2

Integration with train operations: The ETCS DMI response time, influences thelikelihood of human error during train operations. A response time greater than100 ms might be perceived as a delay by the train driver and cause a distraction.

Guidance

G3.13.11.3

Typically available touch screen displays offer feedback times of around 100 ms.BS EN ISO 9241-420:2011 Table H.131 recommends feedback in under 20 ms for anaction with a touch screen display; this represents the ultimate target to limit theperception of delay.

G3.13.11.4

The 100 ms limit does not include delays in DMI to European Vital Computer (EVC)data exchange.

G3.13.11.5


3.13.12 ETCS DMI: display rendering

3.13.12.1 Graphical objects on the ETCS DMI shall be fully rendered and displayed within 20 msof the DMI display being commanded to present them. (Normative)

Rationale

G3.13.12.2

Integration with train operations: The rendering and display time influences thelikelihood of human error during train operations. A response time greater than 20 msmight be distracting to the train driver (owing to blurred information) and could resultin the train driver acting on an incorrect DMI state.

Guidance

G3.13.12.3

A typical LCD panel has a response time of less than 20 ms for the pixels of the screento change to the required state once commanded to do so.

G3.13.12.4




RSSB Page 39 of 112


3.13.13 ETCS DMI: cab position

3.13.13.1 The ETCS DMI shall be positioned in the cab so that the train driver can interact withthe ETCS DMI display area from the normal driving position, without being impededby other cab equipment, controls or structures. (Preferred)

Rationale

G3.13.13.2

Integration with train operations: The train driving task includes train driverinteraction with the ETCS DMI at any time. Any driving cab features that obscure theDMI screen or make interaction more difficult would influence the likelihood ofhuman error during train operations.

Guidance

G3.13.13.3

Potential train driver errors include:

a) Misreading or misinterpreting a display presented on the DMI.b) Accidental operation of the DMI while using adjacent vehicle controls.

Further guidance on cab layouts is set out in BS EN 16186-2.

G3.13.13.4


3.13.14 ETCS DMI: luminance

3.13.14.1 The ETCS DMI luminance shall adjust automatically in response to changing cablighting levels. (Normative)

Rationale

G3.13.14.2

Integration with train operations: ETCS DMI luminance is one of the factors thatsupports and influences readability of the presented displays. Cab lighting levelchanges are influenced by ambient and environmental conditions. It is not practicalto expect the train driver to be able to adjust the ETCS DMI brightness manually forquickly changing cab lighting levels (for example, on entering a tunnel).

Guidance

G3.13.14.3

Readability of the ETCS DMI can be managed by tailoring the automatic luminancesettings to the rail vehicle cab environment.

G3.13.14.4


3.13.15 ETCS DMI: manual luminance adjustment

3.13.15.1 Manual ETCS DMI luminance adjustment shall be simple to achieve whilst the railvehicle is being driven. (Normative)



Page 40 of 112 RSSB


Rationale

G3.13.15.2

Integration with train operations: The train driver uses the manual luminanceadjustment to fine tune the brightness around the automatic set point. Easyadjustment minimises the impact on the train driving task.

Guidance

G3.13.15.3

Simple external controls (set out as options in ERA_ERTMS_015560), or minimalmenu navigation can support the train driving task. Adjusting the luminance usingmultiple DMI menus would be a distraction to the train driving task.

G3.13.15.4


3.13.16 ETCS DMI: minimum luminance setting

3.13.16.1 The ETCS DMI shall be configured so that the train driver cannot reduce the DMIdisplay luminance to the point where the visual information being presented cannotbe reliably read. (Normative)

Rationale

G3.13.16.2

Integration with train operations: The train driving task includes reading andinterpreting the information visually presented on the ETCS DMI and the traindrivers' ability to do this is dependent upon the luminance settings.

G3.13.16.3

Safe integration: This requirement is used to control Hazard OB-H007

Guidance

G3.13.16.4

The process for assessing, determining, setting and adjusting the minimum ETCS DMIdisplay luminance that a train driver can select includes:

a) Restricting the permissions to authorised personnel.b) Using a controlled method, such as the use of a reset code or special key; the use

of a standard T key or train driver’s key would not be considered to be anadequately controlled solution.

G3.13.16.5


3.13.17 ETCS DMI: loudspeaker volume adjustment

3.13.17.1 Manual ETCS DMI loudspeaker volume adjustment shall be simple to achieve whilstthe rail vehicle is being driven. (Normative)

Rationale

G3.13.17.2

Integration with train operations: ETCS DMI loudspeaker volume supports andinfluences audibility of the presented indications. Easy adjustment minimises theimpact on the train driving task.



RSSB Page 41 of 112


Guidance

G3.13.17.3

Simple external controls (set out as options in ERA_ERTMS_015560), or minimalmenu navigation can support the train driving task. Adjusting the volume usingmultiple ETCS DMI menus would be a distraction to the train driving task.

G3.13.17.4


3.13.18 ETCS DMI: minimum volume setting

3.13.18.1 The ETCS DMI shall be configured so that the train driver cannot reduce the ETCSDMI loudspeaker volume to the point where the audible information being presentedcannot be reliably interpreted. (Normative)

Rationale

G3.13.18.2

Safe integration: The train driving task includes hearing and interpreting theinformation audibly presented by the ETCS DMI and the train driver's ability to dothis is dependent upon the loudspeaker volume settings.

G3.13.18.3

This requirement is used to control Hazard OB-H005.

Guidance

G3.13.18.4

The process for assessing, determining, setting and adjusting the minimumloudspeaker volume that a train driver can select includes:

a) Restricting the permissions to authorised personnel.b) Using a controlled method, such as the use of a reset code or special key; the use

of a standard T key or train driver’s key would not be acceptable.

G3.13.18.5


3.13.19 Cab indication luminance

3.13.19.1 The brightness of the ETCS DMI and cab indications shall be sufficiently adjustable tobe viewed comfortably over the full range of ambient cab lighting levels. (Normative)

Rationale

G3.13.19.2

Integration with train operations: ETCS DMI and cab indication luminance are factorsthat support and influence readability of the presented displays. The range ofadjustment is needed to accommodate the range of ambient light levels.

Guidance

G3.13.19.3

Previous experience of ETCS onboard subsystems has shown that the brightness ofthe cab indications and ETCS DMI needs to be sufficiently variable to accommodatea wide range of ambient lighting levels, as well as train driver preference. This is



Page 42 of 112 RSSB


especially important for dark conditions where excessive luminance can affect thetrain driver's night vision.

G3.13.19.4

Good practice is to undertake an analysis of suitable display screens before a type isselected because technology is frequently improving. Evidence from currentexperience suggests that a display using Light-Emitting Diode (LED) backlittechnology provides benefits including:

a) Low maintenance cost.b) Low heat emission.c) A suitable range of luminance.

G3.13.19.5


3.13.20 ETCS DMI: audible alarm levels

3.13.20.1 The ETCS DMI alarms shall be audible above background noise at all speedsthroughout the operational context applicable to the rail vehicle to which it is fitted.(Normative)

Rationale

G3.13.20.2

Safe integration: The train driving task includes hearing and interpreting audiblealarms presented by the ETCS DMI.

G3.13.20.3


Guidance

G3.13.20.4

Alarm audibility in the operational context is supported and influenced by theposition and alignment of the alarm loudspeaker and the volume settings.

G3.13.20.5

The following sources of ambient noise can adversely affect alarm audibility:

a) The wheel : rail interface.b) Wind, rain etc.c) Reflected sound from tunnels etc.

G3.13.20.6

An option is to provide audible alarms that automatically adjust the volume inresponse to the background noise level detected in the cab.

G3.13.20.7

LOC & PAS TSI clause 4.2.9.3.4 (5) includes a requirement that 'audible informationgenerated by on-board equipment inside the cab for the driver shall be at least 6dB(A) above the noise level in the cab.'

G3.13.20.8

Restricting the minimum sound level setting can help to provide alarms that areaudible above the background noise level in the cab in all operating conditions.

G3.13.20.9




RSSB Page 43 of 112


3.13.21 ETCS DMI: failure indication

3.13.21.1 The ETCS DMI shall not freeze or otherwise fail without the train driver being madeaware. (Normative)

Rationale

G3.13.21.2

Safe integration: The train driver needs to be aware that the ETCS DMI informationcan no longer be relied upon.

G3.13.21.3


Guidance

G3.13.21.4

Should the DMI freeze during operation or start-up, it might not be immediatelyapparent to the train driver. Delays in recognising this failure could adversely affecttrain operations. Conformity with this requirement can be achieved by eithereradicating failure modes that result in a DMI freeze and hidden failure, or byproviding a positive indication of the DMI function at all times (for example, aheartbeat, rotating icons).

G3.13.21.5


3.14 Data entry and interaction

3.14.1 ETCS DMI: data entry process

3.14.1.1 The ETCS DMI data entry process shall minimise the likelihood of train driver errorwhen selecting the train type or entering parameters. (Normative)

Rationale

G 3.14.1.2 Safe integration: The train driver is responsible for selecting train type andparameters. Correct data entry is essential for safe and optimal performance.

G 3.14.1.3 This requirement is used to control hazard OB-H008.

Guidance

G 3.14.1.4 Clear and intuitive labelling of train types and range-checking of flexible data entryparameters can contribute to meeting this requirement.

G 3.14.1.5 Specification ERA_ERTMS_015560 section 10.3.4 sets out requirements for datachecks to verify correct entry of data.


3.14.2 ETCS DMI: data entry completion time

3.14.2.1 The ETCS DMI data entry process shall be configured to enable data entry to becompleted within 60s of the ETCS onboard subsystem being ready to accept dataentry in Standby (SB) (Status S0). (Preferred)



Page 44 of 112 RSSB


Rationale

G 3.14.2.2 Efficiency: Minimising the time taken to complete ETCS data entry reduces the overalltime taken to prepare the train to start a journey.

Guidance

G 3.14.2.3 Specification ERA_ERTMS_015560 specifies the DMI data entry process; however,there are certain elements which can be configured to minimise train driver workload,including:

a) Rationalisation of DMI presets to an easily interpreted set.b) Auto-population of some aspects of train data where it is fixed or known from

other systems.c) Non-display of data options that are not appropriate to that installation of the

ETCS onboard subsystem.

G 3.14.2.4 This requirement is derived from NEPT/ERTMS/REQ/0007 version 3.2 EOSS-81A.

3.14.3 ETCS DMI: fixed, variable or switchable data entry

3.14.3.1 The ETCS onboard subsystem shall be implemented so that an authorised person canconfigure the ETCS DMI for fixed, variable or switchable data entry. (Normative)

Rationale

G 3.14.3.2 Integration with train operations: This capability has operational benefit because itenables a rail vehicle fitted with an ETCS onboard subsystem to be transferred to adifferent train operator or be used for different operational contexts during its lifecycle.

Guidance

G 3.14.3.3 ERA_ERTMS_015560 permits fixed, flexible and switchable train data entry.

G 3.14.3.4 It is prudent to allow the maintainer (or authorised person) to change the type oftrain data entry available to the train driver in the event of rail vehicle operationschanging.

G 3.14.3.5 This requirement assumes that train data is entered via an ETCS Driver MachineInterface (DMI), rather than automatically populated from on-board systems.


3.14.4 ETCS DMI: definition of presets

3.14.4.1 [Open point]. (Application specific)

Rationale

G 3.14.4.2 Integration with train operations: The use of presets reduces the likelihood of datatranscription errors.



RSSB Page 45 of 112


Guidance

G 3.14.4.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to train data entry: 'Information provided by therailway undertakings that operate the rail vehicle shall be used to define presets forregular train formations'.

G 3.14.4.4 It is beneficial to provide presets for multiple unit and fixed formation trains. Presetscould also be defined for predictable degraded operations and other train formations.


3.14.5 ETCS DMI: number and naming of preset options

3.14.5.1 [Open point]. (Application specific)

Rationale

G 3.14.5.2 Integration with train operations: Train drivers need to be able to reliably read andinterpret the preset information to decide what action to take.

Guidance

G 3.14.5.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to train data entry: 'The preset options shall bedesigned to control the likelihood of train driver error'.

G 3.14.5.4 The number of presets displayed at any time is limited and the amount of text whichcan be displayed (and be readable) is also limited. Train driver frustration ormisreading could lead to errors.


3.14.6 ETCS DMI: data range limits

3.14.6.1 The ETCS onboard subsystem shall be designed so that an authorised person can pre-configure the ETCS onboard subsystem to place limits on the range of values for theETCS train data. (Normative)

Rationale

G 3.14.6.2 Integration with train operations: The inclusion of constraints on acceptable valuesprotects against human error during data entry.

Guidance

G 3.14.6.3 Where the train driver enters data, rather than selecting it from a preset (e.g. flexibledata entry), it should be possible to restrict the range of values that the driver canselect to realistic values only. For example, upper and lower limits may be specified fortrain length or lambda value.



Page 46 of 112 RSSB


G 3.14.6.4 This restriction on data entry may be placed within the ETCS onboard subsystem oran external system (e.g. the Train Management System), depending upon whichsystem drives the train data entry.


3.14.7 ETCS DMI: data entry timeout

3.14.7.1 The ETCS onboard subsystem shall not impose a timeout limit on the data entry task.(Normative)

Rationale

G 3.14.7.2 Integration with train operations: Timeout restrictions on this task would create anunnecessary distraction that may lead to erroneous data entry.

Guidance


3.14.8 ETCS DMI: automatic population of train data

3.14.8.1 Where the ETCS data is known, it shall be populated automatically for the train driverto accept or modify. (Application specific)

Rationale

G 3.14.8.2 Integration with train operations: Automatic data population controls the likelihoodof human error during manual data input.

Guidance


3.14.9 Train Running Number (TRN) and Driver Identity (ID) data entry

3.14.9.1 There shall be a single, unified point of data entry for entering the Train RunningNumber (TRN) and Driver Identity (ID) into on-board systems. (Normative)

Rationale

G 3.14.9.2 Integration with train operations: Duplicate entry of data is inefficient and can leadto data mismatch.

Guidance

G 3.14.9.3 The ETCS specifications permit the population of the GSM-R TRN and ID numberfrom the ETCS data entry process. Furthermore, it is possible that the train driver willenter the TRN and ID into the Train Management System.

G 3.14.9.4 Data will be entered using one system and transmitted to other systems forsubsequent train driver validation. The primary system used for entry of the TRN andID is specific to the rail vehicle and its proposed operations.



RSSB Page 47 of 112


G 3.14.9.5 The exact specification for the design of any interface to the GSM-R voice radio willneed to be confirmed with the cab radio supplier and Network Rail Telecoms (NRT)before implementing a solution.


3.14.10 Numeric and Alphanumeric entry of the Train Running Number

3.14.10.1 The ETCS Onboard subsystem shall support numeric and alphanumeric entry of theTrain Running Number (Normative).

Rationale

G3.14.10.2

Integration with train operations: The CCS TSI includes a GB specific case thatpermits the use of alphanumeric entry of the Train Running Number on the GBmainline railway.

Guidance

G3.14.10.3

The GB mainline railway currently uses alphanumeric Train Running Numbers todescribe the train, unlike the standard numeric method employed within the ETCS. Inorder to retain operational consistency between ETCS-fitted and non ETCS-fittedtrains, the ETCS will allow acceptance of alphanumeric train running numbers (whichare convertible to numeric train running numbers via defined algorithms) in additionto numeric train running numbers.

G3.14.10.4

GERT8402 sets out the requirements for implementing the specific case.

G3.14.10.5

This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS 84A.

3.14.11 ETCS train type data label configuration

3.14.11.1 ETCS train-type data set labels shall be a configurable part of the data set.(Normative)

Rationale

G3.14.11.2

Integration with train operations: A rail vehicle fitted with an ETCS onboardsubsystem can be transferred to a different train operator or be used for differentoperational contexts during its life cycle. This will allow the rail vehicle owner,operator or maintainer to modify the train type data without recourse to the supplier.

Guidance

G3.14.11.3

The process of modifying train type data includes restricting permissions toauthorised personnel.

G3.14.11.4




Page 48 of 112 RSSB


3.14.12 ETCS data entry menu levels

3.14.12.1 The ETCS train type data entry process shall use no more than five menu levels.(Preferred)

Rationale

G3.14.12.2

Integration with train operations: An excessive number of menu levels increases thelikelihood of human error during the train type data entry process.

Guidance

G3.14.12.3

Train type menus can be presented as a series of nested lists (that is, where selectionof one train type on the first list presents a second list of subtypes etc). Humanfactors research suggests that the train driver would not be able to manage the dataentry process if more than five layers of nested lists were present.

G3.14.12.4


3.14.13 ETCS data entry menu constraint

3.14.13.1 A menu shall not be shown where there are one or zero data sets on that menu level.(Preferred)

Rationale

G3.14.13.2

Integration with train operations: An excessive number of menus increases thelikelihood of human error during the train type data entry process.

Guidance

G3.14.13.3

This requirement applies to train data sets; it is not applicable to menu levelsintended only ever to have one option for confirmation, for example, 'override'window.

G3.14.13.4


3.14.14 ETCS DMI: driver vigilance interface

3.14.14.1 The vigilance timer in the cab shall be reset whenever the train driver presses anyvalid button on the ETCS DMI associated with a genuine DMI interaction. (Preferred)

Rationale

G3.14.14.2

Integration with train operations: This facilitates the safety purpose of the timerwhilst minimising the train driving task in resetting the vigilance timer.

Guidance

G3.14.14.3




RSSB Page 49 of 112


3.15 Set Speed function

3.15.1 ETCS DMI: display of 'Set Speed'

3.15.1.1 When a ‘Set Speed’ automatic speed control function is active, the speed set pointshall be displayed on the ETCS DMI speed dial. (Application specific)

Rationale

G 3.15.1.2 Integration with train operations: The set speed indication reminds the train driverthat set speed is active during the train driving task.

Guidance


3.15.2 'Set Speed' disengagement

3.15.2.1 Any automatic 'Set Speed' control shall be disengaged immediately when the ETCScommands a brake intervention. (Application specific)

Rationale

G 3.15.2.2 Safe integration: It is possible that, on entering target speed monitoring, a 'SetSpeed' control could cause an intervention. This requirement is intended to eliminatethe possibility that, when ETCS stops the intervention (because the train speed isbelow the permitted speed), the 'Set Speed' control does not try and increase speedto the previous level.


Guidance

G 3.15.2.4 This requirement is only applicable to rail vehicles fitted with a ‘Set Speed’ system.For rail vehicles fitted with a 'Set Speed' system, this functionality is the mostappropriate.


3.15.3 'Set Speed' units

3.15.3.1 The units used on the 'Set Speed' system shall be the same as those of the currentspeed displayed to the train driver. (Application specific)

Rationale

G 3.15.3.2 Safe integration: Showing different or inconsistent units of measurement on the 'SetSpeed' device and the speedometer increases the likelihood that a train driver willselect an incorrect speed.




Page 50 of 112 RSSB


Guidance

G 3.15.3.4 If the 'Set Speed' control is configured in discrete steps, consideration should begiven to the suitability of the step interval for the units of measurement in use. Forexample, a 'Set Speed' control configured only in 5mph steps will not generally alignto commonly used speed limit values on lines operated in km/h.

G 3.15.3.5 This requirement is only applicable to rail vehicles fitted with a ‘Set Speed’ system;for rail vehicles where such a system exists, this functionality is deemed to be themost appropriate.


3.16 Speed display

3.16.1 Consistency of speed displays

3.16.1.1 Where multiple speedometers are active simultaneously within a cab, the speeddisplayed shall be consistent on all displays visible to the train driver in the normaldriving position. (Normative)

Rationale

G 3.16.1.2 Safe integration: Providing multiple speedometers showing different speed valueswould adversely impact on interpretability of the train speed.


Guidance

G 3.16.1.4 Conformity with this requirement can be achieved by either:

a) Providing consistent displays on multiple speedometers, orb) Concealing or deactivating all but the primary speed display in normal operation.


3.16.2 Displaying speed information when the ETCS onboard subsystem is isolated

3.16.2.1 The rail vehicle shall present speed information to the train driver whilst the ETCSonboard subsystem is isolated. (Application specific)

Rationale

G 3.16.2.2 Safe integration: The train driver needs train speed information to inform the traindriving task, which may include operating the train when the ETCS onboardsubsystem is isolated.


Guidance

G 3.16.2.4 A speed display being available to the train driver when the ETCS onboard subsystemis isolated mitigates risks associated with having no ETCS speedometer due to ETCS



RSSB Page 51 of 112


failure; it also assists the driver training programme in being able to run trains onunfitted lines, irrespective of ETCS driver training.

G 3.16.2.5 Conformity with this requirement can be achieved either:

a) Using the ETCS DMI to provide speed information, if a speed source can beprovided when the broader ETCS functionality is isolated. This solution may be themore practical option (due to space / packaging constraints)

b) Using an Additional Speed Display (ASD) that is independent of the ETCS onboardsubsystem. This option is non-preferred.

RIS-2004-RST sets out requirements for the accuracy of speed indicating systems.


3.16.3 ETCS DMI: displayed speed units in Isolation

3.16.3.1 The speed displayed to the train driver in Isolation (IS) shall be in the correct units forthe operating location. (Normative)

Rationale

G 3.16.3.2 Integration with train operations: Presenting speed information using units that aredifferent to those usually used for that location would adversely impact on the traindriving task.

Guidance

G 3.16.3.3 Where the speed display in IS is provided via the Driver Machine Interface (DMI), itneeds to be capable of showing the correct units for the location in which the railvehicle is operating – noting that mph and km/h signage may be used on differentparts of the network as the ETCS is rolled out.


3.17 Odometry and tachometry system

3.17.1 Odometry error limit

3.17.1.1 The ETCS onboard subsystem shall determine its position with an error of no more1% of distance travelled from the last balise when operating at constant speed.(Preferred)

Rationale

G 3.17.1.2 Performance: Excessive positional error within the odometry system results in areduction in train performance.

Guidance

G 3.17.1.3 Whilst the positional error might increase to 5%+/-5m over the range of trainconditions (acceleration, braking, slip, slide), it is reasonable to expect betterperformance in steady state conditions.



Page 52 of 112 RSSB



3.17.2 Automatic odometry recalibration

3.17.2.1 The ETCS Odometry shall automatically recalibrate in response to wheel wear.(Preferred)

Rationale

G 3.17.2.2 Asset management: Automatic calibration avoids the potential for human error, ismore efficient and can be effected more frequently, with a consequential trainperformance benefit.

Guidance

G 3.17.2.3 Manual measurement of the wheel diameters is not preferred.


3.17.3 ETCS odometry calibration: infrastructure constraints

3.17.3.1 ETCS odometry calibration shall not require specific additions or changes to therailway infrastructure on the GB mainline railway network. (Normative)

Rationale

G 3.17.3.2 Economic: An odometry system that required enhanced infrastructure provision couldadversely impact on the cost of railway infrastructure provision and maintenanceoperations.

Guidance

G 3.17.3.3 The infrastructure manager for the GB mainline railway is not currently intending tomake any special provision to facilitate an automatic calibration system for the ETCSonboard subsystem. Automatic calibration systems can rely only upon the ETCSinfrastructure that would otherwise be available.

G 3.17.3.4 Balises will not be located to any greater accuracy than that stated againstQ_NVLOCACC or Q_LOCACC; however, the value for Q_LOCACC is expected to bemore accurate in ATO areas.

G 3.17.3.5 Infrastructure contained wholly within the confines of a train maintenance facility isexcluded from this requirement.


3.18 Eurobalise reader

3.18.1 Eurobalise reader system: adjustment

3.18.1.1 The Eurobalise reader system shall not require adjustment during periodicmaintenance in order to operate on the train to which it is fitted. (Normative)



RSSB Page 53 of 112


Rationale

G 3.18.1.2 Economic: Manual re-calibration or re-positioning of the Eurobalise reader system orother intrusive maintenance would adversely impact on the cost of rail vehiclemaintenance operations and therefore the economics of railway operations.

Guidance

G 3.18.1.3 Conformity with this requirement means that manual re-calibration or re-positioningof the Eurobalise reader system, or other intrusive maintenance, is not necessaryduring the life of the equipment on any given rail vehicle. Other intrusivemaintenance includes: adjustment to accommodate wheel turning, wheelset change,ride height change etc.


3.18.2 Eurobalise reader system: ETCS onboard subsystem start-up

3.18.2.1 The ETCS onboard subsystem shall be tolerant of the Eurobalise reader beingpositioned directly over a balise during start-up. (Normative)

Rationale

G 3.18.2.2 Performance: It is not practicable to stop trains so that one or both Eurobalise readersare never located directly above a balise.

Guidance

G 3.18.2.3 This requirement also applies to the situation of powering up the ETCS onboardsubsystem when one or both Eurobalise readers are located directly above a balise.


3.19 Cold Movement Detection

3.19.1 Cold Movement Detection system

3.19.1.1 The ETCS onboard subsystem shall include a Cold Movement Detection system.(Normative)

Rationale

G 3.19.1.2 Integration with train operations: Cold Movement Detection serves to revalidate thetrain position upon leaving NP, subject to the train not having moved.

G 3.19.1.3 Maintenance of a valid position helps to reduce the dependency on operationalprocedures that result from degraded operation when starting with an invalidposition.

G 3.19.1.4 Hazards associated with operational procedures are likely to increase if multiple trainsare affected, for example when resuming service after a major infrastructure failure.



Page 54 of 112 RSSB


Guidance

G 3.19.1.5 The requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-107.

3.19.2 Cold Movement Detection: stored information validation

3.19.2.1 The ETCS Cold Movement Detection function shall only be used to validate storedinformation if the information was known to be correct upon entry to NP.(Normative)

Rationale

G 3.19.2.2 Safe integration: The ETCS onboard subsystem might not correctly record changes tothe rail vehicle position when in IS. If the ETCS onboard subsystem subsequentlytransitioned from IS to NP, and then back to SB, the stored position data might beinvalid.


Guidance

G 3.19.2.4 Cold Movement Detection is only active when the ETCS onboard subsystem is in NP.


3.19.3 Cold Movement Detection: maximum distance for revalidating position

3.19.3.1 The ETCS Cold Movement Detection function shall invalidate the stored ETCSposition information for any movement in excess of 5 m. (Normative)

Rationale

G 3.19.3.2 Integration with train operations: Moving a rail vehicle up to 5 m is considered to bethe maximum acceptable distance allowance for revalidating train position uponleaving NP.

Guidance

G 3.19.3.3 The position information is stored in the EVC.

G 3.19.3.4 This requirement specifies the sensitivity of the Cold Movement Detection system,which is used to guarantee that the position information will be invalidated if the railvehicle moves by 5 m or more.

G 3.19.3.5 The response of the ETCS Cold Movement Detection system to movement ofbetween 1 m and 5 m is not specified; this response is supplier-specific.


3.19.4 Cold Movement Detection: minimum distance for invalidating position

3.19.4.1 The ETCS Cold Movement Detection function shall not invalidate the stored ETCSposition information for a movement of less than 1 m. (Normative)



RSSB Page 55 of 112


Rationale

G 3.19.4.2 Performance: Coupling/uncoupling operations or buffering can move a stationary railvehicle by up to 1 m. This minimum tolerance is applied so that these normal,expected operations do not invalidate the rail vehicle position report held in the EVC.

Guidance

G 3.19.4.3 The position information is stored in the EVC.

G 3.19.4.4 The response of the ETCS Cold Movement Detection system to movement ofbetween 1 m and 5 m is not specified; this response is supplier-specific.


3.19.5 Cold Movement Detection: detection of absolute movement

3.19.5.1 The ETCS Cold Movement Detection function shall monitor absolute movement ofthe rail vehicle. (Normative)

Rationale

G 3.19.5.2 Integration with train operations: Moving a rail vehicle onto an adjacent line orturning it around and returning it to the original location means that the rail vehicleposition report held in the EVC is invalidated.

Guidance

G 3.19.5.3 Rail vehicles can be shunted onto adjacent tracks, or be returned to the same positionbut facing the opposite direction.


3.20 Data radio

3.20.1 Data radio

Guidance

G 3.20.1.1 The main applications of the current radio system, as defined in the CCS TSI, areconsidered as reference and co-existence with these applications is necessary.However, the radio system may need to consider the capability for supporting futurechanges and extensions of the applications covered by the CCS TSI and other TSIs, aswell as railway-related applications outside the TSIs.

3.20.2 Data radio redundancy

3.20.2.1 In the event of failure or degradation of one of the ETCS Data Only Radios, the ETCSonboard subsystem shall use the remaining available radio to maintain ETCSfunctionality. (Preferred)



Page 56 of 112 RSSB


Rationale

G 3.20.2.2 Performance: Using an alternative data radio can enable the train to continue to beoperated using the ETCS.

Guidance

G 3.20.2.3 If an ETCS Data Only Radio fails when a train is in service, it is preferable to optimisetrain operation using the remaining radio capability.

G 3.20.2.4 The ETCS application can make use of either of the two radio mobiles within theETCS data radio for optimum performance during cell handover or Radio Block Centre(RBC) transition.


3.21 Key management

3.21.1 Key management solution

3.21.1.1 The ETCS on-line key management solution shall not require any maintenance staffintervention. (Normative)

Rationale

G 3.21.1.2 Economic: Requiring maintenance staff intervention would adversely impact on thecost of key management and therefore the economics of railway operations.

Guidance

G 3.21.1.3 Maintenance staff intervention to be avoided includes distribution, deletion orupdating of any key entry.

G 3.21.1.4 RIS-0743-CCS sets out the requirements for the key management process.


3.21.2 Key management: fall back mechanism

3.21.2.1 [Open point]. (Normative)

Rationale

G 3.21.2.2 Performance: To provide a fall-back mechanism for the secure and efficientdistribution of authentication keys.

Guidance

G 3.21.2.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution pending the completionof other work streams relating to key management: 'Each ETCS onboard subsystembelonging to the GB Key Management (KM) domain shall be able to accept an uploadof off-line encrypted authentication keys via transfer media, as appropriate'.

G 3.21.2.4 Transfer media includes: compact discs and memory sticks.



RSSB Page 57 of 112



3.21.3 Key management: receipt of keys without interruption to service


Rationale

G 3.21.3.2 Performance: A key can be uploaded to the rail vehicle when it is operating in service.

Guidance

G 3.21.3.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution pending the completionof other work streams relating to key management: 'Each ETCS onboard subsystembelonging to the GB Key Management (KM) Domain shall receive keys in accordancewith Subset-137 without interruption to service'.


3.21.4 Key management: Transport keys


Rationale

G 3.21.4.2 Asset management: This reduces the consequences of a compromised key.

Guidance

G 3.21.4.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution pending the completionof other work streams relating to key management: 'The ETCS onboard subsystembelonging to the GB Key Management (KM) Domain shall support unique transportkeys for their Key Management Centre (KMC) – ETCS entity relationship (e.g. KMC –Onboard Unit (OBU))'.


3.21.5 Key management: authentication keys


Rationale

G 3.21.5.2 Asset management: This reduces the consequences of a compromised key.

Guidance

G 3.21.5.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution pending the completionof other work streams relating to key management: 'Each ETCS onboard subsystem



Page 58 of 112 RSSB


belonging to the GB Key Management (KM) Domain shall support uniqueauthentication keys for each relevant radio block centre (RBC)'.


3.21.6 Key management: validity period


Rationale

G 3.21.6.2 Asset management: Downloaded keys will have a validity period which needs to beobeyed by the ETCS onboard subsystem.

Guidance

G 3.21.6.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution pending the completionof other work streams relating to key management: 'The ETCS onboard subsystemshall store and action downloaded key data in accordance with its validity period'.


3.21.7 Key management: periodicity for online update requests


Rationale

G 3.21.7.2 Asset management: The periodicity of online update requests needs to be modifiableby an authorised person.

Guidance

G 3.21.7.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long term solution pending the completionof other work streams relating to key management: 'The ETCS onboard subsystemshall be designed so that the rail vehicle maintainer can set the periodicity for onlineupdate requests from an ETCS onboard subsystem belonging to the GB KeyManagement (KM) Domain'.


3.22 Ancillary systems

3.22.1 ETCS onboard subsystem: ETCS track conditions related to ancillary systems

3.22.1.1 The ETCS Onboard subsystem shall be capable of processing and acting upon ETCStrack condition information relating to ancillary rail vehicle systems on board thetrain. (Normative)



RSSB Page 59 of 112


Rationale

G 3.22.1.2 Integration with train operations: Integrating the operation of ancilliary rail vehiclesystems with the ETCS could provide train performance benefits and reduce theworkload associated with the train driving task.

Guidance

G 3.22.1.3 The ETCS track conditions facilities are provided in case it is deemed useful to utilisethem.

G 3.22.1.4 Track condition information on ancillary vehicle systems includes:

a) Pantograph raising or loweringb) Shoegear raising or loweringc) Traction circuit breakers opening or closingd) Change of traction power supply sourcee) Change of allowed traction current consumptionf) Inhibition or enablement of regenerative brakeg) Station platform information for door controlh) Specified Packet 44 information

G 3.22.1.5 The ETCS Onboard subsystem will be capable of receiving such information, and willeither action the track condition function directly or export the data to other trainsystems, as appropriate.


3.22.2 Facility for authorised person to control ETCS track condition information

3.22.2.1 The ETCS onboard subsystem shall include a facility for an authorised person toinhibit and enable the defined response to ETCS track condition information.(Normative)

Rationale

G 3.22.2.2 Integration with train operations: The operational context may include specificrestrictions or requirements on which track condition facilities will be used.

Guidance

G 3.22.2.3 If a certain track condition needs to be implemented, a competent authorised personwill be able to enable the facility.


3.22.3 DMI neutral section symbols

3.22.3.1 The ETCS Onboard subsystem shall be configured so that the neutral section symbolsdisplayed on the ETCS Driver Machine Interface (DMI) are those indicatingautomatic control of the rail vehicle in-feed circuit breakers. (Application-Specific)



Page 60 of 112 RSSB


Rationale

G 3.22.3.2 Integration with train operations: The train driver interprets the DMI symbol forautomatic control of the in-feed circuit breakers to understand that action is neededto ramp down traction prior to reaching the neutral section.

Guidance

G 3.22.3.3 Vehicle in-feed circuit breakers will open automatically on the GB mainline railway.


3.22.4 ETCS onboard subsystem: traction power down-time

3.22.4.1 The ETCS onboard subsystem shall not extend the time during which traction power islost when crossing neutral sections beyond that already experienced through theoperation of the existing rail vehicle systems. (Application specific)

Rationale

G 3.22.4.2 Performance: Extending the time that traction power is lost whilst traversing neutralsections would adversely impact on train performance.

Guidance


3.23 Driver training

3.23.1 Level NTC, NID_NTC=21: functionality

3.23.1.1 Level NTC, NID_NTC=21, shall be functionally identical to Level NTC, NID_NTC=20.(Application specific)

Rationale

G 3.23.1.2 Integration with train operations: The consistent appearance and functionality of theAWS/TPWS supports operational consistency where the same Class B CCS system isrequired to be active in different operating levels.

Guidance

G 3.23.1.3 This applies only where Level NTC, NID_NTC=20 is implemented.

G 3.23.1.4 With the exception of the level indication, the operation and train driver interface forAWS/TPWS are the same in Levels NTC, NID_NTC= 20 and 21 (that is, functionallyand visually identical, apart from the indication on the ETCS DMI of which level isselected).

G 3.23.1.5 This requirement is derived from NEPT/ERTMS/REQ/0007 version 3.2 EOSS-131B.



RSSB Page 61 of 112


Part 4 National systems

4.1 General

4.1.1 Introduction to National Systems

Guidance

G 4.1.1.1 The requirements in section 4 only apply if the rail vehicle will be fitted with the ETCSalongside existing Class B systems in order to operate in both an ETCS environmentand a conventionally-signalled environment.

G 4.1.1.2 Where a rail vehicle will be constrained to operate only on an ETCS-fitted railway, therequirements within Section 4 are not applicable.

4.1.2 Class B system: status indications

4.1.2.1 The train driver shall be provided with the information needed to understand theavailability / non-availability of the Class B systems fitted to the rail vehicle.(Normative)

Rationale

G 4.1.2.2 Integration with train operations: The train driver needs to know which Class Bsystems are operational in order to conform with the operating rules.

Guidance

G 4.1.2.3 This requirement could be satisfied on a traction-specific basis.


4.2 AWS/TPWS

4.2.1 Background to AWS/TPWS

Guidance

G 4.2.1.1 Document ERA/TD/2011-11 List of Class B Systems, published by the European UnionAgency for Railways (EUAR), records that ‘TPWS’ is a UK Class B system applicable tothe whole network. In this context, ‘TPWS’ includes AWS.

G 4.2.1.2 The CCS TSI section 3.1 states that ‘The requirements for Class B systems are theresponsibility of the relevant Member State’. GERT8075 and RIS-0775-CCS, fulfil thatresponsibility by setting out the GB industry agreed requirements for ‘TPWS’ on theGB mainline railway.

G 4.2.1.3 AWS is provided to give train drivers in-cab warnings of the approach to signals,reductions in permissible speed and temporary / emergency speed restrictions, and toapply the brakes in the event that a train driver does not acknowledge cautionarywarnings given by the system within the specified time.



Page 62 of 112 RSSB


G 4.2.1.4 TPWS is a train protection system compliant with the train protection requirements ofthe Railway Safety Regulations: 1999. The primary purpose of TPWS is to minimisethe consequence of a train passing a TPWS fitted signal at danger and a trainoverspeeding at certain other locations.

G 4.2.1.5 AWS and TPWS are the principal warning and train protection systems which areinstalled on most Network Rail lines and on most rolling stock operating over them.The only exceptions are certain lines which are fitted with mechanical trainstops, linesfitted with ETCS, and trains which operate only over those lines.

Guidance: AWS/TPWS integration with the ETCS onboard subsystem

G 4.2.1.6 AWS/TPWS can be integrated as follows:

a) As a standalone system, with rudimentary interfaces to the ETCS for suppression.b) Partially or fully integrated into the ETCS DMI.c) Integrated as a fully compliant Specific Transmission Module (STM).

G 4.2.1.7 Operationally, all of these configurations are ETCS Level NTC (AWS/TPWS).

G 4.2.1.8 The ERTMS/ETCS reference architecture shown in 2.5.3 of Subset 026 allows fornational systems to be integrated with the ETCS onboard subsystem using acompliant STM or another solution. The principle of an STM is that it allows thenational system to access some of the functions controlled by the ETCS onboardsubsystem and information from on-board. The ETCS controls whether the STM isactive or not, based on level and, in some cases, mode. The most common STMapplication is to interface an ATP system to the ETCS where similar principles ofsupervision (distance to go and speed profile) are applied.

G 4.2.1.9 AWS/TPWS is not an ATP system; it operates by detecting intermittent transmissionsfrom trackside objects – there is no requirement for information from the ETCSonboard subsystem, such as odometry.

G 4.2.1.10 When operating in Level NTC (NID_NTC=20 or 21), trains on GB mainline passengerlines have active AWS/TPWS on-board equipment in all modes in which the train mayoperate. Where the control of the Class B system is not via an STM, AWS/TPWSactivation and suppression is achieved on the basis of ETCS Level. If it is chosen toutilise an STM, then arrangements need to be made such that SH is not available forselection/operation in the appropriate NTC Levels.

G 4.2.1.11 For new-build rail vehicles, the option to integrate the AWS/TPWS DMI with the ETCSDMI might be preferable in order to optimise the cab layout. However, the AWS/TPWS will ultimately be withdrawn, so the economics of integrating it into the ETCSDMI should be considered.

G 4.2.1.12 If the ETCS DMI is considered to be a SIL 0 component of the ETCS onboardsubsystem, its applicability for use within other Class B systems needs to beconsidered.

G 4.2.1.13 The requirements in this section only apply to AWS/TPWS implemented separately tothe ETCS and when interfaced to the ETCS onboard subsystem. Subset-035 specifiesmuch of the functionality required when a Class B system is interfaced as an STM.



RSSB Page 63 of 112


G 4.2.1.14 Conformity with the requirements in this document may require an upgrade to theAWS/TPWS onboard subsystem in order to provide the specified functionality. Theserequirements assume conformity with GERT8075 and RIS-0775-CCS.

4.2.2 Configured to include Level NTC, NID_NTC = 20 and 21.

4.2.2.1 The ETCS Onboard solution shall be configured to include Level NTC, NID_NTC=20and 21. (Application-Specific)

Rationale

G 4.2.2.2 Integration with train operations: The system needs to be able to support all ETCSLevels.

Guidance

G 4.2.2.3 This requirement is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS 131A.

4.2.3 Class B system operation on non-ETCS fitted infrastructure

4.2.3.1 The ETCS Onboard solution shall work in conjunction with any applicable Class Bprotection systems so as to allow the rail vehicle to operate correctly on non ETCS-fitted infrastructure. (Application specific)

Rationale

G 4.2.3.2 Integration with train operations: The train needs to be able to operate on non-ETCS-fitted infrastructure.

Guidance


4.2.4 AWS/TPWS onboard subsystem suppression

4.2.4.1 The AWS/TPWS shall be suppressed when the ETCS onboard subsystem is operatingin all levels other than Levels NTC, NID_NTC=20 and 21. (Normative)

Rationale

G 4.2.4.2 Integration with Class B CCS systems: When the ETCS is operating in a level otherthan Level NTC, NID_NTC=20 and 21, the train protection function is provided by theETCS. In this case, the AWS/TPWS train protection function is suppressed.


Guidance

G 4.2.4.4 In accordance with the strict definition of the ETCS Levels, only Level NTC,NID_NTC=20 and 21 requires that the AWS/TPWS is energised. Whilst AWS/TPWScould be energised in Level 0, suppression aligns more correctly with the intent of theCCS TSI.



Page 64 of 112 RSSB



4.2.5 AWS/TPWS onboard subsystem unsuppression

4.2.5.1 The ETCS onboard subsystem shall unsuppress the AWS / TPWS when operating inLevels NTC, NID_NTC=20 or 21. (Normative)

Rationale

G 4.2.5.2 Integration with Class B CCS systems: The Class A train protection functionalityprovided by the ETCS is not available when the train is operated in Level NTC. TheClass B system AWS/TPWS provides the train protection functionality when operatingin Levels NTC, NID_NTC=20 or 21.


Guidance


4.2.6 AWS/TPWS in Non Leading (NL) and Sleeping (SL)

4.2.6.1 The AWS/TPWS shall be suppressed when the ETCS onboard subsystem is operatingin NL and SL. (Normative)

Rationale

G 4.2.6.2 Safe integration: Not suppressing the AWS/TPWS system when operating in NL or SLcould result in unnecessary brake applications.


Guidance

G 4.2.6.4 This is an exception to 4.2.5; when tandem working, it is necessary to isolate theAWS / TPWS on conventional lines. Therefore, it would be beneficial for the ETCS tosuppress it automatically for such operations (including in Level NTC, NID_NTC=20).


4.2.7 AWS/TPWS in Isolation (IS)

4.2.7.1 The AWS/TPWS shall be unsuppressed when the ETCS onboard subsystem isoperating in IS. (Normative)

Rationale

G 4.2.7.2 Safe integration: When the ETCS onboard subsystem is isolated, the AWS/TPWS canprovide the train protection functionality necessary for the train to continue tooperate on ETCS overlay and unfitted lines.




RSSB Page 65 of 112


Guidance

G 4.2.7.4 This is an exception to 4.2.4 to account for failure situations.


4.2.8 AWS/TPWS suppression timing

4.2.8.1 The AWS/TPWS shall be suppressed no later than 5s after the point of level transitionfrom Level NTC, NID_NTC=20 or 21. (Normative)

Rationale

G 4.2.8.2 Technical compatibility with the ETCS trackside subsystem: No AWS/TPWS tracksideequipment will be positioned within 5 s of the transition border at the permissiblespeed.

G 4.2.8.3 Safe integration: This requirement is used to control Hazard N-H051.

Guidance

G 4.2.8.4 The AWS/TPWS is expected to be suppressed at the transition border from Level NTC,NID_NTC=20. To ensure that the train is not inadvertently tripped, no AWS/TPWStrackside equipment is positioned within 5 s (at permissible speed) of the border inoverlay areas.


4.2.9 AWS/TPWS 'Operational Ready' state timing

4.2.9.1 The AWS/TPWS system shall be in the 'Operational Ready' state no later than 5 safter the point of level transition to Level NTC, NID_NTC=20 or 21. (Normative)

Rationale

G 4.2.9.2 Technical compatibility with the ETCS trackside subsystem: No AWS/TPWS tracksideequipment will be positioned within 5 s of the border at the permissible speed.

Guidance

G 4.2.9.3 RIS-0775-CCS specifies the 'Operational Ready' state. The 'Operational Ready' stateis equivalent to the ‘Data Available’ state in Subset-035.

G 4.2.9.4 Class A: Class B train protection system transitions will be configured so that trainsmoving at the permissible speed will not reach an interface with the AWS/TPWStrackside subsystem within 5 s of passing the point of level transition to Level NTC,NID_NTC=20 or 21.


4.2.10 AWS/TPWS 'black and yellow' indication

4.2.10.1 The AWS shall display a black and yellow visual indicator upon transitioning fromLevel 0, 1, 2 or 3 to Level NTC (NID_NTC=20 or 21). (Normative)



Page 66 of 112 RSSB


Rationale

G 4.2.10.2 Safe integration: The AWS/TPWS black and yellow visual indication is used by thetrain driver to confirm that the AWS/TPWS is responding to the transition from theClass A to Class B train protection system.


Guidance

G 4.2.10.4 Further requirements for the AWS visual indications are set out in RIS-0775-CCS.


4.2.11 AWS/TPWS: failure indication

4.2.11.1 The cab shall include functionality that draws the train driver's attention to a failed ormalfunctioning AWS/TPWS system, before, or upon, the train transitioning from anylevel to Levels NTC, NID_NTC=20 or 21. (Normative)

Rationale

G 4.2.11.2 Safe integration: The train driver needs to understand when the AWS/TPWS is notoperating correctly in order to conform with the rules for operating the train.


Guidance


4.3 Standalone AWS/TPWS

4.3.1 Temporary isolation of the AWS/TPWS

4.3.1.1 Temporary isolation of the AWS/TPWS shall not prevent the selection or use of anETCS Level where the AWS/TPWS is required to be active. (Normative)

Rationale

G 4.3.1.2 Integration with train operations: It is sometimes necessary to temporarily isolate theAWS/TPWS to pass a failed signal or to operate the train within a possession.

Guidance

G 4.3.1.3 The use of Level NTC (NID_NTC=20) is being considered for movements in apossession and should, therefore, be available, irrespective of any temporary isolationof the Class B system. Further requirements for the AWS visual indications are set outin RIS-0775-CCS.




RSSB Page 67 of 112


4.3.2 AWS visual indicator display

4.3.2.1 During operation in levels other than Level NTC, NID_NTC=20 or 21, the AWS visualindicator shall display ‘all black’. (Normative)

Rationale

G 4.3.2.2 Integration with train operations: The information provided by the AWS black andyellow visual indication is only relevant to the train driving task when the train isbeing operated in Level NTC (NID_NTC=20 or 21)

Guidance

G 4.3.2.3 This assumes that the AWS indicator is provided separately to the ETCS DriverMachine Interface as a hardware item, and so is still visible when the ETCS is not inLevel NTC, NID_NTC=20 or 21.


4.3.3 (BR-ATP)/ETCS control device functionality

4.3.3.1 The British Rail Automatic Train Protection (BR-ATP)/ETCS control device shall enablethe appropriate train protection system (BR-ATP or ETCS) and disconnect the othersystem. (Application specific)

Rationale

G 4.3.3.2 Integration with train operations: Train operations on the GB mainline railwayrequires one of the ATP systems provided on the rail vehicle to be activated at anytime. Activating the ETCS and the BR-ATP at the same time might result inunnecessary brake applications or other unwanted effects.

Guidance


4.4 TVM/KVB/Crocodile

4.4.1 Integration requirements for TVM/KVB/Crocodile systems

4.4.1.1 [Open Point].

Guidance

G 4.4.1.2 Further information can be obtained from Digital Railway.

4.5 CBTC

4.5.1 Integration requirements for CBTC

4.5.1.1 [Open Point].



Page 68 of 112 RSSB


Guidance

G 4.5.1.2 Further information can be obtained from Digital Railway.

4.6 TASS

4.6.1 Guidance (for TASS)

Guidance

G 4.6.1.1 The ETCS integration requirements for TASS systems are open points. A proposal tointegrate TASS with ETCS can follow the guidance on closing the open points, whichis based on a set of provisional requirements that are yet to be agreed by RSSBmembers. It is beneficial to consult with ERTMS/ETCS stakeholders to confirm thatwhat is proposed is an acceptable solution.

4.6.2 Transmitting tilt authorisation command where tilting functionality is integratedinto the ETCS onboard subsystem

4.6.2.1 [Open Point]. (Application specific)

Rationale

G 4.6.2.2 Integration with train operations: The TASS system provides tilt authorisationcommands to the train tilting system based on data received from the tracksidewhich is configured to ensure that the train only tilts where tilting can be supportedwithout gauge infringement. An integrated tilt function is required to mimic thisfunctionality. Integrating tilt authorisation with the ETCS onboard subsystem allowsfor the TASS system to be replaced.

Guidance

G 4.6.2.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution pending the completionof other work streams relating to the TASS: 'Where tilt authorisation is integrated intothe ETCS, the ETCS onboard subsystem shall transmit the tilt authorisation commandto the tilt system'.

G 4.6.2.4 An option is for tilt commands received from either the RBC or balises to beprocessed / interpreted by the ETCS onboard subsystem which will control the tiltmechanism. The ETCS onboard subsystem will need to be able to undertake the fullfunctionality of the current TASS system (speed supervision and tilt authorisation)when in Level NTC using the balise reader provided for the ETCS. When operating inETCS Levels 2/3, the ETCS onboard subsystem will only need to utilise the Packet 44data sent by the RBC.


4.6.3 Integrating 'tilt healthy' signal monitoring into the ETCS onboard subsystem




RSSB Page 69 of 112


Rationale

G 4.6.3.2 Integration with train operations: Using the ETCS onboard subsystem to select theappropriate speed profile can provide train performance benefits if the tilt system ishealthy. If the system is unhealthy, the train speed supervision reflects the lowerpermissible speed.

Guidance

G 4.6.3.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to the TASS: 'On trains where tilt is selectivelyauthorised, the ETCS onboard subsystem shall monitor and correctly interpret a "tilthealthy" signal from the tilt system'.

G 4.6.3.4 The availability of the tilt system enables the ETCS onboard subsystem to supervisethe train to the correct speed in ETCS Levels 2/3 by selecting the appropriate speedprofile. If the system is unavailable due to a fault or isolation, then the speed of thetrain will be restricted by the ETCS.

G 4.6.3.5 Changes in the ‘tilt healthy’ signal will be managed as a change in train categoryfrom a source other than the train driver, in accordance with 5.17 of Subset 026. Achange in state requires the train to be at a stand or be brought to a stand.


4.6.4 Managing TASS data where the tilting functionality is not integrated into theETCS onboard subsystem

4.6.4.1 [Open Point] (Application specific)

Rationale

G 4.6.4.2 Integration with train operations: In order to retain the performance benefits oftilting trains.

Guidance

G 4.6.4.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to the TASS: 'On trains where tilting functionality is notintegrated into the ETCS onboard subsystem, the ETCS onboard subsystem shall passall Packet 44 data relating to Tilt Authorisation and Speed Supervision (TASS)received via RBC or balise to the external TASS'.

G 4.6.4.4 On trains where tilting functionality is not integrated into the ETCS onboardsubsystem, this open point can be closed if the ETCS onboard subsystem passes allPacket 44 data relating to TASS received via RBC or balise to the external TASSsystem.

G 4.6.4.5 TASS is currently implemented using a simplified ETCS architecture with a balisereader and restricted functionality EVC.



Page 70 of 112 RSSB



4.6.5 Speed supervision in ETCS Levels 2/3

4.6.5.1 [Open Point]. (Normative)

Rationale

G 4.6.5.2 Integration with train operations: Train operations on the GB mainline railway requireone of the ATP systems provided on the rail vehicle to be activated at any time.Supervision by ETCS and TASS at same time might result in unnecessary brakeapplications or other unwanted effects.

Guidance

G 4.6.5.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to the TASS: 'In ETCS Levels 2/3, speed supervisionshall be undertaken solely by the ETCS onboard subsystem'.

G 4.6.5.4 The ETCS onboard subsystem will select the appropriate speed profile based onwhether the tilt system is healthy or not.

G 4.6.5.5 The RBC will transmit a set of speed profiles relevant to trains which are able tooperate with different amounts of cant deficiency. To avoid two systems attemptingto manage the traction and the brake, an external TASS must have its speedsupervision isolated from the train system when the train is operating using the ETCS.


4.6.6 Indicating the health status of the tilt system


Rationale

G 4.6.6.2 Integration with train operations: The train driver needs to know whether the tiltsystem is available for use.

Guidance

G 4.6.6.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to the TASS: 'The train driver shall be provided withinformation about the health status of the tilt system in all levels'.

G 4.6.6.4 The information could be provided via a separate indicator or combined within theETCS DMI.




RSSB Page 71 of 112


4.6.7 Indicating tilt authorisation


Rationale

G 4.6.7.2 Integration with train operations: The train driver needs to know when tilting isauthorised, primarily, in Level NTC.

Guidance

G 4.6.7.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to the TASS: 'The train driver shall be provided withinformation about the authorisation of tilt in all levels'.

G 4.6.7.4 The indication could be a separate indicator or combined within the ETCS DMI.


4.6.8 Isolating the tilt system


Rationale

G 4.6.8.2 Integration with train operations: The control provides a means of isolating a tiltsystem that has a fault, thus enabling continued train operations without tilt.

Guidance

G 4.6.8.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long-term solution, pending the completionof other work streams relating to the TASS: 'The train driver shall be able to isolatethe tilt system'.

G 4.6.8.4 The control should be separate to the ETCS DMI and apply to the whole train.Operation of the control in one cab will result in a loss of tilt system health indicationsin both cabs.




Page 72 of 112 RSSB


Part 5 Rail Vehicle Interface Requirements

5.1 Fault tolerance

5.1.1 ETCS onboard subsystem: input error tolerance

5.1.1.1 The ETCS onboard subsystem shall not enter SF or NP as a result of any erroneousETCS input that might reasonably occur on the rail vehicle. (Normative)

Rationale

G 5.1.1.2 Reliability and availability: System availability is supported and influenced by itscapability to tolerate erroneous input.

Guidance

G 5.1.1.3 Examples of likely erroneous input includes: closure of a cab desk whilst it is running aself-test; rapid opening and closing of cabs.


5.1.2 ETCS onboard subsystem: fault tolerance to component readiness mismatch

5.1.2.1 Faults caused solely by a temporary mismatch in the readiness or status of individualETCS-related devices during the train power-up or power-down sequence shall notoccur. (Normative)

Rationale

G 5.1.2.2 Reliability and availability: System reliability and availability is supported andinfluenced by its capability to tolerate component readiness.

Guidance

G 5.1.2.3 The ETCS onboard subsystem is expected to be robust and not fail due to sub-systemcomponents not matching their readiness time. This mismatch should not occur.


5.2 Future provisions

5.2.1 Provision for ETCS system upgrade

5.2.1.1 The ETCS onboard subsystem shall incorporate a minimum of five spare digital inputand output slots. (Application specific)

Rationale

G 5.2.1.2 Economic: Provision for system upgrade to accommodate anticipated futurefunctionality.



RSSB Page 73 of 112


Guidance

G 5.2.1.3 Provision is needed for external data connections to interface with future on-boardsystems. The supplier can provide more than five spares. Any innovative solutions arewelcomed.


5.2.2 Provision for future train systems

5.2.2.1 Provision shall be made for an external data connection for interfacing with futuretrain systems. (Preferred)

Rationale

G 5.2.2.2 Economic: Provision for future system upgrade.

Guidance

G 5.2.2.3 As it is unclear what interfaces will be required for future systems (for example, doorcontrol, pantograph control, train management etc), a spare slot which canaccommodate a variety of interface cards, or an existing interface based on arailway-compatible data standard, should be provided. This could be used to exportPacket 44 data and/or train data from the ETCS onboard subsystem to the attachedsystem.


5.2.3 Provision for remote population of train data

5.2.3.1 Provision shall be made for an external data connection to be used for the remotepopulation of train data. (Application specific)

Rationale

G 5.2.3.2 Economic: Provision for future system upgrade to populate the ETCS onboardsubsystem with data from other remote systems through the addition of furtherequipment at a later date.

Guidance

G 5.2.3.3 The term ‘remote’, in this context, means a data source external to the DMI orEuropean Vital Computer (EVC). This may be from other train systems, or from asource external to the train. Research is being undertaken into the risks andpracticality of ETCS DMI entry for train data.

G 5.2.3.4 The train driver data entry process might not be robust enough, so it is expected thatthere will be a future need to be able to upload the train data that would normally beentered on the DMI and enter it via other means (for example Over the Air (OTA),swipe card etc).

G 5.2.3.5 Subset-119 provides details of how such an external data interface might bespecified. Although not formally issued, the principles within it provide a solidfoundation.



Page 74 of 112 RSSB



5.2.4 Spare inter-vehicle jumper cable capacity

5.2.4.1 Where inter-vehicle jumper cables are added as part of the ETCS onboard subsystemdesign, a minimum spare capacity of 20% shall be included. (Application specific)

Rationale

G 5.2.4.2 Economic: Spare inter-vehicle jumper cable capacity is provided to accommodatepotential future modifications

Guidance

G 5.2.4.3 Inter-vehicle jumper cables are likely to be needed on multiple units.

G 5.2.4.4 The jumper cable spare wiring capacity might also be beneficial in facilitating futurefunctionality expansion; therefore, consideration should be given to providingadditional capacity to appropriate looms as part of the installation design.


5.3 Additional (driver training) display

5.3.1 Facility for connecting an additional or portable display unit

5.3.1.1 Provision shall be made for an additional display unit to be temporarily fitted andviewed from a non-driving seat in the cab unless the ETCS DMI indications can beread by the occupant of a non-driving seat in the cab. (Application specific)

Rationale

G 5.3.1.2 Train driver learning: The additional display unit will be used by a train driverinstructor to observe movement authorities and other ETCS DMI data, whenmonitoring train driver performance during training and service conditions.

Guidance

G 5.3.1.3 The additional display unit will show indications only.

G 5.3.1.4 The facility for connecting an additional or portable display unit will be used if theETCS DMI cannot be reliably observed from a non-driving seat.

G 5.3.1.5 Provision includes the appropriate power and signal connections, and a mountingbracket.




RSSB Page 75 of 112


5.4 ATO

5.4.1 Guidance (for ATO)

Guidance

G 5.4.1.1 The ATO requirements are open points. A proposal to integrate ATO with ETCS canfollow the guidance on closing the open points, which is based on a set of provisionalrequirements that are yet to be agreed by RSSB members. It is beneficial to consultwith ERTMS/ETCS stakeholders to confirm that what is proposed is an acceptablesolution.

G 5.4.1.2 The intention will be to implement ATO and the ETCS together as a complete ATO /ETCS system. This will allow automatic driving on the GB Rail Network. Due tomigration constraints arising from Route strategic requirements, ATO may bedelivered independently of ETCS. These requirements allow the ETCS to operate inconjunction with an Automatic Train Operation (ATO) system up to Grade ofAutomation 2 (GoA2) as explained in STE/ATO/REQ/002, ATO System RequirementsSpecification. Projects are encouraged to seek advice from the Digital Railway if thereis a wish to facilitate introduction of ATO. The requirements in this section will stillenable any new train fitted with ETCS to be delivered ATO-ready.

5.4.2 ATO / ETCS onboard subsystem (FFFIS)

5.4.2.1 [Open Point]. [Application Specific]

Rationale

G 5.4.2.2 To allow the ETCS onboard subsystem to be capable of interfacing with an ATOOnboard solution, as defined in Subset-130.

Guidance

G 5.4.2.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long term solution pending the completionof other work streams relating to the ATO: "The ETCS Onboard solution shall includethe ATO / ETCS Onboard Form, Fit, Function Interface Specification (FFFIS)."


5.4.3 ATO operational mode - Automatic driving mode

5.4.3.1 [Open Point]. [Application Specific]

Rationale

G 5.4.3.2 To allow the ETCS Onboard solution to be capable of enabling AD when interfacedwith an ATO Onboard solution, in accordance with Subset-125.

Guidance

G 5.4.3.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long term solution pending the completion



Page 76 of 112 RSSB


of other work streams relating to the ATO: "The ETCS Onboard solution shall includethe ATO operational mode (Automatic Driving (AD) mode)".

G 5.4.3.4 If the ETCS Onboard solution is ATO-ready, then the ATO Onboard solution can beintegrated at a later date without the need to modify or upgrade the ETCS on-board.Copies of Subset-125 can be obtained from the Digital Railway Programme inadvance of their publication in the Technical Specification for Interoperabilityrelating to Control, Command and Signalling (CCS TSI).


5.4.4 ATO/ETCS integrated solution


Rationale

G 5.4.4.2 It may prove beneficial to deliver ATO and ETCS together as a single integratedOnboard solution in certain applications. This requirement provides an alternative forconsideration in procurement processes that can be compared with the supply ofETCS and ATO as separate systems via the Form, Fit, Function Interface Specification(FFFIS) as defined in Subset-130.

Guidance

G 5.4.4.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long term solution pending the completionof other work streams relating to the ATO: "Where it can be shown to be beneficial,the ATO Onboard solution shall be delivered as an integrated ATO / ETCS Onboardsolution rather than as a separate ATO Onboard solution interfaced to a separateETCS Onboard solution."

G 5.4.4.4 The ATO Onboard solution must still comply with the ATO System RequirementsSpecification (Subset-125) and the ATO track to Train Interface Specification(Subset-126) in order to be an interoperable solution. Copies of Subset-125, -126 and-130 can be obtained from the Digital Railway Programme in advance of theirpublication in the Technical Specification for Interoperability relating to Control,Command and Signalling (CCS TSI).


5.4.5 Provision for ATO controls on driver's desk


Rationale

G 5.4.5.2 To allow the ETCS Onboard solution to be capable of operating automatic drivingwith an ATO on-board system, in accordance with Subset-125.



RSSB Page 77 of 112


Guidance

G 5.4.5.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long term solution pending the completionof other work streams relating to the ATO: " Provision shall be made on the Driver’sdesk for the necessary ATO controls, including interfacing to the integrated ETCS /ATO Driver Machine Interface (DMI)".

G 5.4.5.4 If the ATO Onboard solution is not being delivered at the same time as the ETCS thenprovision for ATO buttons and controls need to be made in the Driver’s desk to avoidexpensive rework and retro-fitting. The ATO controls on the Driver’s desk and theintegrated ETCS / ATO DMI specifications are described in Subset-125. Provisionneeds to be made for:

a) an ATO interface on the DMIb) an ATO selector switchc) an ATO start/engage button(s) andd) an ATO stop/disengage button.

G 5.4.5.5 Copies of Subset-125 can be obtained from the Digital Railway Programme inadvance of their publication in the Technical Specification for Interoperabilityrelating to Control, Command and Signalling (CCS TSI).


5.4.6 Physical provision for equipment to support ATO


Rationale

G 5.4.6.2 If ATO is not being delivered at the same time as the ETCS then provision for the ATOhardware needs to be made to avoid expensive rework and retro-fitting.

Guidance

G 5.4.6.3 The following requirement text has been proposed to close this open point but hasnot been confirmed by the industry as the long term solution pending the completionof other work streams relating to the ATO: "Physical provision shall be made for theadditional equipment needed to support the ATO Onboard solution".

G 5.4.6.4 As a minimum, provision needs to be made for the following:

a) space and power for the ATO Onboard solutionb) an additional packet switching (EDGE capable) mobile (this will be in addition to

the 2 ETCS Data Only Radios (EDORs) required for the ETCS) andc) connection to an antenna (noting that the antenna could be shared with another

application, but not the ETCS).




Page 78 of 112 RSSB


Part 6 Installation Design

6.1 General requirements

6.1.1 ETCS onboard subsystem: modularity

6.1.1.1 The ETCS onboard subsystem shall incorporate modularity and the facility to upgradeor replace parts of the system separately. (Preferred)

Rationale

G 6.1.1.2 Asset management: A modular configuration supports efficiencies in assetmanagement by enabling parts of the system to be replaced or upgraded.

Guidance


6.2 Contamination

6.2.1 ETCS onboard subsystem: tolerance to cleaning

6.2.1.1 All equipment shall be tolerant of cleaning using the typical range of cleaningmaterials and processes used in the railway environment. (Normative)

Rationale

G 6.2.1.2 Reliability and availability: Rail vehicle asset management processes will expose ETCSonboard subsystems to materials and interventions that could cause cosmeticdamage as well as adversely affecting system reliability and availability.

Guidance

G 6.2.1.3 This requirement applies to:

a) Driving cab equipment (including the ETCS DMI and all other controls andindicators).

b) Saloon-mounted equipment.c) Exterior equipment.

G 6.2.1.4 Cleaning these items should not be an issue or require additional provisions to theprocesses currently used.

G 6.2.1.5 Acid and/or alkaline cleaning chemicals will be applied to exterior equipment atpressure or forcibly through brushing action. High-pressure hot water, with or withoutdetergent, or steam might also be applied to the exterior of the rail vehicle.




RSSB Page 79 of 112


6.3 Vandalism and accidental damage

6.3.1 ETCS onboard subsystem: protection from vandalism and accidental damage

6.3.1.1 The ETCS onboard subsystem shall be designed to afford protection from vandalismand accidental damage. (Normative)

Rationale

G 6.3.1.2 Reliability and availability: The environmental conditions in which trains are operatedwill expose the ETCS onboard subsystem to potential sources of intentional andunintentional damage and abuse that could adversely affect system reliability andavailability.

Guidance

G 6.3.1.3 Damage could arise from actions of train crew, other railway staff and members ofthe public.


6.3.2 ETCS onboard subsystem: tolerance to environmental conditions in which trainsare operated

6.3.2.1 Externally-mounted equipment shall be designed to continue to function whensubjected to the conditions and impacts reasonably expected in normal serviceoperation. (Normative)

Rationale

G 6.3.2.2 Reliability and availability: The environmental conditions in which trains are operatedwill expose the ETCS onboard subsystem to potential sources of impact damage thatcould adversely affect system reliability and availability.

Guidance

G 6.3.2.3 It is reasonable to expect that external equipment will be impacted by flying ballast,snow and ice build-up, and minor flood waters during normal operation. On-trackmachines (OTMs) might be exposed to harsher environments – ballast dust, grindingcinders etc.

G 6.3.2.4 Any ETCS component that needs to be mounted externally should function asseamlessly as any other external train component.




Page 80 of 112 RSSB


Part 7 Maintenance

7.1 General

7.1.1 ETCS underbody-mounted equipment: Mean Active Repair Time (MART)

7.1.1.1 The ETCS onboard subsystem shall, as a minimum, meet the Mean Active Repair Time(MART) requirements for underbody-mounted equipment specified in the ERTMSReliability Specification (NR/AM/SA/SPE/00147). (Normative)

Rationale

G 7.1.1.2 Reliability and availability: The MART influences the availability performance of theERTMS/ETCS as a whole.

Guidance

G 7.1.1.3 NR/AM/SA/SPE/00147 defines reliability and availability targets for the ETCS, whichare then apportioned to the respective elements of the onboard and tracksidesubsystems.


7.1.2 ETCS interior-mounted equipment: MART

7.1.2.1 The ETCS onboard subsystem shall, as a minimum, meet the MART requirements forinterior-mounted equipment specified in the ERTMS Reliability Specification(NR/AM/SA/SPE/00147). (Normative)

Rationale

G 7.1.2.2 Reliability and availability: The MART influences the availability performance of theERTMS/ETCS as a whole.

Guidance

G 7.1.2.3 NR/AM/SA/SPE/00147 defines reliability and availability targets for the ETCS, whichare then apportioned to the respective elements of the Onboard and Trackside.


7.1.3 ETCS onboard subsystem: component delimitation and marking

7.1.3.1 ETCS line-replaceable units (LRUs) shall be clearly delimited and marked to supporttraceability, and prevent subdivision or loss of configuration. (Normative)

Rationale

G 7.1.3.2 Asset management: Clarity in LRU configuration supports efficiencies in rail vehicleasset management



RSSB Page 81 of 112


Guidance

G 7.1.3.3 This is important for equipment within which staff may exchange components duringfault-finding, resulting in loss of configuration and traceability.


7.1.4 ETCS DMI replacement

7.1.4.1 The ETCS onboard subsystem shall be implemented so that the ETCS DMI can bereplaced, configured and tested by a single trained person within 15 minutes.(Application specific)

Rationale

G 7.1.4.2 Asset management: The ETCS DMI is expected to need replacing more frequentlythan other components. It is expected that DMIs will be exchanged by station-basedmaintenance staff while the train is in service; therefore, the time needed to change aDMI is an important maintenance factor.

Guidance


7.1.5 ETCS onboard subsystem: maintenance environment

7.1.5.1 Specialist anti-static bench test or clean room precautions shall not be required tomaintain the ETCS onboard subsystem. (Normative)

Rationale

G 7.1.5.2 Asset management: Rail vehicles fitted with an ETCS onboard subsystem are likely tobe maintained and serviced in existing maintenance depots. Minimising the impacton existing rail vehicle maintenance processes supports efficiencies in rail vehicleasset management.

Guidance

G 7.1.5.3 The low projected failure rate of the ETCS onboard subsystem does not indicate aneed for specialist equipment or technicians in depots. A separate clean and dry storefor electronic equipment is permissible.


7.1.6 Identification of ETCS onboard failure during maintenance

7.1.6.1 Failure of redundant ETCS Onboard solution elements shall be easily identifiableduring maintenance. (Normative)



Page 82 of 112 RSSB


Rationale

G 7.1.6.2 Reliability and availability: Maintaining the effectiveness of designed levels of systemredundancy supports continued system operations when primary systems experiencea fault.

Guidance

G 7.1.6.3 It is common practice to use switches and contacts (in serial or parallel, dependingupon the implementation) to reduce the chance of a single switch failure causing ahazard or immobilizing failure of the rail vehicle or train. If latent failures ofequipment in such circuits are not identified, it may eventually lead to a hazard or asystem failure.

G 7.1.6.4 This function may be achieved through monitoring of back contacts (either by theTrain Management System or separate ‘tell-tale’ indicators), or European VitalComputer test cycles that independently test any parallel output at an appropriatejuncture. A dedicated test tool may be deemed acceptable if it is simple to operateand requires limited intrusion into the vehicle systems.


7.2 Diagnostic tools

7.2.1 Guidance - definition

Guidance

G 7.2.1.1 Diagnostic tools include maintenance, download, fault-finding, interrogation andanalysis tools.

7.2.2 ETCS onboard subsystem: diagnostic tools ease of use

7.2.2.1 Diagnostic tools shall be simple to operate and interpret. (Normative)

Rationale

G 7.2.2.2 Asset management: Providing diagnostic tools that are easy to use supportsefficiencies in rail vehicle asset management.

Guidance

G 7.2.2.3 Diagnostic tools include maintenance, download, fault finding, interrogation andanalysis tools.

G 7.2.2.4 Complex diagnostic tools can lead to error or delay in determining faults.


7.2.3 ETCS onboard subsystem: diagnostic software

7.2.3.1 Software-based diagnostic tools shall be designed for use on standard, modernoperating systems. (Preferred)



RSSB Page 83 of 112


Rationale

G 7.2.3.2 Asset management: Providing diagnostic tools that use standard operating systemssupports efficiencies in rail vehicle asset management.

Guidance

G 7.2.3.3 The software should not rely on legacy operating systems for its operation; it shouldfunction correctly within modern commercially available operating systems. Thesemay include, but are not limited to: Windows, iOS, Linux and Android systems.


7.2.4 ETCS onboard subsystem: manual diagnostic procedures

7.2.4.1 Software-based diagnostic tools shall not require complex procedures for manualinput and recording of output. (Normative)

Rationale

G 7.2.4.2 Asset management: A software diagnostic tool that requires complex use or specialistknowledge to input data or record the output would increase asset managementcosts.

Guidance


7.2.5 ETCS onboard subsystem: diagnostic download integrity

7.2.5.1 Software-based diagnostic tools shall not cause data or software corruption duringdownload. (Normative)

Rationale

G 7.2.5.2 Asset management: Corruption during download can lead to error or delay ininterpretation.

Guidance


7.2.6 ETCS onboard subsystem: diagnostic interfaces

7.2.6.1 Software-based diagnostic tools shall use modern, universally available interfaces forcommunicating with the ETCS onboard subsystem. (Preferred)

Rationale

G 7.2.6.2 Asset management: Utilising Ethernet, Universal Serial Bus (USB) and other commonelectronic interfaces would minimise potential obsolescence issues with the devicehardware.



Page 84 of 112 RSSB


Guidance

G 7.2.6.3 Legacy interfaces to be avoided include RS232 and RS485.


7.2.7 ETCS onboard subsystem: remote diagnostic download

7.2.7.1 Functionality shall be provided to download ETCS diagnostic information stored on-board remotely while the train is in service. (Application specific)

Rationale

G 7.2.7.2 Asset management: The ability to identify ETCS faults with the ETCS onboardsubsystem from locations remote to the rail vehicle supports efficiencies in rail vehicleasset management.

Guidance

G 7.2.7.3 Conformity with this requirement can include exporting system fault logs at definedintervals, or on demand, via a remote communication medium.


7.3 Failure reporting and data recording

7.3.1 ETCS onboard subsystem: data recording spare channels

7.3.1.1 Any new data recorder fitted shall be provided with at least 20% spare channelsabove those needed to comply with the requirements of RIS-2472-RST and the ETCSJRU. (Normative)

Rationale

G 7.3.1.2 Economic: Providing additional capacity is intended to avoid additional future cost ifadditional requirements for monitoring are introduced.

Guidance

G 7.3.1.3 RIS-2472-RST specifies the minimum requirements for on-board monitoring andrecording.

G 7.3.1.4 This requirement is not applicable to existing data recorders that are retained on therail vehicle.

G 7.3.1.5 In this context ‘data recorder’ may be either an independent JRU, or combinedJRU/On-Train Monitoring and Recording (OTMR) equipment.


7.3.2 ETCS onboard subsystem: remote data downloading

7.3.2.1 Functionality shall be provided to download JRU data remotely from the ETCSonboard subsystem while the train is in service. (Application specific)



RSSB Page 85 of 112


Rationale

G 7.3.2.2 Asset management: The ability to identify ETCS faults with the ETCS onboardsubsystem from locations remote to the rail vehicle supports efficiencies in rail vehicleasset management and incident investigations.

Guidance

G 7.3.2.3 Conformity can be achieved by exporting JRU logs at defined intervals, or on demand,via a remote communication medium. The data to be available for download needsto be sufficient for the requirements of the train operator. It may be acceptable foronly a subset of the data to be available for download whilst the train is in motion.

G 7.3.2.4 The requirements is derived from NEPT/ERTMS/REQ/0038 version 2.2 ENTOSS-211.

7.3.3 ETCS onboard subsystem: data download format

7.3.3.1 Downloads from ETCS equipment shall be available in an easily readable and usableformat. (Normative)

Rationale

G 7.3.3.2 Asset management: Providing data downloads that are easy to use supportsefficiencies in rail vehicle asset management.

Guidance


7.4 Diagnostic information

7.4.1 ETCS onboard subsystem: diagnostic information

7.4.1.1 The ETCS onboard subsystem shall provide diagnostic information sufficient forauthorised people to confirm that the ETCS onboard subsystem is operational andfunctioning correctly. (Normative)

Rationale

G 7.4.1.2 Asset management: Providing suitable and sufficient diagnostic information supportsefficiencies in rail vehicle asset management.

Guidance

G 7.4.1.3 Diagnostic information is particularly important after corrective or preventivemaintenance has been carried out. Authorised people are determined by railwayundertakings in accordance with their safety management system. Relevant rolesinclude: technicians, fitters, train drivers, maintainers, etc.




Page 86 of 112 RSSB


7.4.2 ETCS onboard subsystem: diagnostic information granularity

7.4.2.1 The ETCS onboard subsystem shall provide diagnostic information sufficient forauthorised people to diagnose faults to a single line-replaceable unit. (Normative)

Rationale

G 7.4.2.2 Asset management: Providing suitable and sufficient diagnostic information supportsefficient corrective actions and efficiencies in rail vehicle asset management.

Guidance

G 7.4.2.3 Authorised people are determined by RUs in accordance with their safetymanagement system. Relevant roles include: technicians, fitters, train drivers,maintainers etc.


7.4.3 ETCS onboard subsystem: diagnostic information accessibility

7.4.3.1 ETCS onboard subsystem diagnostic information shall be displayed to authorisedpeople without the need for equipment other than access keys. (Preferred)

Rationale

G 7.4.3.2 Asset management: Providing authorised people with easy access to diagnosticinformation supports efficient corrective actions and efficiencies in rail vehicle assetmanagement.

Guidance

G 7.4.3.3 Conformity with this requirement can be met if a maintainer can interrogate theETCS diagnostic information from displays/interfaces integrated within the ETCSonboard subsystem without needing to use maintenance tools or laptop-basedinterrogation software. Access keys may be necessary if the diagnostic information isnot located in a secure area.


7.4.4 ETCS onboard subsystem: diagnostic information time stamp

7.4.4.1 Diagnostic information shall be recorded with a time stamp with sufficient resolutionto identify all events accurately. (Normative)

Rationale

G 7.4.4.2 Asset management: A time stamp enables correlation of all recorded information andsupports the implementation of a Defect Recording Analysis and Corrective ActionSystem (DRACAS) for ERTMS/ETCS.

Guidance




RSSB Page 87 of 112


7.4.5 ETCS onboard subsystem: recording safety-critical faults

7.4.5.1 The details and nature of safety-critical faults within the ETCS onboard subsystemshall be recorded on board the rail vehicle. (Normative)

Rationale

G 7.4.5.2 Asset management: Safety-critical faults will be downloaded for later evaluation.

G 7.4.5.3 This requirement supports the implementation of a Defect Recording Analysis andCorrective Action System (DRACAS) for ERTMS/ETCS.

Guidance


7.4.6 ETCS onboard subsystem: LRU fault monitoring

7.4.6.1 The ETCS onboard subsystem shall be able to identify malfunctioning line-replaceable units (LRUs) to an authorised person before they cause a service failure.(Preferred)

Rationale

G 7.4.6.2 Reliability and availability: Identification of potential service-affecting failuresenables the LRU to be proactively replaced.

Guidance

G 7.4.6.3 Examples of malfunctioning equipment include:

a) Partial failure of redundant system.b) Tolerable, but unusual, activity (for example, abnormal data errors, dropped

connections, inconsistent ETCS input and software watchdog resets).

G 7.4.6.4 Indication of failures in unmonitored hardware (wiring degradation, sticking relaysetc) cannot reasonably be expected before a failure occurs.


7.4.7 ETCS onboard subsystem: faults relating to trackside equipment

7.4.7.1 Faults reported by the ETCS onboard subsystem that relate to trackside equipmentissues shall be supported with information on the location and nature of the failure.(Normative)

Rationale

G 7.4.7.2 Asset management: This requirement supports the efficient and timely correction oftrackside faults, minimises the need for trackside fault identification andinvestigation and supports the implementation of a Defect Recording Analysis andCorrective Action System (DRACAS) for ERTMS/ETCS.



Page 88 of 112 RSSB


Guidance

G 7.4.7.3 Location information could be derived from the Last Relevant Balise Group anddistance, or other relevant co-ordinates if supported. ERA specificationERA_ERTMS_015560 section 15 sets out requirements for system status messages.


7.4.8 ETCS onboard subsystem: presenting ETCS fault indications

7.4.8.1 Information about ETCS faults that require immediate train driver attention shall bepresented to the train driver in an unambiguous, operationally meaningful manner.(Normative)

Rationale

G 7.4.8.2 Integration with train operations: Some ETCS faults require train driver action.Providing information that is easy to identify and interpret supports the train drivingtask.

Guidance


7.4.9 ETCS onboard subsystem: ETCS fault acknowledgment

7.4.9.1 Information about ETCS faults that require immediate train driver attention shallrequire acknowledgement. (Normative)

Rationale

G 7.4.9.2 Integration with train operations: The acknowledgement of the ETCS fault conditionis intended to prevent the condition being ignored or overlooked by the train driver.

Guidance

G 7.4.9.3 ERA_ERTMS_015560 sets out the requirements for display and acknowledgement oftext messages related to the system requirements specification (SRS) defined systemstatus. The objective is for these messages to demand acknowledgement by the traindriver. The precise form of acknowledgement of supplier-specific text messagesinforming of faults within the ETCS onboard subsystem is not specified.

G 7.4.9.4 This requirement is derived from NEPT/ERTMS/REQ/0007 version 3.2 EOSS 221.

7.4.10 ETCS onboard subsystem: maintaining ETCS fault indications

7.4.10.1 Information about faults that require immediate train driver attention shall persistafter acknowledgement. (Normative)



RSSB Page 89 of 112


Rationale

G 7.4.10.2 Integration with train operations: Continuing to present the information afteracknowledgement is intended to remind the train driver and reinforce train drivermemory.

Guidance

G 7.4.10.3 ‘End of display’ determines whether the message is deleted after acknowledgementor is retained in a list that can be accessed by scrolling. Where a message requires thetrain driver's immediate attention, it is appropriate for it to remain in the scrolling listof text messages.


7.4.11 ETCS onboard subsystem: information about fault cause

7.4.11.1 Detailed information about the cause of faults, and appropriate action to take, shallbe provided via the ETCS DMI, or exported to train control systems. (Preferred)

Rationale

G 7.4.11.2 Asset management: This information is needed by maintainers and ease of access tocauses of fault conditions supports maintenance processes.

Guidance

G 7.4.11.3 When the rail vehicle is fitted with train control systems that report faults directly totrain drivers, or to maintainers remotely, the ETCS fault logging system can beintegrated with the rail vehicle system, if this is economical. The failure of one systemin an integrated solution should not affect the fault logging of other systems.


7.5 System security

7.5.1 ETCS onboard subsystem: controlling access

7.5.1.1 An access control system for ETCS onboard subsystem configuration settings anddata shall be provided. (Normative)

Rationale

G 7.5.1.2 Safe integration: An access control restricts modifications to the configuration ofsettings and data to authorised personnel.


Guidance

G 7.5.1.4 Access control incorporates user identifications and appropriate access levels. ‘SystemSecurity’ refers to security against unauthorised access to the ETCS onboardsubsystem settings, configuration data, cryptographic keys and software.



Page 90 of 112 RSSB


G 7.5.1.5 Before entering service, the ETCS onboard subsystem will have ETCS cryptographickeys installed that are compatible with any ETCS Level 2 or Level 3 infrastructure onwhich it is required to operate.

G 7.5.1.6 RIS-0743-CCS sets out requirements for the management of ETCS cryptographickeys. Subset-037 sets out how the cryptographic keys are used.


7.5.2 ETCS onboard subsystem: cyber security

7.5.2.1 The ETCS onboard subsystem shall be designed to reduce the risk from cyberattack toan acceptable level. (Normative)

Rationale

G 7.5.2.2 Safe integration: To allow the RU to fulfil its obligations in controlling the risk ofcyberattack on train operations.


Guidance

G 7.5.2.4 Hazards to consider include:

a) The possibility of malicious remote operation of the European Vital Computer(EVC).

b) Remote editing of data within the EVC.c) Remote disabling of the ETCS.d) Unauthorised use of access keys to ETCS onboard equipment.

G 7.5.2.5 Further information about the rail industry strategy for managing cyber security riskcan be obtained from the Rail Delivery Group (RDG).

G 7.5.2.6 The level of risk from a cyberattack is agreed with the Centre for the Protection ofNational Infrastructure (CPNI).


7.5.3 ETCS onboard subsystem: fail safe functionality

7.5.3.1 Any ETCS onboard equipment that is not contained within a secure enclosure shall befail-safe in the event of tampering. (Normative)

Rationale

G 7.5.3.2 Safe integration: This requirement is used to control Hazard OB-H024

Guidance




RSSB Page 91 of 112


7.5.4 ETCS onboard subsystem: equipment access

7.5.4.1 The ETCS onboard subsystem equipment enclosure shall only be accessible using arelevant tool. (Normative)

Rationale

G 7.5.4.2 Safe integration: To mitigate the risk from malicious or accidental entry to theequipment enclosure.

Guidance

G 7.5.4.3 The 'relevant tool' will vary depending upon the fleet being fitted, but can be selectedto align with the existing access arrangements for the particular fleet. This is alsorelevant to cyber security.

G 7.5.4.4 Examples include:

• Gated 8 mm hex recess - maintainers (access to equipment cabinets).• Gated 8 mm square driver - drivers (access to circuit breakers).• Gated 7 mm triangle - driver manager (access to JRU and repeater ETCS DMI).

G 7.5.4.5 Where both maintainers and train drivers / train preparers need to access equipment,two separate locked areas can be provided so that they have access only to theappropriate parts of the system, using different keys as appropriate.


7.5.5 ETCS onboard subsystem: access for maintenance and fault finding

7.5.5.1 Status or fault indicators, and download ports necessary for maintenance and fault-finding, shall be accessible using access keys only. (Normative).

Rationale

G 7.5.5.2 Integration with train operations: Maintenance and fault-finding indications that arenot necessary for the train driving task might distract the train driver.

Guidance


7.5.6 ETCS onboard subsystem: visibility of status and fault indications

7.5.6.1 Status or fault indicators necessary for operations shall be visible without the need togain entry using access keys. (Normative)

Rationale

G 7.5.6.2 Integration with train operations: The train driver needs to be able to easily access allindications that are necessary for the train driving task.



Page 92 of 112 RSSB


Guidance

G 7.5.6.3 If personnel need to observe an indicator in an unauthorised area, a window can beused that allows visibility from an authorised area.




RSSB Page 93 of 112


Part 8 Process and Procedure

8.1 System support

8.1.1 ETCS onboard subsystem: Life-cycle management plan

8.1.1.1 The ETCS onboard subsystem shall be supported by a life-cycle management planwhich is in place on first authorisation of an installation. (Normative)

Rationale

G 8.1.1.2 Asset management: A life-cycle management plan is part of the acceptance andstrategy process on the GB railway.

Guidance

G 8.1.1.3 The Onboard Life-cycle Management Plan links into a life-cycle management strategyfor the ETCS on the GB mainline network to enable effective management ofconfiguration and reliability management through the industry DRACAS processes.Digital Railway can provide further guidance in this area.

G 8.1.1.4 Standard life-cycle support arrangements are also expected to be established andmay include but not be limited to:

a) Arrangements for update of equipment, including for obsolescence.b) Spares provision.c) Test equipment.d) Endemic and epidemic faults.e) Warranty support.f) Ongoing training.g) Repair processes.h) Documentation updates.i) Decommissioning and disposal.j) Support to DRACAS processes.k) Configuration management (including use of existing train operator systems, for

example, component tracker).l) Reliability.m) Monitoring and trend analysis for all relevant applications of the contractor’s

ETCS systems and interoperable constituents.n) Safety monitoring and reporting for all safety related incidents for all relevant

applications of the contractor’s ETCS systems and inter-operable constituentsanywhere in Europe or the rest of the world.


8.1.2 ETCS onboard subsystem: Baseline 3 maintenance release updates

8.1.2.1 The ETCS onboard subsystem shall have its Baseline 3 software updated withBaseline 3 maintenance releases in a reasonable timescale following the instructionfor their implementation. (Normative)



Page 94 of 112 RSSB


Rationale

G 8.1.2.2 Asset management: The ETCS is a software based system defined by a core Europeanspecification, and the GB Programme is deploying the baseline of this specificationknown as Baseline 3. During the lifetime of the system, system updates ormaintenance releases will be required to fix errors, implement compatiblefunctionality, and act upon feedback from that and other projects. This means thatthe system version deployed on an installation will need to change during the lifetimeof the system to allow incorporation of the updates, and should be formalisedcontractually between owner/operator and supplier.

Guidance

G 8.1.2.3 Software upgrades are to be expected throughout the lifetime of the ETCS. A'reasonable timescale' will be agreed between operator and supplier afterassessment of the content of the release and consideration of its impact on individualfleet operation.

G 8.1.2.4 Compliance to this requirement will be judged on when first authorisation took place,when maintenance releases were issued, whether they had been deployed and, if not,checking that plans were in place to deploy, supported by the appropriate contractsand processes.




RSSB Page 95 of 112


Appendices

Appendix A Appendix A: Hazards Relevant to the ETCS OnboardSubsystem

A.1 Some of the requirements in this document can be used to control safety hazards.The relevant requirements have an associated 'safe integration' rationale thatincludes a reference to one or more of the hazards listed in Table 1 (ETCS Onboardsystem hazards). This hazard information is an extract from the ETCS Hazard Logversion 20, which is maintained by Digital Railway.

Hazard ID Description Cause Consequence

M1-H001 Driver doesnot removetraction powerwhen requiredto

Driver Error - Distraction

Lack of information providedto the driver

Loss of route knowledge due tofamiliarity with driving underETCS

Brake snatching / traindivision / buffer locking etc

Excessive jerk due to tractiondemand when ICB is opened/closed leading to passengerdiscomfort

N-H051 AWS / TPWS isnotsuppressed

Suppression failure Failure to suppress could leadto ETCS on-board assumingthat AWS / TPWS has failed,which could cause problemswhen exiting ETCS - thoseproblems could be a failure totransition or a lack of safetysystems after transition

Train tripped by TPWS looppresent in new area - leadingto passenger slips, trips / falls

Driver does not respondtimeously to AWSacknowledgment requests ifAWS magnets in new area,resulting in brake application -leading to passenger slips,trips / falls



Page 96 of 112 RSSB



OB-H001 Cabergonomicsnot optimised

Incorrect isolation of ETCS Train proceeds along routeunprotected leading to acollision / derailment at linespeed

OB-H002 Incorrect reset of ETCS Sudden brake application(Freight - brake snatching) -leading to passenger slips, tripsand falls

OB-H003 Indication of ETCS isolationnot optimised for ergonomics(for example, position /luminance)

Train proceeds along routeunprotected leading to acollision / derailment at linespeed

OB-H004 No indication that the ETCS isunfit for service at start ofmission

No consequence identified

OB-H005 Inadequate alarm volume

Alarm tone conflict

Existing non-ETCS alarms

Sudden brake application(Freight - brake snatching) -leading to passenger slips, tripsand falls

OB-H006 Not evident that the DMI hasfrozen

OB-H007 Poor legibility of controls andindications / DMI not readable

DMI susceptible to vibration

OB-H008 Train fails tostop atintendedlocation

DMI data entry error

Inappropriate access toconfiguration settings

Incorrect data preparation

Collision between trains ortrain derailment due toinsufficient braking curves

OB-H009 Driverconfused ordistracted

Poor integration with othersystems


OB-H010 AWS indications integratedwith DMI

Operations delay



RSSB Page 97 of 112



OB-H011 Excessiveelectromagnetic emissionsfrom system

Excessive EMC emissions Sudden brake application(Freight - brake snatching) -leading to passenger slips, tripsand falls

OB-H012 System hasinsufficientimmunityfromelectromagnetic interference

Inadequate EMC immunity Sudden brake application(Freight - brake snatching) -leading to passenger slips, tripsand falls

OB-H013 Potential forinjury carryingoutmaintenanceactivities

Inadequate protection of liveequipment.

Inadequate safety guards

Electrocution / electric shockinjury following contact withlive terminals

OB-H014 Potential forslip/trip/fall

ETCS equipment introducesslip / trip / fall risk

Slip / trip / fall



Page 98 of 112 RSSB




ETCS fitment compromisesbrake system

Brake failure leading tocollision / derailment at linespeed

OB-H016a ETCS emergency / servicebrake not applied at rate, andresponse time, equivalent tothat achievable by a driver-initiated application


OB-H016b ETCS emergency / servicebrake not applied at rate, andresponse time, equivalent tothat achievable by a driver-initiated application

ETCS on-board system cutstraction effort to the train tooquickly

Sudden brake application(Freight - brake snatching) -leading to passenger slips, tripsand falls

OB-H018 ETCS on-board system doesnot disengage the set speedcontrol automatically duringbrake intervention

Driver inattention

OB-H019 Cold movement detector failsto detect movement


OB-H020 ETCS on-board system fails tosuppress AWS/TPWS whenrequired

Unexpected brake applications- leading to passenger slips,trips / falls

OB-H021 ETCS on-board systemsuppresses AWS/TPWS whennot required to do so

Ability to select SH in LevelsNID_NTC=20 and 21

The AWS / TPWS system not'Operational Ready' whenrequired

Train proceeds along routeunprotected - leading to acollision / derailment at linespeed

OB-H022 ETCS on-board systemsuppresses AWS/TPWS whennot required to do so



RSSB Page 99 of 112




Class B system in-servicemonitoring suppressedincorrectly by ETCS on-boardsystem

Class B system failure /isolation not handled correctly


OB-H024 Inappropriate access toconfiguration settings

Inappropriate access toequipment

Cyberattack

OB-H025 Trainoverspeeds

Incorrect speed units displayedon DMI

Confusion over 'set speed'units

Potential overspeed leading toa derailment

OB-H026 Incorrect speed indicated todriver

Multiple speedometers presentshowing different speeds

Poor ride quality resulting inslips, trips, falls etc

Table 1: ETCS onboard system hazards



Page 100 of 112 RSSB


Appendix B Appendix B: Issues Still Under Development

B.1 Table 2 sets out a list of the ETCS onboard subsystem issues that are still beingdeveloped, some of which are shown as open points in this RIS. The table reflects thecontent in NEPT/ERTMS/REQ/0007 issue 3.2, Appendix D.

No Issue Description

6 Online key management Online Key Managementhas been identified as arequirement for GB rollingstock owing to thedifficulties that wouldappear for key updatesusing a purely offlinesolution. Somerequirements have beenidentified and these areconsidered adequate tocover the ETCS onboardsubsystem – it is the widersystem aspects that needto be resolved. Work is stillongoing within the ETCSteam and the ERA to closethe system-wide aspects

8 Integration with Class Bsystems other than AWS /TPWS

The requirements forinterfacing with the AWS /TPWS are defined withinthe document; however,integration with otherClass B systems has notbeen fully addressed atthis stage



RSSB Page 101 of 112



9 AWS brake application The SRS requirements forthe lambda braking modelsuggest that an ETCSbrake application affectedby the AWS system maynot be acceptable. Work isbeing undertaken withinthe ERTMS ProgrammeTeam to verify this. If it isshown that the AWS willwork, the requirements forthe brake interface systemwill be amended to allow it

10 The Agency categorisationof requirements

Work is being undertakenbetween the ETCSProgramme Team and theERA to re-categorise theEOSS requirements interms of their purposerather than their necessity.This categorisation will notaffect the document, otherthan providing furtherinformation as to why arequirement has beengenerated

11 JRU recording capacity A minimum recordingcapacity (expressed intime) has been identifiedas a worthwhilerequirement forstandardisation acrossfleets. No suchrequirement is includedwithin this specification






15 Remote JRU / fault logdownload

Whilst it is acknowledgedthat the ability todownload remotely theJRU, fault logs or systemstatus, what ‘remotely’means is not fullyspecified. Continuousremote monitoring inservice will need adifferent solution todiscrete remote downloadat defined locations

16 Standardisation of DMIfault codes

Standardised fault codesand messages wouldenable a common set ofoperational procedures tobe developed that coverthe way onboard faults aredealt with across fleets ofdifferent types. Furtherwork in this area isongoing

17 ETCS Level 3 When ETCS Level 3 hasbeen developed, andEuropean standards andGB application rulespublished, furtherrequirements may need tobe included

18 Class B systemrequirements

To transfer out some ofthe Class B requirementsinto National TechnicalRules

19 Split-screen DMI To identify newrequirements should thesplit-screen DMI solutionbe accepted






21 Plain text messages A new requirement isneeded to limit plain textmessages to just thoserequired by the DMISpecification, routing andStart of Mission (SOM),and fault indications

22 Remaining commentsfrom industry review

Remaining commentsfrom the industry reviewneed to be closed out

23 Operational test scenario(OTS) input

There will beconsequentialamendments required toaccommodate the outputfrom the OTS work

Table 2: ETCS onboard subsystem: Issues under development





Definitions

APC Automatic Power Control.

ATO Automatic Train Operation.

Authorised person A person authorised to carry out one or more duties set out in asafety management system.

Automatic Train Protection(ATP)

ATP is a system that continualy checks that a train does not exceedthe permitted speed or distance allowed by the signalling system.

Automatic Warning System(AWS)

A system that gives train drivers in-cab warnings of the approachto signals, reductions in permissible speed and temporary /emergency speed restrictions, and to apply the brakes in the eventthat a train driver does not acknowledge cautionary warnings givenby the system within the specified time. Source: GERT8075.

Baseline A set of specifications that forms a recognised legal version ofERTMS/ETCS.

CCS Control, Command and Signalling.

Class B systems Existing non-ETCS national signalling systems. For list of Class Bsystems, see European Union Agency for Railways technicaldocuments 'List of CCS Class B systems, ERA/TD/2011-11, version3.0'.

Defect Any fault(s) in a component, or assembly, which may prevent thecomponent, or assembly, from fulfilling its design purpose.

Drive / Train driving The human tasks and processes necessary to control themovement of a train in accordance with operating rules andprocedures.

Driver Machine Interface(DMI)

A HMI for the driver.

EDOR ETCS Data only Radio.

ElectromagneticCompatibility (EMC)

The ability of equipment or a system to function satisfactorily in itselectromagnetic environment without introducing intolerableelectromagnetic disturbances to anything in that environment.

ERTMS European Rail Traffic Management System.

ETCS onboard subsystemdiagnostic tools

Tools that support the following processes for the ETCS onboardsubsystem: maintenance, fault-finding, data download, dataanalysis and data interrogation.

European Train ControlSystem (ETCS)

The signalling, control and train protection part of the EuropeanRail Traffic Management System designed to provideinteroperability and standardisation across European railways.

EVC European Vital Computer.





Fault [Software] A fault is an incorrect software system state that prevents it fromperforming as required. It may result from failures in systemcomponents, design errors, environmental interference, or operatorerrors.

Fault [Electrical] A situation where an abnormal electric current is generated. Forexample, a short circuit due to dewirement is a fault in whichcurrent bypasses the normal load. In practice, the protectionsystems have a sufficiently fast response time to clear the fault in<1s and so the risk of EMF exposure is considered tolerable as thetime at risk is very small. This may be further refined in the futurefollowing the publication of additional guidance from the HSE andEU.

Full Supervision mode (FS) ERTMS/ETCS on-board equipment mode giving full protectionagainst overspeed and overrun.

Gauge Set of rules, including a reference contour and its associatedcalculation rules allowing defining the outer dimensions of thevehicle and the space to be cleared by the infrastructure. ENE TSI.

Note: According to the calculation method implemented,the gauge will be a static, kinematic or dynamic.

GB mainline railway Mainline railway has the meaning given to it in the Railways andOther Guided Transport Systems (Safety) Regulations 2006 (asamended) and the associated exclusions. GB Mainline Railway isthe mainline railway network excluding any railway in NorthernIreland, the Channel Tunnel, the dedicated high speed railwaybetween London St Pancras International Station and the ChannelTunnel, and any other exclusions determined by the member state.

General Packet RadioService (GPRS)

GPRS is a method of sending data from the train to the tracksideand vice versa, via packets.

Global Navigation SatelliteSystem (GNSS)

A generic term to describe the technology of navigation by satelliteto all such systems, for example, GPS.

Global System for MobileCommunications - Railway(GSM-R)

The European Standard specific to railway applications for thetransmission by radio of voice and data between train andtrackside installations. Source: GERC8517 Iss 1.

GSM-R Global System for Mobile Communications - Railway.

Hazard A condition that could lead to an accident. Source: CSM RA.

Human Machine Interface(HMI)

HMI is the graphical interface device which indicates informationto the operator (user) and which is used by the operator for thepurpose of operating the associated system(s).

Interpret / interpreting(signalling system displays)

The action of understanding the information conveyed by thesignal aspect or indication after it has been read (for example,understanding that a red signal aspect means ‘limit of MA’).





Isolation mode (IS) ETCS Isolation Mode. When the ERTMS/ETCS on-board equipmentis disconnected from the vehicle braking system. Isolation isindicated to the driver.

Juridical Recording Unit(JRU)

A device to record actions and exchanges relating to the operationof trains, sufficient for off line analysis of events.

Key Management System(KMS)

Collective term for the personnel, equipment and procedures usedto manage ERTMS keys in the ERTMS key management domain.

Leading vehicle A vehicle permitted to operate at the head of a train. Unpoweredvehicles which are used at the head of a train only when followingthe rules for propelling movements are excluded.

Line replaceable unit (LRU) A modular component of a structural system or subsystem that isdesigned to be replaced quickly.

MA Movement authority.

Multiple unit A fixed formation of one or more vehicles capable of operationunder their own traction power; the formation may be capable ofworking in multiple with other similar formations.

No Power mode (NP) ERTMS/ETCS on-board equipment mode in which the on-boardequipment is not powered and the emergency brake iscommanded.

Non Leading mode (NL) ERTMS/ETCS on-board equipment mode when it is connected to anactive cab which is not in the leading engine of the train.

On Sight mode (OS) ERTMS/ETCS on-board equipment mode that gives the train driverpartial responsibility for the safe control of their train. In this modethe train possesses a movement authority but the track aheadmight be occupied by another train.

Passive Shunting mode (PS) ERTMS/ETCS on-board equipment mode that allows the on-boardof a slave engine to be part of a shunting consist; or to carry on ashunting movement with a single engine fitted with one on-boardequipment and two cabs, when the driver has to change the drivingcab.

Railway Undertaking (RU) Any private or public undertaking the principal business of which isto provide rail transport services for goods and/or passengers, witha requirement that the undertaking must ensure traction; this alsoincludes undertakings which provide traction only. Source: Article 3(a) of Directive 2004/49/EC.

RBC Radio Block Centre.

Reliability The ability of an item to perform a required function under givenenvironmental conditions for a given period of time. Source: BS EN50128:2011.

Reversing mode (RV) ERTMS/ETCS on-board equipment mode that allows the driver tochange the direction of movement of the train whilst controllingthe train from the same cab.





Risk The combination of the likelihood of occurrence of harm and theseverity of that harm (specifically defined in CSM RA regulation as:the frequency of occurrence of accidents and incidents resulting inharm (caused by a hazard) and the degree of severity of thatharm).

Route The physical path of a journey to be undertaken by a vehicle or acollection of vehicles, where the path is comprised of a number oftrack sections, each of which has individually definedcharacteristics.

Safe integration According to Commission Recommendation 2014/897/EU (2b) onmatters related to the placing in service and use of structuralsubsystems and vehicles under Directives 2008/57/EC and2004/49/EC, ‘safe integration’ means the action to ensure theincorporation of an element (for example, a new vehicle type,network project, subsystem, part, component, constituent,software, procedure, organisation) into a bigger system, does notcreate an unacceptable risk for the resulting system.

Shunting mode (SH) ERTMS/ETCS on-board equipment operating mode which allowsthe train to move in shunting, without available train data.

SIL Safety Integrity Level.

Sleeping mode (SL) ERTMS/ETCS on-board equipment mode that is used for the on-board equipment in slave engines controlled by a leading engine.

Specific TransmissionModule (STM)

Device allowing the ERTMS/ETCS onboard equipment to beinterfaced with the onboard part of an existing National TrainControl system. It allows smooth transitions from/to the NationalSystem and gives access to some ERTMS/ETCS on-board resources(e.g. DMI). Source: ERTMS_and_ETCS Glossary of Terms UNISIGSubset-023 v3.1.0 dated 12/05/2014: UNISIG Subset-023 v3.1.0dated 12/05/2014.

Staff Responsible mode(SR)

ETCS Staff Responsible mode.

Stand By mode (SB) ERTMS/ETCS on-board equipment mode that is a default modewhen the on-board equipment is powered up or that is enteredwhen shunting or non-leading mode is left or when the active cab isclosed.

STM Specific Transmission Module.

Subsystem One of the subsystems (of the European railway system) identifiedby the Interoperability Directive. Subsystems can be structural orfunctional.

Supplier The generic term for any organisation or individual that provides,supplies, or seeks to supply, products and services. The wordContractor may be used to mean the same, particularly withregards to construction.





Technical compatibility Technical compatibility means an ability of two or more structuralsubsystems or parts of them which have at least one commoninterface, to interact with each other while maintaining theirindividual design operating state and their expected level ofperformance. Source: 2014/897/EU.

Train A train is defined as (a) traction unit(s) with or without coupledrailway vehicles, including light locomotive and self-propelled railvehicle operating in rail mode, with train data available operatingbetween two or more defined points.

Train formation A group of vehicles which may include individual vehicles or unitsformed to make up the operational train.

Train protection andwarning system (TPWS)

Train Protection and Warning System (TPWS) is a systemmitigating Signals Passed At Danger and non-respect ofpermissible speeds.

TSI Technical Specification for Interoperability.

Vehicle An individual vehicle or car of any train formation.

Wheelset A complete unit comprising an axle and two complete wheelstogether with any gear wheels, brake discs, etc, but without axlebearings and their end caps, spacers, seals and other associatedfittings. The wheels may be either tyred or monobloc.





References

The Standards Catalogue gives the current issue number and status of documents published byRSSB. This information is available from http://www.rssb.co.uk/railway-group-standards.

RGSC 01 Railway Group Standards Code

RGSC 02 Standards Manual

Documents referenced in the text

Railway Group Standards

GERT8075 AWS and TPWS Interface Requirements

GERT8402 ERTMS/ETCS DMI National Requirements

GMRT2161 Requirements for Driving Cabs of Railway Vehicles

GMRT2185 Train Safety Systems

GMTT0088 Permissible Track Forces for Railway Vehicles

RSSB Documents

GKGN0602 Guidance on Train Rooftop Antenna Positioning

GMGN2460 Guidance on Compliance with Noise and Vibration Legislation inthe Railway Environment

RIS-0743-CCS ERTMS Key Management

RIS-0775-CCS AWS and TPWS Application Requirements

RIS-2004-RST Rail Vehicle Maintenance

RIS-2472-RST Requirements for Data Recorders on Trains

RIS-8270-RST Route Level Assessment of Technical Compatibility betweenVehicles and Infrastructure

RSSB research report T088 Vibration environment for rail vehicle mounted equipment

Other References

BS EN 15595:2009 Railway applications. Braking. Wheel slide protection.

BS EN 16186-2 Railway applications. Driver's cab. Integration of displays, controlsand indicators

BS EN 60529:1992 Degrees of protection provided by enclosures (IP code)

BS EN 894-1:1997 Safety of machinery. Ergonomics requirements for the design ofdisplays and control actuators. General principles for humaninteractions with displays and control actuators

BS EN 894-2:1997 Safety of machinery. Ergonomics requirements for the design ofdisplays and control actuators.






BS-EN ISO 9241-11:1998 Ergonomic requirements for office work with visual displayterminals (VDTs). Guidance on usability

BS-EN ISO 9241-400:2007 Ergonomics of human-system interaction. Principles andrequirements for physical input devices

CCS TSI COMMISSION REGULATION (EU) on the technical specification forinteroperability relating to the ‘control-command and signalling’subsystems of the rail system in the European Union

Change request #4 EOSS-83, CR#4, version 1.2, CCMS no: 66355116

Change request #5 EOSS, CR#5, version 1.0, CCMS no: 66355116

Change request #6 ENTOSS, CR#6, version 1.0 , ref no: 66355115

CSM RA Common Safety Method for Risk Evaluation and Assessment.COMMISSION REGULATION (EU) No 2015/1136 of 13 July 2015amending Implementing Regulation (EU) No 402/2013 on thecommon safety method for risk evaluation and assessment.

EN 15892:2011 Railway applications. Noise emission. Measurement of noise insidedriver's cabs

EN 50125-1:2014 Railway applications. Environmental conditions for equipment.Rolling stock and on-board equipment

EN 50155:2007 Railway applications: Electronic equipment used on rolling stock

EN 50155:2017 Railway applications. Rolling stock. Electronic equipment

EN 61373:2010 Railway applications. Rolling stock equipment. Shock and vibrationtests

EN 61375-1:2012 Electronic railway equipment. Train communication network (TCN).General architecture

EN ISO 9241-420:2011 Ergonomics of human-system interaction: Selection of physicalinput devices

ERA_ERTMS_015560 ERA DMI specification version 3.6.0 June 2016

ERA_ERTMS_040001 ASSIGNMENT OF VALUES TO ETCS VARIABLES

ERA/TD/ 2011-11 LIST OF CLASS B SYSTEMS

ETCS Hazard Log version 20

IEC 60509:1989 Degrees of protection provided by enclosures (IP code)

IEC 61508:2010 Functional Safety

ISO 9241-210:2010 Ergonomics of human-system interaction -- Part 210: Human-centred design for interactive systems

LOC & PAS TSI COMMISSION REGULATION (EU) on the technical specification forinteroperability relating to the ‘rolling stock - locomotives andpassenger rolling stock’ subsystem of the rail system in theEuropean Union





NEPT/ERTMS/REQ/0007 ETCS Baseline 3 - GB Onboard Retrofit Systems RequirementsSpecification, version 3.2, July 2017

NEPT/ERTMS/REQ/0038 ETCS Baseline 3 - GB Onboard New Trains SubsystemRequirements Specification, version 2.2, July 2017

Noise TSI (Rolling Stock) COMMISSION REGULATION (EU) on the technical specification forinteroperability relating to the subsystem ‘rolling stock - noise’

NR/AM/SA/SPE/00147 ERTMS Reliability Specification, Issue A07

Railway Safety Regulations1999

RIA12 GENERAL SPECIFICATION FOR PROTECTION OF TRACTION &ROLLING STOCK ELECTRONIC EQUIPMENT FROM TRANSIENTS &SURGES IN DC CONTROL SYSTEMS

STE/ATO/REQ/002 ATO System Requirements Specification

Subset-026 ERTMS/ETCS Class 1 System Requirements Specification, version3.6.0

Subset-027 ERTMS/ETCS FIS Juridical Recording

Subset-035 ERTMS/ETCS Specific Transmission Module FFFIS

Subset-037 EuroRadio FIS

Subset-119 Train Interface FFFIS

Subset-125 ATO Over ETCS System Requirements Specification

Subset-126 ATO-OB / ATO-TS Interface Specification

Subset-130 ATO-ON / ETCS-OB Interface Specification

Subset-137 On-line Key Management FFFIS

The Control of Noise atWork Regulations 2005

The Control of Vibration atWork Regulations 2005

The Electricity at WorkRegulations

The Management of Healthand Safety at Work Act

UFF/Cullen Report The Southall and Ladbroke Grove Joint Inquiry into TrainProtection Systems



