key train requirements issue 4 - rssb · · 2017-05-311.4 braking systems ... (electromagnetic...

Key Train Requirements

issue 4

Prepared by: David Polhill

ATOC Senior Rolling Stock Engineer - Interfaces

On behalf of: V/V SIC KTR Sub-group

Key Train Requirements – Issue 4 Page 1

AMENDMENT RECORD

KTR Issue Dated Notes

One January 2011

First Issue

Two February 2013

Updated issue incorporating industry feedback following publication of Issue One

Three September 2014

Addition of Operational aspects, new suggestions and comments. Title changed from Key Technical Requirements for Rolling Stock to Key Train Requirements

Four June 2016

Additional and new items added. New appendices included.

Note: Vertical lines to the right of text and titles indicate changes and additions from the

previous version.

Have you got some suggestions for new or revised requirements or want more

information?

Send your idea, request and your details by email to [email protected]

mailto:[email protected]?subject=Suggestion%20from%20KTR%20document


Contents Introduction to Key Train Requirements (KTR) ....................................................................................... 6

Why use this document? .................................................................................................................... 6

How to use this document? ................................................................................................................ 6

Document structure ............................................................................................................................ 7

Background to KTR .................................................................................................................................. 8

1. Key Requirements - Technical ......................................................................................................... 9

1.1 Vehicle Mass ........................................................................................................................... 9

1.2 Track/Train Interface .............................................................................................................. 9

1.3 Couplers .................................................................................................................................. 9

1.4 Braking Systems .................................................................................................................... 11

1.5 Brake application on door release ........................................................................................ 12

1.6 Sanding Systems.................................................................................................................... 12

1.7 Consumable Tank Capacities and Servicing Requirements .................................................. 13

1.8 Windscreen Wiper Systems .................................................................................................. 14

1.9 Electrical Connectors and Cable Idents................................................................................. 14

1.10 Bonded Components ............................................................................................................ 14

1.11 Reliability ............................................................................................................................... 15

1.12 Meteorological Effects .......................................................................................................... 15

1.13 Availability ............................................................................................................................. 16

1.14 Maintainability ...................................................................................................................... 17

1.15 Design life and obsolescence management .......................................................................... 18

1.16 Vehicle Gauging Information ................................................................................................ 18

1.17 Electrical collector systems ................................................................................................... 19

1.17.1 Future Proofing of Third Rail (750V DC) Rolling Stock .................................................. 19

1.17.2 750V DC Shoegear in icy weather ................................................................................. 19

1.17.3 Overhead line and pantographs ................................................................................... 19

1.17.4 Pantograph automatic dropping device (ADD) ............................................................. 20

1.17.5 Supplies at neutral sections .......................................................................................... 20

1.18 Systems Architecture ............................................................................................................ 20

1.19 Global Navigation and Satellite System (GNSS) on-board .................................................... 21

1.20 Train Location and Movements (GPS) Project ...................................................................... 21

1.21 Speed set ............................................................................................................................... 21

1.22 Sight glasses .......................................................................................................................... 22


1.23 Equipment fixing and access ................................................................................................. 22

1.24 Critical and non-critical systems and supplies ...................................................................... 22

1.25 Load Shedding Strategy ........................................................................................................ 22

1.26 Mobile phone reception ....................................................................................................... 22

1.27 Pressure limits ....................................................................................................................... 22

1.28 Bi-mode powered trains ....................................................................................................... 23

1.29 Train Management System (TMS) – Design .......................................................................... 23

2 Key Requirements – Performance & Environmental .................................................................... 25

2.1 Aerodynamic Efficiency ......................................................................................................... 25

2.2 Propulsion ............................................................................................................................. 25

2.3 Sustainability ......................................................................................................................... 25

2.4 Energy Efficiency & Traffic Management .............................................................................. 27

2.5 Auxiliary Power ..................................................................................................................... 29

2.6 Pneumatic air supply ............................................................................................................. 29

2.7 Transposition of EMF (Electromagnetic Field) Directive ...................................................... 29

3 Key Requirements - Passenger Facing .......................................................................................... 30

3.1 Heating Ventilation and Air Conditioning (HVAC) ................................................................. 30

3.2 Passenger Security ................................................................................................................ 31

3.3 Passenger Ergonomics .......................................................................................................... 32

3.4 Ride Quality ........................................................................................................................... 34

3.5 Sound, noise and vibration levels ......................................................................................... 34

3.6 Passenger Counting............................................................................................................... 35

3.7 Passenger Information System (PIS) ..................................................................................... 35

3.8 Seat Reservation Systems ..................................................................................................... 37

3.9 Provision of Luggage Storage ................................................................................................ 37

3.10 Toilets .................................................................................................................................... 38

3.11 Cleanability ............................................................................................................................ 39

3.12 Vandalism Mitigation ............................................................................................................ 39

3.13 Interior Panels ....................................................................................................................... 40

3.14 Flooring ................................................................................................................................. 40

3.15 Interior Powered Doors (excluding toilet doors) .................................................................. 40

3.16 Buggy Space, Cycle Store or Multi-use Storage .................................................................... 41

3.17 Passenger power supplies ..................................................................................................... 41

3.18 Lighting .................................................................................................................................. 42


3.19 Interiors “Miscellany” ........................................................................................................... 42

3.19.1.1 Window blinds .......................................................................................................... 43

3.19.1.2 Litter Bins .................................................................................................................. 43

3.19.1.3 Provision of Handholds ............................................................................................. 43

3.19.1.4 Provision of Tip-Up Seats .......................................................................................... 43

3.19.1.5 Fixed Tables ............................................................................................................... 43

3.19.1.6 Seat Back Tables ........................................................................................................ 43

3.19.1.7 Cup Holders ............................................................................................................... 44

3.19.1.8 Table Surfaces ........................................................................................................... 44

3.19.1.9 Coat Hooks ................................................................................................................ 44

3.19.1.10 Seat rails .................................................................................................................... 44

3.19.1.11 Bodyside windows .................................................................................................... 44

3.20 Platform train interface ........................................................................................................ 44

3.21 Wheelchair ramp design ....................................................................................................... 45

3.22 Mobility scooter access ......................................................................................................... 45

3.23 External access doors ............................................................................................................ 45

4 Key Requirements - Operational ................................................................................................... 47

4.1 Driver Only Operation (Passenger) (DOO(P)) ........................................................................ 47

4.2 Selective Door Operation (SDO) ........................................................................................... 47

4.3 Location of Driver Resettable Controls and Isolation of Equipment .................................... 48

4.4 Cab Design and interfaces ..................................................................................................... 48

4.5 Human Factors Mitigation - Design of Control Systems ....................................................... 51

4.6 Supply System Changeovers ................................................................................................. 51

4.7 Reminder of number of vehicles in a train ........................................................................... 51

5 Key Requirements - Communications and Diagnostics ................................................................ 53

5.1 Software security .................................................................................................................. 53

5.2 Open Source Software .......................................................................................................... 53

5.3 European Rail Traffic Management System (ERTMS) ........................................................... 53

5.4 Remote Condition Monitoring (RCM) Systems ..................................................................... 54

5.5 Diagnostics ............................................................................................................................ 56

5.6 Mobile Communications Reception ...................................................................................... 56

5.7 Passenger internet access ..................................................................................................... 56

5.8 On Train Data Recorders (OTDR) .......................................................................................... 57

5.9 Global System for Mobile Communications – Railway (GSM-R) ........................................... 57


Appendix A – Items intentionally excluded from KTR – Issue 4............................................................ 59

Appendix B – List of research and innovation sources ......................................................................... 60

Appendix C - Toilet design requirements .............................................................................................. 61

C.1 Toilet Controls ....................................................................................................................... 61

C.2 Doors and Door Controls ...................................................................................................... 62

C.3 Tank Capacities and Range ................................................................................................... 64

C.4 Ease of Manufacture / Maintainability ................................................................................. 65

C.5 Customer Facing Ancillary Equipment .................................................................................. 66

C.6 Resistance to Misuse / Vandalism ........................................................................................ 67

C.7 Health and Hygiene ............................................................................................................... 68

Appendix D – Software security ............................................................................................................ 70

D.1 Introduction .......................................................................................................................... 70

D.2 System Architecture .............................................................................................................. 70

D.2.1 Security Requirements .................................................................................................. 70

D.2.2 Communication Traffic Monitoring .............................................................................. 71

D.2.3 End point device security .............................................................................................. 72

D.3 Secure Development Practices ............................................................................................. 73

D.4 Third party supplied systems/software/modules ................................................................. 74

D.5 Documentation and Tracking of Vulnerabilities ................................................................... 74

D.6 Security Risk Assessment ...................................................................................................... 75

D.7 Full systems software identification/classification & impact assessment ............................ 75

D.8 All software ........................................................................................................................... 76


Introduction to Key Train Requirements (KTR)

Why use this document?

This document is intended to assist rolling stock procurers, manufacturers and system suppliers. It

captures experience that has emerged from historic rolling stock projects and highlights areas where

new developments are taking place that will potentially need to be considered when requirements

are being specified and trains being designed to operate in the UK.

The purpose of the document is to capture aspects of train design that are recognised as industry good

practice but cannot, due to the clearly defined scope for mandatory Standards, be covered by the

usual contractual requirement to “comply to all applicable Standards”. In addition, where clear

recommendations have emerged from industry research, but these have yet to be incorporated into

Standards, the opportunity is taken in this document to bring such items to the attention of relevant

industry parties.

In addition to procurement of new rolling stock, some of these train requirements are equally

applicable to vehicle refurbishment or continued service operation (life extension) projects. The KTRs

of relevance will be confined to the scope of work content in this case.

The drafting group consists of representatives from manufacturers, leasing companies, TOCs, Network

Rail and technical specialists and is led by ATOC.

How to use this document?

Firstly, this document is not intended to be sent to a manufacturer or supplier as a whole for them to

quote against. This would be costly and achieve little. It is intended to be used as an aid to preparing

a specification and only the relevant clauses should be selected.

It is clear that, for many of the items covered in this document, a decision will need to be made by

those specifying and designing trains as to whether there is a business case for incorporating the

requirement. In these cases it is recommended that this document should be used to complement a

high level business specification which defines the nature of the service to be provided (e.g. route

capacity and journey times) whilst leaving some flexibility for future redeployment. It must therefore

be stressed that each individual project will need to consider carefully the applicability of each of these

KTRs and their impact on whole system, whole life costs in order to identify solutions that represent

best value for money to the industry. It is recommended that, as an absolute minimum, the following

factors should be taken into account when evaluating whole life, whole system costs:

Initial train procurement cost

Cost of in-service failures (e.g. proven reliability of sub-systems, systems redundancy)

Cost of non-availability due to planned or unplanned maintenance (e.g. ease of changing key

components, systems diagnostics, condition based maintenance approach)

Cost of maintenance and overhaul (e.g. modular sub-systems, corrosion resistance)

Energy costs (e.g. vehicle mass, traction drive efficiency, energy recovery, energy efficient

auxiliary systems)

Track wear and tear (e.g. unsprung mass, bogie rotational stiffness)


Document structure

Whilst acknowledging the comments above regarding business case, many of the requirements listed

simply represent industry best practice and should be seen as necessary requirements for any train.

In these cases the requirements are generally introduced by “shall…” , indicating that they should be

seen as essential for any design of train and that there should be NO valid business justification for

non-inclusion.

This document is sub-divided into five sections of key requirements for rolling stock as follows:

Section 1: Key Requirements - Technical

Section 2: Key Requirements - Performance

Section 3: Key Requirements - Passenger Facing

Section 4: Key Requirements - Operational

Section 5: Key Requirements - Communications and Diagnostics

Note that all hyperlinks to RSSB research projects have been changed to reflect the new RSSB website

(www.rssb.co.uk). In some cases a login to RSSB’s SPARK may be required in order to see the

information.

Contact RSSB at http://www.sparkrail.org/authentication/pages/register-info.aspx for more details.

References to work in progress or are due to start, e.g. RSSB Research Projects, have been included in

this document for information. Suitable outputs from the work will be included in future KTR updates.

http://www.sparkrail.org/authentication/pages/register-info.aspx


Background to KTR In 2009 the Technical Strategy Advisory Group (TSAG) remitted the Vehicle/Vehicle System Interface

Committee (V/V SIC) to develop guidance on key technical requirements for new trains. These

requirements represented best practice that experience has demonstrated not to be adequately

covered by mandatory standards. The initial version of the document (KTR v1) was published in

January 2011, with a second version in February 2013 and a third version in September 2014.

This updated document, now called Key Train Requirements (KTR v4), is issued under the auspices of

the Technical Strategy Leadership Group (TSLG) and includes an expanded coverage of operational

aspects.

In KTR v2, an appendix A (Items Intentionally Excluded from KTR) was added. This appendix has been

updated in subsequent versions.

New Appendix B has useful links to current research and innovation programmes, which provide

additional information to support the KTR.

New Appendix C covers requirements relating to toilet design. This has incorporated input from train

operators, owners and manufacturers; as well as from Transport Focus.

New Appendix D covers software and cyber security. Its scope is broader than design, as it helps with

updating or actions following cyber-attack.


1. Key Requirements - Technical

1.1 Vehicle Mass

1.1.1 Targets that optimise the mass of rolling stock to deliver lowest whole life cost to the “railway

system” shall be specified. Mass reduction through intelligent / innovative design is clearly

beneficial, but this should not be pursued as an end in itself.

Note: It is recommended that the outputs of Railway Safety and Standards Board (RSSB)

Project “T712: Research into Trains with Lower Mass in Britain” are used to inform any

decisions as to the target mass for new builds of rolling stock - details of this project

can be found at:

http://www.rssb.co.uk/library/research-development-and-innovation/research-brief-

t712.pdf

1.2 Track/Train Interface

1.2.1 Rolling stock shall be specified so that the vehicle / track interface is optimised using an

industry recognised whole life, whole system vehicle / track interaction model e.g. the RSSB

Vehicle / Track Interaction Strategic Model (VTISM) - details of this project can be found at:


t353.pdf

1.2.2 The specification of active suspensions (mechatronics) should be considered subject to an

assessment of the maturity of the technology and the robustness of the supporting business

case.

Note: It is recommended that the work being led by V/T SIC on behalf of the Technology

Strategy Leadership Group (TSLG) is used to inform any decisions as to the

appropriateness of mechatronics.

1.3 Couplers

1.3.1 There is currently no agreed standard coupler configuration for UK passenger rolling stock and

this creates a barrier to the interworking of vehicles supplied by different manufacturers.

Note: In order to address this issue, RSSB Project “T1003: Standardisation of Coupling

Arrangements” reported in April 2014 that there is a business case for mechanical and

full electrical compatibility in couplers. The project will continue creating

specifications for both cases.

http://www.rssb.co.uk/library/research-development-and-innovation/research-brief-t712.pdf





The research brief for Phase 1 can be found at:

http://www.rssb.co.uk/library/research-development-and-innovation/research-brief-T1003.pdf

1.3.2 The ability for interworking with subsets of existing designs of rolling stock should be specified

- recognising the aspirations for the long term use of the vehicles.

1.3.3 To facilitate interworking and stock cascade, specifications for rolling stock couplers shall be

as follows:

High Speed Trains: compatibility with coupler type “Scharfenberg Type 10”

Electrical Multiple Units: compatibility with coupler type “Dellner 12”

Diesel Multiple Units: compatibility with coupler type “BSI compact” or “Dellner 12”

Note that the “Type 10” is offered by other companies under licence than Voith, who now

own the Scharfenberg design.

1.3.4 To facilitate rescue of stranded trains an “emergency - limited functionality” mode of

communication between the stranded and rescue train should be considered. As a minimum

this would provide:

Emergency brake

Full service brake application

Traction Control

Door Control and Interlock

Crew to Crew Communication

Public Address

Passenger Communication Emergency Alarm

1.3.5 Design features to ensure that couplers continue to function reliably in difficult environmental

conditions (e.g. snow and ice; dead flies or other contamination) should be considered taking

into account the anticipated frequency of coupling operations. Design features that may be

appropriate include:

1.3.5.1 Protection of the coupler when not in use.

1.3.5.2 Automatic heating of the electrical head to prevent the build-up of ice.

1.3.5.3 Protection of the pneumatic and electrical connections by a tight cover when not

coupled.

1.3.5.4 Features to ensure that the coupler pocket remains free from the build-up of snow

and ice.




Note: It is recommended that the outputs of RSSB Project “T958: Ensuring Automatic Coupler Reliability During Ice and Snow” are used to inform any decisions with respect to the design of new builds of rolling stock - details of this project can be found at:

http://www.rssb.co.uk/library/research-development-and-innovation/research-

brief-t958.pdf

1.4 Braking Systems

1.4.1 Designs of dynamic braking systems shall optimise the system cost, weight and energy

recovery.

1.4.2 For rolling stock with electric traction the ability to brake regeneratively shall be provided.

1.4.3 The ability of trains to provide predictable braking performance under all conditions has been

recognised as a significant factor in enabling reductions in headways and hence maximising

route capacity. It is recommended that, where new trains are intended for operation on routes

where capacity is a critical factor, the potential for using such braking systems (e.g. track

brakes) should be explored with the infrastructure manager and the train manufacturers.

1.4.4 Brake blending shall give a barely discernible change between dynamic and friction braking in

order to give a comfortable ride. A maximum jerk rate of 0.5m/s3 is recommended, but a

facility should be provided to adjust this to suit operational needs.

1.4.5 Subject to achieving compliance with mandatory standards to ensure sufficient braking

capacity under all circumstances, consideration should be given to leaving an axle(s) unbraked

to deliver unambiguous speed signals. This reduces wheelset damage, gives a consistent and

reliable speed signal, and conditions the rail for following, more heavily braked, axles.

1.4.6 Magnetic Track Brakes are in use on heavy rail in Continental Europe at speeds up to 200kph.

A RSSB research project “T1099: Enabling Magnetic Track Brakes on Network Rail managed

infrastructure” has therefore commenced, with the aim to understand and demonstrate

compatibility of magnetic track brakes with existing Network Rail infrastructure. It will provide

information for the development of GB compatible infrastructure.

1.4.7 Brake redundancy using a Master/Slave concept for the Brake Control Unit (BCU) should be

considered. This should include the ability to isolate brakes per bogie and for the BCU to be

able to compensate to maintain brake performance.




1.5 Brake application on door release

1.5.1 Operators should consider the train to platform interface with respect to management of train

movement relative to the platform. Depending on the nature of the operation and the safety

management system in place, an operator may specify a functional requirement in a similar

form to that below:

"The train shall not be able to move, relative to the platform, once it has come to a stop and

door interlock has been released. Under this condition, the train shall only be able to move

again once door interlock is achieved".

1.6 Sanding Systems

1.6.1 The monitoring of sand levels in the vehicle sand box should be considered.

1.6.2 Additional functionality shall be considered to provide an indication to the driver in the event

of an empty sand box.

1.6.3 Additional functionality should be considered to provide an indication to the maintenance

staff of the level of sand in the box.

1.6.4 Consideration should be given to providing an indication to the driver when sand levels are

low such that manual sanding for traction should be avoided so that there is sufficient sand

available for braking.

1.6.5 Long term water tightness of sand hoppers and filling orifice covers shall be considered.

1.6.6 Sanding nozzles can often become blocked and consideration should be given to fitting heated

nozzles.

1.6.7 On the depot, human factors such as accessibility, height/size/shape of filling orifice etc. shall

be considered when designing and locating sand hoppers.

1.6.8 RSSB Project T1046: “Optimising the ability of industry to deal with low wheel-rail adhesion

and the use of sanders on train” has produced guidance for best practice for sanders (retrofit

or new build):

Sanding at multiple locations, rather than just axle no 3, so long as there are sufficient

axles after the last sanding location to clear any residual sand from the rail head – this

applies to both single, fixed formation units and units in multiple formation.

Fixed rate sanders should be designed to deliver as near as possible to the maximum

deposition rated permitted by the RGS, but not exceed it.

Fitment of speed dependent variable rate sanders.

(A suggested delivery rate of 7.5 grams/metre per axle, whilst moving, and never

exceeding 2kg/min per axle down to a speed of 10 mph or higher).


Note 1: Current features that T1046 recommends, require the granting of deviations

against Railway Group Standard (RGS) “GMRT2461 issue 1 Sanding Equipment

Fitted to Multiple Units and On-Track Machines”. Two Deviations have been

authorised so that individual applications are no longer required. These are for

multiple units with tread brakes units (Deviation 15/060/DEV) and multiple units

with disc brakes (Deviation 15/061/DEV).

Once GMRT2461 is reissued (expected in September 2016), these deviations will

be withdrawn.

Note 2: RSSB Project T797: “Performance and installation criteria for sanding systems”

mentioned in issue 3 of the KTR, did some initial work which was expanded by

T1046.

1.7 Consumable Tank Capacities and Servicing Requirements

1.7.1 Proposed rolling stock duty cycles need to inform the provided capacities of fuel tanks; toilet

water tanks; toilet Controlled Emission Toilet (CET) tanks; windscreen washer tanks and sand

hoppers. Such “consumables” capacities shall be designed for operational compatibility. This

means that sufficient capacity shall be provided for all such systems to avoid the need for ad-

hoc intermediate replenishment between planned visits to depots or servicing points. Whilst

providing larger water and waste tanks for toilets clearly utilises valuable space and increases

vehicle weight, recent experience of new trains’ procurement is that underestimating tank

capacity requirements leads to problems in service. (See section 3.10 and Appendix C for

further requirements related to toilet provision).

1.7.2 Consumables that, if low, would prevent normal operation of the train (e.g. fuel, washer fluid

etc.) should be flagged to the driver. These together with items such as toilet tanks that are

not service critical should send a message to the Control room so that action can be taken to

mitigate the effect of the low consumable.

1.7.3 Such consumables shall be easy to replenish / discharge without the need to position the

rolling stock over a depot pitted road and it shall be possible to completely replenish such

systems from either side of the vehicle.

1.7.4 It should be possible to connect shore supplies and replenish consumables from both platform

and track level.

Note 1: Some operators currently struggle to access such connections when vehicles are

stabled adjacent to platforms.

Note 2: This is equally applicable to equipment isolation switches e.g. Battery Isolators; and

level indicators; e.g. coolant and fuel.

1.7.5 Protective caps on consumable replenishment connectors e.g. Controlled Emission Toilet

(CET) tank caps shall be fitted with secondary retention devices. These secondary retention

devices shall be of sufficient strength to cater for dynamic forces should the cap become loose

in service.


1.8 Windscreen Wiper Systems

1.8.1 Dynamic effects on windscreen wiper systems shall also be considered to ensure windscreen

wipers remain effective throughout the attainable speed range of the rolling stock.

Note: This is applicable whether the driving cab is open ended or intermediate within a

train consist. Historically, with certain designs of rolling stock, there have been

instances of intermediate windscreen wipers becoming damaged as a result of

aerodynamic effects lifting wipers away from the windscreen when running at

speed.

1.8.2 Electrically powered wipers are considered more reliable and their use is recommended.

1.8.3 The use of variable speed wipers should be considered, including an intermittent setting.

1.9 Electrical Connectors and Cable Idents

1.9.1 Electrical connectors (plugs and sockets) should be designed to operate reliably for the life of

the vehicle. This includes ensuring they are positioned remotely from potential sources of

water ingress and oriented to avoid water traps and also ensuring the sealing arrangements

will not degrade over time.

1.9.2 Electrical wiring identification labels (idents) shall be specified to withstand normal wear and

tear without significant physical degradation in order to remain legible for the life of the

vehicle.

Note: An example of best practice in this area is colour coding of wiring idents.

1.10 Bonded Components

1.10.1 To avoid problems with the use of adhesives in an uncontrolled depot environment, the design

philosophy should be that no in-situ bonding is required to maintain or repair the vehicle.

1.10.2 All Line Replaceable Units (LRUs) shall be mechanically attached to the vehicle. For example

glazing units shall be supplied bonded to a frame which is then mechanically fastened to the

vehicle structure (see section 1.14.3).

Note: Designs where windows are bonded directly to the vehicle structure are not compliant

with this requirement since it cannot be guaranteed that depot temperature or

humidity will be within the specified ranges to ensure a satisfactory bond. There have

been instances where rolling stock has had to remain out of service with broken

windows since the depot temperature was outside the range specified to undertake

the bonding process.


1.11 Reliability

1.11.1 It is always the aspiration that the frequency and impact of failures should be minimised.

However, reliability targets (frequency of failure) should be established taking into account

the benefits to the operation and the costs (technical and commercial) of providing a

particular level of performance. It is recommended that RSSB Project “T782: Maximising

Future Rolling Stock Reliability” is used to inform any decisions taken with respect to setting

contractual reliability targets - details of this project can be found at:


t782.pdf

1.11.2 Reliability shall be specified in terms of the agreed current industry key performance

indicators (KPIs). In addition, it may also be appropriate to specify a measure that reflects the

effectiveness of the rolling stock design in assisting train crew to minimise the consequences

of a failure (i.e. delay) once it has occurred.

Note: The current KPIs are MTIn (Miles per Trust Incident number) and DPI (Delay Per

Incident).

1.11.3 When rolling stock is operating in “degraded mode” as a result of the failure of a key system

(e.g. auxiliary converter), the control systems shall automatically reconfigure so that the

impact on critical systems (e.g. external lighting and windscreen wipers) is kept to an absolute

minimum enabling the rolling stock to remain in service.

1.12 Meteorological Effects

1.12.1 Rolling stock systems shall be designed to operate reliably under all kinds of environmental

conditions expected to be experienced in the UK during the life of the vehicle. This is especially

pertinent with respect to the impact of climate change and the associated predictions of more

frequent instances of extreme weather conditions. Rolling stock of the future shall therefore

be designed to provide more resilience to foreseeable extremes of heat, rainfall and cold -

considering the impact on whole life cost.

1.12.2 In line with the above principles, particular consideration should be given to the following

design features to ensure continued reliable operation during snow and ice conditions:

1.12.2.1 Suitable protection shall be provided for electrical equipment to prevent the ingress

and build-up of dirt, moisture or snow.

Note: An example of good practice in this area is sealed equipment cases reliant

on external heatsinks. These heatsinks should be designed to not clog or

should be easy to clean without lots of equipment having to be removed to

gain access.

1.12.2.2 Placement of equipment ventilation louvers at roof level in order to significantly

reduce the dynamic effects of snow.




1.12.2.3 Measures to protect critical systems (e.g. warning horns [including heating them

and preventing snow ingress]; cab and passenger doors; windscreen wipers; DOO

cameras; couplers [see also 1.3.5] and head, tail and marker lights) from the effects

of the build-up of snow and ice

1.12.2.4 Provision of splash guards in the vicinity of brake discs to minimise the effects of the

build-up of snow and ice.

1.12.2.5 Making the underside of the train as smooth and continuous as possible as this

reduces the under-pressure below the train and hence the vulnerability to a build-

up of snow and ice.

1.12.3 A RSSB research project to look at the effects of trains operating through flood water “T1052:

Review of the Rules for the Operation of Trains Through Flood Water” was recently completed

and is awaiting publication. A link to the research brief can be found at:


T1052.pdf

1.13 Availability

1.13.1 The precise requirements for availability targets shall be developed in terms of whole life costs

of the rolling stock. Unrealistically high availability targets might initially seem attractive (as a

result of purchasing fewer vehicles) but it must be borne in mind that overhaul programmes

and unexpected damage (e.g. from vandalism or collisions) can rapidly erode any maintenance

allocation leading to subsequent difficulties maintaining service cover. Therefore the provision

of “strategic spares” should be considered. For example, components that do not form part

of the maintenance and overhaul plan requirements, but would be expensive or time

consuming to manufacture after the train-build is complete.

1.13.2 When specifying fleet size, availability requirements that are not related to maintenance e.g.

driver training and collision damage should also be considered.

Examples of good practice to optimise availability (primarily for multiple units) are:

ensuring the end vehicles are identical to facilitate unit reforming in the event of

collision damage

the provision of “shunt” controls where long fixed formation sets can be split to

facilitate subsequent unit reforms.




1.14 Maintainability

1.14.1 Where new trains are to be introduced to service, whether under a train service provision

agreement with the manufacturer or to be maintained by the train operator, the objective

should be to reduce routine inspection activities to a minimum.

Examples of good practice in this area are that:

rolling stock should be designed to facilitate the use of infrastructure based remote

condition monitoring equipment to undertake automatic vehicle inspection; e.g.

measuring brake pad thickness and wheel tread wear,

on-board condition monitoring systems capable of downloading data to intelligent

analytical tools that are able to recommend maintenance interventions in order to

prevent in-service failures from occurring.

1.14.2 Systems should be designed to minimise the amount of maintenance required.

Examples of good practice in this area are that:

electronic modules are specified with “plug and play” connectivity (to remove the

need for manual configuration upon component replacement),

parts of rolling stock that are vulnerable to impact damage (e.g. front fairings) are

easy to replace.

1.14.3 Where maintenance is required, systems shall be designed to facilitate such maintenance and

to minimise the vehicle downtime. It shall be possible for all planned maintenance to be

completed during an agreed specified timeframe allocated for maintenance.

1.14.4 The provision of comprehensive and accurate drawings, maintenance manuals, spares lists

and fault finding guides is an essential element in ensuring maintainability. Searchable

electronic formats are preferred. Irrespective of the contractual structure agreed for train

maintenance, a Design Authority shall be identified at the time of train procurement, with

specific responsibilities for ensuring that all of the documentation listed is not only provided

when the trains are delivered, but also kept up to date to reflect subsequent engineering

changes.

1.14.5 Areas that may trap and retain water should be avoided. This applies to corrugations on the

roofs, flat areas e.g. for jumpers or pantograph wells where a fall should be included and

drains to allow the water to flow away.


1.14.6 Equipment covers and access panels

1.14.6.1 Lower bodyside and roof mounted covers and panels shall be fitted with secondary

locking catches such that panels cannot open in service. These retention catches

shall be obvious when they are not engaged. Their orientation to show open or

locked shall be consistent throughout the train.

1.14.6.2 These access panels shall also not infringe the vehicle gauge when open. A retention

catch could be fitted.

1.14.6.3 Roof mounted equipment that requires frequent maintenance activities, for

example, filters, shall be designed so that access can be gained from below, possibly

from within the vehicle.

1.14.7 Following some issues with poorly and incorrectly assembled axleboxes, bearings and end

covers, RSSB are considering some work on the human factors involved in maintenance of

bearings “T1096: Human factors influences in axle bearing installation and maintenance”.

Currently only a research idea “R647: Review of Wheelset Axle End Secondary Locking

Arrangements” will look at improving the fixing arrangements to reduce loosening and

simplify assembly. These two items are added for information.

1.15 Design life and obsolescence management

1.15.1 Although a train has historically been expected to have a design life of 30-35 years, sub-

systems may require overhaul or replacement to achieve this. The supplier shall provide the

design lives of these sub-systems to enable planning of when future overhaul or replacement

will be required.

1.15.2 Obsolescence management shall be covered by contractual arrangements for the design life

of the vehicle.

Note: This is especially the case for electronic equipment and includes all rolling stock

related software, operating systems and IT hardware.

1.16 Vehicle Gauging Information

1.16.1 Certain vehicle manufacturers are reluctant to state their actual vehicle profiles (claiming it is

their Intellectual Property). As a result they only declare their vehicle profiles in accordance

with standard vehicle gauges, although in many areas the actual vehicles are smaller. When

the stock is cascaded a route compatibility assessment will potentially identify more “foul

structures” than would be the case if the actual vehicle profile was known. Indeed, there is

the potential for infrastructure works being identified that are not actually required. This

practice imports avoidable cost to the industry and places unnecessary restrictions on route

availability in the event of emergency diversionary routes being required. Vehicle


manufacturers shall be contractually required to provide vehicle gauging data in accordance

with the format developed by the Vehicle / Structures System Interface Committee.

1.16.2 Gauging information should be supplied in a format compliant with “RIS-2773-RST: Format for

Vehicle Gauging Data”.

1.17 Electrical collector systems

1.17.1 Future Proofing of Third Rail (750V DC) Rolling Stock

1.17.1.1 Specifications for future designs of 750V DC third rail rolling stock should consider

the implications of a future increase in the nominal supply to 900V DC.

Manufacturers should be requested to state the modifications that would be

required in order to accommodate such a change in supply voltage.

1.17.1.2 It has been suggested that the long term aim of the industry should be the

replacement of the 750V DC third rail system with the 25kV Overhead line system.

New DC rolling stock should include provision for the inexpensive retrofit of 25kV

equipment.

Note 1: In this context “inexpensive” means that the design has made the

provision for the fitment of equipment by the designer purposely

allocating free space; power supply and consideration of cabling to the

relevant location(s).

Note 2: The case for the replacement of the 750V DC system with 25kV Overhead

was the subject of RSSB Project “T950: Investigating the economics of the

3rd rail DC system compared to other electrification systems” - details of

this project can be found at:


brief-t950.pdf

1.17.2 750V DC Shoegear in icy weather

Consideration should be given to providing a means to ensure that, in icy conditions, an

appropriate minimum current can be drawn to maintain the best possible shoe contact to the

rail. This can be achieved by a selectable "ice mode" which may also encompass changes to

permissible electrical interference levels subject to an agreed safety case.

1.17.3 Overhead line and pantographs

The use of polymeric insulators for supporting the pantograph is recommended. The RAIB

report R062013 (i.e. the Littleport incident when a Class 365 Pantograph detached following

the fracture of the ceramic insulators) recommends their fitment as they are considered to

better absorb energy in the event of a pantograph incident.




A RSSB research project “T1060: Understanding the forces and energy in the electrification

system during de-wirements” is now nearing completion. Useful information may be available

in due course from this research and will be included in future issues of the KTR.

1.17.4 Pantograph automatic dropping device (ADD)

A facility for the driver to isolate the ADD on the pantograph shall be included.

Occasionally an ADD operates and, without a means to isolate it, the pantograph cannot be

raised. Although the train may not move if there is damage to the pantograph, a supply to the

train can be maintained for HVAC purposes. Similarly, if there is minor damage to a carbon,

the train could be moved at reduced speed to a place where passengers can be detrained.

1.17.5 Supplies at neutral sections

When passing through neutral sections there shall be no adverse effects on passenger facing

equipment or need for staff intervention in normal operation.

1.18 Systems Architecture

1.18.1 Vehicle manufacturers shall be required to provide electrical equipment (at the Line

Replaceable Unit level) that has been specified with a modular, open architecture (based on

the application of Internet Protocol communications functionality) and to use open source

software.

1.18.2 Separate Ethernet backbones shall be provided for train safety systems/information systems

and those intended for passenger access. There is an increased risk of cyber-attacks if

passengers are permitted access to a network used for train systems.

1.18.3 Cat 7 cables should be used to maximise data transfer rather than Cat 5. Whichever Category

of cable is used, thought should be given to its durability, band-width potential, future

upgrading, and suitability for a railway environment.

Note: Some versions of Cat 7 cables may not be suitable for use in jumper cables between

vehicles as it is relatively brittle and susceptible to failure with repeated flexing.

1.18.4 For more information on system architecture security, see Appendix D.


1.19 Global Navigation and Satellite System (GNSS) on-board

1.19.1 Any new train shall be fitted with a Global Navigation and Satellite System (GNSS).

Consideration should be given to fitting a single GNSS to a train; this will limit the proliferation

of antennae on a train’s roof. The location (as well as date and time stamp information)

derived by this one system should then be fed to all the on-board train systems that require

position information, such as PIS (Passenger Information Systems), on-board data recording

etc.

1.19.2 The selection of GNSS and any augmentations will depend on its intended purpose.

Note: RSSB research project “T892: Data and Analysis for a cost-effective GPS-based locator

with simple augmentations” provides some good practice, details of this project can

be found at:


T892.pdf

1.19.3 In order to provide software security and resilience where GPS/GNSS is deployed,

consideration should be given to a secondary/backup source that is technically different to

GNSS, especially if functions are associated with operations.

1.20 Train Location and Movements (GPS) Project

1.20.1 The Train Location and Movements (TLM) Project is part of the Customer Information Strategy

programme of projects based on research work from National Rail Enquiries and a Network

Rail and ATOC Proof of Concept Project.

1.20.2 To achieve the quickest rollout and provision of a useable customer information service the

project seeks to reuse where possible existing equipment especially on-train GPS and to bring

it up to a preferred standard over time.

1.20.3 The specification “ATOC/EC/GN/005 Customer Information Strategy: Train Location and Movements (GPS) Project” will be published soon:.

Please contact ATOC at the email address on page 1, should you want a copy.

1.21 Speed set

1.21.1 Where provided, any speed set system shall prevent vehicle overspeed in the event of the

vehicle descending a gradient. A suggested tolerance is +/- 2 mph.




1.22 Sight glasses

1.21.1 When positioning gearbox, or other, sight glasses ensure they are easily viewable by

maintenance staff but also protected from flying ballast or other detached items.

1.23 Equipment fixing and access

1.23.1 Equipment that is bolted in position and needs checking during maintenance shall be

accessible and visible.

1.24 Critical and non-critical systems and supplies

1.24.1 Systems of a non-critical nature and their supplies shall be kept separate from critical systems

so that spurious faults cannot cause the critical system to fail in an unsafe manner. An example

of this is a passenger information system and a door system sharing the same power supply

leading to a cross-feed.

1.25 Load Shedding Strategy

1.25.1 In the event of perturbation and loss of electrical supply a load shedding strategy shall be

defined. This should consider how long systems such as lighting, air-conditioning, ventilation,

toilets, internal emergency signposting, announcement system, Wi-Fi and communication

system are kept available in order to maximise the essential services.

1.26 Mobile phone reception

1.26.1 Vehicle bodyshells/glazing should be designed such that public 3G/4G mobile data and voice

signals are not degraded (e.g. via Faraday Cage effects) in passing through these – signal

boosters should be considered for each vehicle if this is unavoidable.

1.27 Pressure limits

1.27.1 In tunnels the change of pressure can affect a person’s health, this limit is 10kPa and is quoted

in standards. However as a comfort level a level of 2.5 to 3kPa should be considered.

Further explanation can be found on the RSSB website at:

http://www.rssb.co.uk/library/groups-and-committees/2015-12-report-aural-pressure-

comfort-limits-in-tunnels.pdf

http://www.rssb.co.uk/library/groups-and-committees/2015-12-report-aural-pressure-comfort-limits-in-tunnels.pdf

http://www.rssb.co.uk/library/groups-and-committees/2015-12-report-aural-pressure-comfort-limits-in-tunnels.pdf


1.28 Bi-mode powered trains

1.28.1 A bi-mode train is one that can obtain traction from more than one source in order to operate

in service. This has advantages on routes which are partially electrified, or in the process of

being electrified during the lifespan of the rolling stock, enabling fleets to use a wider range

of diversionary routes and to move in depots and sidings which are not electrified. Through

trains can be run on non-electrified branch lines and electrified main lines, bringing customer

benefits. They also enable electric trains to operate when traction power is temporarily or

permanently unavailable (for example at a tunnel or a bridge).

1.28.2 There may be depot safety improvements if electrification is not needed. However, facilities

to fully test the train in each mode will be required, and shore supply points may be needed.

1.28.3 Examples of bi-mode are:

Electric/diesel

Electric/battery or other energy storage devices.

1.28.4 When considering bi-mode the following factors shall be evaluated:

Proportion of the planned duty cycle under each type of traction

Amount of energy storage on board for each mode

The train performance under each type of traction (i.e. reduced performance may be

acceptable in certain circumstances)

Performance in normal operation versus performance where a secondary power source

is provided for ‘a get home’ or ‘a last mile’ mode

Whether there is a static or dynamic changeover is required between modes. Dynamic

changeover is preferred as this reduces journey time

Infrastructure changes may be required to support charging if electrical energy storage is

used.

1.28.5 More information can be found in the following IEC standard to be published summer 2016,

“IEC 62864 part 1: Railway applications - Rolling stock - Power supply with onboard energy

storage system - Part 1: Series hybrid system.”

1.29 Train Management System (TMS) – Design

1.29.1 A master/slave concept for the TMS data bus should be considered. This could be a second

TMS bus rather than a relay switched system.

1.29.2 Information for the driver is important, but it is essential that it is only relevant to the situation. Therefore the driver’s display should show relevant information using easily understood terminology. This should also apply under train fault conditions. It is expected that more in-depth information will be provided for depot staff or control as necessary.

1.29.3 The ability for drivers to isolate defective essential equipment through the TMS should be

considered. The driver then need not pass through a train nor exit the train to walk on the

track. This facility may also apply to train crew where TMS is available to them.


1.29.4 A TMS can carry vital/critical data and information. It is important that these functions are

protected and that the system is separated as much as possible from any passenger facing

system and has a secure architecture.

1.29.5 For more information on software design and security, see Appendix D.


2 Key Requirements – Performance & Environmental

2.1 Aerodynamic Efficiency

2.1.1 Aerodynamic efficiency should be optimised in terms of whole life cost.

Note: Aerodynamic efficiency only becomes a significant issue at speeds greater than

100mph.

2.2 Propulsion

2.2.1 The amount of redundancy provided by the propulsion system shall take account of the

demonstrated service reliability of existing equivalent systems. Some examples of redundancy

are traction convertors being split per bogie, the ability to isolate motors per bogie, auxiliary

convertors able to compensate for failures and cross feeds of auxiliary circuits from an

adjacent vehicle for continuity of supply.

2.2.2 The number of components that can cause a single point failure in the traction system should be minimised.

2.2.3 For propulsion systems that feature a low level of redundancy, consideration should be given

to the remaining functional propulsion system equipment being designed to provide

enhanced performance in the event of a propulsion package failure.

2.2.3 Propulsion systems shall be designed to be capable of rescuing a completely failed train (of

the same design), assuming the rescue train is free from defects.

2.2.4 Consideration should be given to designing the rolling stock to accommodate potential future

line speed enhancements.

2.3 Sustainability

2.3.1 Rail is an environmentally sustainable means of transport, and has a major role to play in

encouraging modal shift from less sustainable modes. However, it does have environmental

impacts, and efforts need to be made at the design stage to minimise these for the entire life

of the vehicle.

2.3.2 The industry has developed 10 Sustainable Rail Principles including three related to the

environment which are 'reducing our environmental impact' (Principle 5), 'carbon smart'

(Principle 6) and 'Energy Wise' (Principle 7). See “Sustainable Rail Programme. (2011) The Rail

Industry Sustainable Development Review” on the RSSB website at:

http://www.rssb.co.uk/Library/improving-industry-performance/2011-report-rail-industry-

sustainable-development-review.pdf.

http://www.rssb.co.uk/Library/improving-industry-performance/2011-report-rail-industry-sustainable-development-review.pdf

http://www.rssb.co.uk/Library/improving-industry-performance/2011-report-rail-industry-sustainable-development-review.pdf


2.3.3 The RSSB website also has some useful information, of which the document above is a part,

at:

http://www.rssb.co.uk/improving-industry-performance/sustainable-

development/sustainable-rail-programme

2.3.4 A whole life environmental impact assessment in line with “ISO 14040: Environmental

management - Life cycle assessment - Principles and framework” shall be undertaken in line

with waste hierarchy principles. This should cover rolling stock construction, manufacture,

delivery, operation, maintenance/overhaul, and end-of-life. Environmental impacts to be

considered include energy usage, emissions, water usage, materials usage, waste, pollution,

and noise and vibration.

2.3.5 A description of how design for disassembly principles as described in “BS 8887 series: - Design

for manufacture, assembly, disassembly and end-of-life processing (MADE)” are used is to be

provided, including issues such as the marking of plastics and avoiding the blending of

materials.

2.3.6 A list of legally restricted materials in the UK shall be provided and confirmation that they are

not used on the rail vehicle and spare parts. The use of hazardous materials during

manufacturing should be minimised, however, where these are used, each instance must be

listed by part number and a risk assessment must be provided to justify it.

2.3.7 An inventory of all materials by type, including their weights, is to be provided. This shall cover

all parts in the rail vehicles and spare parts. The percentage weight of the rail vehicle that shall

comprise recycled parts shall be provided.

The following page on the UNIFE website has some useful links and includes a template for

the provision of this information in a common format at:

http://www.unife-database.org/material_declaration.php

2.3.8 The train maintenance and repair plan shall be designed to maximise the life of components

and minimise the use of consumables.

2.3.9 Based on the terms defined in “IS0 22628: Road vehicles - Recyclability and recoverability -

Calculation method”, targets for end of life recyclability and recovery shall be stated. The

aspiration is that the fleet should achieve 85% re-use and recyclability, and 95% re-use and

recoverability by mass. An End of Life Manual shall be provided detailing the disassembly,

identification and segregation methods. This should show the end of life disposal methods for

each component. UNIFE has developed this further for the rail industry, see their document

at:

http://unife.org/component/attachments/?task=download&id=326

Note: For information, ISO TC 269 are also preparing a standard on recyclability and

recoverability of rolling stock.

http://www.rssb.co.uk/improving-industry-performance/sustainable-development/sustainable-rail-programme

http://www.rssb.co.uk/improving-industry-performance/sustainable-development/sustainable-rail-programme

http://www.unife-database.org/material_declaration.php

http://unife.org/component/attachments/?task=download&id=326


2.3.10 The supplier shall provide an “Environmental Product Declaration” in line with UNIFE 495

Product Category Rules for Rail Vehicles or other externally verified certification. If this is not

available the supplier shall describe their policy in this area. More information can be found

at:

http://www.environdec.com/en/PCR/Detail/pcr2009-05

2.3.11 Depots, stations and sidings are often located near residential areas, and efforts should be

made to reduce the adverse impacts of rolling stock on neighbours through design for

operation.

Note: For information, Eurospec are producing a specification on stationary noise which will

include in railway depots and stations.

2.4 Energy Efficiency & Traffic Management

2.4.1 Rolling stock systems shall be optimised for energy efficiency taking into account the whole

life cost to the “railway system.”

2.4.2 Electrically powered rolling stock shall be capable of providing energy use data of an integrity

level suitable for billing.

2.4.3 Consideration should be given to specifying a Driver Advisory System (DAS), which provides

energy efficient driving advice to the driver, typically by showing a recommended maximum

speed and when to coast, such that the train arrives at the next timing point on the journey at

the scheduled time. The DAS should be able to communicate remotely with a base station

such that updates (timetable changes, temporary speed restrictions, etc.) can be uploaded

onto the train and feedback of response to the advice given transmitted back to the base

station. The system should also facilitate subsequent analysis of driving style and have the

future capability of accepting real-time traffic regulation information.

2.4.4 A C-DAS (Connected Driver Advisory System) is being proposed, so consideration for its

inclusion should be made to ensure that interfaces are compatible with other current

protocols and systems. More information can be found at:

http://www.rssb.co.uk/Library/groups-and-committees/2015-report-c-das-concept-of-

operation.pdf

2.4.4.1 Other related documents for C-DAS on non ETCS-fitted trains can be obtained from

[email protected], or the email on page 1 of this document.

Note that this email address is included, as there is currently no web-based file

location for these documents.

2.4.4.2 Work for C-DAS on ETCS-fitted trains is in progress.

http://www.environdec.com/en/PCR/Detail/pcr2009-05

http://www.rssb.co.uk/Library/groups-and-committees/2015-report-c-das-concept-of-operation.pdf

http://www.rssb.co.uk/Library/groups-and-committees/2015-report-c-das-concept-of-operation.pdf

mailto:[email protected]?subject=Request%20for%20C-DAS%20information%20via%20KTR%20document


2.4.5 Rolling stock should be designed with intelligent power management systems. On-board

systems should therefore only be energised when absolutely necessary.

Note: An example of good practice in this area is the intelligent control of diesel engines

that shut-down when not required to provide useful power to the train.

2.4.6 Rolling stock should be designed to minimise whole life energy consumption. Consideration

should be given to the following design features:

2.4.6.1 Rolling stock to revert to “stabling mode” (following an appropriate time delay)

following a driver de-energising the driving cab. Typically such a “stabling mode”

would switch off selected loads such as the heating, ventilation and air conditioning

(HVAC). Lighting systems should revert to emergency lighting only.

Note: Frost protection systems should remain active and lighting circuits should be

designed to facilitate local switch on (for cleaning purposes).

Similarly a high temperature detection device should be considered so that

the passenger and traincrew accommodation enters service at an

appropriate temperature.

2.4.6.2 Remote switch on of HVAC (both cab and saloon) and lighting (saloon only) to facilitate

train preparation and override in an emergency.

Note: As an enhancement to the above functionality, this remote switch-on could

be achieved by the process of allocating trains to diagrams with a sufficient

“warm up / cool down time” incorporated to ensure the train enters service

at the correct on-board temperature.

2.4.6.3 On diesel rolling stock where the heating is provided from the engine it is essential

that some heating is also provided to warm the train prior to the engine warming up.

This is most important for driving cabs where heat is often required soon after the

engine is started and where the area to be heated is small. An electric heater may be

more practicable. The implication of not heating cabs in this way is that the driver

could refuse to take the train even though the cab would eventually warm up.

2.4.6.4 Low energy consumption lighting e.g. Light Emitting Diode technology should be

considered.

2.4.6.5 Interior lighting that automatically adjusts in response to ambient light levels.

Note: ATOC have published a guidance document titled “Energy and Carbon: A 20

Point Programme to help Rail Operators to improve their Energy Efficiency and

reduce CO2 Emissions”. Whilst this document suggests ways of improving

energy efficiency in a holistic manner i.e. also encompassing buildings and

operations, it includes sections of direct relevance to rolling stock.

Copies of the document can be obtained by the email address on page 1.


2.4.7 Consideration should be given to designing rolling stock with provision for retrofit of energy

storage equipment (if cost effective and practicable).

2.4.8 In order to compare proposed train designs and identify the most energy efficient proposal,

manufacturers should be required to provide energy consumption data for a representative

diagram over representative routes.

2.4.9 Consideration should be given for some means to measure levels in fuel tanks of diesel engine

trains and to measure consumption rates.

2.5 Auxiliary Power

2.5.1 Auxiliary power supplies shall be designed at the outset to provide sufficient spare capacity

for the life of the rolling stock to allow the flexibility for the future installation of ERTMS (see

5.3) and additional equipment that may be required to support future business needs.

Note: Historically a figure of 10% spare capacity has been used and is viewed as

appropriate.

2.6 Pneumatic air supply

2.6.1 Air supplied by the train shall be clean, dry and free of oil to slow deterioration of components

and limit the likelihood of freezing in cold weather.

2.7 Transposition of EMF (Electromagnetic Field) Directive

2.7.1 This Directive, 2013/35/EU, is transposed into UK law in July 2016 and must be complied with

from then.

2.7.2 RSSB are to produce a guidance note "GLGN1620: Guidance on the Application of the Control

of Electromagnetic Fields at Work Regulations” which will be published in mid-2016.


3 Key Requirements - Passenger Facing

3.1 Heating Ventilation and Air Conditioning (HVAC)

3.1.1 The control regime for heating and cooling shall take account of passenger comfort; expected

operational and environmental scenarios; ambient temperature ranges likely to be

encountered in the UK (see section 1.12.1) and whole life cost.

3.1.2 The rolling stock HVAC system should function as follows:

3.1.2.1 The HVAC system should control the fresh air intake quantity proportional to the passenger loading.

3.1.2.2 The passenger comfort system shall be capable of maintaining the passenger

compartment at the envelope temperatures with allowed variations as specified in

“EN 13129-1: Railway applications. Air conditioning for main line rolling stock.

Comfort parameters”.

3.1.2.3 The heating set point shall be independently adjustable by maintenance staff from 21 - 23oC.

3.1.2.4 On particularly hot days, the HVAC system should maintain a temperature

differential to ambient rather than trying to attain a “set point temperature.” This

reduces the system load and the “thermal shock” effect for passengers boarding and

alighting.

Note: It is considered that the way that existing HVAC systems are designed with

a targeted set point temperature that the system endeavours to maintain

(irrespective of system rating) is a key contributory factor to HVAC failures

on days when high ambient temperatures are experienced. It is believed

that the systems are trying to deliver an unrealistic set point and therefore

become overloaded. Altering the control algorithms in this manner should

go a long way to alleviating this problem.

3.1.2.5 The HVAC system should have automatic systems to determine an optimal balance

between temperature and CO2 levels during degraded modes of its operation.

3.1.3 On diesel multiple units the HVAC fresh air intake shall have a good separation from exhausts.

3.1.4 The design of the HVAC fresh air intake should consider prevention of drawing in of dust and smells during braking.

3.1.5 HVAC systems shall be designed to ensure consistency of temperatures throughout the

passenger saloon e.g. the avoidance of perceived “hot” or “cold” spots. Consideration should

be given to compliance with the comfort zone permissible velocities specified in the

“EN 13129 suite” of standards.


3.1.6 Whilst in “stabling mode” (see 2.4.6.1) frost protection shall remain available when needed in

the event of low ambient temperatures.

3.1.7 Functionality to allow traincrew to alter the setting of saloon HVAC should not be provided.

3.1.8 Consideration should be given to the provision of individual controls for ventilation for

passengers for inter-urban or intercity rolling stock, similar to those on aircraft.

3.1.9 HVAC systems shall be designed to provide a level of emergency ventilation in the event of a

loss of traction supply. Ideally, emergency ventilation should be provided by the HVAC system

(powered by the vehicle batteries) for 90 minutes.

Note: The interior CO2 levels and external ambient temperature should be taken into

consideration in the design.

3.1.10 HVAC system issues cause real problems to train operators the world over. To make inroads

into improving this, European Operators have jointly developed some common

requirements for HVAC that should encourage suppliers to improve their products across

Europe. These requirements have been captured in a “EuroSpec Specification for air

conditioning of Railway Vehicles”.

Note: The Association of Train Operating Companies (ATOC) is a partner in the EuroSpec

consortium. Copies of the EuroSpec can be obtained via the EuroSpec website at

www.eurospec.eu.

3.2 Passenger Security

3.2.1 Closed Circuit Television (CCTV)

3.2.1.1 CCTV that monitors the passenger accessible areas (excluding toilets), including areas

used for storage of luggage, cycles etc. shall be fitted to all rolling stock.

Note: The National Rail CCTV Steering Group have published the following

guidance “National Rail & Underground Closed Circuit Television (CCTV)

Guidance Document” that should be considered.

A copy of this document can be found at:

http://www.atoc.org/clientfiles/File/publicationsdocuments/National%20Rail%20%2

0Underground%20CCTV%20Guidance%20Document%20%20FULL%20November%20

2010.pdf

3.2.1.2 Consideration should be given as to whether there is a business requirement for the

CCTV images to be remotely accessible on demand. Experience has shown that having

access to images can offer significant benefits in enabling earlier resumption of

services following incidents.

http://www.eurospec.eu/

http://www.atoc.org/clientfiles/File/publicationsdocuments/National%20Rail%20%20Underground%20CCTV%20Guidance%20Document%20%20FULL%20November%202010.pdf




3.2.1.3 Where CCTV is fitted consideration needs to be given for the amount of data storage

space, bandwidth and data retention time.

3.2.2 Personal security

3.2.2.1 Where the seating layout is “Airline style” the seats should be designed to deter the

activities of pickpockets from the seats behind.

Note: An example of good practice is the installation of a physical barrier between

seats, provided there is no conflict with dynamic seat performance

requirements for interior passive safety.

3.2.2.2 Consideration shall be given to potential terrorism risks by incorporating design

features that minimise the overall injuries sustained by passengers in the event of a

terrorist attack. Good interior passive safety design, i.e. interior features designed to

minimise secondary injuries to passengers and staff in such an incident, have been

shown to help provide such mitigation. Mandatory interior passive safety

requirements are set out in Part 6 of “GM/RT2100 issue 5: Requirements for Rail

Vehicle Structures” and guidance relating to best practice is given in “GM/GN2687

issue 1: Guidance on Rail Vehicle Interior Structure and Secondary Structural

Elements”, both available at:

http://www.rssb.co.uk/railway-group-standards.

3.2.2.3 RSSB commissioned a research project to look at aspects of personal safety “T1012:

Developing a good practice guide for managing personal security on-board trains”

which is available at:


brief-t1012.pdf

3.3 Passenger Ergonomics

3.3.1 Passenger comfort is an important issue for UK rolling stock and is not straightforward to

address when producing procurement specifications.

3.3.2 There is no agreed standard that specifies acceptable legroom for UK rolling stock. It is

recommended that current anthropometric data and associated forecasts for the life of the

rolling stock are used to inform proposed seat pitches.

http://www.rssb.co.uk/railway-group-standards




3.3.3 Seat legroom should be designed to accommodate a 95th percentile male (based on the latest

anthropometric data available for the GB population).

Note 1: The current 95th percentile male figure would result in a dimension of 688 mm for

airline seating. For absolute clarity, this is the dimension between the front face of

the seat back cushion and the rear face of the seat in front and is therefore not

“seat pitch.” [Source PeopleSize Pro 2008].

Note 2: Seat legroom should also take into consideration typical journey times.

3.3.4 The size of the seat squab should be designed to accommodate a majority of the population

(based on the latest anthropometric data available for the GB population).

Note 1: The current 95th percentile female figure hip breadth would result in a width of 466

mm for the squab. A 95th percentile male figure shoulder breadth is 516mm. When

fixed armrests are used consideration should be given to the actual usable width.

[Source PeopleSize Pro 2008].

Note 2: The depth of the seat squab to give thigh support should also take into

consideration typical journey times.

3.3.5 The height of the seat squab above floor level should be designed to accommodate a majority

of the population (based on the latest anthropometric data available for the GB population).

It should not be too low nor too high.

Note: The PRM TSI 2015 requires, for priority seats, a seat squab height of 430 – 500mm.

3.3.6 It is not considered to be appropriate to provide armrests in all circumstances. Where

provided, armrests should be moveable and of a length and height designed to accommodate

a majority of the population (based on the latest anthropometric data for the GB population).

Note 1: The current 95th percentile male figure would result in an armrest length of 442mm

and for a comfortable height for a 50th percentile female of 200mm above the seat

base cushion. [Source PeopleSize Pro 2008].

Note 2: Armrests are beneficial for passenger containment in the event of an accident.

3.3.7 For vehicles designed to operate longer distance services, e.g. inter-urban or intercity, power

supplies should be provided at all seats for the charging of mobile electronic devices. These

power supplies should be readily accessible to passengers and appropriately labelled. Also see

3.17.

3.3.8 The design of the interior layout should ensure that, wherever practicable, all passenger seats

and windows are aligned. Where seating bays are provided they should be aligned with the

adjacent window. Where there are no windows as a result of the vehicle structure, other

passenger amenities such as luggage stacks and toilet modules should make use of this space.

Note: Ideally, deadlights (the vehicle structure between window apertures) should not

exceed 450mm.


3.4 Ride Quality

3.4.1 There is no agreed standard that specifies acceptable ride performance for UK rolling stock.

“BS EN 12299: 2009 - Ride comfort for passengers - Measurement and evaluation” has been

published, however the target values have not been validated for existing UK vehicles,

although some of the criteria do have their origins in outputs from BR Research.

Note: Practically it is difficult to specify ride performance in terms of absolute targets for

vehicles due to the additional need to specify the relevant track quality parameters

and as a result ride quality has been specified in terms of comparison with existing

vehicles. However it is recommended that a percentage improvement (compared to

existing vehicles at an appropriate point in their maintenance cycle) in ride

performance should also be specified in order to ensure continual improvement.

3.5 Sound, noise and vibration levels

3.5.1 There is currently no agreed standard that specifies acceptable interior noise levels for UK

rolling stock. The V/V SIC is planning to produce a good practice guide for specification of

internal noise and vibration including, as far as is practicable, recommended limits and

methods for measurement for different types of train and train service. The intention is that

the passenger experience, in terms of noise levels and vibrations, should be broadly

comparable to, and preferably better than, that offered by other forms of surface

transportation such as road coaches and private cars. The results from this work will be

incorporated into a subsequent issue of the KTR document. In the meantime, it is

recommended that a percentage improvement in noise performance (compared to existing

vehicles) should be specified in order to ensure continual improvement.

3.5.2 Pending output from this research the following are recommended good practice limits.

3.5.2.1 General requirements for all vehicle types

When the Unit is stationary, with traction supply available and auxiliary systems

(including air conditioning) running and all doors closed, noise levels measured

inside the vehicles shall not exceed 65 dB(A).

All measurements are to be carried out in accordance with “BS EN ISO

3381:2011, Railway applications. Acoustics. Measurement of noise inside

railbound vehicles” which defines measurement positions, operating conditions

and environmental conditions including track roughness.

Units shall minimise the emission of prominent harmonics or discrete tones (as

defined in Annex D of “ISO 1996-2:2007 Acoustics -- Description, measurement

and assessment of environmental noise -- Part 2: Determination of

environmental noise levels”) in all operating modes or conditions.


3.5.2.2 For Metro-type vehicles (sliding pocket doors and 75mph top speed:

When the Unit is running at full speed, with all doors and windows closed, noise

levels measured inside the vehicles at shall not exceed –

o Saloons – 73 dB(A),

o Vestibules – 75 dB(A).

3.5.2.3 For Mainline vehicles with plug doors and 110mph top speed:

When the Unit is running at full speed, with all doors and windows closed, noise

levels measured inside the vehicles at shall not exceed –

o Saloons – 72 dB(A),

o Vestibules – 73 dB(A).

3.5.3 A particular source of annoyance for passengers comes from irritating noises, such as rattles,

squeaks, whistles and hums from interior fixtures and fittings. It is recommended that a

specific clause should be included in specifications to cover this point and that it should include

a requirement not only to demonstrate an absence of noises of this nature under all operating

conditions at train delivery, but also to advise design features that will prevent them from

occurring in the future.

3.5.4 Vibration from underfloor equipment, such as diesel engines and air compressors are also a

source of complaint. Care should be taken to isolate this from the vehicle body.

3.6 Passenger Counting

3.6.1 Vehicles should have passenger counting capability or provision should be made for the

inexpensive retrofit of a passenger counting system.

Note 1: A relatively low cost example of a passenger counting system is the use of the

vehicle “load weigh” signal, although other equivalent solutions exist.

Note 2: In this context “inexpensive” means that the design has made the provision for the

fitment of equipment by the designer purposely allocating free space; power

supply and consideration of cabling to the relevant location(s).

3.7 Passenger Information System (PIS)

3.7.1 Consideration should be given to defining the functionality of the PIS to encompass the

following features:

3.7.1.1 Capability to acquire and display real time delay information.

3.7.1.2 To provide estimated times of arrival at stopping points en-route.

3.7.1.3 To interface and integrate with other remote information systems.


Note: This feature is considered especially important since the on-train system

forms part of the holistic “whole system” PIS in support of providing the

passenger with information from “end-to-end” of their journey.

3.7.1.4 To provide accurate real-time intermodal/interchange running information

particularly at times of disruption.

3.7.1.5 To broadcast accurate real-time information via the on board audio/visual system,

or,

3.7.1.6 To update specific interactive locations in the train for ad-hoc use by passengers, or,

3.7.1.7 Provision of information via a train borne Wi-Fi network to be provided for use by

passengers using a personal Wi-Fi device (refer to section 5.7).

Note: It is recommended that the research report “Integrated Passenger

Information: Delivering the Rail End to End Journey” commissioned by the

Department for Transport is considered when specifying the requirements

for trainborne PIS systems.

3.7.1.8 To interface with the vehicle Selective Door Operation system - where applicable

(see 4.2.4.).

3.7.2 Public address and audible information systems shall be designed to provide announcements

within the vehicle that are 5dB above the ambient interior noise level at the time of the

announcement.

3.7.3 On the exterior of the relevant vehicle, in a position that is readily visible to passengers when

boarding, visual Passenger Information Systems shall display:

the train destination,

the next calling point,

departure time,

the number / letter of the vehicle in the train consist.

3.7.4 Consideration should be given to making the Public Address system zonal. This would permit

the traincrew to select the vehicles in the train consist to which announcements would be

made. It is anticipated that this would be useful for broadcasting specific messages in, say,

first class passenger saloons or on train services which divide en-route.

3.7.5 The PIS shall only display messages sent from authenticated devices, i.e. it must prevent

unauthorised messages being displayed.


3.8 Seat Reservation Systems

3.8.1 Consideration should be given to provision of an electronic seat reservation system. Where

such a system is provided:

3.8.1.1 It should be possible to remotely upload on-board seat reservation systems well

within the train’s turnaround times at stations. It is suggested that this time should

not exceed two minutes.

3.8.1.2 Unreserved seats should be readily identifiable to passengers entering the

passenger saloon from both ends of the vehicle. A suggestion is that a Green Light

Emitting Diode (LED) is employed for this purpose. This LED could be mounted

below the luggage rack immediately above each seat.

Note: An optional potential enhancement to this functionality would be to

similarly identify reserved seats with a red LED.

3.8.2 Labels showing the seat number layout of the vehicle should be provided on the exterior of

the vehicle, adjacent to exterior doors. Such labels should be readily viewable to passengers

when boarding.

3.8.3 Where a seat reservation system is provided the method for showing reserved seats should

be moveable or have the facility to align the indicators with the relevant seat in the event of

the saloon layout being altered.

3.9 Provision of Luggage Storage

3.9.1 It is accepted that it can often be difficult to obtain the right balance between number of seats

and the provision of adequate space for storing luggage. This balancing act can only be

determined by consideration of the type of service the rolling stock is intended to operate.

Note: Passengers perceive that there is inadequate provision of luggage storage facilities

on board recent designs of rolling stock.

3.9.2 Luggage stacks should be designed to make the best use of the space available on board e.g.

three-tier stacks should be considered that provide safe storage so that larger items of luggage

can only be stored in the lower area of the stack. These luggage stacks should be designed and

located in such a way that luggage remains visible to passengers.

Note: Passengers have expressed the view that they are particularly uncomfortable with

having to leave their luggage effectively hidden from view in end-of-vehicle luggage

stacks.

3.9.3 Overhead luggage racks should be able to safely store items of baggage of dimensions 56cm x

25cm x 45cm.

Note: This requirement reflects current airline limits with respect to hand baggage.


3.9.4 Innovative solutions, for example seats that can be converted to store luggage when not in

use or the provision of luggage storage under the seat in front should be considered in order

to optimise the amount of luggage storage provided.

3.9.5 A RSSB research project looking to help reduce the injuries that luggage cause on trains

“T1057: Investigating the risks posed by luggage to passengers and staff on trains and

stations” has started and a link is provided for information.

http://www.rssb.co.uk/pages/research-catalogue/t1057.aspx

3.10 Toilets

3.10.1 Whilst the provision of toilets on trains is now very much the accepted norm, it should not be

automatically assumed that this is appropriate for all types of train operating all types of duty

cycle. As an example, passenger capacity on metro is frequently a critical factor in train design

and the installation of toilets inevitably occupies a significant amount of space. It is therefore

common practice worldwide not to provide toilets where this type of train is operating

intensive services with frequent stops into and across large conurbations. It is therefore

recommended that, when considering the provision of toilets, consideration is given to typical

journey times and to the potential availability of toilets at stations and other locations nearby.

3.10.2 Where a case can be made not to install toilets, trains should be specified to include passive

provision, to cover the possibility of being subsequently transferred to other routes where

toilet provision is required.

Note: In this context “passive” means that the design has made the provision for the

fitment of equipment by the designer purposely allocating free space and

consideration of cabling, wiring, underframe space for tanks and pipework to the

relevant location(s).

3.10.3 On-train toilet reliability and availability issues cause real problems to train operators the

world over. Recognised best practice in toilet design, together with options for consideration,

are included as Appendix C to this document.

3.10.4 Where possible, toilet control systems/networks should not be connected/interfaced to the

train control network. However, where this is unavoidable, such connections should be

security monitored for unauthorised access. Additionally, all access panels within the toilet

cubicle should be secured to prevent physical access to train networks.



3.11 Cleanability

3.11.1 To improve cleanability (and also to improve security aspects of the interior design) support

points (e.g. interior fixtures and fittings) towards the middle of the vehicle floor should be

avoided. The ideal solution would be an entirely clear floor.

3.11.2 Where possible, to prevent the build-up of dirt and dust in inaccessible places, crevices should

be eliminated. Inaccessible and unused spaces should be filled. Dirt that builds up in these

areas that are hard to reach and clean can easily be circulated. Radiused corners should be

used where surfaces meet, e.g. between panels and floors, in order to make cleaning easier.

3.11.3 When selecting materials, for long term appearance, the choice of colour is more important

than the choice of material.

3.11.4 Using carpets that do not require abrasive chemicals to clean them makes cleaning easier and

helps to maintain their appearance for longer. Deep pile carpets are not suitable as they tend

to hold on to dirt. The careful choice of vestibule matting can help prevent dirt from shoes

being trodden throughout a carriage.

3.11.5 There is a tendency to think that, for seat covers, uncut moquette has slightly better resistance

to holding on to dirt and dust than cut moquette.

Note: The visual appearance of cut moquette is enhanced if the pile runs in an upward

direction on seats i.e. the movement of passengers sitting in seats separates the

fibres.

3.11.6 Fabric surfaces can be pre-treated but there is an associated cost to this. Anti-graffiti coatings

can be applied to other surfaces and these aid general cleaning as well as the removal of

graffiti.

3.12 Vandalism Mitigation

3.12.1 The sections below identify a number of actions that may be taken to improve the resistance

of vehicles to vandalism damage. These need to be considered in the context of the levels of

vandalism anticipated on the routes over which trains are intended to operate.

3.12.2 All interior glazing should be fitted with “anti-etching” film.

Note: Consideration should be given as to when the films are actually applied during the

construction stage of new build rolling stock in order to ensure that they can be

subsequently removed and replaced at the depot.

3.12.3 Interior fixtures should have anti-graffiti coatings applied to an extent that reflects the risk of

vandalism (see section 3.11.6).

3.12.4 Where vandalism is more prevalent, seat fabrics should have features, e.g. wire mesh, that

prevents damage from knives etc.


3.12.5 Anti-graffiti films should be applied to rolling stock exteriors to ensure the surface coatings

and labelling are able to cope with graffiti removal processes.

3.12.6 Hand rails and steps on the exterior of vehicles should be designed to prevent persons from

using them when the train is in motion, i.e. train surfing.

3.13 Interior Panels

3.13.1 Interior panels should be designed to be as damage resistant as possible and sufficient spares

should be made available.

3.13.2 The fixing of interior panels should avoid self-tapping screws, as often the tapped hole

becomes larger over time.

3.14 Flooring

3.14.1 Flooring should be chosen to be as slip-resistant as possible, particularly in vestibules which

could be wet. Guidance is given in HSE document “Assessing the slip resistance of flooring”.

A copy of the guidance can be found at:

http://www.hse.gov.uk/pubns/geis2.htm.

3.14.2 The floor in vestibules should have a slight camber and the covering should have grooves to

prevent pooling of water. The door threshold strip should also have slots to allow water to

drain.

3.15 Interior Powered Doors (excluding toilet doors)

3.15.1 RSSB have carried out a research project “T1036: On-board injuries associated with internal

train doors to develop a specification for interior powered doors”.

In due course this may become a Railway Industry Standard. In the meantime the research

brief can be found at:


t1036.pdf

http://www.hse.gov.uk/pubns/geis2.htm




3.16 Buggy Space, Cycle Store or Multi-use Storage

3.16.1 Buggy storage space should be considered separately from wheelchair and cycle ones, where

space allows and demand is sufficient. Where this is not the case it may be better to consider

multi-use space dependent on route for either mainly cycles or mainly buggies. The buggy

space should be close to toilets with baby-change facilities.

Note that provision for wheelchairs is mandated by Accessibility Regulations and is exclusively

for this purpose.

3.16.2 Where cycle rack provision is required it is recommended that cycle racks are located in close

proximity to access doors; are positioned on suitable flooring and make optimum use of

available space.

3.16.3 For all of the above areas consideration should be given to the flow of passengers passing

through.

3.16.4 ATOC has produced a Cycle tool kit with a chapter “Cycle Carriage” which contains some useful

information for cycle storage areas. The document can be found at: http://www.cycle-

rail.co.uk/links/ along with other cycle related information.

3.16.5 RSSB have also carried out research “T1034: Understanding the business case for investment

in Cycle-Rail”. The research brief can be found at:


t1034.pdf

3.17 Passenger power supplies

3.17.1 For refurbishments where power constraints may limit 230V supplies consider a USB outlet

for each seat.

3.17.2 For new-build consider a mix of 230V supply & USB outlet.

Note that USB outlets were never designed for such use, merely as part of a computer. They

are now used for many applications, but the connecting arrangement is not necessarily robust

for this type of railway vehicle use. Consideration for easy change out of broken ones should

be considered.

3.17.3 For a 230V power supply system the following shall be provided:

Sockets should be to “BS 1363: 13A plugs, socket-outlets, adaptors and connection units.

Specification for rewirable and non-rewirable 13A fused plugs”.

The output from the socket should suit the type of equipment for which it is to be used.

The reliability of the inverter to be as high as possible to reduce failures.

http://www.cycle-rail.co.uk/links/

http://www.cycle-rail.co.uk/links/






3.17.4 When designing the 230V power supply system the following should be considered:

The power consumption and diversity and number of outlets to be installed.

Typically 70mA per socket is a reasonable value to use.

Whether the outlets have a switch or not, having switches may lower the reliability and

are not essential.

Inclusion of an indicator on each socket to show the system is live.

How the system can be reset, by whom.

Auto-resetting could be an option, with a timeout before it tries again on the assumption

that what caused the trip had been removed.

How the system is earthed, how the wires are retained as sockets may not meet the

railway vibration requirements.

The splitting of supplies to each side of the carriage will increase availability but means

two inverters will be needed. Alternating sockets from each inverter along each side of

the carriage could lead to fault-finding issues.

3.18 Lighting

3.18.1 Lighting levels on some trains are either too bright and clinical, or too dim. Sometimes where

glass is used in luggage racks the light shining through is reduced when items are placed on

the rack. When defining the light level type testing this effect should be considered.

3.18.2 Intelligent lighting could be considered which suits the ambient lighting levels, but changes in

these levels should be gradual so as not to create a strobing-effect.

3.18.3 Passenger controlled reading lights should be considered. Passengers welcome the ability to

influence the lighting levels of their immediate environment. Such reading lights should be

designed so that:

they are modular (in order to be able to facilitate a flexible interior layout),

train crew and maintenance staff are easily, and from a single location, able to override

the local controls to force them all to be lit, to facilitate the identification of defective

lighting components. Also a means should be provided to switch them all off from a single

location.

3.19 Interiors “Miscellany”

3.19.1 Since each service operated will have specific requirements, e.g. extra luggage provision on

airport services, higher density seating on commuter services, there can never be a “one

solution fits all” to this aspect of train design. As a result of this, what follows is a list of interior

features with associated guidance that should be considered when specifying vehicle interiors.

In all cases full account should be taken of the principles, requirements and guidance relating

to interior passive safety.


3.19.1.1 Window blinds

Where window blinds are specified, mitigation should be incorporated into the

design of the blinds to prevent them rattling in service.

3.19.1.2 Litter Bins

An assessment should be made as to the design of and capacity of litter bins

provided on-board.

Note: Passengers perceive that there is inadequate provision of litter bins on

board recent designs of rolling stock. There are either too few, they are

not large enough or they are poorly identified.

3.19.1.3 Provision of Handholds

Additional handholds should be considered in areas where passengers are likely to

congregate when trains are crush loaded e.g. door vestibules and wheelchair

areas.

3.19.1.4 Provision of Tip-Up Seats

In order to maximise the provision of seating at times of heavy passenger demand

the creative use of tip-up seats should be considered. However, the use of tip-up

seats in vestibule areas is not recommended since this positions seated passengers

(and their luggage) in access / egress routes and therefore obstructs the flow of

other passengers.

3.19.1.5 Fixed Tables

Full width tables at bay seating areas should be considered. Passengers have

commented that they like such features, but sometimes have difficulty accessing

seats as a result. Folding or tapered tables should be therefore considered and

fixed table support points should be positioned as close as possible to the vehicle

bodyside (see section 3.11.1). Table access should be designed to accommodate a

95th percentile male (based on the latest anthropometric data available for the GB

population).

Note: The current 95th percentile male seated thigh depth is currently 202 mm

and therefore an additional margin will need to be added to this dimension

to facilitate passenger access. In addition, if the table edge overlaps the

leading edge of the seat this dimension should also be increased.

[Source PeopleSize Pro 2008].

3.19.1.6 Seat Back Tables

Where seats are arranged “airline style” provision of folding seat back tables

should be considered that are of sufficient size to support and use a laptop.


3.19.1.7 Cup Holders

Provision of a recess for cups should be considered in fixed and folding tables.

3.19.1.8 Table Surfaces

Tables should be designed with a lip around the perimeter (to contain spilled drinks

etc.) and have a non-polished, non-slip surface.

3.19.1.9 Coat Hooks

Coat hook provision should be considered.

3.19.1.10 Seat rails

The use of seat rails for attaching seats, tables, partitions etc. permit a more

flexible interior which could be changed to suit service requirements. Where fitted,

charging points should be on the seat rather than the wall. This ensures the

continued correct location of power sockets in the event that seats are moved in

the future.

3.19.1.11 Bodyside windows

The number of variant sizes of bodyside windows should be limited in order to

minimise the stock holding.

3.20 Platform train interface

3.20.1 Following on from the Platform Train Interface Strategy published in January 2015, various

projects have been taking place looking at understanding the gap/step from the train to the

platform and how it can be reduced or made safer. The strategy can be found at:

http://www.rssb.co.uk/Library/improving-industry-performance/2015-01-platform-train-

interface-strategy.pdf

3.20.2 The following RSSB research projects are nearing completion and will provide some useful

design considerations for the train (and platform):

“T1037: Investigation of passenger vehicle footstep positions to reduce stepping

distances and gauging constraints”,

“T1054: Evaluating platform gap fillers to reduce risk at the platform/train interface”,

“T1080: Understanding the influence of different platform edge step / gap arrangements

on boarding and alighting accidents at the platform train interface”.

Search on the RSSB website (www.rssb.co.uk) for more information.

http://www.rssb.co.uk/Library/improving-industry-performance/2015-01-platform-train-interface-strategy.pdf

http://www.rssb.co.uk/Library/improving-industry-performance/2015-01-platform-train-interface-strategy.pdf

http://www.rssb.co.uk/


3.21 Wheelchair ramp design

3.21.1 Accessibility regulations require that wheelchair ramps be temporarily fixed to the train

whilst in use. It does not suggest how, but at present this is done using a lug and hole

arrangement. Whilst the industry is moving towards a common ramp to improve train

operator usability, manufacturers are advised to liaise on current practices for storage and

deployment.

3.21.2 For ease of deployment and location a visual indication, e.g. arrows, should be provided on

the ramp surface and vehicle to indicate the position of the lug and hole.

3.21.3 The ramp or installation should be designed so that the train doors cannot be closed with

the ramp in position.

3.21.4 RSSB research project “T759: Improving the methods used to provide access to and from

trains for wheelchair users” contains a lot of useful information on ramps and can be found

at:

http://www.rssb.co.uk/research-development-and-innovation/research-and-

development/research-reports-catalogue/pb001980


development/research-reports-catalogue/pb001981

3.22 Mobility scooter access

3.22.1 RSSB research project “T1055: Improving accessibility and safety for mobility scooter users

travelling by rail” will evaluate what improvements should be made to assist mobility

scooter users to board and alight from trains and to improve the processes used by staff in

dealing with mobility scooter users. A link to the project is at:


3.23 External access doors

3.23.1 Due to issues of passengers becoming trapped in exterior doors and being dragged along

platforms and prior to standards being drafted and RAIB reports being published, further

consideration should be given as to how to prevent passengers, luggage, or items of clothing

becoming trapped in the doors. Additionally the means of alerting traincrew in a timely

manner should be considered.

Door systems shall be fitted with 'anti-trap and drag' functionality.

http://www.rssb.co.uk/research-development-and-innovation/research-and-development/research-reports-catalogue/pb001980






3.23.2 Recommendation 1 in the RAIB report on West Wickham as follows should be applied:

The intent of this recommendation is to prevent passengers being put at risk of an accident

at the platform train interface, in circumstances where they have been able to open

passenger trains doors using the door open controls after the door closing cycle has been

initiated. The recommendation seeks completion of work already started by some railway

organisations.

Operators and owners of trains with power operated doors should jointly review passenger

door operation, and apply any necessary modifications so that, if doors are opened by

passengers using the door open controls during the door closing cycle, the doors will fully

open for a period consistent with safe use by a passenger.

The full report can be found at:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/503841/R

032016_160229_West_Wickham.pdf

3.23.3 Following a recommendation in other RAIB reports a National Foreword has been added to

BS EN 14752:2015 Railway applications — Body side entrance systems for rolling stock”,

however applying this standard may not fully cover issues like door obstruction, sensitive

edge, trap and drag and interlocking. A proposal to amend the standard is being considered.

3.23.4 RSSB research project “T1102: Optimising door closure arrangements to improve boarding

and alighting” will identify practicable improvements to current door closure arrangements

and inform long-term improvements to rolling stock design and relevant industry standards.

Reference is provided here for information.

3.23.5 A Railway Industry Standard “RIS-2747-RST Functioning and Control of Exterior Passenger

Doors on Vehicles” is currently out for comment and due to be published in late 2016. It may

cover some of the issues mentioned above.

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/503841/R032016_160229_West_Wickham.pdf

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/503841/R032016_160229_West_Wickham.pdf


4 Key Requirements - Operational

4.1 Driver Only Operation (Passenger) (DOO(P))

4.1.1 Rolling stock shall be specified for a single train crew member operation (or the provision

made for subsequent inexpensive retrofit of DOO(P) equipment).

Note: In this context “inexpensive” means that the design has made the provision for the


consideration of cabling to the relevant location(s).

4.2 Selective Door Operation (SDO)

4.2.1 Rolling stock shall be designed for vehicle level SDO operation (or the provision made for

subsequent inexpensive retrofit of SDO equipment) where this is initially not required.



consideration of cabling to the relevant location(s).

4.2.2 The SDO system shall be able to mitigate the effects of a driver releasing the doors on the side

of the train not adjacent to a platform i.e. provide correct side door enable functionality.

4.2.3 Where active, the SDO system shall be able to mitigate the effects of a driver not stopping in

the correct location along the platform.

4.2.4 The SDO system should interface with the Passenger Information System (PIS) to provide

sufficient notice to passengers of the following:

4.2.4.1 The side of the train of the next door release.

4.2.4.2 From which vehicle/door to alight.

Note 1: Such information will have to be given in sufficient time to permit mobility

impaired passengers to migrate to the correct doorways on the train.

Note 2: RSSB has developed the requirements for a national, vehicle based

automatic SDO system utilising track mounted Radio-frequency

identification (RFID) tags and on-board readers as a Railway Industry

Standard “RIS-2795-RST Rail Industry Standard for Track to Train RFID

Compatibility” available from the RSSB website.


4.3 Location of Driver Resettable Controls and Isolation of Equipment

4.3.1 Driver resettable controls, e.g. miniature circuit breakers (mcbs), shall be positioned where

drivers can access them quickly in all normal operational conditions. Wherever practicable, no

driver resettable controls or isolation equipment shall be located in passenger areas, due to

the extreme difficulty in gaining access on crowded trains.

4.3.2 Driver resettable controls shall be protected from accidental operation.

4.3.3 The ability for drivers to isolate defective essential equipment from the cab should be

considered. The driver then need not pass through a train nor exit the train to walk on the

track.

4.4 Cab Design and interfaces

4.4.1 The design of driving cabs should incorporate a standard arrangement of the following key

controls:

Traction

Brakes

Doors

Couplers

Note: There is a European project part of MODTRAIN developing a standard driving cab.

The output from this project should be taken into consideration.

4.4.2 Driving cabs shall be designed to comfortably accommodate a 95th percentile UK male and a

5th percentile UK female. Driving cabs should also be designed to ensure drivers are protected

against Musculoskeletal disorders (MSDs).

Note: Unless another (equivalent) assessment method is available, it is recommended that

the outputs of Railway Safety and Standards Board (RSSB) Project “T940:

Development of a tool to assess and manage musculoskeletal disorder risk in train

drivers” is used to assess the cabs of new builds of rolling stock - details of this project

can be found at:


brief-t940.pdf

4.4.3 Where cab equipment and controls need to be moved to permit fitment of ETCS displays and

other ancillary equipment as part of the design, guidance is given in document

“ATOC/EC/GN/004 Guidance Note - ETCS Cab Human Factors Design Guidance” which can be

found at:

http://www.rssb.co.uk/rgs/oodocs/ATOCECGN004%20Iss%201.pdf



http://www.rssb.co.uk/rgs/oodocs/ATOCECGN004%20Iss%201.pdf


4.4.4 Experience has shown that Driver Safety Devices (DSDs) have proved difficult to design

satisfactorily to accommodate both the 5th percentile female and the 95th percentile male.

Combined with the adjustable driver’s seat and in order to maintain sight-lines the pedal

should be adjustable for height. One method is to use a two height plate (known as a shoebox)

as shown in the pictures below.

DSD ‘Shoebox’ DSD ‘Shoebox’ in position

4.4.5 In-cab display equipment (computer screens and all other cab controls, indicators and

instruments) shall be legible in all lighting conditions (including darkness and direct sunlight).

Such display equipment shall be designed with adjustable brightness functionality to cater for

the range of lighting conditions experienced.

Note 1: RSSB Project “T906: ERTMS/ETCS driver/machine interface options for future train

cab design” provides guidance on some of these aspects - details of this project can

be found at:


t906.pdf

Note 2: A potential enhancement would be for the brightness of cab display equipment to

automatically adjust to the ambient light level e.g. day / night / tunnels etc. However,

a manual override of the automatic brightness levels should also be provided.

4.4.6 Control of service critical systems shall not rely on touch screen technology. 4.4.7 Driving cabs shall be operationally ready, i.e. ready for the train to be driven, following the

driver activating a cab by inserting a master key, within one minute.

Note: These requirements apply to all possible combinations of multiple unit formations

and also encompass activities related to coupling and uncoupling.




4.4.8 In order to minimise time and ensure data integrity, on-board systems shall communicate so

that drivers only have to enter data once, e.g. on the driver entering the train headcode and

their ID No: any on on-board systems (PIS, On-Train Data Recorder, Radio, etc.) should

automatically configure as appropriate.

Note: Consideration should be given to the issuing of train crew with smart cards that

contain all their personal data plus diagrams to be worked. The driver would

therefore use this card with a suitable train based interface to enter the relevant

data.

4.4.9 Consideration should be given to the provision of an exterior ambient temperature gauge in

the cab that the driver can read whilst seated in the normal driving position.

4.4.10 The size of the “reading zone” for driver’s papers is stated in the TSIs but not its orientation.

To prevent the placing of drinks on the surface it is suggested that the reading zone is not

horizontal.

4.4.11 A cup holder or place for a cup should be provided. 4.4.12 Consideration should be given to providing drivers with a means to charge mobile devices via

USB ports or 230V sockets. For more guidance see 3.17.2 and 3.17.3.

4.4.13 Space to securely locate a hand held device or tablet so that it can be seen while driving.

4.4.14 In order to assist with driver training or driver assessment, operators should consider the

extent of cab sightlines required from the second man’s seat.

4.4.15 Rolling stock shall be designed to ensure that cab access door handles, buttons or levers are

of sufficient height to be comfortably used by a 5th percentile female and a 95th percentile

male. Refer to the European Standard “EN 16116-1: Railway applications. Design

requirements for steps, handrails and associated access for staff. Passenger vehicles, luggage

vans and locomotives” and rolling stock TSI for more details. For information, current TSIs

state that the height should be measured from a ground level that is 200mm below top of rail.

4.4.16 The driver shall be able to judge the stopping position of the train at the platform. A previous

method is a cab side window.

4.4.17 RSSB research project “T1076: Standardising pictograms in train cabs” will look at

standardising pictograms in driving cabs. A link is provided for information:

http://www.sparkrail.org/Lists/Records/DispForm.aspx?ID=22047



4.5 Human Factors Mitigation - Design of Control Systems

4.5.1 In the event of two or more “master keys” being active (as a result of human error or

otherwise) in a train consist, manufacturers shall design control circuitry so that there is an

alarm and an indication of the location of the second key reported to the train crew.

4.5.2 In the event of two or more “conductor keys” being active in a train-consist there shall be an

alarm and an indication to the driver.

4.5.3 Such credible operational “errors” as those listed in 4.5.1 and 4.5.2 shall not result in any

damage to the train control systems or other train equipment.

4.6 Supply System Changeovers

4.6.1 Dual voltage rolling stock should be designed so that supply changeover from 25kV AC

overhead electrification to 750V DC third rail (and vice versa) is achieved as quickly as possible.

Note: Ideally system changeovers should be completed within one minute for all on board

systems and possible formations of multiple units.

4.6.2 System supply changeovers should be achievable both statically and dynamically.

4.7 Reminder of number of vehicles in a train

4.7.1 Where trains can operate in multiple formations, a system to remind the driver of the number

of vehicles in the train shall be provided, as this will assist with train stopping positions at

platforms. Where a train management system (TMS) is fitted, it shall be shown on the screen.

Where there is no TMS, a robust system that requires effort to amend, shall be considered.

4.8 Closed Circuit Television (CCTV)

4.8.1 Forward facing

It is recommended that forward facing CCTV cameras should be fitted to all rolling stock. Night

vision capability should be considered for these cameras. “GM/GN2606: Guidance on the

Fitment of Forward and Rear Facing Cameras to Rolling Stock” should be considered and a

copy of the document can be found at:

http://www.rssb.co.uk/rgs/standards/GMGN2606%20Iss%201.pdf

http://www.rssb.co.uk/rgs/standards/GMGN2606%20Iss%201.pdf


4.8.2 In-cab CCTV

Rolling stock should be designed to facilitate the inexpensive retrofit of in-cab CCTV cameras.

Note 1: In this context “inexpensive” means that the design has made the provision for the

fitment of equipment by the designer purposely allocating free space; power supply

and consideration of cabling to the relevant location(s).

Note 2: The CCTV footage from these in-cab cameras would be used in the event of an

incident to determine the actions of the driver and therefore the proposed camera

mounting positions should facilitate this. The images should be synchronised with

forward-facing CCTV and On Train Data Recorders.

A RSSB research project “T1100: Exploring the use of in-cab CCTV in the rail industry” is due to

start. The reference to the project is provided here for information.

4.8.3 Remote access to images

Consideration should be given as to whether there is a business requirement for the CCTV

images to be remotely accessible on demand. Experience has shown that having access to

images can offer significant benefits in enabling earlier resumption of services following

incidents.

4.8.4 Disk space & bandwidth

Where CCTV is fitted, consideration needs to be given for the amount of data storage space,

bandwidth and data retention time.


5 Key Requirements - Communications and Diagnostics

5.1 Software security

5.1.1 All software on board the train should follow the key points outlined in Appendix D.

Note: Train operators and suppliers should also seek to follow the points identified in the

'DfT Rail Cyber Security Guidance' and should note any mandated cyber security

requirements, e.g. National Rail Security Programme [NRSP].

5.1.2 RSSB has been commissioned to develop an industrial strategy, titled “Industry Cyber

Security Strategy”. It is envisaged that this be published in summer 2016. The information

is provided here for reference.

5.2 Open Source Software

5.2.1 It is recommended that all systems on the train that collect, process or store data should be

specified to use Open Source Software (OSS). This should include Train Management

Systems, controllers for train sub-systems, train safety systems (including ETCS/ERTMS) and

On Train Data Recorders. More information relating to OSS is contained in the RSSB

Knowledge Search Report “S179: Open source software” which can be found at:


5.3 European Rail Traffic Management System (ERTMS)

5.3.1 It is recommended that ERTMS equipment should be installed on rolling stock being designed

to operate on routes where ERTMS is planned to become operational (as per an agreed and

published Industry ERTMS Programme) within five years of service introduction. For all other

rolling stock, provision should be made for inexpensive retrofit of ERTMS equipment.


fitment of equipment by the designer purposely allocating free space for internal

equipment such as the Driver Machine Interface (DMI) and European Vital Computer

(EVC); external equipment such as the Doppler Radar and Balise Reader; together

with; power supply requirements and consideration of cabling to the relevant

location(s).

Following the principles of Open Source Software described in 5.2, it is recommended that

OpenETCS (http://openetcs.org/) should be specified to be “Open Proof”. Further information

may be found in the following documents at:

http://www.uic.org/cdrom/2012/10_ERTMS-Conference2012/docs/E5-OpenETCS-

abstractV2.pdf


http://openetcs.org/

http://www.uic.org/cdrom/2012/10_ERTMS-Conference2012/docs/E5-OpenETCS-abstractV2.pdf

http://www.uic.org/cdrom/2012/10_ERTMS-Conference2012/docs/E5-OpenETCS-abstractV2.pdf


https://static.lwn.net/images/conf/rtlws-2011/proc/Hase.pdf

5.3.2 Unless otherwise specified, the on board system shall comply with the latest version of the

National On board Sub-System Requirements Specification (NOSS), and the latest Baseline

and Maintenance Release which is currently set at Baseline 3, Maintenance Release 2. It

shall also be fully compatible with the infrastructure on the route in which the train is to

operate.

5.4 Remote Condition Monitoring (RCM) Systems

5.4.1 RCM has potential benefits for infrastructure maintainers; train operators; vehicle owners and

vehicle maintainers. Hence, these parties should be invited to participate in new systems and

provide input to business cases.

5.4.2 When developing the RCM requirements for any vehicle or vehicle systems, consideration

should be given to complying with the “8 Principles” that have been developed by the Cross-

Industry RCM Working Group (XiRCM). See them at:

http://www.rssb.co.uk/Library/groups-and-committees/2011-remit-x-industry-remote-

condition-monitoring-group.pdf

For information, these principles are presented below:

5.4.2.1 Principles are applied to Remote Condition Monitoring (RCM) activities in any of the

four quadrants (see document in above link) where there is cross-industry impact.

5.4.2.2 Business cases shall include all cross-industry elements including evaluation of

benefits and costs.

5.4.2.3 An end to end cross-industry RCM operating model (including processes and

contracts) is clearly described and agreed (defined shape).

5.4.2.4 Solutions shall conform to cross-industry RCM Reference Architecture.

5.4.2.5 Network wide enablers (e.g. processes, technology, standards) are justified

separately from solution projects but aligned with their plans (funding / delivery).

5.4.2.6 Cross-industry RCM standards shall be applied to technical solutions and business

processes.

5.4.2.7 Application of these cross-Industry RCM Principles has governance that is Industry

recognised.

5.4.2.8 Business as Usual procurement activities should consider application of x-industry

RCM principles.

https://static.lwn.net/images/conf/rtlws-2011/proc/Hase.pdf

http://www.rssb.co.uk/Library/groups-and-committees/2011-remit-x-industry-remote-condition-monitoring-group.pdf

http://www.rssb.co.uk/Library/groups-and-committees/2011-remit-x-industry-remote-condition-monitoring-group.pdf


5.4.3 Where Unattended Infrastructure Measurement Systems are being considered at an early

stage in the procurement phase, discussions should be held with the infrastructure manager

in order to establish the business case for the optimum condition monitoring solutions

required for a fleet of trains. These discussions should establish an agreement as to:

5.4.3.1 What assets should be monitored?

5.4.3.2 What parameters are required to be captured? How frequently along the track are

measurements required and to what resolution, accuracy, etc.?

5.4.3.3 How the data will be linked to an accurate time stamp?

5.4.3.4 How the data will be linked to an accurate location stamp?

5.4.3.5 How will the captured data be transmitted from the train to ‘shore’ for processing

and distribution?

5.4.3.6 How often do measurements need to be made to give data that will allow

deterioration rates to be determined?

5.4.3.7 In the case of real time reporting of defects from the trainborne measurement

system what action needs to be taken and in what timescales?

5.4.3.8 What proportion of the fleet should equipment be installed on to give the required

coverage, redundancy and operational flexibility?

Note 1: RSSB research “T857: Detailed review of selected remote condition

monitoring areas” has useful information and can be found at:


brief-t857.pdf

Note 2: Also information for RSSB research “T1010: Cross-industry remote condition monitoring programme” can be found at:


development/research-project-catalogue/T1010

5.4.4 The Radio-frequency identification (RFID) AVI tag specification for rail

“RFID_in_RAIL_GS1_in_Eu_Final.pdf” can be found at:

http://gs1.eu/?page=&tudasbazis=60&lister=224



http://www.rssb.co.uk/research-development-and-innovation/research-and-development/research-project-catalogue/T1010

http://www.rssb.co.uk/research-development-and-innovation/research-and-development/research-project-catalogue/T1010

http://gs1.eu/?page=&tudasbazis=60&lister=224


5.5 Diagnostics

5.5.1 Train systems should be provided with intelligent diagnostics to assist depot staff with

troubleshooting and fault finding.

5.5.2 Train systems should be provided with the functionality to export sufficient data to inform

immediate corrective action; to assist with fault diagnosis and therefore inform effective

maintenance and repair activities.

5.5.3 It is suggested that this communication could be via secure Wi-Fi at terminal or suitable

intermediate stations such that interrogation or diagnostics can be performed before the train

reaches the depot.

5.5.4 Consideration should be given to prognostic systems, which will predict and warn of pending

failure.

5.6 Mobile Communications Reception

5.6.1 Consideration shall be given to specifying aspects of rolling stock design that improve on-

board mobile network reception.

5.7 Passenger internet access

5.7.1 Consideration shall be given to the provision of passenger Wi-Fi.

Note: It is recommended that the outputs of RSSB Project “T964: Operational

Communications” are used to inform any decisions with regards to the provision of

on-board Wi-Fi services on rolling stock. Of particular relevance is the “Rail Mobile

Communications Service Handbook” that the project produced and can be found at:


brief-t964.pdf

5.7.2 Systems that provide the passenger with internet access should be deemed non-critical. As

such, it is important to protect the systems that are critical/important to the operation of the

train and ensure that vital functions have a secure architecture (c.f. 1.18 - Systems

Architecture), that they are protected and that they are separated as much as possible from

any passenger facing systems.

5.7.3 The passengers should be protected from malicious interference via the on-board passenger

facing systems. As such, standard procedures should be taken to protect passenger devices

and data from compromise via the on-board facing systems.

5.7.4 Consideration should be given to the location of mobile communications gateways in order

that multiple antennas can be fitted to take advantage of developing antenna standards and

future spectrum release for commercial broadband use.




Note: A new Rail Industry Standard “RIS-0700-CCS – Rail Industry Standard for Internet

Access on Trains for Customer and Operational Railway Purposes” is currently out

for consultation for issue later in 2016. It will specify the minimum requirements

for on-train Mobile Communication Gateways, and On-board Digital Repeaters.

5.8 On Train Data Recorders (OTDR)

5.8.1 It is considered essential that the functionality to remotely access OTDR data should be

provided.

5.8.2. In addition, consideration shall be given to providing the following functionality:

5.8.2.1 In-built GPS time stamp.

5.8.2.2 In-built GPS location stamp.

5.8.2.3 Open interface standard for OTDR data. No proprietary decryption software should

be permitted.

5.8.2.4 Spare channel capacity provision.

5.8.2.5 Ability to change the sampling rate of individual channels.

5.8.2.6 Ability to change the activation thresholds of individual channels.

5.8.2.7 OTDR vehicle connector should be designed to facilitate access for wiring changes

etc.

5.8.2.8 OTDR to be designed to also perform the role of ERTMS Juridical Recorder Unit (in

terms of ERTMS functionality).

Note: Issue 2 of GMRT2472 now refers to standard “BS EN 62625-1: Electronic railway

equipment - On board driving data recording system – Part 1: System specification”,

but does not call-up some of the above useful list. The RGS can be found at:

http://www.rssb.co.uk/rgs/standards/GMRT2472%20Iss%202.pdf

5.9 Global System for Mobile Communications – Railway (GSM-R)

5.9.1 The GSM-R radios should work alongside and be resistant to interference from the authorised

public network.

Note 1: The present GSM-R radios are vulnerable to interference from public

GSM/UMTS/LTE-900 MHz transmitters which will get worse over the next 5 years.

Work undertaken by the International Union of Railways (UIC) and Network Rail

Telecom (NRT) recommends that up-rated Mobile Radio Modules (BRIC) should be

provided in the radio. These modules should be already available through the cab

radio suppliers.

http://www.rssb.co.uk/rgs/standards/GMRT2472%20Iss%202.pdf


A specification will be published in autumn 2016 by the European Commission (EC).

In the meantime two specifications have been published by ETSI on their website

at:

http://www.etsi.org/standards-search:

ETSI TS 102 933-1 V1.3.1 (2014-06) Railway Telecommunications (RT); GSM-R

improved receiver parameters; Part 1: Requirements for radio reception

(reference RTS/RT-0024)

ETSI TS 102 933-2 V1.3.1 (2014-08) Railway Telecommunications (RT); GSM-R

improved receiver parameters; Part 2: Radio conformance testing

(reference RTS/RT-0025)

The European Rail Agency and EC strongly supports that any new Cab Radio or ETCS

Data Only Radio (EDOR) shall be compliant with the above specifications.

Note 2: Filters have also been suggested but have high volume, are heavy, more expensive

and in certain scenarios seem to be less effective than the new Mobile Radio

Modules. They will not allow Public Roaming envisaged to be implemented by the

GB Rail Industry.

http://www.etsi.org/standards-search


Appendix A – Items intentionally excluded from KTR – Issue 4 Items listed below are those that the group developing this document have discussed and have taken

the positive decision (at this stage) not to include any guidance in the KTR. Such decisions have been

taken for various reasons that typically include an inability of the group participants to agree on

specific requirements, or that it is very difficult to specify any meaningful requirements.

This list is provided for completeness to inform the industry that the issue has been considered and

has not been omitted from the KTR development process.

Note: This list will be reviewed continuously as part of the ongoing review and updating process for

this document.

Items purposely excluded:

Floor level emergency lighting – preference is for passengers to remain inside vehicle

Additional tactile / braille signage on labels and controls

Conclusions from RSSB Project T942: Pansway Acceptance – included in standards

UNIFE TecRecs – as awaiting publication

Wheelchair restraints – not liked by users

Driverless trains – too advanced at present, though in RTS Portfolio

Standard measure of rolling stock efficiency – awaiting standards and research

Maintenance requirements and downtimes – too specific

Heated 750V DC shoegear – awaiting updates from manufacturers

SMART technology for coupling – future part of Research Project T1003 or RTS Portfolio

Resistance to terrorist attacks - awaiting government guidance

Smart cards for driver’s log-in – technology not yet at reliable level

Seat layouts and arrangements including provision of 3 + 2 seating

New weather categories – awaiting new guide from Network Rail

Cab “not-to-couple” sign – operations issue

Monitoring the Platform/train interface – with PTI Strategy Implementation Group (PTISIG)

Darkness operated headlights – needs more development

Sleeper train design – awaiting information

Train floor height, door widths, steps – awaiting PTISIG outputs

Automated train preparation – awaiting information


Appendix B – List of research and innovation sources Listed below are useful links to research and innovation programmes currently taking place in Britain

and continental Europe.

Horizon 2020 https://ec.europa.eu/programmes/horizon2020/

Shift2Rail http://www.shift2rail.org/

Roll2Rail http://www.roll2rail.eu/

Digital Railway http://digitalrailway.co.uk/ Key Depot Requirements Will be on ATOC website in due course.

Rail Supply Group http://www.railsupplygroup.org/ RTS 2012 http://www.rssb.co.uk/library/future%20railway/innovation-in-rail-rail-technical-strategy-2012.pdf ReFocus 20 point plan http://www.atoc.org/clientfiles/files/publicationsdocuments/npsAB1F_tmp.pdf Supply Chain Forum http://www.railsupplygroup.org/wp-content/uploads/2016/01/RSG-Brochure-Jan-2016.pdf

https://ec.europa.eu/programmes/horizon2020/

https://ec.europa.eu/programmes/horizon2020/

http://www.shift2rail.org/

http://www.roll2rail.eu/

http://digitalrailway.co.uk/

http://www.railsupplygroup.org/

http://www.rssb.co.uk/library/future%20railway/innovation-in-rail-rail-technical-strategy-2012.pdf



http://www.atoc.org/clientfiles/files/publicationsdocuments/npsAB1F_tmp.pdf

http://www.atoc.org/clientfiles/files/publicationsdocuments/npsAB1F_tmp.pdf

http://www.railsupplygroup.org/wp-content/uploads/2016/01/RSG-Brochure-Jan-2016.pdf




Appendix C - Toilet design requirements

The detailed recommendations listed below have been derived from a range of stakeholder feedback

provided by train operators, owners and manufacturers, together with Transport Focus. The list is not

intended to be exhaustive and those specifying toilets for new or refurbished trains are advised to also

take into account the following documents:

To make inroads into improving toilet design, European Operators have jointly developed some

common requirements for on-train toilets that should encourage suppliers to improve their

products across Europe. These requirements have been captured in a EuroSpec, “Specification for

toilets of railway vehicles”. The Association of Train Operating Companies (ATOC) is a partner in

the EuroSpec consortium.

Copies of the EuroSpec can be obtained free of charge via the EuroSpec website at

www.eurospec.eu.

prEN 16922, “Railway applications – Ground based services – Vehicle waste water discharge

equipment” – currently (at April 2016) in draft form and subject to review

FprEN 16585-1, “Railway Applications — Design for PRM Use - Equipment and Components On

Board Rolling Stock — Part 1: Toilets” currently (since May 2015) in draft form and subject to

consultation

Persons with Reduced Mobility TSI.

Where there is any conflict between items listed below and requirements contained within mandatory

Standards, then Standards requirements clearly take precedence.

C.1 Toilet Controls

C.1.1 Call for Aid

o Shall be located well away from other controls, such as door and flush, to avoid

accidental operation due to confusion,

o The selected location shall minimise the risk of accidental operation due to being

kicked. This should include not locating any lower than is required by PRM TSI,

o Shall only activate an alarm; NOT stop the train.

C.1.2 Toilet Flush

o Flush control shall be visible at all times, including when the toilet seat is raised,

o To conserve water supplies, a two stage flush system should be considered,

o Consideration should be given to using an automatic flush, activated by a sensor

which detects when toilet is not being used or the toilet lid is closed. If this option

is adopted, clear signage is required.

C.1.3 Water / Soap / Hand Dryer

o Automatic activation, using sensors, is preferred,

o Dispense / outlet points shall be visible and clearly labelled,

o Activation sensor locations shall be clearly identified; e.g. by using a light beam,

o Hand dryers shall automatically switch off, via a timer,

http://www.eurospec.eu/


o Transport Focus has advised that research amongst a group of disabled

passengers has indicated that the best layout is soap furthest away, water central

and drier nearest to the person, who may still be seated on the toilet.

C.1.4 General

o The design of all toilet controls, not only those for accessible toilets, should be

intuitive, simple to use and consistent across different types of train.

C.2 Doors and Door Controls

C.2.1 Power doors are viewed as a significant source of toilet unreliability and it is therefore

recommended that these should only be used where required to meet legislation,

such as the PRM TSI.

C.2.2 Where power doors are used:

o They shall be designed to auto reset after forced manual operation,

o Controls shall be located as close as possible to the door as this is where users

intuitively expect to find them,

o Door locking should be activated by a lever (although it may operate an electrical

switch) as this action is associated by users with operating a door lock,

o Pressing the “Door Open” button from the inside shall automatically unlock the

door (this requires the lock lever to automatically move back to the unlocked

position),

o Controls outside the toilet shall have “Open” and “Close” buttons, so that the

door can be readily closed from outside,

o Operation of the door lock shall be accompanied by an audible “clunk” and an

audible/visual message “Toilet is locked”, meeting the needs of passengers with

visual or auditory impairment, in order to reassure users that the door is locked,

o Toilet should be the last place of refuge for a person feeling threatened – “Door

Close” operation from inside shall take precedence over “Door Open” activation

from outside, although an override should be provided for staff use.

C.2.3 Since there is no standard toilet design, passengers have commented that they would

welcome a common method of locking the toilet door.

Note: The renderings below suggest an arrangement that should be considered for

new designs.


C.2.4 Door lock should be able to be operated without using a hand (hygiene issue).

Operation should be possible by, for example, by operating buttons or levers using an

elbow.

C.2.5 External indicators shall be provided as follows:

o An indicator, which can be readily understood by passengers, to show whether a

toilet is engaged or has been locked out of use (two different indications

required),

o An indication, for staff information only, to advise when a toilet has remained

locked for more than, say, 20 minutes – to draw the attention of staff to a

potential fare dodger or collapsed person,

o Features of this design should include:

An indicator to be provided adjacent to each door, on the outside, with an

option to provide a notification to the driver – primarily for use when trains

are operating DOO,

The system should reset the timer if the toilet is vacated and reoccupied prior

to being checked by on-train staff,

The timer should reset when controls such as flush or washbasin spray are

activated.


C.3 Tank Capacities and Range

C.3.1 Range

o In order to maximise range, flush systems which minimise water consumption are

preferred,

o Given the critical importance of toilets to passenger comfort, particularly on

longer journeys, toilet provision, in terms of the ratio of seats to toilets, requires

careful consideration. It is suggested that the minimum acceptable level of

provision should be:

For intercity or inter-urban services, 85 seats per toilet,

For short distance / commuter services, 125 seats per toilet.

o A CET discharge periodicity of 2-3 days is believed to be typical, but this requires

separate consideration for each application and may be significantly different for

diesel trains, as opposed to electric trains which require servicing significantly less

frequently,

o To avoid major problems in the event of a toilet becoming defective, it is

recommended that all units should have a minimum of two toilets provided,

o Typically, the capacity of the waste tank would be double that of the fresh water

tank. However, this ratio may need to be varied depending on the nature of the

service to be operated,

o Where difficulties are experienced in providing sufficient tank range for the

planned duty cycle, consideration should be given to provision of a separate toilet

with only a waterless urinal and washbasin, in order to reduce the overall demand

for water.

C.3.2 Whole System Considerations

o The design of train toilets has changed little since Controlled Emission Toilets have

been installed on GB rolling stock. Designs of toilet have recently been developed

that either treat waste before discharging clean water to the track or recycle this

water for toilet flushing. Such systems offer significant benefits in terms of

reducing the size and weight of tanks, reducing water consumption and greatly

increasing the time intervals between servicing. The case for introducing this

technology needs to be considered when procuring new toilet systems.

Note: RSSB Project “T692: Water Recycling for Train Toilets” investigated this

area during 2007 – details of this project can be found at:


brief-t692.pdf

o For any trains with an expected life beyond the end of 2019, track discharge toilets

shall not be provided.




C.3.3 Other Design Considerations

o Consideration should be given to specifying a “load shedding” system which

automatically reduces flush volumes when water levels are low. In addition, the

system shall ensure that water remains available for hand washing even when

none is available for flushing,

o Even when no water is available for flushing, the system design shall continue to

evacuate the bowl when the flush is operated. Under these circumstances toilets

shall remain available for use and not automatically lock themselves out of use,

o Filling and CET discharge connections shall be provided on both sides of the train,

o Consideration should be given to measures to make toilets feel less

claustrophobic; for example through provision of a suitably obscured window.

C.4 Ease of Manufacture / Maintainability

C.4.1 Maintainability

o It shall be possible to change any “active” component within the toilet (including

the door system) in no more than 30 minutes,

o “Passive” components such as hoses should ideally be specified to remain

serviceable for the expected life of the vehicle or, if this is not practicable, at least

up to a Half Life Overhaul,

o To prevent the over pressurising of water tanks, the surface area of the overflow

shall be at least double that of the inlet,

o To avoid blockages, pipe lengths shall be kept as short as possible and, for waste

pipework, have a good “fall”. More detailed requirements are contained in

prEN 16922,

o Design consideration shall be given to the potential implications of leaks from

pipework, to ensure that leakage does not occur in inaccessible locations and

cannot collect and initiate corrosion that may affect the vehicle structure,

o As a part of the design, the methodology for cleaning CET tanks shall be stated

and demonstrated. More detailed requirements are contained in prEN 16922,

o CET tank profiles shall facilitate cleaning and consideration should be given to

making the internal surfaces non-stick. See also prEN 16922,

o CET tanks shall be readily removable, using a forklift truck,

o The location of CET tanks within the vehicle bodyshell should be avoided,

o Suitable facilities should be designed and provided to enable Train Managers to

unblock toilets in service,

o Automatic frost draining of water tanks is NOT recommended. Manual draining

facilities shall be provided.

Note: This is opposite to the requirement in the Eurospec document, as winter

weather in GB is rarely cold enough to warrant it.

o A drain to the outside shall be provided in the toilet floor, to ensure that any fluid

leakage does not enter the passenger compartment.


C.5 Customer Facing Ancillary Equipment

C.5.1 Toilet Tissue Dispensing

o Toilet tissue dispensers shall be capable of easily dispensing tissue without

shredding or damaging it, even when the dispenser has been filled to its maximum

capacity. It shall not be possible to over-fill.

C.5.2 Hand Washing

o Soap dispensers shall be designed not to leak or clog – lids that require to be

removed for filling should be retained,

o Where access is provided to the soap dispenser via a panel / door, it shall not be

possible for this to be closed unless the soap dispenser is closed correctly,

o Any drips from the soap dispenser shall fall into the washbasin; not onto the

vanity unit top or floor,

C.5.3 Hand Drying

o Consideration should be given to the use of high velocity air dryers, using less

energy and reflecting the new norm for public toilets,

o The hand dryer shall take its supply air feed from inside the toilet cabin, this keeps

the air pressure inside the toilet cabin neutral. This will prevent transient smells

being expelled into the passenger environment.

C.5.4 Toilet Pan

o Toilet seats and lids shall remain stable in the upright position for the entire range

of train operating conditions. Consideration should also be given to specifying

slow close hinges for toilet seats and lids,

o Preference should be given to specifying white sanitary ware, as this looks more

“domestic” and less industrial and it is easier to see when surfaces are clean.

C.5.5 Other

o It should be noted that many visually impaired passengers prefer to use standard

toilet cubicles, rather than universal ones, as equipment is much closer to hand,

o It is recommended that a nappy changing table should be provided, probably that

hinges down from the wall; at least in selected toilets. The table shall be secure,

include a notch or hook to hold nappy bags and have a belt/strap to secure

infants. Provision of a waste bin for nappies should be provided.

Note that persons with medical conditions needing stoma bags would also

find a shelf and bin useful.

o Consideration should be given to provision of a dispenser for sanitary waste bags.

o Consideration should be given to provision of a waste bin for sanitary items and

nappies in all toilets,

o Consideration should be given to providing vending machines for sanitary items

(or to advertise them as being on sale in the buffet car),


o Hooks for coats and bags shall be specified, sufficient to cope with the size and

weight of bags likely to be taken into a toilet and configured such that they

prevent such items from coming into contact with the floor or with any other

horizontal surfaces (e.g. top of vanity unit). In a universal toilet hooks should be

placed at various heights to take account of a range of users,

Note that persons with medical conditions needing stoma bags would also

find a hook useful.

o Consideration should be given to the provision of holders for walking aids such as

sticks and crutches, to prevent them from falling when the train moves.

C.6 Resistance to Misuse / Vandalism

C.6.1 Toilet Blockage

o The type test specified shall include common blockage items, e.g. nappy, sanitary

waste, drinks can, coins, wet wipes,

o It is recommended that consideration should be given to providing an audible

warning of items not to be placed into the toilet pan. However, any such warning

should be brief and to the point.

o Likely system blockage points shall be readily accessible.

C.6.2 Vanity Units

o Joint lines and use of sealant should be minimised,

o Integrating the slash back into the hand basin moulding should be considered,

o Hand basins shall be provided with an overflow and a sensor should be provided

to cut off the water supply in the event that the overflow becomes blocked,

o The hand basin tap shall automatically shut off after a pre-determined period of

operation,

o Vanity units shall be designed to take account of operation when standing on

maximum canted track and include a lip around the bowl to retain water,

o To reduce vulnerability to vandalism, mirrors shall not be made from glass.

C.6.3 Other

o Access doors for emptying waste bins shall automatically lock when closed, only

requiring a key to open,

o The use of vinyl films is recommended, to protect surfaces from graffiti,

o Vandal resistant hinges shall be used for the toilet lid,

o It is recommended that, as far as practicable, panel design should be moulded in

one piece, preventing them from being pulled off,

o Designs shall avoid crevices where hypodermic needles might be concealed, with

the associated risk of injury to maintenance and cleaning staff.


C.7 Health and Hygiene

C.7.1 Odour Prevention

o Extraction systems shall create a negative pressure in the toilet compared to the

remainder of the vehicle interior, thus helping to prevent the release of

unpleasant odours,

o Provision of scent facilities, via either scent dispensers or scent gel in the toilet

pan, should be considered,

o Designs shall minimise the risk of standing water.

C.7.2 Legionella

o Spray taps on washbasins that may produce air-borne water droplets or

atomization shall be avoided,

o It is recommended that, so far as is practicable, water storage tanks should be

protected from heat; either from heat sources such as vehicle exhausts or from

solar gain,

o Water systems shall be designed for ease of chlorination and removal of lime

scale,

o The use of copper piping should be considered, to reduce the risk of

bacteriological contamination of water,

o It shall be possible to completely drain water systems. Pipe runs should be short

with few bends and with a continuous fall towards the outlet.

Note 1: In addition, RSSB Project “T985: Identification and analysis of risks

posed by legionella bacteria in on-train non-potable water systems”

provides guidance on additional best practice - details of this project

can be found at:


Note 2: ATOC has also produced a Guidance Note “ATOC/GN013: ATOC

Guidance Note - Control of Risk Posed by the Presence of Legionella

Bacteria in On-train Non-potable Water Systems”, copies of which can

be found at:

http://www.rssb.co.uk/rgs/oodocs/ATOCGN013%20Iss%202.pdf



http://www.rgsonline.co.uk/other_organisations/atoc/atoc%20guidance%20notes/atocgn013%20iss%201.pdf



http://www.rssb.co.uk/rgs/oodocs/ATOCGN013%20Iss%202.pdf


C.7.3 Ease of Cleaning

o The toilet floor shall take the form of a fully moulded pan, as used in aircraft,

o Joints between panels may act as dirt traps and should be kept to a minimum,

o All surface finishes shall be specified to be non-absorbent,

o The use of nano-technology to create self-cleaning surfaces should be considered.

C.7.4 Other

o Provision of a dispenser for hand gel / sanitiser should be considered,

o Operation of the toilet flushing system shall not be audible within the passenger

saloon area.


Appendix D – Software security

The following gives guidance for the design of software and its future updating and amending.

D.1 Introduction

This is an emerging area which the industry needs to address. It is a complex area and general

information is given below, but it is recommended that specialist advice is sought.

D.2 System Architecture

D.2.1 Security Requirements

Poorly designed network architectures that lack a defence-in-depth approach to

security may be vulnerable to cyber exploitation. Secure network architectures

contain a combination of network segmentation, communication traffic control, and

communication traffic monitoring: segmentation is used to separate functional sets

of network hosts into groupings; traffic control is currently implemented with routers

and firewalls to prevent unauthorised access between different subnets; and traffic

monitoring validates what traffic is allowed and alerts when unauthorised traffic is

detected.

Security can be enhanced by partitioning networks into multiple segments and placing

technical security controls (currently e.g. firewalls, unidirectional communication

devices, or virtual private network [VPN] concentrators) between the network

segments. Hardware, software, and firmware that restrict communications are

important tools in establishing an appropriate cybersecurity defensive architecture.

The network architecture is how a network is designed and segmented into logical,

smaller functional subnets (i.e. network security zones) for the purpose of

communication.

The following shall be provided by a supplier:

Recommendations as to the design and configuration of network security zones

within the procured product.

Information on all communications (e.g. protocols) required between network

security zones, whether inbound or outbound, and identification of each network

component of the procured product initiating communication.

A method to restrict communication traffic between different network security

zones and documentation on all methods and equipment used to restrict

communication traffic.

Verification that disconnection points are established between the network

security zones and methods to isolate the zones to continue limited operations.


A means whereby network traffic may be monitored, filtered, and/or alarmed

(e.g. alarms for unexpected traffic through network security zones) and filtering

and monitoring rules.

Documentation on all firewalls and rule-sets supplied for normal and emergency

operations. If the purchaser has the responsibility of procuring their own firewalls,

appropriate firewall rule sets and rule set guidance for normal and emergency

operations. The basis of the firewall rule sets for inbound and outbound traffic

should be “deny all,” with exceptions explicitly identified.

The purchaser with access, including administrative rights as and when required,

to network components of the procured product, including all firewalls.

Documentation on all remote access entry pathways and ensure that they can be

enabled or disabled by the purchaser as needed.

D.2.2 Communication Traffic Monitoring

Recording specific system activity in the form of logging generates an audit trail.

Failure to perform logging against a consistent time source makes it difficult to

monitor activity, perform diagnostics and identify potential cyberattacks in time to

take protective actions or carry out forensic activities in the event of a successful

cyberattack. Without timely access to information with consistent time-stamps on

system activity, post-event investigations may not yield conclusive results and the risk

of similar events occurring in the future would remain high.

The following shall be provided by a supplier:

Standard time synchronisation in the procured product (e.g. Global Positioning

System [GPS], Network Time Protocol [NTP] and IEEE 1508-2008). If the supplier

is not providing a standard time synchronisation, then they shall provide an

alternative authoritative time source and configure the product to synchronise to

that time source instead.

Logging capabilities and/or the ability to support the purchaser’s existing logging

system. Logging capabilities provided shall be configurable by the purchaser and

support the purchaser’s security auditing requirements. As a minimum, the

following time-stamped events shall be captured:

o Information requests and server responses

o Successful and unsuccessful authentication and access attempts

o Account changes

o Use of privileged accounts

o Application start-up and shutdown

o Application failures

o Major application configuration changes.


An approach for collecting and storing (e.g. transfer or log forwarding) security log

files. Recommendations for log management and Security Information and

Event Management (SIEM) integration methods (e.g. syslog); mirroring log files to

a secure secondary location should also be considered.

Detail of all log management capabilities that the procured product is capable of

generating and the format of those logs and should identify which logs are

enabled.

D.2.3 End point device security

End point devices (e.g. sensors) can be used as access points to other systems that

perform command and control functions. Such devices are used to provide system

control at the lowest level of a process and are vulnerable to communication

interception and modification. Hardware and software (e.g. portable configuration

computers) are sometimes needed to program these devices. End point devices and

configuration computers need to be secured by physical and cyber means.

End point devices are a part of the entire system and need to be able to communicate

with the rest of the system while performing specific control functions. If the

communication from the network to the device or from the device to the network is

intercepted and modified, the controlled process could be adversely affected.

Therefore, it is necessary to verify that both the device itself and the communication

to and from the device are secured to achieve integrity of the communication. In

addition, modifications to the control function of the device can affect the integrity of

the data transmitted and the actions taken by the control system. To avoid this, it is

necessary to secure the device from both cyber and physical modifications.

The following shall be provided by the supplier:

Physical and cyber security features, including but not limited to authentication,

encryption, access control, event and communication logging, monitoring, and

alarming to protect the device and configuration computer from unauthorised

modification or use.

A clear identification of the physical and cyber security features and the

methodology(ies) for maintaining the features, including the methods to change

settings from the vendor configured or manufacturer default conditions.

Verification that the addition of security features does not adversely affect

connectivity, latency, bandwidth, response time, and throughput, when

connected to existing equipment.

Detailed assurance that all software components that are not required for the

operation and maintenance of the device have been removed or disabled and

provision of documentation on what has been removed and/or disabled.


Within a pre-negotiated period, appropriate software and service updates and/or

workarounds to mitigate all vulnerabilities identified with the product (at that

time or later) and to maintain the established level of system security.

Clear and written verification documentation that the safety system is certified

after incorporating the security devices.

D.3 Secure Development Practices

Secure product development practices are a set of processes integrated into the System

Development Life Cycle (SDLC) that reduce the security risks of a developed product. These

practices help to develop more robust hardware, software, and firmware with fewer

weaknesses and vulnerabilities, as well as to identify and remediate weaknesses and

vulnerabilities before deployment. Secure development practices ensure that security is

integrated into all phases of the SDLC and should be considered a key component of systems

development.

The following shall be provided by the supplier:

Summary documentation of its secure product development life cycle including the

standards, practices (including continuous improvement), and development

environment (including the use of secure coding practices) used to create or modify the

provided system hardware, software, and firmware. Where applicable, the provision of

documentation that sets out how the most critical application security weaknesses

(including Open Web Application Security Project (OWASP) Top 10 and/or SANS Institute

Top 25 Most Dangerous Software Errors) are addressed in the SDLC.

A Quality Assurance program and evidence that the software and firmware of the

procured product have undergone Quality Control testing to identify and correct

potential cybersecurity weaknesses and vulnerabilities. This testing should include fuzz

testing, static testing, dynamic testing, and penetration testing. Positive and appropriate

negative tests to verify that the procured product operates in accordance with its

requirements and without extra functionality, as well as monitor for unexpected or

undesirable behaviour during such tests should be used. This testing may be done by the

supplier or an independent entity. Provision of summary documentation of the results of

the testing that includes all unresolved vulnerabilities and recommended mitigation

measures for each.

Summary documentation of its coding reviews, including defect lists and plans to correct identified vulnerabilities.

A contingency plan for sustaining the security of the procured product in the event that

the supplier is no longer willing or able to support the product (e.g. security-related

procedures and products placed in escrow).

Note: The purchaser should have the right to request documentation of the

implemented cybersecurity program, including recent assessment results

and/or conduct periodic [at a pre-negotiated frequency and scope] on-site

security assessments at the supplier’s facilities. The purchaser should also have


the right, at his sole discretion, to conduct such assessments using an

appropriate and independent third party.

D.4 Third party supplied systems/software/modules

It is important that software development procedures utilised by a third party on behalf of a

supplier are as robust as those of the contracted supplier. As such, it is recommended that the

following should be provided:

Summary documentation of any third party product development life cycle including the

standards, practices (including continuous improvement), and development

environment (including the use of secure coding practices) used to create or modify third

party provided system hardware, software, and firmware. Where applicable,

documentation on how the most critical application security weaknesses (including

OWASP Top 10 or SANS Institute Top 25 Most Dangerous Software Errors) are addressed

in the third parties SDLC.

Information as to the country (or countries) of origin of the procured product and its

components (including hardware, software, and firmware) and furthermore should

identify the countries where the development, manufacturing, maintenance, and service

for the product are provided. Prior agreement from the purchaser before making any

change to such arrangements should be sought.

D.5 Documentation and Tracking of Vulnerabilities

When security vulnerabilities are discovered in hardware, software, and firmware, the timely

application of corrective actions and/or mitigation steps can reduce the likelihood that

adversaries will be able to exploit these vulnerabilities. Some of these vulnerabilities may be

publicly disclosed before a supplier can develop remedies; others may be kept from disclosure

until remedies are available. Security breaches may also affect the cybersecurity of the

procured product. Such breaches may involve a compromise of security involving the

supplier’s organisation, or any organisation involved in the product’s supply chain. Security

breaches may result in the loss of sensitive product design information, information on the

purchaser’s use and configuration of the product, a compromise of access control information

for the deployed products (e.g. compromise of access control information that the supplier

uses to perform maintenance on a deployed product), or other security-sensitive information.

If the purchaser is informed of a security breach in a timely manner, it may be possible to

apply mitigating measures to maintain adequate levels of security.

It is therefore recommended that:

i) prior to contract award;

ii) post contract award but prior to product delivery; and

iii) post product delivery, suppliers are required to:

o Provide purchasers with information about product hardware, software and firmware versions and vulnerabilities (identifying which of the vulnerabilities have been publically disclosed) and any actions they have taken to redress those vulnerabilities.


o Notify purchasers of identified security breaches within their organisations and supply-chains.

o Work with purchasers to identify and mitigate the risk from the exploitation of all such product vulnerabilities.

o Remedy security vulnerabilities in a timely manner.

Note: The information to be provided should include a description of each vulnerability

and its potential impact, root cause, and recommended compensating security

controls, mitigations, and/or procedural workarounds and corrective actions.

D.6 Security Risk Assessment

The supplier and/or purchaser should undertake a security-informed risk assessment on each

system that:

identifies threats, vulnerabilities and impact;

analyses likelihood and consequences; and

ultimately evaluates risks against risk appetite and demonstrates the adequacy of the assessment process and suitability of the techniques employed.

The supplier and/or purchaser should document and implement one or more cybersecurity

policies for applicable systems, which will address the risks that have been identified.

D.7 Full systems software identification/classification & impact assessment

Systems and software that require protection from cyber threats, first need to be identified

and sufficient information about their condition recorded and maintained to:

allow appropriate controls to be deployed,

provide a common reference between government agencies and duty holders, and

provide a basis for assurance activities.

It is therefore recommended that the following identification activities are undertaken:

Systems and software are recorded in a structured, indexed, searchable repository.

The supplier records sufficient information about identified systems to allow effective assessment of system vulnerability. This should include as a minimum:

o System name/function

o Hardware make and model

o Operating system(s)

o Operating system version(s)

o Major software components

o Software version including patch level(s)

o Systems interfaces

o Communication protocols supported


Suppliers should document a policy that sets out the principles applied to determine system risk rating.

D.8 All software

Obsolescence management should be covered by contractual arrangements for the design life

of the vehicle and should include all rolling stock related hardware, software and firmware.

key train requirements issue 4 - rssb · · 2017-05-311.4 braking systems ... (electromagnetic...

Documents