
Uncontrolled When Printed Railway Group Standard

GK/RT0207
Issue One
Date August 2000

Signalling Design
Production

Synopsis
This document sets out the mandatory
requirements for the production of
designs for the provision of new
signalling systems and the alteration of
existing systems.

Signatures removed from electronic version

Submitted by
Elizabeth Fleming
Standards Project Manager

Authorised by
Brian Alston
Controller, Railway Group Standards

This document is the property of
Railtrack PLC. It shall not be
reproduced in whole or in part without
the written permission of the Controller,
Railway Group Standards,
Railtrack PLC.

Published by:
Safety & Standards Directorate
Railtrack PLC
Railtrack House DP01
Euston Square
London NW1 2EE
© Copyright 2000 Railtrack PLC

Contents
Section Description

Part A
Issue Record
Responsibilities
Compliance
Health and Safety Responsibilities
Supply

Part B
1 Purpose
2 Scope
3 Definitions
4 Design Management
5 Design Development
6 Design Verification
7 Design Approval
8 Modifications to Designs
9 Control of Design Documents and Software/Data
10 Assessment and Demonstration of Safety
11 Use of Design Support Tools
12 Special Cases of Design Production

References

Part A
Issue Record
This document will be updated when necessary by distribution of a complete
replacement.

Revisions in the reissued document will be marked by a vertical black line in the
right hand margin adjacent to the revision.

Issue: One
Date: August 2000
Comments: Original Document.
Replaces withdrawn documents
GK/RT0004, GK/RT0110, GK/RT0115,
GK/RT0116, GK/RT0201, GK/RT0202 and
GK/RT0205.
GK/GN0600, GK/RC0701 and GK/RH0710
are also hereby withdrawn.

Responsibilities
Railway Group Standards are mandatory on all members of the Railway Group *
and apply to all relevant activities that fall into the scope of each individual’s
Railway Safety Case. If any of those activities are performed by a contractor, the
contractor’s obligation in respect of Railway Group Standards is determined by
the terms of the contract between the respective parties. Where a contractor is a
duty holder of a Railway Safety Case then Railway Group Standards apply
directly to the activities described in the Safety Case.

* The Railway Group comprises Railtrack and the duty holders of the Railway
Safety Cases accepted by Railtrack.

Compliance
The provisions in this document are to be complied with in respect of all signalling
design work from 7 October 2000.

Health and Safety Responsibilities
In issuing this document, Railtrack PLC makes no warranties, express or implied,
that compliance with all or any documents published by the Safety & Standards
Directorate is sufficient on its own to ensure safe systems of work or operation.
Each user is reminded of its own responsibilities to ensure health and safety at
work and its individual duties under health and safety legislation.

Supply
Controlled and uncontrolled copies of this document may be obtained from the
Industry Safety Liaison Dept, Safety and Standards Directorate, Railtrack PLC,
Railtrack House, DP01, Euston Square, London, NW1 2EE.

Part B
1 Purpose
The purpose of this document is to set out the mandatory requirements for the
processes whereby designs for signalling systems are produced, to ensure that
such designs are safe and fit for purpose.

2 Scope
The overall scope of Railway Group Standards is as specified in Appendix A of
GA/RT6001.

This document contains requirements which are applicable to the duty holder of
the following category of railway safety case:

• Infrastructure Controller

Specifically the contents of this document apply to signalling design processes
for:

• the site-specific design of new signalling systems which are to form part of
Railtrack Controlled Infrastructure;
• alterations to, and the abolition (also known as “recovery”) of, existing
signalling systems which are part of Railtrack Controlled Infrastructure.

The scope is restricted to infrastructure for systems that utilise lineside signals or
fixed block cab signalling.

The scope does not include:

• the functional, operational and safety performance requirements for signalling
systems and equipment (these are addressed in other Railway Group
Standards);
• processes for the capture of user requirements prior to the commencement of
signalling system design;
• design of moving block signalling systems;
• minor alterations where the design, functionality and configuration of the
signalling system is essentially unaltered and for which engineering details
are not necessary (eg. re-allocation of a cable core or relay contact;
repositioning of an item within an apparatus case);
• design of products that are used as part of a signalling system (see
GI/RT7002);
• design of train-borne signalling systems and equipment;
• operational telecommunications links and networks that are used to provide
data communications between parts of the signalling system;
• design considerations relevant to the occupational safety of persons who
install, test, maintain or operate the systems and equipment (except in
respect of staff protection and warning systems, which are within the scope of
this document – see definition of signalling systems and equipment);
• legislative requirements relevant to design work, such as the Construction
(Design and Management) Regulations 1994 and the Railways and Other
Transport Systems (Approval of Works, Plant and Equipment)
Regulations 1994.

3 Definitions
Application Requirements
Rules, conditions and constraints relevant to the safety of a product in its
proposed application.

Approval in Principle
Approval by a competent person or body that the concept design of the signalling
system will meet the Infrastructure Controller’s requirements, and that appropriate
standards and design criteria are proposed for the engineering details.

Concept Design
A suite of documents that constitute the proposals for how the safety and
operational requirements for the signalling part of a project are to be met. They
provide the basis for the production of the engineering details. See clause 5.1.3
for a list of concept design documents.

Design Production Organisation
An organisation that undertakes the preparation of signalling designs.

Engineering Details
A suite of documents that provide the detailed information necessary for the
construction/installation of the signalling system. It may also include application-
specific software/data for the signalling system, where it is produced as a part of
the design process. See clause 5.5.4 for a list of engineering detail documents.

Infrastructure Records
The definitive records of the signalling system which reflect the actual
configuration of the installed equipment, wiring and software. Such records are
created and retained in accordance with GI/RT7001, and may be physical
drawings or electronically stored data.

Product
Any of the following within the scope of this document: system, sub-system,
equipment, component, materials.

Scheme Plan
A plan of the railway layout that depicts the proposed provision of (or alterations
to) signalling.

Signalling Systems and Equipment
Systems and equipment used for:

• authorising and safeguarding the movement of trains; and
• providing protection and warnings for trackside personnel, where such
systems and equipment form part of the whole signalling system.

The definition includes software and data, as well as equipment and wiring.

Technical Approval
Approval by a competent person or body that:

• the engineering details of the signalling system meet the Infrastructure
Controller’s requirements; and
• appropriate standards and design criteria have been used; and
• competent persons have used reasonable care in preparing the design; and
• the safety of railway operations and safe interworking have not been
compromised.

4 Design Management
4.1 Management Systems and Procedures
4.1.1
The Infrastructure Controller shall:

• have management, organisational and procedural arrangements in place to
control the production of signalling designs; and
• ensure that design production organisations have management,
organisational and procedural arrangements in place that are appropriate for
the particular design activities and type(s) of signalling design work they are
required to undertake.

4.1.2
The Infrastructure Controller shall ensure that the specific management,
organisational and procedural arrangements to be applied to the signalling design
phase of each project are documented (eg. in the form of a safety plan,
procedures, method statements or specifications) insofar as is necessary for the
purposes of producing safe designs. The documented arrangements shall
include (but are not necessarily limited to):

a) the responsibilities, levels of authority and reporting lines of individuals and
organisations involved in the design process (see section 4.3); and
b) the selection and use of competent personnel (see section 4.2); and
c) the procedures to be applied in the production of the designs (including any
special arrangements – see section 12); and
d) the arrangements for verification and approval of the designs (see sections 6
and 7); and
e) the associated activities to be undertaken (eg. safety analysis, site
assessments, correlation); and
f) the control of documents and software/data (see section 9); and
g) the use of design support tools (see section 11); and
h) any requirements for the audit of the processes.

The Infrastructure Controller shall review those documents produced by the
design production organisations in order to be satisfied that the proposed
arrangements provide an acceptably safe means of producing the designs.

4.2 Competency
4.2.1
The Infrastructure Controller shall ensure that its own organisation and the design
production organisations engaged on a project have personnel assigned to the
work who collectively possess, or have the capability to acquire:

• the necessary knowledge in respect of the design processes and procedures
(including the use of design support tools, where used); and
• the necessary knowledge for the particular signalling system being designed
(including knowledge of the associated signalling principles, and of the
equipment which comprises the system).

4.2.2
The Infrastructure Controller shall ensure that its own organisation, and the
design production organisations engaged on a project, have processes in place
for deploying their personnel in a manner which achieves compatibility between
the design tasks they are required to undertake and the competencies that the
individuals possess.

4.3 Control of Organisational Interfaces
4.3.1
Where more than one design production organisation is involved in design
production, the Infrastructure Controller shall ensure that their interactions are
controlled so as to avoid any overlap, inconsistency or omission in the designs
that could subsequently jeopardise the safe operation of the signalling system.
Circumstances where this applies include (but are not limited to):

• the use of sub-contractors to produce parts of the design;
• the use of multiple contractors to produce parts of the design, but not working
in a contractor/sub-contractor relationship;
• separate projects with potentially conflicting or overlapping design work;
• the use of other organisations to produce non-signalling designs (eg.
permanent way layouts) where there is a dependency between such designs
and the signalling designs.

4.3.2
The Infrastructure Controller shall ensure that interactions between the design
production organisation(s) and the signalling installation and testing organisations
are controlled so that:

• all of the design (including any modifications) is correctly installed and fully
tested before being commissioned; and
• the infrastructure records, when updated, accurately reflect the commissioned
system.

4.3.3
The Infrastructure Controller shall ensure that requirements for interactions with
other organisations are identified, and those interactions controlled, insofar as it is
relevant to the production of safe designs. Other organisations include, but are
not limited to:

• procurement and manufacturing groups;
• train operators;
• other infrastructure controllers;
• Her Majesty’s Railway Inspectorate;
• highway authorities.

5 Design Development
5.1 Options Identification, Feasibility Analysis and Concept Design
The commencement of the design process depends upon the provision of a set
of requirements (or specification) that defines what the infrastructure is required
to do, both operationally and from a safety perspective. The identification, or
capture, of such requirements, is not the subject of this document. Railway Group
Standard GK/RT0206 sets out the mandatory requirements relating to the
specification of reliability, availability, maintainability and safety (RAMS) for
signalling systems.

5.1.1
Options shall be identified and evaluated for the design of new/altered systems at
the commencement of a project, in order to establish signalling arrangements
which are both practicable and achieve a level of safety, reliability and availability
that meets specified requirements (see GK/RT0206).

Where practicable signalling arrangements that achieve adequate levels of safety
cannot be provided, then the following elements shall be re-evaluated, and
modified if necessary, so that an acceptably safe solution is found:

• the remit for, and scope of, the signalling work;
• the proposed/actual track layout (eg. junction configurations);
• other infrastructure (eg. platforms, structures);
• the proposed operational use (eg. timetabling, permissive working).

Layout risk assessment forms a key part of the optioneering phase of a project.
Requirements for this activity are set out in Railway Group Standard GK/RT0078
(see references).

5.1.2
The selected option for the signalling arrangements shall be documented in the
form of a concept design. The concept design documentation shall, as a
minimum, contain sufficient information for the purposes of:

• Approval in Principle (see section 7.1); and
• statutory approval by HMRI; and
• signal sighting (see GK/RT0037); and
• producing the engineering details (see section 5.5).

5.1.3
The documentation listed below shall be considered for inclusion as part of the
concept design:

a) Information regarding the overall design objectives and proposals.

b) Scheme Plans and, where appropriate, other related layout plans such as
signalling facilities diagrams for each stage of the project (not mandatory
where there is no alteration to the existing signalling plan).

c) Information regarding new signalling systems and equipment to be provided,
including the product acceptance status of such equipment.

d) Information regarding existing signalling systems and equipment affected by
the project, including any to be decommissioned.

e) Identification of, and information regarding, the design of interfaces with:
• existing signalling systems; and
• other infrastructure; and
• trains; and
• signallers and maintainers.

f) A list of the Railway Group Standards (including issue numbers) with which
the Scheme Plan conforms, together with details of non-compliances.

g) A list of other Railway Group Standards (including issue numbers) with
which the engineering details are proposed to conform, together with outline
details of non-compliances (where known at this phase of the design
process).

h) Proposed staging of the work, where not all the work is being commissioned
together.

i) Proposed strategy for testing and commissioning the signalling, insofar as it
is relevant to the design and the staging of the work.

j) An initial demonstration that the safety requirements for the system can be
met by the proposed design.

k) Any safety analysis that is necessary at the concept design phase (eg. for
overrun control and mitigation) – see section 10.

l) An explanation of the rationale for the design decisions and choices.

m) Any assumptions, calculations etc, that have been made.

5.1.4
The processes used in the production of the concept design documents shall be
adequate to ensure that the proposed signalling arrangements are:

• compliant with the requirements of relevant Railway Group Standards and any
other relevant safety requirements and targets (see GK/RT0206); and
• practicable and fit for purpose, in both engineering and operational terms.

5.1.5
The Infrastructure Controller shall consult with train operators during the
feasibility and design conception phase, to ensure that their views are
considered, particularly in respect of:

• the provision, position and aspects/indications of signals; and
• signalling arrangements for the despatch of trains from platforms; and
• transitions between different types of signalling; and
• train protection systems.

5.2 Site Assessments, Surveys and Signal Sighting
5.2.1
Where the installation work will involve making alterations or additions to, or could
affect the safe operation of, the existing signalling systems and equipment, then a
site assessment shall be undertaken. The purpose of such assessments is to
identify hazards associated with the existing equipment which may present a risk
during the installation phase of the project or during the operational life of the
system.

5.2.2
The findings of the site assessments shall be recorded. Where necessary, the
concept design documentation, method statements and technical specifications
shall be amended to take account of the findings of the site assessments.

5.2.3
Insofar as is reasonably practicable, the hazards identified by the site
assessment shall be eliminated or mitigated by an appropriate choice of design.

5.2.4
Where a hazard is identified that presents a serious and imminent risk to the
safety of the operational railway, the Infrastructure Controller shall ensure that
appropriate action is taken to address the problem (without waiting for the project
to address the problem through the design work).

5.2.5
Other site surveys shall be undertaken where necessary to determine positions of
existing/new equipment, locations of buried services, critical dimensions and
clearances, etc, in order to facilitate the production of the engineering details.

The requirements for signal sighting are set out in GK/RT0037.

5.3 Correlation
5.3.1
Where the installation work will involve making alterations or additions to existing
signalling systems, the details shown on the existing infrastructure records of
those parts of the system affected by the work shall, except in the circumstances
described below, be checked (correlated) for accuracy and completeness (or
produced, where they do not already exist) against the actual wiring and
equipment on site.

Correlation need not be carried out if:

a) the existing infrastructure records are known to be accurate and complete; or
b) the condition of the equipment or wiring is such that the correlation work
would itself present a serious risk to the safety of the operational railway; or
c) the risks arising if correlation is not carried out are low, and the costs of
correlation are assessed as being grossly disproportionate to any further
benefit in risk reduction; or
d) the equipment and wiring is to be entirely abolished (recovered), without any
stagework alterations affecting it prior to abolition.

5.3.2
Where discrepancies are found as a result of the correlation work, they shall be
checked, investigated and documented to the extent necessary for design
purposes.

5.3.3
Updated versions of the infrastructure records shall be generated, for use as the
basis for the production of the engineering details.

The amended versions of the infrastructure records shall be checked to verify
that they have been made in accordance with the findings of the correlation
process.

5.3.4
Where discrepancies are found which could jeopardise the safe maintenance of
the infrastructure, copies of the updated records and/or the findings of the
correlation shall be made available to the maintainer.

5.3.5
Where discrepancies are found which indicate the potential for a failure that could
jeopardise the safety of the operational railway, the Infrastructure Controller shall
ensure that appropriate action is taken to rectify the problem (without waiting for
the project to address the problem through the design work).

5.3.6
Where it is proposed not to carry out correlation for any of the reasons stated
in 5.3.1, the proposal shall be subject to the approval of the Infrastructure
Controller. In the case of 5.3.1(b), and so far as is reasonably practicable in the
case of 5.3.1(c), alternative measures shall be applied to control the risk of a
discrepancy giving rise to an unsafe situation during, or after, installation. The
alternative measures shall be documented in the safety plan or method
statements for the design, installation or testing phases of the work, as
appropriate.

In practice, in the circumstances described in clause 5.3.1(b), it is likely that the
proposed design will have to be changed so that it does not involve alterations to
wiring and equipment that is in poor condition (see also clauses 5.2.1 and 5.2.3).

5.4 Technical Specifications
5.4.1
Where necessary, specifications shall be produced which provide additional
technical information required to translate the concept design into engineering
details.

5.5 Production of Engineering Details
5.5.1
Except where permitted by section 12 of this document, production of engineering
details shall not commence until:

a) Approval in Principle of the concept design has been given (see section
7.1); and

b) infrastructure records (as mandated by GI/RT7001) affected by the design
have been updated to show any previous work on the same infrastructure,
including earlier stages of the same project (see section 9.3); and

c) site assessments have been completed, where such assessments are
required (see section 5.2); and

d) correlation work has been completed (see section 5.3); and

e) signal sighting activities have been completed (see GK/RT0037).

In respect of activities (b) to (e), these need be completed only to the extent that
they are relevant to the portion of the project for which engineering details are
being produced.

5.5.2
The processes used in the production of the engineering details shall be
adequate to ensure that the proposed signalling arrangements:

a) meet the requirements of the concept design documents, including the
referenced Standards; and

b) take account of findings from site assessments and surveys; and

c) incorporate the recommendations and requirements of signal sightings; and

d) conform to any safety requirements derived through safety analysis (see
section 10); and

e) make use of products for which product acceptance has been (or is in the
process of being) secured, and in conformance with the relevant associated
application requirements (see GI/RT7002); and

f) are physically and electrically compatible with other infrastructure (track,
structures, electrification, telecomms etc.), with trains and with the
environment; and

g) are capable of being constructed/installed and maintained without exposing
the operational railway to unacceptable levels of risk; and

h) are compatible with the proposed testing strategy and phasing of the work;
and

i) are capable of delivering the safety requirements and targets throughout the
operational life of the system.

5.5.3
Engineering details shall be unambiguous in intent and of adequate clarity and
presentational quality for the purposes of:

• construction and installation;


• testing and commissioning;
• producing final infrastructure records.
5.5.4
The documentation and software/data listed below shall be considered for
inclusion as part of the engineering details:

a) control tables (or an equivalent) which define the required interlocking and
interdependencies between parts of the signalling system (points, tracks,
signals etc);

b) details of new systems, equipment and wiring to be provided (including,
where important for safety, the type/model/version number; modification
state; configuration/coding information);

c) details of existing systems, equipment and wiring to be modified, removed
or taken out of use but not removed;

d) details of interfaces between existing and new systems/equipment, and of
interfaces with signallers and maintainers;

e) application-specific software and data that forms part of the signalling
system;

f) details of test rigs and other temporary arrangements;

g) details of buildings, apparatus cases, fixtures, fittings, etc. relevant to the
housing and environmental/physical protection of equipment;

h) details of earthing arrangements;

i) physical dimensions, equipment positions, alignments etc. where important
for safety;

j) electrical ratings and values (eg. maximum voltages, currents etc.) where
important for safety;

k) any other installation details relevant to safety (eg. installation specifications
and Codes of Practice to be applied; types of materials to be used; setting
up procedures; manufacturers’ instructions; equipment specifications;
standard drawings). It is permissible for such documents to be referenced
by the engineering details, rather than included as part of the design itself.

The design documentation and software/data shall also depict/include any other
work (eg. other stages of the same project) that are not yet installed /
commissioned, but which will be by the time that the engineering details currently
under consideration are to be installed.

5.5.5
Details shall be recorded of:

• the rationale for the design (except where it is self-evident); and
• any assumptions made; and
• any calculations made

in order that testers, maintainers and designers (who may subsequently need to
alter the system during its service life) can understand the thinking and logic
behind the engineering details.

5.5.6
It is permissible for engineering details to omit information about some features of
the installation (eg. the exact position of an item of equipment within an apparatus
case, or the precise voltage setting for a power supply). However, such
instances shall be limited to those cases where all of the following criteria are
met:

• it is not practicable to provide comprehensive information;
• it is reasonable to expect competent installation personnel to be able to make
decisions on site regarding the details which have been omitted;
• no major risk would arise if the installation personnel made a decision which
was incorrect or, if they did, such an error would be revealed (eg. during
subsequent testing) before an unsafe situation could arise.

Wherever applicable, the engineering details shall state any limits relevant to the
omitted information (eg. a voltage shall be selected to be within specified
maximum and minimum values).

Where important for safety, the Infrastructure Controller shall ensure that precise
positions, voltages and other parameters determined on site are subsequently
recorded on the infrastructure records (see GI/RT7001).

5.6 Provision of Ancillary Information
5.6.1
In association with the production of the engineering details, documentation and
information shall be provided, as required, for the following purposes:

• to inform operating staff, drivers (and others, where necessary) about the
introduction of the new/altered signalling (see GO/RT3209); and
• so that operating staff (and others, where necessary) have supporting
instructions and information for the operational use of the new/altered
signalling (eg. signal box instructions – see GO/OT0018; route lists – see
GK/RT0026; Sectional Appendices – see GO/RT3206).

5.6.2
Information and instructions shall be provided to the maintainers of the signalling
system prior to the commissioning, to facilitate maintenance. This is additional to
the requirements of clause 9.3.2.

5.7 Design Presentational Standards
5.7.1
The Infrastructure Controller shall define and document standard presentational
formats, symbols and nomenclature for engineering details which, subject to the
provisions of clause 5.7.2, shall be applied to all signalling designs, in order to
minimise the risk of misinterpretation by installers, testers, maintainers and,
where relevant, operators. Presentational standards shall be provided for, as a
minimum:

a) control tables; and
b) symbols and associated nomenclature (for use on signalling plans, wiring
diagrams etc); and
c) differentiating between equipment/wiring to be:
• installed and commissioned;
• installed but not yet to be commissioned;
• installed and now to be commissioned;
• removed;
• taken out of use but not removed.

5.7.2
It is permissible for the Infrastructure Controller to authorise the use of non-
standard presentations in the following circumstances:

• where safety could be jeopardised during construction, testing or
maintenance because of confusion between standard and non-standard
presentations on records of existing infrastructure where non-standard
presentations have previously been used; or
• where novel or uncommon equipment is to be used, for which presentational
standards have yet to be defined.

5.7.3
The meaning of symbols, nomenclature and abbreviations used shall be specified
in a legend associated with any document where:

• non-standard symbols, nomenclature or abbreviations are used; or
• users of the documents may not be familiar with the symbols shown (eg. on
operating notices for drivers).

5.8 Changes to Standards during Project Life
5.8.1
Procedures shall be in place for the review of Railway Group Standards which are
issued after design work commences, but whose compliance dates are earlier
than the commissioning date(s), to assess their relevance to the signalling design
phase of each project. All such reviews shall be documented.

Section 8 of this document specifies the requirements for managing modifications
to the design resulting from changes to Railway Group Standards.

Where such a review demonstrates that a change in the design to achieve
compliance is either impracticable or would introduce increased risk, the situation
shall be regularised (GA/RT6001, 6004 and 6006 refer).

6 Design Verification
6.1 Principle
6.1.1
The concept design and engineering details shall be subject to independent
verification to ensure, so far as possible, that any design deficiencies are
eliminated.

6.2 Verification Process


6.2.1
The verification shall take the form of a systematic check of the design
documentation and software/data listed in clauses 5.1.3, 5.4.1, 5.5.4, 5.5.5 and
5.6.1. The degree of independence of the persons undertaking the verification
from those who prepared the designs shall be commensurate with the safety-
criticality of the systems being designed. No reliance shall be placed on
subsequent testing activities to reveal any design deficiencies.

6.2.2
Persons who perform the verification shall:

• assess the extent to which the design meets the relevant requirements of
sections 5.1 (for concept design), 5.5 and 5.6 (for engineering details), and
5.7 (applicable to both concept design and engineering details); and
• identify, so far as is practicable, all errors, omissions and unwanted
functionality in the design; and
• check that the design has been produced in accordance with the documented
arrangements for the work (see clause 4.1.2).

6.2.3
Design deficiencies shall be notified to the producer of the design in order for
corrections to be made. The persons undertaking the verification shall ensure
that the producers of the design understand the nature of any deficiencies, but
shall not make any corrections themselves. Corrections shall be subject to re-
verification, to ensure that:

• each deficiency has been fully addressed and all affected designs and
software/data corrected; and
• no unsafe side effects have been introduced as a result of the correction.

7 Design Approval
7.1 Approval in Principle
7.1.1
The concept design documentation (as listed in clause 5.1.3) shall be subject to
Approval in Principle (see GC/RT5101). In order to give approval, the
Infrastructure Controller shall undertake a review of the concept design so as to
be satisfied that:

• the proposals are acceptably safe, practicable and fit for purpose; and
• the design has been produced in accordance with the management
requirements mandated by section 4 of this document.

The rigour with which the review is conducted (eg. whether calculations are re-
checked, and whether all elements of a scheme plan are individually scrutinised)
shall take into account factors such as:

• the complexity and degree of novelty of the design;
• the extent to which other engineering disciplines are involved;
• the competency of the design personnel undertaking the design and
verification activities.

7.1.2
Approval in Principle shall not be given until:

• the concept design documentation has been verified in accordance with
section 6; and
• where applicable to the concept design, non-compliances or derogations
against Railway Group Standards have been authorised; and
• the review described in clause 7.1.1 has been successfully completed.

7.1.3
Approval in Principle shall be given by persons in the Infrastructure Controller’s
organisation who are competent to do so. The giving of Approval in Principle
shall not be delegated to any other organisation, although it is permissible for the
review activities to be delegated, provided that the integrity of the approval
process is not thereby compromised.

7.2 Technical Approval of Engineering Details for Construction Purposes


7.2.1
The engineering details (as listed in clause 5.5.4) shall be subject to Technical
Approval. Technical Approval shall take the form of an assessment of the
engineering details, taking into account the objectives and factors for
consideration set out in GC/RT5101, and additionally ascertaining that the design
has been produced in accordance with the management requirements set out in
section 4 of this document.

The rigour with which the assessment is conducted (eg. whether all engineering
detail documents are assessed, or just a sample of them) shall take into account
factors such as:

• the complexity and degree of novelty of the design;
• the extent to which other engineering disciplines are involved;
• the competency of the design personnel undertaking the design and
verification activities.

7.2.2
Technical Approval shall not be given until:

a) the engineering details have been verified in accordance with section 6; and

b) relevant associated engineering details produced by other design production
organisations (including those for other engineering disciplines) have been
produced and verified by the appropriate engineers in those disciplines, and
confirmed as being compatible with the signalling designs; and

c) where applicable to the engineering details, non-compliances or derogations
against Railway Group Standards have been authorised; and

d) any safety analysis necessary for the design and for products which form part
of the design (see section 10) has been developed sufficiently that installation
work can proceed without risk to the operational railway; and

e) the assessment described in clause 7.2.1 has been successfully completed.

7.2.3
The Infrastructure Controller shall ensure that Technical Approval is given by a
competent engineer in the Infrastructure Controller’s organisation, or by another
competent engineer to whom authority has been delegated by the Infrastructure
Controller (provided that the integrity of the approval process is not thereby
compromised).

8 Modifications to Designs
8.1 General Requirements
8.1.1
Where a change to the concept design or engineering details becomes necessary
after the design has been verified as correct but before the signalling is
commissioned, consideration shall be given to:

• whether, in the case of a design error, it is an isolated example or indicative of
a systematic error; and
• the implications for other parts of the design; and
• the implications for the installation and testing work.

8.1.2
The amended design shall indicate clearly details of any changes required to
equipment and wiring that has already been installed in accordance with the
previously issued version(s) of the design. This applies whether or not the
installed wiring and equipment that requires modification has been
commissioned.

8.1.3
Where necessary, consequential alterations to designs produced by other design
production organisations (including those for other engineering disciplines) shall
also be made.

8.2 Re-verification and Re-approval


8.2.1
Where the design documents and software/data have already been verified, the
modifications and any other design documents and software/data affected by the
modifications shall be subject to re-verification in accordance with section 6.

8.2.2
Where the design documents and software/data have already been approved, the
modifications shall be subject to re-approval in accordance with section 7 if the
nature or scale of the change invalidates the basis of the original approval.
8.3 Records of Design Modification Proposals and Requests
8.3.1
Summary records of all design modifications shall be maintained throughout the
project, so as to enable identification of:

• the origins or originator of the modification proposal or request; and
• the date of the proposal or request; and
• whether or not the proposal/request is accepted or rejected; and
• the documents and software/data affected (including the version); and
• the status of the design modification work (produced, verified, issued etc); and
• the reason for each modification.
The records shall include all modifications arising from changed requirements
and from problems/errors encountered during installation and testing. Design
deficiencies identified during verification do not need to be included in these
summary records.

9 Control of Design Documents and Software/Data
9.1 Identification of Design Documents and Data
9.1.1
A system of version control shall be applied to all design documents and
software/data so as to enable unambiguous identification of:

• all the items (documents, software, data etc) affected by the work, both for
reference purposes during the project, and for the purposes of records
management during the operational life of the signalling system (see
GI/RT7001); and
• the project (and stage of a project, where relevant) to which each item relates;
and
• the status of each item (produced, verified, issued, superseded, etc); and
• the producer and verifier of each item (including the organisation for which
they work); and
• the date of production and verification of each item.
9.1.2
Where design documents and software/data are modified during the design work
(see section 8), it shall be possible to identify by reference to each document or
item of software/data:

• which modifications (as detailed in the summary records of modifications –
see clause 8.3.1) have been applied to the document or software/data; and
• the status of the design modification (produced, verified, issued, etc); and
• the producer and verifier of each modification (including the organisation for
which they work); and
• the date of production and verification of each modification.

9.2 Control of Issue of Design Documents and Software/Data


9.2.1
Except where permitted by clause 12.2, engineering details (as listed in clause
5.5.4) shall not be released for construction and installation purposes until
Technical Approval has been given.

9.2.2
Design documents and software/data (and any modifications to them) shall be
issued for installation and testing purposes in a controlled manner, so as to:

• ensure that recipients are in possession of the most up to date set of designs;
and
• ensure that it is clear to whom the documents are issued and the purposes for
which they have been issued; and
• facilitate traceability of issued documents, software and data.

9.2.3
Arrangements shall be in place to enable installation and testing personnel to
verify that the engineering details in accordance with which they have completed
their work are the most up-to-date versions of the designs produced by the
design production organisation (eg. by the use of closure lists).

9.2.4
Copies of design documents and software/data issued by the design production
organisation shall be faithful reproductions of the master versions.

The arrangements for the transport/transmittal of design documents and
software/data between the design production organisation and any other
organisation shall be sufficiently secure so as not to result in loss or corruption of
the design information/data.
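One way to mechanise the closure-list check of clause 9.2.3 against the identification fields of clause 9.1.1, given here as an added example that is not part of the standard. The register layout, the function names, the rule that a verifier must be named and differ from the producer, and the use of SHA-256 digests to test for a faithful reproduction (clause 9.2.4) are assumptions; the document numbers, names and contents are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    """One master-register row with the clause 9.1.1 identification fields."""
    doc_id: str
    version: str
    status: str      # produced / verified / issued / superseded
    producer: str
    verifier: str    # empty until verification is complete
    sha256: str      # digest of the master version (assumed mechanism)


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def closure_check(register, held):
    """Compare a recipient's held set with the master register.

    register: list of RegisterEntry covering every version of every item
    held:     dict of doc_id -> (version, content bytes) as held on site
    Returns doc_id -> list of findings; an empty dict means the set closes.
    """
    current = {e.doc_id: e for e in register if e.status == "issued"}
    by_key = {(e.doc_id, e.version): e for e in register}
    findings = {}

    def note(doc_id, text):
        findings.setdefault(doc_id, []).append(text)

    for doc_id, entry in current.items():
        # Assumed minimum independence: a named verifier who is not the producer.
        if not entry.verifier or entry.verifier == entry.producer:
            note(doc_id, "issued without independent verification")
        if doc_id not in held:
            note(doc_id, "missing from held set")

    for doc_id, (version, content) in held.items():
        master = by_key.get((doc_id, version))
        if master is None:
            note(doc_id, f"version {version} not in register")
            continue
        if master.status != "issued":
            cur = current.get(doc_id)
            note(doc_id, f"holds {master.status} version {version}; "
                         f"current issue is {cur.version if cur else 'none'}")
        if digest(content) != master.sha256:
            note(doc_id, "copy differs from master version")
    return findings


# Constructed sample data: document numbers, names and contents are invented.
MASTER_A = b"location wiring diagram, version A"
MASTER_B = b"location wiring diagram, version B"
PLAN_A = b"scheme plan, version A"
REGISTER = [
    RegisterEntry("WD-001", "A", "superseded", "designer1", "checker1", digest(MASTER_A)),
    RegisterEntry("WD-001", "B", "issued", "designer1", "checker1", digest(MASTER_B)),
    RegisterEntry("SP-001", "A", "issued", "designer2", "checker2", digest(PLAN_A)),
    RegisterEntry("CT-001", "A", "issued", "designer3", "", digest(b"control table A")),
]
HELD = {
    "WD-001": ("A", MASTER_A),         # superseded version still on site
    "SP-001": ("A", PLAN_A + b" "),    # altered during transmittal
}

if __name__ == "__main__":
    for doc_id, problems in sorted(closure_check(REGISTER, HELD).items()):
        print(doc_id, problems)
```

A digest match shows only that the held copy is identical to the registered master; it says nothing about whether the master itself is correct, which remains the job of verification under section 6.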

9.3 Control, Updating and Issue of Records


9.3.1
A set of records (including drawings, CAD files, software and data) that
accurately depict the existence and configuration of the current operational
signalling systems shall be maintained securely throughout the design,
installation and testing phases of a project. It is permissible for these records
(the “security set”) to be either the master versions of the infrastructure records
(see GI/RT7001) or copies of them.

Where commissioning takes place in stages, an updated security set of records
shall be generated promptly after the completion of each stage, and shall replace
the previous set.

9.3.2
Records of the new/altered signalling system (“as commissioned”) shall be made
available to maintainers as soon as the signalling is commissioned. Where the
commissioning takes place in stages, records shall be made available
immediately after each stage.

Where the records issued to maintainers are of a temporary nature, final records
shall be issued as soon as practicable.

9.3.3
When each commissioning of the new/altered signalling has been completed, a
new/updated set of infrastructure records shall be generated as quickly as
practicable (except where permitted by section 12.3), in order to meet the
requirements of GI/RT7001. Superseded records shall be disposed of in
accordance with the requirements of the same Railway Group Standard.

9.3.4
The records of the signalling system that are to be retained in accordance with
GI/RT7001 shall include not only the infrastructure records, but also any
supporting documentation generated during the design process which may be
relevant for the subsequent safe use, maintenance, modification and eventual
decommissioning of the systems and equipment. In determining the records to
be retained, consideration shall be given to all the documentation and
software/data listed in clauses 5.1.3, 5.4.1, 5.5.4, 5.5.5 and 10.1.4 of this
document.

10 Assessment and Demonstration of Safety
10.1 General Requirements for Safety Analysis
10.1.1
An analysis of safety (usually involving risk assessment) shall be carried out in
association with signalling design work in the following circumstances:

• where products and/or their application require assessment and acceptance
(see GI/RT7002);
• where other Railway Group Standards relevant to the design mandate a risk
assessment (eg. GK/RT0206, GK/RT0078, GK/RT0044);
• where non-compliances or derogations to Railway Group Standards are being
sought (see GA/RT6001, GA/RT6004, GA/RT6006).

10.1.2
The rigour of the analysis shall be commensurate with the risk. In determining
the required degree of rigour, the following shall be taken into account:

• the complexity of the design and its interactions with the rest of the railway,
and the consequential predictability of its safety performance in its proposed
application; and
• the extent to which the design is novel; and
• the safety contribution that the part of the design under consideration is
required to make in achieving the overall safety requirements and targets for
the signalling system.

10.1.3
Where major change or innovation is involved, and in other circumstances at the
Infrastructure Controller’s discretion, the safety analysis shall be performed in
accordance with the general requirements of European Standards EN50126,
EN50129 (where relevant) and UK rail industry best practice (eg. the Engineering
Safety Management “Yellow Book”).

10.1.4
All risk assessments and other forms of safety analysis shall be documented.

10.2 Review and Endorsement of Safety Analysis


10.2.1
The Infrastructure Controller shall review and endorse the safety analysis in the
following circumstances:

• where safety analysis is mandated by a Railway Group Standard (eg.
GK/RT0206, GK/RT0078, GK/RT0044, but excluding GI/RT7002 which
specifies its own requirements for the review of product risk assessments);
• where non-compliances or derogations to Railway Group Standards are being
sought (see GA/RT6001, GA/RT6004, GA/RT6006);
• where a formal Safety Case has been prepared.

11 Use of Design Support Tools
11.1 Software-based Design Tools
11.1.1
Software-based design support tools (eg. CAD systems, data preparation
workstations, EPROM blowers, spreadsheets for design calculations, risk
assessment models) used for the production and verification of design
documentation and software/data shall be of an integrity appropriate to their
application (see EN50128). In determining the integrity required, account shall be
taken of:

• the safety criticality of the elements of the signalling system for which the
design documentation or software/data is being produced; and
• the contribution made by other processes and procedures associated with the
design activity which may help to ensure that the final design is correct (but
no reliance shall be placed on the testing activity in this context).

11.1.2
Software-based design support tools and the procedures associated with their
use shall be assessed in order to demonstrate that they meet the required
integrity requirements. In determining the required degree of rigour of the
assessment, the following shall be taken into account:
• the safety criticality of the elements of the signalling system for which the
design support tool is being used to generate designs; and
• the complexity of the design support tool and the consequential predictability
of its performance; and
• the extent to which the design support tool and its proposed application is
novel.

11.1.3
Software-based design tools shall be used only for the applications for which they
have been assessed as suitable.

11.1.4
Version control shall be applied to all software, data, templates etc, that form part
of a software-based design support tool, so as to:

• ensure that only permitted versions and combinations of hardware, software,
data, templates etc, are used in the production of designs; and
• facilitate compatibility between existing records which are stored electronically
(eg as CAD files or software/data) and the design support tools used to make
alterations to those records.

11.2 Other Design Support Tools


11.2.1
Other design support tools shall be selected, used and maintained as appropriate
to the safety criticality of their application. Such tools include, but are not limited
to:

• measuring devices;
• printers, plotters and copiers;
• calculators.

12 Special Cases of Design Production
12.1 Projects Commissioned in Stages
12.1.1
Where a project is to be commissioned in separate stages, each stage shall be
treated as a separate alteration of the infrastructure, for the purposes of
producing the designs. A separate set of engineering details shall be produced
for each stage, irrespective of the time-scale between stages.

12.2 Permitted Variations to the Order of Design Activities


12.2.1
It is permissible for the Infrastructure Controller to authorise variations to the
mandated order in which design activities are undertaken. Examples of such
variations may include (but are not limited to):

• production of engineering details before Approval in Principle has been given
for the concept design;
• correlation while design production is in progress;
• issuing of engineering details for off-site construction purposes before
Technical Approval has been given.

12.2.2
Such authorisation shall be given only if the risks of producing an unsafe set of
engineering details have been assessed, and appropriate measures put in place
to control those risks.

No reliance shall be placed on testing activities to reveal any design deficiencies
arising from a variation to the mandated order of design activities.

Examples of measures to control the risks may include (but are not limited to):

• a tracking system to ensure that any changes required to the design and/or
records arising as a consequence of the variation are incorporated into the
engineering details;
• designated “hold points” in the design process beyond which work must not
progress until any deficiencies arising from the variation have been identified
and eliminated;
• an appropriate organisational structure to ensure unified design management,
where the reason for the variation is to allow design for one project (or stage
of a project) to proceed before another overlapping project (or stage) has
been commissioned.

12.2.3
Before design documentation and software/data is issued for installation and
testing purposes, all activities up to and including verification that could have a
bearing on the accuracy of the designs shall be satisfactorily completed, and any
deficiencies and inconsistencies arising from the variations to the mandated order
shall be identified and eliminated.

12.3 Temporary Work


12.3.1
Where the design is for work of a temporary nature, it is permissible for the
Infrastructure Controller to authorise that the infrastructure records are not
updated (see clause 9.3.3). Examples of temporary work include (but are not
limited to):

• work for temporary speed restrictions;
• release of controls (to facilitate train movements during a signalling failure -
see Section E of the Rule Book, GO/RT3000);
• emergency work (eg. plain lining of points after a derailment);
• short duration stages of work (typically lasting less than three months) that
are progressing towards the overall finished project.

12.3.2
Such authorisation shall be given only if:

• copies of the design for the temporary work are kept securely until the wiring
and equipment is restored to its original configuration; and
• the maintainer is provided with appropriate information about the temporary
work; and
• controls are in place to ensure that designers undertaking any other work that
could be affected by (or affect) the temporary work are aware of the existence
of the temporary work and take it into account when producing their
engineering details.

12.4 Recovery of Redundant Wiring and Equipment


12.4.1
Engineering details shall usually indicate that all redundant wiring and equipment
is to be removed, and the infrastructure records shall similarly reflect the removal
of that wiring and equipment. However, where it is known at the design phase of
a project that some wiring and equipment cannot be removed (eg. because it is
unsafe to do so, or because it is not possible to do so until a later stage in the
project), it shall be shown on the engineering details as required to be taken out
of use but not physically removed.

The infrastructure records shall similarly show the existence of redundant wiring
and equipment that has not been removed.

References
Railway Group Standards
GA/RT6001 Railway Group Standards Change Procedures
GA/RT6004 Temporary Non-Compliance with Railway Group Standards
GA/RT6006 Derogations from Railway Group Standards
GC/RT5101 Technical Approval Requirements for Changes to the Infrastructure
GI/RT7001 Management of Safety Related Records of Elements of the Infrastructure
GI/RT7002 Acceptance of Systems, Equipment and Materials for Use on Railtrack Controlled Infrastructure
GK/RT0026 Signallers' Route Lists
GK/RT0037 Signal Sighting
GK/RT0044 Controls for Signalling a Train onto an Occupied Line
GK/RT0078 Overrun Protection and Mitigation (to be superseded by GI/RT7006 and GK/RT0064)
GK/RT0206 Signalling and Operational Telecommunications Design: Safety Requirements
GO/OT0018 Provision of Operations Instructions for Signal Boxes and Other Locations
GO/RT3000 The Rule Book
GO/RT3206 Format and Content of the Sectional Appendix
GO/RT3209 Format and Content of the Weekly Operating Notice

The Catalogue of Railway Group Standards and the Railway Group Standards
CD-ROM give the current issue number and status of documents published by
the Safety & Standards Directorate.

Other References
Construction (Design and Management) Regulations 1994
Engineering Safety Management (“Yellow Book”) ISBN 0 9537595 1 2
European Standard EN50126: Railway Applications: The specification and demonstration of dependability - RAMS
European Standard EN50128: Railway Applications: Software for Railway Control and Protection Systems
European Standard EN50129: Railway Applications: Safety-related Electronic Systems for Signalling
Railways and Other Transport Systems (Approval of Works, Plant and Equipment) Regulations 1994
