T HR RS 00840 ST RSU Appendix D - Train (Driver) Safety ...

Su

pers

eded

by

TS 0

4069

:1.0

, 01/

09/2

021

RSU Appendix D - Train (Driver) Safety Systems

T HR RS 00840 ST

Standard

Version 2.0

Issued date: 04 November 2016

Important Warning This document is one of a set of standards developed solely and specifically for use on Transport Assets (as defined in the Asset Standards Authority Charter). It is not suitable for any other purpose. You must not use or adapt it or rely upon it in any way unless you are authorised in writing to do so by a relevant NSW Government agency. If this document forms part of a contract with, or is a condition of approval by a NSW Government agency, use of the document is subject to the terms of the contract or approval. This document is uncontrolled when printed or downloaded. Users should exercise their own skill and care in the use of the document. This document may not be current. Current standards may be accessed from the Asset Standards Authority website at www.asa.transport.nsw.gov.au. © State of NSW through Transport for NSW

T HR RS 00840 ST RSU Appendix D - Train (Driver) Safety Systems

Version 2.0 Issued date: 04 November 2016

01/0

9/20

2104

069:

1.0,

TS

by

Su

pers

eded

Standard governance

Owner: Lead Rolling Stock Engineer, Asset Standards Authority

Authoriser: Chief Engineer, Asset Standards Authority

Approver: Executive Director, Asset Standards Authority on behalf of the ASA Configuration Control Board

Document history

Version Summary of changes

1.0 First issue 19 December 2014

2.0 Second issue

For queries regarding this document, please email the ASA at [email protected] or visit www.asa.transport.nsw.gov.au

© State of NSW through Transport for NSW



Preface The Asset Standards Authority (ASA) is a key strategic branch of Transport for NSW (TfNSW).

As the network design and standards authority for NSW Transport Assets, as specified in the

ASA Charter, the ASA identifies, selects, develops, publishes, maintains and controls a suite of

requirements documents on behalf of TfNSW, the asset owner.

The ASA deploys TfNSW requirements for asset and safety assurance by creating and

managing TfNSW's governance models, documents and processes. To achieve this, the ASA

focuses on four primary tasks:

• publishing and managing TfNSW's process and requirements documents including TfNSW

plans, standards, manuals and guides

• deploying TfNSW's Authorised Engineering Organisation (AEO) framework

• continuously improving TfNSW’s Asset Management Framework

• collaborating with the Transport cluster and industry through open engagement

The AEO framework authorises engineering organisations to supply and provide asset related

products and services to TfNSW. It works to assure the safety, quality and fitness for purpose of

those products and services over the asset's whole of life. AEOs are expected to demonstrate

how they have applied the requirements of ASA documents, including TfNSW plans, standards

and guides, when delivering assets and related services for TfNSW.

Compliance with ASA requirements by itself is not sufficient to ensure satisfactory outcomes for

NSW Transport Assets. The ASA expects that professional judgement be used by competent

personnel when using ASA requirements to produce those outcomes.

This standard covers rolling stock onboard safety systems that protect train safety in the event

of a failure in the manual functions of train operation. Such systems have previously been

termed 'driver safety systems'. This standard also covers onboard safety systems that protect

the platform-train interface, which was not included in previous versions of driver safety systems

standards.

This document should be read in conjunction with T HR RS 13001 ST Train Safety Systems.

In this document the terms driver safety systems and train safety systems are interchangeable.

This document supersedes T HR RS 00840 ST v1.0 RSU Appendix D – Driver Safety Systems.

© State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



Table of contents 1. Introduction .............................................................................................................................................. 5

2. Purpose .................................................................................................................................................... 5 2.1. Scope ..................................................................................................................................................... 5 2.2. Application ............................................................................................................................................. 6

3. Reference documents ............................................................................................................................. 7

4. Terms and definitions ............................................................................................................................. 8

5. Functional requirements ....................................................................................................................... 10 5.1. React to or respond appropriately to a movement authority to ensure safe movement of trains ........ 11 5.2. Control train speed .............................................................................................................................. 11 5.3. Operate a train only when train crew is present in cab ....................................................................... 11 5.4. Supervise rail corridor .......................................................................................................................... 12 5.5. Supervise passenger transfer .............................................................................................................. 12 5.6. Design .................................................................................................................................................. 13

6. Minimum requirements for rolling stock ............................................................................................. 13 6.1. Multiple unit passenger trains (including locomotives designed to operate exclusively for passenger operations as power units)............................................................................................................................... 13 6.2. Locomotive hauled freight and passenger trains ................................................................................. 14 6.3. Infrastructure maintenance vehicles (with a driver’s compartment or position) .................................. 15

7. Exemption criteria for existing trains .................................................................................................. 19

8. Emergency cock .................................................................................................................................... 20

9. Train stop and trip gear system ........................................................................................................... 20 9.1. Major componentry .............................................................................................................................. 20 9.2. Operation ............................................................................................................................................. 21

10. Operator enable system ........................................................................................................................ 22 10.1. Driver incapacitation ........................................................................................................................ 23 10.2. Circumvention .................................................................................................................................. 23 10.3. Fail-safe ........................................................................................................................................... 23 10.4. Operation ......................................................................................................................................... 23

11. Vigilance control system ...................................................................................................................... 24 11.1. Operation ......................................................................................................................................... 24 11.2. Human factors ................................................................................................................................. 28

12. Passenger transfer supervision system ............................................................................................. 28


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



1. Introduction The Asset Standards Authority (ASA) has established interface requirements pertaining to

vehicles operating in the Transport for NSW (TfNSW) metropolitan rail area. The requirements

are specified in T HR RS 00000 ST RSU 000 Series - Minimum Operating Standards for Rolling

Stock - General Requirements.

T HR RS 00000 ST is the first in a series of standards that set the minimum operating standards

for rolling stock. This series should be read in conjunction with the entire standard, which is

made up of the following parts:

• T HR RS 00000 ST (RSU 000 series) General Requirements

• T HR RS 00100 ST (RSU 100 series) General Interface Requirements

• T HR RS 00200 ST (RSU 200 series) Common Interface Requirements

• T HR RS 00300 ST (RSU 300 series) Locomotive Specific Interface Requirements

• T HR RS 00400 ST (RSU 400 series) Freight Rolling Stock Specific Interface

Requirements

• T HR RS 00500 ST (RSU 500 series) Locomotive Hauled Passenger Rolling Stock Specific

Interface Requirements

• T HR RS 00600 ST (RSU 600 series) Multiple Unit Train Specific Interface Requirements

• T HR RS 00700 ST (RSU 700 series) Infrastructure Maintenance Rolling Stock Specific


• T HR RS 00811 ST to T HR RS 00890 ST (RSU App A1 to RSU App I) Appendices

RSU (rolling stock unit) is a historical term used to designate individual sections of the series. In

this context unit relates to parts of the standard not a rail vehicle.

2. Purpose The purpose of RSUs is to ensure that all rolling stock operating in the TfNSW metropolitan rail

area meet the minimum standards required to ensure compatibility with the network and its

infrastructure as required by TfNSW’s accreditation with the Office of the National Rail Safety

Regulator (ONRSR).

2.1. Scope This standard covers the requirements of safety related equipment fitted to all rail vehicles

operating in the TfNSW metropolitan rail area.


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



This standard covers safety systems that reduce the likelihood, or protect against the

consequence, of a failure in the manual functions of train operation.

Safety systems not related to manual functions of train operation are outside the scope of this

standard. Figure 1 illustrates the scope of this standard in the overall context of train safety. The

scope of this standard is the element in the box with the red broken border and red text.

Failure in train operation

Failure of a manual function

Failure of the protective system

Initiating event (human error)

Failure of an automated system

Hardware failure or software error

Failure of manual recovery

Failure to respond to Emergency situations

appropriately

Failure of the detection system

Failure of manual recovery

Figure 1 - Scope of T HR RS 00840 ST

2.2. Application This standard is to be referenced by users of the suite of minimum operating standards for

rolling stock documents.

This document applies to all vehicles operating in the TfNSW metropolitan rail area.

Exemptions may be granted for existing vehicles that are not fitted, or are only fitted with some

of, the safety systems specified in this standard. Refer to Section 7.

Alternative or modified solutions

Alternative or modified design solutions may be acceptable, conditional on provision of an

adequate safety assurance case. See Section 6.

An example of an alternative design solution is replacing the existing vigilance control system

with another physiological vigilance measurement device.

An example of a modified design solution is changes to the existing vigilance control system

such as timing cycles.


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



Figure 2 provides an overview of how this standard is applied. The specifications that are only

applicable to multiple unit passenger trains (including locomotives designed to operate

exclusively for passenger operations as power units) are represented in the boxes with a broken

border.

T HR RS 00840 ST RSU Appendix D

Functional requirements (Section 5)

Existing and deemed- to-satisfy solutions

Minimum requirements (Section 6)

T HR RS 20003 SP (OES + Vigilance)

T HR SC 01650 SP (ETCS Onboard Equipment)

System requirements (Sections 7 - 12)

Alternative or modified solutions

T HR RS 13001 ST Train Safety Systems

Figure 2 Application of T HR RS 00840 ST

3. Reference documents The following documents are cited in the text. For dated references, only the cited edition

applies. For undated references, the latest edition of the referenced document applies.

Australian standards

AS 7527 Rolling stock event recorders

Transport for NSW standards

SPG 0706 Installation of Trackside Equipment

T HR HF 00001 ST Human Factors Integration – Rolling Stock

T HR RS 00000 ST (RSU 000 series) General Requirements

T HR RS 00100 ST (RSU 100 series) General Interface Requirements


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



T HR RS 00200 ST (RSU 200 series) Common Interface Requirements

T HR RS 00300 ST (RSU 300 series) Locomotive Specific Interface Requirements

T HR RS 00400 ST (RSU 400 series) Freight Rolling Stock Specific Interface Requirements

T HR RS 00500 ST (RSU 500 series) Locomotive Hauled Passenger Rolling Stock Specific


T HR RS 00600 ST (RSU 600 series) Multiple Unit Train Specific Interface Requirements

T HR RS 00700 ST (RSU 700 series) Infrastructure Maintenance Rolling Stock Specific


T HR RS 00811 ST to T HR RS 00890 ST (RSU App A1 to RSU App I) Appendices

T HR RS 13001 ST Train Safety Systems

T HR RS 20003 SP Passenger Rolling Stock Driver Safety System

T HR SC 00006 ST Rolling Stock Signalling Interface Requirements

T HR SC 01650 SP ETCS Onboard Equipment

4. Terms and definitions The following terms and definitions apply in this document:

ASA Asset Standards Authority

ATP automatic train protection; a system which supervises train speed and target speed, alerts

the driver of the braking requirement, and enforces braking when necessary. The system may

be intermittent, semi continuous or continuous according to its track to train transmission

updating characteristics.

authorised person a second person authorised to travel in the cab of an infrastructure

maintenance vehicle accompanying the driver or operator and qualified to take control and bring

the vehicle to a stand in case of an emergency

CCTV closed-circuit television

circumvention a deliberate and improper act for the removal or bypass of safety systems, other

than by an authorised procedure

consist rolling stock (vehicles, units, cars, wagons, sets, locomotives) marshalled together

operating as a train

controller key a key that enables operation of the reverser handle and master controller. Also

known as butterfly key

driver or operator a person suitably qualified to operate the controls of a powered vehicle or

train on the TfNSW network


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



driver safety systems see TSS (train safety systems)

emergency cock a means of directly venting the brake pipe to atmosphere, usually located

within a crew work area or in an appropriate location on the vehicle for access by authorised

personnel

existing vehicles vehicles currently accepted for operation on the TfNSW network as at the

date of issue of this version of the standard

freight train a train predominantly consisting of freight vehicles

infrastructure maintenance vehicle a railbound self-propelled vehicle that is used to carry out

inspection or repairs, or both either to the track or 1500 volt overhead wiring equipment. Some

of these vehicles can only be removed from the line by the use of special take-offs or portable

turnouts.

isolation the deactivation of safety systems by an authorised procedure

locomotive a self-propelled railbound vehicle, powered by any form of energy, which does not

convey passengers or freight but that is used to control and move one or more other vehicles

which form a train

manual functions of train operation basic train control functions requiring human input (for

example, ensure safe movement of trains, drive train, supervise rail corridor and supervise

passenger transfer)

metropolitan rail area rail freight network and the rail passenger network within the

metropolitan rail area bounded by Newcastle (in the north), Richmond (in the northwest),

Bowenfels (in the west), Macarthur (in the southwest) and Bomaderry (in the south), and all

connection lines and sidings within these areas, but excluding private sidings

OES operator enable system; a device that applies emergency brakes and disables traction

power if a continuous control input required of the driver or operator is interrupted or not

detected. On conventional vehicles with an automatic brake, the emergency brake is achieved

by directly venting the brake pipe to atmosphere

ONRSR Office of the National Rail Safety Regulator

possession closure of one or more lines to allow work to be carried out in the danger zone

using a local possession authority (LPA) or a track occupancy authority (TOA)

power unit a self-propelled vehicle, which may or may not convey passengers or freight or

both, and operates in conjunction with similar vehicles in a multiple unit consist

railbound infrastructure maintenance vehicle an on-track infrastructure maintenance vehicle

that cannot be removed from track without the use of a heavy crane. These vehicles are

transferred around the network on rail.

reverser handle an operating control used to determine the direction of travel


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



road rail vehicle any type of track vehicle that can travel on either road or rail and can easily

transfer from one mode of operation to the other

RSU (rolling stock unit) historical term used to designate individual sections of the Minimum

Operating Standards for Rolling Stock

second person a suitably qualified person (with route knowledge and ability to recognise signal

aspects), who is required to accompany the driver in the driver’s cab of a locomotive or train or

a vehicle performing the function of a locomotive and is able to bring the train or vehicle to a

stand in the event of emergency

task linked vigilance control system a vigilance control system that accepts specified task

functions as input, to satisfy acknowledgment within the vigilance control system

TfNSW Transport for NSW

train a train is:

• any locomotive or locomotives or powered unit or powered units either attached or

unattached to vehicles

• any self-propelled passenger unit or units

train stop and trip gear system a system involving a trip valve on the train or vehicle and a trip

arm located track side which when engaged, directly vents the brake pipe on the train or vehicle

to atmosphere. The train stop is used at signals in conjunction with a red aspect and in areas

where train speed is required to be externally controlled.

TSS train safety systems; systems for reducing the likelihood, or protect against the

consequences, of a failure in the manual functions of train operation

unit a single item of rolling stock (passenger vehicles or locomotives)

vehicle general term used to describe rolling stock

vigilance control system a system that will react by bringing a vehicle or train to a stand if an

acknowledgment input is not received within a specified time increment. On conventional

vehicles with an automatic brake, this is achieved by directly venting the brake pipe to

atmosphere.

5. Functional requirements All functional requirements in Section 5 are numbered in the format of 'TSS', followed by a

series of numbers. Each individual number indicates a standalone requirement.

TSS5.0-1: Safety systems shall be fitted to rolling stock to reduce the likelihood, or protect

against the consequences, of a failure in the manual functions of train operation.


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



TSS5.0.1-1: Changes in the operational context of rolling stock shall initiate a review to

determine if any changes to existing safety systems are required to ensure TSS5.0-1 is fulfilled

under the new operations.

An example of a failure of a manual function being the failure of a driver to stop prior to a signal

at danger (SPAD).

Note: If a manual function is subsequently automated (such as by a change in

operational context) then a safety integrity level (SIL) shall be determined and

allocated to the equipment as part of the train safety SFAIRP demonstration.

TSS5.0-2: Safety systems shall render the train to a safe condition in the event of a failure of a

manual function during train operations.

Note: While most safety systems render the train to a safe condition in the event of a

failure of a manual function automatically (via an engineering solution), safety systems

requiring manual activation by a second train crew is permitted under certain

operational contexts (for example in freight locomotives, a second driver in place of

trip gear to apply emergency brakes manually for SPADs).

5.1. React to or respond appropriately to a movement authority to ensure safe movement of trains TSS5.1-1: Emergency brakes shall be applied to all vehicles in the train consist and remove

(cut) traction power if a safe separation (distance) between trains, governed by the signalling

aspects, cannot be maintained.

An example of a system in current operations on multiple unit passenger trains is the trip gear

for mitigation of the potential consequences of a SPAD (Section 9).

5.2. Control train speed TSS5.2-1: The train shall not exceed the maximum allowable line speed.

TSS5.2-2: An onboard automatic train protection (ATP) system shall be fitted in accordance

with T HR SC 01650 SP ETCS Onboard Equipment for multiple unit passenger trains (including

locomotives designed to operate exclusively for passenger operations as power units)

categorised under Section 6.1.

5.3. Operate a train only when train crew is present in cab TSS5.3-1: The train shall remain stationary unless the presence of a train crew member is

confirmed continuously in the driving position.

An example of a system in current operations on multiple unit passenger trains is the operator

enable system (OES) (Section 10).


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



5.4. Supervise rail corridor TSS5.4-1: There shall be methods and systems to prevent the train colliding with objects or

persons on track.

Currently a train driver is responsible for supervising the rail corridor by looking out for obstacles

on track and applying braking if required. An example of a system in current operations to

support driver alertness is the vigilance control system, which brings the vehicle or train to a

stand if the driver or operator fails to acknowledge the necessary control indications within a

specified time interval (Section 11).

TSS5.4-2: There shall be obvious means to apply emergency brakes to all vehicles within the

train consist and remove (cut) traction power by the driver or other train crew inside the cab.

An example in current operations is through the application of the emergency brake cock (refer

to Section 8) which results in emergency brake application and removal (cutting) of traction

power.

5.5. Supervise passenger transfer TSS5.5-1: There shall be methods and systems to ensure the safety of passengers boarding

and alighting from the train at platforms.

5.5.1. Control the opening and closing of doors at platforms TSS5.5.1-1: Only doors adjacent to a platform shall be opened for passengers at station stops.

TSS5.5.1-2: Passenger doors shall not be opened until the train has reached a complete stop.

5.5.2. Ensure passengers are not hit by or trapped in door during the door opening and closing sequence TSS5.5.2-1: Passengers shall be warned prior to door closure, release and opening at stations.

TSS5.5.2-2: The door closing sequence shall be interrupted if a passenger or object is

obstructing the closing of doors.

5.5.3. Ensure a safe starting condition TSS5.5.3-1: The train shall only be allowed to depart from the platform if all passenger doors

are fully closed and no objects or persons have the risk of being dragged along the platform.

A combination of various systems, referred to in this standard as a passenger transfer

supervision system is currently used to manage this platform train interface (Section 12).


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



5.6. Design TSS5.6-1: The design of train (driver) safety systems shall consider and incorporate features to

minimise the possibility or opportunity for unauthorised circumvention of any or all of the safety

system elements.

Note: The fitment of seals to isolation devices provides a deterrent for deliberate

circumvention.

TSS5.6-2: All systems shall comply with T HR HF 00001 ST Human Factors Integration –

Rolling Stock.

TSS5.6-3: All systems shall be designed to permit authorised isolation of each sub-system in

the event of failure of any critical train (driver) safety systems component, thus requiring an

authorised procedure to allow the train or vehicle to proceed out of service.

TSS5.6-4: Any failure of a critical component in the system shall result in the train or vehicle

being brought to a safe condition.

TSS5.6-5: Operation of a critical component or system outside its designed parameter shall

result in the train or vehicle being brought to a safe condition.

6. Minimum requirements for rolling stock Train (driver) safety systems shall be fitted to meet all relevant requirements specified in

Section 5.

Data logging requirements shall comply with AS 7527 Rolling stock event recorders.

Note: For rolling stock fitted with analogue or tape type data logger or recorders, such

as Hasler recorders, the system will need to meet the requirements specified in the

ONRSR rail safety compliance coded - Data Loggers.

Section 6.1 to Section 6.3.3 describes deemed-to-satisfy solutions for different types of rolling

stock. For operators that wish to adopt an alternative or modified solution, the development

framework and assurance requirements outlined in Section 6 and Section 7 of

T HR RS 13001 ST Train Safety Systems shall be used.

6.1. Multiple unit passenger trains (including locomotives designed to operate exclusively for passenger operations as power units) The fitting of all of the following systems shall be considered satisfactory in meeting the

minimum requirements:

• a vigilance control system (task linked and non-speed dependant)

• an OES (two methods) © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



• a trip gear valve

• European Rail Traffic Management System (ERTMS) level 2 compliant ATP onboard

equipment in accordance with T HR SC 01650 SP

• an emergency cock

• an on-board control system that shall not allow the train or vehicle to power up, move or

continue in motion with any of the driver safety systems isolated except under degraded

and specifically defined operating conditions

• a passenger transfer supervision system meeting the requirements in Section 5

Note: T HR RS 20003 SP Passenger Rolling Stock Driver Safety System provides the

details on developing an OES and vigilance control system based on those currently

in use in NSW.

6.2. Locomotive hauled freight and passenger trains Each locomotive driver’s compartment, for locomotives without driver only operation, shall

include driver safety systems incorporating the following:

• a vigilance control system

• a second person


• an on-board control system that shall not allow the train to power up, move or continue in

motion with any of the driver safety systems isolated except under degraded and

specifically defined operating conditions

• a passenger transfer supervision system meeting the requirements in Section 5 (passenger

trains only)

Note: Locomotives operating exclusively in shunting yards do not require driver safety

systems. However, if such locomotives are required to be moved on the main line they

need to be hauled dead attached or operated within a locomotive consist but not as

the lead locomotive.

Driver only operation on locomotive hauled freight and passenger trains is considered a

significant change to the operational context and hence requires additional safety assurance

prior to operation on the network. Refer to Section 6 and Section 7 of T HR RS 13001 ST.

Note: Practice has shown that for driver only operation, the following should be fitted

in each locomotive driver's compartment, as a minimum:


• an OES


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1




• an on-board control system that does not allow the train to power up, move or continue

in motion with any of the driver safety systems isolated except under degraded and


• a pressure maintaining brake valve

• working onboard communications equipment which provides direct communications

with the train control centre

• door locks to prevent illegal entry of cab while locomotive is unattended

• a dump valve clamp (DVC) present in the lead locomotive

Note: For shunting locomotives operated by a single person with a second person on

track as shunter, an OES or vigilance system should be fitted.

6.3. Infrastructure maintenance vehicles (with a driver’s compartment or position) Driver safety systems requirements for different types of infrastructure maintenance vehicles are

outlined in Section 6.3.1 to Section 6.3.3.

6.3.1. On-track (railbound) infrastructure maintenance vehicles On-track (railbound) infrastructure maintenance vehicles operating in travel mode, alone or as a

motive power unit hauling or controlling other infrastructure maintenance vehicles between and

within track possessions, may have potentially a kinetic energy (E) exceeding 600 kNm, based

on Equation 1.

Equation 1 - Potential kinetic energy of on-track (railbound) infrastructure maintenance vehicles

E = 0.0386 MV²

Where:

E = kinetic energy (kJ)

M = maximum vehicle mass (tonnes)

V = maximum vehicle speed (km/h)


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



Driver and authorised person

When the value of 'E' for a vehicle is greater than 600 kNm the driving compartment or position

controlling the operation of the vehicle, without driver only operation, shall include driver safety

systems incorporating the following:


• an authorised person to stop the vehicle or train in the event of an emergency

• an emergency cock or alternate suitable device for stopping the vehicle in an emergency

(application of emergency brake)

• an on-board control system that shall not allow the vehicle to power up, move or continue



• an ONRSR approved process to enable suppression of the vigilance control system whilst

the vehicle is in work mode within a possession

Driver only

When the value of 'E' for a vehicle is greater than 600 kNm, the driving compartment or position

controlling the operation of the vehicle, for driver only operation, shall include driver safety



• an OES


(application of emergency brake and removal (cutting) of traction power)


in motion with any the driver safety systems isolated except under degraded and




If it is not possible to incorporate suitable driver safety systems within the vehicle, the vehicle

maximum allowable speed shall be reduced to bring the value of 'E' below 600 kNm.

6.3.2. Road rail infrastructure maintenance vehicles Road rail infrastructure maintenance vehicles (except those covered by Section 6.3.3),

operating in travel mode, alone or as a motive power unit hauling or controlling other

infrastructure maintenance vehicles between and within track possessions, may have potentially

a kinetic energy (E) exceeding 600 kNm, based on Equation 2. © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



Equation 2 - Potential kinetic energy of road rail infrastructure maintenance vehicles

E = 0.0386 MV²

Where:

E = kinetic energy (kJ)

M = maximum vehicle mass (tonnes) including any attached trailers

V = maximum vehicle speed (km/h)

Driver and authorised person


controlling the operation of the vehicle, without driver only operation, shall include driver safety



• an authorised person to stop the vehicle or train in the event of an emergency


(emergency brake application and removal (cutting) of traction power)



Driver only


controlling the operation of the vehicle, for driver only operation, shall include driver safety



• an OES


(emergency brake application and removal (cutting) of traction power)






If it is not possible to incorporate a suitable driver safety system within the vehicle, the vehicle

maximum allowable speed shall be reduced to bring the value of 'E' below 600 kNm.


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



6.3.3. Road rail prime mover vehicles authorised to operate as a

locomotive only within a track possession Section 6.3.3 covers road rail prime mover vehicles operating in travel mode, alone or as a

locomotive hauling or controlling railbound rolling stock, exclusively within a track possession.

Driver and second person

The driving compartment or position controlling the operation of the vehicle or train, without

driver only operation, shall include driver safety systems incorporating the following:

• a driver suitably qualified to operate the vehicle both on road and as a locomotive on rail

• a brake controller compatible with the brake system on the vehicles to be hauled or

controlled


• a second person

• an emergency cock or alternate suitable device for stopping the vehicle or train in an

emergency (emergency brake application)


in motion with any of the driver safety systems isolated except under downgraded and


Driver only

Driver only operation on road rail prime mover vehicles is considered a significant change to the

operational context and hence requires additional safety assurance prior to operation on the

network. Refer to Section 6 and Section 7 of T HR RS 13001 ST.

Note: The driver needs to be suitably qualified to operate the vehicle both on road and

as a locomotive on rail.

Note: Practice has shown that for driver only operation, the following should be fitted

in each locomotive driver's compartment, as a minimum:

• a brake controller compatible with the brake system on the vehicles to be hauled or

controlled


• an OES

• an emergency cock or alternative suitable device for stopping the vehicle or train in an

emergency (emergency brake application and removal (cutting) of traction power)


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



• an on-board control system that shall not allow the train to power up, move or continue



• a pressure maintaining brake valve

• working on-board communications equipment which provides direct communications

with the train control centre

• door locks to prevent illegal entry of cab while vehicle is unattended

• a dump valve clamp (DVC) present in the lead vehicle

Note: Such vehicles needs to be fitted with a suitable air compressor and main

reservoir system to meet the duty requirements for a main reservoir and train brake air

supply.

7. Exemption criteria for existing trains Rolling stock currently operating on the TfNSW metropolitan rail area that is not fitted with the

deemed-to-satisfy safety systems specified in this standard shall be assessed to determine if

they need to be upgraded.

A cost benefit assessment shall determine the cost, risk and benefit of upgrading existing rolling

stock to meet the functional requirements in Section 5 based on a SFAIRP (so far as is

reasonably practicable) argument.

Factors to be considered include the following:

• the extent of non-compliance and associated risks involved

• the current and future operational context of the rolling stock, including the amount of time

the rolling stock operates or is going to operate on the TfNSW metropolitan rail area

• alternative means to achieve the equivalent level of overall safety

• the remaining service life of the rolling stock

• time required for the upgrade or modifications to be implemented

• cost of modification in relation to risk and benefit

The rolling stock operator shall have documented evidence that an appropriate assessment has

been undertaken to support its decision to upgrade or not upgrade the rolling stock.

Written confirmation shall be available from the operator that the appropriate assessment has

been undertaken.

If the cost benefit assessment determines that existing rolling stock should be upgraded to meet

the requirements of this standard, a temporary concession should be applied for to cover the

period of time of operation on the TfNSW metropolitan rail area. © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



If the cost benefit assessment does not justify that the existing rolling stock be upgraded to

meet the requirements of this standard, a permanent concession should be applied to provide

justification for continuing operation on the TfNSW metropolitan rail area.

8. Emergency cock An emergency cock shall be provided in the driving cab for the driver and other train crew to

apply emergency braking.

On vehicles with an automatic brake system, opening of the emergency cock shall ensure that

the brake pipe is directly vented to atmosphere, resulting in an automatic (emergency) brake

application applied to all vehicles within the train consist and removal of (cut to) traction power.

On vehicles without an automatic brake system, opening of the emergency cock shall remove

(cut) traction power and vent or release the pressure that is holding the spring parking brake

cylinder off, resulting in the application of the spring parking brake.

On some vehicles without an automatic brake system, an emergency brake button may be used

in place of an emergency cock. In this case the activation of the emergency brake button shall

remove (cut) traction power and apply the emergency brake on all vehicles within the train

consist.

9. Train stop and trip gear system The function of the train stop and trip gear system is to intervene and stop a train or vehicle

fitted with trip gear if it fails to stop for a signal at stop (red signal aspect). When the train stop

arm engages the trip gear lever, the associated valve directly vents the train or vehicle brake

pipe to atmosphere, initiating the removal of (a cut in) traction power and an automatic

(emergency) brake application on all vehicles within the train. The train stop is used at signals in

conjunction with a red signal aspect and in areas where train speed is required to be externally

controlled.

Emergency trip braking performance is specified in Section 7.4 (Train braking requirements) of

T HR RS 00100 ST RSU 100 Series – Minimum Operating Standards for Rolling Stock –

General Interface Standards.

9.1. Major componentry The major components of the train stop or trip gear system are the following:

• a trackside train stop or arm

• a bogie axlebox mounted trip valve or lever

• a control governor pressure switch or switches

• a safety apparatus isolating (SAI) or trip valve isolating cock © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



9.2. Operation The vehicle mounted trip gear system shall interface with the existing signal train stop and train

braking system.

9.2.1. Trackside equipment The train stop is an existing piece of trackside equipment positioned adjacent to signals and

positioned as a group of timed train stops in areas requiring speed control. The train stop arm is

raised when the signal is displaying a red signal aspect (signal at stop) or in the area requiring

speed control.

Figure 3 shows the trackside train stop set up limits.


Figure 3 - Train stop mounting dimensions

9.2.2. Train or vehicle onboard equipment The trip gear valve or trip lever system is mounted on the left hand leading axlebox beneath

each driver or operator compartment. The trip lever shall be designed to engage the raised

trackside trip arm.

The trip gear shall be of lightweight construction. A robust design is an important factor in

reducing the dynamic loading on the mechanism and its attachment to the bogie axlebox. The

trip lever shall be spring loaded to allow passing obstructions such as ballast and other signal

trip arms in the reverse travel direction.

For rolling stock with no automatic or remote trip gear valve dropping and lifting capability, a

manual latch shall be provided on the trip valve to retain the trip lever in the latched up position

on all non-leading vehicles. The design shall be such that, if the operating trip lever is manually

latched up (out of service), the trip valve is held open and thus exhausts the brake pipe to

atmosphere (maintains an emergency brake application).

Further information is available in SPG 0706 Installation of Trackside Equipment.

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



Systems that provide automatic raising of the trip gear lever for operation outside the limits of

the TfNSW metropolitan rail area shall be designed to maintain the trip valve in the closed

position.

When the trip valve is activated, an emergency brake application shall be made and the traction

power shall be removed (cut).

On a train or vehicle with an automatic brake system, the emergency brake application is made

by venting the brake pipe to atmosphere. Removal (cutting) of the traction power is made by the

brake pipe pressure dropping to a predetermined level (for example 250 kPa), the pressure

switch (control governor or equivalent) shall isolate traction power to the train or vehicle, which,

together with an automatic brake application, will bring the train or vehicle to a stationary

positon.

The trip valve shall be designed to not reset unless the driver makes a deliberate action to reset

the trip gear.

On a train or vehicle with an automatic brake system, this may be accomplished by reducing

brake pipe pressure below a predetermined level (for example 70 kPa), such that the brake pipe

will not fall below this level with the brake pipe being charged and with the minimum allowable

number of compressors running.

Systems that provide automatic or remote raising of the trip gear lever shall provide detection of

the raise or lower status, such that traction power is disabled if the trip lever is not lowered,

when operating in the TfNSW metropolitan rail area.

The trip lever shall be capable of striking a raised train stop arm whilst travelling in the reverse

direction at a minimum speed of 25 km/h without trip valve activation or it shall be latched up on

terminal cars when trailing in the direction of travel. When the train or vehicle is propelling or

reversing, the trip arm shall be in the lowered position on the leading car in the direction of

travel.

The trip lever shall be capable of striking a raised train stop arm whilst travelling in the forward

direction at the train or vehicle maximum design speed without causing trip valve malfunction or

damage to the trip gear or train stop mechanism.

10. Operator enable system The function of the OES is to detect the presence of the driver or operator at the controls of the

train or vehicle. If a required continuous control input by the driver or operator is interrupted or

not detected whilst the train or vehicle is in operating mode, then the system shall react by

making an emergency brake application and removal of (cutting the) traction power.

On trains or vehicles with an automatic brake system, the emergency brake application is made

by venting the brake pipe to atmosphere. The venting of the train or vehicle brake pipe shall be

accomplished by the system opening the emergency application valve, resulting in a full brake © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



application on the train or vehicle and traction power isolation. Isolation of traction power is

effected through a pressure switch when the brake pipe pressure drops to a predetermined

level (for example, 250 kPa), which together with the brake application will bring the train to a

stand.

The OES shall interface and be fully compatible with the train or vehicle traction control and

braking system.

10.1. Driver incapacitation Loss of circuit continuity within the OES could mean driver incapacitation and possible loss of

control of the train or vehicle. The interface between the driver or operator and the OES shall be

designed such that it is necessary for the driver or operator to remain at his or her work station,

either sitting or standing, and maintain the detection circuit continuity whilst the train or vehicle

is in motion with the brakes released.

10.2. Circumvention The OES shall be designed, as far as practicable, to prevent intentional or unintentional

circumvention of its operation whilst the train or vehicle is in motion with the brakes released.

10.3. Fail-safe In addition to the fail-safe requirements specified in Section 5.6, the equipment providing the

OES function shall provide a fail-safe function whenever the brakes on the train or vehicle are

released and the controller key or reverser handle is in the operating position. This requirement

shall apply unless the OES is isolated in accordance with an authorised procedure to allow the

train or vehicle to proceed.

The OES shall be designed to make an emergency brake application if the system becomes

inoperative due to technical failure or due to inappropriate actions by the driver or operator

whilst the train is moving with the brakes released.

10.4. Operation The driver or operator shall be required to maintain input to a suitable OES (for example a

spring-loaded pedal, controller handle or both) continuously in a predetermined position or

range, such that the detection circuit continuity is maintained. An emergency brake application

shall be initiated if all or either of the OES controls are released and the detection circuit is

opened, whilst the train or vehicle is in motion with the brakes released.

On vehicles fitted with an automatic braking system, the emergency brake application is

achieved by venting of the train or vehicle brake pipe.


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



Resetting the OES shall be readily achieved by moving any of the OES controls back to their

predetermined position or range within a specified time interval or otherwise a full penalty brake

application shall occur.

A means shall be provided to suppress the OES without driver or operator input, whilst the train

or vehicle is stopped at stations or signals.

For multiple unit passenger rolling stock (including locomotives designed to operate exclusively

for passenger operations as power units) the driver or operator shall be provided with at least

two methods by which they can maintain a suitable input and can easily change between

methods whilst operating the vehicle or train, as per Section 6.1.

11. Vigilance control system The function of the vigilance control system is to monitor the responsiveness of the driver,

operator or crew person and bring the vehicle or train to a stand if the driver or operator fails to

acknowledge the necessary control indications within a specified time interval.

On rolling stock fitted with an automatic brake system, this may be achieved by venting the train

or vehicle brake pipe to atmosphere and removing (cutting) the traction power.

11.1. Operation The vigilance control system is a timed cycle of warning events consisting of first, a visual

flashing light warning, followed by an auditory warning that, if neither is acknowledged, results in

a brake penalty being initiated (emergency brake application).

Some vigilance control systems randomly select the time interval and thus the driver or operator

can only acknowledge the vigilance warning after the visual signal. Other systems use task

linking to reset the vigilance cycle before the visual warning occurs. The latter system is

preferred because it reduces the driver or operator workload and in the main receives

confirmations of driver awareness more frequently.

Some trains are fitted with a speed dependent vigilance control system. In this case, as the

speed increases through speed bands, the vigilance cycle times are decreased.

The vigilance control system may be suppressed if the vehicle or train brakes are applied

sufficiently to hold on any grade on the network and the vehicle has come to a stand. This is a

mandatory requirement for multiple unit passenger rolling stock (and locomotives designed to

operate exclusively for passenger operations as power units).

11.1.1. Vigilance cycle and timing

When there is no vigilance control input detected, then the cumulative elapsed time before the

onset of, and the time intervals between the visible and audible alarm indications, and brake

penalty application shall be as specified in Table 1 or Table 2. © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



Table 1 - Timings for a non-speed dependent vigilance control system

Rolling stock type

Maximum time interval from acknowledgement to visual warning (seconds)

Maximum time from visual to audible warning (seconds)

Total elapsed time from acknowledgement to audible warning (seconds)

Maximum time interval from audible warning to brake penalty (seconds)

Total elapsed time from acknowledgement to brake penalty (seconds)

Multiple unit passenger - suburban or intercity*

30 5 35 5 40

Multiple unit passenger - regional or interstate*

40 5 45 10 55

Passenger - loco hauled (driver plus second person)

60 17 77 17 94

Freight - driver only

40 10 50 10 60

Freight - driver plus second person

60 17 77 17 94

Infrastructure maintenance vehicles - operator plus second person

60 17 77 17 94

* Including locomotives designed to operate exclusively for passenger operations as

power units

If after the elapsed time specified in Table 1 or Table 2, from the initial vigilance

acknowledgment, the driver or operator, has not made another vigilance acknowledgment via

the available system control inputs, the following shall occur:

• An in-cab visible warning shall start in the form a flashing light located such that it is visible

to all crew personnel, under all operating conditions. Only the driver or operator shall

respond to the visible warning through the operation of any of the task linked driving

controls, or press a vigilance acknowledgment button, or by fully depressing the OES pedal

(if fitted), for no more than 3 seconds.

• If the visible warning is not acknowledged within the time interval specified in Table 1 or

Table 2, from the onset of the visible warning, an additional audible warning will sound. The

audible warning shall be audible to the crew persons under all operating conditions. Only © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



the driver or operator shall respond to the audible warning sound in the same manner as

for the visible warning.

• If the audible warning is not acknowledged within the time interval specified in Table 1 or

Table 2, from the onset of the audible warning, a brake penalty is initiated by an application

of the emergency brake and the traction power is removed (cut).

Table 2 - Timings for a speed dependent vigilance control system

Vehicle / train speed (km/h)

Maximum time interval from acknowledgement to visual warning (seconds)

Maximum time from visual to audible warning (seconds)

Total elapsed time from acknowledgement to audible warning (seconds)

Maximum time interval from audible warning to brake penalty (seconds)

Total elapsed time from acknowledgement to brake penalty (seconds)

0 to 75 45 5 50 10 60

Over 75 to 90

35 5 40 10 50

Over 90 to 110

30 5 35 5 40

Greater than 110

25 5 30 5 35

On vehicles fitted with an automatic brake system, the emergency brake application is achieved

by venting the train or vehicle brake pipe to atmosphere.

It shall not be possible to release the brakes until the reset time stated in Table 1 or Table 2 has

elapsed. When the time has elapsed, the vigilance cycle can be reset, by pressing the

acknowledgment button and the brakes can be operated, in the normal manner.

In addition to the timing requirements for non-speed dependant vigilance control systems, as

detailed in Table 1, the vigilance control system shall ensure that:

a. the minimum time before the vigilance control system can be reset after a penalty brake

application, that is the train is fully stopped (stationary):

i. is 3 seconds for multiple unit passenger rolling stock (suburban/intercity). If no speed

input is available the minimum no reset time shall be 45 seconds.

ii. is 10 seconds for multiple unit passenger rolling stock (regional/interstate). If no speed

input is available the minimum no reset time shall be 90 seconds.

iii. is 30 seconds for all other rolling stock

b. where a vehicle is fitted with a speed dependent vigilance control system, the maximum

times shall not exceed any of the above timings for any speed


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



c. vigilance control systems designed to be only acknowledged after the visual warning (that

is, an acknowledgment made before the visual warning), does not reset the vigilance

control system timing cycle.

In addition to the timing requirements for speed dependant vigilance control systems, as

detailed in Table 2, the vigilance control system shall ensure that:

a. In the event of a defective speed input signal, the vigilance timings shall default to the

times for the greater than 110 km/h speed range.

b. After a train or vehicle has come to a stop after a vigilance penalty application, the

vigilance control system shall not be able to be reset for at least a further 3 seconds. If the

speed signal is faulty, the reset shall not occur until at least 45 seconds from the time of the

penalty application.

11.1.2. Vigilance control system acknowledgment and task linking Acknowledgement of the vigilance control system may be made through pressing the

acknowledgement button (alternatively using an OES pedal) or automatically via task linked

activities, which may include the following:

• a minimum meaningful movement of the power controller handle

• a minimum meaningful movement of the brake controller handle

• operation of the warning horn

• operation of headlight high or low beam switch (where fitted)

A task linked vigilance control system is preferred over a non-task linked vigilance control

system and is mandatory for multiple unit passenger rolling stock (and locomotives designed to

operate exclusively for passenger operations as power units) as per Section 6.1.

It is preferred that acknowledgement of vigilance control system pre-emptively before the visual

warning period by non-task linked inputs (vigilance acknowledgment button or OES pedal) is not

permitted, that is, resetting of the vigilance control system by use of the vigilance acknowledge

button should only occur during the visual or visual and audible warning periods. This is a

mandatory feature for multiple unit passenger rolling stock (and locomotives designed to

operate exclusively for passenger operations as power units).

Note: A single voluntary reset (SVR) function is permitted on TfNSW

regional/interstate passenger rolling stock which allows the driver to reset the vigilance

just once via the vigilance acknowledgement pushbutton before the activation of the

first stage warning. Refer to T HR RS 20003 SP.

The operation of setting the OES pedal is not considered a task linked function, however the

pedal may be used as a vigilance acknowledgment function during the visual or visual and

audible warning periods. © State of NSW through Transport for NSW of 29

Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



The system design shall be such that if the vigilance acknowledgment button or operator enable

pedal or both are depressed continuously the time cycle will remain uninterrupted and thus it will

continue to cycle as if no acknowledgment has been made.

11.2. Human factors Human factors experience in operation of the vigilance control system mandates the following

requirements:

• The in cab visible warning (vigilance) light shall be clearly visible to the driver at any time of

the day or night and not diminish the driver's night vision. In multiple unit passenger rolling

stock, a control shall be provided to the driver to adjust the brightness of the vigilance light

however the brightness shall remain above zero.

• The vigilance acknowledgment button or buttons shall be located on the driver's desk or on

a vertical face in the control area such that the driver shall be able to reach the button with

an outstretched arm and without upper body movement. The button shall not be located

such that the movement of the driver’s thigh, knee or foot can operate it.

• The vigilance audible warning shall be distinguishable from any other audible information

devices from within the cab.

12. Passenger transfer supervision system A combination of systems (traction interlocking, door obstruction detection, visual and audio

door motion warnings and closed-circuit television (CCTV)) used in isolation or in combination

under different configurations are utilised across different passenger fleets to act as passenger

transfer supervision system.

Traction interlocking

The function of traction interlocking is to ensure traction is only applied when all body side

passenger doors are fully closed and locked. A stationary train at the platform shall not be

allowed to move relative to the platform until interlocking of all body side passenger doors is

achieved (confirmed closed and locked).

Note: For passenger trains with manual doors opened and closed by the train crew,

mechanical locking under an approved operator procedure can be considered as an

alternative to traction interlocking.

Door obstruction detection system

The function of a door obstruction detection system is to reduce the possibility of passenger and

objects being trapped in doors by detecting if a passenger or object is in the path of a closing


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1



passenger body side door. The door shall automatically reopen allowing the passenger or

object to move out of the path to enable the door closing sequence and traction interlocking.

Note: For passenger trains with swing type doors operated manually, an approved

operating procedure including manual operation by the train crew can be considered

as an alternative to automatic obstruction detection.

Door motion warning system

The function of a door motion warning system is to warn passengers from inside and outside

the vehicle prior to door motion (closure, release and opening).

A visual and audible warning, inside and outside the vehicle shall be provided to warn

passengers prior to door motion.

Closed-circuit television

CCTV may be used, in conjunction with traction interlocking, door obstruction detection and

door motion warnings to assist with supervising passenger transfer at platforms.


Supe

rsed

ed b

y TS

040

69:1

.0, 0

1/09

/202

1

T HR RS 00840 ST RSU Appendix D - Train (Driver) Safety ...

Documents

Transcript of T HR RS 00840 ST RSU Appendix D - Train (Driver) Safety ...