Notification Draft 2015 306 D EN

1.
------IND- 2015 0306 D-- EN- ------ 20150713 --- --- PROJET
Technical Rules for Trams

Signal and train protection systems
(TRStrab SIG) 1
Edition: 1 August 2012

in the version of 17 February 2015
1
Notified in accordance with Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998
laying down a procedure for the provision of information in the field of technical standards and regulations and
of rules on Information Society services (OJ L 204 of 21 July 1998, p. 37), last amended by Article 26(2) of
Regulation (EU) 1025/2012 of the European Parliament and of the Council of 25 October 2012 (OJ L 316 of
14 November 2012, p. 12).
2
Foreword
The technical rules for trams (TRStrab) are considered the generally accepted
engineering principles for the construction and operation of trams and spell out in
detail the basic requirements of the tram construction and operation order (BOStrab).
They are prepared by the federal-state technical committee BOStrab (German

designation: BLFA BOSTrab) and notified by the Federal Ministry of Transport and
Digital Infrastructure in the Transport Gazette.
Deviation from the technical rules is permitted if at least the same level of safety is
provided.

3
Table of contents
FOREWORD
TABLE OF CONTENTS
PREAMBLE
1. INTRODUCTION
1.1 Definitions
1.2 Marking and mandatory nature of requirements
1.3 Obligations of tabular requirements
2. SCOPE AND FRAMEWORK CONDITIONS 10
2.1 Scope 10
2.2 Compliance with statutory principles and best practice 10
2.3 Definition of systems and installations under BOStrab 11
3. PRINCIPLES OF DRIVING OPERATION 13
3.1 Driving operation modes 13
3.2 Basic functions for protecting train movements 14
3.3 Grade of automation of driving operation 16
3.4 Basic definitions for protecting train movements 19
3.4.1 Braking actions 19
3.4.2 Train protection definitions 21
4. PREFERRED ARCHITECTURE 28
4.1 Objective 28
4.2 Delineation 29
5. PROTECTING ROUTES 30
5.1 Basis of route protection 30
5.2 General sub-route functions 32
5.3 Route between start point and destination point 35
5.4 Overlap 35
5.5 Flank protection 38
5.6 Level crossing protection systems 40
5.7 Switchover protection 43
5.8 Detection for route protection and switchover protection 44
6 SECURING HEADWAY CONTROL 45
6.1 Principles 45

4
6.2 Excluding contraflow 46

6.3 Headway control detection 47
7 SECURING SPEED 48
7.1 Basic concepts 48
7.2 Issuing permission to proceed 48
7.3 Integrating statuses in the permission to proceed 51
7.4 Stationary signals 52
7.5 Monitoring level crossings 53
7.6 Monitoring train driving quality 54
8 DETAILED ARCHITECTURE 56
8.1 Overview 56
8.2 Generic and application-specific 56
8.2.1 Specific application 56
8.2.2 Generic application 57
8.2.3 Generic product 57
8.3 Separation according to safety relevance 58
8.4 Absence of repercussions on networks 58
8.5 Restart behaviour 59
9 OPERATION AND DISPLAY 60
9.1 Overview 60
9.2 Overall system, control centre facilities 60
9.3 Display 61
9.4 Operation 63
9.5 Standard and ancillary operations 64
9.6 Logging and recording 68
10 ANNEXES 70
10.1 Abbreviations 70
10.2 Definitions 72
Bibliography 75
Acts and regulations 75
Guidelines and technical rules 75
Standards 75

5
Preamble
The technical rules for train (TRStrab) are considered the generally accepted
engineering principles for the construction and operation of train and spell out in
detail the basic requirements of the train construction and operation order
(BOStrab).
They are prepared by the responsible federal-state technical committee

(BLFA BOStrab), notified by the Federal Ministry of Transport, Building and Urban
Development (German designation: BMVBS) in the Transport Gazette and
published on the BMVBS home page.
These technical rules for signal and train protection systems (TRStrab SIG)
specify, in particular, the basic requirements of §§ 20, 21 and 22 BOStrab.
Deviation from these technical rules is permitted in accordance with § 2(2) of

BOStrab, if at least the same level of safety is provided.
The technical rules for signal and train protection systems pursuant to BOStrab
(TRStrab SIG) describe how the requirements of European standards
DIN EN 62290 and DIN EN 62267 can be implemented on the basis of BOStrab.
The application of this TRStrab should improve planning and legal certainty for
railway companies, manufacturers and technical supervisory authorities and also
facilitate recognition of registrations between technical supervisory authorities.
The subject of these technical rules is exempt from the application of the
specifications based on these guidelines on the basis of
Article 2(2)(a) of Directive 2004/49/EC of the European Parliament and of the

Council of 29 April 2004 on safety on the Communitys railways and
Article 1(3)(a) of Directive 2008/57/EC of the European Parliament and of the

Council of 17 June 2008 on the interoperability of the rail system within the
Community (recast OJ L 191 of 18 July 2008, p. 1)
in the Federal Republic of Germany pursuant to § 1(2) of the General Railways Act
(German designation: AEG) of 27 December 1993 (Federal Law Gazette I p. 2378,
2396; 1994 I p. 2439) last amended by

6
Article 2(122) of the Act of 22 December 2011 (Federal Law Gazette I p. 3044)
§ 65 of the Passenger Transport Act (PBefG) of 21 March 1961 (Federal Law
Gazette I p. 241), as amended by Article 2(147) of the Act of 7 August 2013
(Federal Law Gazette I p. 3154).
Notwithstanding the fact that the TRStrab SIG is considered by the BOStrab
federal-state technical committee as generally accepted best engineering practice
pursuant to § 2(1) BOStrab, the following references to existing federal legislation
transposing EU directives must be taken into account:
Technical specifications for products in these technical rules may only be

applied insofar as they do not deviate from the applicable federal regulations
transposing EU directives. This applies in particular to
- the Act on making products available on the market (Product Safety

Act ProdSG) of 8 November 2011 (Federal Law Gazette I p. 2179),
- the Electromagnetic Compatibility of Equipment Act (German designation:
EMVG) on 26 February 2008 (Federal Law Gazette I p. 220), as amended
by Article 4(119) of the Act of 7 August 2013 (Federal Law Gazette
I p. 3154),
- the Telecommunications Act (German designation: TKG) of 22 June 2004
(Federal Law Gazette I p. 1190), last amended by Article 22 of the Act of
25 July 2014 (Federal Law Gazette I p. 1266)
and the legal regulations issued on the basis of these Acts.
The same applies for technical specifications for products in these technical
rules in respect of legal provisions of the European Union that are directly
applicable, unless a deviation in accordance with Article 114 of the Treaty on
the Functioning of the European Union (OJ C-115 of 9 May 2008, p. 49) is
maintained or adopted by the Federal Republic of Germany.
The requirements of these technical rules may not be used by official bodies to
obstruct the marketing of products in the Federal Republic of Germany where
these were produced and/or marketed according to law in another Member
State of the European Union or Turkey or an EFTA country which is party to
the EEA Agreement. If the authority under § 54(1)(3) of the Passenger
Transport Act (PBefG) in the edition of the Notification of 8 August 1990
(Federal Law Gazette I p. 1690), as amended by Article 2(147) of the Act of

7
7 August 2013 (Federal Law Gazette I p. 3154), as amended by Article 4(21)

of the Act of 29 July 2009 (Federal Law Gazette I p. 2258) has evidence that a
particular product which has been produced and/or marketed according to law
in another Member State of the European Union or Turkey or an EFTA country
which is party to the EEA Agreement does not offer the level of safety
corresponding to the level required in this regulation, it may prohibit the
marketing of the product or remove it from the market, after it has
- notified the manufacturer or distributor in writing of which parts of the

national technical requirements prevent the marketing of the product in
question and
- have shown on the basis of all relevant scientific facts the compelling
reasons of public interest which require these parts of the technical
regulation to be applied to the product and why less restrictive measures
are unacceptable and
- has called upon the participating business to make any comments within a
time period (of at least four weeks or 20 working days) before an individual
measure to limit the marketing of the product is taken against it and
- has taken due account of these comments in the grounds for its final
decision. The authority must then under § 54(1)(3) of the Passenger
Transport Act (PBefG) in the edition of the Notification of 8 August 1990
(Federal Law Gazette I p. 1690), as amended by Article 4(21) of the Act of
29 July 2009 (Federal Law Gazette I p. 2258) notify the affected
participating business of the individual measures to limit the marketing of
the product, including a statement of the available legal remedies.

8
1. Introduction
1.1 Definitions
The relevant standards and provisions (BOStrab) use various terms for the same
object. To ensure clear allocation, the terms used in the technical rules are defined
in Annex 2.
In the following chapters of this document, term definitions are indicated in

standard typeface and with the abbreviation DEF.
1.2 Marking and mandatory nature of requirements

In the following chapters and annexes to this document
 requirements are indicated in standard typeface and with the abbreviation

ANF,
 requirements that are (must be) fulfilled under other subsystems or
organisations are indicated in standard typeface and with the abbreviation
EXT ANF,
 explanations, examples and reference values are indicated in italics.
The level of obligation of the requirements is modelled on DIN 820, Part 2, E and
taken into account in the wording of the requirements.
1.3 Obligations of tabular requirements

Where requirements are set out in tabular form, the following mandatory symbols
are used in the table fields:
M: This symbol (mandatory) means that the architecture, technology or

measure must be applied for this application.
HR: This symbol (highly recommended) means that the architecture,

technology or measure is highly recommended for this application. Where this
architecture, technology or measure is not used, the reason for not using it must
be documented and approved by the expert (or TAB).

9
R: This symbol (recommended) means that the architecture, technology or

measure is recommended for this application.
NRQ: This symbol (not required) means that the architecture, technology or
measure is not mandatory for this application but also that there is no reason why
it may not be used.
NR: This symbol (not recommended) means that the architecture, technology
or measure is explicitly not recommended for this application. Where this
architecture, technology or measure is used, the reason for using it must be
documented and approved by the expert (or TAB).
NA: This symbol (not applicable/not allowed ) means that the architecture,
technology or measure may not be used or is even prohibited for this application
due to higher-level requirements or framework conditions.
The differentiation and meaning of mandatory symbols correspond to the

standards EN 50129 (Annex E), EN 50128 (Annex A) and IEC 61508-2, -3, -6
(English version).

10
2. Scope and framework conditions
2.1 Scope
The technical rules apply to trains operated under the Passenger Transport Act
(PBefG) in accordance with BOStrab. They apply to:
 signal systems (§ 21 BOStrab),

 train protection systems (§ 22 BOStrab) and
 level crossings (§ 20 BOStrab).
2.2 Compliance with statutory principles and best

practice
The legal provisions for trains place requirements on safety; first in general form,
such as in § 2 BOStrab and also more specifically in § 22 BOStrab (fail safety for
train protection systems).
Under § 4(2) PBefG, elevated railways, underground railways, suspension

railways and similar railways with a special design are also considered tramways.
The legal provisions for tramways determine
 defined safety standards (e.g. § 20 BOStrab, safety of level crossings

depending on user groups and usage frequency),
 basic functional requirements for operating systems and vehicles (e.g.
§ 22(2) BOStrab, route protection systems),
 quality requirements for the construction of operating systems and
vehicles (e.g. § 22(4) BOStrab, reliability and fail safety),
 procedures for the construction and approval of operating systems (§ 60,
§ 62 BOStrab) by the competent technical supervisory authority,
 responsibilities for compliance with safety and organisational requirements
incumbent on companies and their operations managers (§ 7,
§ 8 BOStrab).
BOStrab requires that operating systems and vehicles meet safety and
organisational requirements. They are deemed to have met these requirements
where they are built and operated in line with
 the BOStrab provisions,

11
 the requirements laid down by the technical supervisory authority and the
 licensing authority,
 and generally acknowledged best practice;
(§ 2 BOStrab). A deviation from generally accepted best practice is permissible if

at least the same level of safety is provided.
Both to clarify the national legal standards and to harmonise the legal standards
and the European standards for railway applications and to stipulate the
implementation of further best engineering practice, specifications are laid down in
the TRStrab SIG on the basis of current high levels of protection generally
accepted in the Federal Republic of Germany.
2.3 Definition of systems and installations under

BOStrab
BOStrab sets out requirements for operating systems, installations and vehicles.
These form the basis for the documented definition required under DIN EN 50126
of the system to be reviewed at the beginning of the life cycle.
The following general classifications shall be given to railway companies for the
scope of this TR assistance with the system to be specified under DIN EN 50126.
This is done in particular with a view to carrying out risk analysis.
Examples of possible system levels are shown in the following table:
Overall system Subsystem Installation

Signal system Driving signal system for Driving signal for driving signal
single-track line system
Processor for driving signal
system, etc.
Driving signal system for Driving signals and points for
route control driving signal system
Processor for driving signal
system
Individual point controller Point signal for individual point
controller,
etc.
Train protection Route protection Route protection points, etc.
system (interlocking system)

12
Train control Train control stop etc.
Operator terminal Operator terminal processor

etc.
Level crossing Level crossing safety Processor for level crossing
system (BÜSA) safety system, light signals,
semi-barrier, cut-off loop, etc.
Table 1: Examples of system levels

13
3. Principles of driving operation
3.1 Driving operation modes

BOStrab § 49 contains basic requirements for driving operation and sets out the
two operating modes Driving on sight and Driving under control-command
including their conditions of use. The following tables give an overview of the
prerequisites and technical consequences for both these operating modes.
Provisions under Driving on-sight driving under control-

BOStrab allowed with command with
construction type ---- independent tracks
(§ 49(2) and (3))
street-running tracks where street-running tracks where
maximum line speed maximum line speed
≤ 70 km/h > 70 km/h
street-running tracks in short street-running tracks in
tunnels (visible stopping tunnels
distance)
operational type shunting moves
(§ 49(3))
malfunctions with regard to
standing instructions
Table 2: BOStrab provisions for driving operation modes
BOStrab requirements driving on-sight driving under control-

command
Headway control effected by driver ensured by train protection
(§ 49(1)) systems as per § 22
other signalling by driving signal ensured by train protection
dependencies (e.g. exclusion systems as per § 21(3) systems as per § 22
of contraflow on single-track
lines, § 49(5))
Signals Driving signals as per Main signals and advance
(§ 21(23)) Appendix 4(3) signalling as per
Appendix 4(1) and 2
Point signal Point signal as per ----
(§ 51(11)) Appendix (4)(10)
Train control ---- ensured by train protection
(§ 22(1)(2)(3)) systems as per § 22
on-board train control ---- are required for passenger
systems vehicles operated on train

14

command
(§ 22(5) and § 38(3)) protection sections
Table 3: BOStrab requirements based on driving operation modes
3.2 Basic functions for protecting train movements

The basic requirements for train protection systems under § 22 BOStrab apply
regardless of whether they are met by train personnel or by automatic systems or
by a combination of both (official justification for § 22 BOStrab). Therefore, the
following basic functions for protecting train movements may be derived from § 22:
 protecting routes
 securing headway control between trains
 securing speed
The basic functions derived from § 22 BOStrab also apply in areas where the
principles for driving on-sight are applied and therefore for driving signal systems
and point controllers.
The requirements for train protection systems under

§ 22(12) BOStrab for the three basic functions are set out below to
clearly delineate between the basic functions.

15

command
Route protection setting and setting and protecting
encompasses: protecting routes as routes as per § 22(1)(2)(1)
per § 21(3) within the
operational scope
required
ensuring that at least the
braking distance of
identifiable safety obstacles
(here: track ends and routes
that are not protected against
side-on or head-on collisions)
is clear and kept clear) as per
§ 22(2)(1)(1)
where speed determining the related
> 15 km/h, determining interlocking points as per
the interlocking points § 22(2)(1)(2) BOStrab.
Table 4: BOStrab requirements to protect routes

command
Securing headway control as per § 22(2)(1) BOStrab,
between trains ensuring that at least the
encompasses: braking distance from
identifiable safety obstacles
(here: moving and stationary
trains) is clear and kept clear.
Table 5: BOStrab requirements to secure headway control
The following types of identifiable moving and stationary trains may be used in the
route to be protected:
 through headway operation,

 through contraflow operation,
 through side-on operation (over common points or crossings).

command
Securing speed transmitting driving transmitting driving
encompasses: instructions to trains instructions to trains pursuant
pursuant to § 21(3), to § 22(1)(2)

16

command
§ 50 and § 51
---- transmitting permissible
speeds in driving instructions
to trains pursuant to § 22(2)
(3)
---- monitoring train driving and
influencing it in the event of
dangerous deviations
pursuant to § 22(1)(3)
Table 6: BOStrab requirements to protect speeds
The basic function Securing speeds encompasses choice of signal, fixed

signalling or transmitting permission to proceed with a secure operating profile,
monitoring speed and train control.
3.3 Grade of automation of driving operation

The mode of operation driving under control-command can be further
differentiated according to the level of automation. The grade of automation is
defined as set out in DIN EN 62290-1. Each of these grades of automation allows
for the technical implementation of additional control and safety functions to the
extent that service personnel are replaced by technical installations or specific
protective functions can no longer be performed.
DEF Train operation on-sight (GOA0): At this grade of automation, the driver
has full responsibility and no system is necessary to monitor his activities.
However, points and single-track lines may be partially monitored by the system.
Insofar as the definitions in DIN EN 62290-1 contain implicit requirements, it

should be noted that BOStrab and TR SIG may impose further requirements. For
example, driving signal systems for single-track lines under § 21(3)(2) BOStrab
are mandatory.
DEF Non-automated train operation (GOA1): At this grade of automation, the

driver who is observing the route and who takes control of the train if dangerous
situations arise is in the forward drivers cab on the train. Accelerating and braking
are performed by the driver in accordance with track-side signals or driver s cab

17
signals. The system monitors driver activity. This monitoring may be punctual,
semi-continuous or continuous while taking due account of signals and speed. The
safe departure of the train from the stop including closing the doors is the
responsibility of service personnel.
DEF Semi-automated train operation (GOA2): At this grade of automation, the

driver who is observing the route and who takes control of the train if dangerous
situations arise is in the forward drivers cab on the train. Accelerating and braking
are automated and the speed is continuously monitored by the system. The safe
departure of the train from the stop is the responsibility of service personnel
(opening and closing doors can be automatic).
DEF Driverless train operation (GOA3): At this grade of automation, in

comparison to Grade 2, additional measures are required as there is no driver
observing the route who can take control of the train if dangerous situations arise
is in the forward drivers cab on the train. At this grade of automation, one member
of service personnel must be in the train. The safe departure of the train from the
stop including closing the doors can be the responsibility of service personnel or
be automatic.
DEF Unattended train operation (GOA4): At this grade of automation, in

comparison to Grade 3, additional measures are required as there are no service
personnel on the train. The safe departure of the train from the stop including
closing the doors must be automatic. In particular, the system can detect and
control dangerous situations and emergencies such as the evacuation of
passengers. Some dangerous conditions or emergency situations such as
derailment or smoke and fire detection may require personnel deployment.
ANF Responsibility for the execution of basic driving functions must be split
between operatives and the technical system according to the following table,
depending on the grade of automation.

18
Basic driving functions Grade of automation

GOA0 GOA1 GOA2 GOA3 GOA4
x8 Syste Syste
protecting routes System System
(system) m m
protecting train securing headway control x8 Syste Syste
System System
movements between trains (system) m m
x x Syste Syste
securing speed System
(system) (system) m m
Control and monitoring of Syste Syste
Driving X X System
acceleration and brakes m m
Preventing a collision
with identifiable safety Syste Syste
X System System
obstacles (§ 22(2) m m
Monitoring the route (2) BOStrab)
(i.e. from the track Preventing a collision Syste
area) X X X System
with other obstacles m
Preventing a collision Syste

X X X System
with people on the track m
Controlling and
monitoring passenger X X X X System
compartment doors
Preventing injury to
Monitoring boarding persons between cars or
X X X X System
and alighting between platform and
train
protecting starting
X X X X System
conditions
Set-up/ Suspension X X X X System

Operating a train
Monitoring train status X X X X System
train diagnosis; detecting
System
Ensuring the fire / smoke, derailment,
and/or
detection and loss of train integrity;
X X X X personn
handling of handling emergency
el in
emergency situations situations (calling,
OCC
evacuating, monitoring)
Comments, abbreviations
GOA0 = Train operation at sight (driving on-sight)
GOA1 = Non-automated train operation
GOA2 = Semi-automated train operation
GOA3 = Driverless train operation
GOA4 = Unattended train operation
x = Responsibility of service personnel (can be performed through the technical system)
System = must be performed by the technical system
(System) = Support possible through the technical system for functions under Chapter 3.2
x8 Exclusion of contraflow on single-track lines must be carried out pursuant to § 21(3)(2)
OCC = Operation Control Centre
Table 7: Basic driving functions (based on DIN EN 62290-1)
Automated driving (braking and acceleration) is a state-of-the-art control function

for the train protection system that is effective in accordance with § 22 BOStrab
depending on driving operation safety.

19
The basic functions set out in the table that are to be carried out by technical
systems for grades of automation GOA3 and GOA4 are not an integral part of train
protection systems under § 22 BOStrab, but may have a functional impact on
them. Basic requirements for these installations are set out in the Technical Rules
for Driverless Operation (RL FoF) and, where applicable, clarified in the following
VDV standards.
3.4 Basic definitions for protecting train movements
3.4.1 Braking actions
The braking actions below clarify the braking actions defined according to BOStrab
and TR Brakes for applications in the scope of these technical rules and establish
the basic requirements for on-board braking equipment to ensure overall safety of
operation.
Service braking is defined in TR Brakes.
EXT ANF Service braking deceleration is determined depending on the desired

vehicle dynamics.
Service braking deceleration is for example entered in the train protection profile
(see below), train headway calculations and calculations of sight sections.
Immobilisation braking is defined in TR Brakes.
Unlimited stoppage is a feature of immobilisation braking.
EXT ANF After service braking up to standstill the braking system should
automatically prevent trains from moving during boarding and alighting at stops
(without involving the driver or the on-board train protection system)
(immobilisation braking).
Sharp braking is defined in TR Brakes.
EXT While using vehicles on street-running tracks in train protection areas, sharp
braking may only be triggered by the driver. (see Sharp braking in TR Braking)
Train protection braking is defined in TR Brakes. The term emergency braking

is used in safety engineering and is therefore used synonymously.

20
ANF Safety requirements are attached to the application of emergency braking.

In particular, fail-safe triggering of emergency braking must be ensured through
the train protection system (§ 22(3) BOStrab).
EXT ANF Endangerment of passengers due to high deceleration and jolting

must be limited to no more than an unavoidable extent.
EXT ANF Emergency braking must be discontinued when the dangerous

deviation is eliminated and need not be continued until the train is brought to a
standstill.
ANF Emergency braking must be applied until the train is brought to a standstill
by the triggering train protection system if the braking requirement continues.
DEF Emergency braking distance is the distance it takes to bring the train to a
standstill when emergency braking is triggered, taking into account significant
emergency braking deceleration including response, delay and threshold time for
the braking system. The emergency braking distances agreed under a specific
application form the basis for keeping the safety-related braking distances required
under § 22(2)(1) BOStrab.
The definition of emergency braking distance includes the distance required for
response, delay and threshold time vis-à-vis VDV Guideline 340 in order to
comply with Appendix 2 BOStrab.
EXT ANF When defining the required deceleration values including response,
delay and threshold times, train protection requirements must be taken into
account. The planning of track systems (§ 15§ 17 BOStrab), signal and train
protection systems (§ 21§ 22 BOStrab) and vehicles (§ 33§ 48 BOStrab) must
be closely coordinated in respect of the requisite emergency braking distance.
EXT ANF Compliance with significant emergency braking distances is deemed

ensured if they are demonstrated and tested in accordance with TR Brakes. This
involves ensuring that the test exclusively relates to the braking system declared
autonomous under § 36(1) BOStrab independently of any additional braking
systems, representing the basis for limit values if a brake fails under
Appendix 2, Table 1 BOStrab.

21
3.4.2 Train protection definitions
DEF The danger point is the point before which the head of the train must come
to a standstill to avoid an operational hazard. The danger point lies in the direction
of travel before identifiable safety obstacles under § 22(2) BOStrab; these
include moving or stationary trains, track ends and routes that are not protected
against side-on or head-on collision.
Figure 1: Danger point: track end
(poss. head/front of train)
Figure 2: Danger point: unprotected point boundary markers
Figure 3: Danger point: unprotected switch point
WÜ
WÜ
WÜ = Wagenkastenüberhang
car body overhang (to be(zutaken
berücksichtigen)
into account)
Figure 4: Danger point: track section limit

22
DEF The neutral section is the line behind the destination point of a moving train
which must be maintained up to the danger point taking into account the features
of the train control system including location-based tolerances and safety
response times. Depending on the type of train control system, the neutral section
consists of
 either the entire emergency braking distance, if emergency braking is only

triggered at the destination point,
 or a fail-safe braking distance if the emergency brake can be triggered
before the destination point is reached because train movement was being
monitored.
The length of each neutral section is calculated according to tested operational

specifications, the properties of the train control system, significant emergency
and fail-safe braking and safety-related assumptions.
In international regulations, the neutral section is referred to as the safety

margin.
1 Service braking curve

2 Driving through stop sign (driver error assumed)
3 Driving over a crossing (emergency brake triggered)
4 Emergency braking curve
5 Neutral section
Figure 5: Neutral section in the event of punctual influence at the main signal
(train stop function)

23
1 Service braking curve

2 Monitoring curve of train protection profile
3 Triggering of emergency braking (driver error assumed)
4 Emergency braking curve
5 Emergency braking distance
6 Fail-safe braking distance
7 Neutral section
Figure 6: Neutral section in the event of (quasi-)continuous influence
ANF When calculating neutral sections, the gradient conditions on the line and
the geometrical and dynamic driving vehicle data of regularly used vehicles must
be taken into account.
ANF When calculating neutral sections, systemic location errors and tolerances
must be taken into account unless they can be justifiably ruled out. When adding
all the independent influencing factors affecting the maximum values, probability
distribution or a simultaneity factor may be taken into account.
Similar to the official justification for § 18(3) and 4 BOStrab.
DEF Permission to proceed represents the instructions for driving a train

(§ 22(1)(2)(2) BOStrab). It applies within specific limits and contains
 basic approval to drive a train,

 where necessary, information on permitted speeds, and
 where applicable, restrictive conditions required to ensure specific
operation modes or operational situations, such as driving in parking
facilities, driving on partially occupied tracks, coupled driving, driving with
substitute signals, emergency stop, driving over faulty level crossings.

24
In international regulations, permission to proceed is referred to as movement

authority. Restricted permission to proceed (e.g. driving with substitute signals or
warning signal) is referred to as degraded movement authority.
In international regulations, the term movement authority limit is used partly to

refer to permission to proceed limits as defined above, partly for danger points.
DEF The train protection profile is the speed limit profile to be established and
monitored according to train protection principles as part of a permission to
proceed. The train protection profile takes into account:
 the static speed profile which determines the highest permissible speed in
respect of track layout, structural loads, lateral and vertical acceleration
and compressive stress,
 the dynamic speed profile, which determines the highest possible speed in
respect of temporary speed restrictions and the state of track components
(e. g. point position) and permission to proceed limits,
 permissible vehicle speeds derived from vehicle dimensioning,
 the safe braking profile, both before the destination point of the permission
to proceed and before any necessary speed reduction taking into account
the length of the neutral section maintained.
Depending on content, the train protection profile can be represented as a route-

speed diagram.
Train protection profile generally means a train protection construct. However, at

low grades of automation (GOA 0 and 1), the train protection profile can be
implicitly derived from standing instructions, the driver s familiarity with the route or
stationary signals.
The train protection profile does not take into account location tolerances and
safety response times of the train control system. These are taken into account
when determining the requisite neutral sections and safety margins when driving
at the start of a speed reduction.
The train protection profile does not take into account (see operating profile):
 recommended speed to increase driving comfort,

 operational (not safety) stopping points,
 energy-efficient driving,
 noise protection.

25
DEF The operating (speed) profile is the speed profile to be formed within the
limits of the train protection profile to control train movements. The operating
profile takes into account:
 recommended speed to increase driving comfort,

 operational (not safety) stopping points,
 energy-efficient driving,
 noise protection.
Depending on content, the operating profile can be represented as a route-speed

diagram. Depending on the grade of automation, the train protection profile can be
implicitly derived from standing instructions for driving, scheduling and the driver s
familiarity with the route, or explicitly e.g. in the form of technical specifications for
the control components of the train protection system on the vehicle control
system.
Train protection profile, destination point, operating profile
2
3
ZP
1 Geschwindigkeitsprofil (stat./dynam.)
Speed profile (stat./dynam.)
2 Sicherungsprofil
2 Train protection profile
3 Fahrprofil
3 Operating profile
Figure 7: Example, train protection and operating profile when the signal is on

26
1 Speed profile (stat./dynam.)

2 Train protection profile
3 Operating profile
Figure 8: Example, train protection and operating profile when the signal is of
DEF Train detection is the secure determination of the location of rail vehicles
through
 track-side train detection systems (external detection) or

 on-board equipment in the train protection system (internal detection) with
support from track-side equipment
in a defined section of the track system or as an absolute position in reference to

local topography in the track network. Depending on system requirements, train
detection can provide further information such as direction of travel, driving speed,
acceleration and length of the detected train.
Examples of external detection are track vacancy detection systems such as track
circuits and axis counting circuits or rail contacts, light barriers and similar
equipment used to detect the presence and absence of trains. Internal detection
systems use on-board components to determine position, e.g. combinations of
odometer pulse generators, accelerometers or radar sensors and are
supplemented for synchronisation or initialisation by track-side elements such as
crossed line conductors, transfer loops, locating points in the form of balises.
EXT ANF When using track-side train detection systems, it must be ensured that
the vehicles used meet the requirements for detectability (e.g. sufficient train
shunt, detectability of tyres while avoiding interference from other vehicle
components (magnet rail brakes, EMC interference).

27
EXT ANF When using on-board train detection, it must be ensured that the
vehicles used meet the requirements to properly determine position (e.g. matching
tyre diameter, matching frictional and skid behaviour).

28
4. Preferred architecture
4.1 Objective
In extreme cases, implementation of the basic functions at the individual grades of
automation can be approached in two ways. On the one hand, a custom-made
solution can be designed for each application project, whereby the technical
architecture, interfaces and operating rules are redefined without reference to tried
and tested models. On the other hand, an all-encompassing system can be
designed which contains all necessary variants. Obviously, these approaches can
also lead to extreme inconsistency or inefficiency. Another risk is that the over-
individualised or over-generalised solution contains concepts and functions that
are not yet sufficiently operationally tested in this form and scope, so dangerous
deficiencies can arise.
In the following chapters on protecting train movements the preferred

architecture for the basic functions
 protecting routes,
 securing headway control between trains and
 securing speed
is defined with proven suitability for BOStrab requirements. The preferred

architecture ensures that
 the safety-related assumptions,

 the interfaces to other operating systems and vehicle components,
 the human-machine interfaces,
 the operating rules,
 operational quality assurance and
 personnel training
can be geared to practical needs. The preferred architecture promotes consistency

of signal and train protection systems and the reusability of their components.
4.2 Delineation
The subsystems for the basic functions with driverless and unattended driving
(GOA3 and GOA4):
 preventing a collision with identifiable safety obstacles,

29
 preventing a collision with people on the track,

 controlling and monitoring passenger compartment doors,
 preventing injury to persons between cars or between platform and train,
 protecting starting conditions
 setting up and suspending a train,
 monitoring train status,
 ensuring the detection and handling of emergency situations,
are clarified in the Technical Rules for Trams Operation without a Driver
(TRStrab FoF)

30
5. Protecting routes
5.1 Basis of route protection

Route protection encompasses:
 setting and protecting routes as per §22(1)(1)(1) BOStrab,

 ensuring that at least the braking distance of identifiable safety obstacles
(here: track ends and routes that are not protected against side-on or
head-on collisions) is clear and kept clear) as per § 22(2)(1) BOStrab,
 determining the related interlocking points as per § 22(2)(1)(2) BOStrab.
DEF A route means the sequence of track sections, points, crossings, signals
and other adjustable or non-adjustable elements in § 22 BOStrab and train safety
regulations which are directly driven over or involved when driving from a given
start point to a given destination point.
Adjustable elements include for example points, crossings with adjustable

centrepieces, rail blocks, key locks, platform gates, chamber locks and level
crossings.
Non-adjustable elements include track sections and crossings without adjustable

centrepieces.
DEF A route is protected if the route between start and destination is protected
by a driving signal system or a train protection system. A protected route
consists of:
 the starting point (generally a driving signal or main signal),

 route elements between starting point and destination point and
 the destination point (e.g. a signal or dead-end track).
The existence of a protected route means that permission to proceed can be

issued by a driving signal or substitute signal according to the principles of driving
on-sight.
For individual points, a route is deemed protected if the point is protected against
switching by locking and occupancy detection.
DEF A sub-route is a route protected by a train protection system as per

§ 22 BOStrab. A sub-route consists of:

31
 the starting point (generally the main signal),

 route elements between starting point and destination point,
 flank protection elements on the route side,
 the destination point (e.g. a signal, dead-end track or end of line with train
protection), and
 optionally an overlap (D-Weg) behind the destination point.
The existence of a sub-route means that permission to proceed can be issued by

a main signal according to the principles of driving under control-command.
There are deliberately no features in the above definition of sub-route components

that relate to the type of headway control or speed signalling (e.g. coupled sub-
routes on occupied destination tracks). These features are categorised in the
Chapters Securing headway control or Securing speed.
DEF An overlap (D-Weg) is an interlocking core component of a route. The

overlap consists of:
 overlap elements between route destination point and overlap destination

point and
 optionally, flank protection elements on the overlap side.
ANF The length of the overlap from the route destination point must be at least
as long as the neutral section behind the route destination point mathematically
required for the train using the route with a specific speed profile.
In straightforward cases, the neutral section can be maintained so that clear track
signalling up to the danger point is performed and monitored along the route.
2
G
1
11 Freimeldeabschnitt des section

Clear track signalling Zielgleises
of the target track
2 Schutzstrecke ohne eigenen Freimeldeabschnitt
2 Neutral sections without their own clear track
signalling section
Figure 9: Neutral sections without their own clear track signalling section

32
Two sub-routes are different if they differ in terms of at least one component. Sub-
routes with the same route between start and destination but different overlaps are
different. Sub-routes with the same overlap but different numbers of routes
between start and destination are different.
DEF Route release is the release of internal locks and loads used to calculate
and protect a sub-route or protected route.
5.2 General sub-route functions

DEF There are three different measures to protect routes:
Degre Heading Explanation

e
3 Route - protected route (start/destination)
- available flank protection
- protected overlap with optional flank protection
2 protected route connected protected route elements between start
and destination
1 individual protected point route element individually protected against
switching by locking and occupancy detection
0 no route protection only unsecured route components
ANF Depending on the grade of automation, the following apply to measures to

protect routes:
Standard GOA0 GOA1 GOA2 GOA3 GOA4

3 Sub-route NA M M M M
2 protected route HR/M(1) HR(2) HR(2) HR(2) HR(2)
1 individual protected point HR NA NA NA NA
0 no route protection NR(3) NA NA NA NA
(1) HR, where seen under § 21(3) BOStrab as operationally required (e.g.
depot, switches and turn-backs); M to protect single-track lines.
(2) as a back-up with disrupted route to issue substitute signal
(3) only allowed when using points that cannot be adjusted remotely
(§ 17(6) BOStrab).
The calculation and monitoring of sub-routes or protected routes must be done in

several phases due to logical complexity, parallel processes and calibration time

33
requirements. The most important phases are defined below although other phase
classifications are not excluded.
DEF Approval testing tests whether the current condition of the interlocking
elements allows for the sub-route or protected route as a whole to be set. Approval
testing refuses the setting application if for example a necessary element is under
stress or locked. If approval testing for the route fails, it can be useful as a back-up
to test only the route (without overlap or flank protection) for suitability.
DEF The purpose of stress caused to an adjustable or non-adjustable element

by a route, overlap or flank protection requirement is to avoid excluding non-
compatible stresses to the element.
ANF The following are considered non-compatible stresses:
 stresses that require the element in a different position,

 route stresses for different routes,
 stress on the route and overlap stress in
 different directions.
The following may for example be compatible: Route stress and one or two
overlap stresses in the same direction as the route (the overlaps come from
various route destination points). In specific cases track-side stress from two
tangential overlaps is permitted, but in this case overlapping with a route is
excluded.
DEF The purpose of a lock on an adjustable element is to prevent it being

switched if the element is stressed by a route, an overlap or as flank protection.
Locking of other adjustable elements is a matter of logic. Force-locking or

interlocking of moving components in the outdoor facility must be ensured
independently.
ANF An adjustable element may only be locked if its current position in the
outdoor facility matches the target position in line with stress and the element in
the outdoor facility (where technically feasible) is locked against departure from
the target position by force-locking or interlocking.
DEF In train protection systems, the purpose of route monitoring is to

continually check the statuses of all route elements on the set route. The statuses
give the following results:

34
 not monitored if at least one element of the route is not monitored,

 subject to limited monitoring if all elements of the route are monitored
but not all elements of the sub-route are monitored, or
 fully monitored, if all elements of the route are monitored.
Limited monitoring can be referred to for issuing a substitute signal.
DEF In driving signal systems for route control (see Section 2.4) the purpose of
route monitoring is to continually check the statuses of all route elements on the
set route. The statuses give the following results:
 not monitored if at least one element of the route is not monitored,

 monitored, if all elements of the route are monitored.
ANF The monitoring statuses of the route or protected route must be included in
the issuing of the permission to proceed. Where the monitoring falls back to a low
level, an issued permission to proceed must be immediately revoked.
DEF The purpose of approach locking on the route is to prevent route retraction
if a train is within the braking distance from the start point and it has permission to
proceed.
DEF The purpose of route release is to relieve stress and lock a route or
protected route.
ANF The following types of route releases must be available:
 train-operated release through proper crossing and clearing the entire

route.
 Overall retraction (standard operation), provided approach locking has not
yet been engaged and no elements on the route have been driven over.
 Emergency release, as required, overall emergency release or release of
individual elements.
ANF With this type of route release, stress and locks may only be relieved when
it is ensured that permission to proceed has not been issued or has been revoked.
5.3 Route between start point and destination point

DEF The choice of route determines a clear route between start and destination
point. Where there are topographic alternatives, the route shall be chosen
according to specified rules. System-specific configurations or current positions
may be taken into account.

35
ANF The route between start point and destination point shall be set
automatically when setting a sub-route or protected route.
ANF The train-operated route release of route elements between start and
destination point shall occur in sections which correspond to the train detection
sections.
Route release by sections minimises blockage periods and train headways. In the
ideal scenario, each route element occupies its own train detection section and
terminates directly after crossing and clearing.
ANF The train-operated route release can be used to identify errors and
disruptions in train detection. Release of the route element is dependent on the
occupation and clearing sequence of its own and the two adjoining train detection
sections.
DEF Route adjustment refers to the function whereby the use of the remainder
of a route (i.e. still to be crossed by the front train) by one or more following trains
is facilitated. Adjustment causes a full route to be formed from the location of the
front train to the original route destination and the front train no longer initiates any
route release.
Route adjustment is possible in GOA2 to GOA4 if headway control for the

following trains is taken over by automatic train control.
5.4 Overlap
DEF Overlap selection refers to an overlap behind a destination point. System-
specific configurations or current positions may be taken into account (pre-set
connection route, short and long overlap depending on occupation status).
DEF There are four different overlap standards:
Degree Heading Explanation

3 exclusive overlap overlap free, all elements set, locked and monitored, level
crossing protected, no permissible stress in the opposite
direction (and no counter overlap), head protection (to
avert head-on collision) only through the exclusion of
adverse permission to proceed.
2 Overlapping Overlap free, all elements set, locked and monitored, level
approved crossing protected, stress to elements by overlap in the
opposite direction permissible.

36

1 trailing point slipped Overlap free, head slipping elements set, locked and
monitored, trailing point slipped elements unlocked and not
monitored, level crossing not protected, stress to elements
by overlap in the opposite direction permissible.
0 Overlap no technical measures behind train movement destination
relinquishment
ANF Depending on the grade of automation, the following requirements apply to the
fitting of overlaps:
Overlap requirement level GOA0 GOA1 GOA2 GOA3 GOA4

3 exclusive overlap NA HR HR HR HR
2 Overlapping approved NA R R NR NR
1 trailing point slipped NA R R NR NR
0 overlap waived HR NR (1) NR (1) NR (1.2) NR (1.2)
(1) overlap can be waived:
 in turning and parking facilities (without passengers),

 with signals that arrange driving on-sight no later than the destination
track.
(2) overlap can be waived:
 with stealth running (v ≤ coupling speed) before the destination point with
specific driving profile monitoring.
ANF The setting of an overlap should be automatic as part of the setting of a

route.
ANF Pre-setting overlap should be possible:
 by manually setting a specific overlap at the destination point, or

 by pre-setting an adjoining route.
ANF The conditions for monitoring the overlap (see table on overlap requirement
levels) are entered in the issuing of the permission to proceed. Where the
monitoring conditions are breached (e.g. through the occupation of an overlap
section), the permission to proceed to automatically be revoked.
DEF The function overlap overrun extends a set overlap with the release of the
track sections because the train in front has moved off.

37
ANF The task of (optional) overlap overrun is to extend an existing neutral

section automatically under certain conditions to allow for a higher speed when
approaching the destination point. If an overlap overrun is used to extend the
existing overlap destination point, a new overlap destination point must be safely
determined until a new overlap element is set, locked and monitored.
The overlap overrun only makes sense if the increased speed of the train can be
transmitted in time.
A special case of the overlap overrun is when a monitored route without an

overlap is automatically supplemented by an overlap.
ANF Depending on the grade of automation, the following requirements apply to

overlap release types:
Overlap release types GOA0 GOA1 GOA2 GOA3 GOA4

automatic train-operated release where the NA M M M M
train moves to another connection route
automatic train-operated release after the NA NR NR HR (1) HR (1)
train is recognised as being at a standstill in
the destination section through internal
detection
automatic train-operated release after the NA R R HR HR
train is recognised as being at a standstill in
the destination section through external
detection (2)
overlap time resolution (train-operated NA HR HR R R
automatically according to projected
occupation time of destination section)
manual rule resolution by operators (after NA NR NR NR NR
standstill recognition in destination section
by personnel)
(1) HR only applies in homogeneous systems (all trains with internal detection);
otherwise NR.
(2) External detection e.g. by platform protection system in the case of open
platforms.
ANF Automatic or manual overlap release after standstill recognition in the

destination section may only be effective if the route between start point and
destination section is already released and the overlap has not yet been
approached (= partially or fully driven over).

38
ANF For automatic train-operated release of the overlap if the train proceeds to a
connection route, the same release criteria apply as for the connection route.
5.5 Flank protection

DEF Flank protection is the securing of a moving train against dangerous
slanting collisions by other rail vehicles. Flank protection is ensured by setting,
locking and monitoring protective elements and by monitoring the protected area
(between the moving train requiring protection and the protective elements).
Level crossing protection systems are not flank protection elements according to
this definition. They are more often integrated as an element of the route between
start and destination or as an overlap element.
DEF Selection of flank protection determines the elements that should offer
flank protection. System-specific configurations or current positions may be taken
into account (e.g. substitute protection in the case of double protection).
DEF There are four different flank protection levels:

4 Tongue protection Slanting collisions are physically excluded by
setting and locking points (including train
movements without permission to proceed and
without effective train control). The protected area
is monitored for vacancy.
3 Rail block protection Slanting collisions are physically excluded by
setting and locking rail blocks or similar derailment
equipment (including train movements without
permission to proceed and without effective train
control). The protected area is monitored for
vacancy.
2 Light protection Signals that can be the start point for slanting
collisions in specific topography and in the current
point position are locked and monitored in the stop
position. The issuing of adverse permission to
proceed is excluded. The protected area is
monitored for vacancy.
1 Monitoring of protected No protective elements. The protected area is
area monitored for vacancy.
0 Flank protection waiver No technical measures to protect slanting
collisions.
In flank protection levels 3 and 4 the protective measures are also effective
against

39
 driving without permission to proceed (e.g. through a stop sign),

 vehicle movements without active train control or with active train control
but without sufficient neutral section (e.g. when moving off through the
stop sign indicating a departure signal with punctual train control).
Flank protection waiver means that the securing of a moving train against
dangerous slanting collisions is only ensured by excluding adverse permission to
proceed.

the fitting of flank protection between start point and destination point:
Flank protection standard GOA0 GOA1 GOA2 GOA3 GOA4

in route start destination
4 Tongue protection NR HR HR HR HR
3 Rail block protection NR HR(2) HR(2) HR(2) HR(2)
2 Light protection NR R R R R
1 Monitoring of protected area NR NR NR NR NR
0 Flank protection waiver R(1) NR NR NR NR
(1) Exception: In the event of a direct danger of collision on branch lines (no
ban on trains meeting, no possibility for the drivers involved to avert danger)
tongue protection should be applied.
(2) Rail blocks should not be incorporated in tracks over which passenger
trains run.

the fitting of flank protection in the overlap:
Flank protection standard GOA0 GOA1 GOA2 GOA3 GOA4

in the overlap
4 Tongue protection NA NRQ(1) NRQ(1) NRQ(1) NRQ(1)
3 Rail block protection NA NRQ(1.2 NRQ(1.2 NRQ(1.2 NRQ(1.2
) ) ) )
2 Light protection NA NRQ(1) NRQ(1) NRQ(1) NRQ(1)
1 Monitoring of protected area NA NR NR NR NR
0 Flank protection waiver NA R(3) R(3) R(3) R(3)

40
(1) Flank protection may generally be waived in the overlap because a train
must overlap and a second non-signalled run in the overlap of the first train
must take place for flank danger to happen.
(2) Rail blocks should not be used in tracks over which passenger trains run.
(3) If a flank protection element is available, it should as far as possible be set

in that position. Monitoring is not necessary.
ANF Where flank protection is waived in the overlap, breaches of overlap profile
when its protective area is occupied must lead to occupancy detection of the
overlap, so that permission to proceed is not issued or is revoked.
ANF The release of protective elements must be automatic with the train-
operated or manual release of the route elements requiring protection. It must not
be possible to manually release protective elements.
5.6 Level crossing protection systems

The decision to protect a level crossing must be made in accordance with
§20(4) BOStrab.
DEF The following are designated as technically secure level crossing actuators
to protect road users:
 Light signals
 upstream light signals
 half barriers
 footpath barriers
 acoustic signal generators
 Level crossing protection system interfaces with road traffic signalling
systems
ANF When fitting the technically secure level crossing with actuators the relevant
regulations must be taken into account as well as § 20 and Appendix 1 BOStrab.
ANF For level crossings on lines operated in GOA3 and GOA4, the requirements
of RL FoF also apply.
In the case of GOA3/GOA4 TRStrab FoF can completely exclude level crossings.
ANF Where due to local conditions there is a strong probability that the light
signals will not be observed, technically secure level crossings must be fitted with
half barriers and, where applicable, footpath barriers.

41
This can be the case for example near facilities for children, the elderly and the
infirm or the visually impaired.
To decide whether in addition to the half barrier a footpath barrier is also required,
foot traffic must be considered separately.
ANF Double and multi-track technically secure level crossings that can be
crossed by more than one train simultaneously must be fitted with half barriers.
Exceptions are permitted with level crossings for footpaths, cycle paths and
platform access points which are also designed, through line monitoring, that other
train movements after the first train drives by can be clearly noticed.
DEF Level crossing protection systems (BÜSA) are the actuators of a

technically secure level crossing and local installations to control and monitor
these. The level crossing protection system can be autonomous or integrated in a
train protection or driving signal system.
ANF With autonomous level crossing protection systems, secure status or

function monitoring is signalled by the monitoring signals Bü 0/Bü 1, announced by
Bü 2. With driving on-sight, driving signals (generally F0/F1) may be displayed
instead of the monitoring signals.
ANF If the level crossing protection system is integrated in the train protection or
driving signal system, monitoring of secure status or function monitoring must be
included in the route monitoring.
ANF Protection of train movement on a technically secure level crossing must

run in the following phases:
 track- and direction-related activation of the level crossing protection

system,
 phased setting and monitoring of actuators on the level crossing,
 System-specific delay time procedure before permission to proceed is
issued,
 continuous monitoring of actuators to issue permission to proceed,
 revoking of permission to proceed if the monitoring conditions are
breached or the level crossing protection system is deactivated.
ANF The level crossing protection system should be activated by the train.
ANF With integrated level crossing protection systems, the setting of routes
should not yet activate the level crossing protection system but prepare for train-

42
operated activation during shunting. The level crossing is activated with project-
specific criteria to be determined.
ANF One of the following architectures must be used to monitor the actuators.
Architecture Activation Monitoring conditions
Monitoring after activation not safe-life Activation of the level crossing

and (at least partial) protection system is track- and
protection direction-related, projected
actuators are monitored, system-
specific delay times have expired.
Monitoring according to safe-life The level crossing protection
availability control prior to system has no internal or external
secure activation malfunctions/disruptions that could
prevent the protection of the level
crossing; the level crossing
protection system is available.

the monitoring of actuators in the permission to proceed:
Monitoring the actuators GOA0 GOA1 GOA2 GOA3 GOA4

All available yellow lights lit up before M M M
red and are dark again ANF For level
crossings on lines
All red lights light up M M M operated in GOA3
Available half barriers have left the R HR NA and GOA4, the
upper stop position requirements of
RL FoF apply.
Available half barriers have reached NRQ HR M
the lower stop position
ANF The track-related deactivation of the level crossing protection system must
be train-operated directly after the level crossing has been cleared.
DEF If a level crossing protection system is activated for longer overall than a
system-specific time to be determined, increased inappropriate behaviour by road
users is to be expected ( Timeout).
ANF With timeout, the autonomous level crossing protection system must revoke
or deny signal Bü 1 (or F1) on all monitoring signals. Level crossing protection
must be maintained until
 the level crossing has been properly cleared or

 any existing system-specific base position time has expired or
 any existing ancillary deactivation has occurred.

43
ANF If the level crossing protection system is integrated in a train protection

system, permission to proceed in the case of timeout should not be revoked using
main signals or protection profiles. Under § 52(3) a timeout message must be
displayed and reported in the operation control centre. Level crossing protection
must be maintained until
 the level crossing has been properly cleared or

 ancillary deactivation has occurred.
ANF The base position of the level crossing protection system may only be set
automatically with autonomous systems. With integrated systems, ancillary
activation must be provided.
5.7 Switchover protection

Switchover protection for adjustable elements is a function that generalises the
requirement of § 17(6) BOStrab for points that can be adjusted remotely.
ANF Adjustable elements should be made dependent on train detection

independently of route protection. If an adjustable element is in an occupied
detection section, position requests (initiating switchover) must be automatically
rejected. Where there is no route protection, initial run lengths (e.g. before switch
point, before hangar gate) must be maintained to prevent dangerous entry in the
circulating element.
ANF Switchover movements of adjustable elements relating to track layout that

have begun must be completed to the end if the detection section is occupied after
the movement begins.
ANF If the system has both switchover protection and route protection, both
functions must be carried out independently insofar as technically feasible.
Generally, however, the same detection equipment may be used for switchover
protection and route release.
5.8 Detection for route protection and switchover

protection
At the level Securing the route, detection is required inter alia for the following
functions:

44
 Initiation for automatic route positioning,

 Initiation of delayed signal positioning,
 Initiation for timely activation of level crossing protection system
 Approach locking of route,
 train-operated route release,
 overlap time resolution,
 train-operated deactivation of level crossing protection system,
 switchover protection for adjustable route elements,
ANF With switchover protection for adjustable route elements untimely clear
track signalling must be seen as a dangerous failure of the protection device.
ANF With train-operated route release and train-operated deactivation of the

level crossing protection system, an untimely sequence free occupied free
must be seen as a dangerous failure.
For example, a short-term failure of the power supply to the track-side train
detection systems or a short-term interruption of axle-counting data transfer must
not lead to the situation where the sequence free occupied free is generated
without any train travel thus triggering untimely release and deactivation.

45
6 Securing headway control
6.1 Principles
Pursuant to § 22(2)(1) BOStrab, Securing headway control between trains
relates to the fact that at least the braking distance from identifiable safety
obstacles (here: moving and stationary trains) is clear and kept clear.
The following types of identifiable moving and stationary trains may in principle be
used in the route to be protected:
 through headway operation,

 through contraflow operation,
 through side-on operation (over common points or crossings).
DEF The following are different headway control levels:

4 Moving block Based on internal detection of the front train
and the following train, the trains can follow
each other at a distance which covers the local
braking distance for the current speed of the
following train and the neutral section.
3 Driving at clear track Between the start and destination point on a
signalling distance route, other destination points are set up for
(moving up) headway control at externally detected clear
track signalling sections. Between start and
destination point on the route there may be
more than one train but not between two
destination points following each other within
that headway control.
2 Block interval driving Between start and destination point on a route
there is no more than one train. The
destination points of route protection and
headway control are identical.
1 Driving in partially occupied Driving in partially occupied track. Driving on-
tracks, coupled driving sight conditions apply on the destination track.
The position of the vehicles on the destination
track is variable.
0 driving on-sight Headway control by driver alone
ANF It must be expected at all times that the front train may come suddenly to a
halt. The danger point is always assumed to be the last known location of the end of
the front train. This applies in particular where (internal) detection of the front train
fails.

46
6.2 Excluding contraflow

ANF The exclusion of contraflow required in § 49(5) BOStrab for single-track
sections must be met at the level of Securing the route by excluding contraflow
routes.
ANF The exclusion of contraflow must also be met at the level of Securing
headway control by not issuing or revoking permission to proceed if a vehicle
coming in the opposite direction or the front train rolling back is safely detected.
In GOA0 the start signal must be set from F1 to F0, if the dependent activated driving
signal system on the other end of the single-track line detects an adverse movement
via Cancel contact at the counter-signal of via Deactivate contact at the
destination of the set route.
In GOA1 to 4 the issued permission to proceed must immediately be revoked if an

untimely occupancy is detected within the route or secured route.
ANF With driving signal systems for GOA0, e.g. with driving signal systems for
single-track lines, permission to proceed may only be issued by the signals F1, F2 or
F3 if exclusion of contraflow has been ensured. Several trains may follow in the same
direction only once the opposite direction has been released, as soon as all the
following trains have left the line.
Operation of the following trains with driving signal systems requires unbroken train
detection or in the case of punctual train detection train counting.
ANF For driving on partially occupied tracks and coupled driving, the train
protection system and the operational rules including signalling rules must ensure
that the vehicles on the destination track are not moving in the opposite direction to
the oncoming train.
Where a track is partially occupied, however, oncoming vehicles need not be

expected.
In the train protection system, the requirement may be met e.g. by switching on
safety stop signals or cancelling priority signals and, where applicable, using train
control (anticipated train stop).

47
6.3 Headway control detection

ANF With all detection systems, the technical measures or standing instructions
must be ensured that a track section is locked for regular operation before being
used by a vehicle that is not safely recognised due to the properties of the detection
system.
Such bypasses of the detection principle are e.g:
 Setting up a second route in an axle-counting section,

 Setting up a vehicle without sufficient train shunt (with plastic wheels or
insulated axles) in a track circuit,
 Entry of a diesel or battery-powered locomotive on a single-track line with
overhead line contacts,
 Use of vehicles without internal detection or with defective internal
detection in a system with internal detection only.
ANF With track circuits, the factors that could lead to insufficient train shunt must be
taken into account and controlled:
 silting (isolated positioning of a vehicle on braking sand),

 rust (with rarely frequented sections or newly built rails),
 tar (with urban rail systems introduced in the train protection area),
 leaf fall (on the surface),
 interruption of return conductor connections to the wheels and in the
wheels.
ANF The ancillary operation Initial axle-counting position must be secured using
standing instructions and, where possible technical measures against inaccurate
clear track signalling of an occupied clear track signalling section.
The possible technical measures go beyond the required securing of ancillary

operations (see Chapter 9). Alternative clear track signalling can for example be
made dependent on the fact that the last recorded movement was a count or that a
plausible initial test drive over two or more axle-counting points was recorded.
ANF With internal detection in vehicles, the factors that can distort the detection
results (occupation, location, speed) must be taken into account, such as gliding and
skidding of axles with odometer pulse generators.

48
7 Securing speed
7.1 Basic concepts

DEF Securing speed consists of two functions issuing permission to proceed
and Monitoring train driving quality (§ 22(1)(3) BOStrab).
For better understanding, the definition of permission to proceed is taken from

Section 3.4.2:
DEF Permission to proceed represents the instructions for driving a train (§ 22(1)
(2) BOStrab). It applies within specific limits and contains
 basic approval to drive a train,

 where necessary, information on permitted speeds, and
 where applicable, restrictive conditions required to ensure specific
operation modes or operational situations, such as driving in parking
facilities, driving on partially occupied tracks, coupled driving, driving with
substitute signals, emergency stop, driving over unsecured level
crossings.
In international regulations, permission to proceed is referred to as movement

authority. Restricted permission to proceed (e.g. driving with substitute signals or
warning signal) is referred to as degraded movement authority.
Depending on the grade of automation, the key parameters of permission to

proceed are transferred, encoded for each train, by technical means (e.g.
stationary light signals or data telegram; the full meaning of permission to proceed
with all behaviour requirements is the result of the combination of the transferred
parameters with the standing instructions including signalling rules.
7.2 Issuing permission to proceed

ANF Permission to proceed may only be issued if the vehicle and headway
control are secured.
The levels Securing the route and Securing headway control provide, in
addition to basic approval for train movement, the limits thereof, permissible speed
and restrictive conditions required due to specific operation modes or operating

49
situations, such as driving in parking facilities, driving in partially occupied tracks,

coupled driving, driving with substitute signals, emergency stop, driving over
unsecured level crossings.
DEF Permission to proceed may be issued or revoked by stationary signals or by

a protection profile.
ANF Permission to proceed issued by stationary signals must be issued at the

start point of train movement by a main signal and applies after driving by this
point to the next destination point. Permission to proceed may be actively revoked
to control emergency situations at specific locations between start point and
destination point by stationary signals (e.g. by stationary emergency signals at
stops). Permission to proceed may be actively modified at specific locations by
stationary signals (e.g. upgrading speed after leaving the point area or
downgrading due to a low-speed line).
With stationary signal systems, revoking permission to proceed does not

necessarily lead to timely service or emergency braking.
DEF The train protection profile can be transmitted punctually or continuously.
DEF Cyclically constructed, unbroken transmission is considered continuous

transmission if withdrawal and revocation of permission to proceed is effective
within defined short routes or driving times, meaning that the security objectives
set out in the risk analysis are met.
ANF With a punctually transmitted train protection profile, permission to proceed

must be issued at the start point of train movement and applies after driving by this
point to the next destination point. Permission to proceed may be actively revoked
to control emergency situations at specific locations between start point and
destination point by stationary influence points (e.g. in the case of emergency
signals at stops). Permission to proceed may be actively modified at specific
locations by stationary interference points or signals (e.g. upgrading speed after
leaving the point area or downgrading due to a low-speed line).
With a punctually transmitted train protection profile, revoking permission to

proceed does not necessarily lead to timely service or emergency braking.
ANF With a continuously transmitted train protection profile, permission to

proceed must be issued at the start of train movement and continuously confirmed

50
or renewed during travel to the specified destination point. Permission to proceed

may be actively revoked to control emergency situations at any location between
start point and destination point (e.g. in the case of emergency signals at stops).
Permission to proceed may be set or modified depending on the situation (e.g.
upgrading or downgrading speed).

the transmission of permission to proceed:
Issuing and revoking permission GOA0 GOA1 GOA2 GOA3 GOA4

to proceed
by stationary signals HR HR NA NA NA
by punctually transmitted train NR R NA NA NA
protection profile
by continuously transmitted train NR NRQ HR M M
protection profile
ANF The train protection system and standing instructions including signalling rules
must be so designed that when the permission to proceed is complied with
§ 54 (3) BOStrab can be met. Passenger vehicles may only be accelerated and
braked in such a way that passengers are not endangered any more than can be
avoided. Exceptions are for example emergency situations justifying immediate
withdrawal of permission to proceed and braking actions with the highest possible
deceleration, or unavoidable influences due to disruptions to the train protection
system.
This requirement must be observed in the (generic) design of the system but also
specifically adapted, e.g. when calculating sight points and installing advance
signalling.
An example of avoidable influence due to disruption to the train protection system is

emergency braking with the highest possible deceleration (with rail brakes) after
failure of data transmission of the train protection profile.
The train protection profile must in fact be so designed that service braking is always
available if transmission fails (see § 22(2)(1) BOStrab and the official justification for
§ 22).

51
7.3 Integrating statuses in the permission to proceed

ANF The train protection system and standing instructions including signalling rules
must be so designed that it is always clear which operating system statuses are
entered in the permission to proceed and train protection profile and which are not.
The basic concept of secured route suggests that all adjustable and non-adjustable
moving route components (such as spring-loaded points, level crossings or road
traffic signalling systems) are included in the issuing of permission to proceed,
insofar as they are relevant to operation.
With driving on-sight (GOA0) historically developed architecture with lower

integration level may remain in place, e.g.
 a driving signal system that does not depend on adjacent road traffic
signalling systems for a single-track line, or
 an individual point controller that does not depend on road traffic signalling
systems in the same hub.
ANF If different qualities of permission to proceed are displayed in a transport

company by the same signal patterns (e.g. driving signals), the signals must be
differentiated in terms of design (e.g. differently designed mast signs or identification
plates).
In the train protection area (GOA1) it can happen that hangar or platform gates (on
adjacent tracks) or chamber locks are not integrated in the permission to proceed.
ANF The safe states for moving route elements must be integrated in the
permission to proceed and the train protection profile according to the following rules.
Integration of safe states for GOA0 GOA1 GOA2 GOA3 GOA4

elements in the permission to
proceed
facing point HR (2.3) M M M M
trailing point R(1) M M M M
emergency stop switch NR HR M M M
Hangar gate, platform gate NR HR M M M
(on adjacent tracks)
Chamber locks (on main tracks) NA HR M M M
Level crossing protection system R M M NA NA
(See Section 7.5)

52
Road traffic signalling systems R NA NA NA NA
(1) Integration may only be dispensed with if the point construction type allows
for trailing in the wrong position (spring-loaded point, trailable points).
(2) Instead of integration, coordination also allowed (avoiding contradicting

signals)
(3) Standard depending on operational conditions (ban on trains meeting)
Requirements for stationary signalling may arise from the chosen integration level,
see Section 7.4 Stationary signals.
7.4 Stationary signals

ANF Where permission to proceed is issued by stationary signalling, route start
point and destination point must be indicated by main signals (H), protection signals
(Sh 2) or special signals (So 1 to So 4) as per Appendix 4 BOStrab.
ANF Where permission to proceed is issued by stationary signalling at GOA1, travel

on partially occupied destination tracks must be displayed by specific signals (couple
signals) to indicate the driving on-sight conditions to the driver on the destination
track.
ANF With GOA1 to GOA4 travel under driving on-sight due to disruptions to route
protection or headway control must be ordered by stationary signals (substitute
signals, additional signals for individual order, disruption signal).
ANF Where moving safety-related route components do not have their own
stationary signals to indicate their status and to allow train movements, they must be
integrated in the permission to proceed. Where integrated in the permission to
proceed, stationary signals may be used as a back-up (point signals, protection
signals including emergency signals, monitoring signals for level crossings).
ANF With GOA1 to GOA4 no point signals may be set in routes; end position
monitoring of all points must be integrated in the permission to proceed.
ANF Where the permission to proceed is transmitted to the train, the stationary
signals of the permission to proceed may not countermand it.

53
This requirement helps avoid driver personnel becoming accustomed to contradictory

permission to proceed signalling and to ignoring it. The requirement also facilitates
tests, trial operation, safety testing and acceptance.
The requirement may be met (in coordination with the standing instructions for
driving and the signal book) by:
 blanking stationary signals (for trains no transmitted permission to

proceed, the blank signal is rated as a stop signal).
 limiting the validity of stationary signals, e.g. in the following point zones,
where moving up is excluded to avoid contradiction from the outset.
ANF Where stand-alone speedometers are used (i.e. speed signals such as G1b or
G2b BOStrab that are not connected to a main signal), the signal image of the
speedometer cannot have any influence on permission to proceed, i.e. permission to
proceed cannot be either confirmed or revoked.
7.5 Monitoring level crossings

ANF To cross a level crossing in normal operation the train must have permission to
proceed in which the safety status of the level crossing is integrated. Under
§ 20(5) BOStrab permission to proceed relating to the level crossing by monitoring
signals Bü 0/Bü 1 pursuant to Appendix 4 BOStrab (announced by Bü 2) or relating
to the route must be issued by the permission to proceed for the train protection
system.
The two variants allowed by §20 BOStrab are designated Monitoring type ÜS (for
monitoring signal [Überwachungssignal]) and Monitoring type Hp (for main signal
[Hauptsignal]). The monitoring types allowed for railways Fü (for external
monitoring [Fernüberwachung]) and Bed (for operator servicing [Wärterbedienung])
are not allowed in BOStrab requirements.
ANF The monitoring types may be combined depending on the direction of travel.
A level crossing may be monitored for travel in one direction with main signals and
with travel in the other direction with monitoring signals.
ANF With systems with transmission of permission to proceed to the train (driving
can signalling or train protection profile) monitoring signals Bü 0/Bü 1 (announced by
Bü 2) may be set as back-up.

54
ANF Permission to proceed via monitoring signal, main signal or train protection
profile may only be issued in respect of track and direction.
For example, on an activated level crossing track, the monitoring signals for both
directions of travel may not show Bü 1 simultaneously.
7.6 Monitoring train driving quality

DEF Technical monitoring of train driving quality pursuant to § 22(1) BOStrab can
be either punctual or continuous.
ANF In the case of punctual monitoring of driving quality, the impact of dangerous
deviations required under § 22 (1)(3) BOStrab may only have a punctual effect. In the
case of continuous monitoring, the impact of dangerous deviations must also have a
continuous effect.
DEF Monitoring train driving quality relates either to pure movement and direction
or to speed.
ANF Depending on the grade of automation, the following requirements apply to the
selection of train control systems:
Monitoring train driving quality GOA0 GOA1 GOA2 GOA3 GOA4

punctual monitoring of movement NRQ R NA NA NA
and direction
punctual monitoring of speed NR HR NA NA NA
(including direction)
continuous train control system NR NR HR NA NA
without reverse channel vehicle >
line
continuous train control system with NR NR NRQ(1) M M
reverse channel vehicle > line
(1) With internal detection, the reverse channel is mandatory ( M obligation).
ANF Depending on the train control system and the grounds for its response,
emergency braking may only be released
 after the grounds for response are eliminated, or additionally

 after standstill has been safely detected, or additionally
 after ancillary operations or manual operating mode changeovers are
released.

55
ANF With GOA3 and GOA4 the execution of brake commands must be
automatically monitored by the train control system (§ 38(1)(3) BOStrab).
ANF With the safety planning of punctual monitoring of train driving quality it must
be assumed that the driver is driving past the monitoring location (e.g. the signal
indicating stop) at the speed last signalled or the speed regulated by the standing
instructions. Where there are speed monitoring installations on the route before the
monitoring location, the last punctually monitored speed may be assumed.
Acceleration beyond the last signalled or last monitored speed need not be assumed.

56
8 Detailed architecture
8.1 Overview
In contrast to the previous chapters on preferred architecture, the Chapter Detailed
Architecture does not deal with the allocation of specific safety functions and safety
requirements to signal and train protection subsystems but with the internal
configuration of the individual subsystems. Regardless of the concrete tasks for each
subsystem, the following questions are covered:
 How can the interaction of universal (non-system-specific, where

applicable operator-independent) and system-specific functions in a
subsystem be designed to minimise total expenditure on technical
components and safety work?
 How can the interaction or coexistence of safety-relevant and non-safety-
relevant functions in a subsystem be designed to minimise total
expenditure on technical components and safety work?
8.2 Generic and application-specific

For the reusability of hardware and software components together with their safety
certification and approvals, DIN EN 50129 recommends introducing three different
categories as part of a modular approach.
8.2.1 Specific application
DEF A specific application is only used for an individual system. It may be installed:
 track-side in a specific route area or

 on-board in a specific vehicle.
The specific application includes the system-specific topography, configuration and

project planning.
Examples of specific applications are:
 the electronic interlocking system at Berlin Uhlandstraße (with local

operator terminal),
 the train protection system control centre at Düsseldorf Heinrich-Heine-
Allee,

57
 the continuous automatic train control system of the Nuremberg twin unit
763/764,
 the Berlin Bösebrücke driving signal system,
 the Karlsbad Bahnhofstraße level crossing protection system.
A specific application can form the basis for one or more generic applications for
subsystems and generic products.
The specific application requires a system permit. This is valid for the individual
system in a specific configuration and project planning.
8.2.2 Generic application
DEF A generic application is a class of application for a defined task that can be
configured and planed for different specific applications. The generic application
includes all required functions and any optional functions for the defined task.
Examples of generic applications are designs (types) of:
 Electronic interlocking systems for trams and underground railways,

 Remote controls for relay interlocking installations,
 Driving signal systems for single-track lines,
 Level crossing protection systems for tram level crossings as per
VDV Guideline 341.
A generic application may form the basis for one or more generic products. Type
approval may be issued for the generic application. Type appraisal and type approval
on which it is based can be used in the defined application scope in the approval
process for one or more specific applications.
8.2.3 Generic product
DEF A generic product is an installation with defined framework conditions,

interfaces and functionality which
 is independent of the generic or specific application and

 can be used in different generic or specific applications.
Under DIN EN 62290-1, examples of generic products are: point mechanisms, axle-
counters, real-time operating systems, secure computer platform without user
software.

58
Product approval may be issued for the generic product. Product appraisal and
product approval on which it is based can be used in the defined application scope in
the approval process for one or more specific or generic applications.
A specific application consisting of several generic products requires in each case

further specific verification calculation and approval.
8.3 Separation according to safety relevance

ANF Non-safety-relevant functions must be integrated as far as possible in a safety-
relevant system if
 the non-safety-relevant function runs from the outset as per specifications

and operating conditions,
 Changes to planning are not expected, even where the environment
changes (e.g. schedule, vehicle parameters, vehicle dynamics), and
 functional extensions or links to other non-secure functions are not
expected.
An example of a non-safety-relevant function is an automatic route setting indicator

which attempts to set a pre-configured route when an approach section is occupied
and special approval criteria are met, is programmed to often repeat a failed attempt
and generates an alarm (optical or acoustic) and an error message in the event of
definable definitive failure.
8.4 Absence of repercussions on networks

Where non-safety-relevant subsystems are connected to networks in addition to
safety-relevant subsystems, the possibility for non-safety-relevant network
participants to have dangerous repercussions on the safety-relevant functions must
be safely ruled out.
A typical example is the non-safety-relevant automatic train routing computer on the

control system network. It must be provided with the statuses of many interlocking
elements and must (as with human operators) be able and currently entitled to set
routes. Therefore, it can mainly use the transmission methods and formats via which
other standard operations and even safety-relevant ancillary operations are
completed (see Chapter Operation and display ). The latter must however be
securely barred to the automatic train routing computer.

59
Another example is the picking up of interlocking notifications for service and

diagnosis, where applicable also remote diagnosis, and for operational data
acquisition systems (e.g. for statistical and accounting purposes). Here,
manipulations of secure functions over these non-secure subsystems must be safely
ruled out (including operation and display).
8.5 Restart behaviour

ANF When a subsystem is restarted, ordered blocks and restrictions (e.g. travel
and switch blocks, registered speed restrictions) must be restored, if possible
automatically, from redundant data retention.
ANF If ordered blocks and restrictions are not automatically restored, release for
operation subject to authorisation (Release operation after start-up ) must be
envisaged. Before this operation is executed, the subsystem may only allow
restrictive operations (registering blocks and restrictions, stop positions, etc.);
changeovers and route setting must be rejected.
ANF After a subsystem starts up, moving route elements may not be automatically
adjusted even if they are not in their defined base position or not in a compatible
position.
For example, the following may not be automatically adjusted: Points and rail blocks
with projected base position, with projected sequential interlocking to other elements
with several drives (even if the drives, e.g. of tongues and crossing have
incompatible positions).

60
9 Operation and display
9.1 Overview
Operation and display are cross-departmental functions required for most signal and
train protection subsystems. In addition, the concentration of operational control and
monitoring leads to a situation where the human-machine interfaces of the various
subsystems must be as fully integrated as possible in the same multi-functional
operations control system and at a minimum must be harmonised. Consequently, it
makes sense not to specify key requirements for operation and display at the level of
individual subsystems but at overall system level.
DEF Operation of signal and train protection systems includes all technical
equipment and functions with which operatives can issue orders to secure and
control train operation.
DEF Display of signal and train protection systems includes all technical equipment
and functions that show operatives the overall condition of the system to process
train operation.
9.2 Overall system, control centre facilities

ANF The central operating and display facilities of the signal and train protection
subsystems must be integrated as far as possible.
This is to avoid classification errors by personnel when interpreting displays and

operating the different subsystem functions (e.g. clear track signalling, route
protection, continuous automatic train control, platform protection system).
ANF When integrating operating and display installations of different subsystems,

simple operation, clarity of display elements and availability of the overall system
must be maintained if the subsystems fail.
For example, if continuous automatic train control fails, the statuses of interlocking
elements and the platform protection system must remain recognisable.

61
9.3 Display
ANF The signal and train protection elements must be represented in schematic,
topographical form in the displayed image.
ANF Where the size of the system so requires, the displayed image must be
representable in at least two levels of detail.
Normally the two levels of detail are area overview and magnifier (interlocking
system or line magnifier, vehicle magnifier).
ANF It should be possible at the operator terminal to show a large area at a low
level of detail and a selected section of that area at a high level of detail. If this is not
possible, it must be possible to make a fixed presentation of the overall area (at a low
level of detail) from the operator terminal.
Panorama panels are used to make a fixed presentation of the overall area.
ANF To present the statuses of the signal and train protection elements symbolic
forms, colours (foreground and background colours), typeface and dynamics
(continuous/blinking light) must be used ergonomically. This includes
 clear discrimination of symbolic forms with different meanings,

 good colour contrast between colours with different meanings,
 sufficient colour contrast between foreground and background colours,
 continuous (i.e. non-blinking) display image at default state,
 as far as possible, no use of different blinking patterns.
ANF The choice of colours for element statuses must follow a uniform, easily
remembered concept. The meaning of the colours must be identifiable accurately and
without aids (keys, display catalogues).
For instance, it makes no sense to present the status (open, closed) of a platform
gate using coloured circles (e.g. white, red). It makes sense to either use a form
symbol to represent track status horizontally and vertically or a changing typeface
open/closed.
For instance, it is not user-friendly to display (temporary) speed restrictions in the

track layout diagram with different colours (orange = 25 km/h, blue = 40 km/h, yellow
= 60 km/h).

62
ANF The colour concept must be compatible with standardised or generally

recognised colour codes, particularly with the signal images of the transport
company.
If they have the requisite compatibility with signal images, simplifications are allowed.
For instance, the signal images H1 (green) and H2 (green over yellow) in the display
image may be presented with a green signal head.
ANF One of the following basic systems must be used to illuminate platform strips:
Basic system Background clear and not clear and occupied

stressed stressed
Type 1 bright black or dark grey yellow red (2)
(similar to control
desk)
Type 2 dark blue yellow red (2)
Type 3(3) dark yellow green or blue (1) red (2)
(1) Route and overlap stresses may be differentiated by colour in platform

strips (route green, overlap blue). The colour differentiation between route
and overlap is recommended for underground railways with short
headways, if overlaps extend to or even beyond the length of the route.
(2) Where due to the system architecture several trains can regularly stay in
the same track clearance section, the platform strips should be specifically
marked.
(3) Type 3 illumination shows the current standard.
The difference between running routes and shunting routes is not generally required
in areas covered by BOStrab.
ANF The occupied status display must not be displaced by other status displays
(e.g. stresses, blocks, storage, operation markings).
ANF Particular statuses of clear track signalling (e.g. preliminary initial axle-
counting position, disruption of logical clearance) must be displayed on or in the
platform strips. Additional symbols, identifiers or the colour of the platform strip
should be used for this.
ANF Where the display image can be presented at several levels of detail, the
presentation of the statuses of the signal and train protection elements between the

63
levels of detail must be compatible and consistent. The same shapes and colours
may not have different meanings.
For instance, a main signal in the interlocking system magnifier usually consists of
several information-bearing partial symbols such as head, mast, foot and identifier. If
the main signal must be very simply presented in the area overview so that mast and
foot do not contain any more changing information, then mast and foot must also no
longer be displayed as in the magnifier. A tried and tested presentation of this is a
coloured triangle with the head in the direction of travel.
ANF If the display image can be presented at several levels of detail, the
presentation of the track layout diagram must be topographically similar at the
different levels of detail, and must in particular be oriented identically.
The direction of travel of a train must be presented identically at all levels of detail,
i.e. for example from left to right overall (not from right to left, from top to bottom or
from bottom to top). Exceptions are only allowed with connectors of short length.
ANF Status changes in elements must generally be displayed within 1 s.
Generally can quantitatively be replaced by in 95% of the operating time,

qualitatively with except in specific operating conditions such as set-up times and
redundancy switchovers.
ANF Image loading times may not generally exceed 2 s (measured from image
selection to full image composition).
9.4 Operation
ANF Operation and display of a signalling element must be integrated in the
operator terminal. This means that operator commands are incorporated using the
display symbols and the operated element where possible is marked in the
display image.
This is to avoid classification errors by personnel when interpreting displays and

during operation.
ANF The response times of operating and display systems to operations must not
exceed 1 s as a general rule.
ANF Response and processing times for emergency controls must not exceed 1 s
overall as a general rule. Deviations must undergo risk analysis.

64
9.5 Standard and ancillary operations

DEF Standard operations are operations which during approval testing and
execution do not cancel or bypass any technical safety dependencies.
Standard operations include for example point switching, point switching blocking,
route setting and route cancellation. For some transport companies the position of
the substitute signal (warning signal, additional signal for individual order) is also a
standard operation, because route monitoring at substitute signal level is a
prerequisite and responsibility for headway control via signalling is fully transferred to
the driver.
DEF Ancillary operations are operations which during approval testing and
execution cancel or bypass technical safety dependencies.
Ancillary operations include for example
 ancillary point switching which (in contrast to point switching) is also

executed on points reported as occupied (i.e. where applicable under the
train),
 ancillary point release to release route locking of a point regardless of the
current state of the route, start signal and train approach.
 initial axle-counting position where axle-counter is set to zero regardless of
the number of vehicle axles actually available (which under certain
circumstances can lead to immediate or premature clear track signalling),
 ancillary activation of a level crossing protection system to release the
level crossing for road traffic directly and regardless of whether a train is
approaching,
DEF Standard operations subject to authorisation are standard operations

which during approval testing or execution do not cancel or bypass any technical
safety dependencies but which may only be initiated under the full responsibility of
the competent human operator to avoid hazards.
Standard operations subject to authorisation include operations which
 lift blocks (unblock track crossing, unblock point for switching, unblock
signal, unblock automatic change direction, etc.),
 confirm to the technical system that the responsible operator has
successfully carried out specific safety-related testing (permission for

65
specific travel; clear signalling of level crossings with full barrier and
observation),
 increase level of or fully cancel speed restrictions,
 change operating modes (particularly from manual or servicing mode to
standard mode or automatic operation),
 cancel continuous activation (e.g. of level crossing protection system),
 reset failure or emergency states (e.g. reset triggered emergency stop
switch, platform protection system, derailment detector, fire detectors;
reset triggered speed monitoring installations),
if the related hazards are not counteracted by other operating or technical measures.
ANF When classifying standard operations as subject to authorisation or not subject

to authorisation, a hazard analysis must be carried out based on standard
instructions and any other safety devices available. An operation is subject to
authorisation when the untimely or faulty execution of the operation poses an
unacceptable risk.
The unauthorised unblocking of a track for travel is a danger to personnel on the

track and train traffic using the track released in an untimely fashion and which is not
yet navigable (broken rails, construction work, maintenance). Danger caused by
unauthorised unblocking can be counteracted in two ways:
 either through an unblocking operation subject to authorisation

 or through standing instruction, which must also
 prescribe protective measures, e.g. triggering occupancy detection
 using a jumper in the track circuit.
DEF Ancillary operations and standard operations subject to authorisation are

together referred to as operations subject to authorisation.
Classification is clarified by the example of the usual conditions for point switching:
not subject to authorisation subject to authorisation

standard operations switch points. block points block points for switching.
against switching.
ancillary operations -- This combination is not Switch occupied points. Switch
permissible -- trailed points.
ANF The input, transfer and execution of operations subject to authorisation must
be treated as safety-relevant functions and secured against the following hazards:
 that an input operation is executed before the operator can check it in

detail and confirm.

66
 that the operation comes from an unauthorised source (e.g. from an

automatic train routing computer or service computer),
 that an input operation not subject to authorisation has wrongly been
effected as an operation subject to authorisation (e.g. input point switching
effected as ancillary switching),
 that the order type of the input operation is wrong (e.g. input unblocking
against travel effected as initial axle-counting position),
 that an operation is effected on the wrong element (e.g. initial axle-
counting position effected on another track than on the track actually
visually checked for vacancy),
 that an operation is effected at the wrong time (delayed, repeated,
spontaneous),
 that an operation cancelled by the operator remains effective.
Assuming specific implementation concepts, the following operations subject to

authorisation are also referred to as operations
 subject to order release,

 input-secured or
 procedure-protected.
Whether operations subject to authorisation must also be counted or logged depends

on the above safety requirement and are dealt with in the Logging and recording
section.
ANF For ancillary operations with global effect (i.e. involving many elements
simultaneously), hazard analyses must be carried out.
A global initial axle-counting position for an entire interlocking area is generally not
justifiable or realistic because for a secure and problem-free application, the entire
area must actually be fully cleared. A global initial position for start-up disruptions to
logical clearance is generally justifiable to release the disruptions as quickly as
possible after starting up an interlocking computer.
ANF Where an ancillary operation bypasses a specific safety dependency of the

standard operation, approval testing of the ancillary operation of this specific
dependency should be discounted. Approval testing should not be made the logical
counterpart to the specific dependency as a condition of the ancillary operation.
For example, ancillary point switching should not be made dependent on whether the
point is actually reported as occupied. This includes the following justifications:

67
(1) The operator has increased responsibility and duty of care for ancillary
operations anyway. It can be assumed that the operator does not use
ancillary operations for no reason if standard operations would be
permissible and effective.
(2) Availability will be increased if the ancillary operation to bypass a

dependency can also do this in all disruptive events and undefined
statuses. Point switching without depending on the actual occupancy
detection is for example also available if
 clearance was rated as disrupted (e.g. anti-valence error on import),

 clearance between occupancy and clear states flutters at low frequency
 (e.g. with audio-frequency track circuit),
 the point itself is adjustable and monitored but the connection to
 related clearance elements has failed (undefined clearance status).
EXT ANF Operating personnel are expected to choose the operation variants or
operating sequence with the highest possible safety level depending on the situation.
For instance, to secure a moving train, the operator is expected to choose the main
options in the following sequence (with decreasing safety level):
 Route setting with driving signalling.

 Route setting with substitute signalling (warning signal, additional signal
for individual order, disruption signal, etc.).
 Route setting and individual verbal order against stop signal.
 Single setting and switch blocks on route and flank protection points and
individual verbal order against stop signal.
 Single setting of route and flank protection points, track chain blocking of
automatic point setting procedure and individual verbal order against stop
signal.
9.6 Logging and recording

Activities to maintain operational and traffic safety are also, pursuant to EN 50126
and TRStrab SIG ZA, described as continuous tasks in the life cycle phases
 Operation and maintenance

 Recording performance.
In the event of irregularities and accidents, recording and reconstruction media are
extremely helpful.

68
ANF Ancillary operations must be logged with clear parameters (operator terminal,
time, operated element, operated command). In the case of disruptions to technical
logging the operator must log events manually. To demonstrate the exhaustiveness of
technical and any manual logging, ancillary operations should be continuously
counted.
ANF Standard operations subject to authorisation must not be logged or counted as

ancillary operations.
DEF In Recording level 1 the ancillary operations and any standard operations
subject to authorisation are automatically recorded.
DEF In Recording level 2 all standard and ancillary operations and all textual error
and fault messages generated by subsystems are automatically recorded.
Recording level 2 corresponds to the operations log.
DEF In Recording level 3 all standard and ancillary operations, all textual error and
fault messages generated by subsystems and all operational status messages are
automatically recorded.
Recording level 3 includes the record & playback function, i.e. continuous recording
and playback where necessary of interlocking magnifier images.
ANF New signal and train protection systems must implement Recording level 2 at
a minimum. Where possible, Recording level 3 should be implemented.
ANF The recordings collected under Recording levels 2 and 3 must where
necessary have an option for manually or partly automated evaluation for the
following objectives:
 Information on accidents and other irregularities.

 Statistics on technical safety reactions.
 Statistics on technically related errors and faults.
 Statistics on ancillary operations.
 Qualitative assessment of frequency and reasonableness of ancillary
operations.
 General operating statistics as the basis for risk analyses.
ANF To facilitate reliable optional evaluation of recordings, the reporting timestamps

of subsystems involved must be synchronised with sufficient accuracy. The same
applies to vehicle reporting timestamps.

69
10 Annexes
10.1 Abbreviations
The abbreviations of acts, ordinances, standards and other regulations are not listed
here but in Annex 3 (Acts and regulations, guidelines and standards).
Internal text marks for TRStrab SIG (such as ANF for requirement) are grey
shaded.
aaRdT The generally acknowledged rules of technology

ANF Requirement of TRStrab SIG
BÜ Level crossing
BÜSA Level crossing protection system
DEF Definition of TRStrab SIG
D-Weg Overlap (part of a route)
EBA Federal Railway Authority (Eisenbahn-Bundesamt)
ESTW Electronic interlocking
EXT ANF External requirement of TRStrab SIG (aimed at other subsystems)
FRS Functional requirement specification
GOA Grade of automation
GOA0 Train operation at sight (driving on-sight)
GOA1 Non-automated train operation
GOA2 Semi-automated train operation
GOA3 Driverless train operation
GOA4 Unattended train operation
GOL Grade of line
HR highly recommended
M mandatory
MGS at least the same level of safety (§ 2(2) BOStrab
NA not applicable
NMAU endangered no more than can be avoided (§ 3(1) BOStrab)
NRQ not required
NR not recommended
OCC Operation control centre
PT1 Plan section 1 (requirement specifications, risk analysis, draft
planning documents)
PT2 Plan section 2 (functional specifications, proof of safety,
implementation documents)

70
R recommended
RSTW relay interlocking installations (push-button, track layout diagram, rail
plan interlocking)
SBA safety-related acceptance of TRStrab SIG
SPNV local passenger transport by rail
TAB Safety Authority
THR tolerable hazard rate
TR Technical rules
UGT Urban guided transport
UGTMS Urban guided transport management and command/control system

71
10.2 Definitions
Some definitions of TRStrab SIG are listed with a reference to the TRStrab SIG
section. Definitions from other documents are listed with their definition text and
source.
Term Definition
Approval Administrative act of the authority which allows a
system to be commissioned within a specified scope.
This approval is clarified in writing.
Railway companies Companies as defined in § 3 PBefG.
Review Analysis process to ascertain whether the draft and
validation of a product has managed to meet the
specified requirements and to assess whether the
product is suitable for its intended use.
Overlap, (D-Weg) The overlap is a part of a route which must be kept
free as a neutral section for safety reasons.
One-off test Corresponds in terms of content to the procedure for
product or type approval but only covers the scope of
application of a system.
Permission to use (operating Formal permission to use a product within specified
permit) application limits.
Vehicle operation Vehicle operation includes setting and securing
routes, dispatching and driving trains and
shunting(§ 1(5) BOStrab).
Hazard logbook Procedure to continuously document all safety-
relevant errors revealed and the elimination thereof by
manufacturers and railway companies.
Grade of automation, GOA See definitions GOA0 GOA4 in Chapter Operation
modes
Requirement specifications Also called system requirement specifications
Description of the direct requirements, expectations
and wishes for a planned system, formulated in
natural language. DIN 69905 describes requirement
specifications as all requests of a contracting entity in
relation to delivery and performance by a contractor
as part of an order.
Life cycle The activities during a time period that starts with the
conception of a system and ends with its
decommissioning when the system is no longer
available for use.
Technical specifications Also known as system architecture and
system design specifications
Description of the implementation of requirement
specification requirements by the manufacturer.
According to DIN 69905, technical specifications
include the implementation plan drawn up by the

72
Term Definition
contractor based on the execution of the requirement
specifications prescribed by the contracting entity.
Project planning The structuring and connecting of hardware and
software of a generic application for its specific
intended application.
PT1 Plan section 1
Construction documents to be submitted providing a
sufficient description of a planned application without
anticipating technical implementation later in the life
cycle. PT1 includes requirement specifications, risk
analysis and draft planning documents.
PT2 Plan section 2
Construction documents to be submitted providing a
sufficient description of an application implemented
for planning and acceptance testing. PT2 includes
technical specifications, evidence of controlled
hazards and implementation documents.
RAMS Reliability
Availability
Maintainability
Safety
Risk analysis Determining safety requirements for a protective
function or subsystem to reduce risk arising from a
process.
Risk analysis (qualitative) Determining the necessary minimum on the basis of
classified risk parameters.
Risk analysis (quantitative) Mathematical determination of tolerable hazard rates
on the basis of statistical input data.
Safety Integrity see Safety integrity
Safety Integrity Level (SIL) see Safety integrity level
Safety Absence of inadmissible risk of damage.
Safety integrity level (SIL) One of a specified number of discrete steps to specify
sufficient safety of safety functions assigned to safety-
relevant systems. The safety integrity level with the
highest number has the highest level of sufficient
safety.
Safety report Document in which an expert definitively sets out the
results of a product or application review.
Safety integrity The probability that a system meets the safety
requirements defined under all defined conditions
within a specified time period.
Safety management The management structure that ensures that the
safety process is correctly implemented.
Proof of safety Documented evidence that the product meets the
specified safety requirements.
Safety plan A documented compilation of scheduled measures,

73
Term Definition
tools and events used to introduce an organisational
structure, responsibilities, procedures, measures,
skills and tools. Overall, this ensures that an object
meets the safety requirements specified for a given
contract or project.
Tram Under § 4(2) PBefG, elevated railways, underground
railways, suspension railways and similar railways
with a special design are also considered tramways.
System requirement see Requirement specifications
specifications
System architecture see Technical specifications (part of technical
specifications specifications)
System design specifications see Technical specifications (part of technical
specifications)
Safety Authority Safety Authority as defined in § 54(1)(3) PBefG.
Source: TR SIG ZA.
Validation Evidence from tests and analyses that
the generic product,
the generic application,
the specific application,
meets the requirements specified for intended use in
all respects.
Verification Determination from analyses and tests that the results
of each phase of a life cycle meets the requirements
of the preceding phase.
Availability The ability of a product to be in a state in which it can
fulfil a function under specified conditions by a
specified time or during a specified period of time,
provided that the necessary external means are
provided.
Approval Formal permission to use a product or generic or
specific application within the specified application
limits.
Authorisation Decision by the competent supervisory authority
under § 60(3) BOStrab that building of the operating
system may begin.

74
Bibliography
Acts and regulations

BOStrab Order on the construction and operation of light rail transit systems
(BOStrab) 11.12.1987
PBefG Passenger Transport Act
Guidelines and technical rules

TRStrab Br Technical Rules for Brakes Dimensioning and Testing Vehicle
Brakes (TRStrab Br)
TRStrab SIG ZA Technical Rules for Trams Approval and Acceptance of Signal and
Train Protection Systems (TRStrab SIG ZA)
TRStrab FoF Technical Rules for Trams Operation without a Driver
(TRStrab FoF)
SIG RMI Guidelines for the Assembly and Maintenance of Railway Signalling
Systems SIG RMI (EBO/BOStrab).
Standards
DIN EN 50126 Rail applications specification and proof of reliability, availability,
maintainability and safety (RAMS), March 2000 Also IEC 62278.
DIN EN 50128 Railway applications Communications, signalling and processing
systems Software for railway control and protection systems,
November 2001. Also IEC 62279.
DIN EN 50129 EN 50129, Railway applications Communications, signalling and
processing systems Safety-related electronic systems for
signalling, December 2003.
Mü 8004 Technical Principles for the Approval of Safety-related Systems for
Signalling (Mü 8004). Federal Railway Authority (EBA), Central
Munich office, 01.08.2003.
DIN VDE 0831 Electric signalling systems for railways. DKE in DIN VDE, April 2006.
DIN EN 61508 Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-related Systems, November 2002.
DIN EN 62267 DIN EN 62267 (VDE 0831-267):2008, Railway applications
Automated urban guided transport (AUGT) Safety requirements.
DKE in DIN VDE, Draft, 2008.
DIN EN 62290-1 DIN EN 62290-1 (VDE 0831-290-1):2007, Railway applications
Urban guided transport management and command/control systems

Part 1: System principles and fundamental concepts.
DKE in DIN and VDE, August 2007.
DIN EN 62290-2 DIN EN 62290-2 (VDE 0831-290-2):2009, Railway applications
Urban guided transport management and command/control systems

Part 2: Functional application specifications.

75
DKE in DIN and VDE, Draft standard, April 2009.


Notification Draft 2015 306 D EN

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Notification Draft 2015 306 D EN

Enviado por

Direitos autorais:

Formatos disponíveis

1.

Technical Rules for Trams

Edition: 1 August 2012

They are prepared by the federal-state technical committee BOStrab (German

Edition: 1 August 2012

Edition: 1 August 2012

6.2 Excluding contraflow 46

Edition: 1 August 2012

They are prepared by the responsible federal-state technical committee

Deviation from these technical rules is permitted in accordance with § 2(2) of

 Article 2(2)(a) of Directive 2004/49/EC of the European Parliament and of the

 Article 1(3)(a) of Directive 2008/57/EC of the European Parliament and of the

Edition: 1 August 2012

 Technical specifications for products in these technical rules may only be

- the Act on making products available on the market (Product Safety

and the legal regulations issued on the basis of these Acts.

Edition: 1 August 2012

7 August 2013 (Federal Law Gazette I p. 3154), as amended by Article 4(21)

- notified the manufacturer or distributor in writing of which parts of the

Edition: 1 August 2012

In the following chapters of this document, term definitions are indicated in

1.2 Marking and mandatory nature of requirements

 requirements are indicated in standard typeface and with the abbreviation

1.3 Obligations of tabular requirements

M: This symbol (mandatory) means that the architecture, technology or

HR: This symbol (highly recommended) means that the architecture,

Edition: 1 August 2012

R: This symbol (recommended) means that the architecture, technology or

The differentiation and meaning of mandatory symbols correspond to the

Edition: 1 August 2012

2. Scope and framework conditions

 signal systems (§ 21 BOStrab),

2.2 Compliance with statutory principles and best

Under § 4(2) PBefG, elevated railways, underground railways, suspension

The legal provisions for tramways determine

 defined safety standards (e.g. § 20 BOStrab, safety of level crossings

 the BOStrab provisions,

Edition: 1 August 2012

(§ 2 BOStrab). A deviation from generally accepted best practice is permissible if

2.3 Definition of systems and installations under

Examples of possible system levels are shown in the following table:

Overall system Subsystem Installation

Edition: 1 August 2012

Train control Train control stop etc.

Operator terminal Operator terminal processor

Table 1: Examples of system levels

Edition: 1 August 2012

3. Principles of driving operation

3.1 Driving operation modes

Provisions under Driving on-sight driving under control-

BOStrab requirements driving on-sight driving under control-

Edition: 1 August 2012

BOStrab requirements driving on-sight driving under control-

3.2 Basic functions for protecting train movements

The requirements for train protection systems under

Edition: 1 August 2012

BOStrab requirements driving on-sight driving under control-

BOStrab requirements driving on-sight driving under control-

 through headway operation,

BOStrab requirements driving on-sight driving under control-

Edition: 1 August 2012

BOStrab requirements driving on-sight driving under control-

The basic function Securing speeds encompasses choice of signal, fixed

Article 2(2)(a) of Directive 2004/49/EC of the European Parliament and of the

Article 1(3)(a) of Directive 2008/57/EC of the European Parliament and of the

Technical specifications for products in these technical rules may only be

M: This symbol (mandatory) means that the architecture, technology or

HR: This symbol (highly recommended) means that the architecture,

R: This symbol (recommended) means that the architecture, technology or

The basic function Securing speeds encompasses choice of signal, fixed

In international regulations, the neutral section is referred to as the safety

In international regulations, permission to proceed is referred to as movement

In international regulations, the term movement authority limit is used partly to

In the following chapters on protecting train movements the preferred