------IND- 2015 0306 D-- EN- ------ 20150713 --- --- PROJET
1
Notified in accordance with Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998
laying down a procedure for the provision of information in the field of technical standards and regulations and
of rules on Information Society services (OJ L 204 of 21 July 1998, p. 37), last amended by Article 26(2) of
Regulation (EU) 1025/2012 of the European Parliament and of the Council of 25 October 2012 (OJ L 316 of
14 November 2012, p. 12).
Foreword
The technical rules for trams (TRStrab) are considered the generally accepted
engineering principles for the construction and operation of trams and spell out in
detail the basic requirements of the tram construction and operation order (BOStrab).
Deviation from the technical rules is permitted if at least the same level of safety is
provided.
Table of contents
FOREWORD
TABLE OF CONTENTS
PREAMBLE
1. INTRODUCTION
1.1 Definitions
1.2 Marking and mandatory nature of requirements
1.3 Obligations of tabular requirements
2. SCOPE AND FRAMEWORK CONDITIONS
2.1 Scope
2.2 Compliance with statutory principles and best practice
2.3 Definition of systems and installations under BOStrab
3. PRINCIPLES OF DRIVING OPERATION
3.1 Driving operation modes
3.2 Basic functions for protecting train movements
3.3 Grade of automation of driving operation
3.4 Basic definitions for protecting train movements
3.4.1 Braking actions
3.4.2 Train protection definitions
4. PREFERRED ARCHITECTURE
4.1 Objective
4.2 Delineation
5. PROTECTING ROUTES
5.1 Basis of route protection
5.2 General sub-route functions
5.3 Route between start point and destination point
5.4 Overlap
5.5 Flank protection
5.6 Level crossing protection systems
5.7 Switchover protection
5.8 Detection for route protection and switchover protection
6. SECURING HEADWAY CONTROL
6.1 Principles
Preamble
The technical rules for trams (TRStrab) are considered the generally accepted
engineering principles for the construction and operation of trams and spell out in
detail the basic requirements of the tram construction and operation order
(BOStrab).
These technical rules for signal and train protection systems (TRStrab SIG)
specify, in particular, the basic requirements of §§ 20, 21 and 22 BOStrab.
The technical rules for signal and train protection systems pursuant to BOStrab
(TRStrab SIG) describe how the requirements of European standards
DIN EN 62290 and DIN EN 62267 can be implemented on the basis of BOStrab.
The application of this TRStrab should improve planning and legal certainty for
railway companies, manufacturers and technical supervisory authorities and also
facilitate recognition of registrations between technical supervisory authorities.
The subject of these technical rules is exempt from the application of the
specifications based on these guidelines on the basis of
in the Federal Republic of Germany pursuant to § 1(2) of the General Railways Act
(German designation: AEG) of 27 December 1993 (Federal Law Gazette I p. 2378,
2396; 1994 I p. 2439) last amended by
Article 2(122) of the Act of 22 December 2011 (Federal Law Gazette I p. 3044)
§ 65 of the Passenger Transport Act (PBefG) of 21 March 1961 (Federal Law
Gazette I p. 241), as amended by Article 2(147) of the Act of 7 August 2013
(Federal Law Gazette I p. 3154).
Notwithstanding the fact that the TRStrab SIG is considered by the BOStrab
federal-state technical committee as generally accepted best engineering practice
pursuant to § 2(1) BOStrab, the following references to existing federal legislation
transposing EU directives must be taken into account:
The same applies for technical specifications for products in these technical
rules in respect of legal provisions of the European Union that are directly
applicable, unless a deviation in accordance with Article 114 of the Treaty on
the Functioning of the European Union (OJ C-115 of 9 May 2008, p. 49) is
maintained or adopted by the Federal Republic of Germany.
The requirements of these technical rules may not be used by official bodies to
obstruct the marketing of products in the Federal Republic of Germany where
these were produced and/or marketed according to law in another Member
State of the European Union or Turkey or an EFTA country which is party to
the EEA Agreement. If the authority under § 54(1)(3) of the Passenger
Transport Act (PBefG) in the edition of the Notification of 8 August 1990
(Federal Law Gazette I p. 1690), as amended by Article 2(147) of the Act of
1. Introduction
1.1 Definitions
The relevant standards and provisions (BOStrab) use various terms for the same
object. To ensure clear allocation, the terms used in the technical rules are defined
in Annex 2.
The level of obligation of the requirements is modelled on DIN 820, Part 2, E and
taken into account in the wording of the requirements.
NRQ: This symbol (not required) means that the architecture, technology or
measure is not mandatory for this application but also that there is no reason why
it may not be used.
NR: This symbol (not recommended) means that the architecture, technology
or measure is explicitly not recommended for this application. Where this
architecture, technology or measure is used, the reason for using it must be
documented and approved by the expert (or TAB).
NA: This symbol (not applicable/not allowed) means that the architecture,
technology or measure may not be used or is even prohibited for this application
due to higher-level requirements or framework conditions.
2.1 Scope
The technical rules apply to trains operated under the Passenger Transport Act
(PBefG) in accordance with BOStrab. They apply to:
BOStrab requires that operating systems and vehicles meet safety and
organisational requirements. They are deemed to have met these requirements
where they are built and operated in line with
the requirements laid down by the technical supervisory authority and the
licensing authority,
and generally acknowledged best practice;
Both to clarify the national legal standards and to harmonise the legal standards
and the European standards for railway applications and to stipulate the
implementation of further best engineering practice, specifications are laid down in
the TRStrab SIG on the basis of current high levels of protection generally
accepted in the Federal Republic of Germany.
The following general classifications are given to railway companies, within the
scope of this TR, as assistance with the system to be specified under DIN EN 50126.
This is done in particular with a view to carrying out risk analysis.
protecting routes
securing headway control between trains
securing speed
The basic functions derived from § 22 BOStrab also apply in areas where the
principles for driving on-sight are applied and therefore for driving signal systems
and point controllers.
The following types of identifiable moving and stationary trains may be used in the
route to be protected:
DEF Train operation on-sight (GOA0): At this grade of automation, the driver
has full responsibility and no system is necessary to monitor his activities.
However, points and single-track lines may be partially monitored by the system.
signals. The system monitors driver activity. This monitoring may be punctual,
semi-continuous or continuous while taking due account of signals and speed. The
safe departure of the train from the stop including closing the doors is the
responsibility of service personnel.
ANF Responsibility for the execution of basic driving functions must be split
between operatives and the technical system according to the following table,
depending on the grade of automation.
protecting starting conditions: X X X X System
The basic functions set out in the table that are to be carried out by technical
systems for grades of automation GOA3 and GOA4 are not an integral part of train
protection systems under § 22 BOStrab, but may have a functional impact on
them. Basic requirements for these installations are set out in the Technical Rules
for Driverless Operation (RL FoF) and, where applicable, clarified in the following
VDV standards.
The braking actions below clarify the braking actions defined according to BOStrab
and TR Brakes for applications in the scope of these technical rules and establish
the basic requirements for on-board braking equipment to ensure overall safety of
operation.
Service braking deceleration is for example entered in the train protection profile
(see below), train headway calculations and calculations of sight sections.
EXT ANF After service braking up to standstill the braking system should
automatically prevent trains from moving during boarding and alighting at stops
(without involving the driver or the on-board train protection system)
(immobilisation braking).
EXT While using vehicles on street-running tracks in train protection areas, sharp
braking may only be triggered by the driver. (see Sharp braking in TR Braking)
ANF Emergency braking must be applied until the train is brought to a standstill
by the triggering train protection system if the braking requirement continues.
DEF Emergency braking distance is the distance it takes to bring the train to a
standstill when emergency braking is triggered, taking into account significant
emergency braking deceleration including response, delay and threshold time for
the braking system. The emergency braking distances agreed under a specific
application form the basis for keeping the safety-related braking distances required
under § 22(2)(1) BOStrab.
The definition of emergency braking distance includes the distance required for
response, delay and threshold time vis-à-vis VDV Guideline 340 in order to
comply with Appendix 2 BOStrab.
EXT ANF When defining the required deceleration values including response,
delay and threshold times, train protection requirements must be taken into
account. The planning of track systems (§ 15 to § 17 BOStrab), signal and train
protection systems (§ 21 to § 22 BOStrab) and vehicles (§ 33 to § 48 BOStrab) must
be closely coordinated in respect of the requisite emergency braking distance.
DEF The danger point is the point before which the head of the train must come
to a standstill to avoid an operational hazard. The danger point lies in the direction
of travel before identifiable safety obstacles under § 22(2) BOStrab; these
include moving or stationary trains, track ends and routes that are not protected
against side-on or head-on collision.
WÜ = car body overhang (to be taken into account)
DEF The neutral section is the line behind the destination point of a moving train
which must be maintained up to the danger point taking into account the features
of the train control system including location-based tolerances and safety
response times. Depending on the type of train control system, the neutral section
consists of
Figure 5: Neutral section in the event of punctual influence at the main signal
(train stop function)
ANF When calculating neutral sections, the gradient conditions on the line and
the geometrical and dynamic driving vehicle data of regularly used vehicles must
be taken into account.
ANF When calculating neutral sections, systemic location errors and tolerances
must be taken into account unless they can be justifiably ruled out. When adding
all the independent influencing factors affecting the maximum values, probability
distribution or a simultaneity factor may be taken into account.
DEF The train protection profile is the speed limit profile to be established and
monitored according to train protection principles as part of a permission to
proceed. The train protection profile takes into account:
the static speed profile which determines the highest permissible speed in
respect of track layout, structural loads, lateral and vertical acceleration
and compressive stress,
the dynamic speed profile, which determines the highest possible speed in
respect of temporary speed restrictions and the state of track components
(e. g. point position) and permission to proceed limits,
permissible vehicle speeds derived from vehicle dimensioning,
the safe braking profile, both before the destination point of the permission
to proceed and before any necessary speed reduction taking into account
the length of the neutral section maintained.
The train protection profile does not take into account location tolerances and
safety response times of the train control system. These are taken into account
when determining the requisite neutral sections and safety margins when driving
at the start of a speed reduction.
The train protection profile does not take into account (see operating profile):
DEF The operating (speed) profile is the speed profile to be formed within the
limits of the train protection profile to control train movements. The operating
profile takes into account:
Figure legend (ZP marked in the figure):
1 Speed profile (stat./dynam.)
2 Train protection profile
3 Operating profile
Figure 7: Example, train protection and operating profile when the signal is on
Figure 8: Example, train protection and operating profile when the signal is off
DEF Train detection is the secure determination of the location of rail vehicles
through
Examples of external detection are track vacancy detection systems such as track
circuits and axle counting circuits or rail contacts, light barriers and similar
equipment used to detect the presence and absence of trains. Internal detection
systems use on-board components to determine position, e.g. combinations of
odometer pulse generators, accelerometers or radar sensors and are
supplemented for synchronisation or initialisation by track-side elements such as
crossed line conductors, transfer loops, locating points in the form of balises.
EXT ANF When using track-side train detection systems, it must be ensured that
the vehicles used meet the requirements for detectability (e.g. sufficient train
shunt, detectability of tyres while avoiding interference from other vehicle
components (magnet rail brakes, EMC interference)).
EXT ANF When using on-board train detection, it must be ensured that the
vehicles used meet the requirements to properly determine position (e.g. matching
tyre diameter, matching frictional and skid behaviour).
4. Preferred architecture
4.1 Objective
In extreme cases, implementation of the basic functions at the individual grades of
automation can be approached in two ways. On the one hand, a custom-made
solution can be designed for each application project, whereby the technical
architecture, interfaces and operating rules are redefined without reference to tried
and tested models. On the other hand, an all-encompassing system can be
designed which contains all necessary variants. Obviously, these approaches can
also lead to extreme inconsistency or inefficiency. Another risk is that the over-
individualised or over-generalised solution contains concepts and functions that
are not yet sufficiently operationally tested in this form and scope, so dangerous
deficiencies can arise.
protecting routes,
securing headway control between trains and
securing speed
4.2 Delineation
The subsystems for the basic functions with driverless and unattended driving
(GOA3 and GOA4):
are clarified in the Technical Rules for Trams Operation without a Driver
(TRStrab FoF)
5. Protecting routes
DEF A route means the sequence of track sections, points, crossings, signals
and other adjustable or non-adjustable elements in § 22 BOStrab and train safety
regulations which are directly driven over or involved when driving from a given
start point to a given destination point.
DEF A route is protected if the route between start and destination is protected
by a driving signal system or a train protection system. A protected route
consists of:
For individual points, a route is deemed protected if the point is protected against
switching by locking and occupancy detection.
ANF The length of the overlap from the route destination point must be at least
as long as the neutral section behind the route destination point mathematically
required for the train using the route with a specific speed profile.
In straightforward cases, the neutral section can be maintained so that clear track
signalling up to the danger point is performed and monitored along the route.
Two sub-routes are different if they differ in terms of at least one component. Sub-
routes with the same route between start and destination but different overlaps are
different. Sub-routes with the same overlap but different numbers of routes
between start and destination are different.
DEF Route release is the release of internal locks and loads used to calculate
and protect a sub-route or protected route.
(1) HR, where seen under § 21(3) BOStrab as operationally required (e.g.
depot, switches and turn-backs); M to protect single-track lines.
(3) only allowed when using points that cannot be adjusted remotely
(§ 17(6) BOStrab).
requirements. The most important phases are defined below although other phase
classifications are not excluded.
DEF Approval testing tests whether the current condition of the interlocking
elements allows for the sub-route or protected route as a whole to be set. Approval
testing refuses the setting application if for example a necessary element is under
stress or locked. If approval testing for the route fails, it can be useful as a back-up
to test only the route (without overlap or flank protection) for suitability.
The following may for example be compatible: Route stress and one or two
overlap stresses in the same direction as the route (the overlaps come from
various route destination points). In specific cases track-side stress from two
tangential overlaps is permitted, but in this case overlapping with a route is
excluded.
ANF An adjustable element may only be locked if its current position in the
outdoor facility matches the target position in line with stress and the element in
the outdoor facility (where technically feasible) is locked against departure from
the target position by force-locking or interlocking.
DEF In driving signal systems for route control (see Section 2.4) the purpose of
route monitoring is to continually check the statuses of all route elements on the
set route. The statuses give the following results:
ANF The monitoring statuses of the route or protected route must be included in
the issuing of the permission to proceed. Where the monitoring falls back to a low
level, an issued permission to proceed must be immediately revoked.
DEF The purpose of approach locking on the route is to prevent route retraction
if a train is within the braking distance from the start point and it has permission to
proceed.
DEF The purpose of route release is to relieve stress and lock a route or
protected route.
ANF With this type of route release, stress and locks may only be relieved when
it is ensured that permission to proceed has not been issued or has been revoked.
ANF The route between start point and destination point shall be set
automatically when setting a sub-route or protected route.
ANF The train-operated route release of route elements between start and
destination point shall occur in sections which correspond to the train detection
sections.
Route release by sections minimises blockage periods and train headways. In the
ideal scenario, each route element occupies its own train detection section and
terminates directly after crossing and clearing.
ANF The train-operated route release can be used to identify errors and
disruptions in train detection. Release of the route element is dependent on the
occupation and clearing sequence of its own and the two adjoining train detection
sections.
DEF Route adjustment refers to the function whereby the use of the remainder
of a route (i.e. still to be crossed by the front train) by one or more following trains
is facilitated. Adjustment causes a full route to be formed from the location of the
front train to the original route destination and the front train no longer initiates any
route release.
5.4 Overlap
DEF Overlap selection refers to an overlap behind a destination point. System-
specific configurations or current positions may be taken into account (pre-set
connection route, short and long overlap depending on occupation status).
ANF Depending on the grade of automation, the following requirements apply to the
fitting of overlaps:
with stealth running (v ≤ coupling speed) before the destination point with
specific driving profile monitoring.
ANF The conditions for monitoring the overlap (see table on overlap requirement
levels) are entered in the issuing of the permission to proceed. Where the
monitoring conditions are breached (e.g. through the occupation of an overlap
section), the permission to proceed is to be automatically revoked.
DEF The function overlap overrun extends a set overlap with the release of the
track sections because the train in front has moved off.
The overlap overrun only makes sense if the increased speed of the train can be
transmitted in time.
(1) HR only applies in homogeneous systems (all trains with internal detection);
otherwise NR.
(2) External detection e.g. by platform protection system in the case of open
platforms.
ANF For automatic train-operated release of the overlap if the train proceeds to a
connection route, the same release criteria apply as for the connection route.
Level crossing protection systems are not flank protection elements according to
this definition. They are more often integrated as an element of the route between
start and destination or as an overlap element.
DEF Selection of flank protection determines the elements that should offer
flank protection. System-specific configurations or current positions may be taken
into account (e.g. substitute protection in the case of double protection).
In flank protection levels 3 and 4 the protective measures are also effective
against
Flank protection waiver means that the securing of a moving train against
dangerous slanting collisions is only ensured by excluding adverse permission to
proceed.
(1) Exception: In the event of a direct danger of collision on branch lines (no
ban on trains meeting, no possibility for the drivers involved to avert danger)
tongue protection should be applied.
(2) Rail blocks should not be incorporated in tracks over which passenger
trains run.
(1) Flank protection may generally be waived in the overlap because a train
must overlap and a second non-signalled run in the overlap of the first train
must take place for flank danger to happen.
(2) Rail blocks should not be used in tracks over which passenger trains run.
ANF Where flank protection is waived in the overlap, breaches of overlap profile
when its protective area is occupied must lead to occupancy detection of the
overlap, so that permission to proceed is not issued or is revoked.
ANF The release of protective elements must be automatic with the train-
operated or manual release of the route elements requiring protection. It must not
be possible to manually release protective elements.
DEF The following are designated as technically secure level crossing actuators
to protect road users:
Light signals
upstream light signals
half barriers
footpath barriers
acoustic signal generators
Level crossing protection system interfaces with road traffic signalling
systems
ANF When fitting the technically secure level crossing with actuators the relevant
regulations must be taken into account as well as § 20 and Appendix 1 BOStrab.
ANF For level crossings on lines operated in GOA3 and GOA4, the requirements
of RL FoF also apply.
In the case of GOA3/GOA4 TRStrab FoF can completely exclude level crossings.
ANF Where due to local conditions there is a strong probability that the light
signals will not be observed, technically secure level crossings must be fitted with
half barriers and, where applicable, footpath barriers.
This can be the case for example near facilities for children, the elderly and the
infirm or the visually impaired.
To decide whether in addition to the half barrier a footpath barrier is also required,
foot traffic must be considered separately.
ANF Double and multi-track technically secure level crossings that can be
crossed by more than one train simultaneously must be fitted with half barriers.
Exceptions are permitted with level crossings for footpaths, cycle paths and
platform access points which are also designed, through line monitoring, so that
other train movements after the first train drives by can be clearly noticed.
ANF If the level crossing protection system is integrated in the train protection or
driving signal system, monitoring of secure status or function monitoring must be
included in the route monitoring.
ANF The level crossing protection system should be activated by the train.
ANF With integrated level crossing protection systems, the setting of routes
should not yet activate the level crossing protection system but prepare for train-
operated activation during shunting. The level crossing is activated with project-
specific criteria to be determined.
ANF One of the following architectures must be used to monitor the actuators.
ANF The track-related deactivation of the level crossing protection system must
be train-operated directly after the level crossing has been cleared.
DEF If a level crossing protection system is activated for longer overall than a
system-specific time to be determined, increased inappropriate behaviour by road
users is to be expected (Timeout).
ANF With timeout, the autonomous level crossing protection system must revoke
or deny signal Bü 1 (or F1) on all monitoring signals. Level crossing protection
must be maintained until
ANF The base position of the level crossing protection system may only be set
automatically with autonomous systems. With integrated systems, ancillary
activation must be provided.
ANF If the system has both switchover protection and route protection, both
functions must be carried out independently insofar as technically feasible.
Generally, however, the same detection equipment may be used for switchover
protection and route release.
ANF With switchover protection for adjustable route elements untimely clear
track signalling must be seen as a dangerous failure of the protection device.
For example, a short-term failure of the power supply to the track-side train
detection systems or a short-term interruption of axle-counting data transfer must
not lead to the situation where the sequence "free, occupied, free" is generated
without any train travel thus triggering untimely release and deactivation.
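
An added illustration, not part of the TRStrab text: a sequence check for the train-operated release of one route element from its own and the two adjoining train detection sections, which also refuses the bare "free, occupied, free" sequence from the power-supply example above. The exact order of events required here, the section names TD1 to TD3 and the event format are assumptions made for this sketch.

```python
from enum import Enum

FREE, OCCUPIED = "free", "occupied"


class Result(Enum):
    LOCKED = "locked"      # sequence incomplete: element stays locked
    RELEASED = "released"  # ordered passage observed: lock may be relieved
    FAULT = "fault"        # implausible sequence: stays locked, detection is suspect


def evaluate_release(events, prev, own, nxt):
    """Decide whether the element in section `own` may be released.

    events: time-ordered (timestamp, section, state) tuples from train detection.
    Assumed plausible passage (an assumption of this sketch, not a TRStrab rule):
      step 1: approach section `prev` becomes occupied
      step 2: `own` becomes occupied
      step 3: departure section `nxt` becomes occupied
      release: `own` becomes free after step 3
    `prev` may clear at any time once `own` is occupied (tail of the train).
    Anything else that changes one of the three sections is treated as a fault.
    """
    state = {prev: FREE, own: FREE, nxt: FREE}  # assumed initial condition
    step = 0
    for ts, section, new in events:
        if section not in state or state[section] == new:
            continue  # foreign section or repeated telegram carries no information
        state[section] = new
        if step == 0 and section == prev and new == OCCUPIED:
            step = 1
        elif step == 1 and section == own and new == OCCUPIED:
            step = 2
        elif step == 2 and section == nxt and new == OCCUPIED:
            step = 3
        elif step >= 2 and section == prev and new == FREE:
            pass  # train tail leaving the approach section
        elif step == 3 and section == own and new == FREE:
            return Result.RELEASED, f"t={ts}: {own} cleared after ordered passage"
        else:
            return Result.FAULT, f"t={ts}: unexpected {section} -> {new} at step {step}"
    return Result.LOCKED, "sequence incomplete"


# Constructed sample data (not taken from any real installation).
NORMAL_PASSAGE = [
    (0, "TD1", OCCUPIED), (4, "TD2", OCCUPIED), (7, "TD1", FREE),
    (9, "TD3", OCCUPIED), (12, "TD2", FREE),
]
# Short power or data-link interruption on TD2 only: free -> occupied -> free.
POWER_GLITCH = [(0, "TD2", OCCUPIED), (1, "TD2", FREE)]
# Train entered TD2 and the section then reports free without TD3 being occupied.
LOST_TRAIN = [(0, "TD1", OCCUPIED), (4, "TD2", OCCUPIED), (6, "TD2", FREE)]
# Train standing on the element: nothing to release yet.
STOPPED_TRAIN = [(0, "TD1", OCCUPIED), (4, "TD2", OCCUPIED)]

if __name__ == "__main__":
    samples = {
        "normal passage": NORMAL_PASSAGE,
        "power glitch": POWER_GLITCH,
        "lost train": LOST_TRAIN,
        "stopped train": STOPPED_TRAIN,
    }
    for name, ev in samples.items():
        result, reason = evaluate_release(ev, "TD1", "TD2", "TD3")
        print(f"{name:15s} {result.value:9s} {reason}")
```
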
6.1 Principles
Pursuant to § 22(2)(1) BOStrab, Securing headway control between trains
relates to the fact that at least the braking distance from identifiable safety
obstacles (here: moving and stationary trains) is clear and kept clear.
The following types of identifiable moving and stationary trains may in principle be
used in the route to be protected:
ANF It must be expected at all times that the front train may come suddenly to a
halt. The danger point is always assumed to be the last known location of the end of
the front train. This applies in particular where (internal) detection of the front train
fails.
ANF The exclusion of contraflow must also be met at the level of Securing
headway control by not issuing or revoking permission to proceed if a vehicle
coming in the opposite direction or the front train rolling back is safely detected.
In GOA0 the start signal must be set from F1 to F0, if the dependent activated driving
signal system on the other end of the single-track line detects an adverse movement
via Cancel contact at the counter-signal or via Deactivate contact at the
destination of the set route.
ANF With driving signal systems for GOA0, e.g. with driving signal systems for
single-track lines, permission to proceed may only be issued by the signals F1, F2 or
F3 if exclusion of contraflow has been ensured. Several trains may follow in the same
direction only once the opposite direction has been released, as soon as all the
following trains have left the line.
Operation of the following trains with driving signal systems requires unbroken train
detection or in the case of punctual train detection train counting.
ANF For driving on partially occupied tracks and coupled driving, the train
protection system and the operational rules including signalling rules must ensure
that the vehicles on the destination track are not moving in the opposite direction to
the oncoming train.
In the train protection system, the requirement may be met e.g. by switching on
safety stop signals or cancelling priority signals and, where applicable, using train
control (anticipated train stop).
ANF With track circuits, the factors that could lead to insufficient train shunt must be
taken into account and controlled:
ANF The ancillary operation Initial axle-counting position must be secured using
standing instructions and, where possible, technical measures against inaccurate
clear track signalling of an occupied clear track signalling section.
ANF With internal detection in vehicles, the factors that can distort the detection
results (occupation, location, speed) must be taken into account, such as gliding and
skidding of axles with odometer pulse generators.
7 Securing speed
DEF Permission to proceed represents the instructions for driving a train (§ 22(1)
(2) BOStrab). It applies within specific limits and contains
The levels Securing the route and Securing headway control provide, in
addition to basic approval for train movement, the limits thereof, permissible speed
and restrictive conditions required due to specific operation modes or operating
ANF The train protection system and standing instructions including signalling rules
must be so designed that when the permission to proceed is complied with,
§ 54(3) BOStrab can be met. Passenger vehicles may only be accelerated and
braked in such a way that passengers are not endangered any more than can be
avoided. Exceptions are for example emergency situations justifying immediate
withdrawal of permission to proceed and braking actions with the highest possible
deceleration, or unavoidable influences due to disruptions to the train protection
system.
This requirement must be observed in the (generic) design of the system but also
specifically adapted, e.g. when calculating sight points and installing advance
signalling.
The train protection profile must in fact be so designed that service braking is always
available if transmission fails (see § 22(2)(1) BOStrab and the official justification for
§ 22).
The basic concept of secured route suggests that all adjustable and non-adjustable
moving route components (such as spring-loaded points, level crossings or road
traffic signalling systems) are included in the issuing of permission to proceed,
insofar as they are relevant to operation.
a driving signal system that does not depend on adjacent road traffic
signalling systems for a single-track line, or
an individual point controller that does not depend on road traffic signalling
systems in the same hub.
In the train protection area (GOA1) it can happen that hangar or platform gates (on
adjacent tracks) or chamber locks are not integrated in the permission to proceed.
ANF The safe states for moving route elements must be integrated in the
permission to proceed and the train protection profile according to the following rules.
(1) Integration may only be dispensed with if the point construction type allows
for trailing in the wrong position (spring-loaded point, trailable points).
Requirements for stationary signalling may arise from the chosen integration level,
see Section 7.4 Stationary signals.
ANF With GOA1 to GOA4 travel under driving on-sight due to disruptions to route
protection or headway control must be ordered by stationary signals (substitute
signals, additional signals for individual order, disruption signal).
ANF Where moving safety-related route components do not have their own
stationary signals to indicate their status and to allow train movements, they must be
integrated in the permission to proceed. Where integrated in the permission to
proceed, stationary signals may be used as a back-up (point signals, protection
signals including emergency signals, monitoring signals for level crossings).
ANF With GOA1 to GOA4 no point signals may be set in routes; end position
monitoring of all points must be integrated in the permission to proceed.
ANF Where the permission to proceed is transmitted to the train, the stationary
signals of the permission to proceed may not countermand it.
The requirement may be met (in coordination with the standing instructions for
driving and the signal book) by:
ANF Where stand-alone speedometers are used (i.e. speed signals such as G1b or
G2b BOStrab that are not connected to a main signal), the signal image of the
speedometer cannot have any influence on permission to proceed, i.e. permission to
proceed cannot be either confirmed or revoked.
The two variants allowed by § 20 BOStrab are designated Monitoring type ÜS (for
monitoring signal [Überwachungssignal]) and Monitoring type Hp (for main signal
[Hauptsignal]). The monitoring types allowed for railways Fü (for external
monitoring [Fernüberwachung]) and Bed (for operator servicing [Wärterbedienung])
are not allowed in BOStrab requirements.
ANF The monitoring types may be combined depending on the direction of travel.
A level crossing may be monitored for travel in one direction with main signals and
for travel in the other direction with monitoring signals.
ANF With systems with transmission of permission to proceed to the train (driving
cab signalling or train protection profile) monitoring signals Bü 0/Bü 1 (announced by
Bü 2) may be set as back-up.
ANF Permission to proceed via monitoring signal, main signal or train protection
profile may only be issued in respect of track and direction.
For example, on an activated level crossing track, the monitoring signals for both
directions of travel may not show Bü 1 simultaneously.
ANF In the case of punctual monitoring of driving quality, the impact of dangerous
deviations required under § 22 (1)(3) BOStrab may only have a punctual effect. In the
case of continuous monitoring, the impact of dangerous deviations must also have a
continuous effect.
DEF Monitoring train driving quality relates either to pure movement and direction
or to speed.
ANF Depending on the grade of automation, the following requirements apply to the
selection of train control systems:
ANF Depending on the train control system and the grounds for its response,
emergency braking may only be released
ANF With GOA3 and GOA4 the execution of brake commands must be
automatically monitored by the train control system (§ 38(1)(3) BOStrab).
ANF With the safety planning of punctual monitoring of train driving quality it must
be assumed that the driver is driving past the monitoring location (e.g. the signal
indicating stop) at the speed last signalled or the speed regulated by the standing
instructions. Where there are speed monitoring installations on the route before the
monitoring location, the last punctually monitored speed may be assumed.
Acceleration beyond the last signalled or last monitored speed need not be assumed.
8 Detailed architecture
8.1 Overview
In contrast to the previous chapters on preferred architecture, the Chapter Detailed
Architecture does not deal with the allocation of specific safety functions and safety
requirements to signal and train protection subsystems but with the internal
configuration of the individual subsystems. Regardless of the concrete tasks for each
subsystem, the following questions are covered:
DEF A specific application is only used for an individual system. It may be installed:
the continuous automatic train control system of the Nuremberg twin unit
763/764,
the Berlin Bösebrücke driving signal system,
the Karlsbad Bahnhofstraße level crossing protection system.
A specific application can form the basis for one or more generic applications for
subsystems and generic products.
The specific application requires a system permit. This is valid for the individual
system in a specific configuration and project planning.
DEF A generic application is a class of application for a defined task that can be
configured and planned for different specific applications. The generic application
includes all required functions and any optional functions for the defined task.
A generic application may form the basis for one or more generic products. Type
approval may be issued for the generic application. Type appraisal and type approval
on which it is based can be used in the defined application scope in the approval
process for one or more specific applications.
Under DIN EN 62290-1, examples of generic products are: point mechanisms, axle-
counters, real-time operating systems, secure computer platform without user
software.
Product approval may be issued for the generic product. Product appraisal and
product approval on which it is based can be used in the defined application scope in
the approval process for one or more specific or generic applications.
ANF If ordered blocks and restrictions are not automatically restored, release for
operation subject to authorisation (Release operation after start-up) must be
envisaged. Before this operation is executed, the subsystem may only allow
restrictive operations (registering blocks and restrictions, stop positions, etc.);
changeovers and route setting must be rejected.
ANF After a subsystem starts up, moving route elements may not be automatically
adjusted even if they are not in their defined base position or not in a compatible
position.
For example, the following may not be automatically adjusted: Points and rail blocks
with projected base position, with projected sequential interlocking to other elements
with several drives (even if the drives, e.g. of tongues and crossing have
incompatible positions).
9.1 Overview
Operation and display are cross-departmental functions required for most signal and
train protection subsystems. In addition, the concentration of operational control and
monitoring leads to a situation where the human-machine interfaces of the various
subsystems must be as fully integrated as possible in the same multi-functional
operations control system and at a minimum must be harmonised. Consequently, it
makes sense not to specify key requirements for operation and display at the level of
individual subsystems but at overall system level.
DEF Operation of signal and train protection systems includes all technical
equipment and functions with which operatives can issue orders to secure and
control train operation.
DEF Display of signal and train protection systems includes all technical equipment
and functions that show operatives the overall condition of the system to process
train operation.
For example, if continuous automatic train control fails, the statuses of interlocking
elements and the platform protection system must remain recognisable.
9.3 Display
ANF The signal and train protection elements must be represented in schematic,
topographical form in the displayed image.
ANF Where the size of the system so requires, the displayed image must be
representable in at least two levels of detail.
Normally the two levels of detail are area overview and magnifier (interlocking
system or line magnifier, vehicle magnifier).
ANF It should be possible at the operator terminal to show a large area at a low
level of detail and a selected section of that area at a high level of detail. If this is not
possible, it must be possible to make a fixed presentation of the overall area (at a low
level of detail) from the operator terminal.
Panorama panels are used to make a fixed presentation of the overall area.
ANF To present the statuses of the signal and train protection elements, symbolic
forms, colours (foreground and background colours), typeface and dynamics
(continuous/blinking light) must be used ergonomically. This includes
ANF The choice of colours for element statuses must follow a uniform, easily
remembered concept. The meaning of the colours must be identifiable accurately and
without aids (keys, display catalogues).
For instance, it makes no sense to present the status (open, closed) of a platform
gate using coloured circles (e.g. white, red). It makes sense to either use a form
symbol to represent track status horizontally and vertically or a changing typeface
open/closed.
If they have the requisite compatibility with signal images, simplifications are allowed.
For instance, the signal images H1 (green) and H2 (green over yellow) in the display
image may be presented with a green signal head.
ANF One of the following basic systems must be used to illuminate platform strips:
(2) Where due to the system architecture several trains can regularly stay in
the same track clearance section, the platform strips should be specifically
marked.
The difference between running routes and shunting routes is not generally required
in areas covered by BOStrab.
ANF The occupied status display must not be displaced by other status displays
(e.g. stresses, blocks, storage, operation markings).
ANF Particular statuses of clear track signalling (e.g. preliminary initial axle-
counting position, disruption of logical clearance) must be displayed on or in the
platform strips. Additional symbols, identifiers or the colour of the platform strip
should be used for this.
ANF Where the display image can be presented at several levels of detail, the
presentation of the statuses of the signal and train protection elements between the
levels of detail must be compatible and consistent. The same shapes and colours
may not have different meanings.
For instance, a main signal in the interlocking system magnifier usually consists of
several information-bearing partial symbols such as head, mast, foot and identifier. If
the main signal must be very simply presented in the area overview so that mast and
foot do not contain any more changing information, then mast and foot must also no
longer be displayed as in the magnifier. A tried and tested presentation of this is a
coloured triangle with the head in the direction of travel.
ANF If the display image can be presented at several levels of detail, the
presentation of the track layout diagram must be topographically similar at the
different levels of detail, and must in particular be oriented identically.
The direction of travel of a train must be presented identically at all levels of detail,
i.e. for example from left to right overall (not from right to left, from top to bottom or
from bottom to top). Exceptions are only allowed with connectors of short length.
ANF Image loading times may not generally exceed 2 s (measured from image
selection to full image composition).
9.4 Operation
ANF Operation and display of a signalling element must be integrated in the
operator terminal. This means that operator commands are incorporated using the
display symbols and the operated element where possible is marked in the
display image.
ANF The response times of operating and display systems to operations must not
exceed 1 s as a general rule.
ANF Response and processing times for emergency controls must not exceed 1 s
overall as a general rule. Deviations must undergo risk analysis.
Standard operations include for example point switching, point switching blocking,
route setting and route cancellation. For some transport companies the position of
the substitute signal (warning signal, additional signal for individual order) is also a
standard operation, because route monitoring at substitute signal level is a
prerequisite and responsibility for headway control via signalling is fully transferred to
the driver.
DEF Ancillary operations are operations which during approval testing and
execution cancel or bypass technical safety dependencies.
lift blocks (unblock track crossing, unblock point for switching, unblock
signal, unblock automatic change direction, etc.),
confirm to the technical system that the responsible operator has
successfully carried out specific safety-related testing (permission for
specific travel; clear signalling of level crossings with full barrier and
observation),
increase level of or fully cancel speed restrictions,
change operating modes (particularly from manual or servicing mode to
standard mode or automatic operation),
cancel continuous activation (e.g. of level crossing protection system),
reset failure or emergency states (e.g. reset triggered emergency stop
switch, platform protection system, derailment detector, fire detectors;
reset triggered speed monitoring installations),
if the related hazards are not counteracted by other operating or technical measures.
Classification is clarified by the example of the usual conditions for point switching:
ANF The input, transfer and execution of operations subject to authorisation must
be treated as safety-relevant functions and secured against the following hazards:
ANF For ancillary operations with global effect (i.e. involving many elements
simultaneously), hazard analyses must be carried out.
A global initial axle-counting position for an entire interlocking area is generally not
justifiable or realistic because for a secure and problem-free application, the entire
area must actually be fully cleared. A global initial position for start-up disruptions to
logical clearance is generally justifiable to release the disruptions as quickly as
possible after starting up an interlocking computer.
For example, ancillary point switching should not be made dependent on whether the
point is actually reported as occupied. This includes the following justifications:
(1) The operator has increased responsibility and duty of care for ancillary
operations anyway. It can be assumed that the operator does not use
ancillary operations for no reason if standard operations would be
permissible and effective.
EXT ANF Operating personnel are expected to choose the operation variants or
operating sequence with the highest possible safety level depending on the situation.
For instance, to secure a moving train, the operator is expected to choose the main
options in the following sequence (with decreasing safety level):
In the event of irregularities and accidents, recording and reconstruction media are
extremely helpful.
ANF Ancillary operations must be logged with clear parameters (operator terminal,
time, operated element, operated command). In the case of disruptions to technical
logging the operator must log events manually. To demonstrate the exhaustiveness of
technical and any manual logging, ancillary operations should be continuously
counted.
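One way to use the continuous count to show that technical and manual logging together are exhaustive, as an added example that is not part of TRStrab SIG. The record layout, the function names `op` and `reconcile`, the element and command names and all sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AncillaryOp:
    counter: int       # value of the continuous ancillary-operation counter
    time: datetime
    terminal: str      # operator terminal
    element: str       # operated element
    command: str       # operated command
    source: str        # "technical" or "manual" log


def op(counter, clock, terminal, element, command, source="technical"):
    """Build a record; `clock` is HH:MM:SS on a constructed sample day."""
    t = datetime.strptime("2000-01-01 " + clock, "%Y-%m-%d %H:%M:%S")
    return AncillaryOp(counter, t, terminal, element, command, source)


def reconcile(technical, manual, first, last):
    """Check that every counter value first..last is covered by exactly one
    fully parameterised record from the technical or the manual log."""
    by_counter = {}
    for rec in list(technical) + list(manual):
        by_counter.setdefault(rec.counter, []).append(rec)

    missing = [n for n in range(first, last + 1) if n not in by_counter]
    duplicated = sorted(n for n, recs in by_counter.items() if len(recs) > 1)
    out_of_range = sorted(n for n in by_counter if not first <= n <= last)
    incomplete = sorted({
        r.counter
        for recs in by_counter.values() for r in recs
        if not all(v.strip() for v in (r.terminal, r.element, r.command))
    })
    # The counter only moves forward, so timestamps must not go backwards.
    ordered = [by_counter[n][0] for n in sorted(by_counter)]
    time_regressions = [b.counter for a, b in zip(ordered, ordered[1:])
                        if b.time < a.time]

    findings = {
        "missing": missing,
        "duplicated": duplicated,
        "out_of_range": out_of_range,
        "incomplete": incomplete,
        "time_regressions": time_regressions,
    }
    findings["exhaustive"] = not any(findings.values())
    return findings


# Constructed sample: technical logging was disrupted between 4712 and 4716,
# the operator logged 4713 and 4714 by hand, and 4715 was never written down.
TECHNICAL = [
    op(4711, "08:02:10", "T1", "W12", "UNBLOCK_POINT"),
    op(4712, "08:05:41", "T1", "BUE3", "CANCEL_CONTINUOUS_ACTIVATION"),
    op(4716, "09:15:03", "T2", "N7", "RESET_EMERGENCY_STOP"),
]
MANUAL = [
    op(4713, "08:31:00", "T1", "W12", "ANCILLARY_POINT_SWITCHING", "manual"),
    op(4714, "08:40:00", "", "S4", "UNBLOCK_SIGNAL", "manual"),  # no terminal
]

if __name__ == "__main__":
    for name, value in reconcile(TECHNICAL, MANUAL, 4711, 4716).items():
        print(f"{name}: {value}")
```

The `first` and `last` arguments are the counter readings at the start and end of the period under review, read from the counter itself rather than from the log being checked.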
DEF In Recording level 1 the ancillary operations and any standard operations
subject to authorisation are automatically recorded.
DEF In Recording level 2 all standard and ancillary operations and all textual error
and fault messages generated by subsystems are automatically recorded.
DEF In Recording level 3 all standard and ancillary operations, all textual error and
fault messages generated by subsystems and all operational status messages are
automatically recorded.
Recording level 3 includes the record & playback function, i.e. continuous recording
and playback where necessary of interlocking magnifier images.
ANF New signal and train protection systems must implement Recording level 2 at
a minimum. Where possible, Recording level 3 should be implemented.
ANF The recordings collected under Recording levels 2 and 3 must where
necessary have an option for manual or partly automated evaluation for the
following objectives:
10 Annexes
10.1 Abbreviations
The abbreviations of acts, ordinances, standards and other regulations are not listed
here but in Annex 3 (Acts and regulations, guidelines and standards).
Internal text marks for TRStrab SIG (such as ANF for requirement) are grey
shaded.
R recommended
RSTW relay interlocking installations (push-button, track layout diagram, rail
plan interlocking)
SBA safety-related acceptance of TRStrab SIG
SPNV local passenger transport by rail
TAB Safety Authority
THR tolerable hazard rate
TR Technical rules
UGT Urban guided transport
UGTMS Urban guided transport management and command/control system
10.2 Definitions
Some definitions of TRStrab SIG are listed with a reference to the TRStrab SIG
section. Definitions from other documents are listed with their definition text and
source.
Term Definition
Approval Administrative act of the authority which allows a
system to be commissioned within a specified scope.
This approval is clarified in writing.
Railway companies Companies as defined in § 3 PBefG.
Review Analysis process to ascertain whether the draft and
validation of a product has managed to meet the
specified requirements and to assess whether the
product is suitable for its intended use.
Overlap, (D-Weg) The overlap is a part of a route which must be kept
free as a neutral section for safety reasons.
One-off test Corresponds in terms of content to the procedure for
product or type approval but only covers the scope of
application of a system.
Permission to use (operating permit) Formal permission to use a product within specified
application limits.
Vehicle operation Vehicle operation includes setting and securing
routes, dispatching and driving trains and
shunting (§ 1(5) BOStrab).
Hazard logbook Procedure to continuously document all safety-
relevant errors revealed and the elimination thereof by
manufacturers and railway companies.
Grade of automation, GOA See definitions GOA0 to GOA4 in Chapter Operation
modes
Requirement specifications Also called system requirement specifications
Description of the direct requirements, expectations
and wishes for a planned system, formulated in
natural language. DIN 69905 describes requirement
specifications as all requests of a contracting entity in
relation to delivery and performance by a contractor
as part of an order.
Life cycle The activities during a time period that starts with the
conception of a system and ends with its
decommissioning when the system is no longer
available for use.
Technical specifications Also known as system architecture and
system design specifications
Description of the implementation of requirement
specification requirements by the manufacturer.
According to DIN 69905, technical specifications
include the implementation plan drawn up by the
contractor based on the execution of the requirement
specifications prescribed by the contracting entity.
Project planning The structuring and connecting of hardware and
software of a generic application for its specific
intended application.
PT1 Plan section 1
Construction documents to be submitted providing a
sufficient description of a planned application without
anticipating technical implementation later in the life
cycle. PT1 includes requirement specifications, risk
analysis and draft planning documents.
PT2 Plan section 2
Construction documents to be submitted providing a
sufficient description of an application implemented
for planning and acceptance testing. PT2 includes
technical specifications, evidence of controlled
hazards and implementation documents.
RAMS Reliability
Availability
Maintainability
Safety
Risk analysis Determining safety requirements for a protective
function or subsystem to reduce risk arising from a
process.
Risk analysis (qualitative) Determining the necessary minimum on the basis of
classified risk parameters.
Risk analysis (quantitative) Mathematical determination of tolerable hazard rates
on the basis of statistical input data.
Safety Integrity see Safety integrity
Safety Integrity Level (SIL) see Safety integrity level
Safety Absence of inadmissible risk of damage.
Safety integrity level (SIL) One of a specified number of discrete steps to specify
sufficient safety of safety functions assigned to safety-
relevant systems. The safety integrity level with the
highest number has the highest level of sufficient
safety.
Safety report Document in which an expert definitively sets out the
results of a product or application review.
Safety integrity The probability that a system meets the safety
requirements defined under all defined conditions
within a specified time period.
Safety management The management structure that ensures that the
safety process is correctly implemented.
Proof of safety Documented evidence that the product meets the
specified safety requirements.
Safety plan A documented compilation of scheduled measures,
tools and events used to introduce an organisational
structure, responsibilities, procedures, measures,
skills and tools. Overall, this ensures that an object
meets the safety requirements specified for a given
contract or project.
Tram Under § 4(2) PBefG, elevated railways, underground
railways, suspension railways and similar railways
with a special design are also considered tramways.
System requirement specifications see Requirement specifications
System architecture specifications see Technical specifications (part of technical
specifications)
System design specifications see Technical specifications (part of technical
specifications)
Safety Authority Safety Authority as defined in § 54(1)(3) PBefG.
Source: TR SIG ZA.
Validation Evidence from tests and analyses that
the generic product,
the generic application,
the specific application,
meets the requirements specified for intended use in
all respects.
Verification Determination from analyses and tests that the results
of each phase of a life cycle meet the requirements
of the preceding phase.
Availability The ability of a product to be in a state in which it can
fulfil a function under specified conditions by a
specified time or during a specified period of time,
provided that the necessary external means are
provided.
Approval Formal permission to use a product or generic or
specific application within the specified application
limits.
Authorisation Decision by the competent supervisory authority
under § 60(3) BOStrab that building of the operating
system may begin.
Bibliography
Standards
DIN EN 50126 Rail applications - specification and proof of reliability, availability,
maintainability and safety (RAMS), March 2000. Also IEC 62278.
DIN EN 50128 Railway applications - Communications, signalling and processing
systems - Software for railway control and protection systems,
November 2001. Also IEC 62279.
DIN EN 50129 EN 50129, Railway applications - Communications, signalling and
processing systems - Safety-related electronic systems for
signalling, December 2003.
Mü 8004 Technical Principles for the Approval of Safety-related Systems for
Signalling (Mü 8004). Federal Railway Authority (EBA), Central
Munich office, 01.08.2003.
DIN VDE 0831 Electric signalling systems for railways. DKE in DIN VDE, April 2006.
DIN EN 61508 Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-related Systems, November 2002.
DIN EN 62267 DIN EN 62267 (VDE 0831-267):2008, Railway applications -
Automated urban guided transport (AUGT) - Safety requirements.
DKE in DIN VDE, Draft, 2008.
DIN EN 62290-1 DIN EN 62290-1 (VDE 0831-290-1):2007, Railway applications -
Urban guided transport management and command/control systems -
Part 1: System principles and fundamental concepts.
DKE in DIN and VDE, August 2007.
DIN EN 62290-2 DIN EN 62290-2 (VDE 0831-290-2):2009, Railway applications -
Urban guided transport management and command/control systems -
Part 2: Functional application specifications.