Safe Braking Model Explained

During my teenage years, my driving instructor taught me the three second rule; the minimum separation between my car and the car in front had to be three seconds. He drilled this rule into my head, but a rule for cars does not translate well when driving a fifty ton train at 60 km/h around a blind curve. Something a little more sophisticated is required.

The equivalent guideline in the conventional signalling world is the “one block separation” rule; the distance separating two trains must be one block. This 150 year old practice ensures that if a train is tripped there is enough distance to stop the train.

However, over the past 30 years many transit authorities have moved away from conventional signalling and adapted CBTC technologies where the “one block separation” rule no longer applies. Trains now travel with a smaller separation between them, but how close can they operate and still maintain safety? 

The safe braking model is the method used to determine the minimum separation between trains. IEEE 1474.1 defines it as: 

“An analytical representation of a train’s performance while decelerating to a complete stop, allowing for a combination of worst-case influencing factors and failure scenarios. A CBTC equipped train will stop in a distance equal to or less than that guaranteed by the safe braking model.” (IEEE CBTC standard 1474.1, section 3.1)

That’s a mouth full.

Translation: the safe braking model is the calculated distance to stop a train, under the worst case failure, without colliding with an obstacle in front.

In appendix D of the same standard, IEEE provides a graphical illustration of a typical safe braking model (shown below). I’ll break down each element of this model and explain the rationale behind it.

Safe Braking Model Explained

Speed Profile Curve

The first element of the safe braking model is the ATP speed profile curve. This curve dictates the maximum speed the train is allowed to travel at. It’s a curve dynamically built by the train borne unit based on the characteristics of the track (Curve or grade) and train (brake rate, jerk rate, EB rate etc.).

The train borne unit will try to maintain the train speed as close as possible to the ATP speed profile by commanding brakes if the actual speed of the train is above the curve and command propulsion (accelerate) if the speed is below the curve.

Over Speed Detection Curve

The train speed cannot stray too far away from the ATP speed profile curve because this means the train is travelling at a dangerous speed which may result in a derailment or possible collision. Therefore, the train borne unit must maintain the actual speed within a narrow band called the ATP Over Speed Detection Curve. This curve is usually 3 to 5 km/h above the ATP speed profile and if the speed crosses this threshold, the emergency brakes (EBs) are released.

Emergency Brake (EB) Curve

The fastest way to stop a train is by the emergency brakes (EB). There is a finite distance the train will travel before coming to a stop and the emergency brake curve models this behaviour.

The starting point for the EB curve is slightly above the point where the train speed crossed the over speed detection curve. This is to take into account the error emanating from the tachometer or speed sensor. If the train was travelling 65 km/h, the model assumes the train is travelling at 67 km/h when the over speed occurred.

Segment A - Train Borne Unit Reaction Time – Segment A is the lag (due to hardware and software delays) before the train borne unit detects the over speed condition and issues the EB release command.

In this segment, the model shows a rapid acceleration. This is based on the assumption that the propulsion unit failed at the moment the over speed occurred causing an uncontrolled acceleration (runaway propulsion).  Since the EBs have not initiated, there is nothing preventing this acceleration. 

Segment B – Time to Disable Propulsion Unit after EBs Initiated – Segment B is the time it takes the propulsion unit to disable its output after the train borne unit sent the EB release command.

To prevent the situation where the train is emergency braking while the propulsion unit is commanding effort (accelerating), the EB status is fed directly to the propulsion unit. This allows the propulsion unit to disable its output when the EB release command is sent by the train borne unit.

Segment C – Additional Time to Apply EBs – The time it takes to physically release the EBs to the moment the brakes are touching the axle is defined by segment C. Since the propulsion is disabled but the EBs are not touching the axle, the train is coasting (flat line) because there is no force to propel the train nor to stop it.

Segment D – Emergency Brake Build Up Time – The brakes are now touching the axle but they are not applying full pressure. Segment D is the time it takes for the EBs to build up to 100% of its braking capability. The train is slowing down but not at the required GEBR (Guaranteed Emergency Brake Rate).

Segment E –Full Emergency Braking at GEBR – The emergency brakes are fully engaged and the train is stopping rapidly. GEBR is the Guaranteed Emergency Brake Rate. This is not the full braking capability of the EBs but an assumed reduced brake rate taking into account failures conditions such as seven axles out of eight have operational brakes.

Positional Uncertainty

Under an absolute worst case scenario, the black train will stop where segment E ends but there are aspects of the blue train in front that must consider by the safe braking model as well. 

If the blue train reported its rear position where segment E ends, the blue train would be considered safe from collision but, this assumes the reported position is accurate.

A position report cannot be taken at face value because there is always uncertainty due to the resolution of the tachometer, accuracy of the placement of the beacons, wheel wear etc. The train may report its location at chainage 300m but its actual location is chainage 297m. Hence, the positional uncertainty must be included as part of the safe braking model, otherwise there may be a possibility of a collision (see diagram above).

The positional uncertainty is added to segment E. This means if the rear of the blue train is located anywhere within this area, there is no possibility the black train will collide with it (see diagram below).

Since positional uncertain is a factor on the rear position, it will also be a factor on the front position and therefore must be applied to the front of the black train. This means, the safe braking model assumes the front of the black train is further ahead than reported. This is the point where segment A of the EB curve begins.

All of these elements taken together form the safe braking model. This analysis will determine the minimum safety distance the trains must maintain at any point on the track. 

Safe Train Separation

The safe braking model is a methodology to determine the safe separation between trains but, how is the model applied in a real world CBTC application? A simple example is the best way to understand.

Two trains are following each other, a black train and a blue train. Both trains report the front and rear position to the wayside unit through the radio.

When a route is requested for the black train, the wayside unit will add the positional uncertainty to the rear of the blue train, establishing the Limit of Movement Authority (LMA); this is the furthest the black train is permitted to travel.

The LMA is transmitted to the black train through the radio network establishing a brick wall that cannot be crossed even under a worst case failure.

The train borne unit will build the emergency brake curve from the LMA (brick wall) to its current position based on the speed and location of the train.

Next, the train borne unit will build the over speed detection and speed profile curves that define the target point the train must stop at.

The black train will follow the speed profile to the target point. If the train experiences an over speed condition, the train will emergency brake to a stop before the LMA.


The safe braking model is the 3 second rule for the CBTC world; it defines the minimum safety distance allowed between trains. The model assumes various failures occurring at the same time and if this type of failure were to occur, the train behind is guaranteed to stop before colliding with the train in front.

Some may argue the IEEE model defines the absolute minimum separation that must be maintained between trains in a CBTC system. I don’t believe this is the case; I believe trains can operate at smaller separations than that defined by IEEE but it requires a different approach to building the safe braking model. 

We’ll save that topic for another day.