Railway Signalling Communication Network — Layered Safety Architecture with PRP Backbone

System

Railway Signalling System, sixth subsystem decomposition. The {{entity:Signalling Communication Network}} {{hex:40E57018}} is the infrastructure backbone connecting all safety-critical subsystems — it carries interlocking commands, track occupancy data, ETCS movement authorities, and diagnostic information between the {{entity:Computer-Based Interlocking}}, {{entity:Train Detection Subsystem}}, {{entity:ETCS Radio Block Centre}}, and field equipment. Six of eleven top-level subsystems are now decomposed into components with requirements and interfaces.

Decomposition

The communication network was decomposed into six components reflecting a layered architecture that separates physical transport, safety protocol, security boundary, time distribution, and monitoring concerns.

The {{entity:Safety-Critical Data Network Switch}} {{hex:D4A57058}} forms the Ethernet backbone using the Parallel Redundancy Protocol (PRP, IEC 62439-3), which sends every frame over both LANs so that loss of one path needs no recovery time. PRP was chosen over HSR because the signalling equipment room (SER) uses a star topology, not a ring. The switches operate at SIL2 because end-to-end safety integrity is provided by the {{entity:RaSTA Protocol Stack}} {{hex:40B57B58}} as middleware, with the network treated as an untrusted transmission channel — a deliberate architectural choice that avoids the cost and complexity of SIL4-certifying network infrastructure.
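The duplicate-discard behaviour that gives PRP its zero recovery time, as an added illustration (not code from the signalling project): a sending node tags each frame with a Redundancy Control Trailer and transmits it on both LANs, and the receiving node passes the first copy of each sequence number up the stack and drops the second. The trailer layout follows the public PRP specification; the window size, the node name TDS-01 and the occupancy traffic are constructed. The receiver also counts frames per LAN and LAN-id mismatches, because a path that is silently losing frames, or a miswired one, is exactly what the monitoring agent should alarm on while the application still sees no loss.

```python
"""Model of the IEC 62439-3 PRP duplicate-discard mechanism.

Added illustration; not code from the signalling project. The 6-byte
Redundancy Control Trailer (16-bit sequence number, 4-bit LAN id,
12-bit LSDU size, 0x88FB suffix) follows the public PRP specification;
the window size, node names and traffic below are constructed.
"""
import struct
from collections import deque

PRP_SUFFIX = 0x88FB
LAN_A, LAN_B = 0xA, 0xB
WINDOW = 32   # assumption: sequence numbers remembered per source node


def build_frames(payload: bytes, seq: int) -> dict:
    """Frames a dual-attached node sends for one message: one per LAN.

    Both copies carry the same sequence number; only the LAN id differs.
    The LSDU size field covers the payload plus the trailer itself.
    """
    lsdu_size = (len(payload) + 6) & 0x0FFF
    frames = {}
    for lan in (LAN_A, LAN_B):
        rct = struct.pack(">HHH", seq & 0xFFFF, (lan << 12) | lsdu_size, PRP_SUFFIX)
        frames[lan] = payload + rct
    return frames


def parse_rct(frame: bytes):
    """Return (payload, seq, lan_id) or None if no valid RCT is present."""
    if len(frame) < 6:
        return None
    seq, lan_size, suffix = struct.unpack(">HHH", frame[-6:])
    if suffix != PRP_SUFFIX or (lan_size & 0x0FFF) != (len(frame) & 0x0FFF):
        return None
    return frame[:-6], seq, lan_size >> 12


class PrpReceiver:
    """Link redundancy entity of a receiving node: passes the first copy
    of each sequence number up the stack and discards the second."""

    def __init__(self):
        self.windows = {}                      # source -> recently accepted seqs
        self.delivered = []                    # payloads handed to the IP layer
        self.discarded = 0                     # duplicates dropped
        self.wrong_lan = 0                     # RCT LAN id != ingress LAN
        self.received = {LAN_A: 0, LAN_B: 0}   # frames seen per LAN

    def receive(self, source: str, ingress_lan: int, frame: bytes) -> bool:
        parsed = parse_rct(frame)
        if parsed is None:
            return False   # not a PRP frame; a real LRE would pass it through
        payload, seq, lan_id = parsed
        self.received[ingress_lan] += 1
        if lan_id != ingress_lan:
            self.wrong_lan += 1   # miswired LAN: alarm-worthy, frame still usable
        window = self.windows.setdefault(source, deque(maxlen=WINDOW))
        if seq in window:
            self.discarded += 1
            return False
        window.append(seq)
        self.delivered.append(payload)
        return True

    def lan_imbalance(self) -> int:
        """Frames seen on LAN B minus LAN A; a persistent non-zero value
        means one path is losing frames although the application sees none."""
        return self.received[LAN_B] - self.received[LAN_A]


def simulate(n_frames: int = 6, lan_a_down=range(2, 4)) -> PrpReceiver:
    """Send n_frames track-occupancy messages while LAN A drops the
    frames whose sequence numbers fall in lan_a_down."""
    rx = PrpReceiver()
    for seq in range(n_frames):
        frames = build_frames(f"occupancy TC-{seq:03d}".encode(), seq)
        if seq not in lan_a_down:
            rx.receive("TDS-01", LAN_A, frames[LAN_A])
        rx.receive("TDS-01", LAN_B, frames[LAN_B])
    return rx


if __name__ == "__main__":
    rx = simulate()
    print(len(rx.delivered), "delivered,", rx.discarded, "duplicates discarded,",
          "LAN imbalance", rx.lan_imbalance())
```

With LAN A dropping two of six frames, all six payloads are still delivered in order and no retransmission is needed; the only visible symptom is the per-LAN count imbalance, which is the signal a diagnostic agent should raise rather than waiting for the second path to fail too.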

The {{entity:Lineside Transmission Multiplexer}} {{hex:D0E57018}} extends connectivity from the SER to trackside locations over single-mode fiber trunks spanning up to 50 km, with automatic protection switching under 50 ms. The {{entity:Network Time Distribution Server}} {{hex:54F77218}} provides IEEE 1588v2 PTP synchronization with sub-microsecond accuracy and 24-hour rubidium holdover for juridical recording timestamps. The {{entity:Cybersecurity Boundary Gateway}} {{hex:D1B77858}} enforces TS 50701 zone separation between vital and non-vital domains using deep packet inspection and protocol allowlisting. The {{entity:Network Diagnostic and Monitoring Agent}} {{hex:55E67308}} provides SNMP v3 health monitoring with 30-second alarm detection for link degradation.
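The zone separation the boundary gateway enforces, as an added illustration (not the project's gateway code): a default-deny allowlist of conduits between the non-vital and vital zones, with message-level inspection applied only to the types that are allowed at all, so that non-vital systems such as the TMS can only request and the vital side decides. Zone names, protocol names, message types, route identifiers and the sample flows are all constructed.

```python
"""Zone-boundary allowlist with message-level inspection.

Added illustration of TS 50701-style separation between vital and
non-vital zones; not the project's gateway. Zone names, protocols,
message types, route identifiers and the sample flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    msg_type: str
    payload: tuple = ()   # (key, value) pairs, kept hashable for a frozen dataclass


# Conduits permitted across the boundary; anything else is denied.
# Non-vital systems may only *request*; the interlocking decides, and
# only state reports flow back out. Monitoring is read-only (no SET).
ALLOWLIST = {
    ("non-vital", "vital", "tms-app"): {"ROUTE_REQUEST", "ROUTE_CANCEL_REQUEST"},
    ("vital", "non-vital", "tms-app"): {"STATUS_REPORT", "ALARM"},
    ("non-vital", "vital", "snmp-v3"): {"GET", "GETNEXT"},
}
KNOWN_ROUTES = {"R101", "R102", "R103"}   # constructed route table
ROUTE_FIELDS = {"route", "requester"}     # exact field set a route request may carry


def inspect(flow: Flow):
    """Return (permit, reason). Deep inspection only runs on message
    types that passed the conduit and type allowlist."""
    allowed = ALLOWLIST.get((flow.src_zone, flow.dst_zone, flow.proto))
    if allowed is None:
        return False, "no conduit for %s %s->%s" % (flow.proto, flow.src_zone, flow.dst_zone)
    if flow.msg_type not in allowed:
        return False, "message type %s not allowlisted" % flow.msg_type
    fields = dict(flow.payload)
    if flow.msg_type in ("ROUTE_REQUEST", "ROUTE_CANCEL_REQUEST"):
        if set(fields) != ROUTE_FIELDS:
            return False, "unexpected fields %s" % sorted(set(fields) ^ ROUTE_FIELDS)
        if fields["route"] not in KNOWN_ROUTES:
            return False, "unknown route %s" % fields["route"]
    return True, "permit"


def filter_flows(flows):
    """Apply the policy; return the permit decisions and an audit trail of denials."""
    decisions, audit = [], []
    for f in flows:
        ok, reason = inspect(f)
        decisions.append(ok)
        if not ok:
            audit.append("DENY %s %s->%s %s: %s" % (f.proto, f.src_zone, f.dst_zone, f.msg_type, reason))
    return decisions, audit


# Constructed sample traffic at the boundary.
SAMPLE_FLOWS = [
    Flow("non-vital", "vital", "tms-app", "ROUTE_REQUEST", (("route", "R101"), ("requester", "TMS-1"))),
    Flow("non-vital", "vital", "tms-app", "ROUTE_REQUEST", (("route", "R999"), ("requester", "TMS-1"))),
    Flow("non-vital", "vital", "tms-app", "ROUTE_REQUEST", (("route", "R101"), ("requester", "TMS-1"), ("force", "1"))),
    Flow("non-vital", "vital", "tms-app", "POINT_COMMAND", (("point", "P7"),)),
    Flow("non-vital", "vital", "snmp-v3", "SET", (("oid", "1.3.6.1"),)),
    Flow("vital", "non-vital", "tms-app", "STATUS_REPORT", (("route", "R101"), ("state", "set"))),
    Flow("non-vital", "vital", "ssh", "SESSION", ()),
]

if __name__ == "__main__":
    decisions, audit = filter_flows(SAMPLE_FLOWS)
    print(decisions)
    print("\n".join(audit))
```

Two design points worth noting: the gateway never forwards a command type (point or signal commands are not in the allowlist at all), and a permitted request still carries no authority, since the interlocking applies its own route-locking checks. The gateway reduces exposure; it does not replace the vital logic.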

flowchart TB
  n0["Safety-Critical Data Network Switch"]
  n1["Lineside Transmission Multiplexer"]
  n2["RaSTA Protocol Stack"]
  n3["Network Time Distribution Server"]
  n4["Cybersecurity Boundary Gateway"]
  n5["Network Diagnostic and Monitoring Agent"]
  n1 -->|Fiber trunk data| n0
  n0 -->|IP transport| n2
  n3 -->|PTP sync| n0
  n4 -->|Filtered non-vital traffic| n0
  n5 -.->|SNMP polling| n0
  n5 -.->|SNMP polling| n1
  n5 -.->|SNMP polling| n4

Analysis

Cross-domain entity search revealed the {{entity:Vehicle Cybersecurity Gateway}} from the autonomous vehicle domain at 93.75% Jaccard similarity with the railway {{entity:Cybersecurity Boundary Gateway}} — both enforce zone separation between safety-critical and non-vital networks using allowlisting and deep packet inspection. The {{entity:COMSEC Key Management Module}} from the naval combat management system also scored 90.6%, confirming that security boundary enforcement is ontologically consistent across transport, automotive, and defence domains. This validates the TS 50701 approach as domain-appropriate rather than borrowed from IT security.

The RaSTA Protocol Stack {{hex:40B57B58}} was classified as software (not physical), state-transforming, and temporally aware — correctly reflecting its nature as SIL4 middleware with sequence checking and timeout monitoring. The classification divergence between the physical switches and the software protocol stack confirms that the architectural layering is ontologically sound.
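How a safety layer of this kind earns its integrity over a SIL2 network, as an added illustration of the sequence checking and timeout monitoring described above and of the EN 50159 requirement in the Requirements section (not the project's RaSTA stack and not the RaSTA PDU layout): every message carries a sequence number, a send timestamp and a keyed safety code, and the receiver closes the connection on the first message that is out of order, stale or fails its code, leaving the application to fall back to its safe state. The HMAC-SHA256 code is a stand-in for RaSTA's own safety code, and the key, the age limit T_MAX_MS and the movement-authority scenario are constructed. The age check depends on sender and receiver clocks agreeing, which is the role the network time distribution server plays.

```python
"""Simplified safety layer over a non-trusted transmission channel
(EN 50159 defences: sequence number, timestamp with timeout, keyed
safety code).

Added illustration; not the project's RaSTA stack and not RaSTA's own
PDU format. HMAC-SHA256 stands in for the RaSTA safety code; the key,
T_MAX_MS and the scenario are constructed.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: real links use provisioned keys
T_MAX_MS = 750                  # assumption: maximum accepted message age
HDR = struct.Struct(">IIH")     # sequence number, send timestamp (ms), payload length
CODE_LEN = 8


def safety_code(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()[:CODE_LEN]


def build_pdu(seq: int, ts_ms: int, payload: bytes) -> bytes:
    body = HDR.pack(seq, ts_ms, len(payload)) + payload
    return body + safety_code(body)


class SafetyReceiver:
    """Accepts PDUs only in order, fresh and intact. On the first
    violation the connection closes; the application must then treat
    the link as failed (no movement authority is valid)."""

    def __init__(self):
        self.expected_seq = 0
        self.state = "UP"
        self.accepted = []
        self.errors = []

    def _fail(self, reason: str) -> bool:
        self.errors.append(reason)
        self.state = "CLOSED"
        return False

    def receive(self, pdu: bytes, now_ms: int) -> bool:
        if self.state != "UP":
            self.errors.append("closed")
            return False
        if len(pdu) < HDR.size + CODE_LEN:
            return self._fail("length")
        body, code = pdu[:-CODE_LEN], pdu[-CODE_LEN:]
        # Integrity first: a corrupted or forged PDU must not touch state.
        if not hmac.compare_digest(code, safety_code(body)):
            return self._fail("safety-code")
        seq, ts_ms, n = HDR.unpack(body[:HDR.size])
        payload = body[HDR.size:]
        if len(payload) != n:
            return self._fail("length")
        if seq != self.expected_seq:
            return self._fail("sequence")   # loss, reordering or replay
        # Delay check: needs synchronised clocks (the PTP server's job).
        if now_ms - ts_ms > T_MAX_MS:
            return self._fail("timeout")
        self.expected_seq += 1
        self.accepted.append(payload)
        return True


def run_scenario() -> SafetyReceiver:
    """Constructed scenario: two good messages, one held too long in the
    channel, one that arrives after the connection has closed."""
    rx = SafetyReceiver()
    scenario = [  # (seq, sent_ms, arrival_ms, payload)
        (0, 1000, 1010, b"MA to S12"),
        (1, 1500, 1520, b"MA extend to S14"),
        (2, 2000, 2900, b"MA shorten to S12"),   # 900 ms old on arrival
        (3, 2500, 2510, b"MA extend to S16"),    # link already closed
    ]
    for seq, sent, arrival, payload in scenario:
        rx.receive(build_pdu(seq, sent, payload), arrival)
    return rx


if __name__ == "__main__":
    rx = run_scenario()
    print(rx.state, rx.errors, rx.accepted)
```

The order of the checks matters: the safety code is verified before any header field is interpreted, so a damaged or injected PDU cannot advance the sequence counter or close the link with attacker-chosen values. Closing on the first violation, rather than skipping the bad message, is what turns a SIL2 channel into something a SIL4 application can rely on: the application never sees a stale or out-of-order authority, it sees a failed link.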

Requirements

Eight subsystem requirements were created: PRP zero-frame-loss failover ({{sub:SUB-REQS-FUNC-043}}), a 50ms end-to-end latency budget derived from the 500ms signal update timing ({{sub:SUB-REQS-FUNC-044}}), EN 50159 Category 3 RaSTA safety at a 10^-9 residual error rate ({{sub:SUB-REQS-FUNC-045}}), PTP sub-microsecond synchronization with 24-hour holdover ({{sub:SUB-REQS-FUNC-046}}), TS 50701 cybersecurity zone separation ({{sub:SUB-REQS-FUNC-047}}), lineside 99.999% availability with 50ms protection switching ({{sub:SUB-REQS-FUNC-048}}), a monitoring alarm within 30 seconds ({{sub:SUB-REQS-FUNC-049}}), and PRP degraded-mode operation ({{sub:SUB-REQS-FUNC-050}}). Five interface requirements cover the fiber trunk, CBI dual-path PRP, TMS boundary flow control, PTP boundary clock, and monitoring-to-diagnostic interfaces ({{ifc:IFC-CBIINTERFACES-023}} through {{ifc:IFC-CBIINTERFACES-027}}). Seven verification entries provide fault injection tests for PRP failover, RaSTA error detection, cybersecurity penetration testing, PTP accuracy measurement, and link degradation alarm validation. All requirements are traced to parent system requirements, and all interface requirements have verification entries.

Next

Five subsystems remain: Colour-Light Signalling Output (safety-critical, high priority — driver-facing signal aspects), Traffic Management System, Signaller Workstation, Signalling Power Supply System, and Signalling Diagnostic and Monitoring System. The next session should tackle Colour-Light Signalling Output as it directly affects train movement safety and interfaces heavily with the CBI. Duplicate architecture decision {{stk:ARC-SYS-ARC-007}} vs {{stk:ARC-SYS-ARC-008}} should be resolved in the next QC pass.