Colour-Light Signalling Output — SIL4 Safety Monitoring Architecture and Lamp Failsafe Decomposition
System
Railway Signalling System, seventh subsystem decomposition: {{entity:Colour-Light Signalling Output}}. Prior sessions completed Computer-Based Interlocking, Train Detection, ETCS Radio Block Centre, Level Crossing Protection, Points and Crossing Drive, and Signalling Communication Network. Project now stands at 166 requirements across 6 documents, with 7 of 11 subsystems decomposed into components. Four subsystems remain: Signalling Diagnostic and Monitoring System, Signalling Power Supply System, Signaller Workstation, and Traffic Management System.
Decomposition
The Colour-Light Signalling Output subsystem was decomposed into five components, selected by their distinct engineering roles and safety-critical boundaries:
- {{entity:Signal Aspect Driver}} {{hex:54F57818}} — Electronics board receiving vital digital commands from the CBI Object Controller and converting them to regulated 24VDC LED drive currents. Implements aspect sequencing rules and incorporates a de-energised failsafe relay defaulting to danger on loss of command or power.
- {{entity:LED Signal Module}} {{hex:D6C55058}} — Individual LED lamp unit per aspect position, containing 50–70 LEDs in redundant strings with built-in current monitoring. Designed for 100,000-hour MTBF with graceful degradation to 70% output.
- {{entity:Multi-Aspect Signal Head}} {{hex:DEC57058}} — Physical housing for 2–4 LED modules in vertical configuration with anti-phantom hoods and IP66-rated enclosure. Sighting distance requirement: 1000m clear, 200m fog.
- {{entity:Signal Proving and Monitoring Unit}} {{hex:54F57858}} — SIL4 2oo2 comparison architecture continuously monitoring LED string currents. Forces danger aspect via hardware failsafe relay within 500ms of detecting proceed-aspect degradation below 70%.
- {{entity:Junction Route Indicator}} {{hex:D4F47850}} — Feather or theatre-type route display driven by separate route data, with independent hardware interlock preventing illumination alongside a danger aspect.
The key architectural decision separates the safety monitoring function (Signal Proving Unit) from the drive function (Signal Aspect Driver), maintaining EN 50129 independence between the function that could fail dangerously and the function that detects that failure.
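The following C model is an added example, not code from this session or from the project it describes. It shows how the behaviour stated for the Signal Proving and Monitoring Unit, the Signal Aspect Driver's de-energised relay and the Junction Route Indicator interlock fits together: two monitoring channels each judge LED string current against the 70% floor, the 2oo2 comparison resolves any single-channel fault or inter-channel disagreement to the unsafe side, and the relay drops to danger on loss of power or command. The 70% threshold and the 500 ms deadline come from the page; the nominal 20 mA string current, 10 ms sample period, 100 ms confirm time, 10% channel tolerance and every type and function name are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* From the page: 70% degradation floor and 500 ms failsafe deadline. Everything
 * else below is an assumption for this model, not a project value. */
#define DEGRADATION_PERCENT   70
#define FAILSAFE_DEADLINE_MS  500
#define NOMINAL_STRING_MA     20    /* assumed nominal current per LED string */
#define TICK_MS               10    /* assumed sampling period of the proving unit */
#define CONFIRM_MS            100   /* assumed debounce; kept well under the deadline */
#define CHANNEL_TOLERANCE_PCT 10    /* assumed max disagreement between the two channels */
#define MAX_STRINGS           4

typedef enum { ASPECT_DANGER = 0, ASPECT_CAUTION = 1, ASPECT_PROCEED = 2 } aspect_t;

/* One frame of string-current measurements from one of the two monitoring channels. */
typedef struct {
    uint8_t  n_strings;
    uint16_t string_ma[MAX_STRINGS];
} channel_sample_t;

/* Failsafe relay: energised = proceed aspects may show, de-energised = danger. */
typedef struct {
    bool     energised;
    uint32_t degraded_ms;   /* time the lit proceed aspect has been below threshold */
} failsafe_relay_t;

static uint32_t total_ma(const channel_sample_t *s) {
    uint32_t t = 0;
    for (uint8_t i = 0; i < s->n_strings && i < MAX_STRINGS; i++) t += s->string_ma[i];
    return t;
}

/* Single-channel verdict: is lamp output at or above 70% of nominal? */
static bool channel_ok(const channel_sample_t *s) {
    uint32_t nominal = (uint32_t)s->n_strings * NOMINAL_STRING_MA;
    if (nominal == 0) return false;                 /* no strings configured: fault */
    return total_ma(s) * 100 >= nominal * DEGRADATION_PERCENT;
}

/* 2oo2 comparison: both channels must pass independently AND agree with each other.
 * A single-channel fault or a disagreement is resolved to the unsafe side. */
static bool two_oo_two_ok(const channel_sample_t *a, const channel_sample_t *b) {
    if (!channel_ok(a) || !channel_ok(b)) return false;
    uint32_t ta = total_ma(a), tb = total_ma(b);
    uint32_t hi = ta > tb ? ta : tb, lo = ta > tb ? tb : ta;
    return (hi - lo) * 100 <= hi * CHANNEL_TOLERANCE_PCT;
}

/* Advance the proving unit one tick; returns the aspect actually displayed. */
aspect_t spmu_step(failsafe_relay_t *relay, aspect_t commanded, bool command_valid,
                   bool power_ok, const channel_sample_t *ch_a, const channel_sample_t *ch_b) {
    /* De-energised failsafe: no power, no valid command, or danger commanded drops the relay at once. */
    if (!power_ok || !command_valid || commanded == ASPECT_DANGER) {
        relay->energised = false;
        relay->degraded_ms = 0;
        return ASPECT_DANGER;
    }
    if (two_oo_two_ok(ch_a, ch_b)) {
        relay->energised = true;
        relay->degraded_ms = 0;
        return commanded;
    }
    /* Proceed aspect degraded: accumulate towards the confirm time, then force danger. */
    relay->degraded_ms += TICK_MS;
    if (relay->degraded_ms >= CONFIRM_MS) {
        relay->energised = false;
        return ASPECT_DANGER;
    }
    return relay->energised ? commanded : ASPECT_DANGER;
}

/* Junction Route Indicator interlock: the route display may only light while the
 * proving relay is energised, so it can never appear alongside a danger aspect. */
bool jri_may_illuminate(const failsafe_relay_t *relay, bool route_data_present) {
    return route_data_present && relay->energised;
}

/* Scenario: a healthy proceed aspect degrades to 50% on both channels. Returns the
 * milliseconds from first degraded sample until danger is displayed. */
uint32_t time_to_danger_ms(void) {
    failsafe_relay_t relay = { false, 0 };
    channel_sample_t healthy  = { 3, { 20, 20, 20, 0 } };  /* constructed: 60 of 60 mA */
    channel_sample_t degraded = { 3, { 20, 10, 0, 0 } };   /* constructed: 30 mA = 50% */
    for (int i = 0; i < 5; i++)                            /* 50 ms of healthy operation */
        spmu_step(&relay, ASPECT_PROCEED, true, true, &healthy, &healthy);
    uint32_t elapsed = 0;
    while (spmu_step(&relay, ASPECT_PROCEED, true, true, &degraded, &degraded) != ASPECT_DANGER)
        elapsed += TICK_MS;
    return elapsed + TICK_MS;   /* the tick that produced danger counts too */
}

int main(void) {
    uint32_t t = time_to_danger_ms();
    printf("danger forced %u ms after degradation (deadline %d ms): %s\n",
           (unsigned)t, FAILSAFE_DEADLINE_MS, t <= FAILSAFE_DEADLINE_MS ? "PASS" : "FAIL");
    return t <= FAILSAFE_DEADLINE_MS ? 0 : 1;
}
```

The confirm time is the design choice worth scrutinising in review: it rejects transient current dips without consuming the 500 ms budget, and the scenario function is the kind of check a VER-TEST procedure would make explicit, because the requirement bounds the latency, not the debounce.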
```mermaid
flowchart TB
    SAD["Signal Aspect Driver"]
    LSM["LED Signal Module"]
    MASH["Multi-Aspect Signal Head"]
    SPMU["Signal Proving and Monitoring Unit"]
    JRI["Junction Route Indicator"]
    SAD -->|24VDC drive current| LSM
    SAD -->|Route drive data| JRI
    LSM -->|Aspect modules| MASH
    SPMU -->|Current monitoring| LSM
    SPMU -->|Failsafe override| SAD
```
Analysis
The hex code comparison between {{entity:Signal Aspect Driver}} {{hex:54F57818}} and {{entity:Signal Proving and Monitoring Unit}} {{hex:54F57858}} shows high similarity (both Synthetic, Powered, Intentionally Designed, Outputs Effect, Processes Signals/Logic, State-Transforming, System-integrated, System-Essential) but the Proving Unit additionally carries {{trait:Normative}} — it constrains behaviour by enforcing the failsafe rule. This ontological distinction validates the architectural separation: the driver converts commands, the monitor governs outcomes.
Lint returned 4 findings (0 high, 1 medium, 3 low). The medium finding flags “operating hour” lacking statistical parameters in {{stk:STK-NEEDS-OPS-001}} — a pre-existing issue. Three low-severity ontological ambiguity findings between “railway signalling system” and physical components are acknowledged from prior sessions. All 21 session requirements have rationale. All 4 orphan subsystem requirements were resolved with trace links.
Requirements
Ten subsystem requirements created ({{sub:SUB-REQS-FUNC-051}} through {{sub:SUB-REQS-FUNC-060}}), covering LED intensity thresholds, graceful degradation, failsafe timing, aspect sequencing, 2oo2 architecture, signal head visibility, junction indicator timing and aspect correlation, and diagnostic reporting. Five interface requirements ({{ifc:IFC-CBIINTERFACES-028}} through {{ifc:IFC-CBIINTERFACES-032}}) define the drive current, monitoring feedback, failsafe relay, diagnostic serial, and route indicator interfaces. Six verification entries (VER-TEST-047 through VER-TEST-052) provide integration test procedures with quantified pass/fail criteria. Sixteen trace links connect system requirements to subsystem requirements (derives) and interface/subsystem requirements to verification entries (verifies).
Next
Four subsystems remain undecomposed. Priority order for the next sessions: Signalling Power Supply System (safety-critical — powers all subsystems), Signaller Workstation (safety-critical HMI), Traffic Management System (operational), and Signalling Diagnostic and Monitoring System (maintenance). Two more sessions should bring the decomposition to first-pass completion.