Power supply and diagnostic monitoring decomposition closes infrastructure gap

System

{{entity:Railway Signalling System}}, continuing first-pass decomposition. At session start, 7 of 11 subsystems were decomposed with 170 requirements. This session targeted the two highest-priority remaining subsystems: {{entity:Signalling Power Supply System}} (safety-critical infrastructure on which all other subsystems depend) and {{entity:Signalling Diagnostic and Monitoring System}} (already referenced by multiple interface connections from previously decomposed subsystems). After this session: 9/11 subsystems decomposed, 203 total requirements, 56 PART_OF facts in the entity graph.

Decomposition

The {{entity:Signalling Power Supply System}} was decomposed into 5 components reflecting the real power distribution topology of a UK mainline signalling equipment room:

  • {{entity:Signalling Power Feeder}} {{hex:D4851018}} — dual mains intake with isolating transformers
  • {{entity:Signalling Uninterruptible Power Supply}} {{hex:D5F71218}} — online double-conversion UPS with VRLA battery bank
  • {{entity:Signalling Power Distribution Panel}} {{hex:D6A53018}} — vital/non-vital bus separation with per-circuit protection
  • {{entity:Track Circuit Power Feed Unit}} {{hex:D4D53018}} — audio-frequency AC generation for track circuits
  • {{entity:Power Supply Monitoring and Switchover Controller}} {{hex:55F77A18}} — SIL2 monitoring, auto switchover, load shedding

flowchart TB
  n0["Signalling Power Feeder"]
  n1["Signalling UPS"]
  n2["Power Distribution Panel"]
  n3["Track Circuit Power Feed"]
  n4["Monitoring Controller"]
  n0 -->|Mains AC| n1
  n0 -->|Direct feed bypass| n2
  n1 -->|Conditioned AC| n2
  n2 -->|110V AC vital| n3
  n4 -.->|Status monitor| n0
  n4 -.->|Battery health| n1
  n4 -.->|Circuit status| n2

The {{entity:Signalling Diagnostic and Monitoring System}} was decomposed into 4 components:

  • {{entity:Condition Monitoring Server}} {{hex:51B53218}} — predictive maintenance, 12-month data archive
  • {{entity:Event Logger and Replay Unit}} {{hex:50A57258}} — SIL2 tamper-evident recording, 1ms GPS timestamps
  • {{entity:Remote Diagnostic Gateway}} {{hex:50857958}} — read-only remote access with MFA and audit trail
  • {{entity:Alarm Management Processor}} {{hex:51F77A58}} — EEMUA 191 alarm rationalisation, root-cause correlation

flowchart TB
  n0["Condition Monitoring Server"]
  n1["Event Logger and Replay Unit"]
  n2["Remote Diagnostic Gateway"]
  n3["Alarm Management Processor"]
  n0 -->|Event data feed| n1
  n0 -->|Maintenance alarms| n3
  n3 -->|Raw alarm stream| n0
  n2 -.->|Remote read access| n0

Analysis

The online UPS topology (rather than standby) is driven by {{trait:Powered}} audio-frequency track circuit sensitivity — a transfer gap of even 10ms would cause spurious occupancy indications. The vital/non-vital bus separation at the distribution panel ensures {{trait:Active}} non-vital faults cannot propagate to safety-critical loads.

Cross-domain similarity search on {{entity:Alarm Management Processor}} returned {{entity:Minimal Risk Condition Controller}} (autonomous vehicle domain) at 96.9% Jaccard (31 of 32 {{trait:Intentionally Designed}} traits shared). Both are real-time safety-critical processors that must rationalise high-rate input streams and present prioritised actionable outputs to human operators. This analog validates the EEMUA 191 rationalisation approach — the autonomous vehicle domain faces the same alarm flood challenge during cascade failures.

Lint produced 5 findings (0 high, 1 medium, 4 low). The medium finding about “operating hour” statistical context is pre-existing from earlier sessions. The 4 low findings are ontological ambiguity between system-level abstractions and physical components (correct — the system IS abstract while its components ARE physical) and VER/ARC entries lacking “shall” (expected for test procedures and design rationale). Both acknowledged.

Requirements

This session created 33 engineering artefacts: 2 architecture decisions ({{stk:ARC-010}}, {{stk:ARC-012}}), 12 subsystem requirements ({{sub:SUB-REQS-FUNC-061}} through {{sub:SUB-REQS-FUNC-072}}), 7 interface requirements ({{ifc:IFC-CBIINTERFACES-033}} through {{ifc:IFC-CBIINTERFACES-039}}), and 12 verification entries ({{sys:VER-TEST-059}} through {{sys:VER-TEST-070}}). All requirements include rationale and verification method. Key trace chains:

  • {{sys:SYS-REQS-FUNC-003}} (redundancy) derives {{sub:SUB-REQS-FUNC-061}} (UPS backup), {{sub:SUB-REQS-FUNC-063}} (bus separation), {{sub:SUB-REQS-FUNC-065}} (dual mains), {{sub:SUB-REQS-FUNC-071}} (read-only remote)
  • {{sys:SYS-REQS-FUNC-004}} (train detection) derives {{sub:SUB-REQS-FUNC-062}} (UPS THD), {{sub:SUB-REQS-FUNC-064}} (TC frequency stability)
  • All 7 IFC requirements have corresponding VER entries with trace links

Three initially orphaned subsystem requirements were linked to system requirements during the quality gate.
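The quality gate described above, as an added example rather than the project's own tooling: it flags SUB requirements with no SYS parent (orphans) and computes VER coverage over SUB+IFC requirements. Only the two SYS derivation chains listed in the trace summary are taken from this entry; the VER-to-requirement mapping is a constructed assumption for illustration.

```python
"""Requirements trace quality gate: flag orphaned SUB requirements (no SYS
parent), list SUB/IFC requirements without a VER entry, and report coverage."""

# Constructed sample trace links, not the project's actual data. The two SYS
# derivation chains are the ones named in the session report.
DERIVES = {
    "SYS-REQS-FUNC-003": ["SUB-REQS-FUNC-061", "SUB-REQS-FUNC-063",
                          "SUB-REQS-FUNC-065", "SUB-REQS-FUNC-071"],
    "SYS-REQS-FUNC-004": ["SUB-REQS-FUNC-062", "SUB-REQS-FUNC-064"],
}
# Requirements under the gate: SUB-REQS-FUNC-061..072 and IFC-CBIINTERFACES-033..039.
REQUIREMENTS = [f"SUB-REQS-FUNC-{n:03d}" for n in range(61, 73)] + \
               [f"IFC-CBIINTERFACES-{n:03d}" for n in range(33, 40)]
# Assumed (constructed) mapping: VER-TEST-059..070 each verify one requirement,
# covering the first five SUB requirements and all seven IFC requirements.
VERIFIES = {f"VER-TEST-{59 + i:03d}": req for i, req in enumerate(
    REQUIREMENTS[:5] + REQUIREMENTS[12:19])}

def orphaned_subsystem_reqs(requirements, derives):
    """SUB requirements not derived from any SYS requirement."""
    derived = {child for children in derives.values() for child in children}
    return sorted(r for r in requirements if r.startswith("SUB-") and r not in derived)

def verification_coverage(requirements, verifies):
    """Return (verified_count, total, unverified_list) for SUB+IFC requirements."""
    verified = set(verifies.values())
    unverified = sorted(r for r in requirements if r not in verified)
    return len(requirements) - len(unverified), len(requirements), unverified

def quality_gate(requirements, derives, verifies):
    """Summarise the gate as a dict; the caller decides whether to block on it."""
    orphans = orphaned_subsystem_reqs(requirements, derives)
    done, total, unverified = verification_coverage(requirements, verifies)
    return {"orphans": orphans, "verified": done, "total": total,
            "coverage_pct": round(100 * done / total, 1), "unverified": unverified}

if __name__ == "__main__":
    report = quality_gate(REQUIREMENTS, DERIVES, VERIFIES)
    print(f"orphaned SUB requirements: {report['orphans']}")
    print(f"VER coverage: {report['verified']}/{report['total']} "
          f"({report['coverage_pct']}%)")
    print(f"unverified: {report['unverified']}")
```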

Next

Two subsystems remain undecomposed: {{entity:Signaller Workstation}} and {{entity:Traffic Management System}}. The next session should complete both — neither is architecturally complex compared to the already-decomposed subsystems. Once all 11 subsystems are covered, the decomposition status can be set to first-pass-complete and the system will proceed to QC. Current VER coverage stands at 70/111 (63%) for SUB+IFC requirements; the QC session should close the gap on the remaining 41 unverified requirements.
