Spray Pattern Pruning and Compositional Graph Repair for Railway Signalling System

{{entity:Railway Signalling System}} ({{hex:50F77A59}}), QC review of the first-pass-complete decomposition. The project carries 245 requirements across 8 documents (6 STK, 7 SYS, 90 SUB, 45 IFC, 8 ARC, 74 VER, plus hazard and traceability stubs), 13 block diagrams, and 182 trace links at session start. 11 subsystems decomposed to component level with full interface specifications.

Findings

Trace link spray patterns — the primary quality issue. {{sys:SYS-REQS-FUNC-001}} (interlocking logic, 10⁻⁹ wrong-side failure rate) had 21 downstream links, many to requirements with no derivation relationship: timetable import ({{sub:SUB-REQS-FUNC-089}}), remote diagnostics ({{sub:SUB-REQS-FUNC-071}}), conflict detection ({{sub:SUB-REQS-FUNC-086}}), operator session lockout ({{sub:SUB-REQS-FUNC-083}}), emergency access ({{sub:SUB-REQS-FUNC-082}}), audit trail ({{sub:SUB-REQS-FUNC-077}}), operator input acknowledgment ({{sub:SUB-REQS-FUNC-076}}), automatic route setting ({{sub:SUB-REQS-FUNC-084}}), two-stage confirmation ({{sub:SUB-REQS-FUNC-075}}), event logger ({{sub:SUB-REQS-FUNC-069}}), and engineering terminal access ({{sub:SUB-REQS-FUNC-009}}). These requirements contribute to the signalling domain but are not derived from interlocking logic — they exist because of their own stakeholder needs.

{{sys:SYS-REQS-FUNC-003}} (redundant processing, 500ms failover) had 25 links. Four were spurious: condition monitoring aggregation ({{sub:SUB-REQS-FUNC-070}}), lamp status reporting ({{sub:SUB-REQS-FUNC-060}}), alarm display ({{sub:SUB-REQS-FUNC-078}}), junction route indicator ({{sub:SUB-REQS-FUNC-059}}). The remaining 21 are defensible — the requirement genuinely cascades to every vital subsystem’s redundancy implementation.

PART_OF graph nearly empty. Only 2 of ~60 entities had PART_OF relationships established. The compositional hierarchy was not recorded during decomposition sessions.

Entity namespace contamination. 60 duplicate entities existed in both the SE:railway-signalling namespace and the global namespace with identical hex codes.

Orphan ARC entries. All 11 architecture decision records had no trace links. No ARC→SYS linkset exists in the project schema, so these were structurally orphaned rather than negligently unlinked.

Rationale and verification. All 245 requirements have both rationale and verification method set — no gaps. All trace links have rationale. Lint flagged 1 medium finding (operating hour lacks statistical parameters) and 6 low findings (ontological classification ambiguity between abstract systems and physical components, acknowledged in session 311).

Corrections

Deleted 15 spurious trace links: 11 from {{sys:SYS-REQS-FUNC-001}} (21→10 links) and 4 from {{sys:SYS-REQS-FUNC-003}} (25→21 links). Each deleted link connected a system requirement to a subsystem requirement that merely contributes to the same domain rather than being derived from it.

Established 22 PART_OF facts: 11 subsystem→system relationships and 11 component→subsystem relationships (5 for {{entity:Computer-Based Interlocking}}, 4 for {{entity:Train Detection Subsystem}}, 4 for {{entity:ETCS Radio Block Centre}}, plus 2 pre-existing for {{entity:Traffic Management System}}).

Removed 60 duplicate entities from the global namespace that mirrored the SE namespace.

Tagged all 11 ARC entries as informational to distinguish them from traceable requirements.
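The checks behind the findings above (fan-out above a threshold, missing PART_OF parents, the same hex code under two namespaces, structurally orphaned ARC records, SUB+IFC verification coverage) and the pruning step in the corrections are mechanical enough to script. The block below is an added example written for this entry, not tooling from the project; it runs over a small constructed graph, and every identifier and hex code in it other than the system's own 50F77A59 is illustrative.

```python
"""Trace-graph lint for a requirements decomposition (added example).

Constructed sample data only: the identifiers, hex codes and links below
are illustrative and are not the project's records.
"""
from collections import defaultdict

# Requirement id -> document kind, following the entry's prefixes.
REQUIREMENTS = {
    "SYS-001": "SYS", "SYS-002": "SYS",
    "SUB-001": "SUB", "SUB-002": "SUB", "SUB-003": "SUB",
    "SUB-004": "SUB", "SUB-005": "SUB", "IFC-001": "IFC",
    "ARC-001": "ARC", "ARC-002": "ARC",
    "VER-001": "VER", "VER-002": "VER",
}

# Trace links as (source, relation, target). DERIVES runs SYS -> SUB/IFC,
# VERIFIES runs VER -> SUB/IFC. No linkset touches ARC-*, so those records
# can only ever show up as orphans (constructed to mirror the finding).
TRACE_LINKS = [
    ("SYS-001", "DERIVES", "SUB-001"),
    ("SYS-001", "DERIVES", "SUB-002"),
    ("SYS-001", "DERIVES", "SUB-003"),
    ("SYS-001", "DERIVES", "SUB-004"),
    ("SYS-001", "DERIVES", "SUB-005"),
    ("SYS-002", "DERIVES", "SUB-002"),
    ("SYS-002", "DERIVES", "IFC-001"),
    ("VER-001", "VERIFIES", "SUB-001"),
    ("VER-002", "VERIFIES", "SUB-002"),
]

# Entities as (namespace, name, hex_id). The root is registered twice on
# purpose: once in the SE namespace, once in global, same hex.
ENTITIES = [
    ("SE:railway-signalling", "Railway Signalling System", "50F77A59"),
    ("global", "Railway Signalling System", "50F77A59"),
    ("SE:railway-signalling", "Computer-Based Interlocking", "1A2B3C4D"),
    ("SE:railway-signalling", "Train Detection Subsystem", "5E6F7A8B"),
    ("SE:railway-signalling", "CBI Vital Processor", "9C0D1E2F"),
    ("SE:railway-signalling", "Axle Counter Evaluator", "3A4B5C6D"),
]

# PART_OF facts as (child, parent). The axle counter evaluator is left
# unplaced to exercise the gap check.
PART_OF = [
    ("Computer-Based Interlocking", "Railway Signalling System"),
    ("Train Detection Subsystem", "Railway Signalling System"),
    ("CBI Vital Processor", "Computer-Based Interlocking"),
]


def spray_patterns(links, threshold):
    """{source: fan-out} for DERIVES sources whose out-degree reaches threshold."""
    fan_out = defaultdict(int)
    for src, rel, _ in links:
        if rel == "DERIVES":
            fan_out[src] += 1
    return {s: n for s, n in fan_out.items() if n >= threshold}


def prune_links(links, to_delete):
    """Drop the given (source, target) DERIVES pairs; return the survivors."""
    doomed = set(to_delete)
    return [link for link in links
            if not (link[1] == "DERIVES" and (link[0], link[2]) in doomed)]


def duplicate_entities(entities):
    """Hex ids registered under more than one namespace."""
    namespaces = defaultdict(set)
    for ns, _, hex_id in entities:
        namespaces[hex_id].add(ns)
    return {hex_id for hex_id, nss in namespaces.items() if len(nss) > 1}


def part_of_gaps(entities, part_of, root):
    """Entity names with no PART_OF parent, the root excluded."""
    placed = {child for child, _ in part_of}
    names = {name for _, name, _ in entities}
    return sorted(names - placed - {root})


def orphans(requirements, links, kind):
    """Requirements of `kind` on neither end of any trace link."""
    linked = {src for src, _, _ in links} | {dst for _, _, dst in links}
    return sorted(r for r, k in requirements.items() if k == kind and r not in linked)


def ver_coverage(requirements, links, kinds=("SUB", "IFC")):
    """(covered, total) over requirements of `kinds` that have a VERIFIES link."""
    verified = {dst for _, rel, dst in links if rel == "VERIFIES"}
    pool = [r for r, k in requirements.items() if k in kinds]
    return sum(r in verified for r in pool), len(pool)


def run_qc(threshold=4, root="Railway Signalling System"):
    """One pass of every check, returned as a dict so a session can diff it."""
    return {
        "spray": spray_patterns(TRACE_LINKS, threshold),
        "duplicates": duplicate_entities(ENTITIES),
        "part_of_gaps": part_of_gaps(ENTITIES, PART_OF, root),
        "arc_orphans": orphans(REQUIREMENTS, TRACE_LINKS, "ARC"),
        "ver_coverage": ver_coverage(REQUIREMENTS, TRACE_LINKS),
    }


if __name__ == "__main__":
    print(run_qc())
```

The spray check is deliberately a pure degree count: it surfaces candidates, and the decision to delete a link (is SUB-004 actually derived from SYS-001, or does it merely share the domain?) stays with the reviewer, which is why `prune_links` takes an explicit list rather than cutting to the threshold automatically. The ARC orphan check is the structural one from the findings: with no ARC linkset in the schema, every ARC record reports as an orphan regardless of diligence, so the useful output is the count to tag as informational, not a defect list.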

Created baseline QC-2026-03-19.

Subsystem interface diagram (Mermaid source):

```mermaid
flowchart TB
  RSS["Railway Signalling System"]
  CBI["Computer-Based Interlocking"]
  TDS["Train Detection Subsystem"]
  RBC["ETCS Radio Block Centre"]
  CLO["Colour-Light Signalling Output"]
  PCS["Points and Crossing Drive"]
  LXP["Level Crossing Protection"]
  TMS["Traffic Management System"]
  SWS["Signaller Workstation"]
  SCN["Signalling Comms Network"]
  SPS["Signalling Power Supply"]
  SDM["Diagnostic and Monitoring"]
  TDS -->|Track occupancy data| CBI
  CBI -->|Signal aspect commands| CLO
  CBI -->|Point drive commands| PCS
  PCS -->|Point detection feedback| CBI
  CBI -->|Crossing activation| LXP
  CBI -->|Route status for MA| RBC
  TMS -->|Automatic route requests| CBI
  CBI -->|Interlocking state| SWS
  SWS -->|Signaller commands| CBI
  SCN -->|Data transport| CBI
```

Residual

Three spray patterns remain above threshold: {{sys:SYS-REQS-FUNC-005}} (ETCS MA computation, 16 links), {{sys:SYS-REQS-PERF-002}} (signal update timing, 11 links), and {{sys:SYS-REQS-FUNC-003}} (still at 21 after pruning). The FUNC-003 count is justified — it is a genuine cascading safety requirement. FUNC-005 and PERF-002 need review in validation to confirm whether their link counts reflect real derivation.

Remaining PART_OF gaps: 8 subsystems still lack component-level PART_OF facts (Level Crossing Protection, Points and Crossing Drive, Signalling Communication Network, Colour-Light Signalling Output, Signalling Power Supply, Signalling Diagnostic and Monitoring, Signaller Workstation, and remaining TMS components beyond TMS-CBI Interface Gateway and Train Describer).

Operating hour statistical parameter finding (lint medium) not addressed — requires engineering judgement on confidence level and test conditions.

Next

Validation session should assess overall coherence and completeness. Priority checks: verify the residual spray patterns on {{sys:SYS-REQS-FUNC-005}} and {{sys:SYS-REQS-PERF-002}}, complete the remaining PART_OF component facts, and evaluate whether the 64% VER coverage (87/135 SUB+IFC requirements traced to verification) is sufficient or needs supplementation.
