Railway Signalling: 31 Adversarial Findings Expose VER Coverage and Subsystem Proportion Gaps
System
Red team review of the {{entity:Railway Signalling System}} ({{hex:50F77A59}}), a SIL 4 railway interlocking and train protection system with 255 requirements across 6 documents, 188 trace links, and 13 diagrams. The system decomposes into 11 subsystems: {{entity:Computer-Based Interlocking}}, {{entity:Train Detection Subsystem}}, {{entity:ETCS Radio Block Centre}}, {{entity:Colour-Light Signalling Output}}, {{entity:Points and Crossing Drive System}}, {{entity:Level Crossing Protection System}}, {{entity:Traffic Management System}}, {{entity:Signaller Workstation}}, {{entity:Signalling Communication Network}}, {{entity:Signalling Power Supply System}}, and {{entity:Signalling Diagnostic and Monitoring System}}.
```mermaid
flowchart TB
n0["Railway Signalling System"]
n1["Computer-Based Interlocking"]
n2["Train Detection Subsystem"]
n3["ETCS Radio Block Centre"]
n4["Colour-Light Signalling Output"]
n5["Points and Crossing Drive System"]
n6["Level Crossing Protection System"]
n7["Traffic Management System"]
n8["Signaller Workstation"]
n9["Signalling Communication Network"]
n10["Signalling Power Supply System"]
n11["Signalling Diagnostic and Monitoring System"]
n2 -->|Track occupancy| n1
n1 -->|Signal commands| n4
n1 -->|Point commands| n5
n5 -->|Detection feedback| n1
n1 -->|Crossing trigger| n6
n1 -->|Route status| n3
n7 -->|Route requests| n1
n1 -->|State display| n8
n8 -->|Signaller commands| n1
n9 -->|Data transport| n1
```
Adversarial Findings
Verification coverage (CRITICAL): 50/90 SUB requirements (56%) have no VER trace links. Over half the subsystem requirements cannot be verified under the current plan. All 45 IFC requirements have VER links, but the SUB gap is severe for a SIL 4 system where EN 50129 requires complete verification traceability.
Trace orphans: 18/90 SUB requirements (20%) have no incoming trace from any SYS requirement, including {{sub:SUB-REQS-FUNC-014}}, {{sub:SUB-REQS-FUNC-038}}, {{sub:SUB-REQS-FUNC-047}}, and 15 others. These requirements lack parent derivation — they exist without justification in the trace chain.
Spray patterns: 3 SYS requirements spray excessively: {{sys:SYS-REQS-FUNC-003}} (21 links), {{sys:SYS-REQS-FUNC-005}} (16 links), {{sys:SYS-REQS-FUNC-001}} (14 links). {{sys:SYS-REQS-FUNC-003}} (redundancy requirement) links to 21 SUB reqs — this is mechanical linkage, not genuine derivation. {{sys:SYS-REQS-FUNC-008}} (AWS/TPWS) has zero outgoing traces.
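The three trace-link checks above (VER coverage, parent-derivation orphans, spray and dead-end SYS requirements) can be reproduced on any exported trace set. The following is an added example, not the review tool's own code; the requirement IDs, link set and the spray threshold are constructed for illustration.

```python
"""Trace-link audit helpers (added example; not the review tool's code).

Link direction follows the review: SYS -> SUB/IFC records derivation,
SUB/IFC -> VER records verification. All data below is constructed.
"""
from collections import Counter

# Constructed requirement set: id -> kind (SYS, SUB, IFC or VER)
REQS = {
    "SYS-001": "SYS", "SYS-002": "SYS", "SYS-003": "SYS",
    "SUB-001": "SUB", "SUB-002": "SUB", "SUB-003": "SUB", "SUB-004": "SUB",
    "IFC-001": "IFC",
    "VER-001": "VER", "VER-002": "VER",
}

# Constructed trace links as (source, target) pairs
LINKS = [
    ("SYS-001", "SUB-001"), ("SYS-001", "SUB-002"), ("SYS-001", "SUB-003"),
    ("SYS-001", "IFC-001"),
    ("SYS-002", "SUB-002"),
    ("SUB-001", "VER-001"), ("IFC-001", "VER-002"),
]


def unverified(kind, reqs=REQS, links=LINKS):
    """Requirements of `kind` with no outgoing link to any VER item."""
    verified = {s for s, t in links if reqs[t] == "VER"}
    return sorted(r for r, k in reqs.items() if k == kind and r not in verified)


def unverified_pct(kind, reqs=REQS, links=LINKS):
    """Share of `kind` requirements that are unverified, in percent."""
    total = sum(1 for k in reqs.values() if k == kind)
    return round(100.0 * len(unverified(kind, reqs, links)) / total, 1)


def orphans(kind, parent="SYS", reqs=REQS, links=LINKS):
    """Requirements of `kind` with no incoming link from a `parent` requirement."""
    derived = {t for s, t in links if reqs[s] == parent}
    return sorted(r for r, k in reqs.items() if k == kind and r not in derived)


def spray(threshold, kind="SYS", reqs=REQS, links=LINKS):
    """Requirements of `kind` whose outgoing link count exceeds `threshold`."""
    counts = Counter(s for s, _ in links if reqs[s] == kind)
    return {r: n for r, n in counts.items() if n > threshold}


def dead_ends(kind="SYS", reqs=REQS, links=LINKS):
    """Requirements of `kind` with zero outgoing links (nothing derived from them)."""
    sources = {s for s, _ in links}
    return sorted(r for r, k in reqs.items() if k == kind and r not in sources)
```

Run against a real export, the SUB list from `unverified("SUB")` is the VER work queue and `spray(threshold)` flags candidates for the pruning the recommendations ask for.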
Untestable requirements: 11 tagged. 10/90 SUB reqs use SHALL without numeric acceptance criteria. Examples: {{sub:SUB-REQS-FUNC-003}} (flank protection — no timing constraint), {{sub:SUB-REQS-FUNC-075}} (two-stage confirmation — no timeout value), {{sub:SUB-REQS-FUNC-081}} (smart card auth — no response time). {{sub:SUB-REQS-FUNC-024}} references “configured T_NVCONTACT” without specifying the value or range.
Vague interfaces: 10/45 IFC requirements lack protocol, data rate, or latency specifications. Examples: {{ifc:IFC-CBIINTERFACES-002}} (signal aspect commands — no protocol), {{ifc:IFC-CBIINTERFACES-011}} (RBC gateway to app server — no rate), {{ifc:IFC-CBIINTERFACES-041}} (route commands to CBI — no latency).
Subsystem proportion: Severe imbalance. CBI has 24 SUB reqs; {{entity:Traffic Management System}} has 1; {{entity:Level Crossing Protection System}} has 2; {{entity:Signalling Communication Network}} has 3. A level crossing subsystem with only 2 requirements and no barrier sequencing, road traffic signal, or failure-mode requirements is grossly under-specified for a safety-critical road-rail interface.
Missing failure modes: 5 tagged. TMS has 0 failure-mode requirements; 4 of 6 ETCS RBC requirements lack fault handling (no RBC failover, no degraded ETCS operation, no handover failure recovery).
Domain gaps: Zero human factors requirements despite {{entity:Signaller Workstation}} being safety-critical (EN 50126 mandates human factors analysis — alarm fatigue, workload limits, colour perception). Only 1 configuration management requirement for a SIL 4 system (EN 50128 requires comprehensive CM).
Lint findings: 80 total (17 high, 63 medium). 12/17 high-severity are {{trait:Biological/Biomimetic}} false positives on electronic subsystems — the lint tool misclassifies software/electronic components. 4 are legitimate: {{trait:Powered}} subsystems (interlocking, workstation, alarm processor, RBC) lack power budget requirements.
Flagged Requirements
| Ref | Category | Issue |
|---|---|---|
| {{sys:SYS-REQS-FUNC-003}} | rt-mechanical-trace | 21 outgoing links — spray pattern |
| {{sys:SYS-REQS-FUNC-005}} | rt-mechanical-trace | 16 outgoing links — spray pattern |
| {{sys:SYS-REQS-FUNC-001}} | rt-mechanical-trace | 14 outgoing links — spray pattern |
| {{sys:SYS-REQS-PERF-002}} | rt-mechanical-trace | 13 outgoing links — spray pattern |
| {{sys:SYS-REQS-FUNC-008}} | rt-mechanical-trace | Zero outgoing traces — AWS/TPWS orphan |
| {{ifc:IFC-CBIINTERFACES-002}} | rt-vague-interface | No protocol for signal aspect commands |
| {{ifc:IFC-CBIINTERFACES-003}} | rt-vague-interface | No protocol for point position data |
| {{ifc:IFC-CBIINTERFACES-011}} | rt-vague-interface | No data rate for RBC gateway transfer |
| {{ifc:IFC-CBIINTERFACES-014}} | rt-vague-interface | No rate for RBC handover data |
| {{ifc:IFC-CBIINTERFACES-015}} | rt-vague-interface | No rate for juridical recording |
| {{ifc:IFC-CBIINTERFACES-017}} | rt-vague-interface | No latency for obstacle detection |
| {{ifc:IFC-CBIINTERFACES-021}} | rt-vague-interface | No protocol for SNR sync |
| {{ifc:IFC-CBIINTERFACES-030}} | rt-vague-interface | No protocol despite “hardwired failsafe” |
| {{ifc:IFC-CBIINTERFACES-035}} | rt-vague-interface | No rate for power feed |
| {{ifc:IFC-CBIINTERFACES-041}} | rt-vague-interface | No latency for route commands |
| {{sub:SUB-REQS-FUNC-003}} | rt-untestable | Flank protection — no timing constraint |
| {{sub:SUB-REQS-FUNC-004}} | rt-untestable | Overlap locking — no timing |
| {{sub:SUB-REQS-FUNC-024}} | rt-untestable | References T_NVCONTACT without value |
| {{sub:SUB-REQS-FUNC-035}} | rt-untestable | LX fault response — no timing |
| {{sub:SUB-REQS-FUNC-059}} | rt-untestable | Junction route indicator — no performance |
| {{sub:SUB-REQS-FUNC-063}} | rt-untestable | Power separation — no isolation spec |
| {{sub:SUB-REQS-FUNC-071}} | rt-untestable | Remote diagnostic — no access criteria |
| {{sub:SUB-REQS-FUNC-075}} | rt-untestable | Two-stage confirmation — no timeout |
| {{sub:SUB-REQS-FUNC-081}} | rt-untestable | Smart card auth — no response time |
| {{sub:SUB-REQS-FUNC-082}} | rt-untestable | Emergency auth fallback — no criteria |
| {{ifc:IFC-CBIINTERFACES-006}} | rt-untestable | LX activation — no measurable criteria |
| {{sub:SUB-REQS-FUNC-085}} | rt-missing-failure-mode | TMS — sole req, no failure handling |
| {{sub:SUB-REQS-FUNC-021}} | rt-missing-failure-mode | ETCS MA computation — no fault handling |
| {{sub:SUB-REQS-FUNC-023}} | rt-missing-failure-mode | ETCS train tracking — no fault handling |
| {{sub:SUB-REQS-FUNC-025}} | rt-missing-failure-mode | ETCS Euroradio — no fault handling |
| {{sub:SUB-REQS-FUNC-027}} | rt-missing-failure-mode | ETCS transition — no fault handling |
Domain Analogs Checked
| Analog | Hex | Gaps Surfaced |
|---|---|---|
| {{entity:Traffic Management System}} | {{hex:51F47B58}} | Only 1 SUB req — missing route conflict detection, ARS failure modes |
| {{entity:Level Crossing Protection System}} | {{hex:55F77A59}} | Only 2 SUB reqs — missing barrier sequencing, road signal control |
| {{entity:ETCS Radio Block Centre}} | {{hex:51E57A58}} | 4/6 reqs lack fault handling — no handover failure, no degraded ETCS |
| {{entity:Vital Processing Unit}} | {{hex:51F53258}} | Analog suggests SIL-tagged requirements and diverse channel testing |
Recommendations
- VER coverage (P1): Add VER entries for the 50 unverified SUB requirements. This is the single largest gap — a SIL 4 system with 56% unverifiable subsystem requirements cannot pass safety assessment.
- Subsystem proportion (P1): Level Crossing needs barrier control, road signal sequencing, pedestrian detection, failure-mode, and timing requirements (estimate 8-12 additional). TMS needs degraded-mode, conflict resolution, and ARS failure requirements (estimate 5-8 additional).
- Human factors (P1): Add workload, alarm fatigue, colour perception, and emergency response time requirements for Signaller Workstation. EN 50126 mandates this for SIL 4.
- Trace orphans (P2): Establish parent derivation for 18 orphaned SUB requirements or document why they exist independently.
- Spray patterns (P2): Review and prune SYS-REQS-FUNC-003 (21 links) — a single redundancy requirement should not derive every subsystem’s failure-mode req. Link only where the redundancy architecture genuinely drives the subsystem design.
- ETCS failure modes (P2): Add RBC failover, degraded ETCS operation, and handover failure recovery requirements for the 4 flagged ETCS RBC reqs.
- Interface specs (P3): Add protocol, data rate, and latency to the 10 vague IFC requirements.
- Configuration management (P3): Add CM requirements per EN 50128 for SIL 4 software lifecycle.
Verdict
Informational. 31 requirements tagged across 4 categories: 11 rt-untestable, 10 rt-vague-interface, 5 rt-mechanical-trace, 5 rt-missing-failure-mode. Plus 6 domain gap findings stored in QUALITY namespace. The VER coverage gap (56% of SUB reqs unverified) and missing human factors requirements are the most critical issues for a SIL 4 railway system.