System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
    n0["system<br>Railway Signalling System"]
    n1["subsystem<br>Computer-Based Interlocking"]
    n2["subsystem<br>Train Detection Subsystem"]
    n3["subsystem<br>ETCS Radio Block Centre"]
    n4["subsystem<br>Colour-Light Signalling Output"]
    n5["subsystem<br>Points and Crossing Drive System"]
    n6["subsystem<br>Level Crossing Protection System"]
    n7["subsystem<br>Traffic Management System"]
    n8["subsystem<br>Signaller Workstation"]
    n9["subsystem<br>Signalling Communication Network"]
    n10["subsystem<br>Signalling Power Supply System"]
    n11["subsystem<br>Signalling Diagnostic and Monitoring System"]
    n2 -->|Track occupancy data| n1
    n1 -->|Signal aspect commands| n4
    n1 -->|Point drive commands| n5
    n5 -->|Point detection feedback| n1
    n1 -->|Crossing activation trigger| n6
    n1 -->|Route status for MA computation| n3
    n7 -->|Automatic route requests| n1
    n1 -->|Interlocking state display| n8
    n8 -->|Signaller commands| n1
    n9 -->|Data transport| n1
```
Railway Signalling System — Decomposition
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQS-FUNC-001 | The Vital Processing Unit SHALL implement a 2-out-of-3 voted processing architecture where three independent channels execute identical interlocking logic, and any output command SHALL only be issued when at least two channels agree within a comparison window of 10ms. Rationale: 2oo3 architecture is required to achieve the SIL 4 tolerable hazard rate of 10^-9/hr per EN 50129. A single-channel failure must not produce an unsafe output. The 10ms comparison window bounds the maximum skew between channels while accommodating clock jitter in the cyclic kernel. | Test | subsystem, cbi, vpu, session-300, idempotency:sub-cbi-vpu-voting-300 |
| SUB-REQS-FUNC-002 | The Computer-Based Interlocking SHALL enforce route-locking such that once a route is set, all points within the route are locked in the required position and all conflicting routes are excluded until the route is released by sequential track clearance or manual cancellation with a 120-second time delay. Rationale: Route-locking with conflict exclusion is the fundamental safety function of an interlocking per GK/RT0060. The 120-second cancellation delay prevents premature release while a train may still be approaching the route entrance signal, derived from worst-case braking distance at line speed. | Test | subsystem, cbi, vpu, session-300, idempotency:sub-cbi-route-locking-300 |
| SUB-REQS-FUNC-003 | The Computer-Based Interlocking SHALL set and lock flank protection points for every set route, ensuring that no vehicle from a converging path can enter the route corridor. Where physical flank protection is not available, the interlocking SHALL detect the absence and restrict line speed accordingly. Rationale: Flank protection prevents side collisions at junctions. EN 50129 and national rules (e.g., RSSB GK/RT0060) require flank protection as a mandatory safety function. The fallback to speed restriction addresses layouts where geometry prevents full flank protection. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-004 | The Computer-Based Interlocking SHALL maintain overlap track sections beyond each stop signal in a locked and unoccupied state for the duration that a route to that signal is set, releasing the overlap only after the approaching train has been proved stationary or has passed the signal. Rationale: Overlaps provide a safety margin for trains overrunning a stop signal. The overlap length and release conditions are derived from braking curves at the approach speed. Premature overlap release would remove the collision protection margin. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-005 | The Object Controller SHALL drive field equipment outputs only upon receipt of an authenticated, sequence-numbered command from the Vital Processing Unit, and SHALL confirm execution by reading back the actual field state within 200ms of command issue. Rationale: Authenticated commands prevent spoofing per EN 50159 Category 3. Read-back verification within 200ms ensures the interlocking detects stuck or failed field equipment within one safety cycle, preventing the assumption of a safe state that does not exist physically. | Test | subsystem, cbi, object-controller, session-300, idempotency:sub-cbi-oc-drive-300 |
| SUB-REQS-FUNC-006 | The Vital Processing Unit SHALL verify the integrity of Interlocking Application Data at startup using a cryptographic hash (SHA-256 minimum) and SHALL refuse to enter operational mode if the computed hash does not match the validated reference hash. Rationale: Corrupted application data could encode incorrect route tables, leading to conflicting routes being permitted. Cryptographic verification at startup per EN 50128 ensures only the independently validated dataset is executed. SHA-256 provides collision resistance sufficient for SIL 4. | Test | subsystem, cbi, application-data, session-300, idempotency:sub-cbi-data-integrity-300 |
| SUB-REQS-FUNC-007 | The Interlocking Communication Gateway SHALL implement EN 50159 Category 3 safety communication on all vital links, providing cryptographic message authentication, sequence numbering, and timeout supervision with a maximum message lifetime of 500ms. Rationale: Category 3 communication defences protect against message corruption, delay, insertion, and replay attacks on open transmission networks. The 500ms lifetime bounds the maximum age of any accepted vital message, derived from the interlocking cycle time and worst-case network latency. | Test | subsystem, cbi, comm-gateway, session-300, idempotency:sub-cbi-cgw-safety-300 |
| SUB-REQS-FUNC-008 | When one of the three VPU processing channels fails, the Computer-Based Interlocking SHALL continue operating in 2-out-of-2 degraded mode, maintaining full route-setting and signal control functionality with no reduction in the number of routes available, and SHALL raise a maintenance alarm within 1 second of detecting the channel failure. Rationale: Loss of one channel in a 2oo3 architecture reduces to 2oo2, which still achieves SIL 4 but with reduced availability (next failure causes shutdown). Immediate alarm ensures maintenance response before a second failure. Full functionality retention is required because train services cannot be degraded for a single channel loss. | Test | subsystem, cbi, vpu, session-300, idempotency:sub-cbi-degraded-mode-300 |
| SUB-REQS-FUNC-009 | The Engineering and Maintenance Terminal SHALL enforce role-based access control with a minimum of three roles (viewer, maintainer, engineer), and SHALL log every user action with timestamp, operator identity, and action description to a tamper-evident audit log retained for a minimum of 5 years. Rationale: Role-based access prevents unauthorised modification of safety-critical interlocking data. The 5-year audit retention aligns with RSSB and ORR requirements for safety record keeping. Tamper-evident logging enables incident investigation and regulatory audit. | Inspection | subsystem, cbi, emt, session-300, idempotency:sub-cbi-emt-access-300 |
| SUB-REQS-FUNC-013 | The Audio-Frequency Track Circuit SHALL detect any rail vehicle presenting a minimum shunting resistance of 0.06 ohm across the running rails, within 1 second of the vehicle entering the track section. Rationale: 0.06 ohm is the EN 50238 worst-case shunting resistance for lightweight vehicles with cast-iron brake blocks on contaminated rail. Detection within 1 second ensures the interlocking receives occupancy before a train travelling at maximum line speed (200 km/h) covers more than 56m, maintaining safe overlap margins. | Test | subsystem, train-detection, aftc, session-301, idempotency:sub-td-aftc-sensitivity-301 |
| SUB-REQS-FUNC-014 | When the Audio-Frequency Track Circuit receiver signal level falls below the calibrated threshold, the track circuit SHALL report the section as occupied within 500 milliseconds. Rationale: Fail-safe design principle: any loss of received signal (broken rail, equipment failure, power loss, cable fault) must default to the restrictive state. The 500ms threshold ensures the occupied indication reaches the interlocking before the next processing cycle completes, preventing a transient clear indication during failure. | Test | subsystem, train-detection, aftc, safety, session-301, idempotency:sub-td-aftc-failsafe-301 |
| SUB-REQS-FUNC-015 | The Axle Counter Evaluator SHALL correctly count all axle passages at speeds from 0 to 500 km/h for wheel diameters between 330 mm and 1000 mm, with a per-counting-point miscount probability of less than 10^-9 per axle passage. Rationale: The speed and wheel diameter range covers all European rolling stock from shunting locomotives to high-speed trains. The 10^-9 miscount probability is derived from the SIL 4 target (tolerable hazard rate 10^-9/h) combined with expected traffic density of approximately 1 axle passage per second at busy junctions, ensuring the axle counter contribution to dangerous failure rate remains below the SIL 4 allocation. | Test | subsystem, train-detection, axle-counter, safety, session-301, idempotency:sub-td-ace-accuracy-301 |
| SUB-REQS-FUNC-016 | When the Axle Counter Evaluator detects a discrepancy between entry and exit axle counts that persists for more than 2 processing cycles (200 ms), the evaluator SHALL set the affected section to occupied and generate a reset-required alarm. Rationale: A count discrepancy indicates either a missed axle or a spurious count — both are safety-critical. Two processing cycles allows for transient electrical noise rejection without delaying the fail-safe response beyond the interlocking cycle time. Manual reset is required because automatic count correction could mask a genuine vehicle presence. | Test | subsystem, train-detection, axle-counter, safety, session-301, idempotency:sub-td-ace-failsafe-301 |
| SUB-REQS-FUNC-017 | The Train Detection Data Concentrator SHALL aggregate occupancy status from all connected detectors and present a complete, consistent occupancy table to the CBI interface within 100 milliseconds of any detector state change. Rationale: 100ms aggregation latency ensures the total detection-to-interlocking pipeline (detector response + concentrator + CBI input scan) remains within the 500ms signal update budget defined in SYS-REQS-PERF-002. The concentrator consumes approximately 100ms of the 500ms budget, leaving margin for detector response time (up to 200ms for track circuits) and CBI input scanning (up to 100ms). | Test | subsystem, train-detection, data-concentrator, performance, session-301, idempotency:sub-td-tddc-latency-301 |
| SUB-REQS-FUNC-018 | When the active Train Detection Data Concentrator unit fails, the hot-standby unit SHALL assume data aggregation within 50 milliseconds, without loss of occupancy state for any monitored section. Rationale: 50ms switchover ensures the redundancy transition is invisible to the CBI, which polls the concentrator at 100ms intervals. State synchronisation between active and standby units must be continuous so that no section shows a transient clear during switchover — a momentary false-clear could allow the interlocking to release a route into an occupied section. | Test | subsystem, train-detection, data-concentrator, reliability, session-301, idempotency:sub-td-tddc-redundancy-301 |
| SUB-REQS-FUNC-019 | The Train Detection Data Concentrator SHALL continuously monitor the health of all connected track circuits and axle counter evaluators, detecting communication loss within 2 seconds and rail insulation degradation when track circuit received signal strength drops below 70 percent of calibrated nominal. Rationale: 2-second communication loss detection provides timely fault reporting without false alarms from transient interference. The 70% insulation threshold is the industry-standard early warning level: below 70% of nominal, track circuit performance becomes marginal and shunting sensitivity degrades, requiring maintenance intervention before a missed detection could occur. | Test | subsystem, train-detection, data-concentrator, diagnostic, session-301, idempotency:sub-td-tddc-diagnostic-301 |
| SUB-REQS-FUNC-020 | The RBC Application Server SHALL compute a complete movement authority, including end-of-authority, speed profile, and gradient profile, within 800 milliseconds of receiving updated route and occupancy data from the RBC-CBI Interface Gateway. Rationale: The 2-second system-level MA transmission budget (SYS-REQS-FUNC-005) must be allocated across the processing chain: 100ms CBI-to-RBC gateway latency, 800ms MA computation, 500ms Euroradio safe messaging, 200ms GSM-R radio delivery, leaving 400ms margin for retransmission. The 800ms computation budget was derived from SUBSET-026 Appendix A timing analysis for a 60-train load with worst-case route complexity. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-ma-compute-302 |
| SUB-REQS-FUNC-021 | The RBC Application Server SHALL maintain simultaneous ETCS supervision sessions for a minimum of 60 trains, each receiving movement authority updates at intervals not exceeding 5 seconds under normal operation. Rationale: 60 concurrent trains represents the capacity of a major junction area RBC (e.g., Thameslink core through central London). The 5-second MA update interval matches the SUBSET-026 T_MAR (MA request timer) default value. Exceeding this interval triggers onboard emergency braking initiation via T_NVCONTACT. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-022 | The RBC Application Server SHALL operate in a 2-out-of-2 hot-standby configuration where the standby unit SHALL assume full MA computation within 3 seconds of detecting primary unit failure, without loss of any active train session. Rationale: 3-second failover budget ensures no train exceeds its T_NVCONTACT timeout (typically 10-15 seconds). Hot-standby with session state replication is required because cold restart would require all 60 trains to re-establish sessions simultaneously, causing a capacity storm. The 2oo2 architecture (rather than 2oo3) follows SUBSET-026 failover model where MA computation is deterministic given identical inputs. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-redundancy-302 |
| SUB-REQS-FUNC-023 | The Euroradio Safe Communication Layer SHALL authenticate and integrity-protect all messages between the RBC and onboard ETCS equipment using SUBSET-037 message authentication codes with a residual error rate not exceeding 2^-40 per message. Rationale: The 2^-40 residual error rate is mandated by SUBSET-037 for SIL 4 communications. This ensures that the probability of an undetected corrupted movement authority being accepted by the onboard equipment is below the tolerable hazard rate of 10^-9 per hour, given the expected message rate of approximately 10,000 messages per hour across all train sessions. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-024 | When the Euroradio Safe Communication Layer detects loss of communication with an onboard unit for a duration exceeding the configured T_NVCONTACT value, the layer SHALL notify the RBC Application Server to revoke the affected train movement authority and log the disconnection event. Rationale: T_NVCONTACT is the ERTMS timeout that triggers onboard emergency braking if no valid safe message is received. The RBC side must mirror this detection to revoke the MA and prevent the track section from being allocated to another train while the disconnected train may still be occupying it. Without this, a phantom train scenario could develop where the RBC believes a train has stopped but it is still moving under its last valid MA. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-025 | The GSM-R Radio Interface Module SHALL establish a circuit-switched data call to a requesting onboard ETCS unit within 5 seconds of receiving the session initiation request, with a call setup success rate of at least 99.5% when GSM-R network signal strength is at or above -92 dBm (RXLEV 13) and cell load does not exceed 75% of traffic channel capacity. Rationale: The 5-second call setup time is derived from EIRENE FRS v8 specification for GSM-R railway data calls. 99.5% success rate accounts for the 0.5% radio congestion probability in high-traffic areas. Failed setups are retried automatically; three consecutive failures trigger a fallback to GPRS packet-switched bearer if available, or an alarm to the signaller. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-026 | The RBC-CBI Interface Gateway SHALL implement EN 50159 Category 3 safety communication on the link to the Computer-Based Interlocking, providing message authentication, sequence numbering, and timestamp validation with an end-to-end message transfer latency not exceeding 100 milliseconds. Rationale: 100ms gateway latency is part of the 2-second MA budget allocation. EN 50159 Category 3 is required because the RBC and CBI may be in different equipment rooms connected via a non-trusted network. The gateway must detect message replay, insertion, resequencing, and corruption — all attack vectors on a network traversing unsecured cable routes between buildings. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-cbi-gw-safe-302 |
| SUB-REQS-FUNC-027 | The RBC Handover Controller SHALL complete the transfer of train supervision responsibility to an adjacent RBC within 5 seconds of the train entering the handover preparation area, including coordinated MA boundary alignment and session transfer confirmation. Rationale: 5 seconds is derived from the worst-case train speed (300 km/h on high-speed lines) and the minimum handover preparation zone length (2 km per SUBSET-026). At 300 km/h a train traverses 2 km in 24 seconds, so 5 seconds provides adequate margin for the handover protocol exchange (request, acknowledge, confirm) while leaving at least 19 seconds of supervised operation in the overlap zone. Exceeding 5 seconds at high speed risks the train entering the new RBC area without an accepted MA from the receiving RBC. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-028 | The Juridical Recording Unit SHALL record all movement authority computations, train position reports, session events, and emergency messages with UTC timestamps at 1 millisecond resolution, retaining data for a minimum of 90 days on redundant non-volatile storage with cryptographic tamper-evidence. Rationale: 90-day retention is mandated by EU Directive 2016/798 on railway safety for post-incident investigation. 1ms timestamp resolution is required to reconstruct the exact sequence of events during multi-train incidents where events may be separated by only tens of milliseconds. Cryptographic tamper-evidence (hash chains) ensures data admissibility in regulatory and legal proceedings. Redundant storage protects against single-disk failure during the retention period. | Inspection | subsystem, etcs-rbc, session-302, idempotency:sub-jru-retention-302 |
| SUB-REQS-FUNC-029 | When the RBC Application Server loses communication with the CBI for more than 10 seconds, the RBC SHALL freeze all current movement authorities at their last safe end-of-authority positions and SHALL NOT extend any MA until CBI communication is restored and confirmed via a full state synchronisation handshake. Rationale: Freezing MAs at their last safe positions prevents trains from receiving authority to proceed into track sections whose occupancy status is unknown. The 10-second threshold allows for transient network interruptions without premature MA freeze. Full state resynchronisation is required after restoration because the CBI may have changed route and point states during the outage, making incremental updates unsafe. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-degraded-302 |
| SUB-REQS-FUNC-030 | When the RBC Application Server receives an unconditional emergency stop command from the CBI or signaller, the RBC SHALL transmit ETCS emergency stop messages to all affected trains within 500 milliseconds, overriding all normal MA processing. Rationale: 500ms emergency broadcast latency ensures that at 300 km/h a train travels no more than 42m before receiving the stop command. This is within the braking distance safety margin assumed by the CBI when commanding emergency route release. The override of normal processing prevents MA computation queuing from delaying safety-critical emergency messages. | Test | subsystem, etcs-rbc, session-302, idempotency:sub-rbc-app-estop-302 |
| SUB-REQS-FUNC-031 | When the Level Crossing Controller receives a train approach trigger from the CBI, the controller SHALL initiate the road warning sequence and achieve full crossing protection (barriers lowered, signals active) within the configured warning time, which SHALL be adjustable between 24 and 55 seconds to accommodate site-specific road clearance requirements. Rationale: 24-55 second range covers UK MCB-CCTV (24s minimum for short crossings) through AHB (55s for long crossings with slow-moving agricultural traffic). The warning time must be configurable per site because it depends on road width, speed limit, and expected traffic type — a narrow footpath crossing needs 24 seconds; a dual-carriageway crossing with heavy goods vehicles needs 55 seconds. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-timing-302 |
| SUB-REQS-FUNC-032 | When the Level Crossing Obstacle Detection System detects an object exceeding 0.5 metres in height on the crossing deck during barrier descent, the Level Crossing Controller SHALL inhibit further barrier descent and activate a crossing alarm, while maintaining road warning signals in the active state. Rationale: 0.5m threshold discriminates vehicles and pedestrians from debris and small animals that do not pose a collision risk. Barrier descent inhibition prevents a vehicle or person being struck by the barrier. Warning signals remain active because a train may still be approaching — the crossing is not safe for road traffic even though the barrier has stopped. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-obstacle-302 |
| SUB-REQS-FUNC-033 | The Barrier Drive Mechanism SHALL limit the torque at the barrier tip to a maximum of 150 Nm during descent to prevent injury to any person or object contacted by the barrier. Rationale: 150 Nm at the barrier tip corresponds to approximately 40 N force at a 3.75m barrier length, which is below the threshold for serious injury per EN 12604 (power-operated doors and gates). This is a critical safety requirement because barrier contact with a pedestrian is a foreseeable event, particularly at crossings with high foot traffic. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-torque-302 |
| SUB-REQS-FUNC-034 | The Road Traffic Signal Assembly SHALL achieve a minimum luminous intensity of 200 candela for each red flashing light when measured on-axis, sufficient for visibility at 100 metres in direct sunlight conditions with a solar illuminance of 100,000 lux. Rationale: 200 candela at 100m in bright sunlight ensures road users can detect the warning from the UK stopping sight distance for 60 mph roads. This is the worst-case visibility scenario — signal intensity must overcome the solar phantom effect, where sunlight illuminates the signal optic and masks the LED indication. | Test | subsystem, level-crossing, session-302, idempotency:sub-lc-signal-intensity-302 |
| SUB-REQS-FUNC-035 | When the Level Crossing Controller detects any internal fault or loss of communication with the CBI, the controller SHALL drive the crossing to the protected state (barriers lowered, signals active) and SHALL report the fault to the CBI and diagnostic system. Rationale: Protected state on failure is the fundamental fail-safe design principle for level crossings — a spurious crossing closure causes traffic delay (a nuisance) while a spurious crossing opening causes a potential collision (a catastrophe). The asymmetry of consequence makes fail-to-protected the only acceptable failure mode. CBI notification ensures the signaller is aware and can manage train movements accordingly. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-036 | The Electro-Hydraulic Point Machine SHALL complete a full blade throw from normal to reverse or reverse to normal within 6 seconds for switch lengths up to 60m, measured from receipt of the drive command to confirmed detection in the target position. Rationale: 6-second throw time is derived from route-setting time budget: total route set time must be under 15 seconds (SYS-REQS-FUNC-001 cascade), of which interlocking processing takes 2s, signal update takes 0.5s, and up to 3 points may need to throw sequentially. 6s per point allows sequential throws with margin. Longer throw times degrade junction throughput and delay route availability. | Test | subsystem, points-drive, point-machine, session-304, idempotency:sub-points-throw-time-304 |
| SUB-REQS-FUNC-037 | The Point Position Detection Assembly SHALL confirm blade position as 'detected' only when the blade tip is within 2mm of the stock rail in the closed position, and SHALL report 'not detected' for any blade displacement exceeding 2mm from nominal. Rationale: The 2mm detection tolerance is derived from EN 13232-7 gauge maintenance requirements: a blade gap exceeding 3mm risks wheel flange entry between blade and stock rail. The 2mm detection threshold provides a 1mm safety margin below the hazardous gap dimension, accounting for detection rod mechanical play and thermal expansion of switch rails. | Test | subsystem, points-drive, detection, session-304, idempotency:sub-points-detection-tolerance-304 |
| SUB-REQS-FUNC-038 | The Point Drive Controller SHALL detect an obstruction between the switch blades within 1 second of motor current exceeding 150% of the nominal throw current profile, and SHALL immediately remove drive power and report an obstruction fault to the Object Controller. Rationale: Obstruction detection prevents mechanical damage to the point machine and track infrastructure. The 150% current threshold is based on typical electro-hydraulic machine current signatures — normal throw current varies by ±20% due to friction and temperature, so 150% provides discrimination between normal variation and a genuine obstruction. The 1-second detection window prevents prolonged force application that could damage blades or the obstruction. | Test | subsystem, points-drive, safety, session-304, idempotency:sub-points-obstruction-detect-304 |
| SUB-REQS-FUNC-039 | The Electro-Hydraulic Point Machine SHALL maintain a minimum clamping force of 8kN on the closed blade under all operating conditions, sufficient to resist dynamic forces from train wheels traversing the switch at speeds up to 300 km/h. Rationale: 8kN clamping force is derived from EN 13232-4 dynamic load analysis: a 25-tonne axle load at 300 km/h generates lateral forces up to 5kN at the blade tip due to hunting oscillation and conicity. The 8kN clamp provides a 1.6x safety factor, preventing blade creep under repeated loading that could open a flange-way gap. | Test | subsystem, points-drive, point-machine, session-304, idempotency:sub-points-clamp-force-304 |
| SUB-REQS-FUNC-040 | When power supply to the Point Position Detection Assembly is lost, the detection output SHALL default to 'not detected' within 100ms, preventing the interlocking from setting any route over the affected points. Rationale: Fail-safe detection default is a SIL 4 requirement per EN 50129: loss of detection information must be treated as a dangerous condition. The 100ms timeout ensures the interlocking detects power failure before the next processing cycle (250ms typical) and revokes any route requiring these points. Longer timeout risks a route being set over unproven points during the detection gap. | Test | subsystem, points-drive, detection, safety, session-304, idempotency:sub-points-failsafe-detect-304 |
| SUB-REQS-FUNC-041 | The Swing-Nose Crossing Actuator SHALL position the crossing nose tip within 0.5mm of the stock rail, and the Point Position Detection Assembly SHALL confirm nose alignment only when this tolerance is met. Rationale: 0.5mm tolerance for swing-nose crossings is mandated by high-speed turnout standards (EN 13232-7 Annex C): at speeds above 200 km/h, a gap exceeding 1mm at the nose creates unacceptable dynamic loads on wheel flanges and risks wheel climb. The 0.5mm tolerance provides a 2x margin against the hazardous 1mm threshold, accounting for thermal expansion and mechanical wear. | Test | subsystem, points-drive, swing-nose, session-304, idempotency:sub-points-swingnose-align-304 |
| SUB-REQS-FUNC-042 | The Point Heating System SHALL activate pre-emptive heating when ambient temperature falls below 3 degrees Celsius and relative humidity exceeds 80%, and SHALL activate full-power reactive heating when precipitation is detected at temperatures below 1 degree Celsius. Rationale: Heating activation thresholds are derived from meteorological analysis of ice formation conditions: ice accretion on switch rails begins at the intersection of sub-3 °C temperatures and >80% humidity. The 1 °C precipitation threshold accounts for supercooled rain (freezing rain occurs at 0 to 2 °C). Pre-emptive mode prevents ice formation; reactive mode melts accumulation. Without these thresholds, blade freezing can prevent point operation within 15-30 minutes of onset. | Test | subsystem, points-drive, heating, session-304, idempotency:sub-points-heating-activation-304 |
| SUB-REQS-FUNC-043 | The Safety-Critical Data Network Switch SHALL implement Parallel Redundancy Protocol per IEC 62439-3 on all vital communication paths, achieving zero-recovery-time failover with no frame loss during a single link or switch failure. Rationale: PRP is mandated because the interlocking cycle time of 500ms and ETCS MA computation of 2s leave no margin for network recovery. Any frame loss during failover could delay safety-critical commands beyond their integrity time windows, potentially leading to unsafe signal aspects or late movement authority updates. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-prp-redundancy-305 |
| SUB-REQS-FUNC-044 | The Signalling Communication Network SHALL deliver any vital message between the Computer-Based Interlocking and any connected subsystem endpoint within 50 milliseconds end-to-end latency under maximum traffic load, measured from source application buffer to destination application buffer. Rationale: The 50ms budget is derived from the 500ms signal aspect update requirement (SYS-REQS-PERF-002), allocating 10 percent of the total budget to network transport to leave 450ms for interlocking processing, output drive, and signal lamp confirmation. Exceeding this would cascade timing violations through the safety chain. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-latency-305 |
| SUB-REQS-FUNC-045 | The RaSTA Protocol Stack SHALL authenticate and integrity-protect all vital messages using EN 50159 Category 3 mechanisms with a residual error rate not exceeding 10^-9 per hour, detecting message corruption, replay, insertion, deletion, resequencing, and delay within the configured safety time interval Tmax. Rationale: EN 50159 Category 3 is required because the signalling network traverses open transmission media where all threat classes apply. The 10^-9 per hour residual error rate derives from SIL 4 tolerable hazard rate apportionment across the communication channel, ensuring the network does not dominate the system hazard budget. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-rasta-safety-305 |
| SUB-REQS-FUNC-046 | The Network Time Distribution Server SHALL synchronize all network endpoints to UTC with an accuracy of 1 microsecond or better under normal GNSS reception, and SHALL maintain holdover accuracy within 10 microseconds for at least 24 hours following complete GNSS signal loss. Rationale: Sub-microsecond accuracy is required by the Juridical Recording Unit to establish unambiguous event ordering across distributed subsystems during incident investigation. The 24-hour holdover requirement covers the worst-case GNSS outage scenario without requiring manual intervention, using rubidium oscillator stability characteristics. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-ptp-accuracy-305 |
| SUB-REQS-FUNC-047 | The Cybersecurity Boundary Gateway SHALL enforce TS 50701 zone separation between the safety-critical signalling network and all non-vital networks, permitting only allowlisted protocol and message type combinations to traverse the boundary, and SHALL log all blocked traffic attempts for a minimum retention period of 180 days. Rationale: TS 50701 zone separation prevents lateral movement from compromised non-vital systems into the safety domain. Allowlisting rather than denylisting ensures unknown protocols are blocked by default. The 180-day log retention supports forensic analysis of security incidents aligned with railway operator CSIRT requirements. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-cybersec-305 |
| SUB-REQS-FUNC-048 | The Lineside Transmission Multiplexer SHALL achieve link availability of 99.999 percent per fiber trunk route, with automatic protection switching completing within 50 milliseconds of detecting a fiber path failure. Rationale: 99.999 percent availability equates to less than 5.3 minutes downtime per year, derived from the system-level availability target for continuous signalling operation. The 50ms protection switching time ensures the outage falls within the RaSTA Tmax window, preventing safety timeout activation during fiber cuts. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-lineside-avail-305 |
| SUB-REQS-FUNC-049 | The Network Diagnostic and Monitoring Agent SHALL detect and alarm any network link degradation where packet loss exceeds 0.001 percent or one-way latency exceeds 1 millisecond within 30 seconds of threshold exceedance, and SHALL forward consolidated health data to the Signalling Diagnostic and Monitoring System. Rationale: Early detection of link degradation allows preventive maintenance before safety-critical communication is affected. The 0.001 percent packet loss threshold is set one order of magnitude below the level that would trigger RaSTA retransmissions, providing advance warning. The 30-second detection time balances responsiveness against false alarm rates. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-monitoring-305 |
| SUB-REQS-FUNC-050 | When one of the two PRP redundant network paths is lost, the Safety-Critical Data Network Switch SHALL continue to deliver all vital messages via the remaining path with no increase in end-to-end latency beyond 5 milliseconds above nominal, and the Network Diagnostic and Monitoring Agent SHALL raise a degraded-mode alarm within 10 seconds. Rationale: Single-path operation is the designed degraded mode for PRP networks. The 5ms latency increase limit ensures the 50ms network latency budget is not exceeded. The 10-second alarm threshold ensures maintenance is alerted before a second failure could cause total communication loss. | Test | subsystem, communication-network, session-305, idempotency:sub-commnet-degraded-305 |
| SUB-REQS-FUNC-051 | The LED Signal Module SHALL produce a minimum luminous intensity of 200 candela for red aspects, 200 candela for yellow aspects, and 300 candela for green aspects, measured on-axis at the design beam centre, across the full operating temperature range of -25°C to +70°C. Rationale: Derived from Railway Group Standard GK/RT0045 visibility requirements. Green requires higher intensity because it must be distinguished from surrounding ambient light at maximum sighting distance. Values ensure reliable aspect recognition at 1000m sighting distance in clear conditions. Below these thresholds, aspect misidentification risk increases — particularly yellow/green confusion in low sun conditions. | Test | subsystem, colour-light, led-module, session-306, idempotency:sub-colour-light-led-intensity-306 |
| SUB-REQS-FUNC-052 | The LED Signal Module SHALL maintain minimum luminous intensity with up to 30% of LED strings failed, measured as aggregate output remaining above 70% of nominal intensity per Railway Group Standard. Rationale: LED modules use redundant parallel strings so that individual LED failures do not immediately extinguish an aspect. The 30% threshold is derived from field reliability data on LED signal modules: at this failure level the signal remains visible but maintenance must be scheduled. Beyond 30% string loss, the Signal Proving Unit detects the degradation and triggers appropriate alarms or failsafe action. | Test | subsystem, colour-light, led-module, session-306, idempotency:sub-colour-light-led-degradation-306 |
| SUB-REQS-FUNC-053 | When a proceed-aspect LED Signal Module fails or degrades below 70% luminous output, the Signal Proving and Monitoring Unit SHALL force the signal to display its most restrictive aspect (red) via hardware failsafe relay within 500 milliseconds of failure detection. Rationale: This is the primary safety function of the colour-light output subsystem (SIL4). A failed proceed aspect (green/yellow) that remains lit or appears lit when it is not creates a collision hazard. The 500ms detection-to-failsafe window ensures that no train receives a false proceed authority for more than one signal update cycle. Hardware relay implementation ensures the failsafe path is independent of software faults in the Signal Aspect Driver. | Test | subsystem, colour-light, signal-proving, safety, session-306, idempotency:sub-colour-light-proving-failsafe-306 |
| SUB-REQS-FUNC-054 | The Signal Aspect Driver SHALL enforce aspect sequencing rules such that a 4-aspect signal transitions through yellow before displaying red from a green or double-yellow aspect, with each intermediate aspect displayed for a minimum of 3 seconds. Rationale: Aspect sequencing prevents abrupt green-to-red transitions that could confuse drivers. The 3-second minimum for intermediate aspects derives from driver reaction time studies: a driver approaching at line speed needs at least 2 seconds to register an aspect change, and 1 second of margin accounts for attention latency. Sequencing is enforced at the driver board level as a second layer of defence independent of the interlocking logic. | Test | subsystem, colour-light, signal-aspect-driver, session-306, idempotency:sub-colour-light-sequencing-306 |
| SUB-REQS-FUNC-055 | When the Signal Aspect Driver loses its command input from the Object Controller or loses supply power, it SHALL default to displaying the most restrictive aspect (red) via a de-energised failsafe relay within 200 milliseconds. Rationale: Failsafe default to danger on loss of command or power is a fundamental principle of railway signalling safety (EN 50129). The de-energised relay design means the safe state requires no power — the relay physically drops to the danger-only path. 200ms ensures the transition occurs before a driver at maximum line speed (200 km/h) could traverse more than 11m, insufficient to pass the signal. | Test | subsystem, colour-light, signal-aspect-driver, safety, session-306, idempotency:sub-colour-light-failsafe-default-306 |
| SUB-REQS-FUNC-056 | The Signal Proving and Monitoring Unit SHALL implement a 2-out-of-2 (2oo2) comparison architecture for lamp failure detection, such that both independent monitoring channels must agree on lamp status before reporting healthy, and disagreement between channels SHALL trigger the failsafe relay. Rationale: A 2oo2 architecture achieves SIL4 dangerous failure rate targets by requiring agreement between two independent monitoring paths. A single channel failure (stuck-at-healthy) cannot mask a lamp failure because the second channel will disagree and trigger failsafe. This is the standard EN 50129 pattern for vital detection functions where false-healthy is the dangerous failure mode. | Analysis | subsystem, colour-light, signal-proving, safety, session-306, idempotency:sub-colour-light-proving-2oo2-306 |
| SUB-REQS-FUNC-057 | The Multi-Aspect Signal Head SHALL maintain aspect visibility at a minimum sighting distance of 1000 metres in clear daylight conditions, and 200 metres in fog conditions with visibility reduced to 200 metres, with anti-phantom hoods preventing false aspect display from direct sunlight. Rationale: Sighting distances are derived from braking distance calculations: at 200 km/h a train requires approximately 2000m to stop, so the signal must be visible at least 1000m ahead to provide warning time with two 4-aspect signals in sequence. Anti-phantom hoods are essential because sunlight entering the signal head can illuminate unlit aspects, potentially displaying a false proceed indication — this is a known hazard in UK operations with specific RAIB investigation precedents. | Test | subsystem, colour-light, signal-head, session-306, idempotency:sub-colour-light-head-visibility-306 |
| SUB-REQS-FUNC-058 | The Junction Route Indicator SHALL illuminate the correct route indication within 500 milliseconds of the interlocking confirming the route is set and locked, and SHALL extinguish within 200 milliseconds of the main aspect reverting to danger. Rationale: The 500ms illumination time matches SYS-REQS-PERF-002 signal aspect update requirement, ensuring route indication appears simultaneously with the proceed aspect. The faster 200ms extinguish time is required because an illuminated route indicator with a red aspect could mislead a driver into expecting a route that is being released — the indicator must go dark before or simultaneously with the aspect change to danger. | Test | subsystem, colour-light, junction-indicator, session-306, idempotency:sub-colour-light-jri-timing-306 |
| SUB-REQS-FUNC-059 | The Junction Route Indicator SHALL only illuminate when the associated main signal displays a proceed aspect (green, yellow, or double yellow), and SHALL remain extinguished whenever the signal displays a danger aspect (red), enforced by hardware interlock independent of the route data path. Rationale: A junction indicator lit alongside a red signal is a hazardous misleading indication — the driver might infer a route is set and proceed past the danger signal. The hardware interlock ensures this correlation is maintained even if the software route data path fails. This is a SIL4 requirement because incorrect correlation is a direct collision hazard at junctions. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-060 | The Signal Proving and Monitoring Unit SHALL report lamp status, degradation percentage, and failure mode classification to the Signalling Diagnostic and Monitoring System at intervals not exceeding 10 seconds via serial diagnostic interface. Rationale: 10-second reporting interval balances diagnostic data freshness against serial link bandwidth shared across multiple signal heads on a single communication link. The degradation percentage enables predictive maintenance scheduling — maintenance teams can plan lamp module replacement before the 70% threshold triggers a failsafe, reducing service disruption. Failure mode classification (open circuit, short circuit, partial degradation) supports root-cause analysis and spares planning. | Test | subsystem, colour-light, signal-proving, diagnostic, session-306, idempotency:sub-colour-light-proving-diagnostic-306 |
| SUB-REQS-FUNC-061 | The Signalling Uninterruptible Power Supply SHALL maintain conditioned 110V AC output to all vital signalling loads for a minimum of 2 hours following complete loss of mains supply, at full rated load. Rationale: 2-hour backup ensures signalling remains operational during typical UK distribution network restoration times (average 90 minutes for planned outages). Below 2 hours, signallers may be forced into degraded manual procedures during extended mains faults, increasing risk of wrong-side failures. | Test | subsystem, power-supply, session-308, idempotency:sub-ups-backup-duration-308 |
| SUB-REQS-FUNC-062 | The Signalling Uninterruptible Power Supply SHALL produce a sinusoidal output waveform with total harmonic distortion not exceeding 3 percent under all load conditions from 25 to 100 percent of rated capacity. Rationale: Audio-frequency track circuits operating at 83Hz and 91.5Hz are sensitive to harmonic content in their power supply. THD above 3 percent introduces spurious frequency components that can cause false track circuit occupancy or clear indications, both of which are safety-critical failures. | Test | subsystem, power-supply, session-308, idempotency:sub-ups-thd-308 |
| SUB-REQS-FUNC-063 | The Signalling Power Distribution Panel SHALL provide galvanically separated bus bars for vital signalling loads and non-vital loads, such that a fault on any non-vital circuit SHALL NOT cause loss of supply to any vital circuit. Rationale: Non-vital loads (building services, workstation displays, HVAC) share the same mains intake but must not be able to trip protection devices on vital circuits. A short circuit on a display monitor cable must not de-energise the interlocking power supply. Galvanic separation at the bus bar level is the standard mitigation. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-064 | The Track Circuit Power Feed Unit SHALL maintain output frequency stability within 0.1 percent of the nominal audio frequency under all load and temperature conditions. Rationale: Adjacent track circuits operate at different audio frequencies (e.g. 83Hz and 91.5Hz) to prevent cross-talk. Frequency drift beyond 0.1 percent narrows the guard band between adjacent circuits and can cause false occupancy indications in neighbouring track sections. | Test | subsystem, power-supply, session-308, idempotency:sub-tcpf-freq-stability-308 |
| SUB-REQS-FUNC-065 | The Signalling Power Feeder SHALL accept dual independent incoming mains supplies and SHALL automatically select the healthy supply within 100 milliseconds of detecting loss or out-of-tolerance voltage on the primary supply. Rationale: Dual incoming supplies from different grid feeders provide first-level redundancy before the UPS. The 100ms switchover time is within the UPS input hold-up period, ensuring the UPS battery is not discharged during routine supply changeovers. | Test | subsystem, power-supply, session-308, idempotency:sub-spf-dual-supply-308 |
| SUB-REQS-FUNC-066 | When operating on battery backup, the Power Supply Monitoring and Switchover Controller SHALL shed non-vital loads within 5 seconds of mains loss confirmation to extend vital supply runtime to a minimum of 3.5 hours. Rationale: Non-vital loads (HVAC, workstation displays, non-safety lighting) consume approximately 40 percent of the total signalling installation power budget. Shedding these loads within 5 seconds preserves battery capacity for vital functions. The 3.5-hour target exceeds the 2-hour vital-only requirement by providing margin for extended outages. | Test | subsystem, power-supply, session-308, idempotency:sub-mon-loadshed-308 |
| SUB-REQS-FUNC-067 | The Signalling Uninterruptible Power Supply SHALL monitor individual cell voltage and temperature of the VRLA battery bank and SHALL generate an alarm when any cell deviates by more than 0.3V from the bank average or exceeds 45°C. Rationale: Individual cell failure is the primary cause of UPS battery bank degradation. A single failed cell can reduce backup runtime by 50 percent or more without warning if not individually monitored. The 0.3V threshold and 45°C limit are derived from VRLA manufacturer thermal runaway prevention guidance. | Test | subsystem, power-supply, session-308, idempotency:sub-ups-cell-monitor-308 |
| SUB-REQS-FUNC-068 | The Alarm Management Processor SHALL apply alarm rationalisation rules compliant with EEMUA 191 guidelines, reducing alarm rate to no more than 10 alarms per 10 minutes per operator position during normal operations and no more than 20 alarms per 10 minutes during upset conditions. Rationale: EEMUA 191 defines industry-standard alarm rates. Exceeding 10 alarms per 10 minutes leads to operator overload and missed critical alarms. During cascade failures, unrationalised systems can generate hundreds of alarms per minute, masking the root cause. | Test | subsystem, diagnostic-monitoring, session-308, idempotency:sub-amp-rationalisation-308 |
| SUB-REQS-FUNC-069 | The Event Logger and Replay Unit SHALL retain all signalling state change events, operator commands, and alarm events for a minimum of 90 days on dual-redundant non-volatile storage with tamper-evident integrity verification. Rationale: Network Rail standard NR/L2/SIGP/10201 requires minimum 90-day event retention for post-incident analysis. Dual-redundant storage prevents data loss from single disk failure. Tamper-evident storage ensures event records are admissible as evidence in RAIB investigations. | Inspection | subsystem, diagnostic-monitoring, session-308, idempotency:sub-elr-retention-308 |
| SUB-REQS-FUNC-070 | The Condition Monitoring Server SHALL aggregate health data from all signalling subsystems with a data collection latency not exceeding 30 seconds from field equipment state change to server database record. Rationale: 30-second aggregation latency provides near-real-time maintenance visibility while allowing time for data transport across multi-protocol collection (Modbus, SNMP, OPC UA). Tighter latency would require dedicated real-time links that are unnecessary for maintenance trend analysis. | Test | subsystem, diagnostic-monitoring, session-308, idempotency:sub-cms-aggregation-308 |
| SUB-REQS-FUNC-071 | The Remote Diagnostic Gateway SHALL enforce read-only access to diagnostic data for all remote sessions and SHALL NOT provide any control path to safety-critical signalling equipment. Rationale: Any remote control path to signalling equipment creates a cybersecurity attack surface that could be exploited to issue unsafe commands. Read-only enforcement eliminates this risk class entirely. Compliant with NR/L2/CYB/27009 requirement for network segmentation between diagnostic and vital domains. | Test | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-072 | The Event Logger and Replay Unit SHALL timestamp all recorded events with accuracy of 1 millisecond or better, synchronised to GPS time reference. Rationale: 1ms timestamp accuracy is required to establish causal ordering of events during post-incident analysis. GPS synchronisation ensures timestamps are absolute and correlatable with train-borne event records and other infrastructure logs. | Test | subsystem, diagnostic-monitoring, session-308, idempotency:sub-elr-timestamp-308 |
| SUB-REQS-FUNC-073 | The Track Diagram Display Processor SHALL render updated track occupation, signal aspect, point position, and route status indications within 500ms of receiving state change data from the Computer-Based Interlocking. Rationale: 500ms display latency ensures signaller sees current system state within one interlocking cycle. Longer delays risk the signaller issuing commands based on stale information, particularly during rapid route-setting sequences where multiple points and signals change within seconds. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-display-latency-309 |
| SUB-REQS-FUNC-074 | The Track Diagram Display Processor SHALL render a geographical schematic containing at least 500 simultaneously displayed objects (track sections, signals, points, level crossings) without exceeding 500ms refresh cycle. Rationale: 500 objects represents the upper bound for a large UK power signal box area (e.g., major junction with approaches). If the rendering pipeline cannot maintain frame rate at this object count, display lag during peak traffic periods would degrade situational awareness. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-display-capacity-309 |
| SUB-REQS-FUNC-075 | The Route Setting and Command Interface SHALL require a two-stage confirmation sequence (signal selection followed by route exit selection) for all route-setting commands, and SHALL transmit the command to the CBI only after the signaller confirms the complete route on a confirmation dialog. Rationale: Two-stage confirmation prevents accidental route setting from single erroneous clicks. This is a fundamental safety mechanism required by Railway Group Standard GK/RT0045 for signaller HMI design. Without confirmation, a mistaken click on a signal icon could set a conflicting route. | Demonstration | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-076 | The Route Setting and Command Interface SHALL acknowledge operator input within 200ms of the operator action, providing visual feedback (highlight, cursor change, or confirmation dialog) on the track diagram display. Rationale: 200ms is the human perception threshold for interactive responsiveness. Exceeding this creates uncertainty about whether the input was registered, leading to repeated clicks and potential double-commands. Derived from ISO 9241-305 HMI response time guidance. | Test | subsystem, signaller-workstation, performance, session-309, idempotency:sub-sw-input-response-309 |
| SUB-REQS-FUNC-077 | The Route Setting and Command Interface SHALL generate a timestamped audit record for every operator action (route setting, signal replacement, emergency control, alarm acknowledgement) with operator identity, action type, target object, and UTC timestamp accurate to 100ms. Rationale: Juridical recording of signaller actions is mandated by Railway Group Standard GE/RT8270 for post-incident investigation. 100ms timestamp accuracy enables correlation with interlocking event logs and train detection records during timeline reconstruction. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-audit-trail-309 |
| SUB-REQS-FUNC-078 | The Alarm Display and Management Panel SHALL present new alarms within 1 second of receipt from the Alarm Management Processor, sorted by priority (safety, operational, maintenance) with colour coding compliant with EEMUA 191 guidelines. Rationale: 1-second alarm latency is the EEMUA 191 recommended maximum for safety-related alarms in control room environments. Priority sorting ensures the signaller addresses the most critical condition first during multi-alarm situations. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-alarm-latency-309 |
| SUB-REQS-FUNC-079 | When more than 10 alarms are received within a 10-second window, the Alarm Display and Management Panel SHALL activate alarm flood management, suppressing consequential alarms and presenting a root-cause summary grouping related alarms by originating subsystem. Rationale: Alarm floods during major failures (e.g., power supply loss affecting multiple track circuits) can overwhelm the signaller with hundreds of individual alarms. EEMUA 191 Section 5.4 requires alarm flood suppression to maintain operator effectiveness. The 10-alarm/10-second threshold is derived from typical UK signalling alarm rates during power restoration events. | Test | subsystem, signaller-workstation, safety, session-309, idempotency:sub-sw-alarm-flood-309 |
| SUB-REQS-FUNC-080 | When the primary workstation fails (loss of application heartbeat, display output failure, or network connectivity loss), the Workstation Redundancy Controller SHALL complete switchover to the standby workstation within 5 seconds, with the standby resuming the identical track diagram state, alarm queue, and authenticated session. Rationale: 5-second switchover ensures the signaller regains situational awareness before any route-setting timeout expires (typical CBI route-setting timeout is 30 seconds). State transfer must include alarm queue to prevent loss of unacknowledged safety alarms during failover. Based on Network Rail GRIP Stage 4 availability modelling for York ROC workstations. | Test | subsystem, signaller-workstation, reliability, session-309, idempotency:sub-sw-failover-309 |
| SUB-REQS-FUNC-081 | The Signaller Authentication and Access Control Module SHALL authenticate signallers via smart card plus PIN before granting control access, and SHALL restrict command authority to the geographical area assigned to the authenticated signaller role. Rationale: Dual-factor authentication (smart card + PIN) prevents unauthorised route setting, which is a safety-critical function. Geographic area restriction ensures signallers only control areas they are trained and qualified for, as required by Rule Book Module TW1 for signaller competency management. | Demonstration | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-082 | When the authentication system is unavailable, the Signaller Authentication and Access Control Module SHALL permit emergency access via physical key override, granting full control authority with all actions logged as unauthenticated emergency operations. Rationale: Authentication system failure must not prevent emergency signalling operations. Physical key override is the industry-standard fallback mechanism, providing a non-electronic bypass that remains functional during complete IT system failures. Logging as unauthenticated ensures post-incident traceability. | Demonstration | rt-untestable, red-team-session-522 |
| SUB-REQS-FUNC-083 | While no operator input is detected for 300 seconds, the Signaller Authentication and Access Control Module SHALL lock command input while maintaining display-only mode showing the current track diagram and active alarms. Rationale: Automatic lock prevents unauthorised personnel from issuing commands on an unattended workstation. Display-only mode is preserved (rather than blanking the screen) because situational awareness must be maintained for adjacent signallers and supervisors. 300-second timeout balances security against operational workflow where signallers may monitor without input during low-traffic periods. | Test | subsystem, signaller-workstation, session-309, idempotency:sub-sw-screen-lock-309 |
| SUB-REQS-FUNC-084 | The Automatic Route Setting Engine SHALL issue route-setting requests to the CBI via the TMS-CBI Interface Gateway between 120 and 240 seconds before the planned train arrival at each signal, adjusted by current train speed and section length. Rationale: 120-240 second lookahead window ensures points are set and locked before train arrival while not occupying junction capacity unnecessarily. Too early locks out conflicting routes; too late risks the train approaching a signal at danger. Values derived from Network Rail ARS specification NR/L2/SIG/30014. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-ars-lookahead-309 |
| SUB-REQS-FUNC-085 | The Automatic Route Setting Engine SHALL manage simultaneous route-setting for at least 500 active train services across the control area without exceeding 2-second decision cycle time. Rationale: 500 trains represents peak capacity for a major UK regional operations centre (e.g., Wales and Western ROC manages approximately 450 services at peak). 2-second decision cycle ensures route requests are timely for the 120-second minimum lookahead. | Test | rt-missing-failure-mode, red-team-session-522 |
| SUB-REQS-FUNC-086 | The Conflict Detection and Resolution Module SHALL detect path conflicts at junctions, crossovers, and single-line sections at least 15 minutes before the predicted conflict time, and SHALL present the conflict alert with at least three regulation options ranked by total network delay impact. Rationale: 15-minute minimum lookahead gives signallers sufficient time to evaluate options and implement regulation before the conflict materialises. Three ranked options are the minimum for meaningful decision support — fewer options are not useful; more than five overwhelm the signaller. Total network delay ranking prevents local optimisation that increases overall disruption. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-conflict-lookahead-309 |
| SUB-REQS-FUNC-087 | The Train Describer and Berth Management component SHALL step train identities between berths within 500ms of receiving the corresponding track occupation change from the CBI, maintaining accurate identity-to-berth association for at least 500 concurrent train headcodes. Rationale: 500ms berth step latency ensures the track diagram display shows correct train identities in near-real-time. Delay beyond this creates visual mismatch between track occupation indications and train labels, confusing signallers. 500 concurrent headcodes matches the ARS capacity requirement. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-td-berthstep-309 |
| SUB-REQS-FUNC-088 | The TMS-CBI Interface Gateway SHALL enforce rate limiting of a maximum 20 route-setting commands per second to the CBI, and SHALL buffer excess commands in a FIFO queue with a maximum queue depth of 100 commands. Rationale: Rate limiting prevents the ARS from overwhelming the CBI command processing pipeline during perturbation recovery when many routes are re-set simultaneously. 20 commands/second is the typical CBI command processing capacity. 100-command queue depth covers the worst-case burst during a 5-second ARS decision cycle at maximum route density. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-gateway-ratelimit-309 |
| SUB-REQS-FUNC-089 | The Timetable and Train Graph Processor SHALL import and validate working timetable data in CIF format within 60 seconds of receipt, rejecting timetables with scheduling conflicts (overlapping platform allocations, impossible run times) and reporting validation failures to the signaller workstation. Rationale: 60-second import time ensures timetable updates during the operating day (Very Short Term Plan amendments) are available to the ARS quickly. Validation prevents corrupt or conflicting timetable data from causing incorrect ARS routing decisions. | Test | subsystem, traffic-management, session-309, idempotency:sub-tms-timetable-import-309 |
| SUB-REQS-FUNC-090 | When the TMS-CBI Interface Gateway loses connectivity to the CBI for more than 30 seconds, the Automatic Route Setting Engine SHALL suspend automatic route-setting for the affected interlocking area and SHALL alert the signaller that manual route setting is required, while continuing conflict detection and train graph display for unaffected areas. Rationale: Automatic route setting without CBI connectivity would queue commands that may no longer be valid when connectivity is restored. 30-second timeout allows for brief network interruptions (PRP switchover, RaSTA reconnection) without disrupting ARS operation. Continued conflict detection for unaffected areas prevents cascade degradation. | Test | subsystem, traffic-management, reliability, session-309, idempotency:sub-tms-degraded-mode-309 |
| SUB-REQS-PERF-010 | The Vital Processing Unit SHALL complete each interlocking processing cycle, from input acquisition through output command issue, within 500ms under worst-case loading of 200 simultaneous route requests. Rationale: The 500ms cycle time determines the maximum reaction time of the interlocking to any safety-critical event (train entering an occupied section, point failing to detect). Derived from the 2-minute headway requirement: at 160km/h line speed a train covers 44m per cycle, which must be bounded for safe braking distance calculations. 200 simultaneous routes represents a large junction during peak disruption recovery. | Test | subsystem, cbi, vpu, performance, session-300, idempotency:sub-cbi-cycle-time-300 |
| SUB-REQS-PERF-011 | The Vital Processing Unit SHALL achieve a mean time between dangerous failures (MTBFd) of at least 100,000 hours and a mean time to restoration (MTTR) of no more than 30 minutes when a spare module is available on-site. Rationale: MTBFd of 100,000 hours is the minimum to achieve the system-level 99.99% availability target with the 2oo3 architecture providing fault tolerance. The 30-minute MTTR with on-site spares ensures the system returns to full 2oo3 redundancy before a second failure is statistically likely, based on Markov availability modelling. | Analysis | subsystem, cbi, vpu, performance, session-300, idempotency:sub-cbi-vpu-availability-300 |
| SUB-REQS-PERF-012 | Each Object Controller SHALL manage a minimum of 16 field objects simultaneously, with a maximum input-to-output latency of 50ms for any individual object command. Rationale: 16 objects per OC is the standard grouping for trackside location cases, balancing wiring cost against OC unit count. The 50ms latency budget is allocated from the 200ms read-back window in SUB-REQS-FUNC-005, leaving margin for field device actuation time and communication overhead. | Test | subsystem, cbi, object-controller, performance, session-300, idempotency:sub-cbi-oc-capacity-300 |
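The validation that SUB-REQS-FUNC-089 asks of the timetable importer, worked as an added example (this is not code from the page's project). It does not parse CIF: the platform-call and run-segment records are constructed in memory as stand-ins for what a CIF import would produce, and the checks report overlapping platform allocations and run times that would need more than the 160 km/h line speed quoted in SUB-REQS-PERF-010. The record layout, function names, headcodes, station names, timings and the `LINE_SPEED_KMH` constant are all assumptions made for the example.

```python
"""Added example: timetable validation of the kind SUB-REQS-FUNC-089 requires.
Not a CIF parser; the records below are constructed stand-ins for calls and
run segments extracted from a working timetable."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LINE_SPEED_KMH = 160.0  # constructed assumption: line speed used for the run-time check


@dataclass(frozen=True)
class PlatformCall:
    headcode: str      # 4-character train identity
    station: str
    platform: str
    arrive: datetime
    depart: datetime


@dataclass(frozen=True)
class RunSegment:
    headcode: str
    from_station: str
    to_station: str
    distance_km: float
    depart: datetime
    arrive: datetime


@dataclass(frozen=True)
class ValidationFailure:
    code: str          # PLATFORM_OVERLAP, NEGATIVE_DWELL or IMPOSSIBLE_RUN_TIME
    headcode: str
    detail: str


def _platform_overlaps(calls):
    """Two trains may not hold the same platform at overlapping times. Calls on
    each platform are sorted by arrival and compared with the latest departure
    seen so far, so chains of three or more overlapping calls are all reported."""
    failures, by_platform = [], defaultdict(list)
    for call in calls:
        if call.depart < call.arrive:
            failures.append(ValidationFailure("NEGATIVE_DWELL", call.headcode,
                                              f"departs {call.station} before arriving"))
            continue
        by_platform[(call.station, call.platform)].append(call)
    for (station, platform), group in by_platform.items():
        group.sort(key=lambda c: c.arrive)
        latest = group[0]
        for call in group[1:]:
            if call.arrive < latest.depart:   # strict: back-to-back calls are allowed
                failures.append(ValidationFailure(
                    "PLATFORM_OVERLAP", call.headcode,
                    f"{station} platform {platform} is allocated to "
                    f"{latest.headcode} until {latest.depart:%H:%M}"))
            if call.depart > latest.depart:
                latest = call
    return failures


def _impossible_run_times(runs):
    """A segment is impossible when its scheduled time is zero or negative, or
    when covering the distance in that time would exceed line speed."""
    failures = []
    for run in runs:
        hours = (run.arrive - run.depart).total_seconds() / 3600.0
        leg = f"{run.from_station}-{run.to_station}"
        if hours <= 0:
            failures.append(ValidationFailure("IMPOSSIBLE_RUN_TIME", run.headcode,
                                              f"{leg} has a non-positive run time"))
            continue
        needed_kmh = run.distance_km / hours
        if needed_kmh > LINE_SPEED_KMH:
            failures.append(ValidationFailure(
                "IMPOSSIBLE_RUN_TIME", run.headcode,
                f"{leg} needs {needed_kmh:.0f} km/h, line speed is {LINE_SPEED_KMH:.0f} km/h"))
    return failures


def validate_timetable(calls, runs):
    """Return every failure found. An empty list means the timetable is accepted;
    anything else rejects the whole import and is reported to the signaller."""
    return _platform_overlaps(calls) + _impossible_run_times(runs)


def _t(hh, mm):
    return datetime(2026, 3, 27, hh, mm)


# Constructed sample: headcodes, stations and timings are invented for the example.
SAMPLE_CALLS = [
    PlatformCall("1A01", "EXAMPLE JN", "1", _t(10, 0), _t(10, 5)),
    PlatformCall("1A03", "EXAMPLE JN", "1", _t(10, 3), _t(10, 8)),   # overlaps 1A01
    PlatformCall("1A05", "EXAMPLE JN", "2", _t(10, 3), _t(10, 6)),   # other platform, fine
    PlatformCall("1A07", "EXAMPLE JN", "1", _t(10, 8), _t(10, 12)),  # back-to-back with 1A03
]
SAMPLE_RUNS = [
    RunSegment("1A01", "EXAMPLE JN", "EXAMPLE EAST", 40.0, _t(10, 5), _t(10, 15)),  # 240 km/h
    RunSegment("1A05", "EXAMPLE JN", "EXAMPLE WEST", 20.0, _t(10, 6), _t(10, 20)),  # ~86 km/h
]

if __name__ == "__main__":
    problems = validate_timetable(SAMPLE_CALLS, SAMPLE_RUNS)
    print("accepted" if not problems else "rejected")
    for p in problems:
        print(f"  {p.code} {p.headcode}: {p.detail}")
```

The overlap check is deliberately strict rather than interval-equality based: a call that arrives at the same minute another departs is accepted, so a realistic back-to-back platform working does not trip the importer, while any genuine overlap does. On the constructed sample the importer rejects the timetable with one overlap (1A03) and one impossible run (1A01).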

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-CBIINTERFACES-001 | The interface between the Computer-Based Interlocking and the Train Detection Subsystem SHALL transmit track section occupancy status (occupied/clear) for each track circuit and axle counter section as a safety-certified binary state, updated at a minimum rate of 2Hz, over a dedicated serial or Ethernet link conforming to EN 50159 Category 1. Rationale: Track occupancy is the primary safety input to the interlocking. 2Hz update rate ensures the interlocking detects a train entering a section within 500ms (one cycle). Category 1 (closed network) is appropriate because this is a point-to-point link within the equipment room. Binary state per section minimises protocol complexity and interpretation ambiguity in the safety logic. | Test | interface, cbi, train-detection, session-300, idempotency:ifc-cbi-traindet-300 |
| IFC-CBIINTERFACES-002 | The interface between the Computer-Based Interlocking and the Colour-Light Signalling Output SHALL transmit signal aspect commands (red, yellow, double-yellow, green, flashing aspects) as vital output via Object Controllers, with the signal reverting to its most restrictive aspect (red) within 2 seconds if the command link is lost. Rationale: Signal aspects are the primary safety output to train drivers. The 2-second fail-safe timeout ensures signals default to red on communication loss, preventing a proceed indication without a valid route. Aspect commands flow through Object Controllers which provide the physical drive and read-back verification. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-003 | The interface between the Computer-Based Interlocking and the Points and Crossing Drive System SHALL transmit point position commands (normal/reverse) and receive point detection status (normal detected, reverse detected, no detection) via Object Controllers, with a maximum point movement timeout of 10 seconds after which the interlocking SHALL report a point failure. Rationale: Point detection confirms the physical position of switch blades before a route can be signalled. The 10-second timeout is derived from the maximum mechanical travel time of clamp-lock point machines (typically 5-7 seconds) plus margin. No-detection state triggers point failure and route cancellation to prevent movement over unsecured points. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-004 | The interface between the Computer-Based Interlocking and the ETCS Radio Block Centre SHALL provide route status data (route set, route locked, route released, overlap status) via the Communication Gateway using RaSTA (Rail Safe Transport Application) protocol over TCP/IP, with a maximum end-to-end latency of 500ms and a safety-integrity connection timeout of 2 seconds. Rationale: The ETCS RBC derives movement authorities from interlocking route status. RaSTA is the mandated safety protocol for ETCS Level 2 per SUBSET-098. The 500ms latency bounds the delay in issuing updated movement authorities after a route change. The 2-second timeout causes the RBC to issue an emergency stop if interlocking communication is lost, preventing train movement without current route data. | Test | interface, cbi, etcs, session-300, idempotency:ifc-cbi-etcs-300 |
| IFC-CBIINTERFACES-005 | The interface between the Computer-Based Interlocking and the Traffic Management System SHALL accept automatic route-setting commands and return route confirmation or rejection responses, using a non-vital TCP/IP link with message acknowledgment within 1 second. The interlocking SHALL independently validate every route request against its safety logic regardless of the TMS command. Rationale: TMS automates route setting for timetable execution but is non-vital — the interlocking must independently enforce safety. The 1-second acknowledgment enables TMS to detect communication failure and alert the signaller for manual intervention. Non-vital link classification reflects that TMS commands can never override interlocking safety logic. | Test | interface, cbi, tms, session-300, idempotency:ifc-cbi-tms-300 |
| IFC-CBIINTERFACES-006 | The interface between the Computer-Based Interlocking and the Level Crossing Protection System SHALL transmit crossing activation and release commands based on train approach detection, and receive crossing status (barriers down confirmed, barriers failed, road clear) as a vital input, with crossing proved down before the protecting signal can clear. Rationale: The interlocking must prove barriers are down before allowing a train to proceed towards a level crossing — this is a direct safety interlock. Crossing status as vital input ensures barrier mechanical failure prevents signal clearance. This implements the UK standard for AHBC crossings where the interlocking controls the approach signal. | Test | rt-untestable, red-team-session-522 |
| IFC-CBIINTERFACES-007 | The interface between the Wheel Sensor and the Axle Counter Evaluator SHALL transmit analogue pulse signals via shielded twisted-pair cable with a maximum cable length of 12 km, maintaining a minimum signal-to-noise ratio of 20 dB at the evaluator input across the full operating temperature range (-40 to +70 degrees C). Rationale: 12 km maximum cable length accommodates the largest typical interlocking area without repeaters. The 20 dB SNR threshold ensures reliable axle discrimination even with electromagnetic interference from AC traction return currents, which are the dominant noise source in electrified railway environments. Temperature range covers extreme European climate conditions per EN 50125-3. | Test | interface, train-detection, axle-counter, session-301, idempotency:ifc-td-ws-ace-301 |
| IFC-CBIINTERFACES-008 | The interface between the Audio-Frequency Track Circuit and the Train Detection Data Concentrator SHALL transmit binary occupied/clear status as voltage-free relay contacts, with the concentrator polling each track circuit input at a minimum rate of 10 Hz. Rationale: Voltage-free relay contacts provide galvanic isolation between the trackside track circuit equipment and the indoor data concentrator, preventing traction current ground faults from propagating into the signalling equipment room. 10 Hz polling rate ensures occupancy changes are captured within 100ms, consistent with the concentrator's aggregation latency budget. | Test | interface, train-detection, aftc, session-301, idempotency:ifc-td-aftc-tddc-301 |
| IFC-CBIINTERFACES-009 | The interface between the Axle Counter Evaluator and the Train Detection Data Concentrator SHALL use RS-485 serial communication at 19200 baud with EN 50159 Category 1 safety coding, transmitting section occupancy status, axle count values, and diagnostic data at a minimum update rate of 5 Hz per counting point. Rationale: RS-485 provides noise-immune differential signalling suitable for the equipment room environment. 19200 baud is sufficient for the data volume (approximately 20 bytes per counting point per update). EN 50159 Category 1 safety coding (sequence numbers, CRC, time stamps) protects against message corruption on the closed network. 5 Hz update rate per counting point ensures the concentrator receives occupancy changes within 200ms of the evaluator detecting them. | Test | interface, train-detection, axle-counter, session-301, idempotency:ifc-td-ace-tddc-301 |
| IFC-CBIINTERFACES-010 | The interface between the Train Detection Data Concentrator and the Computer-Based Interlocking Object Controllers SHALL transmit the unified occupancy table for up to 128 track sections as a cyclic vital serial message at 10 Hz, with EN 50159 Category 3 safety coding including cryptographic authentication. Rationale: 10 Hz cyclic transmission ensures the CBI always has occupancy data no older than 100ms. 128 sections is the maximum concentrator capacity, matching the largest typical interlocking area. EN 50159 Category 3 coding (with cryptographic message authentication) is required because this link carries vital data that directly controls route-locking decisions — any undetected corruption could lead to a false-clear and potential collision. | Test | interface, train-detection, data-concentrator, session-301, idempotency:ifc-td-tddc-cbi-301 |
| IFC-CBIINTERFACES-011 | The interface between the RBC-CBI Interface Gateway and the RBC Application Server SHALL transfer route status, point position, and track occupancy data as structured messages at a minimum rate of 10 updates per second, with each message containing a monotonic sequence number and UTC timestamp for safe message ordering. Rationale: 10 Hz update rate matches the CBI processing cycle (100ms) and ensures the RBC Application Server always has current interlocking state for MA computation. Sequence numbering and timestamps enable the application server to detect stale or out-of-order data, which could cause an MA to be computed against an obsolete track state. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-012 | The interface between the RBC Application Server and the Euroradio Safe Communication Layer SHALL transfer ETCS application messages conforming to SUBSET-026 packet format, with the safe communication layer accepting messages of up to 1023 bytes and providing delivery confirmation or failure notification within 2 seconds. Rationale: 1023 bytes is the maximum ETCS application message size per SUBSET-026 (accommodating the longest MA with full speed and gradient profile). 2-second delivery confirmation allows the application server to detect message delivery failures and trigger retransmission before the onboard T_NVCONTACT timeout expires. | Test | interface, etcs-rbc, session-302, idempotency:ifc-rbcapp-euroradio-302 |
| IFC-CBIINTERFACES-013 | The interface between the Euroradio Safe Communication Layer and the GSM-R Radio Interface Module SHALL provide a circuit-switched data bearer at 9.6 kbps with a bit error rate not exceeding 10^-3, with the Euroradio layer treating the bearer as unreliable and applying its own error detection and retransmission. Rationale: 9.6 kbps CSD is the standard GSM-R data bearer for ERTMS. The 10^-3 BER is the GSM-R specification limit; Euroradio is explicitly designed to provide SIL 4 safety on top of this error rate through its own integrity mechanisms. This interface definition ensures the safety case is independent of bearer reliability. | Test | interface, etcs-rbc, session-302, idempotency:ifc-euroradio-gsmr-302 |
| IFC-CBIINTERFACES-014 | The interface between the RBC Application Server and the RBC Handover Controller SHALL transfer train state data including current position, speed, active MA boundaries, and train characteristics within 200 milliseconds of the handover controller requesting it, to support the 5-second handover completion budget. Rationale: 200ms for state data transfer leaves 4.8 seconds for the three-way handover protocol exchange with the adjacent RBC. Train state data must include the complete supervision context so the receiving RBC can construct a valid initial MA without requiring a full position report cycle from the train. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-015 | The interface between the RBC Application Server and the Juridical Recording Unit SHALL transfer event records via an asynchronous message queue with a guaranteed delivery mechanism, ensuring no event is lost even during peak load of 500 events per second. Rationale: 500 events/second represents worst-case load: 60 trains each generating position reports, MA updates, and acknowledgments simultaneously during a service recovery scenario. Asynchronous delivery via message queue ensures that recording latency does not affect real-time MA computation in the safety-critical path. Guaranteed delivery prevents evidence gaps in incident investigation. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-016 | The interface between the Level Crossing Controller and the Computer-Based Interlocking SHALL exchange train approach triggers, crossing protection status (clear/protecting/protected/failed), and fault reports via an EN 50159 Category 2 safety communication link with a maximum end-to-end latency of 500 milliseconds. Rationale: 500ms latency is within the CBI processing cycle tolerance for level crossing state. EN 50159 Category 2 (rather than Category 3) is sufficient because the controller and CBI are typically co-located in the same signalling equipment room or connected via a dedicated cable route with no untrusted network segments. | Test | interface, level-crossing, session-302, idempotency:ifc-lcc-cbi-302 |
| IFC-CBIINTERFACES-017 | The interface between the Level Crossing Obstacle Detection System and the Level Crossing Controller SHALL provide obstacle presence/absence status as a binary safe signal updated every 200 milliseconds, with a fail-safe output that indicates obstacle-present on sensor failure or communication loss. Rationale: 200ms update rate matches the obstacle detection scan cycle. Binary safe signal with fail-safe default ensures that sensor failure is treated as a potential obstacle, preventing barrier descent onto an undetected vehicle. This is the critical safety interface: a failure to detect an obstacle leads directly to a collision hazard. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-018 | The interface between the Level Crossing Controller and the Barrier Drive Mechanism SHALL provide raise/lower commands and receive barrier position feedback (angle in degrees, fully-raised and fully-lowered limit switch states) with a control loop update rate of at least 10 Hz. Rationale: 10 Hz position feedback is required for the controller to detect barrier stall conditions (motor failure, physical obstruction) within 100ms, enabling timely fault response. Angular position data allows the controller to monitor descent rate and detect partial-descent faults that limit switches alone cannot identify. | Test | interface, level-crossing, session-302, idempotency:ifc-lcc-barrier-302 |
| IFC-CBIINTERFACES-019 | The interface between the Point Drive Controller and the Electro-Hydraulic Point Machine SHALL deliver 3-phase AC power at 380-440V, 50Hz, with motor current monitoring at 100Hz sampling rate for current signature analysis enabling obstruction detection and wear trending. Rationale: 3-phase 380-440V is the standard European trackside power supply for electro-hydraulic point machines per EN 50123. 100Hz current sampling is required to capture the throw current profile with sufficient resolution to discriminate obstruction signatures (sharp current spike) from normal friction variation (gradual increase). Lower sampling rates miss transient obstruction events. | Test | interface, points-drive, session-304, idempotency:ifc-pdc-ehpm-power-304 |
| IFC-CBIINTERFACES-020 | The interface between the Point Position Detection Assembly and the Point Drive Controller SHALL provide two independent detection channels using fail-safe vital relay contacts, with each channel reporting blade position as a binary normal-detected or reverse-detected signal, updated within 50ms of blade reaching the detection threshold. Rationale: Two independent detection channels are required for SIL 4 per EN 50129 — a single detection channel cannot achieve the required diagnostic coverage. Vital relay contacts ensure fail-safe behavior: contact opening (spring return) maps to not-detected, satisfying the safe default. The 50ms update latency ensures detection state is current within two interlocking processing cycles. | Test | interface, points-drive, session-304, idempotency:ifc-ppda-pdc-detect-304 |
| IFC-CBIINTERFACES-021 | The interface between the Point Drive Controller and the Swing-Nose Crossing Actuator SHALL include a synchronisation interlock ensuring the crossing nose drive command is issued only after the main point blades have reached mid-stroke, and nose detection must be confirmed before the overall point detection is reported as complete. Rationale: Synchronisation prevents mechanical interference between blade and nose movement. If both move simultaneously, the crossing nose may collide with a partially-moved blade. The mid-stroke trigger point ensures blades have cleared the nose swing path. Requiring nose detection before overall point detection prevents routes being set over a turnout where blades are proven but the nose gap remains open. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-022 | The interface between the Point Heating System and the Signalling Diagnostic and Monitoring System SHALL report heater element status, power consumption per switch, ambient sensor readings, and heating mode at intervals not exceeding 60 seconds, using SNMP or Modbus TCP over the signalling Ethernet network. Rationale: 60-second reporting interval provides sufficient granularity for energy management and fault detection without overloading the diagnostic network. Individual switch power reporting enables detection of partial heater element failures (common failure mode — single element burnout reduces heating capacity without triggering a full alarm). SNMP/Modbus TCP aligns with existing signalling diagnostic infrastructure standards. | Test | interface, points-drive, heating, session-304, idempotency:ifc-phs-diag-monitoring-304 |
| IFC-CBIINTERFACES-023 | The interface between the Safety-Critical Data Network Switch and the Lineside Transmission Multiplexer SHALL use Gigabit Ethernet (IEEE 802.3ab) with 1000BASE-LX single-mode fiber optics, supporting a minimum link distance of 50 km and providing bit error rate better than 10^-12. Rationale: Single-mode fiber is required for the 2-50km distances between SER and lineside locations. 1000BASE-LX provides the bandwidth headroom for multiplexed field data while maintaining the BER required for safety communication over long fiber runs. | Test | interface, communication-network, session-305, idempotency:ifc-switch-mux-305 |
| IFC-CBIINTERFACES-024 | The interface between the Safety-Critical Data Network Switch and the Computer-Based Interlocking SHALL carry RaSTA-encapsulated vital messages over dual-redundant PRP Ethernet paths, with each path using physically separate cabling and switch ports, and SHALL support a sustained throughput of at least 100 Mbit/s per path. Rationale: Physical path separation ensures PRP provides genuine redundancy against cable damage or switch port failure. 100 Mbit/s throughput accommodates the aggregate traffic from interlocking commands, route status, and diagnostic data with margin for future capacity growth. | Test | interface, communication-network, session-305, idempotency:ifc-switch-cbi-305 |
| IFC-CBIINTERFACES-025 | The interface between the Cybersecurity Boundary Gateway and the Traffic Management System SHALL enforce unidirectional data flow from the safety network to the TMS for route status and train position data, and controlled bidirectional flow for TMS route requests, with all TMS-originated messages subject to deep packet inspection and protocol allowlisting. Rationale: Unidirectional flow for status data prevents the TMS from being used as an attack vector into the safety domain. Controlled bidirectional flow for route requests is necessary for operational functionality but requires DPI to ensure only valid route request message formats traverse the boundary. | Test | interface, communication-network, session-305, idempotency:ifc-fw-tms-305 |
| IFC-CBIINTERFACES-026 | The interface between the Network Time Distribution Server and the Safety-Critical Data Network Switch SHALL use IEEE 1588v2 PTP over Ethernet multicast, with the switch acting as a PTP boundary clock to minimize timestamp error accumulation, achieving end-to-end synchronization accuracy of 100 nanoseconds between grandmaster and any network endpoint. Rationale: Boundary clock mode in the switch corrects for switch residence time, preventing timestamp degradation across hops. The 100ns end-to-end target provides 10x margin over the 1-microsecond juridical recording requirement, accounting for asymmetric path delays and temperature-dependent oscillator drift. | Test | interface, communication-network, session-305, idempotency:ifc-ptp-switch-305 |
| IFC-CBIINTERFACES-027 | The interface between the Network Diagnostic and Monitoring Agent and the Signalling Diagnostic and Monitoring System SHALL transmit network health status, alarm events, and performance metrics via a non-vital TCP/IP link through the Cybersecurity Boundary Gateway, using SNMP traps for alarms and periodic polling for metrics at intervals not exceeding 60 seconds. Rationale: Non-vital classification is appropriate because network diagnostic data does not affect safe train movements. Routing through the cybersecurity gateway ensures the monitoring traffic traverses the security boundary under controlled conditions. 60-second polling interval balances diagnostic granularity against monitoring bandwidth overhead. | Test | interface, communication-network, session-305, idempotency:ifc-mon-diag-305 |
| IFC-CBIINTERFACES-028 | The interface between the Signal Aspect Driver and each LED Signal Module SHALL provide regulated 24VDC drive current at 350mA per LED string via dedicated wiring per aspect position, with current ripple not exceeding 5% to prevent visible flicker. Rationale: Each LED module requires individually regulated current to maintain consistent brightness across modules of different colours and ages. The 350mA per string is the standard forward current for high-power signal LEDs. 5% ripple limit prevents flicker visible to drivers at close range, which could be mistaken for a defective signal. | Test | interface, colour-light, session-306, idempotency:ifc-sad-lsm-drive-306 |
| IFC-CBIINTERFACES-029 | The interface between the Signal Proving and Monitoring Unit and each LED Signal Module SHALL provide per-string current sense feedback via dedicated monitoring connections, with measurement accuracy of 2% or better across the full operating range. Rationale: Per-string current sensing is required for the 2oo2 monitoring architecture to detect individual LED string failures before they accumulate to the 30% threshold. 2% accuracy ensures the monitoring unit can distinguish between a healthy string at reduced output (e.g., temperature-related) and a genuinely degrading string, preventing both false alarms and missed failures. | Test | interface, colour-light, session-306, idempotency:ifc-spmu-lsm-monitor-306 |
| IFC-CBIINTERFACES-030 | The interface between the Signal Proving and Monitoring Unit and the Signal Aspect Driver SHALL use a hardwired failsafe relay contact that, when de-energised by the proving unit, physically disconnects all proceed-aspect drive outputs and forces the danger aspect, independent of any software or data interface. Rationale: The hardwired relay failsafe path must be completely independent of the digital data path between the proving unit and the driver board. If the relay interface were implemented in software (e.g., via a serial command), a software fault could prevent the failsafe from activating. The de-energised=safe design means power loss to the relay circuit also triggers the safe state. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-031 | The interface between the Signal Proving and Monitoring Unit and the Signalling Diagnostic and Monitoring System SHALL transmit lamp status, degradation percentage, and failure classification via RS-485 serial link at 9600 baud, using a polling protocol with a maximum response time of 500 milliseconds. Rationale: RS-485 is the standard serial interface for lineside signalling equipment, supporting multi-drop connection of multiple signal heads on a single bus run of up to 1200m. 9600 baud provides sufficient bandwidth for diagnostic telemetry from up to 32 signal heads per bus segment. The 500ms response time ensures the diagnostic system receives current status within one polling cycle. | Test | interface, colour-light, diagnostic, session-306, idempotency:ifc-spmu-diag-serial-306 |
| IFC-CBIINTERFACES-032 | The interface between the Signal Aspect Driver and the Junction Route Indicator SHALL transmit route identity data via dedicated digital outputs (one per feather position or serial data for theatre displays), with an independent hardware interlock contact from the main aspect circuit that prevents route indicator illumination when the danger aspect is displayed. Rationale: Dual-path interface design: the route data path carries the identity of which feather or character to display, while the independent hardware interlock provides the safety function of preventing illumination during danger. Even if the data path erroneously commands a route display, the hardware interlock (driven from the main aspect relay chain) prevents illumination when the signal is at red. | Test | interface, colour-light, junction-indicator, session-306, idempotency:ifc-sad-jri-route-306 |
| IFC-CBIINTERFACES-033 | The interface between the Signalling Power Feeder and the Signalling Uninterruptible Power Supply SHALL deliver 110V AC single-phase at 50Hz with voltage regulation within plus or minus 10 percent, via a dedicated cable run with individual circuit protection. Rationale: The UPS input must receive clean mains-derived power within its input tolerance range. Dedicated cable run prevents other loads from affecting UPS input voltage quality. | Test | interface, power-supply, session-308, idempotency:ifc-spf-ups-308 |
| IFC-CBIINTERFACES-034 | The interface between the Signalling Uninterruptible Power Supply and the Signalling Power Distribution Panel SHALL deliver conditioned 110V AC at 50Hz with THD below 3 percent, and SHALL include a maintenance bypass path that allows UPS servicing without interruption to vital loads. Rationale: Conditioned output from UPS feeds vital bus of distribution panel. Maintenance bypass is essential to allow UPS battery replacement and servicing without de-energising the signalling installation. | Test | interface, power-supply, session-308, idempotency:ifc-ups-pdp-308 |
| IFC-CBIINTERFACES-035 | The interface between the Signalling Power Distribution Panel and the Track Circuit Power Feed Unit SHALL provide individually fused 110V AC supply with earth-fault monitoring, and SHALL alarm within 2 seconds of detecting earth leakage exceeding 30mA on any track circuit feeder. Rationale: Track circuit power feeds are distributed to lineside locations where cable damage is a common fault mode. Earth-fault monitoring at the distribution panel detects cable insulation breakdown before it escalates to a short circuit that could trip the feeder, losing track occupancy detection across multiple sections. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-036 | The interface between the Power Supply Monitoring and Switchover Controller and the Signalling Diagnostic and Monitoring System SHALL transmit power system status, battery state-of-charge, mains quality metrics, and alarm conditions via Modbus TCP at a polling interval not exceeding 10 seconds. Rationale: Modbus TCP is the standard industrial protocol for power monitoring equipment. 10-second polling ensures the diagnostic system has near-real-time visibility of power system health for maintenance planning and incident response. Battery SOC is critical for predicting remaining backup runtime. | Test | interface, power-supply, session-308, idempotency:ifc-mon-diag-308 |
| IFC-CBIINTERFACES-037 | The interface between the Alarm Management Processor and the Signaller Workstation SHALL deliver rationalised alarms with priority level, source subsystem identification, and suggested operator response within 2 seconds of the originating event. Rationale: 2-second alarm delivery ensures signallers receive timely notification of safety-relevant conditions. Priority level and source identification enable rapid triage. Suggested response reduces cognitive load during high-stress situations. | Test | interface, diagnostic-monitoring, session-308, idempotency:ifc-amp-sw-308 |
| IFC-CBIINTERFACES-038 | The interface between the Condition Monitoring Server and the Event Logger and Replay Unit SHALL provide a continuous event stream via TCP with guaranteed delivery, sequence numbering, and automatic reconnection within 5 seconds of link loss. Rationale: Guaranteed delivery with sequence numbering ensures no events are lost or duplicated in the tamper-evident record. Automatic reconnection prevents gaps in the event log during transient network issues. | Test | interface, diagnostic-monitoring, session-308, idempotency:ifc-cms-elr-308 |
| IFC-CBIINTERFACES-039 | The interface between the Remote Diagnostic Gateway and the Condition Monitoring Server SHALL authenticate all remote sessions using multi-factor authentication and SHALL log all queries with user identity, timestamp, and data accessed. Rationale: MFA prevents unauthorized access to diagnostic data which could reveal system vulnerabilities. Full query logging provides an audit trail for detecting reconnaissance attempts and ensuring accountability for data access. | Test | interface, diagnostic-monitoring, session-308, idempotency:ifc-rdg-cms-308 |
| IFC-CBIINTERFACES-040 | The interface between the Track Diagram Display Processor and the Computer-Based Interlocking SHALL carry track occupation, signal aspect, point position, and route status data via the signalling data network using the RaSTA safe communication protocol, with state updates delivered within 500ms of the interlocking output cycle. Rationale: RaSTA provides SIL 4 end-to-end data integrity for display data, ensuring the signaller cannot see corrupted state information. 500ms delivery matches the display refresh requirement and the interlocking cycle time. | Test | interface, signaller-workstation, session-309, idempotency:ifc-tddp-cbi-statedata-309 |
| IFC-CBIINTERFACES-041 | The interface between the Route Setting and Command Interface and the Computer-Based Interlocking SHALL transmit route-setting, signal replacement, and emergency control commands via the signalling data network with end-to-end delivery confirmation within 1 second, and SHALL reject commands when the authenticated signaller lacks area authority for the target objects. Rationale: 1-second command delivery confirmation gives the signaller timely feedback that the CBI has received the command. Area authority checking at the interface prevents commands from being sent to the CBI for objects outside the signaller's control area, providing defence-in-depth beyond the CBI's own validation. | Test | rt-vague-interface, red-team-session-522 |
| IFC-CBIINTERFACES-042 | The interface between the Alarm Display and Management Panel and the Alarm Management Processor SHALL receive rationalised alarm messages containing alarm ID, priority level, originating subsystem, timestamp, and descriptive text, with delivery latency not exceeding 500ms from rationalisation completion. Rationale: 500ms interface latency combined with 500ms AMP processing gives 1 second end-to-end alarm presentation, meeting EEMUA 191 targets. Structured alarm messages (ID, priority, source, text) enable the Alarm Display to sort, filter, and group without additional processing. | Test | interface, signaller-workstation, diagnostic-monitoring, session-309, idempotency:ifc-admp-amp-alarms-309 |
| IFC-CBIINTERFACES-043 | The interface between the TMS-CBI Interface Gateway and the Computer-Based Interlocking SHALL exchange route-setting requests (TMS to CBI) and route confirmation, signal aspect, point position, and track occupation data (CBI to TMS) via the signalling data network, with the CBI returning route confirmation or rejection within 2 seconds of request receipt. Rationale: 2-second confirmation timeout allows the ARS to detect rejected routes and attempt alternatives within its decision cycle. This interface is the critical boundary between non-vital TMS and vital CBI — all commands cross this boundary and are validated by the CBI independently. | Test | interface, traffic-management, session-309, idempotency:ifc-tmsgw-cbi-route-309 |
| IFC-CBIINTERFACES-044 | The interface between the Train Describer and Berth Management component and the Track Diagram Display Processor SHALL deliver train identity labels (4-character headcode) for overlay on the track diagram, with berth step updates delivered within 500ms of the identity stepping event. Rationale: Train identity labels on the track diagram are essential for the signaller to associate physical track occupation with scheduled services. 500ms update latency matches the TD berth step and display refresh requirements, preventing displayed headcodes from lagging behind track occupation indications. | Test | interface, traffic-management, signaller-workstation, session-309, idempotency:ifc-td-tddp-trainid-309 |
| IFC-CBIINTERFACES-045 | The interface between the Traffic Management System and the Signaller Workstation SHALL deliver conflict alerts, regulation recommendations, and ARS operational status to the Route Setting and Command Interface, with conflict alerts displayed within 2 seconds of detection by the Conflict Detection and Resolution Module. Rationale: 2-second alert delivery ensures signallers receive conflict information while there is still time to act. ARS status display (active/suspended per area) is critical for signallers to know whether automatic or manual route setting is in effect for their control area. | Test | interface, traffic-management, signaller-workstation, session-309, idempotency:ifc-tms-sw-conflicts-309 |
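IFC-CBIINTERFACES-039 and IFC-CBIINTERFACES-041 above describe two boundary controls: MFA-gated sessions whose queries are logged with user identity, timestamp and data accessed, and rejection of commands whose target objects lie outside the signaller's area authority. The following is an added illustration written for this page, not code from the SyDD or from any signalling vendor. The control areas, object ids, command kinds and session fields are constructed; a real Route Setting and Command Interface would obtain them from the Signaller Authentication and Access Control Module and the interlocking data.

```python
"""Added example (not part of the SyDD or any product): command validation at
the Route Setting and Command Interface to CBI boundary, with every decision
written to an audit record carrying user identity, timestamp and the objects
touched.  Control areas, object ids and session fields are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed control-area map: which signalling objects each area controls.
AREA_OBJECTS = {
    "AREA-N": frozenset({"S101", "S102", "P11", "P12"}),
    "AREA-S": frozenset({"S201", "S202", "P21"}),
}

# Command kinds the interface is allowed to forward (constructed names).
ALLOWED_KINDS = frozenset({"ROUTE_SET", "SIGNAL_REPLACE", "EMERGENCY_STOP"})


@dataclass(frozen=True)
class SignallerSession:
    user_id: str
    mfa_verified: bool        # second factor completed at login
    areas: frozenset          # control areas the signaller is authorised for


@dataclass(frozen=True)
class Command:
    kind: str                 # one of ALLOWED_KINDS
    objects: tuple            # target signalling object ids


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    user_id: str
    kind: str
    objects: tuple
    outcome: str


def authorised_objects(session):
    """Union of the objects in every area the session holds authority for."""
    objs = set()
    for area in session.areas:
        objs |= AREA_OBJECTS.get(area, frozenset())
    return objs


def authorise_command(session, command, audit_log, now=None):
    """Decide whether the command may be forwarded to the CBI.

    Returns True only when the session is MFA-verified, the command kind is
    known, and every target object lies within the signaller's own areas.
    Every decision, accepted or rejected, is appended to audit_log so that
    rejected commands remain visible to whoever reviews the trail.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    if not session.mfa_verified:
        outcome = "REJECTED_NO_MFA"
    elif command.kind not in ALLOWED_KINDS:
        outcome = "REJECTED_UNKNOWN_COMMAND"
    else:
        outside = set(command.objects) - authorised_objects(session)
        outcome = ("REJECTED_AREA_AUTHORITY:" + ",".join(sorted(outside))
                   if outside else "ACCEPTED")
    audit_log.append(AuditRecord(ts, session.user_id, command.kind,
                                 command.objects, outcome))
    return outcome == "ACCEPTED"
```

Rejections are recorded with the same fields as acceptances, so a run of REJECTED_AREA_AUTHORITY records from one user id stands out in the audit trail. As the requirement's rationale says, this check is a second barrier only: the CBI still validates every forwarded command against its own tables.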
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-009 | ARC: Colour-Light Signalling Output — Separated safety monitoring from drive electronics. The Signal Proving and Monitoring Unit is architecturally independent of the Signal Aspect Driver, using a 2oo2 hardware comparison architecture with a dedicated failsafe relay. This separation ensures that a software fault in the aspect driver cannot mask a lamp failure. The alternative — integrated monitoring within the driver board — would reduce component count but creates a common-cause failure path between the drive function and the monitoring function, violating EN 50129 independence requirements for SIL4 safety functions. The Junction Route Indicator is driven through the Signal Aspect Driver but correlated with the main aspect via an independent hardware interlock, preventing a lit route indicator alongside a danger aspect even under driver board software failure. Rationale: Architectural separation of the safety monitoring function from the drive function is the standard EN 50129 pattern for SIL4 output subsystems. | Analysis | informational |
| ARC-010 | ARC: Signalling Power Supply System — Online double-conversion UPS topology with vital/non-vital bus separation at the distribution panel. The UPS sits in-line between the mains feeder and distribution rather than as a standby unit because audio-frequency track circuits require continuous sinusoidal power with less than 3% THD — a transfer gap of even 10ms would cause spurious track circuit occupancy indications, potentially triggering emergency braking. Vital and non-vital loads are separated at the distribution panel bus level to ensure a fault on non-vital equipment (diagnostics, HVAC, lighting) cannot trip vital supply protection. Load-shedding of non-vital circuits during battery operation extends vital runtime from 2 hours to approximately 3.5 hours. Rationale: Online UPS avoids transfer-time gaps that would corrupt audio-frequency track circuit operation. Bus separation isolates vital signalling loads from non-vital fault propagation. This topology is standard practice for UK mainline signalling equipment rooms per NR/L2/SIGELP/27725. | Analysis | informational |
| ARC-012 | ARC: Signalling Diagnostic and Monitoring System — Separated alarm management from condition monitoring to avoid data overload. The Alarm Management Processor applies EEMUA 191 rationalisation rules before forwarding to the Signaller Workstation, preventing alarm floods during cascade failures. The Condition Monitoring Server handles long-term trend analysis and predictive maintenance independently, storing 12 months of operational data. Event logging is a dedicated SIL2 unit because incident records must be tamper-evident and independently verifiable by RAIB investigators. Remote access is isolated behind a read-only gateway to prevent any remote path to safety-critical equipment. Rationale: Functional separation ensures alarm management latency is not affected by heavy predictive analytics processing. Independent event logging at SIL2 ensures incident records are admissible for regulatory investigation. Read-only remote gateway eliminates the cybersecurity risk of remote control paths to vital signalling. | Analysis | informational |
| ARC-CBIARCHITECTUREDECISIONS-001 | ARC: Computer-Based Interlocking — 2oo3 voted architecture with distributed Object Controllers and centralised Communication Gateway. The VPU uses triple-redundant processing rather than 2oo2D (two-out-of-two with diagnostics) because 2oo3 provides higher availability: a single channel failure degrades to 2oo2 operation rather than system shutdown. Object Controllers are distributed to trackside locations rather than centralised in the equipment room, reducing cabling cost by approximately 60% and enabling geographic fault isolation — a failed OC affects only its local objects, not the entire interlocking. The Communication Gateway is a separate component from the VPU to isolate protocol complexity and external network exposure from the safety kernel. Alternative considered: integrated comms within VPU (rejected due to increased attack surface on the safety processor and higher re-certification cost when protocol versions change). Rationale: This architecture decision records the key trade-offs in CBI component topology. The 2oo3 vs 2oo2D decision is the most consequential: it trades slightly higher hardware cost (3 vs 2 channels) for significantly higher availability, which is justified by the 99.99% system availability requirement. | Inspection | informational |
| ARC-SYS-ARC-002 | ARC: Train Detection Subsystem — Dual-technology detection (audio-frequency track circuits plus axle counters) with centralised Data Concentrator. Track circuits provide continuous passive detection on plain line; axle counters are used at locations where track circuit performance is unreliable (level crossings, poor ballast areas, points zones with traction current interference). The Data Concentrator aggregates both technologies into a single occupancy table rather than exposing heterogeneous detector types to the interlocking, isolating the CBI from detector-technology changes. Alternative considered: unified axle-counter-only detection (rejected because track circuits provide independent broken-rail detection capability that axle counters lack, and regulatory precedent in most European networks requires track circuits on plain line). Rationale: Dual-technology detection maximises both safety coverage (track circuits detect broken rails, which axle counters cannot) and availability (axle counters maintain operation during poor insulation conditions that degrade track circuits). The centralised Data Concentrator decouples the CBI from field detector technology, enabling future migration without interlocking software changes. | Inspection | informational |
| ARC-SYS-ARC-004 | ARC: ETCS Radio Block Centre — Layered architecture separating safety application (MA computation) from safe communication (Euroradio) and radio bearer (GSM-R). The RBC Application Server implements SUBSET-026 movement authority logic in a 2oo2 hot-standby configuration, isolated from communication protocol complexity. Euroradio (SUBSET-037) provides SIL 4 end-to-end safety on top of the inherently unreliable GSM-R bearer, enabling the safety case to be independent of radio network reliability. The GSM-R Radio Interface Module is non-vital, allowing radio technology migration to FRMCS without re-certifying the safety application. A dedicated RBC-CBI Interface Gateway isolates the interlocking protocol from the ETCS application, so CBI vendor changes do not cascade into ETCS re-certification. The Handover Controller is separated from the core MA engine because inter-RBC coordination has distinct timing constraints (5-second handover budget) and state management that would add complexity to the safety-critical MA computation path. Alternative considered: monolithic RBC with integrated communications (rejected due to re-certification cost explosion when any protocol layer changes, and inability to achieve independent safety cases for application vs communication layers per EN 50129). Rationale: Layered separation is mandated by the EN 50129 safety case structure which requires independent safety arguments for application and communication. The 2oo2 hot-standby (rather than 2oo3) for the RBC Application Server is driven by SUBSET-026 defining a clean primary/standby failover model for MA continuity, unlike the interlocking which benefits from 2oo3 voting for cycle-by-cycle determinism. | Inspection | informational |
| ARC-SYS-ARC-005 | ARC: Level Crossing Protection System — Centralised controller with distributed field equipment and independent obstacle detection. The Level Crossing Controller is a single SIL 4 unit that sequences all protection actions, rather than distributed logic across field devices, because the protection sequence has strict temporal ordering (signals before barriers, alarm concurrent with signals) that would be difficult to guarantee with distributed coordination. Obstacle detection is a separate dual-technology system (IR + radar) rather than integrated into barrier sensors, because barrier-mounted sensors cannot detect objects that have entered the crossing deck after barrier descent begins — a separate scanning system covering the full road width is required. Alternative considered: CCTV-based obstacle detection with image processing (rejected due to insufficient reliability in fog, heavy rain, and night conditions compared to active IR/radar scanning, and higher false-positive rate that would delay crossing clearance). Rationale: Centralised sequencing eliminates timing hazards from distributed synchronisation. Independent obstacle detection addresses the hazard of a vehicle trapped on the crossing deck — this is the primary collision mechanism at UK level crossings and requires dedicated detection independent of the barrier system itself. | Inspection | informational |
| ARC-SYS-ARC-006 | ARC: Points and Crossing Drive System — Centralised drive controller with per-machine detection independence. The Point Drive Controller acts as a single electronics module managing both conventional point machines and swing-nose crossing actuators, with the critical safety function (blade position detection) implemented as an independent assembly with its own fail-safe relay contacts, not embedded in the drive electronics. This separation ensures that drive controller faults (power stage failure, firmware defect) cannot corrupt detection integrity. The swing-nose crossing actuator is treated as a distinct component with its own detection rather than a sub-function of the point machine, because the synchronisation interlock between blade and nose movement is a safety-critical sequencing function that must be independently testable. Point heating is architecturally decoupled from the vital signalling chain — it connects directly to the diagnostic system, not through the Point Drive Controller — because heating is a maintenance function with different availability and integrity requirements than the safety-critical drive/detect path. Rationale: The detection-independence architecture is driven by SIL 4 requirements per EN 50129 Table A.1: the detection function achieves its safety target through hardware independence from the drive function, not through software diversity alone. The swing-nose separation is driven by high-speed line safety cases requiring independent proof that both blade and nose are seated. The heating decoupling prevents a heating fault from degrading the vital signalling path. | Inspection | informational |
| ARC-SYS-ARC-007 | ARC: Signalling Communication Network — Layered architecture separating physical transport (PRP switches, fiber multiplexers) from safety protocol (RaSTA middleware) and security boundary (TS 50701 gateway). PRP chosen over HSR because the star topology of the SER requires standard Ethernet switches, not ring topologies. RaSTA provides SIL4 end-to-end safety independent of network SIL rating, allowing SIL2-rated switches. Cybersecurity boundary gateway enforces zone separation with deep packet inspection rather than VLAN-only isolation, providing defence-in-depth against lateral movement between safety and non-vital domains. IEEE 1588 PTP selected over NTP for sub-microsecond accuracy needed by juridical recording timestamps. Rationale: Layered decomposition enables independent certification of transport, safety protocol, and security components. PRP at SIL2 with RaSTA at SIL4 avoids the cost and complexity of SIL4-certifying network infrastructure while maintaining end-to-end safety integrity. | Analysis | informational |
| ARC-SYS-ARC-013 | ARC: Signaller Workstation — Separated display rendering, command input, alarm management, and access control into independent components with hot-standby redundancy at the workstation level. The Track Diagram Display Processor is dedicated to rendering because display update rates (500ms refresh, 200+ state changes/second) demand optimised graphics pipeline separate from command processing. Route Setting and Command Interface is separated from the display to enforce confirmation dialogs and audit trail generation as independent safety barriers — if the display processor fails, the command interface continues recording operator actions to the audit log. Alarm Display and Management Panel is an independent component rather than a tab in the track diagram because EEMUA 191 requires alarm presentation to remain visible and operational even during display processor degradation. The Workstation Redundancy Controller runs on dedicated embedded hardware independent of the workstation OS to avoid common-cause failures between the application being protected and the failover mechanism. Alternative considered: virtualised workstation with software-based HA (rejected because OS-level failures would simultaneously disable both application and failover detection, violating the independence requirement of EN 50129 Annex A for control system redundancy). Rationale: Component separation is driven by the need for independent failure modes: a display rendering fault must not prevent command input recording (juridical requirement), alarm presentation (EEMUA 191), or failover detection (availability). Dedicated redundancy hardware ensures failover survives OS crashes, the most common workstation failure mode observed in Network Rail's operational data. | Inspection | informational |
| ARC-SYS-ARC-014 | ARC: Traffic Management System — Separated automatic route setting, conflict resolution, train description, and timetable management into distinct components with a dedicated CBI interface gateway. The Automatic Route Setting Engine is the core decision component but is deliberately separated from the Conflict Detection and Resolution Module because ARS operates reactively (route requested when train approaches signal) while conflict resolution operates predictively (15-30 minute lookahead). Combining them would force a single processing model on fundamentally different temporal domains. The Train Describer is separated from ARS because TD must maintain a continuous, accurate berth table regardless of ARS mode (ARS can be disabled per area while TD must always run). TMS-CBI Interface Gateway isolates vendor-specific CBI protocol changes from TMS application logic, allowing CBI migration without TMS re-development. Alternative: direct ARS-to-CBI connection (rejected because each CBI vendor uses different route-setting protocols, and tight coupling would require TMS modification for every CBI upgrade). Rationale: Separation of reactive routing (ARS) from predictive conflict detection reflects fundamentally different algorithmic and timing requirements. The gateway isolation is driven by the commercial reality that TMS and CBI are typically supplied by different vendors, and interface changes are the primary cause of integration delays in UK re-signalling projects. | Inspection | informational |
```mermaid
flowchart TB
    n0["component<br>Vital Processing Unit"]
    n1["component<br>Object Controller"]
    n2["component<br>Interlocking Application Data"]
    n3["component<br>Communication Gateway"]
    n4["component<br>Engineering and Maintenance Terminal"]
    n0 -->|Vital commands / field status| n1
    n2 -.->|Route/control tables| n0
    n0 -->|Route state / MA data| n3
    n3 -->|Route requests / coordination| n0
    n4 -->|Diagnostics / data load| n0
```
Computer-Based Interlocking — Internal
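ARC-CBIARCHITECTUREDECISIONS-001 chooses 2oo3 voting for the Vital Processing Unit so that a single channel failure degrades to 2oo2 operation instead of shutting the interlocking down. The voter below is an added example written for this page, not the VPU's own code. The comparison window default, the channel names and the aspect values are constructed, and a real voter would apply persistence filtering before isolating a channel, which this one omits for clarity.

```python
"""Added example (not VPU code): cycle-by-cycle 2oo3 output voting with a
comparison window, degradation to 2oo2 after one channel is isolated, and a
restrictive output whenever agreement cannot be reached.  Window default,
channel ids and aspect values are constructed."""
from collections import Counter

RESTRICTIVE = "DANGER"  # safe-side output issued whenever agreement is not reached


class TwoOutOfThreeVoter:
    """Output voter for three identical interlocking channels.

    A command is issued only when at least two channels agree inside the
    comparison window.  A channel that misses the window or dissents from
    the majority is isolated and the voter degrades to 2oo2; a disagreement
    in 2oo2 mode shuts the output down (restrictive from then on).
    """

    def __init__(self, window_ms=10):
        self.window_ms = window_ms   # maximum skew tolerated between channels
        self.failed = set()          # channels excluded from voting
        self.shutdown = False

    def mode(self):
        if self.shutdown or len(self.failed) >= 2:
            return "SHUTDOWN"
        return "2oo2" if self.failed else "2oo3"

    def vote(self, outputs):
        """outputs maps channel id -> (proposed command, timestamp in ms).
        Returns (command to issue, diagnostic reason)."""
        if self.mode() == "SHUTDOWN":
            return RESTRICTIVE, "output shut down"
        live = {ch: out for ch, out in outputs.items() if ch not in self.failed}
        if len(live) < 2:
            return RESTRICTIVE, "fewer than two channel outputs this cycle"
        # Bound the skew: only outputs within window_ms of the earliest take part
        t0 = min(t for _, t in live.values())
        in_window = {ch: v for ch, (v, t) in live.items() if t - t0 <= self.window_ms}
        late = set(live) - set(in_window)
        value, votes = Counter(in_window.values()).most_common(1)[0]
        if votes < 2:
            if self.mode() == "2oo2":
                self.shutdown = True          # no third channel left to arbitrate
                return RESTRICTIVE, "2oo2 disagreement, output shut down"
            return RESTRICTIVE, "no two channels agree"
        # A majority exists: dissenting or late channels are isolated
        dissent = {ch for ch, v in in_window.items() if v != value}
        self.failed |= dissent | late
        return value, "%d channels agree in %s mode" % (votes, self.mode())
```

The availability argument in the decision record is visible in the second and third calls of the test: after channel C dissents, the two remaining channels keep issuing commands, and only a further disagreement forces the restrictive shutdown.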
```mermaid
flowchart TB
    n0["component<br>Audio-Frequency Track Circuit"]
    n1["component<br>Wheel Sensor"]
    n2["component<br>Axle Counter Evaluator"]
    n3["component<br>Train Detection Data Concentrator"]
    n1 -->|Analogue pulse signals| n2
    n0 -->|Occupied/clear relay status| n3
    n2 -->|Section occupancy via RS-485| n3
```
Train Detection Subsystem — Internal
```mermaid
flowchart TB
    n0["SIL 4 MA computation<br>RBC Application Server"]
    n1["SIL 4 safe messaging<br>Euroradio Safe Comm Layer"]
    n2["Radio bearer<br>GSM-R Radio Interface"]
    n3["SIL 4 interlocking link<br>RBC-CBI Interface Gateway"]
    n4["RBC-RBC handover<br>RBC Handover Controller"]
    n5["Event logging<br>Juridical Recording Unit"]
    n3 -->|Route status, track occupancy| n0
    n0 -->|MA messages, ETCS packets| n1
    n1 -->|Authenticated messages| n2
    n0 -->|Train state, boundary data| n4
    n4 -->|RBC-RBC handover msgs| n1
    n0 -->|All operational events| n5
```
ETCS Radio Block Centre — Internal
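ARC-SYS-ARC-004 and ARC-SYS-ARC-007 rest on the same idea: the safety layer (Euroradio over GSM-R, RaSTA over the signalling network) carries the end-to-end integrity argument, so the bearer and the SIL 2 switches beneath it do not have to. The receiver below is an added, deliberately simplified example and is not an implementation of SUBSET-037 or RaSTA; the key, peer id, message layout, freshness window and contact timeout are all constructed. It shows the checks such a layer performs: a keyed MAC verified before any field is trusted, strictly increasing sequence numbers against replay and reordering, a timestamp freshness window, and a safe-side link state that falls to LOST when valid traffic stops.

```python
"""Added example, not SUBSET-037 or RaSTA: a simplified safety-layer receiver
whose integrity checks do not depend on the bearer below it.  Key, peer id,
message fields, freshness window and contact timeout are constructed."""
import hashlib
import hmac
import json


def _mac(key, sender, seq, ts_ms, payload):
    """Keyed MAC over the authenticated fields in a fixed canonical encoding."""
    canonical = json.dumps(
        {"sender": sender, "seq": seq, "ts": ts_ms, "payload": payload},
        sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_message(key, sender, seq, ts_ms, payload):
    """Sender side: attach sequence number, timestamp and MAC."""
    return {"sender": sender, "seq": seq, "ts": ts_ms, "payload": payload,
            "mac": _mac(key, sender, seq, ts_ms, payload)}


class SafeReceiver:
    def __init__(self, key, peer, max_age_ms=500, contact_timeout_ms=2000):
        self.key = key
        self.peer = peer                          # only this sender is trusted
        self.max_age_ms = max_age_ms              # freshness window
        self.contact_timeout_ms = contact_timeout_ms
        self.last_seq = -1                        # highest accepted sequence number
        self.last_good_ms = None                  # arrival time of last valid message

    def accept(self, msg, now_ms):
        """Return (accepted, reason).  The MAC is checked before any other field
        is trusted; sequence numbers must strictly increase; the timestamp must
        lie within the freshness window."""
        expected = _mac(self.key, msg.get("sender"), msg.get("seq"),
                        msg.get("ts"), msg.get("payload"))
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "MAC check failed"
        if msg["sender"] != self.peer:
            return False, "unexpected sender"
        if msg["seq"] <= self.last_seq:
            return False, "replayed or out-of-order sequence number"
        if abs(now_ms - msg["ts"]) > self.max_age_ms:
            return False, "stale message"
        self.last_seq = msg["seq"]
        self.last_good_ms = now_ms
        return True, "accepted"

    def link_state(self, now_ms):
        """Safe side: the link counts as lost until a valid message has arrived
        and whenever none has arrived within contact_timeout_ms."""
        if (self.last_good_ms is None
                or now_ms - self.last_good_ms > self.contact_timeout_ms):
            return "LOST"
        return "UP"
```

Gaps in the sequence are tolerated (a lossy bearer drops frames) but going backwards is not, and a valid message from the wrong peer is still refused. The link_state method is the part that lets the application layer react to a failed bearer: while it reports LOST, the consumer falls back to its restrictive state rather than acting on old data.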
```mermaid
flowchart TB
    n0["SIL 4 sequencer<br>Level Crossing Controller"]
    n1["Visual warning<br>Road Traffic Signal Assembly"]
    n2["Electromechanical<br>Barrier Drive Mechanism"]
    n3["IR + Radar sensor<br>Obstacle Detection System"]
    n4["Sound emitter<br>Audible Warning Device"]
    n0 -->|Signal commands| n1
    n0 -->|Barrier raise/lower| n2
    n0 -->|Alarm on/off| n4
    n3 -->|Obstacle status| n0
    n2 -->|Position feedback| n0
```
Level Crossing Protection System — Internal
```mermaid
flowchart TB
    n0["electronics<br>Signal Aspect Driver"]
    n1["optoelectronics<br>LED Signal Module"]
    n2["assembly<br>Multi-Aspect Signal Head"]
    n3["safety-monitor<br>Signal Proving and Monitoring Unit"]
    n4["display<br>Junction Route Indicator"]
    n0 -->|24VDC drive current| n1
    n0 -->|Route drive data| n4
    n1 -->|Aspect modules| n2
    n3 -->|Current monitoring| n1
    n3 -->|Failsafe override| n0
```
Colour-Light Signalling Output — Internal
```mermaid
flowchart TB
    n0["component<br>Signalling Power Feeder"]
    n1["component<br>Signalling UPS"]
    n2["component<br>Power Distribution Panel"]
    n3["component<br>Track Circuit Power Feed"]
    n4["component<br>Monitoring Controller"]
    n0 -->|Mains AC| n1
    n0 -->|Direct feed bypass| n2
    n1 -->|Conditioned AC| n2
    n2 -->|110V AC vital| n3
    n4 -.->|Status monitor| n0
    n4 -.->|Battery health| n1
    n4 -.->|Circuit status| n2
```
Signalling Power Supply System — Internal
```mermaid
flowchart TB
    n0["component<br>Condition Monitoring Server"]
    n1["component<br>Event Logger and Replay Unit"]
    n2["component<br>Remote Diagnostic Gateway"]
    n3["component<br>Alarm Management Processor"]
    n0 -->|Event data feed| n1
    n0 -->|Maintenance alarms| n3
    n3 -->|Raw alarm stream| n0
    n2 -.->|Remote read access| n0
```
Signalling Diagnostic and Monitoring System — Internal
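ARC-012 requires the Event Logger and Replay Unit's records to be tamper-evident and independently verifiable; the page does not describe the record format itself and points to NR/L2/SIGP/10201. The following is an added example written for this page, not the unit's own format: each record carries the digest of its predecessor, and a verifier detects modification and reordering on its own and, given a checkpoint held outside the primary copy, truncation as well. Event contents, source names and timestamps are constructed.

```python
"""Added example (not the Event Logger's real format): a hash-chained,
append-only event record plus a verifier that reports the first record at
which the chain breaks.  All events below are constructed."""
import hashlib
import json

GENESIS = "0" * 64   # digest assumed for the record before the first one


def _canonical(body):
    """Fixed encoding so the digest does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EventLog:
    def __init__(self):
        self.records = []

    def append(self, t_ms, source, event):
        """Append an event; the record binds itself to its predecessor's digest."""
        prev = self.records[-1]["digest"] if self.records else GENESIS
        body = {"seq": len(self.records), "t_ms": t_ms, "source": source,
                "event": event, "prev": prev}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.records.append({**body, "digest": digest})
        return digest

    def checkpoint(self):
        """(record count, head digest): keep this in the second storage copy so
        that truncation of the primary copy is detectable."""
        head = self.records[-1]["digest"] if self.records else GENESIS
        return len(self.records), head


def verify(records, checkpoint=None):
    """Return (ok, index of the first bad record or None).

    Checks, record by record: the sequence number matches the position, the
    prev field matches the previous digest, and the stored digest matches a
    recomputation.  With a checkpoint, the count and head digest must match.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "digest"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != rec.get("digest"):
            return False, i
        prev = rec["digest"]
    if checkpoint is not None and checkpoint != (len(records), prev):
        return False, len(records)
    return True, None
```

A hash chain on its own proves only internal consistency: whoever can rewrite the whole store can re-chain it. The checkpoint kept outside the primary store, for instance on the second of the dual redundant drives the component description mentions, is what turns consistency into evidence an investigator can rely on.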
```mermaid
flowchart TB
    n0["component<br>Track Diagram Display Processor"]
    n1["component<br>Route Setting and Command Interface"]
    n2["component<br>Alarm Display and Management Panel"]
    n3["component<br>Workstation Redundancy Controller"]
    n4["component<br>Signaller Authentication and Access Control Module"]
```
Signaller Workstation — Internal
```mermaid
flowchart TB
    n0["component<br>Automatic Route Setting Engine"]
    n1["component<br>Timetable and Train Graph Processor"]
    n2["component<br>Conflict Detection and Resolution Module"]
    n3["component<br>Train Describer and Berth Management"]
    n4["component<br>TMS-CBI Interface Gateway"]
```
Traffic Management System — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Alarm Display and Management Panel | 54FD7A58 | Alarm presentation and management HMI component integrated into the signaller workstation. Receives rationalised alarms from the Alarm Management Processor via the signalling data network. Displays alarms in priority-sorted list with colour coding (red=safety, amber=operational, blue=maintenance). Provides alarm acknowledgement, shelving, and filtering functions. Implements alarm flood management — suppresses cascade alarms during major failures and presents root-cause summary. Audible annunciation for unacknowledged safety alarms. Displays alarm history with search and filter. Must present new alarms within 1 second of receipt. Compliant with EEMUA 191 alarm management guidelines for control room displays. |
| Alarm Management Processor | 51F77A58 | Dedicated processor that receives raw alarm streams from all signalling subsystems, applies alarm rationalisation rules (suppression, shelving, grouping, prioritisation) per EEMUA 191 alarm management guidelines. Reduces alarm floods during cascade failures by correlating root-cause alarms. Outputs prioritised alarm list to Signaller Workstation displays and routes maintenance-level alarms to the Condition Monitoring Server. Maintains alarm history database with acknowledgement timestamps and operator response actions. |
| Audio-Frequency Track Circuit | 54E57018 | Jointless audio-frequency track circuit equipment (transmitter-receiver pairs) for continuous rail vehicle detection on main running lines. Operating frequency range 1.5-2.6 kHz (TI21/FS2500 type). Transmitter injects coded AC signal through running rails; receiver detects impedance drop when train axle shunts the circuit. No insulated rail joints required — frequency separation isolates adjacent sections. Fail-safe: loss of received signal = occupied. Detection sensitivity: 0.06 ohm shunting resistance. Outdoor trackside installation in hostile EMI environment near AC traction systems. |
| Automatic Route Setting Engine | 51B67B18 | Decision engine within a railway Traffic Management System that automatically requests routes from the Computer-Based Interlocking based on timetable data and real-time train positions. Compares planned train paths (from imported timetable) against current track occupation and train describer berth data. Issues route-setting commands to the CBI 2-4 minutes before a train requires access, optimising junction capacity by sequencing conflicting routes. Supports automatic regulation decisions (hold, re-route, re-order) when trains deviate from timetable. Non-vital system — all route requests are validated by the CBI interlocking logic before execution. Handles up to 500 trains simultaneously across a regional control area. Interfaces with the signaller workstation for manual override and conflict resolution. |
| AWS/TPWS Train Protection Equipment | D7E77859 | Combined Automatic Warning System and Train Protection and Warning System trackside equipment for UK mainline railway signalling. AWS comprises a permanent magnet installed between the rails 180m before each signal, which triggers an audible warning in the cab via an electromagnetic receiver on the train. TPWS comprises two elements: the Overspeed Sensor System, a pair of track-mounted inductive loops 50m apart before each signal that detects trains exceeding the approach speed threshold, and the Train Stop System, a single loop at the signal itself that triggers emergency braking if the train passes a signal at danger. TPWS operates independently of the driver and CBI, providing a last-resort safety barrier with target intervention speed of 75 mph. SIL 2 integrity for AWS, SIL 4 for TPWS train stop function. Must coexist with ETCS balise groups without electromagnetic interference. |
| Axle Counter Evaluator | 50B57018 | Central safety processing unit for the axle counting subsystem. Receives pulse signals from paired wheel sensor heads at track section boundaries, counts axle entries and exits per section, and determines occupancy by difference. Dual-channel (2oo2D) architecture with diverse hardware for SIL 4 compliance per EN 50129. Manages up to 24 counting points (48 sensor heads). Fail-safe: any counting discrepancy or communication loss forces section to 'occupied' state. Provides reset functionality requiring manual confirmation for count error recovery. Indoor installation in signalling equipment room. Interface to Train Detection Data Concentrator via RS-485 vital serial link. |
| Barrier Drive Mechanism | D6F51018 | Electromechanical barrier drive unit for railway level crossing half-barriers. DC motor-driven with worm gear reduction providing self-locking in any position. Barrier descent time 6-10 seconds configurable. Barrier rise time 4-8 seconds. Torque-limited to prevent injury (maximum 150 Nm at barrier tip). Position sensing via rotary encoder and limit switches at fully raised and fully lowered positions. Emergency manual release for road user entrapment. IP55 rated for outdoor installation. Operating temperature -25C to +55C. |
| Colour-Light Signalling Output | D4F5F858 | Lineside signal units displaying 2-aspect (red/green), 3-aspect (red/yellow/green), or 4-aspect (red/yellow/double-yellow/green) indications to train drivers. Modern multi-LED signal heads with individual LED monitoring for lamp-proved feedback to interlocking. Signal current detection confirms signal is displaying commanded aspect — any discrepancy triggers immediate red-revert. Junction route indicators (feathers) use 5-white-light arrays. Controlled via fail-safe relay or solid-state output from interlocking. Designed for outdoor mounting on posts or gantries, visible at >1000m in clear conditions. Includes approach-lighting to conserve LED life. |
| Computer-Based Interlocking | 51F77A58 | SIL 4 vital safety processor implementing route-locking and conflict-prevention logic for a mainline railway signalling system. Receives train detection data (track circuit states, axle counter counts) and operator route requests. Computes safe signal aspects and point positions by evaluating interlocking tables that encode all permissible route combinations. Outputs include signal commands, point drive commands, and level crossing activation triggers. Dual-redundant 2oo2 architecture with continuous self-checking. Must achieve <10^-9/h wrong-side failure rate. Response time <500ms from detection input to output command. Operates in indoor equipment rooms with conditioned power. |
| Condition Monitoring Server | 51B53218 | Central server aggregating real-time health data from all signalling subsystems (interlocking, track circuits, points, signals, communications, power supply) via multiple protocols (Modbus TCP, SNMP, OPC UA, proprietary serial). Runs predictive maintenance algorithms analysing trend data to forecast component degradation. Stores 12 months of rolling operational data for post-incident analysis and reliability reporting. Redundant server pair in active-standby configuration with automatic failover. Located in equipment room with connection to Wide Area Network for remote access. |
| Conflict Detection and Resolution Module | 51FC7B08 | Algorithmic conflict prediction engine within a railway Traffic Management System. Continuously analyses train running data and timetable to detect future path conflicts at junctions, crossovers, and single-line sections. Looks ahead 15-30 minutes using current train speeds and planned stopping patterns. When a conflict is detected, evaluates regulation options (re-order, hold, re-route, reduce dwell) and recommends the option that minimises total delay across all affected services. Uses weighted objective function considering train priority (express vs stopping), connection protection, and overall network delay propagation. Presents conflict alerts and recommended resolutions to the signaller for approval or manual override. Non-safety-critical — operates on predicted paths only, not on actual interlocking commands. |
| Cybersecurity Boundary Gateway | D1B77858 | Industrial firewall and network segmentation appliance implementing the demilitarized zone between the safety-critical signalling network (Zone 1 per TS 50701) and non-vital networks including traffic management system, diagnostic system, and corporate IT network. Enforces strict unidirectional or controlled bidirectional data flow policies. Deep packet inspection for signalling protocols with allowlisting of permitted message types. Intrusion detection system monitoring for anomalous traffic patterns. Dual-redundant with stateful failover. Must not introduce more than 1ms additional latency on permitted traffic flows. Rack-mounted in the signalling equipment room. |
| Diesel Generator | D6C41019 | Backup power generator for a railway signalling system, providing emergency power during mains failure. |
| Electro-Hydraulic Point Machine | DFF51018 | Clamp-lock electro-hydraulic actuator for railway switches/turnouts. Contains a 3-phase AC motor driving a hydraulic pump, which pressurises a cylinder to move switch blades between normal and reverse positions. Locking is achieved by hydraulic clamping with mechanical backup. Typical throw stroke 143-220mm, throw force 4.5-7.5kN, operating time 3-8 seconds depending on switch length. Must operate reliably from -40°C to +70°C in exposed trackside environments. Installed at each switch/turnout on the controlled infrastructure. SIL 4 safety function: must not move blades while train is traversing, must lock positively in detected position. Key types include Alstom Hy-Drive P80, Siemens S700K, Vossloh BISI. |
| Engineering and Maintenance Terminal | 508C3218 | Non-vital workstation providing controlled access to the Computer-Based Interlocking for maintenance, testing, and configuration. Supports data loading (uploading new Interlocking Application Data after validation), diagnostic readout (VPU health, channel comparison status, watchdog timers), and controlled test mode enabling individual object stimulation for commissioning. Connected to VPU via a physically separate non-vital Ethernet port with role-based access control. All actions are logged with timestamp, operator ID, and action type. Used during planned possessions (track closures) for commissioning and fault investigation. Does not carry safety-critical data in operation. |
| ETCS Radio Block Centre | 51E57A58 | Core network-side component of ETCS Level 2 providing continuous cab signalling for mainline railway operations. Receives train position reports via GSM-R radio link, computes movement authorities (MA) based on interlocking route status and preceding train positions, and transmits MA, speed profile, and gradient data to on-board ETCS equipment (EVC). Interfaces with interlocking via standardised protocol for route status. Manages track description data (national values, speed restrictions, gradient profiles) stored in engineering databases. Handles up to 60 trains simultaneously with <2s MA computation latency. Eurobalise transponders provide fixed reference points for position calibration. SIL 4 for MA computation, SIL 2 for non-vital functions. |
| Euroradio Safe Communication Layer | 40B57958 | Safety communication layer implementing SUBSET-037 and SUBSET-098 for authenticated, integrity-protected message exchange between the ETCS Radio Block Centre and onboard equipment. Provides SIL 4 end-to-end safety over the unreliable GSM-R bearer. Session keys (KSMAC; 3DES/AES-128) are derived at session establishment from the KMAC authentication keys, which are provisioned out of band by the Key Management Centre per SUBSET-038 and never sent over the radio link. Implements sequence numbering, timestamp validation, T_NVCONTACT timeout monitoring, and message authentication codes. Handles session establishment, maintenance, and safe disconnection. Supports 60 concurrent train sessions. Latency budget under 500ms one-way. |
| Event Logger and Replay Unit | 50A57258 | SIL2 tamper-evident event recording system that captures all signalling state changes, operator commands, alarm events, and interlocking decisions with GPS-synchronised timestamps at 1ms resolution. Records to dual redundant non-volatile storage (RAID-1 SSD) with minimum 90-day retention. Provides incident replay functionality for post-incident investigation by signalling engineers and RAIB inspectors. Data format compliant with Network Rail standard NR/L2/SIGP/10201 for signalling event recording. |
| GSM-R Radio Interface Module | D0F47018 | Non-vital radio network interface providing GSM-R bearer connectivity between ETCS Radio Block Centre and train-borne equipment. Interfaces with GSM-R Mobile Switching Centre via E1/IP trunks. Supports circuit-switched data at 9.6 kbps and GPRS packet-switched fallback. Manages radio session setup, handover between base stations, and emergency group calls. Handles 60 simultaneous radio sessions with under 200ms call setup time. Future interface provision for FRMCS migration over 5G. |
| Interlocking Application Data | 40853950 | Safety-validated geographic and control table data encoding the specific junction or station layout for a Computer-Based Interlocking. Contains route tables (origin signal, destination, points in route, overlap, flank protection), control tables (conditional approach control, sequential release timers), and element configuration (signal aspect sequences, point detection timeouts). Generated from signalling design schematics using certified data preparation tools and independently verified per EN 50128 SIL 4. Loaded as read-only dataset into VPU — any modification requires full re-validation. |
| Interlocking Communication Gateway | 50E57858 | Safety-certified communication interface module within the Computer-Based Interlocking, handling all external data exchange with adjacent interlockings, ETCS Radio Block Centre, Traffic Management System, and Signaller Workstation. Implements EN 50159 safety communication layers with cryptographic message authentication, sequence numbering, and timeout supervision. Manages multiple concurrent protocol sessions: proprietary vital link to adjacent CBIs for route-locking coordination, RaSTA (Rail Safe Transport Application) to ETCS RBC for movement authority data, and non-vital TCP/IP to TMS for route request/confirmation. Throughput: handles up to 200 messages/second with <50ms latency for vital links. |
| Junction Route Indicator | D4F47850 | Supplementary route indication display mounted below or alongside a main railway colour-light signal at junctions. Two common types in UK practice: (1) Multi-lamp feather indicator using 5 fibre-optic or LED position lights arranged in diagonal rows, each row indicating a diverging route direction; (2) Theatre-type alphanumeric matrix display using LED dot matrix to show route letters/numbers for complex junctions with more than 5 routes. Driven by separate route data from the CBI Object Controller independent of the main aspect command. Must illuminate within 500ms of route being set and locked. Only illuminated when a proceed aspect is displayed — extinguished when signal shows danger. SIL4 integrity for correct route/aspect correlation. Visibility requirement: 200m minimum in daylight conditions. |
| Juridical Recording Unit | 40843358 | Non-vital recording and logging unit capturing all ETCS Radio Block Centre operational decisions for post-incident analysis and regulatory compliance. Records all movement authority computations, train position reports, session establishments, emergency messages, and system state transitions with UTC timestamps at 1ms resolution. Stores data on redundant non-volatile media with minimum 90-day retention. Tamper-evident logging with cryptographic chain of custody. Data export via standardised interface for accident investigation authorities per EU directive 2016/798. Storage capacity for 500,000 events. |
| LED Signal Module | D6C55058 | Individual LED-based lamp unit fitted into each aspect position of a railway colour-light signal head. Contains array of high-intensity LEDs (typically 50-70 per module) arranged in redundant strings with individual current regulation. Produces monochromatic output: red (625nm), yellow (590nm), or green (505nm) per Railway Group Standard. Built-in monitoring outputs provide current feedback per LED string to the Signal Proving Unit. Designed for 100,000-hour MTBF with graceful degradation — signal remains visible with up to 30% LED string failure. Operates at 24VDC nominal from Signal Aspect Driver. Replaces older sealed-beam filament units while maintaining the same optical beam pattern and luminous intensity (>200cd for red, >300cd for green). |
| Level Crossing Audible Warning Device | D5D77A58 | Electronic audible warning device generating 2.5 kHz tone at 90 dBA at 1m distance for alerting road users to approaching trains at railway level crossings. Dual speakers for redundancy. Self-monitoring with fault detection reporting to Level Crossing Controller. Timed operation: sounds for fixed duration during barrier descent sequence, silences after barriers fully lowered to reduce noise impact on nearby residents. Environmental rating IP66. Compliant with BS EN 50556. |
| Level Crossing Controller | 51F77A78 | SIL 4 safety-critical controller managing the sequencing of road traffic signals, barriers, and audible warnings at railway level crossings. Receives approach trigger from CBI or track circuits indicating train approaching. Executes fixed protection sequence: activate road warning lights, sound audible alarm, lower half-barriers (if fitted), confirm protection complete to CBI. Monitors barrier position via limit switches. Handles obstacle detection sensor input. Fail-safe design: any component failure results in crossing remaining or returning to protected state. Interfaces with CBI via EN 50159 safe link. Manages crossing types MCB (manually controlled barrier), AOCL (automatic open crossing locally monitored), and AHB (automatic half barrier). |
| Level Crossing Obstacle Detection System | 55F77A19 | Scanning infrared and radar-based obstacle detection system monitoring the level crossing deck area for vehicles, pedestrians, or objects that have not cleared the crossing before barrier descent. Dual-technology (IR + radar) for weather resilience. Scans crossing area every 200ms. Detection zone covers full road width plus 1m either side. Must detect objects above 0.5m height. Interfaces with Level Crossing Controller to inhibit barrier descent or trigger crossing alarm if obstacle detected. False positive rate below 1 per 1000 crossings to prevent unnecessary traffic disruption. |
| Level Crossing Protection System | 55F77A59 | Automatic half-barrier level crossing (AHBC) system protecting road/rail intersections. Approach detection triggers sequence: road traffic lights amber then red, audible warnings activate, half-barriers descend. Full sequence time 27-32 seconds depending on approach speed. Barrier mechanism: electric motor with spring-return fail-safe (barriers descend on power loss). CCTV monitoring for operator-controlled crossings (MCB-OD type). Road traffic signals integrated with highway authority traffic management. Obstacle detection via radar or lidar for full-barrier crossings. Interfaces with interlocking for route-locking — no route set over crossing until barriers proven down. SIL 4 for crossing activation logic. |
| Lineside Transmission Multiplexer | D0E57018 | Time-division multiplexer or MPLS-TP node providing deterministic communication between lineside location cabinets and the signalling equipment room over fiber-optic trunk cables. Aggregates multiple low-bandwidth copper circuits from trackside equipment (signals, points, track circuits) onto high-capacity fiber links spanning 2-50km. Must maintain link availability >99.999% with automatic protection switching <50ms on fiber path failure. Operating in outdoor or semi-sheltered lineside cabinets exposed to temperature extremes (-25°C to +70°C), electromagnetic interference from traction current, and humidity. |
| Multi-Aspect Signal Head | DEC57058 | Physical signal head assembly for mainline railway colour-light signalling. Houses 2, 3, or 4 LED signal modules in vertical configuration displaying Red, Yellow, Double Yellow, and Green aspects per UK four-aspect signalling rules. Includes polycarbonate lenses with anti-phantom hoods to prevent sun phantom, background contrast boards, and IP66-rated enclosure for lineside installation. Mounted on signal posts, gantries, or platform-end brackets at heights of 2.5-6m above rail level. Must maintain aspect visibility at >1000m sighting distance in all ambient light conditions including direct sunlight. SIL4 safety integrity for aspect display correctness. |
| Network Diagnostic and Monitoring Agent | 55E67308 | SNMPv3-based network health monitoring system collecting real-time link status, forwarding latency, packet loss rates, bandwidth utilization, and error counters from all network switches, multiplexers, and gateways. Generates alarms for link degradation exceeding thresholds (e.g., packet loss >0.001%, latency >1ms). Maintains 90-day rolling log of network performance metrics. Feeds consolidated network health data to the Signalling Diagnostic and Monitoring System via a non-vital interface. Runs on a dedicated monitoring server in the SER with web-based dashboard for maintenance staff. |
| Network Time Distribution Server | 54F77218 | IEEE 1588v2 Precision Time Protocol grandmaster clock with GPS/GNSS-disciplined oscillator providing sub-microsecond time synchronization across the signalling communication network. Distributes UTC time to all network endpoints for juridical recording timestamps, event correlation, and diagnostic analysis. Dual-redundant configuration with automatic failover to backup grandmaster. GNSS receiver with multi-constellation support (GPS+Galileo) and spoofing detection. Holdover stability of ±1 microsecond over 24 hours using rubidium oscillator backup when GNSS signal is lost. |
| Object Controller | D0F57018 | Distributed safety-certified I/O module forming the interface between the Vital Processing Unit and trackside field equipment in a railway interlocking. Each Object Controller manages a geographic group of 8-16 field objects: signals, point machines, track circuit receivers, and axle counter evaluators. Communicates with VPU over safety-layer protocol (EN 50159 Category 3 over Ethernet). Performs output driving with read-back verification and input conditioning with debounce and validity checking. Installed in trackside location cases, operating -25°C to +70°C. MTBF target >100,000 hours. |
| Point Drive Controller | D0F57018 | Trackside electronics module that interfaces between the CBI Object Controller and the point machine. Receives throw commands (normal/reverse) and returns detection status (detected normal, detected reverse, not detected, in transit). Sequences 3-phase power to the point machine motor, monitors motor current draw for obstruction detection (current signature analysis), implements throw timeout supervision, and provides local diagnostic data logging. Typically housed in a sealed trackside equipment case (IP65+). Must handle power supply variations ±20% and provide brown-out protection. SIL 4 for detection reporting; SIL 2 for drive sequencing. Key interface: 2-wire or 4-wire vital circuit to Object Controller. |
| Point Heating System | 54F73218 | Electric resistance heating elements installed along switch rails and slide chairs to prevent ice and snow accumulation impeding blade movement. 2-5kW per switch, controlled by point heating controller activated by ambient temperature (<3°C), humidity (>80%), and precipitation sensors. Two modes: pre-emptive continuous low-power and reactive full-power. Total power demand 50-200kW per junction area. Must not interfere with track circuit operation — heating current isolated from signalling rails. SCADA interface for energy monitoring. |
| Point Position Detection Assembly | 54E17018 | Independent electro-mechanical detection system that proves railway switch blade position. Uses detection rods mechanically coupled to switch blades, driving either LVDT (Linear Variable Differential Transformer) displacement sensors or cam-operated vital contacts. Provides two independent detection channels: one for normal position, one for reverse position. Detection must be continuous and fail-safe — loss of detection signal must be interpreted as 'not detected' (points not proven). Detection tolerance typically ±2mm from nominal blade position. Must discriminate between fully seated and incompletely seated blades to prevent trains traversing partially-set points. Interfaces to Point Drive Controller via dedicated detection circuits. |
| Points and Crossing Drive System | D7F53018 | Electro-mechanical or electro-hydraulic point machines actuating railway switch blades and moveable crossings. Clamp-lock point machines (e.g., HW2000 or Alstom equivalents) providing 220mm throw with detection via internal contacts confirming both normal and reverse positions. Detection must be fail-safe: loss of detection forces interlocking to treat points as undetected (no route over). Drive time typically 3-6 seconds. Point heating systems prevent freezing in winter conditions. Interfaces: 110VDC or 3-phase AC power, discrete I/O to interlocking for drive commands and detection feedback. Must operate reliably in −40°C to +70°C trackside environment with ballast vibration and water ingress protection to IP67. |
| Power Supply Monitoring and Switchover Controller | 55F77A18 | SIL2 controller that continuously monitors mains supply status, UPS health, battery voltage and temperature, and manages automatic switchover between primary and backup power sources. Reports power system status and alarms to the Signalling Diagnostic and Monitoring System via Modbus TCP. Manages load-shedding of non-vital circuits when operating on battery backup to extend vital supply runtime. Records all power events with millisecond timestamps for post-incident analysis. |
| Railway Signalling System | 50F77A59 | A mainline railway signalling system conforming to CENELEC EN 50126/50128/50129 standards, responsible for the safe regulation of train movements across a multi-line railway corridor. The system controls signal aspects (red/yellow/green), points/switch machines, level crossings, and train detection using track circuits and axle counters. It implements vital interlocking logic (SIL 4) to prevent conflicting movements, integrates with the European Train Control System (ETCS Level 2) for continuous cab signalling, and provides centralised traffic management via a control centre. Operating environment spans outdoor trackside equipment (−40°C to +70°C, rain, vibration, EMI from traction current), indoor interlocking rooms, and control centre facilities. Key constraints: 10^−9/h tolerable hazard rate for wrong-side failures, 99.99% availability, <2s signal command latency, fail-safe design philosophy throughout. |
| RaSTA Protocol Stack | 40B57B58 | Software implementation of the Rail Safe Transport Application protocol (DIN VDE V 0831-200) per EN 50159 Category 3, executing on signalling network endpoints. Provides safety-critical peer-to-peer communication over IP networks with an MD4-based safety code in the safety and retransmission layer, a CRC in the redundancy layer, sequence number checking, timestamp validation, and configurable timeout monitoring (Tmax typically 500ms-2s). Runs as middleware between the application layer (interlocking logic, RBC logic) and the transport layer (TCP/IP). Must detect and report all communication errors within the safety integrity time interval. Certified to SIL4 for vital data exchange between interlocking and field controllers. Caveat: the MD4 safety code is keyed only by a configurable initialisation value and defends against random transmission errors, not against a deliberate attacker; for Category 3 (open network) operation the cryptographic protection and zone segmentation provided by the Signalling Communication Network and the Cybersecurity Boundary Gateway are part of the safety argument, not an optional addition. |
| RBC Application Server | 50F57A58 | SIL 4 safety-critical application server implementing ETCS Level 2/3 movement authority (MA) computation per SUBSET-026 v3.6.0. Receives route status, point positions, and track occupancy from the Computer-Based Interlocking via a safe communication link. Computes continuous movement authorities including end-of-authority, speed profiles, gradient profiles, and mode transitions. Outputs MAs to onboard ETCS equipment via the Euroradio safe communication layer. Processes position reports from trains at minimum 5-second intervals. Manages up to 60 simultaneous train connections. 2oo2 architecture with hot standby for availability. Operating environment: indoor equipment room, 0-40°C, controlled humidity. |
| RBC Handover Controller | 51B57A78 | Safety-critical controller managing train handover between adjacent Radio Block Centres at RBC boundary areas. Implements SUBSET-026 RBC/RBC handover protocol including coordinated session transfer, movement authority boundary management, and safe transition of train supervision responsibility. Exchanges RBC-to-RBC messages via safe IP link per SUBSET-098. Maintains handover state machine for each train approaching boundary. Must complete handover within 5 seconds to avoid unnecessary service braking. Handles up to 10 concurrent handovers. |
| RBC-CBI Interface Gateway | 50E57058 | Safety-critical interface gateway providing bidirectional communication between ETCS Radio Block Centre and Computer-Based Interlocking. Receives route status, point positions, track occupancy, and signal aspect data from CBI. Transmits ETCS train position reports and MA acknowledgments back to CBI. Implements EN 50159 Category 3 safe communication protocol with authentication and sequence protection. Redundant dual-channel configuration matching CBI and RBC redundancy architectures. Message latency under 100ms end-to-end. |
| Remote Diagnostic Gateway | 50857958 | Secure network gateway providing authenticated remote access to signalling diagnostic data from the Railway Operating Centre or maintainer laptops via the signalling WAN. Implements role-based access control with multi-factor authentication. All remote sessions are logged and auditable. Enforces read-only access for remote users — no remote control of signalling equipment. Firewall rules restrict access to diagnostic data only, with no path to safety-critical interlocking networks. Compliant with NR/L2/CYB/27009 railway cybersecurity standard. |
| Road Traffic Signal Assembly | D6D57858 | Fail-safe road traffic signal unit at level crossings comprising twin red flashing lights, amber steady aspect, and LED array. Red lights flash alternately at 1 Hz. Must achieve minimum 200 candela luminous intensity for visibility at 100m in bright sunlight. LED technology with individual LED failure detection. Power supply monitoring with automatic switch to battery backup. Environmental rating IP67 for outdoor trackside installation. Conforms to Railway Group Standard RT/E/S/17031. |
| Route Setting and Command Interface | 50ED7A18 | Touchscreen and trackball-based operator input subsystem for railway signaller workstations. Provides route-setting functionality via point-and-click on signal/route icons on the track diagram. Implements 2-click route setting (entrance signal → exit signal) with visual confirmation feedback. Handles emergency controls (signal replacement, track release, points local control authorisation). All safety-critical commands require confirmation dialogue before transmission to CBI. Supports keyboard shortcuts for experienced signallers. Must process operator inputs within 200ms and provide visual acknowledgement. Generates audit trail of all operator actions with timestamps for juridical recording. |
| Safety-Critical Data Network Switch | D4A57058 | SIL2-rated managed Ethernet switches implementing Parallel Redundancy Protocol (PRP) per IEC 62439-3 for zero-recovery-time failover. Dual-redundant Layer 2 switches forming the backbone between CBI, train detection system, ETCS RBC, and points controllers in the signalling equipment room. Each switch supports 24+ Gigabit Ethernet ports with deterministic forwarding latency <10 microseconds. Operating in temperature-controlled SER environment, powered by dual redundant DC supplies. Handles safety-critical interlocking commands, track occupancy data, and movement authorities with guaranteed delivery. |
| Signal Aspect Driver | 54F57818 | Electronics board receiving digital aspect commands from the Computer-Based Interlocking Object Controller and converting them to appropriate LED lamp drive currents for a railway colour-light signal. Receives commanded aspect via vital digital I/O or RS-485 serial link from the Object Controller. Implements aspect sequencing rules preventing prohibited transitions (e.g., direct green-to-red without passing through yellow on 4-aspect signals). Drives LED Signal Modules at regulated 24VDC with precision current control. Incorporates failsafe design: loss of command input or power causes default to most restrictive aspect (red) via de-energised relay. Provides feedback to Signal Proving Unit and diagnostic telemetry. Operating temperature range -25°C to +70°C for trackside location controller enclosure. |
| Signal Proving and Monitoring Unit | 54F57858 | SIL4 safety-critical monitoring circuit that continuously verifies correct operation of each LED Signal Module in a railway colour-light signal. Monitors drive current and light output of every aspect lamp. Primary safety function: if a proceed-aspect lamp (green, yellow, or double yellow) fails or degrades below minimum luminous intensity threshold, the unit forces the signal to display its most restrictive aspect (red) via hardware failsafe relay. For red lamp failure, triggers alarm but does not change aspect (already most restrictive). Reports lamp status, degradation level, and failure mode to the Signalling Diagnostic and Monitoring System via serial diagnostic interface. Implements EN 50129 SIL4 requirements with 2oo2 comparison architecture for failsafe detection. Power supply: 24VDC from lineside power distribution. |
| Signaller Authentication and Access Control Module | 40B57B79 | Role-based access control system for signaller workstations in railway control rooms. Authenticates signallers via smart card plus PIN before granting control access. Implements role hierarchy: Signaller (route setting, alarm acknowledgement), Supervisor (degraded mode authorisation, emergency controls), Maintainer (diagnostic access, test functions). Controls which geographical areas each signaller can command based on area-of-control assignments. Logs all authentication events with timestamps. Enforces automatic screen lock after 5 minutes of inactivity while maintaining display-only mode. Integrates with centralised identity management system. Must not prevent emergency controls during authentication system failures — falls back to physical key override. |
| Signaller Workstation | D4ED7818 | Human-machine interface for railway signallers providing geographical overview display of controlled area, individual control of signals and points, alarm management, and emergency controls. Large-format LCD displays (typically 3-6 screens per workstation) showing stylised geographic track layout with real-time train positions, signal aspects, point positions, and track circuit states. ARS integration allows signaller to monitor automatic operation and intervene when needed. Touch-screen or trackball input with deliberate-action controls (two-step for safety-critical commands). Emergency plunger for immediate red-signal-all. Ergonomically designed for 12-hour shift operation. SIL 0 for display, SIL 2 for safety-critical control outputs. |
| Signalling Communication Network | 40E57018 | Redundant data communication network interconnecting all signalling subsystems across a railway corridor. Dual-ring fibre optic backbone with automatic failover (<50ms switchover). Carries vital interlocking data between distributed interlocking nodes and between interlocking and RBC, using safety-certified protocols (e.g., EULYNX-compliant SFCP or RaSTA). Also carries non-vital traffic management, diagnostic, and CCTV data on logically separated VLANs. GSM-R radio network segment provides train-to-trackside voice and ETCS data communication. Cybersecurity hardened with network segmentation, intrusion detection, and encryption. Bandwidth provisioned for future FRMCS migration. Must maintain 99.999% availability across the corridor. |
| Signalling Diagnostic and Monitoring System | 54A47318 | Condition monitoring and remote diagnostics system for all signalling assets across the corridor. Collects real-time health data from interlocking, train detection, points, signals, power supplies, and communications. Tracks point machine current profiles to detect degradation (e.g., increasing drive current indicating obstruction or wear). Monitors track circuit rail-voltage trends. Centralised fault logging with time-stamped event recording for incident investigation. Predictive maintenance algorithms flag components approaching failure. Web-based dashboard accessible to maintenance engineers and control centre. Interfaces with maintenance management system for work order generation. Non-vital (SIL 0) — observes but does not command. |
| Signalling Power Distribution Panel | D6A53018 | Central distribution board routing regulated 110V AC and 48V DC power to individual signalling subsystems via dedicated circuit breakers and fuse protection. Per-circuit isolation switches for maintenance. Current monitoring per feeder to detect overloads, earth faults, and cable degradation. Divided into vital (interlocking, track circuits, signals) and non-vital (communications, diagnostics) sections with separate bus bars. |
| Signalling Power Feeder | D4851018 | Primary power intake unit receiving 11kV/650V AC from the national grid or local distribution network, stepping down to 110V AC and 48V DC for signalling loads. Feeds the entire signalling installation via isolating transformers that provide galvanic separation between traction power and signalling power. Located in the equipment room with dual incoming feeds for redundancy. Must maintain power quality to EN 50121-4 EMC standards despite proximity to 25kV AC traction supply. |
| Signalling Power Supply System | 54D71018 | Uninterruptible power supply infrastructure for the railway signalling system. Dual-fed from independent grid transformers with automatic changeover. Battery-backed UPS at each signalling equipment room providing 4-hour autonomy for vital equipment and 2-hour for non-vital under full load. 110VDC vital bus for interlocking outputs (signal and point drives via track-side distribution). 48VDC for communications equipment. 230VAC for workstations and ancillary systems. Power distribution to trackside via lineside cable routes with overcurrent and earth-fault protection. Monitoring of all supply paths with alarm to central control on any single-point-of-failure loss. |
| Signalling Uninterruptible Power Supply | D5F71218 | Battery-backed online double-conversion UPS providing seamless power continuity during mains interruption. Maintains 110V AC output to vital signalling loads (interlocking, track circuits, signals) for minimum 2 hours at full load. VRLA battery bank with individual cell monitoring. Output sinusoidal with less than 3 percent THD to avoid interference with audio-frequency track circuits. SIL2 monitoring of battery state-of-charge and remaining runtime. |
| Swing-Nose Crossing Actuator | D7F53018 | Specialised actuator for movable-nose crossings on high-speed turnouts where the crossing nose gap must be eliminated for speeds above 200 km/h. Nose tip alignment within ±0.5mm. Dedicated hydraulic or electro-mechanical drive with independent nose position detection. Installed only on high-speed turnouts (1:26 or longer geometry). Must synchronise with main point machine — both blades and crossing nose confirmed before route set. SIL 4 for detection; throw time under 6 seconds. |
| Timetable and Train Graph Processor | 40B53358 | Data processing component within a railway Traffic Management System responsible for importing, validating, and managing the working timetable. Imports timetable data from the national timetable system (ITPS/Darwin) in CIF format. Generates train graph (time-distance diagram) for the control area showing planned vs actual train paths. Computes real-time punctuality metrics (PPM, right-time arrival) per train and aggregated by route. Provides timetable perturbation modelling — simulates impact of regulation decisions before they are applied. Maintains a rolling 24-hour window of timetable data with 7-day lookahead for planned possessions and engineering works. |
| TMS-CBI Interface Gateway | 50E47918 | Protocol gateway component within a railway Traffic Management System that manages the bidirectional data interface between the non-vital TMS and the safety-critical Computer-Based Interlocking. Receives route-setting requests from the Automatic Route Setting Engine and translates them into CBI-specific protocol commands. Receives route confirmation/rejection, signal aspect, point position, and track occupation status from the CBI and distributes to TMS components. Implements protocol conversion between TMS application protocol and CBI vendor-specific interface (e.g., Siemens Westrace, Alstom SMARTLOCK). Enforces rate limiting on route-setting requests to prevent CBI overload (maximum 20 route commands per second). Non-vital gateway — the CBI validates all commands independently. Provides store-and-forward buffering during brief CBI communication interruptions (up to 30 seconds). |
| Track Circuit Power Feed Unit | D4D53018 | Specialised power supply generating regulated AC at audio-frequencies (83Hz and 91.5Hz for UK Network Rail audio-frequency jointless track circuits) to energise track circuit transmitters. Each unit feeds multiple track circuits with individually adjustable output levels to compensate for varying rail impedance and track length. Frequency stability within 0.1 percent to prevent cross-talk between adjacent track circuits. Dual-redundant output stages with automatic changeover. |
| Track Diagram Display Processor | 50F57319 | Real-time graphical rendering engine for railway signaller HMI. Receives track occupation, signal aspect, point position, and route status data from the Computer-Based Interlocking via the signalling data network. Renders a geographical schematic diagram showing track sections colour-coded by occupation state (clear/occupied/failed), signal aspects, point positions, and active routes. Updates at ≤500ms refresh cycle. Runs on redundant workstation hardware with automatic failover. Must maintain display accuracy under peak traffic loads of 200+ simultaneous object state changes per second. Safety-related display — incorrect rendering could lead to signaller issuing unsafe commands. |
| traffic light controller | 51F77A58 | A roadside controller managing signal phases for a junction |
| Traffic Management System | 51F47B58 | Centralised traffic management (TMS) providing automated route setting, timetable execution, and real-time traffic regulation for a multi-line railway corridor. Implements ARS (Automatic Route Setting) algorithm that reads timetable, predicts train arrivals, and sends route requests to interlocking at optimal times. Conflict detection and resolution module proposes reordering when delays occur. Real-time train graph display with deviation highlighting. Interfaces with national timetable system for planned schedules and provides actual running data for performance monitoring. Non-vital system (SIL 0) — signaller can always override. Handles up to 500 train movements per shift. |
| Train Describer and Berth Management | 41B77318 | Train identity tracking component within a railway Traffic Management System. Receives train detection events from the CBI and associates them with train identities (headcodes) using automatic berth stepping rules. Maintains a real-time table mapping each train headcode to its current track section (berth). Handles interpose (manual identity assignment), cancel, and step-back operations. Provides train identity data to the Track Diagram Display Processor for display on the signaller workstation, and to the Automatic Route Setting Engine for timetable correlation. Supports ARS interworking by feeding actual train positions back to the routing algorithm. Processes up to 500 concurrent train identities with berth step latency under 500ms. |
| Train Detection Data Concentrator | D0F55058 | Safety-rated data aggregation processor (SIL 4 per EN 50129) that collects occupancy status from all Audio-Frequency Track Circuits and Axle Counter Evaluators across an interlocking area. Normalises heterogeneous detector outputs into a unified digital occupancy table. Provides vital serial interface to the Computer-Based Interlocking Object Controllers. Performs continuous diagnostic monitoring: detects degrading track circuit insulation, intermittent sensor faults, and communication link failures. Generates alarm data for the diagnostic system. Manages up to 128 track sections. Indoor rack-mounted unit in signalling equipment room. Dual-redundant hot-standby configuration with <50ms switchover. |
| Train Detection Subsystem | 54E57018 | Provides real-time train occupancy data to the interlocking. Comprises jointless audio-frequency track circuits (operating at 1.7kHz–2.6kHz) for continuous block occupancy detection, and wheel-sensor axle counters for point-specific detection and confirmation. Track circuits detect broken rails as a secondary safety function. Axle counters provide counting-head pairs at section boundaries with indoor evaluators. Must detect all rail vehicles including lightweight track maintenance machines (>30kg axle load). False-clear failure rate <10^-9/h. Operates in harsh trackside environment: −40°C to +70°C, traction return current interference up to 2000A, rail impedance variations due to weather. |
| Vital Processing Unit | 51F53258 | SIL 4 safety computer at the core of a Computer-Based Interlocking (CBI). Implements 2-out-of-3 (2oo3) voted architecture using three independent processing channels executing identical interlocking logic in lock-step. Each channel runs a cyclic safety kernel at 500ms cycle time, comparing outputs before commanding field equipment. Receives train detection inputs, route requests from TMS/signaller, and computes route-locking, flank protection, overlap management, and signal aspect determination. Designed to CENELEC EN 50129 SIL 4 with a tolerable hazard rate of 10^-9 per hour. Typical implementations: Alstom Smartlock 400, Siemens SIMIS-W, Hitachi HISAC-20. |
| Wheel Sensor | C4C54018 | Rail-mounted inductive proximity sensor pair installed at track section boundaries for axle detection. Each counting point uses two sensor heads spaced 0.5m apart on one rail to determine direction of travel by phase difference. Detects wheel flanges passing through the electromagnetic field. Operating range: all wheel diameters 330-1000mm, speeds 0-500 km/h. Passive (no trackside electronics) — generates analogue pulse signals transmitted to the Axle Counter Evaluator via shielded cable up to 12 km. IP68 rated for permanent outdoor rail-mount installation. Must withstand rail vibration, ballast tamping, and traction current interference. |
| Workstation Redundancy Controller | 51B77208 | Hot-standby management controller for paired signaller workstation installations. Monitors primary workstation health (CPU, memory, display output, network connectivity, application heartbeat) and triggers automatic switchover to standby workstation upon detection of primary failure. Switchover completes within 5 seconds with full state transfer — the standby workstation resumes displaying the identical track diagram state, route indications, and alarm queue. Implements split-brain prevention using heartbeat protocol over dedicated Ethernet link between workstation pairs. Generates diagnostic events for all switchover actions. Supports manual forced switchover for maintenance. Runs on dedicated embedded controller hardware independent of the workstation operating system. |
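The 2-out-of-3 voting described for the Vital Processing Unit, as an added illustration rather than the page's or any vendor's code: three channel outputs for one kernel cycle are voted, a command is issued only when at least two channels agree within a comparison window, and every other case (one channel, three different answers, channels skewed beyond the window, stale-cycle data) falls back to the restrictive RED aspect so that a single-channel fault cannot produce an unsafe output. The 10 ms window, the channel names A/B/C and the aspect values are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations

CHANNELS = ("A", "B", "C")   # the three independent processing channels (assumed names)


class Aspect(Enum):
    RED = "red"                  # most restrictive aspect: the fail-safe default
    YELLOW = "yellow"
    DOUBLE_YELLOW = "double-yellow"
    GREEN = "green"


@dataclass(frozen=True)
class ChannelOutput:
    channel: str    # "A", "B" or "C"
    cycle: int      # cyclic-kernel cycle the output belongs to
    t_ms: float     # time the channel produced the output, in ms
    aspect: Aspect  # aspect the channel wants to command for the signal


@dataclass(frozen=True)
class VoteResult:
    aspect: Aspect      # aspect actually sent to the signal aspect driver
    agreed: tuple       # channels that formed the majority
    dissenting: tuple   # channels outvoted, late, stale or silent (for diagnostics)
    issued: bool        # False when the voter fell back to RED


def vote_2oo3(outputs, cycle, window_ms=10.0):
    """Command only when >=2 channels agree within window_ms in this cycle.

    Anything else yields RED with issued=False, so a single-channel
    fault (wrong value, late output, stale cycle, silence) is never unsafe.
    """
    # One output per channel per cycle; outputs from other cycles do not vote.
    per_channel = {}
    for o in outputs:
        if o.cycle == cycle and o.channel in CHANNELS and o.channel not in per_channel:
            per_channel[o.channel] = o
    by_aspect = {}
    for o in per_channel.values():
        by_aspect.setdefault(o.aspect, []).append(o)
    # With three channels at most one aspect can hold a majority.
    for aspect, group in by_aspect.items():
        if len(group) < 2:
            continue
        # Largest subset whose timestamps all lie within the comparison window.
        for size in (3, 2):
            for subset in combinations(group, size):
                ts = [o.t_ms for o in subset]
                if max(ts) - min(ts) <= window_ms:
                    agreed = tuple(sorted(o.channel for o in subset))
                    dissenting = tuple(c for c in CHANNELS if c not in agreed)
                    return VoteResult(aspect, agreed, dissenting, True)
    # No qualifying majority: fail to the restrictive state and flag every channel.
    return VoteResult(Aspect.RED, (), CHANNELS, False)
```

A dissenting channel in an issued result is the case the diagnostic system should alarm on, since a second fault would drive the voter into the restrictive state for every cycle.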

| Component | Belongs To |
|---|---|
| Computer-Based Interlocking | Railway Signalling System |
| Train Detection Subsystem | Railway Signalling System |
| ETCS Radio Block Centre | Railway Signalling System |
| Colour-Light Signalling Output | Railway Signalling System |
| Points and Crossing Drive System | Railway Signalling System |
| Level Crossing Protection System | Railway Signalling System |
| Traffic Management System | Railway Signalling System |
| Signaller Workstation | Railway Signalling System |
| Signalling Communication Network | Railway Signalling System |
| Signalling Power Supply System | Railway Signalling System |
| Signalling Diagnostic and Monitoring System | Railway Signalling System |
| Vital Processing Unit | Computer-Based Interlocking |
| Object Controller | Computer-Based Interlocking |
| Interlocking Application Data | Computer-Based Interlocking |
| Engineering and Maintenance Terminal | Computer-Based Interlocking |
| Interlocking Communication Gateway | Computer-Based Interlocking |
| Audio-Frequency Track Circuit | Train Detection Subsystem |
| Axle Counter Evaluator | Train Detection Subsystem |
| Wheel Sensor | Train Detection Subsystem |
| Train Detection Data Concentrator | Train Detection Subsystem |
| RBC Application Server | ETCS Radio Block Centre |
| Euroradio Safe Communication Layer | ETCS Radio Block Centre |
| GSM-R Radio Interface Module | ETCS Radio Block Centre |
| RBC-CBI Interface Gateway | ETCS Radio Block Centre |
| RBC Handover Controller | ETCS Radio Block Centre |
| Juridical Recording Unit | ETCS Radio Block Centre |
| Level Crossing Controller | Level Crossing Protection System |
| Road Traffic Signal Assembly | Level Crossing Protection System |
| Barrier Drive Mechanism | Level Crossing Protection System |
| Level Crossing Obstacle Detection System | Level Crossing Protection System |
| Level Crossing Audible Warning Device | Level Crossing Protection System |
| Electro-Hydraulic Point Machine | Points and Crossing Drive System |
| Point Position Detection Assembly | Points and Crossing Drive System |
| Point Drive Controller | Points and Crossing Drive System |
| Point Heating System | Points and Crossing Drive System |
| Swing-Nose Crossing Actuator | Points and Crossing Drive System |
| Safety-Critical Data Network Switch | Signalling Communication Network |
| Lineside Transmission Multiplexer | Signalling Communication Network |
| RaSTA Protocol Stack | Signalling Communication Network |
| Network Time Distribution Server | Signalling Communication Network |
| Cybersecurity Boundary Gateway | Signalling Communication Network |
| Network Diagnostic and Monitoring Agent | Signalling Communication Network |
| Multi-Aspect Signal Head | Colour-Light Signalling Output |
| LED Signal Module | Colour-Light Signalling Output |
| Signal Proving and Monitoring Unit | Colour-Light Signalling Output |
| Signal Aspect Driver | Colour-Light Signalling Output |
| Junction Route Indicator | Colour-Light Signalling Output |
| Signalling Power Feeder | Signalling Power Supply System |
| Signalling Uninterruptible Power Supply | Signalling Power Supply System |
| Signalling Power Distribution Panel | Signalling Power Supply System |
| Track Circuit Power Feed Unit | Signalling Power Supply System |
| Power Supply Monitoring and Switchover Controller | Signalling Power Supply System |
| Condition Monitoring Server | Signalling Diagnostic and Monitoring System |
| Event Logger and Replay Unit | Signalling Diagnostic and Monitoring System |
| Remote Diagnostic Gateway | Signalling Diagnostic and Monitoring System |
| Alarm Management Processor | Signalling Diagnostic and Monitoring System |
| Track Diagram Display Processor | Signaller Workstation |
| Route Setting and Command Interface | Signaller Workstation |
| Alarm Display and Management Panel | Signaller Workstation |
| Workstation Redundancy Controller | Signaller Workstation |
| Signaller Authentication and Access Control Module | Signaller Workstation |
| Automatic Route Setting Engine | Traffic Management System |
| Timetable and Train Graph Processor | Traffic Management System |
| Conflict Detection and Resolution Module | Traffic Management System |
| Train Describer and Berth Management | Traffic Management System |
| TMS-CBI Interface Gateway | Traffic Management System |

| From | To |
|---|---|
| Computer-Based Interlocking | Train Detection Subsystem |
| Computer-Based Interlocking | Colour-Light Signalling Output |
| Computer-Based Interlocking | Points and Crossing Drive System |
| Computer-Based Interlocking | ETCS Radio Block Centre |
| Computer-Based Interlocking | Traffic Management System |
| Computer-Based Interlocking | Level Crossing Protection System |
| Wheel Sensor | Axle Counter Evaluator |
| Audio-Frequency Track Circuit | Train Detection Data Concentrator |
| Axle Counter Evaluator | Train Detection Data Concentrator |
| Train Detection Data Concentrator | Computer-Based Interlocking |
| RBC Application Server | Euroradio Safe Communication Layer |
| Euroradio Safe Communication Layer | GSM-R Radio Interface Module |
| RBC-CBI Interface Gateway | RBC Application Server |
| RBC Application Server | RBC Handover Controller |
| RBC Application Server | Juridical Recording Unit |
| RBC Handover Controller | Euroradio Safe Communication Layer |
| Level Crossing Controller | Road Traffic Signal Assembly |
| Level Crossing Controller | Barrier Drive Mechanism |
| Level Crossing Controller | Level Crossing Audible Warning Device |
| Level Crossing Obstacle Detection System | Level Crossing Controller |
| Level Crossing Controller | Computer-Based Interlocking |
| Point Drive Controller | Electro-Hydraulic Point Machine |
| Point Position Detection Assembly | Point Drive Controller |
| Point Drive Controller | Swing-Nose Crossing Actuator |
| Object Controller | Point Drive Controller |
| Point Heating System | Signalling Diagnostic and Monitoring System |
| Safety-Critical Data Network Switch | Lineside Transmission Multiplexer |
| Safety-Critical Data Network Switch | RaSTA Protocol Stack |
| Network Time Distribution Server | Safety-Critical Data Network Switch |
| Cybersecurity Boundary Gateway | Safety-Critical Data Network Switch |
| Network Diagnostic and Monitoring Agent | Safety-Critical Data Network Switch |
| Network Diagnostic and Monitoring Agent | Cybersecurity Boundary Gateway |
| Network Diagnostic and Monitoring Agent | Lineside Transmission Multiplexer |
| Signalling Communication Network | Computer-Based Interlocking |
| Signalling Communication Network | ETCS Radio Block Centre |
| Signalling Communication Network | Signalling Diagnostic and Monitoring System |
| Signal Aspect Driver | LED Signal Module |
| Signal Aspect Driver | Junction Route Indicator |
| Signal Proving and Monitoring Unit | LED Signal Module |
| Signal Proving and Monitoring Unit | Signal Aspect Driver |
| Signal Proving and Monitoring Unit | Signalling Diagnostic and Monitoring System |
| LED Signal Module | Multi-Aspect Signal Head |
| Signalling Power Feeder | Signalling Uninterruptible Power Supply |
| Signalling Power Feeder | Signalling Power Distribution Panel |
| Signalling Uninterruptible Power Supply | Signalling Power Distribution Panel |
| Signalling Power Distribution Panel | Track Circuit Power Feed Unit |
| Power Supply Monitoring and Switchover Controller | Signalling Power Feeder |
| Power Supply Monitoring and Switchover Controller | Signalling Uninterruptible Power Supply |
| Power Supply Monitoring and Switchover Controller | Signalling Power Distribution Panel |
| Power Supply Monitoring and Switchover Controller | Signalling Diagnostic and Monitoring System |
| Condition Monitoring Server | Event Logger and Replay Unit |
| Condition Monitoring Server | Alarm Management Processor |
| Remote Diagnostic Gateway | Condition Monitoring Server |
| Alarm Management Processor | Signaller Workstation |
| Track Diagram Display Processor | Route Setting and Command Interface |
| Alarm Display and Management Panel | Track Diagram Display Processor |
| Workstation Redundancy Controller | Track Diagram Display Processor |
| Signaller Authentication and Access Control Module | Route Setting and Command Interface |
| Automatic Route Setting Engine | TMS-CBI Interface Gateway |
| Timetable and Train Graph Processor | Automatic Route Setting Engine |
| Conflict Detection and Resolution Module | Automatic Route Setting Engine |
| Train Describer and Berth Management | Automatic Route Setting Engine |
| TMS-CBI Interface Gateway | Train Describer and Berth Management |
| Track Diagram Display Processor | Computer-Based Interlocking |
| Route Setting and Command Interface | Computer-Based Interlocking |
| Train Describer and Berth Management | Track Diagram Display Processor |
| TMS-CBI Interface Gateway | Computer-Based Interlocking |
| Traffic Management System | Signaller Workstation |

| Component | Output |
|---|---|
| Vital Processing Unit | route-locking commands, signal aspect commands, point position commands |
| Object Controller | field equipment drive signals, input status reports |
| Interlocking Communication Gateway | movement authority data, route confirmation messages, vital link coordination |
| Audio-Frequency Track Circuit | binary occupied/clear status per track section via rail impedance measurement |
| Axle Counter Evaluator | section occupancy state derived from axle count differential, reset request alerts |
| Wheel Sensor | analogue pulse signals encoding wheel flange passage events and direction |
| Train Detection Data Concentrator | unified digital occupancy table, diagnostic alarms, degradation alerts |
| RBC Application Server | Movement Authority (MA) messages |
| Euroradio Safe Communication Layer | Authenticated safe messages |
| GSM-R Radio Interface Module | Radio bearer sessions |
| RBC-CBI Interface Gateway | Interlocking status data |
| RBC Handover Controller | Handover coordination messages |
| Juridical Recording Unit | Tamper-evident event logs |
| Level Crossing Controller | Protection sequence commands |
| Road Traffic Signal Assembly | Visual warning to road users |
| Barrier Drive Mechanism | Physical road closure |
| Level Crossing Obstacle Detection System | Obstacle detection status |
| Level Crossing Audible Warning Device | Audible warning tone |
| Electro-Hydraulic Point Machine | mechanical blade movement and hydraulic clamp locking force |
| Point Position Detection Assembly | vital blade position detection signals (normal detected, reverse detected, not detected) |
| Point Drive Controller | motor drive power sequencing, detection status reports, obstruction alarms, diagnostic data |
| Point Heating System | thermal energy to switch rails preventing ice and snow accumulation |
| Swing-Nose Crossing Actuator | crossing nose movement and position detection for high-speed turnouts |
| Safety-Critical Data Network Switch | redundant Ethernet paths with PRP zero-recovery-time failover for vital signalling data |
| Lineside Transmission Multiplexer | aggregated fiber-optic trunk links carrying multiplexed field equipment data |
| RaSTA Protocol Stack | SIL4-authenticated safety messages with sequence validation and timeout detection |
| Network Time Distribution Server | sub-microsecond UTC time synchronization via IEEE 1588v2 PTP |
| Cybersecurity Boundary Gateway | filtered and inspected data flows between safety and non-vital network zones |
| Network Diagnostic and Monitoring Agent | network health alarms, performance metrics, 90-day rolling logs |
| Multi-Aspect Signal Head | visible signal aspect (red/yellow/double-yellow/green) |
| LED Signal Module | monochromatic light output at calibrated intensity |
| Signal Proving and Monitoring Unit | lamp status and failsafe override |
| Signal Aspect Driver | regulated LED drive current per commanded aspect |
| Junction Route Indicator | route direction display at junctions |
| Signalling Power Feeder | regulated 110V AC and 48V DC bulk power from stepped-down mains supply |
| Signalling Uninterruptible Power Supply | seamless conditioned AC power with battery backup for minimum 2 hours during mains failure |
| Signalling Power Distribution Panel | individually protected and isolated power feeds to each signalling subsystem |
| Track Circuit Power Feed Unit | regulated audio-frequency AC power (83Hz/91.5Hz) for track circuit transmitters |
| Power Supply Monitoring and Switchover Controller | power system status reports, switchover commands, load-shedding sequences, event logs |
| Condition Monitoring Server | predictive maintenance alerts, degradation trends, reliability reports, 12-month operational data archive |
| Event Logger and Replay Unit | tamper-evident chronological event records with 1ms timestamps, incident replay sessions |
| Remote Diagnostic Gateway | authenticated read-only remote diagnostic sessions with audit trail |
| Alarm Management Processor | rationalised prioritised alarm stream, root-cause correlation, alarm history with operator response data |
| Track Diagram Display Processor | real-time schematic track diagram display |
| Route Setting and Command Interface | route-setting commands and operator action audit trail |
| Alarm Display and Management Panel | prioritised alarm display and acknowledgement events |
| Workstation Redundancy Controller | automatic failover and state transfer between workstation pairs |
| Signaller Authentication and Access Control Module | authenticated session and role-based access permissions |
| Automatic Route Setting Engine | automatic route-setting commands and regulation decisions |
| Timetable and Train Graph Processor | train graph display and punctuality metrics |
| Conflict Detection and Resolution Module | conflict alerts and regulation recommendations |
| Train Describer and Berth Management | real-time train identity to berth mapping |
| TMS-CBI Interface Gateway | protocol-translated route commands and CBI status data |