System Requirements Specification (SyRS) — ISO/IEC/IEEE 15289 — Specification | IEEE 29148 §6.2–6.4
Generated 2026-03-27 — UHT Journal / universalhex.org

| Standard | Title |
|---|---|
| EN 12604 | — |
| EN 13232-4 | — |
| EN 13232-7 | — |
| EN 50121-4 | — |
| EN 50123 | — |
| EN 50125-3 | — |
| EN 50128 | Railway applications — Software for railway control and protection systems |
| EN 50129 | Railway applications — Safety related electronic systems for signalling |
| EN 50159 | — |
| EN 50238 | — |
| ERTMS | — |
| ETCS | — |
| ETCS Level 2 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 62439-3 | — |
| IEEE 1588 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems |
| IEEE 1588v2 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems |
| IEEE 802.3ab | Standard for Ethernet |
| ISO 9241-305 | — |

| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| AWS | Automatic Warning System |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| TPWS | Train Protection and Warning System |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-NEEDS-CON-005 | The Railway Signalling System SHALL provide ETCS Level 2 cab signalling in addition to lineside signals, enabling mixed-traffic operation with both ETCS-fitted and non-ETCS-fitted rolling stock during the transition period. Rationale: European regulatory mandate (TSI CCS) requires ETCS deployment on TEN-T corridors. However, the transition period demands dual signalling (lineside + cab) because the entire fleet cannot be retrofitted simultaneously. The system must therefore provide both modalities concurrently without degrading safety or capacity for either traffic type. | Test | stakeholder, interoperability, session-299 |
| STK-NEEDS-OPS-001 | The Railway Signalling System SHALL prevent any two trains from simultaneously occupying the same track section, and SHALL prevent conflicting movements at junctions, to a tolerable hazard rate of no worse than 10^-9 per operating hour. Rationale: Fundamental safety requirement deriving from CENELEC EN 50129 safety case obligations and UK Railway Group Standard GK/RT0045. The 10^-9/h THR aligns with SIL 4 for catastrophic hazards (head-on collision, side collision at junctions). This is the primary raison d'être of the signalling system — without guaranteed train separation, no safe railway operation is possible. | Analysis | stakeholder, safety, session-299 |
| STK-NEEDS-OPS-004 | The Railway Signalling System SHALL be maintainable by a team of 6 signalling technicians per 100 route-km, with mean time to repair not exceeding 2 hours for any single equipment failure. Rationale: Maintenance staffing levels are constrained by the infrastructure manager's budget and recruitment pipeline. 6 technicians per 100 route-km reflects current UK Network Rail norms. The 2-hour MTTR ensures that degraded-mode operation (which typically halves capacity) does not persist across peak traffic periods. | Demonstration | stakeholder, maintainability, session-299 |
| STK-NEEDS-OPS-006 | The Railway Signalling System SHALL protect all road-rail level crossings such that road users are warned and barriers are in position at least 20 seconds before the fastest train reaches the crossing, for all train speeds up to 160 km/h. Rationale: Level crossing collisions are the single largest category of railway fatalities in Europe. The 20-second minimum warning time is derived from road user clearance time calculations per Railway Group Standard RT/E/S/11200, accounting for a 60m road vehicle clearing the crossing at 5 km/h. Below 20 seconds, road users cannot reliably clear the danger zone. | Test | stakeholder, safety, level-crossing, session-299 |
| STK-NEEDS-PERF-002 | The Railway Signalling System SHALL support a minimum headway of 2 minutes between successive trains on main running lines to enable the planned timetable capacity of 30 trains per hour per direction. Rationale: Capacity requirement driven by the infrastructure manager's timetable planning. The 2-minute headway is typical of high-capacity mainline corridors (e.g., UK East Coast or West Coast Main Line). Below this headway, signalling becomes the bottleneck and timetable paths are lost. The 30 trains/hour/direction target derives from franchise commitments and passenger demand forecasts. | Test | stakeholder, performance, session-299 |
| STK-NEEDS-PERF-003 | The Railway Signalling System SHALL achieve an operational availability of at least 99.99% measured annually, with no single equipment failure causing total loss of signalling capability across more than one signal section. Rationale: Railway operators face severe financial penalties for service disruption. 99.99% availability (52 minutes downtime per year maximum) is the standard for UK mainline signalling renewals. The single-failure containment requirement prevents common-cause failures from cascading across the controlled area, which would strand hundreds of trains simultaneously. | Analysis | stakeholder, availability, session-299 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQS-ENV-007 | While installed in trackside locations, the Railway Signalling System outdoor equipment SHALL operate continuously within specification across an ambient temperature range of −40°C to +70°C, relative humidity up to 100% (condensing), and electromagnetic compatibility per EN 50121-4 for emissions and immunity in the railway electromagnetic environment. Rationale: Trackside equipment is exposed to extreme conditions: sub-zero winter temperatures (especially in Scandinavian or Scottish deployments), solar heating of equipment cases to +70°C in summer, traction return current EMI up to 2000A at 50Hz, and continuous weather exposure. EN 50121-4 is the railway-specific EMC standard that ensures signalling equipment is neither disrupted by nor disrupts traction and communications equipment. | Test | system, environmental, session-299 |
| SYS-REQS-FUNC-001 | The Railway Signalling System SHALL implement vital interlocking logic that enforces all route-locking, flank protection, and overlap-locking constraints, achieving a wrong-side failure rate of no worse than 10^-9 per operating hour as determined by quantitative safety analysis per EN 50129. Rationale: Direct derivation from STK-NEEDS-OPS-001. The 10^-9/h THR is allocated to the interlocking function because wrong-side signal failures (showing a proceed aspect when the route is not safe) are the primary hazard mechanism. EN 50129 requires this to be demonstrated through a combination of hardware reliability analysis (failure modes), software safety integrity (EN 50128 SIL 4 process), and systematic capability assessment. | Analysis | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-003 | The Railway Signalling System SHALL employ redundant processing in all vital subsystems such that no single hardware failure causes loss of safe signalling function, with automatic failover completing within 500 milliseconds and without any transient wrong-side output. Rationale: Derives from 99.99% availability requirement. Single-failure tolerance is achieved through 2oo2 or 2oo3 voting architectures in the interlocking and hot-standby in the RBC. The 500ms failover bound ensures that train detection continuity is maintained — track circuits that lose processing for >2s may falsely indicate clear when a train is present (rail voltage recovery artefact). | Test | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-004 | The Railway Signalling System SHALL detect the presence of any rail vehicle with a minimum axle load of 30 kg within a track section, and SHALL report track section occupancy to the interlocking with a false-clear failure rate no worse than 10^-9 per operating hour. Rationale: Derives from STK-NEEDS-OPS-001. Train detection is the primary input to the interlocking — if a track section falsely shows clear when occupied, the interlocking may set a conflicting route. The 30kg minimum axle load covers all known rail vehicles including lightweight engineering trolleys. The 10^-9/h THR matches the interlocking allocation because a false-clear detection is functionally equivalent to an interlocking wrong-side failure. | Test | system, safety, train-detection, session-299 |
| SYS-REQS-FUNC-005 | The Railway Signalling System SHALL compute and transmit ETCS movement authorities to ETCS-fitted trains within 2 seconds of the triggering interlocking state change, via the Radio Block Centre over GSM-R with end-of-authority accuracy of 1 metre. Rationale: Derives from STK-NEEDS-CON-005. The 2-second latency ensures ETCS-fitted trains receive updated MAs before they reach their current end-of-authority at line speed, preventing unnecessary emergency braking. The 1-metre EOA accuracy is required because ETCS supervised braking curves use the EOA as the zero-speed target point — larger errors could permit overrun into an occupied section or force unnecessarily early braking. | Test | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-006 | When a train is detected approaching a level crossing, the Railway Signalling System SHALL activate road warning signals and initiate barrier descent such that the full protection sequence (lights, audible warning, barrier down and proved) is complete at least 20 seconds before train arrival at the crossing, for approach speeds up to 160 km/h. Rationale: Direct derivation from STK-NEEDS-OPS-006. The approach detection point must be calculated from the maximum approach speed (160 km/h = 44.4 m/s) plus the full protection sequence time (typically 27-32s for half-barrier). At 160 km/h, the approach detection point is approximately 2.3 km from the crossing. Timing margins must account for track circuit pick-up delay (<1s) and barrier descent time (8-12s). | Test | system, safety, level-crossing, session-299 |
| SYS-REQS-FUNC-008 | The Railway Signalling System SHALL provide Automatic Warning System (AWS) and Train Protection and Warning System (TPWS) trackside equipment at all signals and speed restrictions, operating concurrently with ETCS Level 2 to protect non-ETCS-fitted trains and provide defence-in-depth for ETCS-fitted trains during the transition period, achieving a TPWS intervention reliability of at least 99.9% per demand. Rationale: UK Railway Group Standard GK/RT0045 and RSSB mandate AWS/TPWS at all controlled signals regardless of ETCS fitment. During the ETCS transition period, the fleet will include non-ETCS-fitted trains that rely exclusively on lineside signalling with AWS/TPWS as the final safety net against SPAD. Even for ETCS-fitted trains, AWS/TPWS provides an independent overlay protection layer. Removing AWS/TPWS prematurely would expose non-fitted trains to unmitigated SPAD risk. The 99.9% reliability target is per Railway Safety Principles and Guidance Part 2 Section E. | Test | rt-mechanical-trace, red-team-session-522 |
| SYS-REQS-FUNC-009 | The Railway Signalling System SHALL provide Automatic Warning System and Train Protection and Warning System trackside equipment at all signals and speed restrictions, operating concurrently with ETCS Level 2, achieving a TPWS intervention reliability of at least 99.9 percent per demand. Rationale: UK Railway Group Standard GK/RT0045 mandates AWS/TPWS at all controlled signals regardless of ETCS fitment. During the ETCS transition period non-ETCS-fitted trains rely exclusively on lineside signalling with AWS/TPWS as the final safety net against SPAD. The 99.9 percent reliability target aligns with Railway Safety Principles and Guidance Part 2 Section E. | Test | system, safety, aws-tpws, validation, session-313 |
| SYS-REQS-FUNC-010 | When the Computer-Based Interlocking or Radio Block Centre is wholly unavailable, the Railway Signalling System SHALL support a controlled transition to degraded operating mode within 60 seconds, providing the signaller with explicit degraded-mode status indication, and SHALL maintain a minimum safe capacity of 4 trains per hour per single line using verbal authorisation procedures with signaller-controlled release of individual signal sections. Rationale: Total CBI or RBC failure, while rare with design target MTBF greater than 50000 hours, must be planned for because it leaves trains without movement authority or signal protection. UK Rule Book Module TW1 defines degraded operating procedures including pilotman working and verbal authorisation that require the signalling system to release control of track sections individually. The 60-second transition time prevents trains approaching signals at danger without updated information. The 4 trains per hour floor is the minimum operational capacity that avoids route-wide cancellation during peak hours, derived from Network Rail operational resilience standards. | Demonstration | system, safety, degraded-mode, validation, session-313 |
| SYS-REQS-FUNC-011 | When the Computer-Based Interlocking or Radio Block Centre is wholly unavailable, the Railway Signalling System SHALL support a controlled transition to degraded operating mode within 60 seconds, providing the signaller with explicit degraded-mode status indication, and SHALL maintain a minimum safe capacity of 4 trains per hour per single line using verbal authorisation procedures with signaller-controlled release of individual signal sections. Rationale: Total CBI or RBC failure must be planned for because it leaves trains without movement authority. UK Rule Book Module TW1 defines degraded operating procedures including pilotman working and verbal authorisation. The 60-second transition time prevents trains approaching signals at danger without updated information. The 4 trains per hour floor avoids route-wide cancellation during peak hours per Network Rail operational resilience standards. | Demonstration | system, safety, degraded-mode, validation, session-313 |
| SYS-REQS-FUNC-012 | The Railway Signalling System SHALL record all safety-critical state changes, operator commands, alarm events, and equipment status transitions across all subsystems with UTC timestamps at 1 millisecond resolution, retaining records for a minimum of 6 months on tamper-evident storage accessible to RAIB investigators within 4 hours of a request. Rationale: RAIB investigations require comprehensive event timelines across all signalling subsystems, not just ETCS. CBI interlocking decisions, point movements, track circuit occupancies, signal aspect changes, and operator actions must all be correlated during incident investigation. The 6-month retention aligns with Railways Accident Investigation and Reporting Regulations 2005. The 4-hour accessibility requirement reflects RAIB standard evidence preservation protocols. | Test | system, safety, recording, validation, session-313 |
| SYS-REQS-FUNC-013 | The Railway Signalling System SHALL manage temporary speed restrictions by enforcing reduced approach aspects at signals governing approach to the restricted section, transmitting speed restriction data to the ETCS Radio Block Centre for inclusion in movement authorities, and providing the signaller with TSR status display showing location, speed limit, and remaining duration for all active restrictions within the control area. Rationale: Temporary speed restrictions are imposed daily across the UK network for track maintenance and infrastructure condition. TSRs must propagate to both lineside signals via reduced approach aspects per Railway Group Standard RT/E/S/11201 and ETCS movement authorities via SUBSET-026 speed profile to protect both fitted and non-fitted trains. Without integrated TSR management, speed restrictions require manual signaller intervention for every affected train, increasing workload and error risk. | Test | system, operations, tsr, validation, session-313 |
| SYS-REQS-PERF-002 | The Railway Signalling System SHALL update signal aspects within 500 milliseconds of the interlocking determining that a route is set and locked, measured from interlocking output command to confirmed signal display change. Rationale: Derives from the 2-minute headway requirement. Signal aspect update latency directly affects following-train braking distance calculations and thus minimum headway. At 500ms, the delay contribution to headway is negligible (<50m at 200km/h). At >2s, headway calculations must add a full signal section, potentially increasing minimum headway beyond the 2-minute target. | Test | rt-mechanical-trace, red-team-session-522 |
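As an added worked example (not part of the generated specification), the timing budget behind SYS-REQS-FUNC-006 and STK-NEEDS-OPS-006: the strike-in distance computed from the figures quoted in the rationale, and a check that the 20 s minimum warning still holds across the approach-speed range once a strike-in point is fixed. The class and function names are this example's own assumptions.

```python
"""Level-crossing timing budget for SYS-REQS-FUNC-006 / STK-NEEDS-OPS-006.

Added worked example, not text from the specification. Constants are the
figures quoted in the requirement rationale: 160 km/h maximum approach
speed, 20 s minimum warning, 27-32 s half-barrier protection sequence,
<1 s track-circuit pick-up delay. Names are the example's own.
"""
from dataclasses import dataclass
from typing import Iterable, List

MIN_WARNING_S = 20.0       # STK-NEEDS-OPS-006: barriers proved down >= 20 s before arrival
MAX_APPROACH_KMH = 160.0   # speed bound stated in both requirements


def kmh_to_ms(v_kmh: float) -> float:
    return v_kmh / 3.6


@dataclass(frozen=True)
class CrossingBudget:
    protection_sequence_s: float   # lights + audible warning + barrier down and proved
    pickup_delay_s: float          # track-circuit pick-up delay at the strike-in point

    def required_lead_time_s(self) -> float:
        # Everything that must elapse between detection and train arrival.
        return self.pickup_delay_s + self.protection_sequence_s + MIN_WARNING_S

    def approach_detection_distance_m(self, speed_kmh: float) -> float:
        # Strike-in distance from the crossing: what a train at speed_kmh
        # covers while the whole budget runs. The rationale's "~2.3 km"
        # corresponds to 52 s (32 s + 20 s); adding the 1 s pick-up delay
        # moves the point about 44 m further out.
        return kmh_to_ms(speed_kmh) * self.required_lead_time_s()

    def warning_margin_s(self, speed_kmh: float, detection_distance_m: float) -> float:
        # Warning time actually delivered when the strike-in point is at
        # detection_distance_m and a train approaches at speed_kmh.
        travel_s = detection_distance_m / kmh_to_ms(speed_kmh)
        return travel_s - self.pickup_delay_s - self.protection_sequence_s

    def verify(self, detection_distance_m: float, speeds_kmh: Iterable[float]) -> List[float]:
        # Speeds at which the 20 s minimum is violated for this strike-in point.
        # A tiny tolerance keeps floating-point noise from flagging an exact 20.0 s.
        return [v for v in speeds_kmh
                if self.warning_margin_s(v, detection_distance_m) < MIN_WARNING_S - 1e-9]


def worst_case_budget() -> CrossingBudget:
    # Worst case from the rationale: 32 s sequence, 1 s pick-up delay.
    return CrossingBudget(protection_sequence_s=32.0, pickup_delay_s=1.0)


if __name__ == "__main__":
    b = worst_case_budget()
    d = b.approach_detection_distance_m(MAX_APPROACH_KMH)
    print(f"strike-in distance at {MAX_APPROACH_KMH:.0f} km/h: {d:.0f} m")
    # Slower trains get a longer warning, so the full range passes.
    print("violations:", b.verify(d, range(40, 161, 20)))
    # A strike-in point placed 200 m too close fails only at line speed.
    print("violations (d - 200 m):", b.verify(d - 200, range(40, 161, 20)))
```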

| Source | Target | Type | Description |
|---|---|---|---|
| STK-NEEDS-PERF-003 | SYS-REQS-FUNC-010 | derives | Availability stakeholder need drives degraded-mode operating procedures |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-008 | derives | Collision prevention stakeholder need drives requirement for trackside AWS/TPWS protection |
| STK-NEEDS-CON-005 | SYS-REQS-FUNC-009 | derives | AWS/TPWS is required for non-ETCS-fitted trains during mixed-traffic transition period |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-013 | derives | TSR management ensures trains are protected at reduced-speed sections |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-012 | derives | System-wide event recording enables incident investigation to verify safety function performance |
| STK-NEEDS-PERF-003 | SYS-REQS-FUNC-011 | derives | Degraded mode capability ensures continued operation when primary signalling fails |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-009 | derives | AWS/TPWS provides independent SPAD protection layer deriving from train separation safety requirement |
| STK-NEEDS-PERF-003 | SYS-REQS-ENV-007 | derives | Availability requirement drives environmental specification |
| STK-NEEDS-OPS-004 | SYS-REQS-FUNC-003 | derives | Maintainability requirement drives redundancy architecture |
| STK-NEEDS-OPS-006 | SYS-REQS-FUNC-006 | derives | Level crossing safety need derives warning time requirement |
| STK-NEEDS-CON-005 | SYS-REQS-FUNC-005 | derives | ETCS compatibility need derives movement authority computation requirement |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-004 | derives | Train separation need derives train detection integrity requirement |
| STK-NEEDS-PERF-003 | SYS-REQS-FUNC-003 | derives | Availability need derives redundancy and failover requirement |
| STK-NEEDS-PERF-002 | SYS-REQS-PERF-002 | derives | Headway capacity need derives signal command latency requirement |
| STK-NEEDS-OPS-001 | SYS-REQS-FUNC-001 | derives | Train separation safety need derives interlocking safety function |