Verification Plan (SVP) — ISO/IEC/IEEE 15289 — Plan | IEEE 29148 §6.6
Generated 2026-03-27 — UHT Journal / universalhex.org
| Ref | Requirement | Method | Tags |
|---|---|---|---|
| VER-027 | Verify SUB-REQS-FUNC-002: Set a route through a junction with 3 conflicting routes available. Confirm all points within the route lock to required positions (detection feedback within 6s). Attempt to set each conflicting route — verify all are rejected. Release the route and confirm points unlock after 120s timeout and all track sections clear. Rationale: Route-locking is the foundational safety function of any interlocking. Verification must confirm both positive (correct lock) and negative (conflict rejection) behaviours, using the EN 50128 SIL 4 test strategy requiring structured test cases derived from the interlocking application data. | Test | verification, cbi, session-303, idempotency:ver-sub002-route-lock-303 |
| VER-028 | Verify SUB-REQS-FUNC-005: Send a correctly authenticated, sequence-numbered command from VPU test harness to Object Controller. Confirm field output driven and read-back confirmation received within 50ms. Then inject a command with invalid authentication — verify Object Controller rejects it and maintains previous output state. Inject an out-of-sequence command — verify rejection and alarm generation. Rationale: The Object Controller's command authentication is a defence against spurious field equipment actuation. The test must prove both correct-path (valid command drives output) and attack-path (forged or replayed command rejected) behaviours per EN 50159 Category 1 communication requirements. | Test | verification, cbi, session-303, idempotency:ver-sub005-obj-ctrl-auth-303 |
| VER-029 | Verify SUB-REQS-FUNC-006: Load valid Interlocking Application Data with known SHA-256 hash into the VPU test instance. Confirm successful startup and transition to operational mode. Then corrupt a single byte of the application data file and restart — verify the VPU detects hash mismatch, refuses to enter operational mode, and generates a specific data integrity alarm. Rationale: Interlocking Application Data integrity is the basis of safe operation — a corrupted data set could create unsafe route conflicts. Verification must confirm both positive (valid data accepted) and negative (corrupted data rejected at startup) paths, consistent with CENELEC EN 50128 software verification requirements for SIL 4. | Test | verification, cbi, session-303, idempotency:ver-sub006-vpu-integrity-303 |
| VER-030 | Verify SUB-REQS-FUNC-008: With all three VPU channels operational, disable one channel via test fault injection. Confirm the CBI transitions to 2-out-of-2 mode within 100ms, continues processing routes, and generates a degradation alarm. Execute a route-set, signal-clear, and point-move sequence in degraded mode — verify correct operation. Confirm the CBI initiates repair notification within 30 minutes per the degradation time limit. Rationale: The 2oo3-to-2oo2 degradation path is the primary availability mechanism for the interlocking. Verification must prove both the transition (no momentary loss of service) and the continued safe operation in degraded mode, since the system may operate in this state for up to 30 minutes before requiring repair action. | Test | verification, cbi, degraded-mode, session-303, idempotency:ver-sub008-degraded-303 |
| VER-031 | Verify SUB-REQS-FUNC-015: Generate calibrated wheel pulse sequences at speeds of 0, 5, 100, 300, and 500 km/h using wheel diameters of 330mm, 680mm, and 1000mm. For each combination, pass a known number of axles (2, 4, 12, and 24 axles per train) through the counting point. Verify the evaluator reports the exact axle count with zero errors across 1000 repetitions per combination, confirming miscount probability below 10^-9. Rationale: Axle counting accuracy directly determines track occupancy state correctness. The test matrix covers the full speed and wheel diameter envelope specified in SUB-REQS-FUNC-015, with 1000 repetitions providing statistical confidence in the 10^-9 miscount probability bound. | Test | verification, train-detection, session-303, idempotency:ver-sub015-axle-counter-303 |
| VER-032 | Verify SUB-REQS-FUNC-016: Inject a simulated train entry of 4 axles followed by an exit count of 3 axles. Verify the evaluator sets the section to occupied (restrictive) state within 200ms (2 processing cycles). Confirm the evaluator generates a count discrepancy alarm with section identity, expected count, and actual count. Verify the section remains in occupied state until a supervised technician reset is performed. Rationale: Count discrepancy handling is the fail-safe mechanism of axle counting — when counts disagree, the section must default to occupied to prevent collision. The 200ms response time ensures the interlocking receives the restrictive indication before the next processing cycle can clear conflicting routes. | Test | verification, train-detection, session-303, idempotency:ver-sub016-discrepancy-303 |
| VER-053 | Verify IFC-CBIINTERFACES-025: Configure the Cybersecurity Boundary Gateway between the safety network and TMS. From the TMS side, attempt to send non-allowlisted protocol packets, malformed route requests, and replay captured messages. Verify that only allowlisted route request messages pass through and all others are blocked. From the safety network side, send route status and train position data and verify it reaches TMS correctly. Attempt to inject data from TMS into the safety network outside the controlled bidirectional channel. Pass criteria: unidirectional enforcement holds for all test cases, DPI blocks all non-conforming packets, and legitimate route requests are processed within 200ms. Rationale: Cybersecurity boundary is a critical defence layer — verification must demonstrate both that the unidirectional enforcement holds under attack and that legitimate traffic passes without disruption. DPI and allowlisting are tested with deliberately crafted adversarial traffic. | Test | verification, cybersecurity, session-307, idempotency:ver-ifc025-qc-307 |
| VER-054 | Verify IFC-CBIINTERFACES-027: Configure the Network Diagnostic and Monitoring Agent to transmit health data to the Signalling Diagnostic and Monitoring System via the Cybersecurity Boundary Gateway. Inject network alarm conditions (link down, threshold exceeded) and verify SNMP traps arrive within 5 seconds. Verify periodic polling metrics are received at intervals not exceeding 60 seconds. Simulate Boundary Gateway packet filtering and confirm monitoring traffic is correctly classified as non-vital and routed through the permitted channel. Pass criteria: all alarms received within 5 seconds, polling metrics arrive at configured interval, and no monitoring traffic bypasses the Boundary Gateway. Rationale: Network monitoring data must flow through the cybersecurity boundary to reach maintenance systems — verifying the path through the Boundary Gateway confirms both functional routing and security zone compliance. The 60-second polling interval and alarm latency bounds must be validated end-to-end including the gateway transit. | Test | verification, network-monitoring, session-307, idempotency:ver-ifc027-qc-307 |
| VER-055 | Verify SUB-REQS-FUNC-055: With signal displaying green aspect, remove the command input from the Object Controller by disconnecting the serial link. Measure time from disconnection to red aspect display. Repeat with supply power removal. Pass criteria: most restrictive aspect (red) displayed within 200ms of either fault condition in all 10 trials, via de-energised failsafe relay (verify relay state with independent monitoring). Confirm no transient non-red aspect is displayed during the transition. Rationale: SIL4 safety requirement — the failsafe default to danger aspect is the primary defence against signal driver failures. Testing must demonstrate both the timing bound (200ms) and the mechanism (de-energised relay) to confirm that the failsafe operates even under complete power loss. | Test | verification, signal-failsafe, safety, session-307, idempotency:ver-sub055-qc-307 |
| VER-056 | Verify SUB-REQS-FUNC-056: With both monitoring channels operational and all lamps healthy, confirm both channels report healthy and no failsafe relay trigger. Inject a known lamp failure detectable by both channels — confirm both detect and agree. Inject a discrepancy between channels by disconnecting one monitoring input while the other remains connected. Pass criteria: agreement case reports correct lamp status; disagreement case triggers failsafe relay within 500ms. Repeat for each aspect colour and for partial LED string failure. Rationale: The 2oo2 comparison architecture for lamp monitoring is a safety-critical function — a single monitoring channel failure must not cause a false healthy indication. Testing channel disagreement proves the failsafe mechanism operates when one monitor is unreliable. | Test | verification, signal-proving, safety, session-307, idempotency:ver-sub056-qc-307 |
| VER-057 | Verify SUB-REQS-FUNC-059: Set route through junction and confirm Junction Route Indicator illuminates with proceed aspect. Step signal to danger (red) and verify JRI extinguishes within 200ms. Disable the software route data path while maintaining a proceed aspect — verify JRI still obeys the hardware interlock tied to the main signal aspect. Inject a software command to illuminate JRI while signal is at danger — verify the hardware interlock prevents illumination. Pass criteria: JRI never illuminates when danger aspect is displayed, verified over 50 test cycles across all route/aspect combinations. Rationale: A lit JRI alongside a red signal is a hazardous misleading indication — driver may infer a route is set and pass the danger signal. The hardware interlock independence from the software route data path must be positively demonstrated. | Test | verification, junction-indicator, safety, session-307, idempotency:ver-sub059-qc-307 |
| VER-058 | Verify SUB-REQS-FUNC-037: Using calibrated gauge blocks, position blade tip at 0mm, 1mm, 1.9mm, 2.0mm, 2.1mm, and 3mm displacement from stock rail. At each position, read detection output. Pass criteria: detection reports 'detected' for displacements of 2.0mm or less; reports 'not detected' for displacements exceeding 2.0mm. Repeat at -25C, +20C, and +70C ambient temperatures to verify thermal stability. Measurement accuracy of test equipment shall be 0.1mm or better. Rationale: The 2mm detection threshold is the boundary between safe (locked) and unsafe (unlocked) blade position. Testing at the threshold boundary with calibrated displacement confirms the detection transition point is correctly set, and temperature cycling verifies thermal expansion does not shift the threshold. | Test | verification, point-detection, safety, session-307, idempotency:ver-sub037-qc-307 |
| VER-ANAL-008 | Verify SUB-REQS-PERF-010: Conduct worst-case execution time (WCET) analysis of the interlocking processing cycle with 200 simultaneous route requests, 500 track sections, and 120 point machines. Confirm by measurement on the target hardware with instrumented timing. Pass: measured WCET does not exceed 500ms under worst-case loading. Rationale: WCET analysis provides formal proof of timing compliance independent of test coverage. Combined with hardware measurement, this covers both theoretical and practical bounds. | Analysis | verification, cbi, vpu, performance, session-300 |
| VER-ANAL-009 | Verify SUB-REQS-PERF-011: Perform quantitative reliability analysis (Markov model or fault tree) of the VPU 2oo3 architecture using component failure rate data from manufacturer datasheets. Demonstrate MTBFd exceeds 100,000 hours and that MTTR of 30 minutes with on-site spares achieves the 99.99% availability target. Pass: calculated MTBFd >= 100,000 hours; availability model shows >= 99.99%. Rationale: Hardware reliability claims must be supported by quantitative analysis per EN 50129 Annex B. Field testing alone cannot demonstrate MTBFd within practical project timescales. | Analysis | verification, cbi, vpu, reliability, session-300 |
| VER-TEST-001 | Verify IFC-CBIINTERFACES-001: Inject simulated track circuit occupancy changes on the test interface at 2Hz rate. Confirm the interlocking receives and processes each state change within one 500ms cycle. Verify EN 50159 Category 1 message framing. Pass: all occupancy changes reflected in interlocking state within 500ms, no message rejection. Rationale: Integration test at system boundaries validates the actual message protocol and timing between CBI and train detection equipment. | Test | verification, cbi, train-detection, session-300 |
| VER-TEST-002 | Verify IFC-CBIINTERFACES-002: Set a route and confirm signal aspect command is issued to the correct Object Controller output. Then sever the command link and verify the signal reverts to red within 2 seconds. Test all aspect types (red, yellow, double-yellow, green, flashing). Pass: correct aspects commanded for valid routes; red default within 2 seconds on link loss. Rationale: Tests the safety-critical fail-safe signal behaviour and the complete command chain from VPU through Object Controller to signal head. | Test | verification, cbi, signals, session-300 |
| VER-TEST-003 | Verify IFC-CBIINTERFACES-003: Command each point machine to normal and reverse positions. Verify detection status is received within 200ms of movement completion. Simulate a detection failure (no detection after 10 seconds) and verify the interlocking reports point failure and cancels any route requiring that point. Pass: all detection states correctly received; timeout triggers point failure alarm. Rationale: Point detection is safety-critical — an undetected point allows route setting over unsecured switches. The timeout test verifies the fail-safe behaviour. | Test | verification, cbi, points, session-300 |
| VER-TEST-004 | Verify IFC-CBIINTERFACES-004: Establish RaSTA connection between CBI Communication Gateway and ETCS RBC test simulator. Set and release routes while measuring end-to-end latency of route status messages. Sever the connection and verify the RBC receives no valid data after the 2-second timeout. Pass: latency below 500ms for 99th percentile; timeout detection within 2.5 seconds. Rationale: Validates the safety communication protocol and timeout behaviour on the most critical external interface for ETCS Level 2 operations. | Test | verification, cbi, etcs, session-300 |
| VER-TEST-005 | Verify IFC-CBIINTERFACES-005: Send automatic route-setting commands from TMS test client. Verify route confirmation or rejection within 1 second. Send a command for a conflicting route and verify the interlocking rejects it regardless of TMS authority. Pass: all valid routes confirmed within 1 second; conflicting routes rejected; safety logic not overridden. Rationale: Demonstrates that the non-vital TMS interface cannot compromise interlocking safety logic, which is the fundamental safety principle of the CBI-TMS boundary. | Test | verification, cbi, tms, session-300 |
| VER-TEST-006 | Verify IFC-CBIINTERFACES-006: Simulate train approach and verify crossing activation command. Confirm that the protecting signal does not clear until crossing status reports barriers down. Simulate barrier failure and verify signal remains at red. Pass: signal clears only after barriers-down confirmed; barrier failure prevents signal clearance. Rationale: The level crossing interlock is a critical safety function — verifying that the signal cannot clear without barrier confirmation protects road users. | Test | verification, cbi, level-crossing, session-300 |
| VER-TEST-007 | Verify SUB-REQS-FUNC-001: Inject a known output command sequence and compare outputs from all three VPU channels. Introduce a deliberate bit-flip error in one channel and verify the 2oo3 voter produces the correct output and flags the faulty channel. Measure comparison window timing. Pass: correct output despite single-channel corruption; faulty channel detected; comparison within 10ms. Rationale: The 2oo3 voting mechanism is the primary safety architecture — this test validates both correct voting and fault detection. | Test | verification, cbi, vpu, session-300 |
| VER-TEST-010 | Verify IFC-CBIINTERFACES-007: Install wheel sensor pair at test track section boundary with 12 km cable run. Inject wheel-profile simulator pulses at speeds 0, 50, 200, and 500 km/h equivalent rates. Measure SNR at evaluator input at -40C and +70C ambient. Pass: SNR >= 20 dB at all conditions, evaluator correctly counts all injected pulses. Rationale: Full cable length and temperature extremes test worst-case signal attenuation. Speed range covers operational envelope endpoints. | Test | verification, train-detection, session-301 |
| VER-TEST-011 | Verify IFC-CBIINTERFACES-008: Connect track circuit relay simulator to concentrator input. Toggle occupied/clear at 5 Hz. Verify concentrator captures every state change with no missed transitions over 10000 cycles. Measure polling latency: pass if all transitions captured within 100ms. Rationale: 5 Hz toggle rate exceeds expected real-world transition rates and stress-tests the polling mechanism. 10000 cycles provides statistical confidence in reliability. | Test | verification, train-detection, session-301 |
| VER-TEST-012 | Verify IFC-CBIINTERFACES-009: Configure evaluator with 24 counting points. Inject simultaneous occupancy changes on all points. Capture RS-485 frames and verify: baud rate 19200, EN 50159 Cat 1 coding present (sequence number, CRC, timestamp), update rate >= 5 Hz per point, all occupancy states correctly reflected in concentrator output within 200ms. Rationale: Maximum counting-point load (24) tests throughput limits. Simultaneous changes test worst-case bus utilisation and message scheduling. | Test | verification, train-detection, session-301 |
| VER-TEST-013 | Verify IFC-CBIINTERFACES-010: Configure concentrator with 128 sections. Inject occupancy changes and capture vital serial output. Verify: cyclic message rate 10 Hz, EN 50159 Cat 3 coding with valid cryptographic MAC, all 128 section states correct. Inject corrupted messages and verify CBI rejects them. Rationale: 128-section load tests maximum capacity. Cryptographic authentication verification confirms the safety communication layer rejects tampered data, which is the primary defence against undetected data corruption on the vital link. | Test | verification, train-detection, session-301 |
| VER-TEST-014 | Verify SUB-REQS-FUNC-013: Apply calibrated 0.06 ohm shunting resistor across running rails at track circuit section. Measure detection time from shunt application to occupied indication. Repeat at 5 positions along section. Pass: all detections within 1 second. Rationale: 0.06 ohm shunt is the standard test resistance per EN 50238. Multiple positions test sensitivity across the full section length, including the known weak points near transmitter and receiver ends. | Test | verification, train-detection, session-301 |
| VER-TEST-015 | Verify SUB-REQS-FUNC-014: Disconnect track circuit receiver signal (simulate cable break). Measure time from signal loss to occupied indication. Repeat for power supply failure and transmitter failure modes. Pass: occupied indication within 500ms for all failure modes. Rationale: Tests all credible failure modes that could cause loss of received signal. Each must independently trigger the fail-safe occupied state within the specified time. | Test | verification, train-detection, session-301 |
| VER-TEST-016 | Verify IFC-CBIINTERFACES-011: Inject simulated route and occupancy updates from a CBI test harness at 10 Hz for 24 hours under 60-train load. Measure message delivery rate, sequence gap count, and timestamp drift. Pass criteria: zero sequence gaps, zero out-of-order deliveries, 100% message delivery rate. Rationale: 24-hour endurance test at full load verifies sustained interface performance, not just burst capability. Sequence gap and ordering checks validate the safety-relevant message integrity properties. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-017 | Verify IFC-CBIINTERFACES-012: Transmit ETCS application messages of varying sizes (64B to 1023B) through the Euroradio layer under 60 concurrent sessions. Measure delivery confirmation latency for 10,000 messages. Pass criteria: 99.9% of messages confirmed within 2 seconds, maximum message size accepted without truncation. Rationale: Variable message sizes test boundary conditions including the 1023-byte maximum. 10,000 messages provide statistical confidence in the delivery confirmation timing across the session population. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-018 | Verify IFC-CBIINTERFACES-013: Operate Euroradio over a GSM-R bearer simulator configured at 9.6 kbps with injected bit error rates from 10^-6 to 10^-2. Verify that Euroradio maintains SIL 4 message integrity at all error rates up to 10^-3. Pass criteria: zero undetected message corruptions across 10^6 test messages at each error rate level. Rationale: Graduated error injection from nominal to worst-case validates that the safety layer correctly handles the full range of bearer quality conditions. 10^6 messages per level provides statistical confidence in the residual error rate claim. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-019 | Verify IFC-CBIINTERFACES-014: Trigger 100 handover requests at varying train speeds (80-300 km/h) and measure train state data transfer latency from request to complete delivery. Pass criteria: all transfers complete within 200ms, state data integrity verified against source. Rationale: Testing across the speed range validates that the interface performs consistently regardless of the urgency of the handover (higher speed = less time available). 100 iterations provide confidence in worst-case latency. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-020 | Verify IFC-CBIINTERFACES-015: Generate 500 events per second from a simulated RBC Application Server for 1 hour. After test completion, verify that the Juridical Recording Unit received and stored every event with correct timestamps. Pass criteria: zero event loss, timestamp accuracy within 1ms of source. Rationale: 1-hour sustained peak load test validates the message queue's guaranteed delivery mechanism under worst-case conditions. Timestamp accuracy verification ensures the recording is usable for incident reconstruction. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-021 | Verify SUB-REQS-FUNC-020: Execute 10,000 MA computation cycles under 60-train load with varying route complexity (simple through-route to complex junction with 8+ points). Measure computation time from input receipt to output ready. Pass criteria: 100% of cycles complete within 800ms, 99th percentile below 600ms. Rationale: 10,000 cycles across route complexity variants validate worst-case performance. The 99th percentile check at 600ms provides margin assurance — if the distribution is tight, the 800ms budget is well-allocated. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-022 | Verify SUB-REQS-FUNC-022: With 60 active train sessions, inject primary unit failure (power loss, software crash, communication loss). Measure time from failure detection to standby assuming all sessions. Verify no train session is lost or interrupted. Repeat for 50 failure scenarios. Pass criteria: all failovers complete within 3 seconds, zero session loss. Rationale: 50 failure scenarios cover the range of failure modes (hardware, software, communication). Full 60-train load during failover tests the worst case where all sessions must transfer simultaneously. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-023 | Verify SUB-REQS-FUNC-030: Issue emergency stop commands during various RBC load conditions (idle, 30 trains, 60 trains) and measure time from command receipt to transmission of emergency messages to all affected trains. Pass criteria: all emergency messages transmitted within 500ms in every scenario. Rationale: Testing at multiple load levels validates that emergency message prioritisation works correctly — the 500ms budget must hold even when the RBC is at peak MA computation load. This is the most safety-critical timing requirement in the ETCS RBC. | Test | verification, etcs-rbc, session-302 |
| VER-TEST-024 | Verify IFC-CBIINTERFACES-016: Simulate 1000 train approach sequences with the CBI test harness. Measure approach trigger to controller acknowledgment latency and crossing protection status report delivery to CBI. Inject communication faults during 10% of sequences. Pass criteria: all messages delivered within 500ms, fault conditions correctly reported to CBI within 1 second. Rationale: 1000 sequences provide statistical confidence in timing. Communication fault injection validates the safety communication layer's error detection and fail-safe reporting. | Test | verification, level-crossing, session-302 |
| VER-TEST-025 | Verify IFC-CBIINTERFACES-017: Place test objects of 0.5m, 0.3m, and 1.0m height on crossing deck and verify detection status output. Disconnect sensor communication and verify fail-safe obstacle-present output within 200ms. Pass criteria: 0.5m and 1.0m objects detected, 0.3m objects not detected, fail-safe output asserted within one scan cycle of communication loss. Rationale: Boundary testing at threshold height validates discrimination between hazardous and non-hazardous objects. Fail-safe test validates the critical safety property that sensor failure is treated as obstacle present. | Test | verification, level-crossing, session-302 |
| VER-TEST-026 | Verify IFC-CBIINTERFACES-018: Command 500 barrier raise/lower cycles and verify position feedback accuracy against independent angle measurement. Simulate motor stall at various positions and verify controller detects stall within 200ms. Pass criteria: position accuracy within 1 degree, stall detection within 2 update cycles. Rationale: 500 cycles test mechanical endurance and interface reliability. Independent angle measurement validates feedback accuracy. Stall detection timing is critical for the controller to stop driving a barrier that has contacted an obstacle. | Test | verification, level-crossing, session-302 |
| VER-TEST-033 | Verify IFC-CBIINTERFACES-019: Connect Point Drive Controller to instrumented point machine with inline power analyser. Command 10 consecutive throws. Verify 3-phase voltage is 380-440V at 50Hz. Verify current sampling captures at least 100 samples per second. Inject a mechanical obstruction at 50% throw and verify current spike is captured. Pass criteria: all voltage within range, sampling rate confirmed, obstruction signature detected in current log. Rationale: Integration test at the power interface boundary. Inline power analyser provides independent measurement of voltage and frequency. Obstruction injection validates the current monitoring path end-to-end, not just the sampling rate in isolation. | Test | verification, points-drive, session-304, idempotency:ver-ifc019-power-304 |
| VER-TEST-034 | Verify IFC-CBIINTERFACES-020: With point machine in normal position, verify both detection channels report normal-detected. Move blade 1mm beyond detection threshold using precision actuator. Verify both channels transition to not-detected within 50ms (measured by oscilloscope on relay contacts). Repeat for reverse position. Disconnect one channel and verify the remaining channel alone does not satisfy the two-channel detection requirement. Pass criteria: detection transitions within 50ms, single channel insufficient. Rationale: Precision actuator enables controlled displacement testing at the exact detection threshold. Oscilloscope timing verifies the 50ms latency requirement. Single-channel disconnection test validates the independence and dual-channel logic required for SIL 4. | Test | verification, points-drive, session-304, idempotency:ver-ifc020-detect-304 |
| VER-TEST-035 | Verify IFC-CBIINTERFACES-021: Command a full throw of a high-speed turnout with swing-nose crossing. Instrument the main blade and crossing nose positions with displacement transducers. Verify that nose drive command is not issued until main blades reach mid-stroke. Verify that overall point detection is not reported until nose detection is confirmed. Introduce a nose detection failure and verify overall detection remains not-detected. Pass criteria: sequencing confirmed, nose failure prevents overall detection. Rationale: Displacement transducers provide continuous position tracking to verify the sequencing interlock at the mechanical level, not just the electrical command level. The nose detection failure test validates the critical safety interlock: a route must never be set over a high-speed turnout with an unproven nose position. | Test | verification, points-drive, swing-nose, session-304, idempotency:ver-ifc021-sync-304 |
| VER-TEST-036 | Verify IFC-CBIINTERFACES-022: Configure Point Heating System with diagnostic reporting enabled. Monitor SNMP or Modbus TCP traffic for 5 minutes. Verify reports arrive at intervals not exceeding 60 seconds. Verify each report contains heater status, power consumption, ambient readings, and heating mode. Simulate a heater element failure and verify fault appears in next report cycle. Pass criteria: all report fields present, interval within specification, fault detected. Rationale: Network traffic monitoring provides independent verification of reporting interval and content completeness. The simulated element failure validates the diagnostic path for the most common point heater failure mode. | Test | verification, points-drive, heating, session-304, idempotency:ver-ifc022-diag-304 |
| VER-TEST-037 | Verify SUB-REQS-FUNC-036: Command 20 consecutive throws (10 normal-to-reverse, 10 reverse-to-normal) at ambient temperatures of -25C, +20C, and +55C. Measure elapsed time from drive command receipt at Point Drive Controller input to detection confirmed at output. Pass criteria: all throws complete within 6 seconds for standard (up to 60m) switch lengths. Rationale: Temperature extremes test hydraulic fluid viscosity effects on throw time — low temperature increases viscosity and slows the actuator. 20 throws provide statistical significance. Both throw directions must be tested as hydraulic circuits may have asymmetric flow characteristics. | Test | verification, points-drive, session-304, idempotency:ver-sub036-throw-304 |
| VER-TEST-038 | Verify SUB-REQS-FUNC-040: With points in detected-normal position, remove power supply to the Point Position Detection Assembly. Measure time from power removal to detection output transitioning to not-detected at the Point Drive Controller output. Repeat for detected-reverse position. Pass criteria: detection defaults to not-detected within 100ms in both cases. Rationale: Validates the SIL 4 fail-safe path. Power removal simulates the worst-case detection circuit failure. Oscilloscope measurement at the PDC output boundary provides precise timing. Both positions must be tested as the relay circuits may have different release characteristics for normal vs reverse contacts. | Test | verification, points-drive, safety, session-304, idempotency:ver-sub040-failsafe-304 |
| VER-TEST-039 | Verify SUB-REQS-FUNC-038: During a point throw, introduce calibrated obstructions of 5N, 50N, and 500N force at 25%, 50%, and 75% of throw stroke. Verify Point Drive Controller detects obstruction (current exceeds 150% nominal) within 1 second, removes drive power, and reports obstruction fault to Object Controller. Pass criteria: obstruction detected and drive removed within 1 second for all force levels that exceed the 150% current threshold. Rationale: Calibrated obstruction forces test the sensitivity of current signature analysis across the throw profile. Different positions along the stroke have different normal current profiles, so the 150% threshold must work at all positions. The 5N level tests that small obstructions below the threshold do not cause false trips. | Test | verification, points-drive, safety, session-304, idempotency:ver-sub038-obstruction-304 |
| VER-TEST-040 | Verify IFC-CBIINTERFACES-024: Inject single link failure on one PRP path during sustained vital message traffic between CBI and network switch. Pass criteria: zero frame loss detected at receiving endpoint, measured by RaSTA sequence number gap analysis. Repeat for each port and each cable segment. Rationale: Direct test of PRP zero-recovery-time claim under realistic traffic conditions. Sequence number analysis provides frame-level detection of any loss that traditional packet counters might miss. | Test | verification, communication-network, session-305 |
| VER-TEST-041 | Verify SUB-REQS-FUNC-044: Measure end-to-end message delivery latency from CBI application buffer through network to each connected subsystem under maximum traffic load using hardware-timestamped test frames. Pass criteria: 99.99th percentile latency does not exceed 50 milliseconds across 24-hour test duration. Rationale: 24-hour duration captures diurnal traffic patterns and background maintenance activities. Hardware timestamping eliminates software-induced measurement jitter. 99.99th percentile threshold ensures the requirement is met under worst-case conditions, not just average. | Test | verification, communication-network, session-305 |
| VER-TEST-042 | Verify SUB-REQS-FUNC-045: Inject known message corruptions (bit flip, replay, sequence reversal, delayed delivery beyond Tmax) into RaSTA communication path. Pass criteria: all injected errors detected and reported by the RaSTA Protocol Stack within one safety time interval, with no corrupted message delivered to the application layer. Rationale: Fault injection verifies each EN 50159 threat class is independently detected. Testing all threat classes ensures the safety case claim of Category 3 coverage is substantiated by evidence. | Test | verification, communication-network, session-305 |
| VER-TEST-043 | Verify IFC-CBIINTERFACES-026: Measure time offset between PTP grandmaster and each network endpoint using independent GPS-disciplined reference clock. Pass criteria: offset does not exceed 100 nanoseconds at any endpoint over 72-hour test, including during simulated GNSS signal loss with holdover active. Rationale: 72-hour test duration exercises holdover behavior beyond the 24-hour requirement to verify margin. Independent GPS reference eliminates circular measurement dependency on the system under test. | Test | verification, communication-network, session-305 |
| VER-TEST-044 | Verify SUB-REQS-FUNC-047: Attempt to send non-allowlisted protocol packets and malformed messages through the Cybersecurity Boundary Gateway from the non-vital network side. Pass criteria: all non-allowlisted traffic is blocked, blocked attempts are logged with source address and timestamp, and no additional latency beyond 1ms is introduced on concurrent permitted traffic. Rationale: Penetration testing from the non-vital side validates the allowlist enforcement. Concurrent permitted traffic measurement ensures security inspection does not degrade safety-critical communication timing. | Test | verification, communication-network, session-305 |
| VER-TEST-045 | Verify SUB-REQS-FUNC-049: Degrade a network link to produce packet loss exceeding 0.001 percent. Pass criteria: alarm generated within 30 seconds, alarm correctly identifies the degraded link, and health data appears in the Signalling Diagnostic and Monitoring System within 60 seconds. Rationale: Validates both alarm timing and correct link identification under controlled degradation conditions. 60-second diagnostic propagation confirms the cross-subsystem interface operates correctly. | Test | verification, communication-network, session-305 |
| VER-TEST-046 | Verify IFC-CBIINTERFACES-023: Measure optical link parameters including BER, received power, and link distance on each fiber trunk between SER and lineside locations. Pass criteria: BER better than 10^-12 sustained over 48-hour continuous traffic test, and link operates at specified distance with 3dB margin. Rationale: 48-hour BER measurement provides statistical confidence at 10^-12 level. 3dB optical margin accounts for connector aging, cable splice degradation, and temperature-dependent attenuation variation over the link lifetime. | Test | verification, communication-network, session-305 |
| VER-TEST-047 | Verify IFC-CBIINTERFACES-028: Apply rated load to each LED Signal Module output of the Signal Aspect Driver. Measure drive current per LED string with calibrated ammeter. Verify 350mA ±2% under steady-state conditions. Measure current ripple with oscilloscope at 100MHz bandwidth. Pass: ripple does not exceed 5% peak-to-peak across all strings at -25°C and +70°C ambient. Rationale: Integration test at system boundaries to verify interface compliance between Signal Aspect Driver and LED Signal Module. | Test | verification, colour-light, session-306 |
| VER-TEST-048 | Verify IFC-CBIINTERFACES-030: With Signal Aspect Driver commanding green aspect, trigger Signal Proving Unit failsafe condition. Verify via oscilloscope that all proceed-aspect drive outputs are physically disconnected and danger aspect is driven within 500ms. Repeat with proving unit power removed. Pass: relay de-energises and danger aspect displays in both scenarios. Rationale: Critical safety verification: the hardwired failsafe relay must operate correctly independent of software state, and must default safe on power loss. | Test | verification, colour-light, safety, session-306 |
| VER-TEST-049 | Verify IFC-CBIINTERFACES-029: Inject known currents into LED string monitoring connections using calibrated current source. Compare Signal Proving Unit readings against reference. Pass: measurement error does not exceed 2% across 10% to 100% of rated current range at -25°C and +70°C. Rationale: Monitoring accuracy verification ensures the proving unit can reliably distinguish degraded strings from healthy ones across the full operating temperature range. | Test | verification, colour-light, session-306 |
| VER-TEST-050 | Verify IFC-CBIINTERFACES-031: Connect Signal Proving Unit to Diagnostic System via RS-485 bus. Send poll commands at specified interval. Verify response within 500ms containing valid lamp status, degradation percentage, and failure classification. Simulate lamp failure and verify correct reporting. Pass: all fields correctly populated within timing constraint. Rationale: Diagnostic interface verification at integration level to confirm data format, timing, and content accuracy. | Test | verification, colour-light, diagnostic, session-306 |
| VER-TEST-051 | Verify IFC-CBIINTERFACES-032: Command route data to Junction Route Indicator while main aspect is at danger. Verify indicator remains dark. Set route and display proceed aspect. Verify correct feather/character illuminates within 500ms. Revert to danger. Verify indicator extinguishes within 200ms. Disconnect data path and verify interlock independently prevents illumination. Pass: all timing and interlock criteria met. Rationale: Combined functional and safety test verifying both the route data path and the independent hardware interlock that prevents misleading indications. | Test | verification, colour-light, junction-indicator, session-306 |
| VER-TEST-052 | Verify SUB-REQS-FUNC-053: With signal displaying green, simulate proceed-aspect LED module failure by open-circuiting LED strings to reduce output below 70%. Measure time from failure injection to danger aspect display. Repeat for yellow and double-yellow aspects. Pass: failsafe activates within 500ms in all cases across 100 test cycles. Rationale: Statistical verification of the safety-critical failsafe timing requirement across multiple test cycles to establish confidence in the 500ms bound. | Test | verification, colour-light, safety, session-306 |
| VER-TEST-059 | Verify IFC-CBIINTERFACES-033: Connect Signalling Power Feeder output to UPS input via test cable. Measure output voltage at UPS input terminals under no-load, 50 percent load, and full-load conditions. Pass criteria: voltage within 99V to 121V (110V plus or minus 10 percent), frequency 50Hz plus or minus 0.5Hz. Verify individual circuit protection trips within rated curve. Rationale: Integration test at the feeder-UPS boundary confirms power quality at the handoff point and validates circuit protection sizing. | Test | verification, power-supply, session-308 |
| VER-TEST-060 | Verify IFC-CBIINTERFACES-034: Operate UPS under battery backup condition. Measure output voltage and THD at distribution panel input using a power quality analyser. Pass criteria: voltage 110V plus or minus 5 percent, THD below 3 percent at 25, 50, 75, and 100 percent load steps. Verify maintenance bypass transfers load without interruption (zero transfer time on oscilloscope). Rationale: Confirms UPS output quality meets track circuit sensitivity requirements and validates bypass path for maintenance access. | Test | verification, power-supply, session-308 |
| VER-TEST-061 | Verify IFC-CBIINTERFACES-035: Apply controlled earth fault at 30mA on one track circuit feeder cable. Measure alarm generation time at distribution panel. Pass criteria: alarm within 2 seconds, faulted circuit identified by circuit number, other circuits unaffected. Rationale: Validates earth-fault detection sensitivity and response time at track circuit distribution boundary. | Test | verification, power-supply, session-308 |
| VER-TEST-062 | Verify IFC-CBIINTERFACES-036: Configure Monitoring Controller and Diagnostic System on test network. Generate test alarm conditions (low battery, mains loss, earth fault). Pass criteria: all alarm states reported via Modbus TCP within 10-second polling cycle, battery SOC accurate within 5 percent of reference measurement. Rationale: Confirms end-to-end data flow from power monitoring to diagnostic system and validates alarm propagation timing. | Test | verification, power-supply, session-308 |
| VER-TEST-063 | Verify SUB-REQS-FUNC-061: Disconnect mains supply to UPS with signalling installation at full rated vital load. Monitor UPS output voltage continuously. Pass criteria: output voltage remains within specification for minimum 120 minutes. Record actual runtime to exhaustion for capacity baseline. Rationale: Full-load discharge test confirms battery capacity meets the 2-hour backup requirement under worst-case conditions. | Test | verification, power-supply, session-308 |
| VER-TEST-064 | Verify SUB-REQS-FUNC-066: Simulate mains loss with non-vital loads connected. Measure time from mains loss confirmation to non-vital circuit de-energisation. Pass criteria: non-vital loads shed within 5 seconds, vital loads unaffected, predicted runtime exceeds 3.5 hours. Rationale: Validates the load-shedding sequence timing and confirms extended vital runtime calculation is correct. | Test | verification, power-supply, session-308 |
| VER-TEST-065 | Verify SUB-REQS-FUNC-067: Introduce a cell simulator with adjustable voltage into the battery bank. Set one cell 0.35V below bank average. Pass criteria: alarm generated within one polling cycle, alarm identifies specific cell position. Repeat for temperature sensor at 46 degrees Celsius. Rationale: Confirms cell-level monitoring detects incipient battery failure before it affects backup capacity. | Test | verification, power-supply, session-308 |
| VER-TEST-066 | Verify IFC-CBIINTERFACES-037: Generate 50 test alarms of mixed priority from alarm simulator. Measure end-to-end delivery time from alarm generation to Signaller Workstation display update. Pass criteria: all alarms displayed within 2 seconds with correct priority, source identification, and suggested response text. Rationale: Validates alarm delivery latency and data completeness at the AMP-Workstation boundary under representative load. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-067 | Verify IFC-CBIINTERFACES-038: Generate 1000 test events with known sequence numbers via CMS. Disconnect and reconnect network link between CMS and Event Logger after event 500. Pass criteria: all 1000 events present in Event Logger with correct sequence, reconnection within 5 seconds, no duplicates or gaps. Rationale: Tests guaranteed delivery and reconnection behaviour under network disruption conditions. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-068 | Verify IFC-CBIINTERFACES-039: Attempt remote login with valid single-factor credentials. Pass criteria: access denied. Login with valid MFA credentials. Pass criteria: access granted, session logged with user identity and timestamp. Issue diagnostic query and verify query content appears in audit log. Rationale: Tests MFA enforcement and audit logging at the remote access boundary. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-069 | Verify SUB-REQS-FUNC-068: Generate sustained alarm stream at 30 alarms per minute from test simulator. Measure alarm rate at operator display after rationalisation. Pass criteria: displayed rate does not exceed 10 alarms per 10 minutes during normal mode, 20 during upset mode. Rationale: Validates EEMUA 191 alarm rate compliance under sustained high-rate input. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-070 | Verify SUB-REQS-FUNC-072: Record events from GPS-synchronised reference clock. Compare Event Logger timestamps against reference. Pass criteria: timestamp deviation does not exceed 1ms across 24-hour test period. Rationale: Validates timestamp accuracy against GPS reference over extended period to detect drift. | Test | verification, diagnostic-monitoring, session-308 |
| VER-TEST-071 | Verify IFC-CBIINTERFACES-040: Inject 200 simultaneous object state changes via CBI test interface. Measure end-to-end delivery time from CBI output cycle to Track Diagram Display Processor data receipt. Pass: all state updates received within 500ms. Verify RaSTA protocol integrity by injecting corrupted packets and confirming rejection. Rationale: Integration test at CBI-workstation boundary. 200 simultaneous changes represent peak traffic load. Corruption injection verifies the RaSTA safety layer protects display integrity. | Test | verification, signaller-workstation, session-309, idempotency:ver-ifc040-statedata-309 |
| VER-TEST-072 | Verify IFC-CBIINTERFACES-041: Issue route-setting, signal replacement, and emergency control commands from test workstation. Measure delivery confirmation latency. Attempt commands for objects outside authenticated area. Pass: all commands confirmed within 1 second; out-of-area commands rejected at interface level before reaching CBI. Rationale: Tests both timing and access control enforcement at the command interface boundary. Out-of-area rejection test verifies defence-in-depth for area authority. | Test | verification, signaller-workstation, safety, session-309, idempotency:ver-ifc041-commands-309 |
| VER-TEST-073 | Verify IFC-CBIINTERFACES-042: Generate 50 test alarms of mixed priority from alarm simulator, injected at Alarm Management Processor output. Measure delivery latency to Alarm Display and Management Panel. Verify alarm message structure contains all specified fields (ID, priority, subsystem, timestamp, text). Pass: all alarms received within 500ms with complete fields. Rationale: 50-alarm burst tests interface capacity under alarm flood conditions while verifying structured message completeness. | Test | verification, signaller-workstation, session-309, idempotency:ver-ifc042-alarms-309 |
| VER-TEST-074 | Verify IFC-CBIINTERFACES-043: Send 50 route-setting requests via TMS-CBI Interface Gateway. Measure CBI response time for confirmation/rejection. Inject invalid route requests and verify rejection. Pass: all valid routes confirmed or rejected within 2 seconds; invalid requests return error codes. Rationale: Tests TMS-CBI interface boundary under load. Invalid route injection verifies CBI validates all TMS commands independently. | Test | verification, traffic-management, session-309, idempotency:ver-ifc043-tmscbi-309 |
| VER-TEST-075 | Verify IFC-CBIINTERFACES-044: Simulate 100 concurrent berth stepping events from Train Describer. Measure delivery latency to Track Diagram Display Processor. Verify headcode labels match berth positions on displayed track diagram. Pass: all identity updates delivered within 500ms with correct berth association. Rationale: 100 concurrent steps test interface throughput at peak berth-stepping rate. Visual verification confirms end-to-end identity-to-berth correctness. | Test | verification, traffic-management, signaller-workstation, session-309, idempotency:ver-ifc044-trainid-309 |
| VER-TEST-076 | Verify IFC-CBIINTERFACES-045: Trigger 10 conflict detection events from TMS test data. Measure delivery latency from detection to display on Signaller Workstation. Verify conflict alert includes at least 3 regulation options. Pass: all alerts displayed within 2 seconds with options ranked by delay impact. Rationale: Tests the full conflict alert path from detection to signaller presentation. Option ranking verification ensures decision support quality. | Test | verification, traffic-management, signaller-workstation, session-309, idempotency:ver-ifc045-conflicts-309 |
| VER-TEST-077 | Verify SUB-REQS-FUNC-079: Inject 50 alarms within 5 seconds from alarm simulator. Verify flood management activates, consequential alarms are suppressed, and root-cause summary groups alarms by originating subsystem. Pass: flood mode activates when threshold exceeded; summary displays within 2 seconds of activation. Rationale: Tests alarm flood detection threshold and root-cause grouping accuracy under realistic cascade conditions. | Test | verification, signaller-workstation, session-309, idempotency:ver-sub079-alarmflood-309 |
| VER-TEST-078 | Verify SUB-REQS-FUNC-080: Simulate primary workstation failure (kill application process, disconnect display, disconnect network). Measure switchover time to standby. Verify standby displays identical track diagram, alarm queue, and authenticated session. Pass: switchover completes within 5 seconds for all three failure modes. Rationale: Three distinct failure injection modes (process, display, network) verify the Workstation Redundancy Controller detects all monitored failure types. State verification confirms complete transfer. | Test | verification, signaller-workstation, reliability, session-309, idempotency:ver-sub080-failover-309 |
| VER-TEST-079 | Verify SUB-REQS-FUNC-081: Attempt login with valid smart card and PIN. Attempt login with invalid PIN. Attempt route-setting command for object outside assigned area. Pass: valid credentials grant access; invalid PIN rejected; out-of-area commands blocked. Rationale: Tests both positive authentication path and negative cases (wrong credentials, area violation) to verify access control enforcement. | Demonstration | verification, signaller-workstation, safety, session-309, idempotency:ver-sub081-auth-309 |
| VER-TEST-080 | Verify SUB-REQS-FUNC-085: Load ARS with 500 simulated train services across full control area timetable. Measure ARS decision cycle time under full load. Pass: all route-setting decisions completed within 2-second cycle time with no missed routes. Rationale: 500-train load test verifies ARS performance at rated capacity. Decision cycle measurement confirms algorithmic scalability. | Test | verification, traffic-management, performance, session-309, idempotency:ver-sub085-arscapacity-309 |
| VER-TEST-081 | Verify SUB-REQS-FUNC-088: Send 100 route-setting commands to TMS-CBI Interface Gateway within 1 second. Verify gateway rate-limits to 20 commands/second and buffers excess in FIFO order. Inject 150 commands to exceed queue depth. Pass: first 100 commands queued and delivered at 20/s; commands beyond queue depth of 100 rejected with error. Rationale: Tests both rate limiting enforcement and queue overflow behaviour under burst conditions exceeding rated capacity. | Test | verification, traffic-management, session-309, idempotency:ver-sub088-ratelimit-309 |
| VER-TEST-082 | Verify SUB-REQS-FUNC-060: Inject simulated lamp degradation (LED current reduction to 70%, 50%, 30% thresholds) and partial failure (single LED string open circuit) into Signal Proving Unit test harness. Confirm diagnostic messages transmitted to Diagnostic System within 10-second reporting interval with correct degradation percentage and failure mode classification. Pass: all injected faults reported within one reporting cycle with correct classification. Rationale: Validates lamp monitoring detection threshold and reporting latency. Degradation thresholds chosen to match EN 50129 signal visibility safety case requirements. | Test | verification, colour-light, session-311, idempotency:ver-spu-lamp-reporting-311 |
| VER-TEST-083 | Verify SUB-REQS-FUNC-070: Stimulate field equipment state changes (point position, track circuit, signal lamp, power supply) across all monitored subsystems simultaneously. Measure time from state change at field equipment to corresponding database record on Condition Monitoring Server. Pass: 95th percentile collection latency does not exceed 30 seconds under peak load (all subsystems reporting simultaneously). Rationale: Validates end-to-end monitoring latency under worst-case concurrent reporting. 30-second threshold ensures maintainers have near-real-time visibility of degradation trends before safety functions are compromised. | Test | verification, diagnostic-monitoring, session-311, idempotency:ver-cms-aggregation-latency-311 |
| VER-TEST-084 | Verify SUB-REQS-FUNC-071: Establish remote diagnostic session through Remote Diagnostic Gateway. Attempt write and control commands (route setting, signal control, point operation, configuration changes) through all available diagnostic protocols and API endpoints. Confirm all write attempts are rejected. Verify audit trail records each rejected attempt with session identity and timestamp. Pass: zero write commands reach safety-critical equipment and all attempts are logged. Rationale: Security boundary verification through adversarial testing. Must prove no diagnostic protocol or API endpoint can be exploited to inject control commands into the vital signalling chain. | Test | verification, diagnostic-monitoring, session-311, idempotency:ver-rdg-readonly-311 |
| VER-TEST-085 | Verify SUB-REQS-FUNC-089: Import reference working timetable in CIF format containing known scheduling conflicts (overlapping platform allocations at 3 stations, physically impossible run times on 2 segments). Measure import-to-validation completion time. Import a valid timetable and confirm acceptance within 60 seconds. Pass: all 5 injected conflicts detected, valid timetable accepted within time limit, rejection report identifies conflict type and location. Rationale: Validates both the 60-second performance requirement and the conflict detection accuracy. Injected conflicts represent real-world scheduling errors observed in UK Network Rail timetable data. | Test | verification, traffic-management, session-311, idempotency:ver-timetable-validation-311 |
| VER-TEST-086 | Verify system-level end-to-end: Simulate train approach on occupied route (axle counter detection) through interlocking route processing to signal aspect change and point position confirmation. Measure total chain latency from Wheel Sensor activation through Axle Counter Evaluator, Train Detection Data Concentrator, Computer-Based Interlocking route evaluation, to Signal Aspect Driver commanding restrictive aspect and Point Drive Controller confirming locked position. Pass: end-to-end chain completes within 2 seconds under nominal conditions; safety-critical aspects (restrictive signal, point lock) achieved within 500ms of interlocking decision; no data loss across 1000 consecutive test cycles. Rationale: Validates the primary safety chain from detection to protection. The 2-second end-to-end budget derives from SYS-REQS-FUNC-005 (ETCS MA computation) and SYS-REQS-PERF-002 (signal aspect update). The 500ms sub-budget for safety actions ensures the interlocking can meet its worst-case reaction time. 1000 cycles validates statistical reliability of the chain. | Test | verification, system-level, safety, session-311, idempotency:ver-system-e2e-safety-chain-311 |
| VER-TEST-087 | Verify SYS-REQS-FUNC-009: Install AWS permanent magnets and TPWS track-mounted loops at 10 test signal locations. Run 100 test train passes per signal with TPWS-equipped test vehicle. Confirm AWS horn sounds at every approach, TPWS Overspeed Sensor System triggers at speeds exceeding threshold by 3 km/h, and TPWS Train Stop System applies brakes within 1 second of passing signal at danger. Concurrently verify ETCS MA delivery is unaffected by AWS/TPWS equipment presence. Pass criteria: 99.9 percent intervention rate across 1000 test demands, zero interference with ETCS operation. Rationale: AWS/TPWS intervention reliability must be demonstrated by statistical testing across multiple signal locations to account for installation variation. The 1000-demand test programme provides 95 percent confidence for the 99.9 percent reliability claim per IEC 61508 statistical testing requirements. | Test | verification, aws-tpws, validation, session-313 |
| VER-TEST-088 | Verify SYS-REQS-FUNC-011: Simulate total CBI failure by disconnecting the Vital Processing Unit from the signalling network. Measure time from failure detection to degraded-mode indication on signaller workstation. Verify signaller can release individual track sections for verbal authorisation within the 60-second target. Execute 4 train movements per hour through the degraded area using Rule Book Module TW1 procedures. Confirm all safety interlocks prevent inadvertent release of occupied sections. Pass criteria: degraded indication within 60 seconds, 4 trains per hour achieved without safety violation, no occupied section released. Rationale: Degraded mode transition must be demonstrated end-to-end including human operator procedures because the 60-second target includes signaller recognition and mode selection time, not just system response. The 4 trains per hour throughput test validates operational viability under degraded conditions. | Demonstration | verification, degraded-mode, validation, session-313 |
| VER-TEST-089 | Verify SYS-REQS-FUNC-012: Generate simultaneous state changes across all subsystems at peak rate of 500 events per second for 24 hours. After test period, retrieve and verify records for 100 randomly sampled events across CBI, train detection, ETCS, level crossing, and points subsystems. Confirm all events are recorded with correct UTC timestamps within 1ms of source timestamp. Attempt record modification to verify tamper-evidence mechanism. After a 6-month retention test, confirm oldest records remain accessible. Simulate RAIB data request and measure retrieval time. Pass criteria: zero event loss, timestamp accuracy within 1ms, tamper detection functional, 6-month retention verified, retrieval within 4 hours. Rationale: Event recording must be verified at peak load across all subsystems simultaneously because event storms during major failures are exactly when complete recording is most critical. The 24-hour sustained test validates storage capacity. The 6-month retention test validates long-term data integrity. | Test | verification, recording, validation, session-313 |
| VER-TEST-090 | Verify SYS-REQS-FUNC-013: Apply a temporary speed restriction of 40 km/h to a test section. Verify lineside signal approach aspects are reduced per RT/E/S/11201 within one signal update cycle. Verify ETCS movement authority includes the speed restriction in the MA speed profile sent to test trains. Verify signaller workstation displays TSR location, speed limit, and remaining duration. Remove the TSR and verify normal aspects and MA speed profiles are restored. Test with 5 concurrent TSRs across different sections. Pass criteria: correct approach aspects within 500ms, ETCS MA includes restriction within 2 seconds, display shows all active TSRs accurately, removal restores normal operation within one update cycle. Rationale: TSR management must be verified for both lineside and ETCS paths simultaneously because a mismatch between lineside indication and ETCS MA speed profile would create hazardous inconsistency. The 5-concurrent-TSR test validates the system under realistic operational load since major possessions often impose multiple simultaneous restrictions. | Test | verification, tsr, validation, session-313 |
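
The receiver-side checks exercised by VER-TEST-040 (sequence-number gap analysis) and VER-TEST-042 (injected bit flip, replay, sequence reversal and delivery beyond Tmax), as an added reference model written for this plan and not the RaSTA Protocol Stack's own code; the frame layout, the CRC-32 stand-in for the safety code, the TMAX_MS = 500 limit and the class and function names are assumptions.

```python
"""Reference model of a vital-message receiver for VER-TEST-040 / VER-TEST-042.

Added example, not RaSTA itself: frame layout, CRC-32 as the safety code and
the Tmax value are assumptions chosen so the checks run offline.
"""
import struct
import zlib
from dataclasses import dataclass, field

TMAX_MS = 500                   # assumed maximum accepted message age
HEADER = struct.Struct("<IQ")   # sequence number (u32) + send timestamp in ms (u64)
TRAILER = struct.Struct("<I")   # CRC-32 stand-in for the safety code


def build_frame(seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Constructed frame: header | payload | crc32(header + payload)."""
    body = HEADER.pack(seq, ts_ms) + payload
    return body + TRAILER.pack(zlib.crc32(body))


@dataclass
class VitalReceiver:
    expected_seq: int = 0
    seen: set = field(default_factory=set)    # sequence numbers already accepted
    gaps: list = field(default_factory=list)  # (first_missing, last_missing) per detected loss

    def receive(self, frame: bytes, now_ms: int) -> str:
        """Return 'accepted' or the detected threat class.

        Only an accepted frame would be handed to the application layer;
        a rejection never advances the receiver state.
        """
        if len(frame) < HEADER.size + TRAILER.size:
            return "malformed"
        body = frame[:-TRAILER.size]
        (crc,) = TRAILER.unpack(frame[-TRAILER.size:])
        if zlib.crc32(body) != crc:
            return "corruption"         # bit flip: safety code mismatch
        seq, ts_ms = HEADER.unpack_from(body)
        if now_ms - ts_ms > TMAX_MS:
            return "delayed"            # delivery beyond Tmax
        if seq in self.seen:
            return "replay"             # this sequence number was already accepted
        if seq < self.expected_seq:
            return "reversal"           # older than the newest accepted frame, never seen
        if seq > self.expected_seq:
            # frames expected_seq..seq-1 never arrived: the VER-TEST-040 gap analysis
            self.gaps.append((self.expected_seq, seq - 1))
        self.seen.add(seq)
        self.expected_seq = seq + 1
        return "accepted"


def run_injection_campaign() -> dict:
    """Constructed VER-TEST-042-style campaign against one receiver.

    Returns the verdict for each injected case and the gaps the receiver reported.
    """
    rx = VitalReceiver()
    verdicts = {}
    # nominal traffic: seq 0..2, each delivered 5 ms after it was sent
    for seq in range(3):
        verdicts[f"nominal-{seq}"] = rx.receive(build_frame(seq, seq * 10, b"state"), seq * 10 + 5)
    # seq 3 is dropped, seq 4 arrives: accepted, but the loss of seq 3 must be reported
    verdicts["after-loss"] = rx.receive(build_frame(4, 40, b"state"), 45)
    # the dropped seq 3 turns up late: sequence reversal
    verdicts["reversal"] = rx.receive(build_frame(3, 30, b"state"), 46)
    # seq 2 captured and re-sent unchanged: replay
    verdicts["replay"] = rx.receive(build_frame(2, 20, b"state"), 47)
    # seq 5 held back for 550 ms: delayed beyond Tmax
    verdicts["delayed"] = rx.receive(build_frame(5, 50, b"state"), 600)
    # seq 5 with one payload bit flipped in transit: corruption
    flipped = bytearray(build_frame(5, 50, b"state"))
    flipped[HEADER.size] ^= 0x01
    verdicts["bitflip"] = rx.receive(bytes(flipped), 55)
    # the intact seq 5 is still accepted: rejections did not disturb the state
    verdicts["recover"] = rx.receive(build_frame(5, 50, b"state"), 55)
    return {"verdicts": verdicts, "gaps": rx.gaps}


if __name__ == "__main__":
    result = run_injection_campaign()
    for case, verdict in result["verdicts"].items():
        print(f"{case:12s} -> {verdict}")
    print("reported gaps:", result["gaps"])
```

Run on the constructed campaign, every injected threat is rejected before it reaches the application layer, and the dropped frame appears only as a reported gap, which is the evidence VER-TEST-040 and VER-TEST-042 ask for.
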

| Requirement | Verified By | Description |
|---|---|---|
| IFC-CBIINTERFACES-045 | VER-TEST-076 | Integration test for conflict alert delivery |
| IFC-CBIINTERFACES-044 | VER-TEST-075 | Integration test for train identity delivery to display |
| IFC-CBIINTERFACES-043 | VER-TEST-074 | Integration test for TMS-CBI route command interface |
| IFC-CBIINTERFACES-042 | VER-TEST-073 | Integration test for alarm delivery interface |
| IFC-CBIINTERFACES-041 | VER-TEST-072 | Integration test for workstation command interface |
| IFC-CBIINTERFACES-040 | VER-TEST-071 | Integration test for TDDP-CBI state data interface |
| IFC-CBIINTERFACES-039 | VER-TEST-068 | MFA and audit logging test for remote diagnostic access |
| IFC-CBIINTERFACES-038 | VER-TEST-067 | Guaranteed delivery test for CMS-EventLogger interface |
| IFC-CBIINTERFACES-037 | VER-TEST-066 | Alarm delivery latency test at AMP-Workstation interface |
| IFC-CBIINTERFACES-036 | VER-TEST-062 | Modbus TCP integration test for power monitoring data |
| IFC-CBIINTERFACES-035 | VER-TEST-061 | Earth fault detection test for TC power distribution |
| IFC-CBIINTERFACES-034 | VER-TEST-060 | Integration test for UPS-distribution panel interface |
| IFC-CBIINTERFACES-033 | VER-TEST-059 | Integration test for feeder-UPS power interface |
| IFC-CBIINTERFACES-027 | VER-054 | Network monitoring interface end-to-end test for IFC-027 |
| IFC-CBIINTERFACES-025 | VER-053 | Cybersecurity boundary gateway penetration test for IFC-025 |
| IFC-CBIINTERFACES-032 | VER-TEST-051 | Junction indicator interlock test for IFC-032 |
| IFC-CBIINTERFACES-031 | VER-TEST-050 | Diagnostic serial interface test for IFC-031 |
| IFC-CBIINTERFACES-029 | VER-TEST-049 | Monitoring accuracy test for IFC-029 |
| IFC-CBIINTERFACES-030 | VER-TEST-048 | Failsafe relay integration test for IFC-030 |
| IFC-CBIINTERFACES-028 | VER-TEST-047 | Drive current integration test for IFC-028 |
| IFC-CBIINTERFACES-023 | VER-TEST-046 | Fiber trunk BER and optical margin integration test |
| IFC-CBIINTERFACES-026 | VER-TEST-043 | PTP synchronization accuracy measurement with holdover |
| IFC-CBIINTERFACES-024 | VER-TEST-040 | PRP failover integration test for CBI-switch interface |
| IFC-CBIINTERFACES-022 | VER-TEST-036 | Diagnostic reporting protocol compliance test |
| IFC-CBIINTERFACES-021 | VER-TEST-035 | Swing-nose synchronisation interlock test |
| IFC-CBIINTERFACES-020 | VER-TEST-034 | Detection interface dual-channel test |
| IFC-CBIINTERFACES-019 | VER-TEST-033 | Power interface integration test for PDC-EHPM |
| IFC-CBIINTERFACES-018 | VER-TEST-026 | Barrier position feedback and stall detection test |
| IFC-CBIINTERFACES-017 | VER-TEST-025 | Obstacle detection interface boundary and fail-safe test |
| IFC-CBIINTERFACES-016 | VER-TEST-024 | Integration test for CBI-LC Controller interface |
| IFC-CBIINTERFACES-015 | VER-TEST-020 | JRU guaranteed delivery test under peak load |
| IFC-CBIINTERFACES-014 | VER-TEST-019 | Handover state transfer latency test |
| IFC-CBIINTERFACES-013 | VER-TEST-018 | Bearer error injection test for Euroradio-GSM-R interface |
| IFC-CBIINTERFACES-012 | VER-TEST-017 | Integration test for RBC-Euroradio message interface |
| IFC-CBIINTERFACES-011 | VER-TEST-016 | Integration test for CBI-RBC interface |
| IFC-CBIINTERFACES-010 | VER-TEST-013 | Integration test for vital serial link from concentrator to CBI |
| IFC-CBIINTERFACES-009 | VER-TEST-012 | Integration test for RS-485 serial link between evaluator and concentrator |
| IFC-CBIINTERFACES-008 | VER-TEST-011 | Integration test for track circuit relay contact interface to concentrator |
| IFC-CBIINTERFACES-007 | VER-TEST-010 | Integration test for wheel sensor to evaluator cable interface |
| IFC-CBIINTERFACES-006 | VER-TEST-006 | Integration test for CBI-LX interface |
| IFC-CBIINTERFACES-005 | VER-TEST-005 | Integration test for CBI-TMS interface |
| IFC-CBIINTERFACES-004 | VER-TEST-004 | Integration test for CBI-ETCS RaSTA interface |
| IFC-CBIINTERFACES-003 | VER-TEST-003 | Integration test for CBI-Points interface |
| IFC-CBIINTERFACES-002 | VER-TEST-002 | Integration test for CBI-Signal interface |
| IFC-CBIINTERFACES-001 | VER-TEST-001 | Integration test for CBI-TrainDet interface |
| SUB-REQS-FUNC-089 | VER-TEST-085 | CIF timetable conflict injection test |
| SUB-REQS-FUNC-071 | VER-TEST-084 | Adversarial write-attempt test for remote diagnostic isolation |
| SUB-REQS-FUNC-070 | VER-TEST-083 | CMS aggregation latency test under peak concurrent load |
| SUB-REQS-FUNC-060 | VER-TEST-082 | Lamp degradation injection test for signal proving unit |
| SUB-REQS-FUNC-088 | VER-TEST-081 | TMS gateway rate limiting test |
| SUB-REQS-FUNC-085 | VER-TEST-080 | ARS capacity load test |
| SUB-REQS-FUNC-081 | VER-TEST-079 | Authentication and access control demonstration |
| SUB-REQS-FUNC-080 | VER-TEST-078 | Workstation failover test |
| SUB-REQS-FUNC-079 | VER-TEST-077 | Alarm flood management test |
| SUB-REQS-FUNC-072 | VER-TEST-070 | GPS timestamp accuracy test over 24-hour period |
| SUB-REQS-FUNC-068 | VER-TEST-069 | EEMUA 191 alarm rate compliance test |
| SUB-REQS-FUNC-067 | VER-TEST-065 | Cell-level monitoring alarm test |
| SUB-REQS-FUNC-066 | VER-TEST-064 | Load-shedding timing and runtime extension test |
| SUB-REQS-FUNC-061 | VER-TEST-063 | Full-load discharge test for UPS backup duration |
| SUB-REQS-FUNC-037 | VER-058 | Point Position Detection threshold boundary test |
| SUB-REQS-FUNC-059 | VER-057 | Junction Route Indicator hardware interlock independence test |
| SUB-REQS-FUNC-056 | VER-056 | Signal Proving Unit 2oo2 comparison architecture test |
| SUB-REQS-FUNC-055 | VER-055 | Signal Aspect Driver failsafe default test for SUB-055 |
| SUB-REQS-FUNC-053 | VER-TEST-052 | Failsafe timing test for SUB-053 |
| SUB-REQS-FUNC-049 | VER-TEST-045 | Network degradation alarm test |
| SUB-REQS-FUNC-047 | VER-TEST-044 | Cybersecurity boundary penetration and latency test |
| SUB-REQS-FUNC-045 | VER-TEST-042 | RaSTA error detection fault injection test |
| SUB-REQS-FUNC-044 | VER-TEST-041 | End-to-end latency measurement under load |
| SUB-REQS-FUNC-038 | VER-TEST-039 | Obstruction detection sensitivity and response test |
| SUB-REQS-FUNC-040 | VER-TEST-038 | Fail-safe detection default timing test |
| SUB-REQS-FUNC-036 | VER-TEST-037 | Throw time test across temperature range |
| SUB-REQS-FUNC-016 | VER-032 | Test verifies axle count discrepancy detection and fail-safe response |
| SUB-REQS-FUNC-015 | VER-031 | Test verifies axle counting accuracy across speed/wheel envelope |
| SUB-REQS-FUNC-008 | VER-030 | Test verifies 2oo3 to 2oo2 degraded mode transition |
| SUB-REQS-FUNC-006 | VER-029 | Test verifies VPU data integrity check at startup |
| SUB-REQS-FUNC-005 | VER-028 | Test verifies Object Controller command authentication |
| SUB-REQS-FUNC-002 | VER-027 | Test verifies route-locking enforcement |
| SUB-REQS-FUNC-030 | VER-TEST-023 | Emergency stop broadcast timing test |
| SUB-REQS-FUNC-022 | VER-TEST-022 | Hot-standby failover test |
| SUB-REQS-FUNC-020 | VER-TEST-021 | MA computation performance test |
| SUB-REQS-FUNC-014 | VER-TEST-015 | Fault injection test for track circuit fail-safe behaviour |
| SUB-REQS-FUNC-013 | VER-TEST-014 | Field test for track circuit shunting sensitivity |
| SUB-REQS-PERF-011 | VER-ANAL-009 | Markov reliability analysis for VPU MTBFd |
| SUB-REQS-PERF-010 | VER-ANAL-008 | WCET analysis for VPU cycle time |
| SUB-REQS-FUNC-001 | VER-TEST-007 | Fault injection test for VPU 2oo3 voting |
| SYS-REQS-FUNC-013 | VER-TEST-090 | Test of TSR propagation to lineside signals and ETCS MAs with concurrent restriction management |
| SYS-REQS-FUNC-012 | VER-TEST-089 | Test of cross-subsystem event recording at peak load with retention and tamper verification |
| SYS-REQS-FUNC-011 | VER-TEST-088 | Demonstration of degraded mode transition and operational capacity |
| SYS-REQS-FUNC-009 | VER-TEST-087 | Verification of AWS/TPWS intervention reliability and ETCS coexistence |
| SYS-REQS-FUNC-004 | VER-TEST-086 | End-to-end detection-to-protection chain test |
| SYS-REQS-PERF-002 | VER-TEST-086 | System-level end-to-end safety chain integration test |

| Ref | Document | Requirement |
|---|---|---|
| ARC-009 | architecture-decisions | ARC: Colour-Light Signalling Output — Separated safety monitoring from drive electronics. The Signal Proving and Monitor... |
| ARC-010 | architecture-decisions | ARC: Signalling Power Supply System — Online double-conversion UPS topology with vital/non-vital bus separation at the d... |
| ARC-012 | architecture-decisions | ARC: Signalling Diagnostic and Monitoring System — Separated alarm management from condition monitoring to avoid data ov... |
| ARC-CBIARCHITECTUREDECISIONS-001 | architecture-decisions | ARC: Computer-Based Interlocking — 2oo3 voted architecture with distributed Object Controllers and centralised Communica... |
| ARC-SYS-ARC-002 | architecture-decisions | ARC: Train Detection Subsystem — Dual-technology detection (audio-frequency track circuits plus axle counters) with cent... |
| ARC-SYS-ARC-004 | architecture-decisions | ARC: ETCS Radio Block Centre — Layered architecture separating safety application (MA computation) from safe communicati... |
| ARC-SYS-ARC-005 | architecture-decisions | ARC: Level Crossing Protection System — Centralised controller with distributed field equipment and independent obstacle... |
| ARC-SYS-ARC-006 | architecture-decisions | ARC: Points and Crossing Drive System — Centralised drive controller with per-machine detection independence. The Point ... |
| ARC-SYS-ARC-007 | architecture-decisions | ARC: Signalling Communication Network — Layered architecture separating physical transport (PRP switches, fiber multiple... |
| ARC-SYS-ARC-013 | architecture-decisions | ARC: Signaller Workstation — Separated display rendering, command input, alarm management, and access control into indep... |
| ARC-SYS-ARC-014 | architecture-decisions | ARC: Traffic Management System — Separated automatic route setting, conflict resolution, train description, and timetabl... |